Windows Analysis Report
c56D7_Receipt.vbs

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xwor3july.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: xwor3july.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49755 -> 12.221.146.138:9402

Source: Joe Sandbox View

IP Address: 12.221.146.138 12.221.146.138

Source: Joe Sandbox View	ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View	ASN Name: ATT-INTERNET4US ATT-INTERNET4US

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /Motocrossbanerne37.pif HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: apslline.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Motocrossbanerne37.pif HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: apslline.com
Source: global traffic	HTTP traffic detected: GET /LfGiMdRCMSvlQHkIpf170.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: apslline.comCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: apslline.com
Source: global traffic	DNS traffic detected: DNS query: xwor3july.duckdns.org

Source: filaucioso.bat, filaucioso.bat, 00000005.00000000.2022571987.000000000040A000.00000008.00000001.01000000.00000005.sdmp, filaucioso.bat.0.dr, Busaos.pif.5.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: wscript.exe, 00000000.00000003.1778774215.0000020E79077000.00000004.00000020.00020000.00000000.sdmp, filaucioso.bat, 00000001.00000000.1781880896.000000000040A000.00000008.00000001.01000000.00000005.sdmp, filaucioso.bat, 00000001.00000002.2029959804.000000000040A000.00000004.00000001.01000000.00000005.sdmp, filaucioso.bat, 00000005.00000000.2022571987.000000000040A000.00000008.00000001.01000000.00000005.sdmp, filaucioso.bat.0.dr, Busaos.pif.5.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: filaucioso.bat, 00000005.00000002.3029149028.00000000337F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wscript.exe, 00000000.00000002.1792928891.0000020E78FA4000.00000004.00000020.00020000.00000000.sdmp, filaucioso.bat, 00000005.00000002.3009633630.0000000003476000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apslline.com/
Source: filaucioso.bat, 00000005.00000002.3028675290.0000000032A50000.00000004.00001000.00020000.00000000.sdmp, filaucioso.bat, 00000005.00000002.3009633630.0000000003476000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apslline.com/LfGiMdRCMSvlQHkIpf170.bin
Source: wscript.exe, wscript.exe, 00000000.00000003.1714870474.0000020E78C02000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715125263.0000020E78BE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790895980.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1792928891.0000020E78FA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1787973256.0000020E78BE4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1792671599.0000020E76FBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1791188992.0000020E78BE6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1792604906.0000020E76FB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790076467.0000020E76E71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716344400.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1787328230.0000020E78C00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715545165.0000020E78BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790076467.0000020E76DEE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790025540.0000020E78C04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715027425.0000020E76E1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1791162890.0000020E76FBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715545165.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1788098189.0000020E76FBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1791638449.0000020E76FBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1792192545.0000020E76E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apslline.com/Motocrossbanerne37.pif
Source: wscript.exe, 00000000.00000003.1790895980.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716344400.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1787328230.0000020E78C00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790025540.0000020E78C04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715545165.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716569906.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apslline.com/Motocrossbanerne37.pif:U
Source: wscript.exe, 00000000.00000003.1791259002.0000020E78E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apslline.com/Motocrossbanerne37.pifQ
Source: wscript.exe, 00000000.00000002.1792100540.0000020E76DB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apslline.com/Motocrossbanerne37.pifk
Source: wscript.exe, 00000000.00000003.1790076467.0000020E76E71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1792192545.0000020E76E78000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790768918.0000020E76E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apslline.com:443/Motocrossbanerne37.pif

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 103.53.40.62:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.53.40.62:443 -> 192.168.2.4:49737 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\ProgramData\filaucioso.bat

Windows user hook set: 0 keyboard low level C:\ProgramData\filaucioso.bat

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\ProgramData\filaucioso.bat

Code function: 1_2_00405252 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,

1_2_00405252

System Summary

Source: C:\Windows\System32\wscript.exe	COM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}			Jump to behavior

Source: C:\ProgramData\filaucioso.bat	Code function: 1_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		1_2_00403248
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_00403289 lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		5_2_00403289

Source: C:\ProgramData\filaucioso.bat	Code function: 1_2_6E3A1A98	1_2_6E3A1A98
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_000D6F24	5_2_000D6F24
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_000DEB98	5_2_000DEB98
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_000D0EB8	5_2_000D0EB8
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_000D711B	5_2_000D711B
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_000DD8E8	5_2_000DD8E8
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_366CB4E8	5_2_366CB4E8
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_366C1561	5_2_366C1561
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_366C1E10	5_2_366C1E10
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_366C6FC9	5_2_366C6FC9
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_366C02B8	5_2_366C02B8
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_366CCDB0	5_2_366CCDB0
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_36843EC6	5_2_36843EC6
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_36840F50	5_2_36840F50
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_36841C28	5_2_36841C28
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_36840C08	5_2_36840C08

Source: C:\ProgramData\filaucioso.bat

Code function: String function: 00402B2C appears 50 times

Source: c56D7_Receipt.vbs

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal100.troj.spyw.evad.winVBS@5/28@5/2

Source: C:\ProgramData\filaucioso.bat	Code function: 1_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		1_2_00403248
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_00403289 lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		5_2_00403289

Source: C:\ProgramData\filaucioso.bat

Code function: 1_2_0040450D GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

1_2_0040450D

Source: C:\ProgramData\filaucioso.bat

Code function: 1_2_00402138 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,

1_2_00402138

Source: C:\ProgramData\filaucioso.bat	Mutant created: NULL
Source: C:\ProgramData\filaucioso.bat	Mutant created: \Sessions\1\BaseNamedObjects\JIs7HXfvmVwG8wtR

Source: C:\ProgramData\filaucioso.bat

File created: C:\Users\user\AppData\Local\Temp\nsu12FA.tmp

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\c56D7_Receipt.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\c56D7_Receipt.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\ProgramData\filaucioso.bat "C:\ProgramData\filaucioso.bat"
Source: C:\ProgramData\filaucioso.bat	Process created: C:\ProgramData\filaucioso.bat "C:\ProgramData\filaucioso.bat"
Source: C:\Windows\System32\wscript.exe	Process created: C:\ProgramData\filaucioso.bat "C:\ProgramData\filaucioso.bat"	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process created: C:\ProgramData\filaucioso.bat "C:\ProgramData\filaucioso.bat"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: riched20.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: usp10.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: msls31.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: avicap32.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Section loaded: winmm.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

VBScript performs obfuscated calls to suspicious functions

Data Obfuscation

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\ProgramData\filaucioso.bat", "1", "false");

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2030976668.000000000503C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\ProgramData\filaucioso.bat

Code function: 1_2_6E3A1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

1_2_6E3A1A98

Source: C:\ProgramData\filaucioso.bat

Code function: 1_2_6E3A2F60 push eax; ret

1_2_6E3A2F8E

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\ProgramData\filaucioso.bat

File created: C:\Users\user\AppData\Local\Temp\Unsurveyable197\Busaos.pif

Source: C:\ProgramData\filaucioso.bat	File created: C:\Users\user\AppData\Local\Temp\Unsurveyable197\Busaos.pif	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\filaucioso.bat	Jump to dropped file
Source: C:\ProgramData\filaucioso.bat	File created: C:\Users\user\AppData\Local\Temp\nsj1E85.tmp\System.dll	Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\ProgramData\filaucioso.bat

Source: C:\Windows\System32\wscript.exe

File created: C:\ProgramData\filaucioso.bat

Switches to a custom stack to bypass stack traces

Source: C:\ProgramData\filaucioso.bat	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Afmystificeringen	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Afmystificeringen	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Afmystificeringen	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Afmystificeringen	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\ProgramData\filaucioso.bat	API/Special instruction interceptor: Address: 552CFE4
Source: C:\ProgramData\filaucioso.bat	API/Special instruction interceptor: Address: 20ACFE4

Tries to detect virtualization through RDTSC time measurements

Source: C:\ProgramData\filaucioso.bat	RDTSC instruction interceptor: First address: 54D4ED2 second address: 54D4ED2 instructions: 0x00000000 rdtsc 0x00000002 cmp eax, edx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F781D12237Bh 0x00000008 test dx, cx 0x0000000b inc ebp 0x0000000c test cx, C2B2h 0x00000011 inc ebx 0x00000012 test di, 2248h 0x00000017 rdtsc
Source: C:\ProgramData\filaucioso.bat	RDTSC instruction interceptor: First address: 2054ED2 second address: 2054ED2 instructions: 0x00000000 rdtsc 0x00000002 cmp eax, edx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F781C77735Bh 0x00000008 test dx, cx 0x0000000b inc ebp 0x0000000c test cx, C2B2h 0x00000011 inc ebx 0x00000012 test di, 2248h 0x00000017 rdtsc

Source: C:\ProgramData\filaucioso.bat	Memory allocated: D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Memory allocated: 337F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Memory allocated: 357F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\ProgramData\filaucioso.bat

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\ProgramData\filaucioso.bat	Window / User API: threadDelayed 8667			Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Window / User API: threadDelayed 1113			Jump to behavior

Source: C:\ProgramData\filaucioso.bat

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj1E85.tmp\System.dll

Source: C:\ProgramData\filaucioso.bat

API coverage: 2.0 %

Source: C:\Windows\System32\wscript.exe TID: 7508	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\filaucioso.bat TID: 7268	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\ProgramData\filaucioso.bat TID: 6048	Thread sleep count: 8667 > 30	Jump to behavior
Source: C:\ProgramData\filaucioso.bat TID: 6048	Thread sleep count: 1113 > 30	Jump to behavior
Source: C:\ProgramData\filaucioso.bat TID: 7268	Thread sleep count: 34 > 30	Jump to behavior

Source: C:\ProgramData\filaucioso.bat	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\ProgramData\filaucioso.bat	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\ProgramData\filaucioso.bat	Code function: 1_2_004062F0 FindFirstFileA,FindClose,	1_2_004062F0
Source: C:\ProgramData\filaucioso.bat	Code function: 1_2_004057B5 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_004057B5
Source: C:\ProgramData\filaucioso.bat	Code function: 1_2_00402765 FindFirstFileA,	1_2_00402765
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_00402765 FindFirstFileA,	5_2_00402765
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_004062F0 FindFirstFileA,FindClose,	5_2_004062F0
Source: C:\ProgramData\filaucioso.bat	Code function: 5_2_004057B5 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_004057B5

Source: C:\ProgramData\filaucioso.bat

Thread delayed: delay time: 922337203685477

Source: wscript.exe, 00000000.00000003.1715545165.0000020E78BF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DLfeCxqUqemupzIZZAezmSbQGIlcGKKLNWuNSgefPihiGmTpbcGKNLCGLfLkPiBuGUOdf@
Source: wscript.exe, 00000000.00000003.1716175744.0000020E78BE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DACnLKGRUjULRTaTuiRofilPNApTKoWkGJcihLQocudWAKLNLqemupcNKzRokKRlnoKae8
Source: wscript.exe, 00000000.00000003.1790076467.0000020E76E71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ACnLKGRUjULRTaTuiRofilPNApTKoWkGJcihLQocudWAKLNLqemupcNKzRokKRlnoKae
Source: wscript.exe, 00000000.00000002.1793069434.0000020E78FE4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1783017730.0000020E78FE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWN
Source: wscript.exe, 00000000.00000003.1790895980.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716344400.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1787328230.0000020E78C00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790025540.0000020E78C04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715545165.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716569906.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ACnLKGRUjULRTaTuiRofilPNApTKoWkGJcihLQocudWAKLNLqemupcNKzRokKRlnoKaeG
Source: wscript.exe, 00000000.00000002.1792303188.0000020E76EA3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1793069434.0000020E78FE4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1783017730.0000020E78FE4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1782867612.0000020E76EA3000.00000004.00000020.00020000.00000000.sdmp, filaucioso.bat, 00000005.00000002.3009633630.000000000348D000.00000004.00000020.00020000.00000000.sdmp, filaucioso.bat, 00000005.00000002.3009633630.0000000003438000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: filaucioso.bat, 00000005.00000002.3009633630.000000000348D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWc4
Source: wscript.exe, 00000000.00000003.1790895980.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716344400.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1787328230.0000020E78C00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790025540.0000020E78C04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715545165.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716569906.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LfeCxqUqemupzIZZAezmSbQGIlcGKKLNWuNSgefPihiGmTpbcGKNLCGLfLkPiBuGUOdfM
Source: wscript.exe, 00000000.00000003.1787328230.0000020E78C00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790025540.0000020E78C04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LfeCxqUqemupzIZZAezmSbQGIlcGKKLNWuNSgefPihiGmTpbcGKNLCGLfLkPiBuGUOdfX
Source: wscript.exe, 00000000.00000003.1714870474.0000020E78C02000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715125263.0000020E78BE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790895980.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716344400.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1787328230.0000020E78C00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790076467.0000020E76DEE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790025540.0000020E78C04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715027425.0000020E76E1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715545165.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716569906.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790768918.0000020E76E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gGZojGCkPQGhOWgLpWgppUKkxIoKBkofhmumZpuzZctdjPkTZLivOUoLSfdKLCOrgoQA = "ACnLKGRUjULRTaTuiRofilPNApTKoWkGJcihLQocudWAKLNLqemupcNKzRokKRlnoKae"
Source: wscript.exe, 00000000.00000003.1714870474.0000020E78C02000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715125263.0000020E78BE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790895980.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716344400.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1787328230.0000020E78C00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790076467.0000020E76DEE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790025540.0000020E78C04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715027425.0000020E76E1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715545165.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716569906.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790768918.0000020E76E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LfeCxqUqemupzIZZAezmSbQGIlcGKKLNWuNSgefPihiGmTpbcGKNLCGLfLkPiBuGUOdf = "iPWBQighLiQGPkiKasofzJNUAOKixdGNiZmWriNUxKLenuzLmWudKcOzKjUhLzTWkJUI"

Source: C:\ProgramData\filaucioso.bat	API call chain: ExitProcess graph end node			graph_1-4198
Source: C:\ProgramData\filaucioso.bat	API call chain: ExitProcess graph end node			graph_1-4374

Source: C:\ProgramData\filaucioso.bat

Code function: 1_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_00403248

Source: C:\ProgramData\filaucioso.bat

Code function: 1_2_6E3A1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

1_2_6E3A1A98

Source: C:\ProgramData\filaucioso.bat

Memory allocated: page read and write | page guard

Benign windows process drops PE files

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe

File created: filaucioso.bat.0.dr

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 103.53.40.62 443

Source: C:\Windows\System32\wscript.exe	Process created: C:\ProgramData\filaucioso.bat "C:\ProgramData\filaucioso.bat"			Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Process created: C:\ProgramData\filaucioso.bat "C:\ProgramData\filaucioso.bat"			Jump to behavior

Source: C:\ProgramData\filaucioso.bat	Queries volume information: C:\ProgramData\filaucioso.bat VolumeInformation	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\filaucioso.bat	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\ProgramData\filaucioso.bat

1_2_00403248

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: filaucioso.bat, 00000005.00000002.3030011749.000000003654D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s Defender\MsMpeng.exe
Source: filaucioso.bat, 00000005.00000002.3009633630.00000000034F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\ProgramData\filaucioso.bat

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 00000005.00000002.3029149028.00000000337F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filaucioso.bat PID: 7924, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 00000005.00000002.3029149028.00000000337F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filaucioso.bat PID: 7924, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	1 Windows Management Instrumentation	121 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	11 Input Capture	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	215 System Information Discovery	Remote Desktop Protocol	11 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Registry Run Keys / Startup Folder	111 Process Injection	3 Obfuscated Files or Information	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	213 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
c56D7_Receipt.vbs	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\ProgramData\filaucioso.bat	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Unsurveyable197\Busaos.pif	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsj1E85.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
apslline.com	103.53.40.62	true	true		unknown
xwor3july.duckdns.org	12.221.146.138	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
https://apslline.com/Motocrossbanerne37.pif	true	unknown
https://apslline.com/LfGiMdRCMSvlQHkIpf170.bin	true	unknown
xwor3july.duckdns.org	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://apslline.com:443/Motocrossbanerne37.pif	wscript.exe, 00000000.00000003.1790076467.0000020E76E71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1792192545.0000020E76E78000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790768918.0000020E76E78000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://apslline.com/Motocrossbanerne37.pifQ	wscript.exe, 00000000.00000003.1791259002.0000020E78E70000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_Error	filaucioso.bat, filaucioso.bat, 00000005.00000000.2022571987.000000000040A000.00000008.00000001.01000000.00000005.sdmp, filaucioso.bat.0.dr, Busaos.pif.5.dr	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	wscript.exe, 00000000.00000003.1778774215.0000020E79077000.00000004.00000020.00020000.00000000.sdmp, filaucioso.bat, 00000001.00000000.1781880896.000000000040A000.00000008.00000001.01000000.00000005.sdmp, filaucioso.bat, 00000001.00000002.2029959804.000000000040A000.00000004.00000001.01000000.00000005.sdmp, filaucioso.bat, 00000005.00000000.2022571987.000000000040A000.00000008.00000001.01000000.00000005.sdmp, filaucioso.bat.0.dr, Busaos.pif.5.dr	false	URL Reputation: safe	unknown
https://apslline.com/	wscript.exe, 00000000.00000002.1792928891.0000020E78FA4000.00000004.00000020.00020000.00000000.sdmp, filaucioso.bat, 00000005.00000002.3009633630.0000000003476000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://apslline.com/Motocrossbanerne37.pifk	wscript.exe, 00000000.00000002.1792100540.0000020E76DB9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	filaucioso.bat, 00000005.00000002.3029149028.00000000337F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://apslline.com/Motocrossbanerne37.pif:U	wscript.exe, 00000000.00000003.1790895980.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716344400.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1787328230.0000020E78C00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1790025540.0000020E78C04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715545165.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1716569906.0000020E78C0D000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.53.40.62	apslline.com	India		394695	PUBLIC-DOMAIN-REGISTRYUS	true
12.221.146.138	xwor3july.duckdns.org	United States		7018	ATT-INTERNET4US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1534152
Start date and time:	2024-10-15 16:36:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c56D7_Receipt.vbs
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winVBS@5/28@5/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 91 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: c56D7_Receipt.vbs

Simulations

Behavior and APIs

Time	Type	Description
10:37:19	API Interceptor	2x Sleep call for process: wscript.exe modified
10:38:06	API Interceptor	1012599x Sleep call for process: filaucioso.bat modified
15:37:53	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Afmystificeringen C:\Users\user\AppData\Local\Temp\Unsurveyable197\Busaos.pif
15:38:01	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Afmystificeringen C:\Users\user\AppData\Local\Temp\Unsurveyable197\Busaos.pif

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
103.53.40.62	https://go.skimresources.com/?id=129857X1500501&url=https://www.freelansssssssssssssssscer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/45834840-3c14-4374-8f51-bbcadebab762?j=eyJ1IjoiNGRnZ2x2In0	Get hash	malicious	HTMLPhisher	Browse
12.221.146.138	17230659061f7212c82a51474b4881c633df451e130ec6cfbd94355d94352086b239967195549.dat-decoded.exe	Get hash	malicious	PureLog Stealer	Browse
	17178602463c6b4cdf436b48ec4c5dbc6aee5ae0da7ee001e248c7e98692d8d99ecd71b334854.dat-decoded.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	Paymentxx212093.vbs	Get hash	malicious	PureLog Stealer, XWorm	Browse
	17178602463c6b4cdf436b48ec4c5dbc6aee5ae0da7ee001e248c7e98692d8d99ecd71b334854.dat-decoded.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	Paymentxx212093.vbs	Get hash	malicious	XWorm	Browse
	hvnmaynew.exe	Get hash	malicious	PureLog Stealer	Browse
	hvnmaynew.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	temp2.vbs	Get hash	malicious	GuLoader	Browse
	temp2.vbs	Get hash	malicious	Remcos, GuLoader	Browse
	171691854703bf1130ca78ef4041ee58d9950902e1c0a124d93965554ad493b7cef0815bd3441.dat-decoded.exe	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATT-INTERNET4US	http://youutbe.com	Get hash	malicious	Unknown	Browse	98.98.135.24
	https://escuelazoe.com.ar/.5#support@dotcloud.co.za	Get hash	malicious	HTMLPhisher	Browse	13.32.27.129
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	70.137.157.149
	na.elf	Get hash	malicious	Mirai, Gafgyt	Browse	13.165.162.220
	na.elf	Get hash	malicious	Mirai, Gafgyt	Browse	99.119.72.226
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	76.201.253.144
	na.elf	Get hash	malicious	Mirai, Gafgyt	Browse	108.239.35.103
	https://mcafeeinc-mkt-prod2-t.adobe-campaign.com/r/?id=hf505ba5a,7e223f22,7e22536b&e=cDE9JmFmZmlkPTAmY3VsdHVyZT1FTi1VUyZ0az1OUEdkMGVLcjd3SG1jVnF2cHQ2RFpYY3FIbHZlc3lGV1hZN3R5a0ZDTGJWX210NUlTX09UaTEwa291MG15NkZqMCZ0cD02NSZhdD14dXVlczNIRXpPbk45bE5wZzFoMnlFSEpTNnlSSnQxMk4xSzA3N2pHR083QTRYdVdQTzNlNXZmLVdKcUFQQzZYMCZwMj0wMjQvXzAgX29sX2lzX1NlbmRMaW5rX0tleUNhcmRfRE0zMzY4MDkwJnAzPURNMzM2ODA5MA&s=JTMn_G5VW0V9WjEy6_Fw8uIaCQd67lmwdVLQnjaD0bA	Get hash	malicious	Unknown	Browse	13.42.96.26
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	172.124.148.33
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	162.206.178.39
PUBLIC-DOMAIN-REGISTRYUS	IMG0001.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Tax Invoice 103505.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	Invoice.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	PO.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Purchase_Order.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	Documents.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	https://access.kinu.or.kr:8443/link.n2s?url=https://form.jotform.com/242704649007052	Get hash	malicious	Phisher	Browse	208.91.199.114
	0kqoTVd5tK.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
	Scanned.pdf.pif.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	AeOv2Ar7h5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	103.21.58.10

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Doc047892345y.exe	Get hash	malicious	DBatLoader, FormBook	Browse	103.53.40.62
	meczK67xaL.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	103.53.40.62
	SWIFT COPY..PAYMENT ADVICE.xls	Get hash	malicious	Unknown	Browse	103.53.40.62
	file.exe	Get hash	malicious	LummaC	Browse	103.53.40.62
	file.exe	Get hash	malicious	LummaC	Browse	103.53.40.62
	file.exe	Get hash	malicious	LummaC	Browse	103.53.40.62
	SecuriteInfo.com.Win32.PWSX-gen.1475.22419.exe	Get hash	malicious	LummaC	Browse	103.53.40.62
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	103.53.40.62
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	103.53.40.62
	lfyJfb6jSS.exe	Get hash	malicious	LummaC	Browse	103.53.40.62
37f463bf4616ecd445d4a1937da06e19	1-Ordine lavorazione esterna_pdf.vbs	Get hash	malicious	GuLoader	Browse	103.53.40.62
	RFQ_56783295_12538_15.10.2024.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	103.53.40.62
	8861299486_INV_AWB_SOF_001_20241015_120755.vbs	Get hash	malicious	GuLoader	Browse	103.53.40.62
	rComandaKOMARONTRADESRL435635Lukketid.bat	Get hash	malicious	Remcos, GuLoader	Browse	103.53.40.62
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	103.53.40.62
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	103.53.40.62
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	103.53.40.62
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	103.53.40.62
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	103.53.40.62
	Prximos VencimientosPDF.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.53.40.62

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsj1E85.tmp\System.dll	https://downloadsnew.garaninapps.com/SRTMiniServer_2.4.3_2024-02-26_INSTALL.exe	Get hash	malicious	Unknown	Browse
	5006_2.6.2.exe	Get hash	malicious	Unknown	Browse
	ocs-office.exe	Get hash	malicious	Unknown	Browse
	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse
	jU0hAXFL0k.exe	Get hash	malicious	GuLoader	Browse
	#U4e5d#U6708#U58f0#U660e_40981677.xls	Get hash	malicious	GuLoader	Browse
	MaMsKRmgXZ.exe	Get hash	malicious	FormBook, GuLoader	Browse
	MaMsKRmgXZ.exe	Get hash	malicious	GuLoader	Browse
	Part_number_91875-11400_x_6.xls	Get hash	malicious	GuLoader	Browse
	3CoQ2gnbIu.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\ProgramData\filaucioso.bat

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	5329718
Entropy (8bit):	7.979774478767476
Encrypted:	false
SSDEEP:	98304:EH//4Q0gBDcLaUgZLGTVCfjemnYMjgfRQ14dewsjdis7xGC4tIf/Yapu5koUe:0BD4aUgZLhj3gZj67xHRnFpu5kPe
MD5:	F3A3332B13BAA50C41644B86EFDF0FE4
SHA1:	F3B91AA55B8DCE62CB614E2A43D8E3973B1D47B6
SHA-256:	7FD5435121F2CB4320B1BC49400152EC3FECCE7F5CE0ACCE56F32C327126C970
SHA-512:	46808E4D79D0D1FBE2835456DAF31E0DE9E8F296B7863F38400EAA03FBF33BE450F92DF16F9B77AC5BB95AA33A97D484C1C678891C6E13B151F9CB7865C99BE7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@........./.........r.../..............+......Rich...........PE..L......].................b....9.....H2............@...........................?...........@.................................0........`;.x............................................................................................................text....`.......b.................. ..`.rdata..>............f..............@..@.data...X.9..........z..............@....ndata... ...@:..........................rsrc...x....`;......~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Process:	C:\ProgramData\filaucioso.bat
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\Unsurveyable197\Busaos.pif

Process:	C:\ProgramData\filaucioso.bat
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	5329718
Entropy (8bit):	7.979774478767476
Encrypted:	false
SSDEEP:	98304:EH//4Q0gBDcLaUgZLGTVCfjemnYMjgfRQ14dewsjdis7xGC4tIf/Yapu5koUe:0BD4aUgZLhj3gZj67xHRnFpu5kPe
MD5:	F3A3332B13BAA50C41644B86EFDF0FE4
SHA1:	F3B91AA55B8DCE62CB614E2A43D8E3973B1D47B6
SHA-256:	7FD5435121F2CB4320B1BC49400152EC3FECCE7F5CE0ACCE56F32C327126C970
SHA-512:	46808E4D79D0D1FBE2835456DAF31E0DE9E8F296B7863F38400EAA03FBF33BE450F92DF16F9B77AC5BB95AA33A97D484C1C678891C6E13B151F9CB7865C99BE7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@........./.........r.../..............+......Rich...........PE..L......].................b....9.....H2............@...........................?...........@.................................0........`;.x............................................................................................................text....`.......b.................. ..`.rdata..>............f..............@..@.data...X.9..........z..............@....ndata... ...@:..........................rsrc...x....`;......~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsa21F3.tmp

Process:	C:\ProgramData\filaucioso.bat
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.286618146008852
Encrypted:	false
SSDEEP:	3:sAAEVvjsvdxE584n:fL9P
MD5:	2B322A53D90A2271FFF01BF0834A5FD9
SHA1:	DA3FB0F558C75C2FE3D0BD7C9C19705B72B57D3D
SHA-256:	C30C98B13BB40861BA5B1CD08CC1018D11C0E9B0C95716A8A0D7B8E0B863CEB9
SHA-512:	F0B775FEF5150A7824FE25320F0FB1C383BAFC1AF7AC79E2E3CC7E791D4F296C44755A5A56BD4DFEEF8D0C9F913B5F9CF5B4AD8487FDC1163DF82050EE64521B
Malicious:	false
Reputation:	low
Preview:	kernel32::ReadFile(i r5, i r1, i 23674880,*i 0, i 0)i.r3

C:\Users\user\AppData\Local\Temp\nsj1E85.tmp\System.dll

Process:	C:\ProgramData\filaucioso.bat
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.854901984552606
Encrypted:	false
SSDEEP:	192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
MD5:	0063D48AFE5A0CDC02833145667B6641
SHA1:	E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
SHA-256:	AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
SHA-512:	71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: 5006_2.6.2.exe, Detection: malicious, Browse Filename: ocs-office.exe, Detection: malicious, Browse Filename: jU0hAXFL0k.exe, Detection: malicious, Browse Filename: jU0hAXFL0k.exe, Detection: malicious, Browse Filename: #U4e5d#U6708#U58f0#U660e_40981677.xls, Detection: malicious, Browse Filename: MaMsKRmgXZ.exe, Detection: malicious, Browse Filename: MaMsKRmgXZ.exe, Detection: malicious, Browse Filename: Part_number_91875-11400_x_6.xls, Detection: malicious, Browse Filename: 3CoQ2gnbIu.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L......]...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsn1BE4.tmp

Process:	C:\ProgramData\filaucioso.bat
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.9637832956585757
Encrypted:	false
SSDEEP:	3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D
MD5:	16D513397F3C1F8334E8F3E4FC49828F
SHA1:	4EE15AFCA81CA6A13AF4E38240099B730D6931F0
SHA-256:	D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36
SHA-512:	4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5

C:\Users\user\AppData\Local\Temp\nsq2118.tmp

Process:	C:\ProgramData\filaucioso.bat
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.483822629187616
Encrypted:	false
SSDEEP:	3:sEMBQEJkJVEj9id7EVUxQoXUn:uVmxvUn
MD5:	57FCC15EFB7333330E4CE43A197A823F
SHA1:	66BD1A4B000CF26B6E568CACDDA0E9F88C28F899
SHA-256:	30A71BBB38285BAEA3079D8868EE88C97C988727E3A139528FC153291328E394
SHA-512:	C1B9FDA9BA474F6FF65A37656C8CDDF072556A2EEF653DD043FE1E3AE89E1AE8311AA0433BBB5C989912EDBB21C85ED70F6866AB6957C83B88A085CCC4AE0316
Malicious:	false
Preview:	kernel32::VirtualAlloc(i 0,i 23674880, i 0x3000, i 0x40)p.r1

C:\Users\user\AppData\Local\Temp\nsr238B.tmp

Process:	C:\ProgramData\filaucioso.bat
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.256564762130954
Encrypted:	false
SSDEEP:	3:DyWgLQIfLBJXmgU:mkIP25
MD5:	F15BFDEBB2DF02D02C8491BDE1B4E9BD
SHA1:	93BD46F57C3316C27CAD2605DDF81D6C0BDE9301
SHA-256:	C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043
SHA-512:	1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1
Malicious:	false
Preview:	user32::EnumWindows(i r1 ,i 0)

C:\Users\user\AppData\Local\Temp\nsz1E96.tmp

Process:	C:\ProgramData\filaucioso.bat
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.0914493934217315
Encrypted:	false
SSDEEP:	3:sBa99k1NoCFOn:KankVg
MD5:	5D04A35D3950677049C7A0CF17E37125
SHA1:	CAFDD49A953864F83D387774B39B2657A253470F
SHA-256:	A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266
SHA-512:	C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B
Malicious:	false
Preview:	kernel32::SetFilePointer(i r5, i 1200 , i 0,i 0)i.r3

C:\Users\user\AppData\Local\Temp\unscorified\Capuan\geometri.cya

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	44084
Entropy (8bit):	1.251987965137089
Encrypted:	false
SSDEEP:	384:H5J4r26NPfk3R0omoj53ZOmVFPACwEygLw6:b4igfY3wEy9
MD5:	8E1ECD1CAD1A69BA46F3589D3EE05FCD
SHA1:	511FE3218234DFD061C85834E32694D500A2D8CA
SHA-256:	027B544D8E1F0A9CC480B455943CDB8B7F2E1E6FE64FA4E84C5FB22F58E75534
SHA-512:	D4E8D21B29799A2FD6AA6B254B0E5F1E212F2CEFF6244D3AE1641F460A88FD39EC32AB04E3787BE6C313ABC85B76A2ECC90FA697C58B9899AEE59B16452D98F7
Malicious:	false
Preview:	....................................................................................................................g.....................t...................)...}..............................................................................................................O.f...............................r................................S...U................:........................................2................................................................7........................."....c.........-..........................>.........................j...........h...............................G2......P.......................qd.......................................................................................................................................\........................7.....................O..T;...LK.......j.........................................................Y..........................J...........................................................................

C:\Users\user\AppData\Local\Temp\unscorified\Driftsforstyrrelse\Farisismen24.opt

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	495473
Entropy (8bit):	1.252683728528738
Encrypted:	false
SSDEEP:	1536:29Atz1Dww/YItq3ys1yNe3uRHiOnU2E74SEH:29AtzV/2yFauRHcoH
MD5:	EF47BA5BA9823E8C3469035CF70773D2
SHA1:	21D1961813BA8BABF395C3AFE324487EE355578F
SHA-256:	895776946CC4E8956593C9B8CBA36B3D0523F921C419F2A68C58C82FC5BA8C8B
SHA-512:	E78EA0CA2E615EF745FDE2A8D1FE07F7216E253057805091E0E91A4E7CD780BA8C5E33F2DFA6283104D7A2EED606DEAAE1E82345135CBA914ECAB32B9C5CCF27
Malicious:	false
Preview:	............................................................................................,................................,I..............*..................{.........................................q..............................A.........................................(......X....%..............................................................................................d.B..............................[..............................#.................p..............c............................;.............h.......................7...................................1.....I..................................................a....................................................j...................................................................................................a.......................V.................................{-..........................................[....................................n..................................................\|.................

C:\Users\user\AppData\Local\Temp\unscorified\Driftsforstyrrelse\Louisianians31.mon

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	8601
Entropy (8bit):	1.1545164397538636
Encrypted:	false
SSDEEP:	48:zEuB7ok0LmcrzKI9XjvjvGWt/nSz4DP6FIB/IoZt/V:4uBsk0ac1jvqcD6QhV
MD5:	F4A704DD6599AA965F753CF4AFF41544
SHA1:	27F6166A11011BF9340B9477D469A5E39B67CF5B
SHA-256:	689F1C7B21D424488E2F82F5E1CF663D41BE2B8402853953B723F457D91F5C2F
SHA-512:	F2EC79C777CA0349BA727C2292026C83C3CCB0F84C807431A859DB7196248C95E17DFE13EA081F3020BF12F14001D58824F6EE0AEE770DED6BEB7D94E082C082
Malicious:	false
Preview:	...................8..............................$.....................................................>....................'.......................................Y.....................................B........C....X.......................................:.........................................................V.............................................H.....b..............S...........................................................w..........................f..........................................................................................G..............................................P@...................fj........................G..]................................................0......... ..................................................................................................H.......................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\unscorified\Driftsforstyrrelse\Rottet.fed

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	225561
Entropy (8bit):	1.2509602063831964
Encrypted:	false
SSDEEP:	768:vodpoBR9G/El4UjO+zHLgOWJmrzfhDM2QY2RSbSL8nMzcUqbFuPYVTmTy2MekyEc:W2pzkDkzfhAtNbKANtv4U
MD5:	6865DE99FA19A6862DF5C404DE274F27
SHA1:	4EFBD7E416C513C7B2516052EFD42DB502306C35
SHA-256:	3921ED66814A1199A488E44FDD72C224D4AD9505F3EA9D111E046704B37483B3
SHA-512:	F46BDCB2A29BA7ECD780C181230E573D3D0D7C55BFC06CAD641FA764F90068AFB6A3F7FC14AF1BA725A168EF212CBA93F6530FE7C0D0EE0C78B5A5B729F41B3D
Malicious:	false
Preview:	......................................................."...............+...........).....................................(.....................................................................W.................................. M...............................a.1................r.......................................................................................:..B.............._......U................./........................7.......................................y......................................S...)........................................................n..........(..........x...e......>..............................:........8..................................q.........................................................z..............Y..i............................................2.........f...............................................................................T........................................................v...........5....................................

C:\Users\user\AppData\Local\Temp\unscorified\Driftsforstyrrelse\Somewhatness9.Bie

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	155008
Entropy (8bit):	4.592026808124209
Encrypted:	false
SSDEEP:	1536:GvWaiD1khghhBlYPnsfL3qy0IPazqk8R4JIZoyvUv8fUc/SzqJH3G69/BKhoS64z:GcD1kEVqy0IPaQ7ZhjNaIH37/f8
MD5:	8F6AC9BACA244A9FE17E755F881C8FC5
SHA1:	8C1B08CE1996A597904283F8BE8FE677ABB592D9
SHA-256:	200AD6E107078B2C0ED3B29AA5CE0F7E4AE26E80A8AA25AEA2BB487B2F20AE66
SHA-512:	78B5924ECC3CB0648B5511638AF98EB1E00D8A150CA84F574CAC9DE04F7BD50D95E2A33C981F1F0467EB898D6D9C34978264B178F57B016A106CEC8F82643922
Malicious:	false
Preview:	................3............................&&&&.g......................,......)............ZZ.........{{......I.................!!.k.?.....&&.00............PPPP.p..........7.......\...........<<<.9..............``..............%.....................OO........m.6.P........e...............7777.......................?....P..............,........c..l.....V.........Y................GGG.....}......mmm......I..................H..hh..7...7.g.........mmmmmmmm...............II...........o..33.........""".......................CC..........LLL......q......G......>>................................X......\\..cc........ss..................O....O.QQQQ.R...EE........P..........b..V.........................J..............:...................OO...........a...........hh...<<<..................ggg..HHH.........**..........ww....UU..ooo.........99..........v......II..d....u...nn................c..www..OO..... ........................................77.l.......................g.d........K...(..............

C:\Users\user\AppData\Local\Temp\unscorified\Driftsforstyrrelse\genls.med

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	56731
Entropy (8bit):	1.2442160585209034
Encrypted:	false
SSDEEP:	384:6tYghFWWJicOfl9hdYo9Gvdjh1rjjKlsru8a/3FPzYnaIgapZvHcFe/0C2vqW8IP:NyJicyhlodh1jKlP/3FcRseqD
MD5:	BCA0C962216D9B512E1FEE1F72EBA35B
SHA1:	FF228246A15FA291474DF13F96C51A6BBE03FDBE
SHA-256:	9207608EB008266B5F27EFAF786A1B6D2C4B611F484F62B5FF31D764C0225923
SHA-512:	848BEBCE00D0968884AC1A54BC220DA34FADAA072F403434741DFC3F9843EB3848864184F1F38DAEB013CE0BFEE1BDC09679E80F2EAB9C8CC67ABA3816E0548A
Malicious:	false
Preview:	6.~........................................................E...............................x...............................................-...................}..............................O....k..............................................................X..................................).......Y...7.....................W......................................c...................................................................\....................0....................................4............~.........................................................................................Z...............................................W..............................p................I....R.............................9........................%............................................................."\.....................n......8................................C...............................................................b..............u..........................W.................

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\Farisismen24.opt

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	495473
Entropy (8bit):	1.252683728528738
Encrypted:	false
SSDEEP:	1536:29Atz1Dww/YItq3ys1yNe3uRHiOnU2E74SEH:29AtzV/2yFauRHcoH
MD5:	EF47BA5BA9823E8C3469035CF70773D2
SHA1:	21D1961813BA8BABF395C3AFE324487EE355578F
SHA-256:	895776946CC4E8956593C9B8CBA36B3D0523F921C419F2A68C58C82FC5BA8C8B
SHA-512:	E78EA0CA2E615EF745FDE2A8D1FE07F7216E253057805091E0E91A4E7CD780BA8C5E33F2DFA6283104D7A2EED606DEAAE1E82345135CBA914ECAB32B9C5CCF27
Malicious:	false
Preview:	............................................................................................,................................,I..............*..................{.........................................q..............................A.........................................(......X....%..............................................................................................d.B..............................[..............................#.................p..............c............................;.............h.......................7...................................1.....I..................................................a....................................................j...................................................................................................a.......................V.................................{-..........................................[....................................n..................................................\|.................

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\Imu.Gla

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	7.999957575310736
Encrypted:	true
SSDEEP:	98304:SDcLaUgZLGTVCfjemnYMjgfRQ14dewsjdis7xGC4tIl:SD4aUgZLhj3gZj67xHRl
MD5:	498A8D2FF2582C3230061DB8C034E542
SHA1:	FD90A6C047C4545728E60FEA23DDA445618AB56F
SHA-256:	4FD8B4E320029B4934A877CD932ABACF6A86AABB78DDDB264E7F752C8949A9AB
SHA-512:	EF9CBD701C76595A6F9B2C04C79C2430227CA6D23B6A6716892CC28C8A8B2FD40A98AF9A46AF0EF824F886D9916D8046221710F7F6AC8F35B2F8A4DD24A86B56
Malicious:	false
Preview:	..9.......F.+...t/.....<o.Qme.x.......N;-.6.....M..\:7.I.d@..C...BDvt.v=.x!of.G....R...p.n..].o....,I.B.h".....E..%_v1.#bD.@.].....D....g..-...Bx.l..I...6.........j..p....x.z02O.k$.'..di......S...j...=..<...A....=.".,=...N!.x.....1..h.T$>..\|a u... .q....Y..bjA.......). $.n@..g.....^...D.7...T..ld.v.../2}y.....L.!.}..KDy...g........E.x..j.\.-.:....:....F...2D./.....C....8....Y..s.R.........i..JV..Pv...\|..N......x).`.T...`..)..f...]..c ...W...7V*.U..&...s...{..'..Bn5^0.z@L.~.u..7^..r.#YS.Z..0..i.F...5.......v..L..s..4.BB.8.-.0..n.p.]eCc.m:.G...th..TT.)..6Y......D. C.=....u.H....c..n...oT.s..J-).w....H.\|gd)....D.%.Zn^..e...^.6O........#.9......\.....,g...#.R......l`.s]1..D...z...P.).?.H.t....~...\.A...#..X.y..e]@4!....."K(.?:q..;E.....+.........a......~..U..1.l_...c.=l.!<.i.V.....-iD.K.x......$.8.../.~D..^..l........u....7bA"...'..J....\1....W.T.C..4.5\|G:.......Se,..>...HK.^..e..'B.ah....@....\.9u..6..Q{4.-...n..CX.T..,o..{.m.+.w.......

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\Louisianians31.mon

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	8601
Entropy (8bit):	1.1545164397538636
Encrypted:	false
SSDEEP:	48:zEuB7ok0LmcrzKI9XjvjvGWt/nSz4DP6FIB/IoZt/V:4uBsk0ac1jvqcD6QhV
MD5:	F4A704DD6599AA965F753CF4AFF41544
SHA1:	27F6166A11011BF9340B9477D469A5E39B67CF5B
SHA-256:	689F1C7B21D424488E2F82F5E1CF663D41BE2B8402853953B723F457D91F5C2F
SHA-512:	F2EC79C777CA0349BA727C2292026C83C3CCB0F84C807431A859DB7196248C95E17DFE13EA081F3020BF12F14001D58824F6EE0AEE770DED6BEB7D94E082C082
Malicious:	false
Preview:	...................8..............................$.....................................................>....................'.......................................Y.....................................B........C....X.......................................:.........................................................V.............................................H.....b..............S...........................................................w..........................f..........................................................................................G..............................................P@...................fj........................G..]................................................0......... ..................................................................................................H.......................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\Micrometers.Cam

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	401789
Entropy (8bit):	7.065739037088379
Encrypted:	false
SSDEEP:	6144:VKZHDLgRwDXlRryEnqgwg7MfFR0bs0A5SmatP+jiCn41/OfGmlYc:Vkx1hyE6gyQbLARxjiC4KGy
MD5:	DE8A813CE4FD2B0CC978241AB06A18EC
SHA1:	FF3712B5D4D5AD5C5229AF56800710DE26CA2D1E
SHA-256:	8DFA258211EEB70EB2DAFE04758756BFBCBECE83013EB853CECA71B22928E91D
SHA-512:	8F06E206F7F58AA9BDC36425589C2AFAFDF42986E1AD1102E5B38A1717CC2E354A1A8564A9A7FCB2DD74E22E214000AF2184C04C2758DA37EAF89C9567BF63AE
Malicious:	false
Preview:	..........lll...............ZZZZ........................eee....................................................K.6...... ........=......i...l......<<..c.................8..........t......T..........q....N.......tt........GGGG..............................}}...%........T..XX....^.......7.pp.hhh..............................D..__..........((.....pp.K...&&&&&&&......k.................................yyyyyyy.........E..a......yy.. ..........................d............................................`.n..........V.....VVV.=..555.U.......222...;;.........._.g..................... .......DDDD.......o.......,..............V........1.3......S.........m......(..................k.....L..ww.9....((..............(..y.......PP..............\|\|\|\|\|\|......(.ZZZ..u......m................r....nn..........O.DDD....ttttt.c...................@....[.......ZZZZZZ.D.}........................................<<<......[[[[......ccc..........*..........RR.......yyyy...J..................xx........VVVV...........

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\Rottet.fed

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	225561
Entropy (8bit):	1.2509602063831964
Encrypted:	false
SSDEEP:	768:vodpoBR9G/El4UjO+zHLgOWJmrzfhDM2QY2RSbSL8nMzcUqbFuPYVTmTy2MekyEc:W2pzkDkzfhAtNbKANtv4U
MD5:	6865DE99FA19A6862DF5C404DE274F27
SHA1:	4EFBD7E416C513C7B2516052EFD42DB502306C35
SHA-256:	3921ED66814A1199A488E44FDD72C224D4AD9505F3EA9D111E046704B37483B3
SHA-512:	F46BDCB2A29BA7ECD780C181230E573D3D0D7C55BFC06CAD641FA764F90068AFB6A3F7FC14AF1BA725A168EF212CBA93F6530FE7C0D0EE0C78B5A5B729F41B3D
Malicious:	false
Preview:	......................................................."...............+...........).....................................(.....................................................................W.................................. M...............................a.1................r.......................................................................................:..B.............._......U................./........................7.......................................y......................................S...)........................................................n..........(..........x...e......>..............................:........8..................................q.........................................................z..............Y..i............................................2.........f...............................................................................T........................................................v...........5....................................

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\Somewhatness9.Bie

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	155008
Entropy (8bit):	4.592026808124209
Encrypted:	false
SSDEEP:	1536:GvWaiD1khghhBlYPnsfL3qy0IPazqk8R4JIZoyvUv8fUc/SzqJH3G69/BKhoS64z:GcD1kEVqy0IPaQ7ZhjNaIH37/f8
MD5:	8F6AC9BACA244A9FE17E755F881C8FC5
SHA1:	8C1B08CE1996A597904283F8BE8FE677ABB592D9
SHA-256:	200AD6E107078B2C0ED3B29AA5CE0F7E4AE26E80A8AA25AEA2BB487B2F20AE66
SHA-512:	78B5924ECC3CB0648B5511638AF98EB1E00D8A150CA84F574CAC9DE04F7BD50D95E2A33C981F1F0467EB898D6D9C34978264B178F57B016A106CEC8F82643922
Malicious:	false
Preview:	................3............................&&&&.g......................,......)............ZZ.........{{......I.................!!.k.?.....&&.00............PPPP.p..........7.......\...........<<<.9..............``..............%.....................OO........m.6.P........e...............7777.......................?....P..............,........c..l.....V.........Y................GGG.....}......mmm......I..................H..hh..7...7.g.........mmmmmmmm...............II...........o..33.........""".......................CC..........LLL......q......G......>>................................X......\\..cc........ss..................O....O.QQQQ.R...EE........P..........b..V.........................J..............:...................OO...........a...........hh...<<<..................ggg..HHH.........**..........ww....UU..ooo.........99..........v......II..d....u...nn................c..www..OO..... ........................................77.l.......................g.d........K...(..............

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\genls.med

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	56731
Entropy (8bit):	1.2442160585209034
Encrypted:	false
SSDEEP:	384:6tYghFWWJicOfl9hdYo9Gvdjh1rjjKlsru8a/3FPzYnaIgapZvHcFe/0C2vqW8IP:NyJicyhlodh1jKlP/3FcRseqD
MD5:	BCA0C962216D9B512E1FEE1F72EBA35B
SHA1:	FF228246A15FA291474DF13F96C51A6BBE03FDBE
SHA-256:	9207608EB008266B5F27EFAF786A1B6D2C4B611F484F62B5FF31D764C0225923
SHA-512:	848BEBCE00D0968884AC1A54BC220DA34FADAA072F403434741DFC3F9843EB3848864184F1F38DAEB013CE0BFEE1BDC09679E80F2EAB9C8CC67ABA3816E0548A
Malicious:	false
Preview:	6.~........................................................E...............................x...............................................-...................}..............................O....k..............................................................X..................................).......Y...7.....................W......................................c...................................................................\....................0....................................4............~.........................................................................................Z...............................................W..............................p................I....R.............................9........................%............................................................."\.....................n......8................................C...............................................................b..............u..........................W.................

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\geometri.cya

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	44084
Entropy (8bit):	1.251987965137089
Encrypted:	false
SSDEEP:	384:H5J4r26NPfk3R0omoj53ZOmVFPACwEygLw6:b4igfY3wEy9
MD5:	8E1ECD1CAD1A69BA46F3589D3EE05FCD
SHA1:	511FE3218234DFD061C85834E32694D500A2D8CA
SHA-256:	027B544D8E1F0A9CC480B455943CDB8B7F2E1E6FE64FA4E84C5FB22F58E75534
SHA-512:	D4E8D21B29799A2FD6AA6B254B0E5F1E212F2CEFF6244D3AE1641F460A88FD39EC32AB04E3787BE6C313ABC85B76A2ECC90FA697C58B9899AEE59B16452D98F7
Malicious:	false
Preview:	....................................................................................................................g.....................t...................)...}..............................................................................................................O.f...............................r................................S...U................:........................................2................................................................7........................."....c.........-..........................>.........................j...........h...............................G2......P.......................qd.......................................................................................................................................\........................7.....................O..T;...LK.......j.........................................................Y..........................J...........................................................................

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\icona.ico

Process:	C:\ProgramData\filaucioso.bat
File Type:	Targa image data - Map 32 x 10414 x 1 +1
Category:	dropped
Size (bytes):	669932
Entropy (8bit):	5.5314845590929895
Encrypted:	false
SSDEEP:	6144:gKk30jClLCugYQs0Om0TmZi6ZYMdCZcZtaW22ibSd4MoX1DXI5nR9mx2KdQJf6mC:ghdCugMm0TWNIJpbIu945c2iAWeO
MD5:	43AB379A4F5EB535BEEFA8769D0F145C
SHA1:	B5BEDA93EDAB6D45FC87C74406F28575AE3BA633
SHA-256:	E35EFD069097EFCED37EB9A320F9D1519558C61B3C6B606E659A28B0432ADF35
SHA-512:	27B864E0C981CBC385505AB031A5BF245F8DA6588A7762447305A72E8513F904A4509EB104E6A75EB279D364EF853B936405E3B12C6F63082CB2F33D674826A0
Malicious:	false
Preview:	............ ..(............ .(...lI..``.... ......Y..HH.... ..T......@@.... .(B...,..00.... ..%..l... .... ............... ............... .h....0...PNG........IHDR.............\r.f.. .IDATx....5.q..<U..v....-..9..EQ"...$/..."..$N$'.....X.. .#....H.......$....!PdY....,.Cz.....s.....}..J......o....>...z..J..J..J..J..J..J..J..J..J..J..J..J>..G..../O..j..............%...0i....4..S.v.nyW....K...\.;....,^.p.rqV5.....Z..e..R.6.P`4..[2.4..).N.TPT8... ...T.EEr..E.n.}..+.............:...\|..m.M.y...E.3}....q...#...L.@..#....h.0...E.F(......F".b......iP..I.R.JF.BP.....~.b..h.9...~......+..-&.{...4,V......g.c.y..^v.......'....Y..Q.x.Y.4.........Q.m.....WQ.'. .K9.b..D.S.<X.}^.......s.axY...........,W..[@..>...."&..i..>.'}.T.oOV...U...BZ.QL`$....x.U}..U....m0#w...@3..pD..)...X...Jz.s...K...E./.k..t..._...O.-W.....s^q..6.._r.).?........0$.eS.*2h.R.i....UkGm.5.F..j..0......Oo.3.A..".Z1.IA,bw.d....F.T....."."........O.}.....w.........;$.w...)..)...9.>.....

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\nsis.nsi

Process:	C:\ProgramData\filaucioso.bat
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7164
Entropy (8bit):	5.424736170205588
Encrypted:	false
SSDEEP:	192:tVcb8h0g8jt9vETUdc0OcVgW6Bw2uYcJIt:t7unsYKFcVgDzcJw
MD5:	118AE093FAA03BDC13A832B55CEFB2DE
SHA1:	022999FA13CBA8ABCF66C5E866C941547E7AEB33
SHA-256:	4D2145F9211995A99F9828752EF15F9789ADA25B8CEB1EF135CFE9D2ABD5479F
SHA-512:	07D35E1E7319DC0271D4CD467A3597A36ED27A00CB115381A01DDDE7C316D311B70345DB04BC84E4D660732A4616967AE407812252CFC9E053BC82BD5A406032
Malicious:	false
Preview:	!include "MUI2.nsh"..VIAddVersionKey "ProductName" ""..VIAddVersionKey "Comments" ""..VIAddVersionKey "CompanyName" ""..VIAddVersionKey "LegalTrademarks" ""..VIAddVersionKey "LegalCopyright" ""..VIAddVersionKey "FileDescription" ""..VIAddVersionKey "FileVersion" "1.0.0.0"..VIProductVersion "1.0.0.0"....;@@@@@@@@@@@@@@@@@@ DECLARED VAR @@@@@@@@@@@@@@@@@@..Var Carpooldristighedsemanu83..Var udfrdigedesforkarlesl..Var stemmekvgsjapaneserysep..Var Nonviralanthroxanicvejvse..Var morogennemsnitsalderennor..Var kathinatrvlendesminid..Var uidentificerbarh..Var andelsmejerierskge..Var gloseretblondhvernesc..Var stiftamtmandenc..Var affyretristachyou..Var cementalykkeopfat..Var opereredescroce..Var perturbationalh..Var flyttelsopskringmulslet..Var chromatoscopebewailsb..Var snorkeledbryggerkarreness..Var uidentificerbar..;@@@@@@@@@@@@@@@@@@ DECLARED VAR @@@@@@@@@@@@@@@@@@....;!define MUI_ICON icona.ico....SetCompressor BZIP2....; The name of the installer....Name "Desalinates"....; The f

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\semiriddle.flg

Process:	C:\ProgramData\filaucioso.bat
File Type:	data
Category:	dropped
Size (bytes):	213163
Entropy (8bit):	1.2509035420987697
Encrypted:	false
SSDEEP:	768:E6Ak6TqKI8qNenRhDkU13nK/Owzmzj63GMIrCDVOAqiVyycSsOR2D+uFFO8ukH1m:a/TnkUFupj/vM9PV
MD5:	98B0761197297AB236BC284E2B596C55
SHA1:	D84B6FCBC7822AC3617AF2E06807F24B6CB09501
SHA-256:	1B09158404A448B8B8DA21415D6D3FF844658BF441B5A5FB4C651B2B1F5F5809
SHA-512:	6AB83D66E4E5874688F7A64C133EF3514CE355936CD66895EFE8249E316E2C87195B82FF4E7780180BA3B58C097196AA58736BA6A9365CC36943C6AC8D78A71D
Malicious:	false
Preview:	.....................D............................................................................&................................l..................................................................................................s.q....s...........................Z...........................................................................................................................................................................................................................6..............u................/.............................................................................................................................a...............7.............T.................0........................................L........~........................s..........................P..........................................................................................................................*............O.............s..................f....................J...............H

C:\Users\user\AppData\Local\Temp\unscorified\Kdgrydens\tekstilarbejderens.txt

Process:	C:\ProgramData\filaucioso.bat
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	380
Entropy (8bit):	4.150391372844806
Encrypted:	false
SSDEEP:	6:jKYlGRpzKVqXB++DC6XBRuN6kgrRmXLY8bOraYKFSX6WlWfHcSTQX97Mm2CXmVyg:mYsDmVqXBpC6XnDk+wXcj5KFSk+X97xE
MD5:	DCEB38A26FFEAB28D24D304205DD1CFD
SHA1:	7C3CD56A0E4A2A768D14EA41D88D163C8A3E66DD
SHA-256:	68F09ACCAE0DF5988DF3AACFFF32C8025F07A266367AD77E1614814B2A05C98F
SHA-512:	27469F330E5F57D253084536619CAED2F220CC1AAB74B476C175FAA24467301BA0DD1CC52E9F2F15B5052F0CFC397A4C95B7147C7BD6369ECACD7319FF2BCAE5
Malicious:	false
Preview:	bulletinernes rallinae tace frdselstavles.tilgangstiden fiskeriinspektionen balder udfoerselstilladelse jaconet besttelsesmagt.leptochlorite ubestridte slatternes saddel nishiki vognmandsforretningers..citronsafters thermocauteries bractless svejshundenes sindet apostates involve.sparringpartners morkin sheller bananivorous pensionistkortets.blackguard trylleslagenes smrsyrens,

C:\Users\user\AppData\Local\Temp\unscorified\Skattedepartementernes\Micrometers.Cam